CIT 016 Review for Final
Security+ Guide to Network Security Fundamentals, Second Edition
Defining Information Security
Three characteristics of information must be protected by information security: Confidentiality, Integrity, Availability
Information security achieved through a combination of three entities
Importance of Information Security
Information security is important to businesses:
Prevents data theft
Avoids legal consequences of not securing information
Maintains productivity
Foils cyberterrorism
Thwarts identity theft
Preventing Data Theft
Theft of data is single largest cause of financial loss due to a security breach
One of the most important objectives of information security is to protect important business and personal data from theft
Developing Attacker Profiles
Six categories: Hackers, Crackers, Script kiddies, Spies, Employees, Cyberterrorists
Developing Attacker Profiles
Hackers
Person who uses advanced computer skills to attack computers, but not with a malicious intent
Use their skills to expose security flaws
Know that breaking into a system is illegal but do not intend on committing a crime
“Hacker code of ethics”
Target should have had better security
Crackers
Person who violates system security with malicious intent
Have advanced knowledge of computers and networks and the skills to exploit them
Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks
Script Kiddies
Break into computers to create damage
Not as skilled as Crackers
Download automated hacking software from Web sites and use it to break into computers
Tend to be young computer users with large amounts of leisure time, which they can use to attack systems
Spies
Person hired to break into a computer and steal information
Do not randomly search for unsecured computers to attack
Hired to attack a specific computer that contains sensitive information
Possess excellent computer skills
Could also use social engineering to gain access to a system
Financially motivated
Employees
One of the largest information security threats to business
Employees break into their company’s computer for these reasons:
To show the company a weakness in their security
Being overlooked, revenge
For money
Inside of network is often vulnerable because security focus is at the perimeter
Unskilled user could inadvertently launch virus, worm or spyware
Cyberterrorists
Experts fear terrorists will attack the network and computer infrastructure to cause panic
Cyberterrorists’ motivation may be defined as ideology, or attacking for the sake of their principles or beliefs
Targets that are high on the cyberterrorists’ list are: Infrastructure outages, Internet itself
Cyberterrorists (continued)
Three goals of a cyberattack:
Deface electronic information to spread disinformation and propaganda
Deny service to legitimate computer users
Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of vital data
Understanding Security Principles
Ways information can be attacked:
Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
Spies can use social engineering
Employees can guess other users’ passwords
Hackers can create back doors
Protecting against the wide range of attacks calls for a wide range of defense mechanisms
Layering
Layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks
Information security likewise must be created in layers
All the security layers must be properly coordinated to be effective
Limiting
Limiting access to information reduces the threat against it
Only those who must use data should have access to it
Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
The amount of access granted to someone should be limited to what that person needs to know or do
Diversity
Diversity is closely related to layering
You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
Using diverse layers of defense means that breaching one security layer does not compromise the whole system
Not just perimeter security
Possibly using different vendors
Increased administrative overhead
Diversity (continued)
You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
Use application layer filtering by a Linux box before traffic hits the firewall
Use one device as the firewall and a different device as the spam filter
Using firewalls produced by different vendors creates even greater diversity
This could add some complexity
Obscurity
Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult
Network Address Translation
Port Address Translation
Internal ports different from external
External port 80
Internal port 8080
Simplicity
Complex security systems can be difficult to understand, troubleshoot, and feel secure about
The challenge is to make the system simple from the inside but complex from the outside
Using Effective Authentication Methods
Information security rests on three key pillars: Authentication, Access control (Authorization), Auditing (Accounting)
Also known as AAA
Effective Authentication Methods
Authentication: process of providing identity
Can be classified into three main categories: what you know, what you have, what you are
Most common method: providing a user with a unique username and a secret password
Username and Password
ID management: user’s single authenticated ID is shared across multiple networks or online businesses
Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)
Can be for users and for computers that share data
Disabling Nonessential Systems
First step in establishing a defense against computer attacks is to turn off all nonessential services
Disabling services that are not necessary restricts what attackers can use
Reducing the attack surface
Disabling Nonessential Systems
A service can be set to one of the following modes: Automatic, Manual, Disabled
Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system
Hardening Operating Systems
Hardening: process of reducing vulnerabilities
A hardened system is configured and updated to protect against attacks
Three broad categories of items should be hardened:
Operating systems
Applications that the operating system runs
Networks
Hardening Operating Systems
You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare
Applying Updates
Operating systems are intended to be dynamic
As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
However, vendors release a new version of an operating system every two to four years
Vendors use certain terms to refer to the different types of updates.
Applying Updates (continued)
A service pack (a cumulative set of updates including fixes for problems that have not been made available through updates) provides the broadest and most complete update
A hotfix does not typically address security issues; instead, it corrects a specific software problem
Applying Updates (continued)
A patch or a software update fixes a security flaw or other problem
May be released on a regular or irregular basis, depending on the vendor or support team
A good patch management system:
Design patches to update groups of computers
Include reporting system
Download patches from the Internet
Distribute patches to other computers
Securing the File System
Another means of hardening an operating system is to restrict user access
Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them
Firmware Updates
RAM is volatile―interrupting the power source causes RAM to lose its entire contents
Read-only memory (ROM) is different from RAM in two ways:
Contents of ROM are fixed
ROM is nonvolatile―disabling the power source does not erase its contents
Firmware Updates (continued)
ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware (flash)
To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
The contents of EEPROM chips can also be erased using electrical signals applied to specific pins
Firmware Updates (continued)
To update a network device we copy over a new version of the OS software to the flash memory of the device.
This can be done via a TFTP server or a compact flash reader/writer
Router# copy tftp flash:
Having the firmware updated ensures the device is not vulnerable to bugs in the OS that can be exploited
Network Configuration
You must properly configure network equipment to resist attacks
The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network
In addition to making sure the perimeter is secure, make sure the device itself is secure by using strong passwords and encrypted connections
SSH instead of Telnet and console, vty passwords
Configuring Packet Filtering
The User Datagram Protocol (UDP) provides for a connectionless TCP/IP transfer
TCP and UDP are based on port numbers
Socket: combination of an IP address and a port number
The IP address is separated from the port number by a colon, as in 198.146.118.20:80
Network Configuration
Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
Rules are composed of several settings (listed on pages 122 and 123 of the text)
Observe the basic guidelines on page 124 of the text when creating rules
Network Cable Plant
Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
Three types of transmission media: Coaxial cables, Twisted-pair cables, Fiber-optic cables
Twisted-Pair Cables
Standard for copper cabling used in computer networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued)
Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
Unshielded twisted-pair (UTP) cables do not have any shielding
Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmits light impulses
A glass tube (cladding) surrounds the core
The core and cladding are protected by a jacket
Hardening Standard Network Devices
A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
This equipment has basic security features that you can use to harden the devices
Switches and Routers
Switch
Most commonly used in Ethernet LANs
Receives a packet from one network device and sends it to the destination device only
Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
A switch is used within a single network
Routers connect two or more single networks to form a larger network
Hardening Network Security Devices
The final category of network devices includes those designed and used strictly to protect the network
Include: Firewalls, Intrusion-detection systems, Network monitoring and diagnostic devices
Firewalls
Typically used to filter packets
Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
Typically located outside the network security perimeter as first line of defense
Can be software or hardware configurations
Firewalls (continued)
Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
One disadvantage is that it is only as strong as the operating system of the computer
Firewalls (continued)
Filter packets in one of two ways:
Stateless packet filtering: permits or denies each packet based strictly on the rule base
Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base
Can perform content filtering to block access to undesirable Web sites
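The difference between the two filtering modes, as an added example that is not part of the original slides. The rule format, class names and function names are hypothetical, and the packets are constructed sample traffic (the Web server socket 198.146.118.20:80 is the one used earlier in these notes; the other addresses are made up):

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the internal network, "in" = arriving
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: str
    proto: str
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


def check_rule_base(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Stateless: replies can only be let back in by a rule keyed on source port 80,
# because the filter has no memory of which requests actually went out.
STATELESS_RULES = [
    Rule("permit", "out", "tcp", dst_port=80),
    Rule("permit", "in", "tcp", src_port=80),
]

# Stateful: only the outbound rule is needed; replies are matched to state.
STATEFUL_RULES = [Rule("permit", "out", "tcp", dst_port=80)]


def stateless_filter(p: Packet) -> str:
    return check_rule_base(STATELESS_RULES, p)


class StatefulFilter:
    """Records permitted outbound connections and admits only their replies.
    Simplified: real devices also track TCP flags and expire idle entries."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            action = check_rule_base(self.rules, p)
            if action == "permit":
                self.connections.add(
                    (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return action
        # Inbound: a reply has the recorded endpoints with source/destination swapped.
        reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reply_of in self.connections:
            return "permit"
        return check_rule_base(self.rules, p)


def run_demo():
    client, server, stranger = "192.168.1.10", "198.146.118.20", "203.0.113.9"
    traffic = [
        Packet("out", "tcp", client, 51000, server, 80),   # request to Web server
        Packet("in", "tcp", server, 80, client, 51000),    # its reply
        Packet("in", "tcp", stranger, 80, client, 3389),   # unsolicited, no request
    ]
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_filter(p) for p in traffic],
        "stateful": [stateful.filter(p) for p in traffic],
    }


if __name__ == "__main__":
    for mode, verdicts in run_demo().items():
        print(mode, verdicts)
```

The third packet is the one that separates the two modes: the stateless rule base admits it because it only looks at the source port, while the stateful filter finds no recorded connection for it.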
Designing Network Topologies
Topology: physical layout of the network devices, how they are interconnected, and how they communicate
Essential to establishing its security
Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users
Security Zones
One of the keys to mapping the topology of a network is to separate secure users from outsiders through: Demilitarized Zones (DMZs), Intranets, Extranets
Demilitarized Zones (DMZs)
Separate networks that sit outside the secure network perimeter
Outside users can access the DMZ, but cannot enter the secure network
For extra security, some networks use a DMZ with two firewalls
The types of servers that should be located in the DMZ include: Web servers, E-mail servers, Remote access servers, FTP servers
Network Address Translation (NAT)
“You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
Hides the IP addresses of network devices from attackers
Computers are assigned special IP addresses (known as private addresses)
These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
Port address translation (PAT) is a variation of NAT
Each packet is given the same IP address, but a different TCP port number
Virtual LANs (VLANs)
Segment a network with switches to divide the network into a hierarchy
Core switches reside at the top of the hierarchy and carry traffic between switches
Workgroup switches are connected directly to the devices on the network
Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
Virtual LANs (VLANs)
Segment a network by grouping similar users together
Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
Secure/MIME (S/MIME)
Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
Provides these features: Digital signatures, Interoperability, Message privacy, Seamless integration, Tamper detection
Pretty Good Privacy (PGP)
Functions much like S/MIME by encrypting messages using digital signatures
A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
First compresses the message
Reduces patterns and enhances resistance to cryptanalysis
Creates a session key (a one-time-only secret key)
This key is a number generated from random movements of the mouse and keystrokes typed
Pretty Good Privacy (PGP)
Uses a passphrase to encrypt the private key on the local computer
Passphrase: a longer and more secure version of a password
Typically composed of multiple words
More secure against dictionary attacks
Securing Web Communications
Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
One implementation is the Hypertext Transport Protocol over Secure Sockets Layer
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
SSL protocol developed by Netscape to securely transmit documents over the Internet
Uses private key to encrypt data transferred over the SSL connection
Version 2.0 is most widely supported version
Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
An extension of SSL; they are often referred to as SSL/TLS
SSL/TLS protocol is made up of two layers
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems
Secure Hypertext Transport Protocol (HTTPS)
One common use of SSL is to secure Web HTTP communication between a browser and a Web server
This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely
Tunneling Protocols
Tunneling: technique of encapsulating one packet of data within another type to create a secure link of transportation
IEEE 802.1x
Based on a standard established by the Institute for Electrical and Electronic Engineers (IEEE)
Gaining widespread popularity
Provides an authentication framework for 802-based LANs (Ethernet, Token Ring, wireless LANs)
Uses port-based authentication mechanisms
Switch denies access to anyone other than an authorized user attempting to connect to the network through that port
IEEE 802.1x (continued)
Network supporting the 802.1x protocol consists of three elements:
Supplicant: client device, such as a desktop computer or personal digital assistant (PDA), which requires secure network access
Authenticator: serves as an intermediary device between supplicant and authentication server
Authentication server: receives request from supplicant through authenticator
802.1x
802.1x is a standardized framework defined by the IEEE that is designed to provide port-based network access.
The 802.1x framework defines three roles in the authentication process:
1. Supplicant = endpoint that needs network access
2. Authenticator = switch or access point
3. Authentication Server = RADIUS, TACACS+, LDAP
The authentication process consists of exchanges of Extensible Authentication Protocol (EAP) messages between the supplicant and the authentication server.
802.1x Roles
Figure labels: Authentication Server, Authenticator, Supplicant
Microsoft Windows XP includes 802.1x supplicant support
Remote Authentication Dial-In User Service (RADIUS)
Originally defined to enable centralized authentication and access control and PPP sessions
Requests are forwarded to a single RADIUS server
Supports authentication, authorization, and auditing functions
After connection is made, RADIUS server adds an accounting record to its log and acknowledges the request
Allows company to maintain user profiles in a central database that all remote servers can share
Terminal Access Control Access Control System (TACACS+)
Industry standard protocol specification that forwards username and password information to a centralized server (TACACS)
Whereas communication between a NAS and a TACACS+ server is encrypted, communication between a client and a NAS is not
TACACS+ utilizes TCP port 49.
It is a Cisco proprietary enhancement to original TACACS protocol.
IP Security (IPSec) (continued)
IPSec is a set of protocols developed to support the secure exchange of packets
Considered to be a transparent security protocol
Transparent to applications, users, and software
Provides three areas of protection that correspond to three IPSec protocols: Authentication, Confidentiality, Key management
IP Security (IPSec) (continued)
Supports two encryption modes:
Transport mode encrypts only the data portion (payload) of each packet, yet leaves the header unencrypted
Tunnel mode encrypts both the header and the data portion
IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
The entire original packet is then treated as the data portion of the new packet
IP Security (IPSec) (continued)
Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms:
AH in transport mode
AH in tunnel mode
ESP in transport mode
ESP in tunnel mode
Virtual Private Networks (VPNs)
Takes advantage of using the public Internet as if it were a private network
Allow the public Internet to be used privately
Prior to VPNs, organizations were forced to lease expensive data connections from private carriers so employees could remotely connect to the organization’s network
Virtual Private Networks (VPNs)
Two common types of VPNs include:
Remote-access VPN or virtual private dial-up network (VPDN): user-to-LAN connection used by remote users
Site-to-site VPN: multiple sites can connect to other sites over the Internet
VPN transmissions achieved through communicating with endpoints
An endpoint can be software on a local computer, a dedicated hardware device such as a VPN concentrator, or even a firewall
Basic WLAN Security
Two areas: Basic WLAN security, Enterprise WLAN security
Basic WLAN security uses two new wireless tools and one tool from the wired world:
Service Set Identifier (SSID) beaconing
MAC address filtering
Wired Equivalent Privacy (WEP)
Service Set Identifier (SSID) Beaconing
A service set is a technical term used to describe a WLAN network
Three types of service sets: Independent Basic Service Set (IBSS), Basic Service Set (BSS), Extended Service Set (ESS)
Each WLAN is given a unique SSID
MAC Address Filtering
Another way to harden a WLAN is to filter MAC addresses
The MAC address of approved wireless devices is entered on the AP
A MAC address can be spoofed
When wireless device and AP first exchange packets, the MAC address of the wireless device is sent in plaintext, allowing an attacker with a sniffer to see the MAC address of an approved device
Wired Equivalent Privacy (WEP)
Optional configuration for WLANs that encrypts packets during transmission to prevent attackers from viewing their contents
Uses shared keys―the same key for encryption and decryption must be installed on the AP, as well as each wireless device
A serious vulnerability in WEP is that the IV is not properly implemented
Every time a packet is encrypted it should be given a unique IV
Other Wireless Authentication Protocols
Wi-Fi Protected Access (WPA)
The TKIP encryption algorithm was developed for WPA to provide improvements to WEP
WPA2
WiFi Alliance branded version of the final 802.11i standard
WPA2 supports EAP authentication methods using RADIUS servers and preshared key (PSK) based security
802.1X, LEAP, PEAP, TKIP
Untrusted Network
The basic WLAN security of SSID beaconing, MAC address filtering, and WEP encryption is not secure enough for an organization to use
One approach to securing a WLAN is to treat it as an untrusted and unsecure network
Requires that the WLAN be placed outside the secure perimeter of the trusted network
Trusted Network (continued)
WPA encryption addresses the weaknesses of WEP by using the Temporal Key Integrity Protocol (TKIP)
TKIP mixes keys on a per-packet basis to improve security
Although WPA provides enhanced security, the IEEE 802.11i solution is even more secure
802.11i is expected to be released sometime in 2004
Cryptography Terminology
Cryptography: science of transforming information so it is secure while being transmitted or stored
Steganography: attempts to hide existence of data
Encryption: changing the original text to a secret message using cryptography
Cryptography Terminology
Decryption: reverse process of encryption
Algorithm: process of encrypting and decrypting information based on a mathematical procedure
Key: value used by an algorithm to encrypt or decrypt a message
Cryptography Terminology
Weak key: mathematical key that creates a detectable pattern or structure
Plaintext: original unencrypted information (also known as clear text)
Cipher: encryption or decryption algorithm tool used to create encrypted or decrypted text
Ciphertext: data that has been encrypted by an encryption algorithm
Defining Hashing
Hashing, also called a one-way hash, creates a ciphertext from plaintext
Cryptographic hashing follows this same basic approach
Hash algorithms verify the accuracy of a value without transmitting the value itself and subjecting it to attacks
A practical use of a hash algorithm is with automatic teller machine (ATM) cards
Defining Hashing (continued)
Hashing is typically used in two ways:
To determine whether a password a user enters is correct without transmitting the password itself
To determine the integrity of a message or contents of a file
Hash algorithms are considered very secure if the hash that is produced has the characteristics listed on pages 276 and 277 of the text
Message Digest (MD)
Message digest 2 (MD2) takes plaintext of any length and creates a hash 128 bits long
MD2 divides the message into 128-bit sections
If the message is less than 128 bits, data known as padding is added
Message digest 4 (MD4) was developed in 1990 for computers that processed 32 bits at a time
Takes plaintext and creates a hash of 128 bits
The plaintext message itself is padded to a length of 512 bits
Message Digest (MD)
Message digest 5 (MD5) is a revision of MD4 designed to address its weaknesses
The length of a message is padded to 512 bits
The hash algorithm then uses four variables of 32 bits each in a round-robin fashion to create a value that is compressed to generate the hash
Secure Hash Algorithm (SHA)
Patterned after MD4 but creates a hash that is 160 bits in length instead of 128 bits
The longer hash makes it more resistant to attacks
SHA pads messages less than 512 bits with zeros and an integer that describes the original length of the message
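The padding and the 160-bit output described above, as an added example that is not part of the original slides. It assumes the 160-bit SHA meant here is SHA-1 and implements it from the published algorithm so the padding step is visible; the function names are hypothetical, and the result is checked against Python's hashlib:

```python
import hashlib
import hmac
import struct


def md_pad(message: bytes) -> bytes:
    """Pad a message to a multiple of 512 bits (64 bytes).

    Layout: the message, a single 1 bit (byte 0x80), zero bytes, then the
    original length in bits as a 64-bit big-endian integer.
    """
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_length)


def _rotl(value: int, count: int) -> int:
    """Rotate a 32-bit word left."""
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def sha1_hex(message: bytes) -> str:
    # Five 32-bit chaining variables: 5 x 32 = 160 bits of output
    # (MD4 and MD5 use four such variables, hence their 128-bit hashes).
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = md_pad(message)
    for offset in range(0, len(data), 64):          # one 512-bit block at a time
        w = list(struct.unpack(">16I", data[offset:offset + 64]))
        for i in range(16, 80):                     # expand 16 words to 80
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return "".join(f"{word:08x}" for word in h)


def contents_unchanged(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the hash and compare it with the stored one."""
    return hmac.compare_digest(sha1_hex(data), expected_hex.lower())


if __name__ == "__main__":
    sample = b"constructed sample message"          # constructed input
    stored = sha1_hex(sample)
    print(len(md_pad(sample)) * 8, "bits after padding")
    print(stored, "matches hashlib:", stored == hashlib.sha1(sample).hexdigest())
    print("tampered copy accepted:", contents_unchanged(sample + b"!", stored))
```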
Protecting with Symmetric Encryption Algorithms
A block cipher manipulates an entire block of plaintext at one time
The plaintext message is divided into separate blocks of 8 to 16 bytes and then each block is encrypted independently
The blocks can be randomized for additional security
Data Encryption Standard (DES)
One of the most popular symmetric cryptography algorithms
DES is a block cipher and encrypts data in 64-bit blocks
The 8-bit parity bit is ignored so the effective key length is only 56 bits
DES encrypts 64-bit plaintext by executing the algorithm 16 times
The four modes of DES encryption are summarized on pages 282 and 283
Triple Data Encryption Standard (3DES)
Uses three rounds of encryption instead of just one
The ciphertext of one round becomes the entire input for the second iteration
Employs a total of 48 iterations in its encryption (3 iterations times 16 rounds)
The most secure versions of 3DES use different keys for each round
Advanced Encryption Standard (AES)
Approved by the NIST in late 2000 as a replacement for DES
Process began with the NIST publishing requirements for a new symmetric algorithm and requesting proposals
Requirements stated that the new algorithm had to be fast and function on older computers with 8-bit, 32-bit, and 64-bit processors
Advanced Encryption Standard (AES)
Performs three steps on every block (128 bits) of plaintext
Within step 2, multiple rounds are performed depending upon the key size:
128-bit key performs 9 rounds
192-bit key performs 11 rounds
256-bit key uses 13 rounds
Hardening with Asymmetric Encryption Algorithms
The primary weakness of symmetric encryption algorithms is keeping the single key secure
This weakness, known as key management, poses a number of significant challenges
Asymmetric encryption (or public key cryptography) uses two keys instead of one
The private key typically is used to encrypt the message
The public key decrypts the message
Rivest Shamir Adleman (RSA)
Asymmetric algorithm published in 1977 and patented by MIT in 1983
Most common asymmetric encryption and authentication algorithm
Included as part of the Web browsers from Microsoft and Netscape as well as other commercial products
Multiplies two large prime numbers
Diffie-Hellman
Unlike RSA, the Diffie-Hellman algorithm does not encrypt and decrypt text
Strength of Diffie-Hellman is that it allows two users to share a secret key securely over a public network
Once the key has been shared, both parties can use it to encrypt and decrypt messages using symmetric cryptography
Elliptic Curve Cryptography
First proposed in the mid-1980s
Instead of using prime numbers, uses elliptic curves
An elliptic curve is a function drawn on an X-Y axis as a gently curved line
By adding the values of two points on the curve, you can arrive at a third point on the curve
Understanding How to Use Cryptography
Cryptography can provide a major defense against attackers
If an e-mail message or data stored on a file server is encrypted, even a successful attempt to steal that information will be of no benefit if the attacker cannot read it
Understanding Cryptography Strengths and Vulnerabilities
Cryptography is the science of “scrambling” data so it cannot be viewed by unauthorized users, making it secure while being transmitted or stored
When the recipient receives encrypted text or another user wants to access stored information, it must be decrypted with the cipher and key to produce the original plaintext
Symmetric Cryptography Strengths and Weaknesses
Identical keys are used to both encrypt and decrypt the message
Popular symmetric cipher algorithms include Data Encryption Standard, Triple Data Encryption Standard, Advanced Encryption Standard, Rivest Cipher, International Data Encryption Algorithm, and Blowfish
Disadvantages of symmetric encryption relate to the difficulties of managing the private key
Asymmetric Cryptography Strengths and Vulnerabilities
With asymmetric encryption, two keys are used instead of one
The private key encrypts the message
The public key decrypts the message
Digital Signatures
Asymmetric encryption allows you to use either the public or private key to encrypt a message; the receiver uses the other key to decrypt the message
A digital signature helps to prove that:
The person sending the message with a public key is who they claim to be
The message was not altered
It cannot be denied the message was sent
Digital Certificates
Digital documents that associate an individual with its specific public key
Data structure containing a public key, details about the key owner, and other optional information that is all digitally signed by a trusted third party
Certification Authority (CA)
The owner of the public key listed in the digital certificate can be identified to the CA in different ways
By their e-mail address
By additional information that describes the digital certificate and limits the scope of its use
Revoked digital certificates are listed in a Certificate Revocation List (CRL), which can be accessed to check the certificate status of other users
Certification Authority (CA)
The CA must publish the certificates and CRLs to a directory immediately after a certificate is issued or revoked so users can refer to this directory to see changes
Can provide the information in a publicly accessible directory, called a Certificate Repository (CR)
Some organizations set up a Registration Authority (RA) to handle some CA tasks, such as processing certificate requests and authenticating users
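The signature and certificate checks described above, as an added example that is not part of the original slides: a CA signs a certificate binding a subject to a public key, and a receiver accepts a signed message only if the certificate verifies against the CA's key and its serial number is not on the CRL. The RSA here is a toy (fixed primes, no padding) used only to keep the example self-contained; every name and sample value is constructed.

```python
import hashlib

# Toy RSA for illustration only: fixed Mersenne primes and no padding.
# Real systems use a vetted library and keys of 2048 bits or more.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    """SHA-256 of the data, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    """Private key operation: only the key owner can produce this value."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):
    """Public key operation: anyone can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public, serial):
    return f"{serial}|{subject}|{public[0]}|{public[1]}".encode()

def issue_cert(subject, public, serial, ca_private):
    """The CA binds a subject to a public key by signing both."""
    return {"subject": subject, "public": public, "serial": serial,
            "ca_sig": sign(cert_body(subject, public, serial), ca_private)}

def cert_is_valid(cert, ca_public, crl):
    """Accept only certificates signed by the CA and absent from the CRL."""
    body = cert_body(cert["subject"], cert["public"], cert["serial"])
    return verify(body, cert["ca_sig"], ca_public) and cert["serial"] not in crl

# Constructed sample data: one CA, one user, one signed message.
ca_pub, ca_priv = make_keypair(2**61 - 1, 2**89 - 1)
alice_pub, alice_priv = make_keypair(2**107 - 1, 2**127 - 1)
alice_cert = issue_cert("alice@example.com", alice_pub, 1001, ca_priv)
message = b"Transfer approved"
signature = sign(message, alice_priv)

def check_message(data, sig, cert, crl):
    """Receiver's check: trusted certificate first, then the signature."""
    return cert_is_valid(cert, ca_pub, crl) and verify(data, sig, cert["public"])
```

An altered message, a certificate signed by anyone other than the CA, and a certificate whose serial number appears on the CRL are all rejected by `check_message`.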
Understanding Public Key Infrastructure (PKI)
Weaknesses associated with asymmetric cryptography led to the development of PKI
A CA is an important trusted party who can sign and issue certificates for users
Some of its tasks can also be performed by a subordinate function, the RA
Updated certificates and CRLs are kept in a CR for users to refer to
The Need for PKI
Description of PKI
Manages keys and identity information required for asymmetric cryptography, integrating digital certificates, public key cryptography, and CAs
For a typical enterprise:
Provides end-user enrollment software
Integrates corporate certificate directories
Manages, renews, and revokes certificates
Provides related network services and security
Typically consists of one or more CA servers and digital certificates that automate several tasks
PKI Standards and Protocols
A number of standards have been proposed for PKI:
Public Key Cryptography Standards (PKCS)
X.509 certificate standards
Public Key Cryptography Standards (PKCS)
Numbered set of standards that have been defined by the RSA Corporation since 1991
Composed of 15 standards detailed on pages 318 and 319 of the text
X.509 Digital Certificates
X.509 is an international standard defined by the International Telecommunication Union (ITU) that defines the format for the digital certificate
Most widely used certificate format for PKI
X.509 is used by Secure Sockets Layer (SSL)/Transport Layer Security (TLS), IP Security (IPSec), and Secure/Multipurpose Internet Mail Extensions (S/MIME)
X.509 Digital Certificates
Trust Models
Refers to the type of relationship that can exist between people or organizations
In the direct trust, a personal relationship exists between two individuals
Third-party trust refers to a situation in which two individuals trust each other only because each individually trusts a third party
The three different PKI trust models are based on direct and third-party trust
Hardening Physical Security with Access Controls
Adequate physical security is one of the first lines of defense against attacks
Protects equipment and the infrastructure itself
Has one primary goal: to prevent unauthorized users from reaching equipment to use, steal, or vandalize
Hardening Physical Security with Access Controls
Configure an operating system to enforce access controls through an access control list (ACL), a table that defines the access rights each subject has to a folder or file
ACLs are also configured on network devices to permit or deny packets to the network.
Access control also refers to restricting physical access to computers or network devices
Controlling Access with Physical Barriers
Most servers are rack-mounted servers
A rack-mounted server is 1.75 inches (4.45 cm) tall and can be stacked with up to 50 other servers in a closely confined area
Rack-mounted units are typically connected to a KVM (keyboard, video, mouse) switch, which in turn is connected to a single monitor, mouse, and keyboard
Controlling Access with Physical Barriers
In addition to securing a device itself, you should also secure the room containing the device
Two basic types of door locks require a key:
A preset lock (key-in-knob lock) requires only a key for unlocking the door from the outside
A deadbolt lock extends a solid metal bar into the door frame for extra security
To achieve the most security when using door locks, observe the good practices listed on pages 345 and 346 of the text
Controlling Access with Physical Barriers
Cipher locks are combination locks that use buttons you push in the proper sequence to open the door
Can be programmed to allow only the code of certain people to be valid on specific dates and times
Basic models can cost several hundred dollars each while advanced models can run much higher
Users must be careful to conceal which buttons they push to avoid someone seeing the combination (shoulder surfing)
Limiting Wireless Signal Range
Use the following techniques to limit the wireless signal range:
Relocate the access point
Add directional antenna
Reduce power
Cover the device
Modify the building
Reducing the Risk of Fires
Systems can be classified as:
Water sprinkler systems that spray the room with pressurized water
Dry chemical systems that disperse a fine, dry powder over the fire
Clean agent systems that do not harm people, documents, or electrical equipment in the room
Types of Security Policies
Acceptable Use Policy (AUP)
Defines what actions users of a system may perform while using computing and networking equipment
Should have an overview regarding what is covered by this policy
Unacceptable use should also be outlined
Understanding Identity Management (continued)
Four key elements:
Single sign-on (SSO)
Password synchronization
Password resets
Access management
Understanding Identity Management (continued)
SSO allows a user to log on one time to a network or system and access multiple applications and systems based on that single password
Password synchronization also permits a user to use a single password to log on to multiple servers
Instead of keeping a repository of user credentials, password synchronization ensures the password is the same for every application to which a user logs on
Understanding Identity Management (continued)
Password resets reduce costs associated with password-related help desk calls
Identity management systems let users reset their own passwords and unlock their accounts without relying on the help desk
Access management software controls who can access the network while managing the content and business that users can perform while online
Auditing Privileges
You should regularly audit the privileges that have been assigned
Without auditing, it is impossible to know if users have been given too many unnecessary privileges and are creating security vulnerabilities
Usage Audit
Process of reviewing activities a user has performed on the system or network
Provides a detailed history of every action, the date and time, the name of the user, and other information
Privilege Audit
Reviews privileges that have been assigned to a specific user, group, or role
Begins by developing a list of the expected privileges of a user
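A privilege audit along the lines described above, as an added example that is not part of the original slides: it resolves each user's effective privileges from direct grants and (possibly nested) group membership, then compares them with the expected list. The users, groups and privilege names are constructed sample data.

```python
# Constructed sample data: privileges per group, nested group membership,
# direct grants, and the expected-privilege list drawn up before the audit.
GROUP_PRIVS = {
    "staff": {"read:shared"},
    "helpdesk": {"reset:password"},
    "admins": {"write:shared", "manage:users"},
}
GROUP_PARENTS = {"helpdesk": {"staff"}, "admins": {"helpdesk"}}
USER_GROUPS = {"jsmith": {"helpdesk"}, "mlee": {"admins"}}
USER_DIRECT = {"jsmith": {"manage:users"}, "mlee": set()}
EXPECTED = {
    "jsmith": {"read:shared", "reset:password"},
    "mlee": {"read:shared", "reset:password", "write:shared", "manage:users"},
}

def expand_groups(groups, parents):
    """Follow nested group membership; the seen set tolerates cycles."""
    seen, stack = set(), list(groups)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(parents.get(group, ()))
    return seen

def effective_privileges(user):
    """Union of direct grants and everything inherited through groups."""
    privs = set(USER_DIRECT.get(user, ()))
    for group in expand_groups(USER_GROUPS.get(user, ()), GROUP_PARENTS):
        privs |= GROUP_PRIVS.get(group, set())
    return privs

def privilege_audit(users):
    """Return {user: {"excess": ..., "missing": ...}} for users that deviate."""
    findings = {}
    for user in users:
        actual = effective_privileges(user)
        expected = EXPECTED.get(user, set())
        if actual != expected:
            findings[user] = {"excess": actual - expected,
                              "missing": expected - actual}
    return findings
```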
Escalation Audits
Reviews of usage audits to determine if privileges have unexpectedly escalated
Privilege escalation attack: attacker attempts to escalate her privileges without permission
Certain programs on Mac OS X use a special area in memory called an environment variable to determine where to write certain information