Source PDF: box.cs.istu.ru/public/docs/admin/hack-security/internet/toc.pdf (production slug: p1vPHCP nhb1 Internet Security Pro Ref 557-7 angela 2-2-96 FM LP#4)

Professional Reference

New Riders Publishing, Indianapolis, IN

Derek Atkins

Paul Buis

Chris Hare

Robert Kelley

Carey Nachenberg

Anthony B. Nelson

Paul Phillips

Tim Ritchey

William Steen

INTERNET SECURITY


ii Internet Security Professional Reference

Acquisitions Editor: Mary Foote

Development Editor: Ian Sheeler

Project Editor: John Sleeva

Copy Editors: Peter Kuhns, Catherine Manship, Angie Trzepacz, Phil Worthington

Technical Editors: John Fisher, Paul Nelson, Tom Peltier, Michael Van Biesbrouck

Associate Marketing Manager: Tamara Apple

Acquisitions Coordinator: Stacia Mellinger

Publisher's Assistant: Karen Opal

Cover Designer: Karen Ruggles

Book Designer: Sandra Schroeder

Production Manager: Kelly D. Dobbs

Production Team Supervisor: Laurie Casey

Graphics Image Specialists: Clint Lahnen, Laura Robbins

Production Analysts: Jason Hand, Bobbi Satterfield

Production Team: Heather Butler, Angela Calvert, Kim Cofer, Tricia Flodder, Aleata Howard, Erika Millen, Beth Rago, Regina Rexrode, Erich Richter, Jenny Shoemake, Christine Tyner, Karen Walsh

Indexers: Christopher Cleveland, Tom Dinse

Internet Security Professional Reference
By Derek Atkins, Paul Buis, Chris Hare, Robert Kelley, Carey Nachenberg, Anthony B. Nelson, Paul Phillips, Tim Ritchey, and William Steen

Published by:
New Riders Publishing
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Copyright 1996 by New Riders Publishing

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Warning and Disclaimer
This book is designed to provide information about Internet security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the disks or programs that may accompany it.

Publisher Don Fowley

Publishing Manager Emmett Dulaney

Marketing Manager Ray Robinson

Managing Editor Carla Hall


About the Authors

Derek Atkins grew up in Beachwood, Ohio, and graduated from Beachwood City Schools. He followed that with schooling at MIT in Cambridge, Massachusetts. While working toward his B.S. degree, Derek became interested in computer security. He started working with Kerberos, PGP, and other security systems before he graduated. After receiving his degree, he went to the MIT Media Laboratory for his M.S. degree in Media Arts and Sciences. His security background was used in his thesis, a payment system based on digital movie tickets. Today, Derek works at Sun Microsystems, programming the next generation of system security applications.

Paul Buis started life in Kalamazoo, Michigan, moved about in the midwest, and met his wife-to-be in a high school German class. Paul attended Hope College in Holland, Michigan, where he majored in Physics and Mathematics. Hope graduated him magna cum laude and elected him to Phi Beta Kappa, a Liberal Arts honorary; Sigma Pi Sigma, a Physics honorary; and Pi Mu Epsilon, a Mathematics honorary. After marrying his wife, Barbara, Paul went to Purdue University where he received M.S. degrees in both Mathematics and Computer Science.

While attending Purdue, Paul was the software architect for a firm that sold veterinary cardiology systems to automatically diagnose heart problems in dogs and cats. Eventually, Paul completed his doctoral work in computer science at Purdue and got a real job as a professor in the Computer Science Department at Ball State University in Muncie, Indiana. He is also an instructor for the Technology Exchange Company, located in Reading, Massachusetts, which sends him around the country to give workshops on TCP/IP networking, the X Window system, C++ programming, and Unix system administration.

Paul and Barbara are the parents of three delightful children: Daniel, Jennifer, and Thomas.

Chris Hare is the Production Services Manager for a Canadian national Internet Service Provider, iSTAR internet. He started working in computer-based technology in 1986, after studying health sciences. Since that time, he has worked in programming, system administration, quality assurance, training, network management, consulting, and technical management positions.

Chris has taught Unix courses all over the world, for his previous employers and for SCO. As a professional writer, Chris has authored almost 20 articles for Sys Admin magazine, and coauthored several books for New Riders, including Inside Unix, Internet Firewalls and Network Security, and Building an Internet Server with Linux.

Chris lives in Ottawa, Canada, with his wife Terri and their children Meagan and Matthew.

Robert Kelley is currently a software engineer in the networking lab of Hewlett-Packard, supporting network security and Internet services. He has held a variety of positions in marketing, support, and development. His educational background includes a B.S. degree in Electrical Engineering from San Jose State University, an M.S. degree in Computer Science from California State University at Hayward, and graduate work at Santa Clara University. Mr. Kelley has written a number of white papers on topics ranging from disk drive manufacturing to microwave communications. He has created and presented training to classes in Asia, Europe, and the United States, including video productions and live broadcast seminars. He created the [email protected] mail alias and has written many of HP's security bulletins. His current interests include compilers, cryptography, and data compression.

Carey Nachenberg is a senior software engineer at Symantec Corporation. He researches, designs, and develops new antivirus technologies for the award-winning Norton Antivirus line of products. Mr. Nachenberg has worked at Symantec for five years as a software engineer and architect on Norton Commander, Norton Desktop for DOS, and Norton Antivirus. He holds B.S. and M.S. degrees in Computer Science and Engineering from the University of California at Los Angeles. His master's thesis covers the topic of polymorphic computer virus detection.


Anthony B. Nelson is a management consultant specializing in information security and business automation. A regular contributor to the IT security industry, Mr. Nelson has 26 years of experience in the field, including regular speaking engagements at international conferences on information security and auditing issues. He has worked with a wide range of applications, from business and government accounting to technical applications such as Electronic and Mechanical Computer Assisted Drafting. He has worked on a variety of standard and proprietary platforms, including Unix, Microsoft Windows NT, PC DOS, Windows, and various networks.

Mr. Nelson has been involved in the security architecture design for a major West Coast utility. In addition, he designed their information security policy and developed their security implementation. The environment is an integrated network running Banyan Vines, TCP/IP, DecNet, Appletalk, and SNA. Other security projects have included disaster recovery projects, internetwork file transfer security, and reviews of security for, and intrusion testing of, Internet firewalls.

Recently, Mr. Nelson has been involved with corporate internal audit departments investigating IT-related problems. These have involved intrusion tracing to determine the source of system crashes and file damage, as well as fraud investigations in which the computer was the main point of attack. He has been involved in intrusion testing of client/server applications to determine the security holes that must be protected. Where companies have been involved in remote communication, he has reviewed remote dial-up security and looked into single point of sign-on solutions. Finally, he recently reviewed SCADA application security for master stations connected to the corporate LAN/WAN.

Mr. Nelson also has software project management experience. Project supervision has ranged from the initial systems analysis to programming, debugging, implementation, training, and after-sales support for the applications. Direct participation in each of the phases has resulted in a firm understanding of the problems and pitfalls throughout the entire development cycle. In these projects, Mr. Nelson has been involved with implementing security at the computer hardware level, the operating system level, and the application level.

Paul Phillips is a programmer and author currently residing in San Diego, California.

Tim Ritchey received his honors B.S. from Ball State University in Physics and Anthropology and is currently working toward his Ph.D. in Archaeology from Cambridge University, England. He has worked on artificial intelligence, high-performance parallel architectures, and computer vision. His honors thesis was the development of an inexpensive 3D scanner using structured lighting. Present interests include artificial intelligence, distributed computing, VRML, and Java. His Ph.D. includes adapting non-linear dynamics and artificial intelligence techniques to archaeological theory. In addition to computing and archaeology, he enjoys scuba diving, flying, and riding his Harley Davidson motorcycle.

William Steen owns and operates a consulting firm specializing in networking small businesses and local governmental agencies. He also works for BI Inc. as a senior customer support representative. He is the author of Managing the NetWare 3.x Server and NetWare Security, and a contributing author for Implementing Internet Security, published by New Riders.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.


Contents at a Glance

Introduction  1

Part I: Managing Internet Security
  1 Understanding TCP/IP  5
  2 Understanding and Creating Daemons  49
  3 Using UUCP  95
  4 Audit Trails  145
  5 RFC 1244—The Site Security Handbook  169

Part II: Gaining Access and Securing the Gateway
  6 IP Spoofing and Sniffing  257
  7 How to Build a Firewall  317
  8 SATAN and the Internet Inferno  429
  9 Kerberos  535

Part III: Messaging: Creating a Secure Channel
  10 Encryption Overview  615
  11 PGP  633

Part IV: Modern Concerns
  12 Java Security  693
  13 CGI Security  731
  14 Viruses  751

Part V: Appendixes
  A Security Information Sources  845
  B Internet Security References  849

Index  855


Table of Contents

Introduction  1

Part I: Managing Internet Security

1 Understanding TCP/IP  5
  The History of TCP/IP  6
  Exploring Addresses, Subnets, and Hostnames  7
    Address Classes  8
    Subnets  9
    Hostnames  12
  Working with Network Interfaces  14
    Configuration Using ifconfig  15
  Reviewing the Network Configuration Files  17
    The /etc/hosts File  17
    The /etc/ethers File  18
    The /etc/networks File  18
    The /etc/protocols File  19
    The /etc/services File  19
    The /etc/inetd.conf File  20
  Understanding the Network Access Files  21
    The /etc/hosts.equiv File  21
    The .rhosts File  21
    User and Host Equivalency  21
  Examining TCP/IP Daemons  23
    The slink Daemon  23
    The ldsocket Daemon  23
    The cpd Daemon  23
    The Line Printer Daemon (lpd)  23
    The SNMP Daemon (snmpd)  24
    The RARP Daemon (rarpd)  24
    The BOOTP Daemon (bootpd)  24
    The ROUTE Daemon (routed)  24
    The Domain Name Service Daemon (named)  25
    The System Logger Daemon (syslogd)  26
    Inetd—The Super-Server  26
    The RWHO Daemon (rwhod)  26


  Exploring TCP/IP Utilities  26
    Administration Commands  27
    User Commands  40

2 Understanding and Creating Daemons  49
  What Is a Daemon?  50
  Examining the System Daemons  55
    init  55
    swapper  55
    update and bdflush  55
    lpd  56
    lpsched  56
    cpd and sco_cpd (SCO)  56
    cron  56
    syslog  57
    sendmail  58
    getty  59
    rlogind  59
    deliver  59
    inetd  59
    routed  59
    nfsd  60
    mountd  60
    pcnfsd  60
    statd, rpc.statd  60
    lockd, rpc.lockd  60
  Creating Daemons with the Bourne Shell  61
    Handling Input and Output  61
    Handling Messages  62
    Handling Signals  62
    The dfmon Program  64
  Creating Daemons with PERL  65
    Handling Input and Output  66
    Handling Signals  67
    The procmon Program  67
  Unix Run Levels  71
  Program Listings  74
    Listing 2.1—The dfmon Program  74
    Listing 2.2—The dfmon Configuration File  78
    Listing 2.3—The procmon Command  82
    Listing 2.4—The procmon.cfg File  94


3 Using UUCP  95
  The History of UUCP  96
  The UUCP Network  98
    How UUCP Works  99
  Naming Your Host  100
    The Naming Process  101
  The System V Basic Networking Utilities UUCP  101
    UUCP File Layout  102
    Configuring UUCP  103
    Testing the Connection  106
    The Dialers File  106
    The Systems File  108
  The UUCP Chat Script  111
    Testing the Connection—Using uucico  114
    Permissions File  118
    Allowing Anonymous UUCP Access  123
    UUCP Log Files  124
    Maintenance  126
  Configuring Version 2 UUCP  128
    What Is Version 2 UUCP?  128
    File Layout  128
    Configuring UUCP  129
    The L-devices File  129
    Testing the Connection  130
    The L.sys File  131
    Testing the Connection with uucico  133
    Version 2 Permissions  134
    Log Files  137
    Maintenance  138
  Configuring UUCP over TCP/IP  139
  Code Listings  140
    Listing 3.1—gtimes.c  140
    Listing 3.2—genUSER  142

4 Audit Trails  145
  Audit Trails under Unix  146
    Common Unix Logs  146
    Process Accounting  153
    Useful Utilities in Auditing  155
    Other Reporting Tools Available Online  158


  Audit Trails under Windows NT  160
    Using the Event Viewer  161
    Logging the ftp Server Service  162
    Logging httpd Transactions  163
    Logging by Other TCP/IP Applications under NT  163
  Audit Trails under DOS  164
    PC/DACS  164
    Watchdog  165
    LOCK  165
  Using System Logs to Discover Intruders  165
    Common Break-In Indications  165
    Potential Problems  166

5 RFC 1244—The Site Security Handbook  169
  Contributing Authors  170
  1. Introduction  170
    1.1 Purpose of this Work  170
    1.2 Audience  171
    1.3 Definitions  171
    1.4 Related Work  171
    1.5 Scope  172
    1.6 Why Do We Need Security Policies and Procedures?  172
    1.7 Basic Approach  174
    1.8 Organization of this Document  174
  2. Establishing Official Site Policy on Computer Security  175
    2.1 Brief Overview  175
    2.2 Risk Assessment  177
    2.3 Policy Issues  179
    2.4 What Happens When the Policy is Violated  184
    2.5 Locking In or Out  186
    2.6 Interpreting the Policy  187
    2.7 Publicizing the Policy  188
  3. Establishing Procedures to Prevent Security Problems  188
    3.1 Security Policy Defines What Needs to be Protected  188
    3.2 Identifying Possible Problems  189
    3.3 Choose Controls to Protect Assets in a Cost-Effective Way  190
    3.4 Use Multiple Strategies to Protect Assets  191
    3.5 Physical Security  191
    3.6 Procedures to Recognize Unauthorized Activity  191
    3.7 Define Actions to Take When Unauthorized Activity is Suspected  193


3.8 Communicating Security Policy .......................................................... 1933.9 Resources to Prevent Security Breaches................................................ 197

4. Types of Security Procedures ...................................................................... 2144.1 System Security Audits ........................................................................ 2144.2 Account Management Procedures ....................................................... 2154.3 Password Management Procedures ...................................................... 2154.4 Configuration Management Procedures .............................................. 217

5. Incident Handling...................................................................................... 2185.1 Overview ............................................................................................. 2185.2 Evaluation ........................................................................................... 2225.3 Possible Types of Notification ............................................................. 2245.4 Response ............................................................................................. 2265.5 Legal/Investigative ............................................................................... 2295.6 Documentation Logs ........................................................................... 232

6. Establishing Post-Incident Procedures .......... 232
6.1 Overview .......... 232
6.2 Removing Vulnerabilities .......... 233
6.3 Capturing Lessons Learned .......... 234
6.4 Upgrading Policies and Procedures .......... 235

7. References .......... 236
8. Annotated Bibliography .......... 237

8.1 Computer Law .......... 238
8.2 Computer Security .......... 239
8.3 Ethics .......... 244
8.4 The Internet Worm .......... 246
8.5 National Computer Security Center (NCSC) .......... 248
8.6 Security Checklists .......... 251
8.7 Additional Publications .......... 251

9. Acknowledgments .......... 253
10. Security Considerations .......... 253
11. Authors’ Addresses .......... 253

Part II: Gaining Access and Securing the Gateway

6 IP Spoofing and Sniffing 257
Sniffing .......... 258

Sniffing: How It Is Done .......... 258
Sniffing: How It Threatens Security .......... 260
Protocol Sniffing: A Case Study .......... 262
Sniffing: How to Prevent It .......... 265
Hardware Barriers .......... 266
Avoiding Transmission of Passwords .......... 274


Spoofing .......... 279
Hardware Address Spoofing .......... 279
ARP Spoofing .......... 281
Preventing an ARP Spoof .......... 284
Sniffing Case Study Revisited .......... 287
Detecting an ARP Spoof .......... 288
Spoofing the IP Routing System .......... 293
ICMP-Based Route Spoofing .......... 293
Misdirecting IP Datagrams from Hosts .......... 297
Preventing Route Spoofing .......... 298
A Case Study Involving External Routing .......... 300
Spoofing Domain Name System Names .......... 301
Spoofing TCP Connections .......... 309

7 How to Build a Firewall 317
The TIS Firewall Toolkit .......... 318

Understanding TIS .......... 318
Where to Get TIS Toolkit .......... 319
Compiling under SunOS 4.1.3 and 4.1.4 .......... 320
Compiling under BSDI .......... 320
Installing the Toolkit .......... 321

Preparing for Configuration .......... 322
Configuring TCP/IP .......... 326

IP Forwarding .......... 326
The netperm Table .......... 328
Configuring netacl .......... 329

Connecting with netacl .......... 331
Restarting inetd .......... 333

Configuring the Telnet Proxy .......... 333
Connecting through the Telnet Proxy .......... 336
Host Access Rules .......... 337
Verifying the Telnet Proxy .......... 338

Configuring the rlogin Gateway .......... 339
Connecting through the rlogin Proxy .......... 342
Host Access Rules .......... 342
Verifying the rlogin Proxy .......... 343

Configuring the FTP Gateway .......... 343
Host Access Rules .......... 345
Verifying the FTP Proxy .......... 346
Connecting through the FTP Proxy .......... 347
Allowing FTP with netacl .......... 348


Configuring the Sendmail Proxy: smap and smapd .......... 348
Installing the smap Client .......... 349
Configuring the smap Client .......... 349
Installing the smapd Application .......... 351
Configuring the smapd Application .......... 351
Configuring DNS for smap .......... 353

Configuring the HTTP Proxy .......... 354
Non-Proxy Aware HTTP Clients .......... 355
Using a Proxy Aware HTTP Client .......... 356
Host Access Rules .......... 357

Configuring the X Windows Proxy .......... 359
Understanding the Authentication Server .......... 360

The Authentication Database .......... 362
Adding Users .......... 364
The Authentication Shell—authmgr .......... 368
Database Management .......... 368
Authentication at Work .......... 370

Using plug-gw for Other Services .......... 372
Configuring plug-gw .......... 372
plug-gw and NNTP .......... 373
plug-gw and POP .......... 376

The Companion Administrative Tools .......... 378
portscan .......... 378
netscan .......... 379
Reporting Tools .......... 380

Where to Go for Help .......... 389
Sample netperm-table File .......... 390
Manual Reference Pages .......... 394

Authmgr—Network Authentication Client Program .......... 394
authsrv—Network Authentication Third-Party Daemon .......... 395
ftp-gw—FTP Proxy Server .......... 402
http-gw—Gopher/HTTP Proxy .......... 406
login-sh—Authenticating Login Shell .......... 412
netacl—TCP Network Access Control .......... 414
plug-gw—Generic TCP Plugboard Proxy .......... 416
rlogin-gw—rlogin Proxy Server .......... 418
smap—Sendmail Wrapper Client .......... 420
smapd—Sendmail Wrapper Daemon .......... 421
tn-gw—telnet Proxy Server .......... 423
x-gw—X Gateway Service .......... 426


8 SATAN and the Internet Inferno 429
The Nature of Network Attacks .......... 431

Internet Threat Levels (ITL) .......... 432
Common Attack Approaches .......... 435
An Overview of Holes .......... 438
Learning about New Security Holes .......... 443

Thinking Like an Intruder .......... 445
Gathering Information on Systems .......... 445
Know the Code .......... 465
Try All Known Problems .......... 466
Match Vulnerabilities with Opportunities .......... 466
Look for Weak Links .......... 467
Summarize the Remote Network Attack .......... 467
Automate the Search .......... 467

The First Meeting with SATAN .......... 468
History .......... 468
The Creators .......... 469
Comparison to Other Tools .......... 470
Vendor Reactions .......... 470
Long-Term Impact .......... 470

Detecting SATAN .......... 471
Courtney .......... 471
Gabriel .......... 471
TCP Wrappers .......... 471
netlog/TAMU .......... 472
Argus .......... 472

Using Secure Network Programs .......... 472
Kerberos .......... 472
Secure Shell (ssh) .......... 474

SSL .......... 474
Firewalls .......... 475

Investigating What SATAN Does .......... 477
SATAN’s Information Gathering .......... 477
Vulnerabilities that SATAN Investigates .......... 478
Other Network Vulnerabilities .......... 488
Investigating IP Spoofing .......... 492
Examining Structural Internet Problems .......... 495

Rendezvous with SATAN .......... 499
Getting SATAN .......... 499
Examining the SATAN Files .......... 500


Building SATAN .......... 513
Using SATAN’s HTML Interface .......... 514
Running a Scan .......... 524
Understanding the SATAN Database Record Format .......... 525
Understanding the SATAN Rulesets .......... 529
Extending SATAN .......... 532
Long-Term Benefits of Using SATAN .......... 534

Works Cited .......... 534

9 Kerberos 535
How Kerberos Works .......... 536
The Kerberos Network .......... 537

RFCs .......... 538
Goals of Kerberos .......... 538

How Authentication Works .......... 539
What Kerberos Doesn’t Do .......... 542

Encryption .......... 543
Private, Public, Secret, or Shared Key Encryption .......... 544
Private or Secret Key Encryption .......... 545
DES and Its Variations .......... 545
Encryption Export Issues .......... 547
Encryption and Checksum Specifications .......... 548

Versions of Kerberos .......... 555
Versions of Kerberos V4 .......... 555
Versions of Kerberos V5 .......... 556
Bones .......... 556

Selecting a Vendor .......... 557
Vendor Interoperability Issues .......... 558

DEC ULTRIX Kerberos .......... 558
Transarc’s Kerberos .......... 558
DCE .......... 559
Interoperability Requirements .......... 559

Naming Constraints .......... 561
Realm Names .......... 562
Principal Names .......... 563

Cross-Realm Operation .......... 564
Ticket Flags .......... 566

Initial and Preauthenticated Tickets .......... 567
Invalid Tickets .......... 567
Renewable Tickets .......... 567
Postdated Tickets .......... 568


Proxiable and Proxy Tickets .......... 569
Forwardable Tickets .......... 569
Authentication Flags .......... 570
Other Key Distribution Center Options .......... 570

Message Exchanges .......... 571
Tickets and Authenticators .......... 571
The Authentication Service Exchange .......... 575
The Ticket-Granting Service (TGS) Exchange .......... 578
Specifications for the Authentication Server and Ticket Granting Service Exchanges .......... 584

The Client/Server Authentication Exchange .......... 591
Client/Server (CS) Message Specifications .......... 595
The KRB_SAFE Exchange .......... 597
KRB_SAFE Message Specification .......... 598
The KRB_PRIV Exchange .......... 600
KRB_PRIV Message Specification .......... 601
The KRB_CRED Exchange .......... 602
KRB_CRED Message Specification .......... 603
Names .......... 605
Time .......... 605
Host Addresses .......... 605
Authorization Data .......... 606
Last Request Data .......... 606
Error Message Specification .......... 607

Kerberos Workstation Authentication Problem .......... 609
Kerberos Port Numbers .......... 609
Kerberos Telnet .......... 610
Kerberos ftpd .......... 610

Other Sources of Information .......... 611

Part III: Messaging: Creating a Secure Channel

10 Encryption Overview 615
What Is Encryption? .......... 616
Transposition .......... 617

Deciphering .......... 619
Substitution .......... 621

Caesar Cipher .......... 621
Monoalphabetic Substitutions .......... 624
Vigenere Encryption .......... 628


11 PGP 633
PGP Overview .......... 634

History of PGP .......... 634
Why Use PGP? .......... 635
Short Encryption Review .......... 636

PGP How-To .......... 637
Before You Use PGP .......... 637
Generate a PGP Key .......... 639
Distributing the Public Key .......... 640
Signing a Message .......... 641
Adding Someone Else’s Key .......... 642
Encrypting a Message .......... 643
Decrypting and Verifying a Message .......... 644

PGP Keys .......... 645
What’s in a Name? .......... 646
PGP Key Rings .......... 647
The Web of Trust .......... 648
Degrees of Trust .......... 649

Key Management .......... 650
Key Generation .......... 651
Adding Keys to the Public Key Ring .......... 654
Extracting Keys from the Public Key Ring .......... 656
Signing Keys .......... 657
Viewing the Contents of a Key Ring .......... 660
Removing Keys and Signatures .......... 661
Key Fingerprints and Verifying Keys .......... 663
Revoking Your Key .......... 664

Basic Message Operations .......... 665
PGP: Program or Filter? .......... 665
Compressing the Message .......... 666
Processing Text and Binary Files .......... 666
Sending PGP Messages via E-Mail .......... 667
Conventional Encryption .......... 668
Signing a Message .......... 668
Encrypting a Message Using Public Key .......... 669
Signing and Encrypting Messages .......... 670
Decrypting and Verifying Messages .......... 671

Advanced Message Operations .......... 673
Clearsigning .......... 674
Detached Signatures .......... 675
For Her Eyes Only .......... 676
Wiping Files .......... 676


The PGP Configuration File .......... 677
Security of PGP .......... 682

The Brute Force Attack .......... 682
Secret Keys and Pass Phrases .......... 683
Public Key Ring Attacks .......... 684
Program Security .......... 685
Other Attacks Against PGP .......... 685

PGP Add-Ons .......... 686
PGP Public Keyservers .......... 686
PGPMenu: A Menu Interface to PGP for Unix .......... 687
MITSign: A Kerberized PGP Key Signer .......... 687
Windows Front-Ends .......... 688
Unix Mailers .......... 688
Mac PGP .......... 689

Part IV: Modern Concerns

12 Java Security 693
Java’s Functionality .......... 695

Java Is Portable .......... 696
Java Is Robust .......... 697
Java Is Secure .......... 697
Java Is Object-Oriented .......... 698
Java Is High Performance .......... 698
Java Is Easy .......... 699

History of the Java Language .......... 699
Main Features of the Java Environment .......... 701

Features of the Java Language .......... 703
The Java Architecture .......... 707

From Class File to Execution .......... 712
The Compilation of Code .......... 712
Running Code .......... 715

The Java Virtual Machine .............................................................................. 718Why a New Machine Code Specification? ................................................. 719The Java Virtual Machine Description ...................................................... 719

Setting Up Java Security Features ................................................................... 724Using the Appletviewer ............................................................................. 724Netscape 2.0 .............................................................................................. 727Other Issues in Using Java Programs ......................................................... 729


13 CGI Security .... 731
    Introducing the CGI Interface .... 732
        Why CGI Is Dangerous .... 733
        How CGI Works .... 733
        CGI Data: Encoding and Decoding .... 734
        CGI Libraries .... 735
    Understanding Vulnerabilities .... 736
        The HTTP Server .... 736
        The HTTP Protocol .... 736
        The Environment Variables .... 737
        GET and POST Input Data .... 737
    Minimizing Vulnerability .... 738
        Restrict Access to CGI .... 739
        Run CGIs with Minimum Privileges .... 739
        Execute in a chrooted Environment .... 740
        Secure the HTTP Server Machine .... 740
    CGIWrap: An Alternative Model .... 740
        Advantages and Disadvantages .... 741
    Bypassing CGI .... 741
    Server Side Includes (SSI) .... 742
        Restrict Access to SSI .... 742
        Alternatives to SSI .... 742
    Language Issues .... 743
        PERL .... 743
        C and C++ .... 746
        Safe Languages .... 746
    Protecting Sensitive Data .... 747
    Logging .... 749

14 Viruses .... 751
    What Is a Computer Virus? .... 752
    Most Likely Targets .... 753
        Key Hardware .... 754
        Key Software .... 755
        Floppy Boot Records (FBRs) .... 756
        Hard Drive Master Boot Record .... 757
        Partition Boot Records .... 758
        System Services .... 760
        Program Files .... 762
        Data Files with Macro Capabilities .... 765


    IBM PC Computer Virus Types .... 767
        Boot Record Viruses .... 767
        Floppy Boot Record Viruses .... 768
        Partition Boot Record Viruses .... 776
        Master Boot Record Viruses .... 780
        Program File Viruses .... 784
        SYS File Infections .... 788
        Companion Viruses .... 797
        Potential Damage by File Infecting Viruses .... 798
        Macro Viruses .... 800
        Worms .... 802
    Network and Internet Virus Susceptibility .... 803
        Network Susceptibility to File Viruses .... 803
        Boot Viruses .... 805
        Macro Viruses .... 806
    Virus Classes .... 806
        Polymorphic Viruses .... 807
        Stealth Viruses .... 808
        Slow Viruses .... 812
        Retro Viruses .... 813
        Multipartite Viruses .... 814
    How Antivirus Programs Work .... 814
        Virus Scanners .... 815
        Memory Scanners .... 820
        Integrity Checkers .... 822
        Behavior Blockers .... 825
        Heuristics .... 826
    Preventative Measures and Cures .... 827
        Preventing and Repairing Boot Record Viruses .... 827
        Preventing and Repairing Executable File Viruses .... 830
        Repairing Files Infected with a Read-Stealth Virus .... 830
        Preventing and Repairing Macro Viruses .... 832
    Profile: Virus Behavior under Windows NT .... 832
        Master Boot Record Viruses under Windows NT .... 832
        The NT Bootup Process with MBR Infection .... 833
        Boot Record Viruses under Windows NT .... 834
        Possible Damage Due to Boot Record Virus Infection .... 835
        Windows NT Installation with Existing Boot Record Infection .... 836
        MBR and Boot Record Viruses—The Bottom Line .... 837


    DOS File Viruses under a Windows NT DOS Box .... 837
        Damage by File Viruses under a Windows NT DOS Box .... 838
    File Virus Infections under Windows NT—Outside a DOS Box .... 839
    DOS File Viruses under Windows NT—System Susceptibility during Bootup .... 839
    DOS File Viruses—The Bottom Line .... 839
    Windows 3.1 Viruses under Windows NT .... 840
    Macro Viruses under Windows NT .... 841
    Native Windows NT Viruses .... 841

Part V: Appendixes

A Security Information Sources .... 845
    CIAC .... 846
    COAST .... 846
    CERT .... 846
    FIRST .... 847
    8lgm: Eight Little Green Men .... 848
    bugtraq .... 848
    Vendors .... 848
    Others .... 848

B Internet Security References .... 849

Index .... 855


Introduction


The staff of New Riders Publishing is committed to bringing you the very best in computer reference material. Each New Riders book is the result of months of work by authors and staff who research and refine the information contained within its covers.

As part of this commitment to you, the NRP reader, New Riders invites your input. Please let us know if you enjoy this book, if you have trouble with the information and examples presented, or if you have a suggestion for the next edition.

Please note, though: New Riders staff cannot serve as a technical resource for Internet security or for questions about software- or hardware-related problems.


If you have a question or comment about any New Riders book, there are several ways to contact New Riders Publishing. We will respond to as many readers as we can. Your name, address, or phone number will never become part of a mailing list or be used for any purpose other than to help us continue to bring you the best books possible. You can write us at the following address:

New Riders Publishing
Attn: Publisher
201 W. 103rd Street
Indianapolis, IN 46290

If you prefer, you can fax New Riders Publishing at (317) 581-4670.

You can also send e-mail to New Riders at the following Internet address:

[email protected]

NRP is an imprint of Macmillan Computer Publishing. To obtain a catalog or information, or to purchase any Macmillan Computer Publishing book, call (800) 428-5331.

Thank you for selecting Internet Security Professional Reference!