chapter 11: internet security i-net+ guide to the internet third edition

Chapter 11: Internet Security

i-Net+ Guide to the Internet

Third Edition

iNet+ Guide to the Internet, Third Edition 2

Objectives

• Learn how computers and networks can be attacked

• Study solutions used to protect computers and networks

• Investigate network protection strategies

• Learn how virtual private networks ensure a secure data transmission over the Internet


Types of Attack

• The reasons hackers attack a Web site, server, or computer can vary.

• Hackers might want to:

– Seek a challenge or revenge against a business

– Gain bragging rights among peers

– Steal information, such as credit card numbers, that they can sell

– Hijack storage space on a computer or use Internet bandwith provided by a network

– Gain remote control of a computer to use in an attack against other servers.


Flooding

• A denial of service (DoS) attack is an attack

designed to overload the resources of a Web server

or other Internet device so that it can no longer

operate and provide Internet resources.

• A new form of DoS attack has appeared called

distributed denial of service (DDoS).


Flooding (Continued)

• In a DDoS attack, a hacker has remote control of

hundreds of computers over a large geographical

area and commands them to send false requests to a

Web server or other Internet device.

• Computers that are remotely controlled by hackers

and used in a DDoS attack are called bots.


SYN Flooding

• SYN flooding is a type of attack that takes advantage of the synchronization feature of TCP.

• When the first computer sends the initial SYN packet to begin the TCP connection process, instead of sending its own IP address as the source IP address in the data packet, it supplies an invalid IP address that cannot be accessed.

• When the server responds with the SYNACK packet, it responds to an IP address that seems valid, but is not available.


SYN Flooding (Continued)


Teardrop

• Teardrop attack sends a series of fragmented packets containing false reassembly instructions.

• As a result, the device is unable to reassemble the packet because the packet is invalid or incomplete.

• However, the device, often a computer or server, continues to allocate operating system resources to handle the invalid packets.

• Eventually, system resources are exhausted, causing the device to crash, hang, or reboot.


Ping Flooding

• The Ping program is very helpful for debugging network problems, but it also can be dangerous when used by hackers to implement a Ping flood.

• Ping flooding (also known as ICMP flooding) is when a host is flooded with Ping requests.

• As the host tries to respond to the requests, it get bogged down and cannot function, causing DoS.


Ping Flooding (Continued)

• This type of flooding is fairly common because it does

not require a lot of special knowledge.

• A variation of Ping flooding is the Ping of Death

attack, which occurs when a hacker uses the Ping

protocol to send a packet that is larger than the

65,536 bytes allowed by the IP protocol.


Mail Flooding

• Mail flooding is when hackers send numerous huge e-mail messages to an e-mail server.

• Spam is a form of mail flooding.

• Spam is unsolicited e-mail messages that usually are trying to sell a product, and are sent in bulk.


Data Theft

• A type of intrusion involves the theft of network data.

• If hackers find a working user ID and password, they can sign onto the network and appear as a legitimate user.

• Hackers also try to intercept data as it is transmitted across the LAN, an attack known as man in the middle.


Data Theft (Continued)

• The man in the middle attacks can include the interception of e-mail, files, chat dialogs, and data packets that are transmitted over the LAN.

• A man in the middle attack is most often perpetrated by hackers who have direct access to a LAN.

• Key-stroke logging is accomplished by installing software that records and transmits every character a user types on a keyboard.


Data Theft (Continued)

• Phishing occurs when an individual pretending to be a legitimate business sends fraudulent e-mail messages in hopes of enticing users to reveal sensitive information, such as bank account information, Social Security numbers, or credit card numbers.

• Phishing uses social engineering (it exploits social weaknesses in people, not software flaws) to steal personal data and sometimes commit identity theft.


Computer Infestations

• A virus is a program that spreads by attaching to other programs.

• Viruses usually spread through infected e-mail messages that arrive with a virus in an attachment.

• A virus is called a virus because:

1. It has an incubation period (it does not do damage immediately).

2. It is contagious

3. It can be destructive


Computer Infestations (Continued)

• A virus is different from a worm, which is a program that spreads copies of itself throughout the Internet or LAN without needing a host program such as a Microsoft Word file or other application.

• A Trojan horse is a third type of computer infestation that, like a worm, does not need a host program to work but instead substitutes itself for a legitimate program.

• A Trojan horse is an infestation that masquerades as a legitimate program.


Computer Infestations (Continued)

• Programs such as Kazaa Media Desktop can be used to unknowingly download Trojan horses from peer-to-peer file-sharing networks that masquerade as music files or software programs.

• Spyware is software used to collect and relay information about a user or the Web sites a user visits to advertisers.

• Spyware is often installed in addition to normal software that a user installs from the Web.


Cookies

• Cookies are considered by many people to be

another form of spyware.

• A cookie is data that is stored on the client’s system

by a Web site for later retrieval.

• When a user accesses a Web page that uses

cookies, the cookie is placed on the user’s hard drive.


Protection Solutions

• Security experts agree that the best approach to protecting computers and other network resources is to apply security measures in layers.

• For example, a home computer should run more than just antivirus software.

• You should also install the latest security patches for the operating system and applications on your computer.


Firewalls

• A firewall is hardware or software that can reside on the network’s gateway.

• Different types of firewalls can function in several ways. See the list on page 640.


Hardware Firewall

• A good firewall solution is a hardware firewall that stands between a LAN and the Internet.

• A hardware firewall is ideal for a home network consisting of two or more computers because it protects the entire network.

• For most home and small-office LANs that connect to the Internet through a single cable modem or DSL converter, a broadband router is used as a hardware firewall.


Software Firewall

• Use when the connection to the Internet is always on, such as a cable modem or DSL

• Layered security is the key to system protection.

• Requests permission from a user prior to accessing programs on the network.


A Proxy Server Used as a Firewall

• When a proxy server is acting as a firewall, it can

filter traffic in both directions.

• It can filter traffic that is coming into the network from

outside computers, and it can filter traffic that is

leaving the network.


Firewalls that Filter Ports and Packets

• When a firewall filters ports, it prevents software on the outside from using certain ports on the network, even though those ports have services listening at them.

• Sometimes, a problem arises when you want to allow certain ports to be accessed but others to be filtered, or allow packets that are not a part of a current TCP session, such as when there is a videoconference.


DMZ Configurations

• DMZ is an abbreviation for “Demilitarized Zone.”

• Refers to an area that is between the private network and the Internet, but is not a direct part of either network.

• It is often an additional network that is placed between the two networks to offer additional security, and is sometimes called a perimeter network.


Screened Host

• With a screened host, a router is used to filter all traffic to the private intranet but allow full access to the computer in the DMZ.

• The router is responsible for protecting the private network.


Bastion Host

• Another DMZ configuration is the bastion host.

• The word bastion means a protruding part of a fortified wall or rampart.

• Bastion hosts are computers that stand outside the protected network and are exposed to an attack by using two network cards, one for the DMZ and one for the intranet, as shown in Figure 11-22 on page 652.

• Bastion hosts also are known as dual-homed hosts or dual-homed firewalls.


Three-Homed Firewall

• Suppose there are several computers in the DMZ, a Web server, a DNS server, and an FTP server.

• With a large DMZ, a three-homed firewall can be used.

• The entry point to the DMZ requires three network cards.

• One network card is connected to the Internet, one to the DMZ network, and the final network card is connected to the intranet.


Three-Homed Firewall (Continued)


Back-to-Back Firewall

• The back-to-back firewall configuration offers some of the best protection for networks.

• In this design, the DMZ network is located between two firewalls, as shown in Figure 11-24.


Dead Zone

• A dead zone is a network between two routers that

uses another network protocol other than TCP/IP.

• If the DMZ is using some other protocol, such as

IPX/SPX, this network between the two routers is a

dead zone.


Intrusion Detection Software

• Intrusion detection software lets you know when someone has tried to break into your network.

• Because the Internet makes it so easy for people to try to gain access to your resources, it is necessary to have software installed to let you know when an attack has been attempted.

• Intrusion detection software, sometimes called intrusion prevention software, provides alarms that go off when suspicious activity is spotted.


Secure Sockets Layer

• SSL (Secure Sockets Layer) protocol was developed by Netscape to provide security between application protocols (such as FTP, HTTP, or Telnet) and TCP/IP.

• SSL provides data encryption and server authentication, and can provide client authentication for a TCP/IP connection.

• SSL uses public and private keys and is similar to the public key encryption method.

• Figure 11-25 on page 656 shows one of several ways that SSL can work.


Secure Electronics Transactions

• SET (Secure Electronics Transactions) is a protocol that is designed to offer a secure medium for credit card transactions.

• It uses digital signatures to verify that both parties involved in the transaction are who they say they are.

• SET also protects the information in the transaction from being stolen or altered during the transaction, which protects all parties, including the consumer.


Infection Methods

• Like any program, a virus is a program cannot function until it is executed.

• Unlike a virus, a worm creates copies of itself, which then spread throughout the Internet or LAN.

• In 2004, the Beagle worm arrived as a password protected compressed file that appeared to be sent by a network administrator on the user’s network.


Infection Methods (Continued)

• A e-mail used spoofing to replace the true sender’s

e-mail address with a fake e-mail address.

• Spoofing is the act of replacing the source of a data

transmission with fake information so the true identity

of the sender remains hidden.


Managing Antivirus Software

• A real-time antivirus scanner is software that is designed to scan every file accessed on a computer so that it can catch viruses and worms before they can infect a computer.

• This software runs each time a computer is turned on.

• Using a real-time scanner helps antivirus software stop infections from different sources, including a Web browser, e-mail attachment, storage media, or local area network.


Managing Antivirus Software (Continued)

• The process of calculating and recording checksums to protect against viruses and worms is called inoculation.

• Antivirus software must be updated to stay ahead of new viruses and worms.


Eliminating Spam

• To protect your privacy limit how much information you volunteer to people.

• Another option is to create a separate e-mail account just for junk mail.

• Many ISPs offer spam rejection services.

• Some spam rejection services allow a user to indicate that he does not want to receive any more messages from the sender by sending a message to their ISP e-mail system.


Stopping Pop-up Ads

• Follow the steps on page 664 to stop pop-up ads.

• Internet Explorer Pop-up Blocker offers three levels of protection.

• The pop-up blocker is set to ON by default.


Removing Spyware

• Spyware is often secretly installed in addition to normal software that a user installs from the Web.

• Spyware consumes system resources and can cause your computer to become unresponsive, crash, or reboot.

• The best recommendation is to minimize or refrain from installing free software from the Web or from peer-to-peer, file-sharing networks.


Controlling Cookies

• One of the first steps in protecting your privacy is to limit cookies.

• Internet Explorer users can control cookies through the Privacy tab of the Internet Options dialog box.


Controlling Cookies (Continued)


Protection Strategies

• A security system should:

– Provide privacy

– Provide authentication

– Protect data integrity

– Provide nonrepudiation

– Be easy to use


Authentication

• Different levels of authentication on a network exist:

– None

– Connect

– Call

– Packet

– Packet integrity

– Packet privacy


Users IDs and Passwords

• User IDs and passwords can be set at many levels, including:

– Individual computes can have a setup password installed in CMOS that is needed to access the hardware and is required when you first turn on the computer.

– The operating system on the computer can require a user ID and password to use the system.

– A network operating system can require a user ID and password to access the network.

– The remainder of this list appears on pages 672 and 673.


Choosing a Password

• A good, effective password has a mixture of letters,

numbers, and symbols, both uppercase and

lowercase, and does not have any logical meaning.

• To further secure passwords, system administrators

often put an expiration date on passwords meaning

that the user periodically must change her password.


Passwords on the Computer

• Passwords on a computer can be setup passwords, operating system passwords, and passwords on files, folders, and applications.

• Every computer has a microchip on the motherboard inside the computer that can hold some basic information about the setup of the system.

• To set or change the startup password, you must access the setup information when the computer first starts up.


User IDs and Passwords Required by the Network Operating System

• The network operating system allows the system administrator to define what files or folders the user has access to and what type of access the user has, which is called the user permissions.

• A user can have read, write, or no access permissions.

• Read access means that the user is allowed to read the file, but cannot make changes to it.

• Write access allows the user to read the file, make changes, save changes, and delete the file.

• No access, of course, denies the user any access to the file.


Securing User IDs and Passwords

• Several encryption services, called authentication protocols, transmit, store, and handle passwords safely.

• These include TACACS+ (Terminal Access Controller Access System), RADIUS (Remote Access Dial-In User Service), Kerberos, PAP (Password Authentication Protocol), SPAP (Shiva Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), and MS-CHAP (Microsoft CHAP),

• Of these, CHAP and Kerberos are the more popular protocols or methods.


Passing a User ID and Password in a URL

• Subscription Web sites usually require users to enter a user ID and password to access the Web site content.

• The user ID and password required to access a Web site can be passed to the Web site in the URL.

• Doing this saves the time of having to manually enter the user ID and password every time you visit a subscript Web site.


Smart Cards

• Smart cards are about the size of a credit card and

contain an embedded microchip.

• The chip enables the card to hold data or

programming that can authenticate a user who is

accessing a network.


Digital Certificates

• A digital certificate, sometimes called a digital ID, is a digital signature that verifies the sender’s identity.

• It is a binary file that is stored on your hard drive, usually as part of your Windows registry information.

• Another feature of digital certificates is to assist in nonrepudiation—a guarantee that provides proof of delivery to the data sender and assurance of the sender’s identity to the recipient.

• Nonrepudiation of origin prevents the person who sent the message from claiming not to be that person.


Digital Certificates (Continued)

• Non repudiation of delivery is used so that the receiver of the message cannot deny getting the message.

• The only way to obtain a digital certificate is through a certification authority (CA), and it is the CA’s job to verify that you are who you way you are.

• The two largest certification authorities are VeriSign (www.verisign.com) and Thawte (www.thawte.com).

• Digital certificates are sometimes used to help create a virtual private network (VPN), whereby hosts on the Internet can communicate with as much privacy as if they were on a private network.

http://www.verisign.com/

http://www.thawte.com/


Types of Digital Certificates

• A client SSL certificate

• A server SSL certificate

• An S/MIME certificate

• An object-signing certificate

• A CA certificate


What Is in a Digital Certificate?

• Most certificates today conform to the X.509

certificate specification.

• This specification is recommended by the

International Telecommunication Union (ITU), and

has been recommended since 1988.


How Digital Certificates Work

• The process of getting a digital certificate and using the certificate involves three parties: the person needing the certificate, the authority issuing the certificate, and the company with whom the person want to use the certificate


How to Protect Your Digital Certificate

• The easiest way to protect the information itself is to

require a password to access it.

• In addition, most software programs that use digital

certificates allow you to require a password before

the certificate is used.


Using Digital Certificates

• Digital certificates are commonly used on Web sites,

but digital certificates can also be used to secure

e-mail.

• One of the most popular certificate authorities used to

secure Web sites and e-mail is VeriSign

(www.verisign.com).


Encryption

• To be certain that data cannot be read if intercepted,

data can be coded in a way that allows only the

intended receiver to understand it.

• Encryption is the process of coding data to prevent

unauthorized parties from being able to change or

view it.


Symmetric or Private Key Encryption

• Symmetric encryption, also called private key encryption, is a very simple and fast encryption method that employs encryption software to convert data into a form that is unreadable, most often through the use of a mathematical formula.

• This unreadable data is called ciphertext.

• Part of the formula that is used to encode the data is called a key, session key, or secret key.


Length of Encryption Keys

• The longer the session key, the more secure the data, which makes sense because there are more possible combinations as the key length grows.

• It has been proven that a key that is 40 bits long can be cracked in about six hours by systematically using every combination of 40 bits until the correct combination is discovered.


Algorithms Used for Encryption

• DES was one of the first algorithms developed that used symmetric encryption.

• It uses a 64-bit key to encrypt and decrypt data, and runs the main algorithm 16 times to produce the encrypted data.

• DES can be used in one of four modes, listed on page 688 of the text.

• Additional examples of symmetric encryption include Skipjack and Blowfish.


Algorithms Used for Encryption (Continued)

• The U.S. National Security Agency (NSA) developed Skipjack.

• The Skipjack algorithm uses 80-bit keys and is repeated 32 times to produce ciphertext, and can run using all four modes that DES uses.

• Blowfish is an encryption algorithm that can use either fixed-length keys or variable-length keys, from 32 bits to 448 bits.


Asymmetric or Public Key Encryption

• RC2 was designed to replace DES, and uses the same 64-bit block size as DES but it processes data much faster.

• After the original data is encrypted, another block of data (40 to 88 bits long), called the salt, is appended to the encryption key to throw off hackers.

• Because RC2 can be exchanged for DES without a lot of reprogramming, it is called a drop-in technology.


Asymmetric or Public Key Encryption (Continued)

• RC4 is similar to RC2, but uses a variable key size and variable block sizes.

• RC5 is more advanced, using variable block and key sizes and varying the number of times the algorithm is applied.

• When a session key has been encrypted using asymmetric encryption, the session key said to be enclosed and called a digital envelope.


Pretty Good Privacy Encryption

• Pretty Good Privacy (PGP) encryption is another encryption protocol.

• It is used to:

– Encrypt and decrypt messages that are sent over the Internet.

– Send digital signatures to ensure the identity of the sender.

– Verify that the message was not altered during transmission.


Secure MIME

• The secure version of MIME is S/MIME

(Secure/Multipurpose Internet Mail Extensions).

• S/MIME works in a similar way as public key

encryption and is a competing technology.


Hashing

• With hashing, the already encrypted data is used for a series of calculations that produce a fixed-length output called a message digest, or hash.

• Because the hash sent to the receiver is not decoded, hashing is a one-way operation.

• Therefore, hashing is sometimes called one-way encryption.

• Some common algorithms used for hashing are SHA-1 (Secure Hash Algorithm 1) and MD5 (Message Digital 5), both invented by RSA Security.


Virtual Private Networks

• A virtual private network (VPN) uses a public network to provide a secure connection between two parts of a private network or between a remote user and the network.

• VPNs are gaining popularity with businesses because they offer networking capabilities at reduced costs.


Tunneling

• Tunneling is a process by which a packet is encapsulated in a secure protocol before it is sent over a public network.

• In VPNs that deal with the Internet, the packets are encapsulated in one of several competing secure protocols before they are embedded in the IP protocol to travel the Internet.

• Figure 11-51 shows an example of tunneling.


Tunneling (Continued)


Data Link Layer Protocols

• Three tunneling protocols operate at the Data Link layer of the OSI model: L2F, PPTP, and L2TP.

• PPTP (Point-to-Point Tunneling Protocol) is the most common tunneling protocol.

• PPTP is based on Point-to-Point Protocol (PPP), a remote-access standard that was created by Microsoft that is used by both the Windows and Macintosh operating systems for dial-up connections.


Data Link Layer Protocols (Continued)

• L2F (Layer 2 Forwarding) is a tunneling protocol that was developed by Cisco and which works in a way that is very similar to PPTP.

• It requires that the ISPs on both ends support the L2F protocol.

• L2TP (Layer 2 Tunneling Protocol) is a combination of PPTP and L2F that enables ISPs to operate VPNs.

• All of the Data Link layer protocols encode data so that it can be transmitted in private across the Internet.


IPsec

• IPsec (Internet Protocol Security) was developed by the Internet Engineering Task Force (IETF) to be used as a standard platform for creating secure networks and electronic tunnels.

• IPsec is a suite of protocols that is used for secure private communications over the Internet.

• IPsec uses three keys: a public key, a private key, and a session key. See Figure 11-53 on page 696.


VPN Hardware and Software

• A VPN needs three components for optimum performance, though not all parts are necessary if the network doesn’t need a high degree of security:

– A security gateway that controls access to the private network.

– A certificate authority (either internal or external to the company) to issue and revoke public keys, private keys, and digital certificates.

– A security policy server to authenticate users trying to access the network.


VPN Hardware and Software (Continued)

• A security gateway is a firewall that stands between the Internet and private network.

• The security policy server is responsible for authenticating those users who have access to the private network.

• It can be as simple as a Windows NT server that is managing user IDs and passwords, or it can be more sophisticated.


Summary

• In a DDoS attack, a hacker has remote control of hundreds of computers over a large geographical area and commands them to send false requests to a Web server or other Internet device.

• Most systems cannot handle Ping requests with packets over 64 bytes.

• Another form of mail flooding occurs when mailboxes are inundated with spam, or unsolicited e-mail messages.


Summary (Continued)

• Phishing occurs when an individual sends fraudulent e-mail messages pretending to be a legitimate business in hopes of enticing users to reveal sensitive information, such as bank account information, Social Security numbers, or credit card numbers.

• Worms are self-replicating and can infect computers attached to the Internet or a local area network.


Summary (Continued)

• A DMZ can be created using a screened host, a bastion host, a three-homed firewall, or a back-to-back firewall.

• Digital certificates provide digital signatures that verify that the sender is actually who he says he is.

• Four tunneling protocols are currently used for virtual private networks: L2F (Layer 2 Forwarding), PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and IPsec (Internet Protocol Security)

chapter 11: internet security i-net+ guide to the internet third edition

Documents

internet slide

internet device

internet resources

inet guide

internet bandwith

edition10 ping flooding

variation of ping flooding

ddos attack