p1vPHCP nhb1 Internet Security Pro Ref 557-7 angela 2-2-96 FM LP#4
INTERNET SECURITY
Professional Reference

Derek Atkins
Paul Buis
Chris Hare
Robert Kelley
Carey Nachenberg
Anthony B. Nelson
Paul Phillips
Tim Ritchey
William Steen

New Riders Publishing, Indianapolis, IN
ii Internet Security Professional Reference
Acquisitions Editor: Mary Foote
Development Editor: Ian Sheeler
Project Editor: John Sleeva
Copy Editors: Peter Kuhns, Catherine Manship, Angie Trzepacz, Phil Worthington
Technical Editors: John Fisher, Paul Nelson, Tom Peltier, Michael Van Biesbrouck
Associate Marketing Manager: Tamara Apple
Acquisitions Coordinator: Stacia Mellinger
Publisher's Assistant: Karen Opal
Cover Designer: Karen Ruggles
Book Designer: Sandra Schroeder
Production Manager: Kelly D. Dobbs
Production Team Supervisor: Laurie Casey
Graphics Image Specialists: Clint Lahnen, Laura Robbins
Production Analysts: Jason Hand, Bobbi Satterfield
Production Team: Heather Butler, Angela Calvert, Kim Cofer, Tricia Flodder, Aleata Howard, Erika Millen, Beth Rago, Regina Rexrode, Erich Richter, Jenny Shoemake, Christine Tyner, Karen Walsh
Indexers: Christopher Cleveland, Tom Dinse
Internet Security Professional Reference
By Derek Atkins, Paul Buis, Chris Hare, Robert Kelley, Carey Nachenberg, Anthony B. Nelson, Paul Phillips, Tim Ritchey, and William Steen

Published by:
New Riders Publishing
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Copyright 1996 by New Riders Publishing

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Warning and Disclaimer
This book is designed to provide information about Internet security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

The information is provided on an "as is" basis. The authors and New Riders Publishing shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the disks or programs that may accompany it.
Publisher Don Fowley
Publishing Manager Emmett Dulaney
Marketing Manager Ray Robinson
Managing Editor Carla Hall
About the Authors

Derek Atkins grew up in Beachwood, Ohio, and graduated from Beachwood City Schools. He followed that with schooling at MIT in Cambridge, Massachusetts. While working toward his B.S. degree, Derek became interested in computer security. He started working with Kerberos, PGP, and other security systems before he graduated. After receiving his degree, he went to the MIT Media Laboratory for his M.S. degree in Media Arts and Sciences. His security background was used in his thesis, a payment system based on digital movie tickets. Today, Derek works at Sun Microsystems, programming the next generation of system security applications.
Paul Buis started life in Kalamazoo, Michigan, moved about in the Midwest, and met his wife-to-be in a high school German class. Paul attended Hope College in Holland, Michigan, where he majored in Physics and Mathematics. Hope graduated him magna cum laude and elected him to Phi Beta Kappa, a Liberal Arts honorary; Sigma Pi Sigma, a Physics honorary; and Pi Mu Epsilon, a Mathematics honorary. After marrying his wife, Barbara, Paul went to Purdue University where he received M.S. degrees in both Mathematics and Computer Science.

While attending Purdue, Paul was the software architect for a firm that sold veterinary cardiology systems to automatically diagnose heart problems in dogs and cats. Eventually, Paul completed his doctoral work in computer science at Purdue and got a real job as a professor in the Computer Science Department at Ball State University in Muncie, Indiana. He is also an instructor for the Technology Exchange Company, located in Reading, Massachusetts, which sends him around the country to give workshops on TCP/IP networking, the X Window system, C++ programming, and Unix system administration.

Paul and Barbara are the parents of three delightful children: Daniel, Jennifer, and Thomas.
Chris Hare is the Production Services Manager for a Canadian national Internet Service Provider, iSTAR internet. He started working in computer-based technology in 1986, after studying health sciences. Since that time, he has worked in programming, system administration, quality assurance, training, network management, consulting, and technical management positions.

Chris has taught Unix courses all over the world, for his previous employers and for SCO. As a professional writer, Chris has authored almost 20 articles for Sys Admin magazine, and coauthored several books for New Riders, including Inside Unix, Internet Firewalls and Network Security, and Building an Internet Server with Linux.

Chris lives in Ottawa, Canada, with his wife Terri and their children Meagan and Matthew.
Robert Kelley is currently a software engineer in the networking lab of Hewlett-Packard, supporting network security and Internet services. He has held a variety of positions in marketing, support, and development. His educational background includes a B.S. degree in Electrical Engineering from San Jose State University, an M.S. degree in Computer Science from California State University at Hayward, and graduate work at Santa Clara University. Mr. Kelley has written a number of white papers on topics ranging from disk drive manufacturing to microwave communications. He has created and presented training to classes in Asia, Europe, and the United States, including video productions and live broadcast seminars. He created the [email protected] mail alias and has written many of HP's security bulletins. His current interests include compilers, cryptography, and data compression.
Carey Nachenberg is a senior software engineer at Symantec Corporation. He researches, designs, and develops new antivirus technologies for the award-winning Norton Antivirus line of products. Mr. Nachenberg has worked at Symantec for five years as a software engineer and architect on Norton Commander, Norton Desktop for DOS, and Norton Antivirus. He holds B.S. and M.S. degrees in Computer Science and Engineering from the University of California at Los Angeles. His master's thesis covers the topic of polymorphic computer virus detection.
Anthony B. Nelson is a management consultant specializing in information security and business automation. A regular contributor to the IT security industry, Mr. Nelson has 26 years of experience in the field, including regular speaking engagements at international conferences on information security and auditing issues. He has worked with a wide range of applications, from business and government accounting to technical applications such as Electronic and Mechanical Computer Assisted Drafting. He has worked on a variety of standard and proprietary platforms, including Unix, Microsoft Windows NT, PC DOS, Windows, and various networks.

Mr. Nelson has been involved in the security architecture design for a major West Coast utility. In addition, he designed their information security policy and developed their security implementation. The environment is an integrated network running Banyan Vines, TCP/IP, DECnet, AppleTalk, and SNA. Other security projects have included disaster recovery projects, internetwork file transfer security, and reviews of security for, and intrusion testing of, Internet firewalls.

Recently, Mr. Nelson has been involved with corporate internal audit departments investigating IT-related problems. These have involved intrusion tracing to determine the source of system crashes and file damage, as well as fraud investigations in which the computer was the main point of attack. He has been involved in intrusion testing of client/server applications to determine the security holes that must be protected. Where companies have been involved in remote communication, he has reviewed remote dial-up security and looked into single sign-on solutions. Finally, he recently reviewed SCADA application security for master stations connected to the corporate LAN/WAN.

Mr. Nelson also has software project management experience. Project supervision has ranged from the initial systems analysis to programming, debugging, implementation, training, and after-sales support for the applications. Direct participation in each of the phases has resulted in a firm understanding of the problems and pitfalls throughout the entire development cycle. In these projects, Mr. Nelson has been involved with implementing security at the computer hardware level, the operating system level, and the application level.
Paul Phillips is a programmer and author currently residing in San Diego, California.

Tim Ritchey received his honors B.S. from Ball State University in Physics and Anthropology and is currently working toward his Ph.D. in Archaeology from Cambridge University, England. He has worked on artificial intelligence, high-performance parallel architectures, and computer vision. His honors thesis was the development of an inexpensive 3D scanner using structured lighting. Present interests include artificial intelligence, distributed computing, VRML, and Java. His Ph.D. includes adapting non-linear dynamics and artificial intelligence techniques to archaeological theory. In addition to computing and archaeology, he enjoys scuba diving, flying, and riding his Harley Davidson motorcycle.

William Steen owns and operates a consulting firm specializing in networking small businesses and local governmental agencies. He also works for BI Inc. as a senior customer support representative. He is the author of Managing the NetWare 3.x Server and NetWare Security, and a contributing author for Implementing Internet Security, published by New Riders.
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. New Riders Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Contents at a Glance

Introduction .... 1

Part I: Managing Internet Security
1 Understanding TCP/IP .... 5
2 Understanding and Creating Daemons .... 49
3 Using UUCP .... 95
4 Audit Trails .... 145
5 RFC 1244—The Site Security Handbook .... 169

Part II: Gaining Access and Securing the Gateway
6 IP Spoofing and Sniffing .... 257
7 How to Build a Firewall .... 317
8 SATAN and the Internet Inferno .... 429
9 Kerberos .... 535

Part III: Messaging: Creating a Secure Channel
10 Encryption Overview .... 615
11 PGP .... 633

Part IV: Modern Concerns
12 Java Security .... 693
13 CGI Security .... 731
14 Viruses .... 751

Part V: Appendixes
A Security Information Sources .... 845
B Internet Security References .... 849

Index .... 855
Table of Contents

Introduction .... 1

Part I: Managing Internet Security

1 Understanding TCP/IP .... 5
  The History of TCP/IP .... 6
  Exploring Addresses, Subnets, and Hostnames .... 7
    Address Classes .... 8
    Subnets .... 9
    Hostnames .... 12
  Working with Network Interfaces .... 14
    Configuration Using ifconfig .... 15
  Reviewing the Network Configuration Files .... 17
    The /etc/hosts File .... 17
    The /etc/ethers File .... 18
    The /etc/networks File .... 18
    The /etc/protocols File .... 19
    The /etc/services File .... 19
    The /etc/inetd.conf File .... 20
  Understanding the Network Access Files .... 21
    /etc/hosts.equiv File .... 21
    The .rhosts File .... 21
    User and Host Equivalency .... 21
  Examining TCP/IP Daemons .... 23
    The slink Daemon .... 23
    The ldsocket Daemon .... 23
    The cpd Daemon .... 23
    The Line Printer Daemon (lpd) .... 23
    The SNMP Daemon (snmpd) .... 24
    The RARP Daemon (rarpd) .... 24
    The BOOTP Daemon (bootpd) .... 24
    The ROUTE Daemon (routed) .... 24
    The Domain Name Service Daemon (named) .... 25
    The System Logger Daemon (syslogd) .... 26
    Inetd—The Super-Server .... 26
    The RWHO Daemon (rwhod) .... 26
  Exploring TCP/IP Utilities .... 26
    Administration Commands .... 27
    User Commands .... 40

2 Understanding and Creating Daemons .... 49
  What Is a Daemon? .... 50
  Examining the System Daemons .... 55
    init .... 55
    swapper .... 55
    update and bdflush .... 55
    lpd .... 56
    lpsched .... 56
    cpd and sco_cpd (SCO) .... 56
    cron .... 56
    syslog .... 57
    sendmail .... 58
    getty .... 59
    rlogind .... 59
    deliver .... 59
    inetd .... 59
    routed .... 59
    nfsd .... 60
    mountd .... 60
    pcnfsd .... 60
    statd, rpc.statd .... 60
    lockd, rpc.lockd .... 60
  Creating Daemons with the Bourne Shell .... 61
    Handling Input and Output .... 61
    Handling Messages .... 62
    Handling Signals .... 62
    The dfmon Program .... 64
  Creating Daemons with PERL .... 65
    Handling Input and Output .... 66
    Handling Signals .... 67
    The procmon Program .... 67
  Unix Run Levels .... 71
  Program Listings .... 74
    Listing 2.1—The dfmon Program .... 74
    Listing 2.2—The dfmon Configuration File .... 78
    Listing 2.3—The procmon Command .... 82
    Listing 2.4—The procmon.cfg File .... 94
3 Using UUCP .... 95
  The History of UUCP .... 96
  The UUCP Network .... 98
    How UUCP Works .... 99
  Naming Your Host .... 100
    The Naming Process .... 101
  The System V Basic Networking Utilities UUCP .... 101
    UUCP File Layout .... 102
    Configuring UUCP .... 103
    Testing the Connection .... 106
    The Dialers File .... 106
    The Systems File .... 108
  The UUCP Chat Script .... 111
    Testing the Connection—Using uucico .... 114
    Permissions File .... 118
    Allowing Anonymous UUCP Access .... 123
    UUCP Log Files .... 124
    Maintenance .... 126
  Configuring Version 2 UUCP .... 128
    What Is Version 2 UUCP? .... 128
    File Layout .... 128
    Configuring UUCP .... 129
    The L-devices File .... 129
    Testing the Connection .... 130
    The L.sys File .... 131
    Testing the Connection with uucico .... 133
    Version 2 Permissions .... 134
    Log Files .... 137
    Maintenance .... 138
  Configuring UUCP over TCP/IP .... 139
  Code Listings .... 140
    Listing 3.1—gtimes.c .... 140
    Listing 3.2—genUSER .... 142

4 Audit Trails .... 145
  Audit Trails under Unix .... 146
    Common Unix Logs .... 146
    Process Accounting .... 153
    Useful Utilities in Auditing .... 155
    Other Reporting Tools Available Online .... 158
  Audit Trails under Windows NT .... 160
    Using the Event Viewer .... 161
    Logging the ftp Server Service .... 162
    Logging httpd Transactions .... 163
    Logging by Other TCP/IP Applications under NT .... 163
  Audit Trails under DOS .... 164
    PC/DACS .... 164
    Watchdog .... 165
    LOCK .... 165
  Using System Logs to Discover Intruders .... 165
    Common Break-In Indications .... 165
    Potential Problems .... 166

5 RFC 1244—The Site Security Handbook .... 169
  Contributing Authors .... 170
  1. Introduction .... 170
    1.1 Purpose of this Work .... 170
    1.2 Audience .... 171
    1.3 Definitions .... 171
    1.4 Related Work .... 171
    1.5 Scope .... 172
    1.6 Why Do We Need Security Policies and Procedures? .... 172
    1.7 Basic Approach .... 174
    1.8 Organization of this Document .... 174
  2. Establishing Official Site Policy on Computer Security .... 175
    2.1 Brief Overview .... 175
    2.2 Risk Assessment .... 177
    2.3 Policy Issues .... 179
    2.4 What Happens When the Policy is Violated .... 184
    2.5 Locking In or Out .... 186
    2.6 Interpreting the Policy .... 187
    2.7 Publicizing the Policy .... 188
  3. Establishing Procedures to Prevent Security Problems .... 188
    3.1 Security Policy Defines What Needs to be Protected .... 188
    3.2 Identifying Possible Problems .... 189
    3.3 Choose Controls to Protect Assets in a Cost-Effective Way .... 190
    3.4 Use Multiple Strategies to Protect Assets .... 191
    3.5 Physical Security .... 191
    3.6 Procedures to Recognize Unauthorized Activity .... 191
    3.7 Define Actions to Take When Unauthorized Activity is Suspected .... 193
    3.8 Communicating Security Policy .... 193
    3.9 Resources to Prevent Security Breaches .... 197
  4. Types of Security Procedures .... 214
    4.1 System Security Audits .... 214
    4.2 Account Management Procedures .... 215
    4.3 Password Management Procedures .... 215
    4.4 Configuration Management Procedures .... 217
  5. Incident Handling .... 218
    5.1 Overview .... 218
    5.2 Evaluation .... 222
    5.3 Possible Types of Notification .... 224
    5.4 Response .... 226
    5.5 Legal/Investigative .... 229
    5.6 Documentation Logs .... 232
  6. Establishing Post-Incident Procedures .... 232
    6.1 Overview .... 232
    6.2 Removing Vulnerabilities .... 233
    6.3 Capturing Lessons Learned .... 234
    6.4 Upgrading Policies and Procedures .... 235
  7. References .... 236
  8. Annotated Bibliography .... 237
    8.1 Computer Law .... 238
    8.2 Computer Security .... 239
    8.3 Ethics .... 244
    8.4 The Internet Worm .... 246
    8.5 National Computer Security Center (NCSC) .... 248
    8.6 Security Checklists .... 251
    8.7 Additional Publications .... 251
  9. Acknowledgments .... 253
  10. Security Considerations .... 253
  11. Authors' Addresses .... 253

Part II: Gaining Access and Securing the Gateway

6 IP Spoofing and Sniffing .... 257
  Sniffing .... 258
    Sniffing: How It Is Done .... 258
    Sniffing: How It Threatens Security .... 260
    Protocol Sniffing: A Case Study .... 262
    Sniffing: How to Prevent It .... 265
    Hardware Barriers .... 266
    Avoiding Transmission of Passwords .... 274
Spoofing ..... 279
    Hardware Address Spoofing ..... 279
    ARP Spoofing ..... 281
    Preventing an ARP Spoof ..... 284
    Sniffing Case Study Revisited ..... 287
    Detecting an ARP Spoof ..... 288
    Spoofing the IP Routing System ..... 293
    ICMP-Based Route Spoofing ..... 293
    Misdirecting IP Datagrams from Hosts ..... 297
    Preventing Route Spoofing ..... 298
    A Case Study Involving External Routing ..... 300
    Spoofing Domain Name System Names ..... 301
    Spoofing TCP Connections ..... 309
7 How to Build a Firewall ..... 317
The TIS Firewall Toolkit ..... 318
    Understanding TIS ..... 318
    Where to Get TIS Toolkit ..... 319
    Compiling under SunOS 4.1.3 and 4.1.4 ..... 320
    Compiling under BSDI ..... 320
    Installing the Toolkit ..... 321
Preparing for Configuration ..... 322
Configuring TCP/IP ..... 326
    IP Forwarding ..... 326
The netperm Table ..... 328
Configuring netacl ..... 329
    Connecting with netacl ..... 331
    Restarting inetd ..... 333
Configuring the Telnet Proxy ..... 333
    Connecting through the Telnet Proxy ..... 336
    Host Access Rules ..... 337
    Verifying the Telnet Proxy ..... 338
Configuring the rlogin Gateway ..... 339
    Connecting through the rlogin Proxy ..... 342
    Host Access Rules ..... 342
    Verifying the rlogin Proxy ..... 343
Configuring the FTP Gateway ..... 343
    Host Access Rules ..... 345
    Verifying the FTP Proxy ..... 346
    Connecting through the FTP Proxy ..... 347
    Allowing FTP with netacl ..... 348
Configuring the Sendmail Proxy: smap and smapd ..... 348
    Installing the smap Client ..... 349
    Configuring the smap Client ..... 349
    Installing the smapd Application ..... 351
    Configuring the smapd Application ..... 351
    Configuring DNS for smap ..... 353
Configuring the HTTP Proxy ..... 354
    Non-Proxy Aware HTTP Clients ..... 355
    Using a Proxy Aware HTTP Client ..... 356
    Host Access Rules ..... 357
Configuring the X Windows Proxy ..... 359
Understanding the Authentication Server ..... 360
    The Authentication Database ..... 362
    Adding Users ..... 364
    The Authentication Shell—authmgr ..... 368
    Database Management ..... 368
    Authentication at Work ..... 370
Using plug-gw for Other Services ..... 372
    Configuring plug-gw ..... 372
    plug-gw and NNTP ..... 373
    plug-gw and POP ..... 376
The Companion Administrative Tools ..... 378
    portscan ..... 378
    netscan ..... 379
    Reporting Tools ..... 380
Where to Go for Help ..... 389
Sample netperm-table File ..... 390
Manual Reference Pages ..... 394
    Authmgr—Network Authentication Client Program ..... 394
    authsrv—Network Authentication Third-Party Daemon ..... 395
    ftp-gw—FTP Proxy Server ..... 402
    http-gw—Gopher/HTTP Proxy ..... 406
    login-sh—Authenticating Login Shell ..... 412
    netacl—TCP Network Access Control ..... 414
    plug-gw—Generic TCP Plugboard Proxy ..... 416
    rlogin-gw—rlogin Proxy Server ..... 418
    smap—Sendmail Wrapper Client ..... 420
    smapd—Sendmail Wrapper Daemon ..... 421
    tn-gw—telnet Proxy Server ..... 423
    x-gw—X Gateway Service ..... 426
8 SATAN and the Internet Inferno ..... 429
The Nature of Network Attacks ..... 431
    Internet Threat Levels (ITL) ..... 432
    Common Attack Approaches ..... 435
    An Overview of Holes ..... 438
    Learning about New Security Holes ..... 443
Thinking Like an Intruder ..... 445
    Gathering Information on Systems ..... 445
    Know the Code ..... 465
    Try All Known Problems ..... 466
    Match Vulnerabilities with Opportunities ..... 466
    Look for Weak Links ..... 467
    Summarize the Remote Network Attack ..... 467
    Automate the Search ..... 467
The First Meeting with SATAN ..... 468
    History ..... 468
    The Creators ..... 469
    Comparison to Other Tools ..... 470
    Vendor Reactions ..... 470
    Long-Term Impact ..... 470
Detecting SATAN ..... 471
    Courtney ..... 471
    Gabriel ..... 471
    TCP Wrappers ..... 471
    netlog/TAMU ..... 472
    Argus ..... 472
Using Secure Network Programs ..... 472
    Kerberos ..... 472
    Secure Shell (ssh) ..... 474
    SSL ..... 474
    Firewalls ..... 475
Investigating What SATAN Does ..... 477
    SATAN’s Information Gathering ..... 477
    Vulnerabilities that SATAN Investigates ..... 478
    Other Network Vulnerabilities ..... 488
    Investigating IP Spoofing ..... 492
    Examining Structural Internet Problems ..... 495
Rendezvous with SATAN ..... 499
    Getting SATAN ..... 499
    Examining the SATAN Files ..... 500
    Building SATAN ..... 513
    Using SATAN’s HTML Interface ..... 514
    Running a Scan ..... 524
    Understanding the SATAN Database Record Format ..... 525
    Understanding the SATAN Rulesets ..... 529
    Extending SATAN ..... 532
    Long-Term Benefits of Using SATAN ..... 534
Works Cited ..... 534
9 Kerberos ..... 535
How Kerberos Works ..... 536
The Kerberos Network ..... 537
    RFCs ..... 538
    Goals of Kerberos ..... 538
How Authentication Works ..... 539
    What Kerberos Doesn’t Do ..... 542
Encryption ..... 543
    Private, Public, Secret, or Shared Key Encryption ..... 544
    Private or Secret Key Encryption ..... 545
    DES and Its Variations ..... 545
    Encryption Export Issues ..... 547
    Encryption and Checksum Specifications ..... 548
Versions of Kerberos ..... 555
    Versions of Kerberos V4 ..... 555
    Versions of Kerberos V5 ..... 556
    Bones ..... 556
Selecting a Vendor ..... 557
Vendor Interoperability Issues ..... 558
    DEC ULTRIX Kerberos ..... 558
    Transarc’s Kerberos ..... 558
    DCE ..... 559
    Interoperability Requirements ..... 559
Naming Constraints ..... 561
    Realm Names ..... 562
    Principal Names ..... 563
Cross-Realm Operation ..... 564
Ticket Flags ..... 566
    Initial and Preauthenticated Tickets ..... 567
    Invalid Tickets ..... 567
    Renewable Tickets ..... 567
    Postdated Tickets ..... 568
    Proxiable and Proxy Tickets ..... 569
    Forwardable Tickets ..... 569
    Authentication Flags ..... 570
    Other Key Distribution Center Options ..... 570
Message Exchanges ..... 571
    Tickets and Authenticators ..... 571
    The Authentication Service Exchange ..... 575
    The Ticket-Granting Service (TGS) Exchange ..... 578
    Specifications for the Authentication Server and Ticket-Granting Service Exchanges ..... 584
    The Client/Server Authentication Exchange ..... 591
    Client/Server (CS) Message Specifications ..... 595
    The KRB_SAFE Exchange ..... 597
    KRB_SAFE Message Specification ..... 598
    The KRB_PRIV Exchange ..... 600
    KRB_PRIV Message Specification ..... 601
    The KRB_CRED Exchange ..... 602
    KRB_CRED Message Specification ..... 603
    Names ..... 605
    Time ..... 605
    Host Addresses ..... 605
    Authorization Data ..... 606
    Last Request Data ..... 606
    Error Message Specification ..... 607
Kerberos Workstation Authentication Problem ..... 609
    Kerberos Port Numbers ..... 609
    Kerberos Telnet ..... 610
    Kerberos ftpd ..... 610
Other Sources of Information ..... 611
Part III: Messaging: Creating a Secure Channel
10 Encryption Overview ..... 615
What Is Encryption? ..... 616
Transposition ..... 617
    Deciphering ..... 619
Substitution ..... 621
    Caesar Cipher ..... 621
    Monoalphabetic Substitutions ..... 624
    Vigenere Encryption ..... 628
11 PGP ..... 633
PGP Overview ..... 634
    History of PGP ..... 634
    Why Use PGP? ..... 635
    Short Encryption Review ..... 636
PGP How-To ..... 637
    Before You Use PGP ..... 637
    Generate a PGP Key ..... 639
    Distributing the Public Key ..... 640
    Signing a Message ..... 641
    Adding Someone Else’s Key ..... 642
    Encrypting a Message ..... 643
    Decrypting and Verifying a Message ..... 644
PGP Keys ..... 645
    What’s in a Name? ..... 646
    PGP Key Rings ..... 647
    The Web of Trust ..... 648
    Degrees of Trust ..... 649
Key Management ..... 650
    Key Generation ..... 651
    Adding Keys to the Public Key Ring ..... 654
    Extracting Keys from the Public Key Ring ..... 656
    Signing Keys ..... 657
    Viewing the Contents of a Key Ring ..... 660
    Removing Keys and Signatures ..... 661
    Key Fingerprints and Verifying Keys ..... 663
    Revoking Your Key ..... 664
Basic Message Operations ..... 665
    PGP: Program or Filter? ..... 665
    Compressing the Message ..... 666
    Processing Text and Binary Files ..... 666
    Sending PGP Messages via E-Mail ..... 667
    Conventional Encryption ..... 668
    Signing a Message ..... 668
    Encrypting a Message Using Public Key ..... 669
    Signing and Encrypting Messages ..... 670
    Decrypting and Verifying Messages ..... 671
Advanced Message Operations ..... 673
    Clearsigning ..... 674
    Detached Signatures ..... 675
    For Her Eyes Only ..... 676
    Wiping Files ..... 676
The PGP Configuration File ..... 677
Security of PGP ..... 682
    The Brute Force Attack ..... 682
    Secret Keys and Pass Phrases ..... 683
    Public Key Ring Attacks ..... 684
    Program Security ..... 685
    Other Attacks Against PGP ..... 685
PGP Add-Ons ..... 686
    PGP Public Keyservers ..... 686
    PGPMenu: A Menu Interface to PGP for Unix ..... 687
    MITSign: A Kerberized PGP Key Signer ..... 687
    Windows Front-Ends ..... 688
    Unix Mailers ..... 688
    Mac PGP ..... 689
Part IV: Modern Concerns
12 Java Security ..... 693
Java’s Functionality ..... 695
    Java Is Portable ..... 696
    Java Is Robust ..... 697
    Java Is Secure ..... 697
    Java Is Object-Oriented ..... 698
    Java Is High Performance ..... 698
    Java Is Easy ..... 699
History of the Java Language ..... 699
Main Features of the Java Environment ..... 701
    Features of the Java Language ..... 703
    The Java Architecture ..... 707
From Class File to Execution ..... 712
    The Compilation of Code ..... 712
    Running Code ..... 715
The Java Virtual Machine ..... 718
    Why a New Machine Code Specification? ..... 719
    The Java Virtual Machine Description ..... 719
Setting Up Java Security Features ..... 724
    Using the Appletviewer ..... 724
    Netscape 2.0 ..... 727
    Other Issues in Using Java Programs ..... 729
13 CGI Security ..... 731
Introducing the CGI Interface ..... 732
    Why CGI Is Dangerous ..... 733
    How CGI Works ..... 733
    CGI Data: Encoding and Decoding ..... 734
    CGI Libraries ..... 735
Understanding Vulnerabilities ..... 736
    The HTTP Server ..... 736
    The HTTP Protocol ..... 736
    The Environment Variables ..... 737
    GET and POST Input Data ..... 737
Minimizing Vulnerability ..... 738
    Restrict Access to CGI ..... 739
    Run CGIs with Minimum Privileges ..... 739
    Execute in a chrooted Environment ..... 740
    Secure the HTTP Server Machine ..... 740
CGIWrap: An Alternative Model ..... 740
    Advantages and Disadvantages ..... 741
Bypassing CGI ..... 741
Server Side Includes (SSI) ..... 742
    Restrict Access to SSI ..... 742
    Alternatives to SSI ..... 742
Language Issues ..... 743
    PERL ..... 743
    C and C++ ..... 746
    Safe Languages ..... 746
Protecting Sensitive Data ..... 747
Logging ..... 749

14 Viruses ..... 751
What Is a Computer Virus? ..... 752
Most Likely Targets ..... 753
    Key Hardware ..... 754
    Key Software ..... 755
    Floppy Boot Records (FBRs) ..... 756
    Hard Drive Master Boot Record ..... 757
    Partition Boot Records ..... 758
    System Services ..... 760
    Program Files ..... 762
    Data Files with Macro Capabilities ..... 765
IBM PC Computer Virus Types ... 767
    Boot Record Viruses ... 767
    Floppy Boot Record Viruses ... 768
    Partition Boot Record Viruses ... 776
    Master Boot Record Viruses ... 780
    Program File Viruses ... 784
    SYS File Infections ... 788
    Companion Viruses ... 797
    Potential Damage by File Infecting Viruses ... 798
    Macro Viruses ... 800
    Worms ... 802
Network and Internet Virus Susceptibility ... 803
    Network Susceptibility to File Viruses ... 803
    Boot Viruses ... 805
    Macro Viruses ... 806
Virus Classes ... 806
    Polymorphic Viruses ... 807
    Stealth Viruses ... 808
    Slow Viruses ... 812
    Retro Viruses ... 813
    Multipartite Viruses ... 814
How Antivirus Programs Work ... 814
    Virus Scanners ... 815
    Memory Scanners ... 820
    Integrity Checkers ... 822
    Behavior Blockers ... 825
    Heuristics ... 826
Preventative Measures and Cures ... 827
    Preventing and Repairing Boot Record Viruses ... 827
    Preventing and Repairing Executable File Viruses ... 830
    Repairing Files Infected with a Read-Stealth Virus ... 830
    Preventing and Repairing Macro Viruses ... 832
Profile: Virus Behavior under Windows NT ... 832
    Master Boot Record Viruses under Windows NT ... 832
    The NT Bootup Process with MBR Infection ... 833
    Boot Record Viruses under Windows NT ... 834
    Possible Damage Due to Boot Record Virus Infection ... 835
    Windows NT Installation with Existing Boot Record Infection ... 836
    MBR and Boot Record Viruses—The Bottom Line ... 837
Table of Contents
    DOS File Viruses under a Windows NT DOS Box ... 837
        Damage by File Viruses under a Windows NT DOS Box ... 838
    File Virus Infections under Windows NT—Outside a DOS Box ... 839
        DOS File Viruses under Windows NT—System Susceptibility during Bootup ... 839
    DOS File Viruses—The Bottom Line ... 839
    Windows 3.1 Viruses under Windows NT ... 840
    Macro Viruses under Windows NT ... 841
    Native Windows NT Viruses ... 841
Part V: Appendixes
A Security Information Sources 845
    CIAC ... 846
    COAST ... 846
    CERT ... 846
    FIRST ... 847
    8lgm: Eight Little Green Men ... 848
    bugtraq ... 848
    Vendors ... 848
    Others ... 848
B Internet Security References 849
Index 855
Introduction
p1vPHCP/tr2 Internet Security Pro Ref 577-7 angela 2-2-96 Intro LP#3
The staff of New Riders Publishing is committed to bringing you the very best in computer reference material. Each New Riders book is the result of months of work by authors and staff who research and refine the information contained within its covers.

As part of this commitment to you, the NRP reader, New Riders invites your input. Please let us know if you enjoy this book, if you have trouble with the information and examples presented, or if you have a suggestion for the next edition.

Please note, though: New Riders staff cannot serve as a technical resource for Internet security or for questions about software- or hardware-related problems.
If you have a question or comment about any New Riders book, there are several ways to contact New Riders Publishing. We will respond to as many readers as we can. Your name, address, or phone number will never become part of a mailing list or be used for any purpose other than to help us continue to bring you the best books possible. You can write us at the following address:

New Riders Publishing
Attn: Publisher
201 W. 103rd Street
Indianapolis, IN 46290
If you prefer, you can fax New Riders Publishing at (317) 581-4670.
You can also send e-mail to New Riders at the following Internet address:
NRP is an imprint of Macmillan Computer Publishing. To obtain a catalog or information, or to purchase any Macmillan Computer Publishing book, call (800) 428-5331.
Thank you for selecting Internet Security Professional Reference!