the Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP), which is based on the AES
encryption scheme.
Understand EAP. EAP (Extensible Authentication Protocol) is not a
specific mechanism of authentication; rather it is an authentication
framework. Effectively, EAP allows for new authentication
technologies to be compatible with existing wireless or point-to-point
connection technologies.
Understand PEAP. PEAP (Protected Extensible Authentication
Protocol) encapsulates EAP methods within a TLS tunnel that
provides authentication and potentially encryption.
Understand LEAP. LEAP (Lightweight Extensible Authentication
Protocol) is a Cisco proprietary alternative to TKIP for WPA. This was
developed to address deficiencies in TKIP before the 802.11i/WPA2
system was ratified as a standard.
Understand MAC Filtering. A MAC filter is a list of authorized
wireless client interface MAC addresses that is used by a wireless
access point to block access to all nonauthorized devices.
Understand SSID Broadcast. Wireless networks traditionally
announce their SSID on a regular basis within a special packet known
as the beacon frame. When the SSID is broadcast, any device with an
automatic detect and connect feature is not only able to see the
network, but it can also initiate a connection with the network.
Understand TKIP. TKIP (Temporal Key Integrity Protocol) was
designed as the replacement for WEP without requiring replacement
of legacy wireless hardware. TKIP was implemented into 802.11
wireless networking under the name WPA (Wi-Fi Protected Access).
Understand CCMP. CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol) was created to
replace WEP and TKIP/WPA. CCMP uses AES (Advanced Encryption
Standard) with a 128-bit key.
Understand captive portals. A captive portal is an authentication
technique that redirects a newly connected wireless web client to a
portal access control page.
Understand antenna types. A wide variety of antenna types can be
used for wireless clients and base stations. These include
omnidirectional pole antennas as well as many directional antennas,
such as Yagi, cantenna, panel, and parabolic.
Know the standard network topologies. These are ring, bus,
star, and mesh.
Know the common network devices. Common network devices
are firewalls, routers, hubs, bridges, modems, repeaters, switches,
gateways, and proxies.
Understand the different types of firewalls. There are several
types of firewalls: static packet filtering, application-level gateway,
circuit-level gateway, stateful inspection, deep-packet inspection, and
next-gen.
Know the protocol services used to connect to LAN and WAN
communication technologies. These are Frame Relay, SMDS,
X.25, ATM, HSSI, SDLC, HDLC, and ISDN.
Written Lab
1. Name the layers of the OSI model and their numbers from top to
bottom.
2. Name three problems with cabling and the methods to counteract
those issues.
3. What are the various technologies employed by wireless devices to
maximize their use of the available radio frequencies?
4. Discuss methods used to secure 802.11 wireless networking.
5. Name the LAN shared media access technologies and examples of
their use, if known.
Review Questions
1. What is layer 4 of the OSI model?
A. Presentation
B. Network
C. Data Link
D. Transport
2. What is encapsulation?
A. Changing the source and destination addresses of a packet
B. Adding a header and footer to data as it moves down the OSI
stack
C. Verifying a person’s identity
D. Protecting evidence until it has been properly collected
3. Which OSI model layer manages communications in simplex, half-
duplex, and full-duplex modes?
A. Application
B. Session
C. Transport
D. Physical
4. Which of the following is the least resistant to EMI?
A. Thinnet
B. UTP
C. STP
D. Fiber
5. Which of the following is not an example of network segmentation?
A. Intranet
B. DMZ
C. Extranet
D. VPN
6. What is a field-powered technology that can be used for inventory
management without requiring direct physical contact?
A. IPX
B. RFID
C. SSID
D. SDN
7. If you are the victim of a bluejacking attack, what was
compromised?
A. Your firewall
B. Your switch
C. Your cell phone
D. Your web cookies
8. Which networking technology is based on the IEEE 802.3
standard?
A. Ethernet
B. Token Ring
C. FDDI
D. HDLC
9. What is a TCP wrapper?
A. An encapsulation protocol used by switches
B. An application that can serve as a basic firewall by restricting
access based on user IDs or system IDs
C. A security protocol used to protect TCP/IP traffic over WAN
links
D. A mechanism to tunnel TCP/IP through non-IP networks
10. What is both a benefit and a potentially harmful implication of
multilayer protocols?
A. Throughput
B. Encapsulation
C. Hash integrity checking
D. Logical addressing
11. By examining the source and destination addresses, the application
usage, the source of origin, and the relationship between current
packets with the previous packets of the same session,
______________ firewalls are able to grant a broader range of
access for authorized users and activities and actively watch for
and block unauthorized users and activities.
A. Static packet-filtering
B. Application-level gateway
C. Stateful inspection
D. Circuit-level gateway
12. ______________ firewalls are known as third-generation
firewalls.
A. Application-level gateway
B. Stateful inspection
C. Circuit-level gateway
D. Static packet-filtering
13. Which of the following is not true regarding firewalls?
A. They are able to log traffic information.
B. They are able to block viruses.
C. They are able to issue alarms based on suspected attacks.
D. They are unable to prevent internal attacks.
14. Which of the following is not a routing protocol?
A. OSPF
B. BGP
C. RPC
D. RIP
15. A ______________ is an intelligent hub because it knows the
addresses of the systems connected on each outbound port. Instead
of repeating traffic on every outbound port, it repeats traffic only
out of the port on which the destination is known to exist.
A. Repeater
B. Switch
C. Bridge
D. Router
16. Which of the following is not a technology specifically associated
with 802.11 wireless networking?
A. WAP
B. WPA
C. WEP
D. 802.11i
17. Which wireless frequency access method offers the greatest
throughput with the least interference?
A. FHSS
B. DSSS
C. OFDM
D. OSPF
18. What security concept encourages administrators to install
firewalls, malware scanners, and an IDS on every host?
A. Endpoint security
B. Network access control (NAC)
C. VLAN
D. RADIUS
19. What function does ARP perform?
A. It is a routing protocol.
B. It resolves IP addresses into MAC addresses.
C. It resolves physical addresses into logical addresses.
D. It manages multiplex streaming.
20. What form of infrastructure mode wireless networking deployment
supports large physical environments through the use of a single
SSID but numerous access points?
A. Stand-alone
B. Wired extension
C. Enterprise extension
D. Bridge
Chapter 12
Secure Communications and Network Attacks
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER
INCLUDE:
Domain 4: Communication and Network Security
4.3 Implement secure communication channels according to
design
4.3.1 Voice
4.3.2 Multimedia collaboration
4.3.3 Remote access
4.3.4 Data communications
4.3.5 Virtualized networks
Data residing in a static form on a storage device is
fairly simple to secure. As long as physical access control is maintained
and reasonable logical access controls are implemented, stored files
remain confidential, retain their integrity, and are available to
authorized users. However, once data is used by an application or
transferred over a network connection, the process of securing it
becomes much more difficult.
Communications security covers a wide range of issues related to the
transportation of electronic information from one place to another.
That transportation may be between systems on opposite sides of the
planet or between systems on the same business network. Once it is
involved in any means of transportation, data becomes vulnerable to a
plethora of threats to its confidentiality, integrity, and availability.
Fortunately, many of these threats can be reduced or eliminated with
the appropriate countermeasures.
Communications security is designed to detect, prevent, and even
correct data transportation errors (that is, it provides integrity
protection as well as confidentiality). This is done to sustain the
security of networks while supporting the need to exchange and share
data. This chapter covers the many forms of communications security,
vulnerabilities, and countermeasures.
The Communication and Network Security domain for the CISSP
certification exam deals with topics related to network components
(i.e., network devices and protocols), specifically how they function
and how they are relevant to security. This domain is discussed in this
chapter and in Chapter 11, “Secure Network Architecture and Securing
Network Components.” Be sure to read and study the material in both
chapters to ensure complete coverage of the essential material for the
CISSP certification exam.
Network and Protocol Security Mechanisms
Transmission Control Protocol/Internet Protocol (TCP/IP) is the
primary protocol suite used on most networks and on the internet. It is
a robust protocol suite, but it has numerous security deficiencies. In an
effort to improve the security of TCP/IP, many subprotocols,
mechanisms, or applications have been developed to protect the
confidentiality, integrity, and availability of transmitted data. It is
important to remember that even with the foundational protocol suite
of TCP/IP, there are literally hundreds, if not thousands, of individual
protocols, mechanisms, and applications in use across the internet.
Some of them are designed to provide security services. Some protect
integrity, others protect confidentiality, and others provide
authentication and access control. In the next sections, we’ll discuss
some of the more common network and protocol security
mechanisms.
Secure Communications Protocols
Protocols that provide security services for application-specific
communication channels are called secure communication protocols.
The following list includes a small sampling of some of the options
available:
IPsec Internet Protocol security (IPsec) uses public key cryptography
to provide encryption, access control, nonrepudiation, and message
authentication, all using IP-based protocols. The primary use of IPsec
is for virtual private networks (VPNs), so IPsec can operate in either
transport or tunnel mode. IPsec is discussed further in Chapter 7, “PKI
and Cryptographic Applications.”
Kerberos Kerberos offers a single sign-on solution for users and
provides protection for logon credentials. Modern implementations of
Kerberos use hybrid encryption to provide reliable authentication
protection. Kerberos is discussed further in Chapter 13, “Cryptography
and Symmetric Key Algorithms.”
SSH Secure Shell (SSH) is a good example of an end-to-end
encryption technique. This security tool can be used to encrypt
numerous plaintext utilities (such as rcp, rlogin, rexec), serve as a
protocol encrypter (such as with SFTP), and function as a VPN.
Signal Protocol This is a cryptographic protocol that provides end-
to-end encryption for voice communications, videoconferencing, and
text message services. The Signal Protocol is nonfederated and is a
core element in the messaging app named Signal.
Secure Remote Procedure Call (S-RPC) This is an
authentication service and is simply a means to prevent unauthorized
execution of code on remote systems.
Secure Sockets Layer (SSL) This is an encryption protocol
developed by Netscape to protect the communications between a web
server and a web browser. SSL can be used to secure web, email, File
Transfer Protocol (FTP) or even Telnet traffic. It is a session-oriented
protocol that provides confidentiality and integrity. SSL is deployed
using a 40-bit key or a 128-bit key. SSL is superseded by Transport
Layer Security (TLS).
Transport Layer Security (TLS) TLS functions in the same
general manner as SSL, but it uses stronger authentication and
encryption protocols.
SSL and TLS both have the following features:
Support secure client-server communications across an insecure
network while preventing tampering, spoofing, and eavesdropping.
Support one-way authentication.
Support two-way authentication using digital certificates.
Often implemented as the initial payload of a TCP package,
allowing it to encapsulate all higher-layer protocol payloads.
Can be implemented at lower layers, such as layer 3 (the Network
layer) to operate as a VPN. This implementation is known as
OpenVPN.
In addition, TLS can be used to encrypt User Datagram Protocol
(UDP) and Session Initiation Protocol (SIP) connections. (SIP is a
protocol associated with Voice over IP [VoIP].)
Authentication Protocols
After a connection is initially established between a remote system and
a server or a network, the first activity that should take place is to
verify the identity of the remote user. This activity is known as
authentication. There are several authentication protocols that control
how the logon credentials are exchanged and whether those
credentials are encrypted during transport:
Challenge Handshake Authentication Protocol (CHAP) This
is one of the authentication protocols used over Point-to-Point
Protocol (PPP) links. CHAP encrypts usernames and passwords. It
performs authentication using a challenge-response dialogue that
cannot be replayed. CHAP also periodically reauthenticates the remote
system throughout an established communication session to verify a
persistent identity of the remote client. This activity is transparent to
the user.
Password Authentication Protocol (PAP) This is a standardized
authentication protocol for PPP. PAP transmits usernames and
passwords in cleartext. It offers no form of encryption; it simply
provides a means to transport the logon credentials from the client to
the authentication server.
Extensible Authentication Protocol (EAP) This is a framework
for authentication instead of an actual protocol. EAP allows
customized authentication security solutions, such as supporting
smart cards, tokens, and biometrics. (See the sidebar “EAP, PEAP, and
LEAP” for information about other protocols based on EAP.)
These three authentication protocols were initially used over dial-up
PPP connections. Today, these and many other, newer authentication
protocols (such as openID, OAuth, and Shibboleth) and concepts (such
as authentication federation and SAML) are in use over a wide number
of distance connection technologies, including broadband and virtual
private networks (VPNs), as well as expanding support and using
traditional authentication services, such as Kerberos, Remote
Authentication Dial-in User Service (RADIUS), and even Terminal
Access Controller Access Control System Plus (TACACS+).
EAP, PEAP, and LEAP
Protected Extensible Authentication Protocol (PEAP) encapsulates
EAP in a TLS tunnel. PEAP is preferred to EAP because EAP
assumes that the channel is already protected but PEAP imposes
its own security. PEAP is used for securing communications over
802.11 wireless connections. PEAP can be employed by Wi-Fi
Protected Access (WPA) and WPA-2 connections.
PEAP is also preferred over Cisco’s proprietary EAP known as
Lightweight Extensible Authentication Protocol (LEAP). LEAP
was Cisco’s initial response to insecure WEP. LEAP supported
frequent reauthentication and changing of WEP keys (whereas
WEP used single authentication and a static key). However, LEAP
is crackable using a variety of tools and techniques, including the
exploit tool Asleap.
Secure Voice Communications
The vulnerability of voice communication is tangentially related to
information technology (IT) system security. However, as voice
communication solutions move on to the network by employing digital
devices and VoIP, securing voice communications becomes an
increasingly important issue. When voice communications occur over
the IT infrastructure, it is important to implement mechanisms to
provide for authentication and integrity. Confidentiality should be
maintained by employing an encryption service or protocol to protect
the voice communications while in transit.
Normal private branch exchange (PBX) or POTS/public switched
telephone network (PSTN) voice communications are vulnerable to
interception, eavesdropping, tapping, and other exploitations. Often,
physical security is required to maintain control over voice
communications within the confines of your organization’s physical
locations. Security of voice communications outside your organization
is typically the responsibility of the phone company from which you
lease services. If voice communication vulnerabilities are an important
issue for sustaining your security policy, you should deploy an
encrypted communication mechanism and use it exclusively.
Voice over Internet Protocol (VoIP)
VoIP is a technology that encapsulates audio into IP packets to
support telephone calls over TCP/IP network connections. VoIP has
become a popular and inexpensive telephony solution for companies
and individuals worldwide.
It is important to keep security in mind when selecting a VoIP solution
to ensure that it provides the privacy and security you expect. Some
VoIP systems are essentially plain-form communications that are
easily intercepted and eavesdropped; others are highly encrypted, and
any attempt to interfere or wiretap is deterred and thwarted.
VoIP is not without its problems. Hackers can wage a wide range of
potential attacks against a VoIP solution:
Caller ID can be falsified easily using any number of VoIP tools, so
hackers can perform vishing (VoIP phishing) or Spam over
Internet Telephony (SPIT) attacks.
The call manager systems and the VoIP phones themselves might
be vulnerable to host operating system (OS) attacks and DoS
attacks. If a device’s or software’s host OS or firmware has
vulnerabilities, there is increased risk of exploits.
Attackers might be able to perform man-in-the-middle (MitM)
attacks by spoofing call managers or endpoint connection
negotiations and/or responses.
Depending on the deployment, there are also risks associated with
deploying VoIP phones off the same switches as desktop and server
systems. This could allow for 802.1X authentication falsification as
well as virtual local area network (VLAN) and VoIP hopping (i.e.,
jumping across authenticated channels).
Since VoIP traffic is just network traffic, it is often possible to listen
in on VoIP communications by decoding the VoIP traffic when it
isn’t encrypted.
Secure Real-Time Transport Protocol or SecureRTP (SRTP) is a
security improvement over the Real-Time Transport Protocol (RTP)
that is used in many VoIP communications. SRTP aims to minimize
the risk of VoIP DoS through robust encryption and reliable
authentication.
Social Engineering
Malicious individuals can exploit voice communications through a
technique known as social engineering. Social engineering is a means
by which an unknown, untrusted, or at least unauthorized person
gains the trust of someone inside your organization. Adept individuals
can convince employees that they are associated with upper
management, technical support, the help desk, and so on. Once
convinced, the victim is often encouraged to make a change to their
user account on the system, such as resetting their password. Other
attacks include instructing the victim to open specific email
attachments, launch an application, or connect to a specific uniform
resource locator (URL). Whatever the actual activity is, it is usually
directed toward opening a back door that the attacker can use to gain
network access.
The people within an organization make it vulnerable to social
engineering attacks. With just a little information or a few facts, it is
often possible to get a victim to disclose confidential information or
engage in irresponsible activity. Social engineering attacks exploit
human characteristics such as a basic trust in others, a desire to
provide assistance, or a propensity to show off. Overlooking
discrepancies, being distracted, following orders, assuming others
know more than they actually do, wanting to help others, and fearing
reprimands can also lead to attacks. Attackers are often able to bypass
extensive physical and logical security controls because the victim
opens an access pathway from the inside, effectively punching a hole
in the secured perimeter.
The Fascinating World of Social Engineering
Social engineering is a fascinating subject. It is the means to break
into the perfectly technically secured environment. Social
engineering is the art of using an organization’s own people against
it. Although not necessary for the CISSP exam, there are lots of
excellent resources, examples, and discussions of social
engineering that can increase your awareness of this security
problem. Some are also highly entertaining. We suggest doing
some searching on the term social engineering to discover books
and online videos. You’ll find the reading informative and the
video examples addicting.
The only way to protect against social engineering attacks is to teach
users how to respond and interact with any form of communications,
whether voice-only, face to face, IM, chat, or email. Here are some
guidelines:
Always err on the side of caution whenever voice communications
seem odd, out of place, or unexpected.
Always request proof of identity. This can be a driver’s license
number, Social Security number, employee ID number, customer
number, or a case or reference number, any of which can be easily
verified. It could also take the form of having a person in the office
that would recognize the caller’s voice take the call. For example, if
the caller claims to be a department manager, you could confirm
their identity by asking their administrative assistant to take the
call.
Require callback authorizations on all voice-only requests for
network alterations or activities. A callback authorization occurs
when the initial client connection is disconnected, and a person or
party would call the client on a predetermined number that would
usually be stored in a corporate directory in order to verify the
identity of the client.
Classify information (usernames, passwords, IP addresses,
manager names, dial-in numbers, and so on), and clearly indicate
which information can be discussed or even confirmed using voice
communications.
If privileged information is requested over the phone by an
individual who should know that giving out that particular
information over the phone is against the company’s security
policy, ask why the information is needed and verify their identity
again. This incident should also be reported to the security
administrator.
Never give out or change passwords via voice-only
communications.
When disposing of office documentation (according to policy and
regulation compliance) always use a secure disposal or destruction
process, especially for any paperwork or media that contains
information about the IT infrastructure or its security mechanisms.
Fraud and Abuse
Another voice communication threat is private branch exchange (PBX)
fraud and abuse. Many PBX systems can be exploited by malicious
individuals to avoid toll charges and hide their identity. Malicious
attackers known as phreakers abuse phone systems in much the same
way that attackers abuse computer networks. Phreakers may be able to
gain unauthorized access to personal voice mailboxes, redirect
messages, block access, and redirect inbound and outbound calls.
Countermeasures to PBX fraud and abuse include many of the same
precautions you would employ to protect a typical computer network:
logical or technical controls, administrative controls, and physical
controls. Here are several key points to keep in mind when designing a
PBX security solution:
Consider replacing remote access or long-distance calling through
the PBX with a credit card or calling card system.
Restrict dial-in and dial-out features to authorized individuals who
require such functionality for their work tasks.
If you still have dial-in modems, use unpublished phone numbers
that are outside the prefix block range of your voice numbers.
Protect administrative interfaces for the PBX.
Block or disable any unassigned access codes or accounts.
Define an acceptable use policy and train users on how to properly
use the system.
Log and audit all activities on the PBX and review the audit trails
for security and use violations.
Disable maintenance modems (i.e., remote access modems used by
the vendor to remotely manage, update, and tune a deployed
product) and/or any form of remote administrative access.
Change all default configurations, especially passwords and
capabilities related to administrative or privileged features.
Block remote calling (that is, allowing a remote caller to dial in to
your PBX and then dial out again, thus directing all toll charges to
the PBX host).
Deploy Direct Inward System Access (DISA) technologies to
reduce PBX fraud by external parties. (But be sure to configure it
properly; see the sidebar “DISA: A Disease and the Cure.”)
Keep the system current with vendor/service provider updates.
Additionally, maintaining physical access control to all PBX
connection centers, phone portals, and wiring closets prevents direct
intrusion from onsite attackers.
DISA: A Disease and the Cure
An often-touted “security” improvement to PBX systems is Direct
Inward System Access (DISA). This system is designed to help
manage external access and external control of a PBX by assigning
access codes to users. Although great in concept, this system is
being compromised and abused by phreakers. Once an outside
phreaker learns the PBX access codes, they can often fully control
and abuse the company’s telephone network. This can include
using the PBX to make long-distance calls that are charged to your
company’s telephone account rather than the phreaker’s phone.
DISA, like any other security feature, must be properly installed,
configured, and monitored in order to obtain the desired security
improvement. Simply having DISA is not sufficient. Be sure to disable
all features that are not required by the organization, craft user
codes/passwords that are complex and difficult to guess, and then turn
on auditing to keep watch on PBX activities. Phreaking is a specific
type of attack directed toward the telephone system. Phreakers use
various types of technology to circumvent the telephone system to
make free long-distance calls, to alter the function of telephone
service, to steal specialized services, and even to cause service
disruptions. Some phreaker tools are actual devices, whereas others
are just particular ways of using a regular telephone. No matter what
the tool or technology actually is, phreaker tools are referred to as
colored boxes (black box, red box, and so on). Over the years, many
box technologies have been developed and widely used by phreakers,
but only a few of them work against today’s telephone systems based
on packet switching. Here are a few of the phreaker tools often used to
attack telephone services:
Black boxes are used to manipulate line voltages to steal long-
distance services. They are often just custom-built circuit boards
with a battery and wire clips.
Red boxes are used to simulate tones of coins being deposited into
a pay phone. They are usually just small tape recorders.
Blue boxes are used to simulate 2600 Hz tones to interact directly
with telephone network trunk systems (that is, backbones). This
could be a whistle, a tape recorder, or a digital tone generator.
White boxes are used to control the phone system. A white box is a
dual-tone multifrequency (DTMF) generator (that is, a keypad). It
can be a custom-built device or one of the pieces of equipment that
most telephone repair personnel use.
As you probably know, cell phone security is a growing
concern. Captured electronic serial numbers (ESNs) and mobile
identification numbers (MINs) can be burned into blank phones to
create clones (even subscriber identity modules—SIMs—can be
duplicated). When a clone is used, the charges are billed to the
original owner’s cell phone account. Furthermore, conversations
and data transmission can be intercepted using radio frequency
scanners. Also, anyone in the immediate vicinity can overhear at
least one side of the conversation. So don’t talk about confidential,
private, or sensitive topics in public places.
Multimedia Collaboration
Multimedia collaboration is the use of various multimedia-supporting
communication solutions to enhance distance collaboration (people
working on a project together remotely). Often, collaboration allows
workers to work simultaneously as well as across different time
frames. Collaboration can also be used for tracking changes and
including multimedia functions. Collaboration can incorporate email,
chat, VoIP, videoconferencing, use of a whiteboard, online document
editing, real-time file exchange, versioning control, and other tools. It
is often a feature of advanced forms of remote meeting technology.
Remote Meeting
Remote meeting technology is used for any product, hardware, or
software that allows for interaction between remote parties. These
technologies and solutions are known by many other terms: digital
collaboration, virtual meetings, videoconferencing, software or
application collaboration, shared whiteboard services, virtual training
solutions, and so on. Any service that enables people to communicate,
exchange data, collaborate on materials/data/documents, and
otherwise perform work tasks together can be considered a remote
meeting technology service.
No matter what form of multimedia collaboration is implemented, the
attendant security implications must be evaluated. Does the service
use strong authentication techniques? Does the communication occur
across an open protocol or an encrypted tunnel? Does the solution
allow for true deletion of content? Are activities of users audited and
logged? Multimedia collaboration and other forms of remote meeting
technology can improve the work environment and allow for input
from a wider range of diverse workers across the globe, but this is only
a benefit if the security of the communications solution can be
ensured.
Instant Messaging
Instant messaging (IM) is a mechanism that allows for real-time text-
based chat between two users located anywhere on the internet. Some
IM utilities allow for file transfer, multimedia, voice and
videoconferencing, and more. Some forms of IM are based on a peer-
to-peer service while others use a centralized controlling server. Peer-
to-peer-based IM is easy for end users to deploy and use, but it’s
difficult to manage from a corporate perspective because it’s generally
insecure. It has numerous vulnerabilities: It’s susceptible to packet
sniffing, it lacks true native security capabilities, and it provides no
protection for privacy.
Many forms of traditional instant messaging lack common security
features, such as encryption or user privacy. Many stand-alone IM
clients have been susceptible to malicious code deposit or infection
through their file transfer capabilities. Also, IM users are often subject
to numerous forms of social-engineering attacks, such as
impersonation or convincing a victim to reveal information that
should remain confidential (such as passwords).
There are several modern instant messaging solutions to consider for
both person-to-person interactions and collaboration and
communications among a group. Some are public services, such as
Twitter, Facebook Messenger, and Snapchat. Others are designed for
private or internal use, such as Slack, Google Hangouts, Cisco Spark,
Workplace by Facebook, and Skype. Most of these messaging services
are designed with security as a key feature, often employing
multifactor authentication and transmission encryption.
Manage Email Security
Email is one of the most widely and commonly used internet services.
The email infrastructure employed on the internet primarily consists
of email servers using Simple Mail Transfer Protocol (SMTP) to
accept messages from clients, transport those messages to other
servers, and deposit them into a user’s server-based inbox. In addition
to email servers, the infrastructure includes email clients. Clients
retrieve email from their server-based inboxes using Post Office
Protocol version 3 (POP3) or Internet Message Access Protocol
(IMAP). Clients communicate with email servers using SMTP. Many
internet-compatible email systems rely on the X.400 standard for
addressing and message handling.
Sendmail is the most common SMTP server for Unix systems, and
Exchange is the most common SMTP server for Microsoft systems. In
addition to these three popular products, numerous alternatives exist,
but they all share the same basic functionality and compliance with
internet email standards.
If you deploy an SMTP server, it is imperative that you properly
configure authentication for both inbound and outbound mail. SMTP
is designed to be a mail relay system. This means it relays mail from
sender to intended recipient. However, you want to avoid turning your
SMTP server into an open relay (also known as an open relay agent or
relay agent), which is an SMTP server that does not authenticate
senders before accepting and relaying mail. Open relays are prime
targets for spammers because they allow spammers to send out floods
of emails by piggybacking on an insecure email infrastructure. As open
relays are locked down, becoming closed or authentication relays, a
growing number of SMTP attacks are occurring through hijacked
authenticated user accounts.
Another option to consider for corporate email is a SaaS email
solution. Examples of cloud or hosted email include Gmail (Google
Apps for Business) and Outlook/Exchange Online. SaaS email enables
you to leverage the security experience and management expertise of
some of the largest internet-focused organizations to support your
company’s communications. Benefits of SaaS email include high
availability, distributed architecture, ease of access, standardized
configuration, and physical location independence. However, there are
some potential risks using a hosted email solution, including
blacklisting issues, rate limiting, app/add-on restrictions, and what (if
any) additional security mechanisms you can deploy.
Email Security Goals
For email, the basic mechanism in use on the internet offers the
efficient delivery of messages but lacks controls to provide for
confidentiality, integrity, or even availability. In other words, basic
email is not secure. However, you can add security to email in many
ways. Adding security to email may satisfy one or more of the
following objectives:
Provide for nonrepudiation
Restrict access to messages to their intended recipients (i.e.,
privacy and confidentiality)
Maintain the integrity of messages
Authenticate and verify the source of messages
Verify the delivery of messages
Classify sensitive content within or attached to messages
As with any aspect of IT security, email security begins in a security
policy approved by upper management. Within the security policy, you
must address several issues:
Acceptable use policies for email
Access control
Privacy
Email management
Email backup and retention policies
Acceptable use policies define what activities can and cannot be
performed over an organization’s email infrastructure. It is often
stipulated that professional, business-oriented email and a limited
amount of personal email can be sent and received. Specific
restrictions are usually placed on performing personal business (that
is, work for another organization, including self-employment) and
sending or receiving illegal, immoral, or offensive communications as
well as on engaging in any other activities that would have a
detrimental effect on productivity, profitability, or public relations.
Access control over email should be maintained so that users have
access only to their specific inbox and email archive databases. An
extension of this rule implies that no other user, authorized or not, can
gain access to an individual’s email. Access control should provide for
both legitimate access and some level of privacy, at least from other
employees and unauthorized intruders.
The mechanisms and processes used to implement, maintain, and
administer email for an organization should be clarified. End users
may not need to know the specifics of email management, but they do
need to know whether email is considered private communication.
Email has recently been the focus of numerous court cases in which
archived messages were used as evidence—often to the chagrin of the
author or recipient of those messages. If email is to be retained (that
is, backed up and stored in archives for future use), users need to be
made aware of this. If email is to be reviewed for violations by an
auditor, users need to be informed of this as well. Some companies
have elected to retain only the last three months of email archives
before they are destroyed, whereas others have opted to retain email
for years. Depending upon your country and industry, there are often
regulations that dictate retention policies.
Understand Email Security Issues
The first step in deploying email security is to recognize the
vulnerabilities specific to email. The standard protocols used to
support email (i.e., SMTP, POP, and IMAP) do not employ encryption
natively. Thus, all messages are transmitted in the form in which they
are submitted to the email server, which is often plain text. This makes
interception and eavesdropping easy. However, the lack of native
encryption is one of the least important security issues related to
email.
Email is a common delivery mechanism for viruses, worms, Trojan
horses, documents with destructive macros, and other malicious code.
The proliferation of support for various scripting languages,
autodownload capabilities, and autoexecute features has transformed
hyperlinks within the content of email and attachments into a serious
threat to every system.
Email offers little in the way of source verification. Spoofing the source
address of email is a simple process for even a novice attacker. Email
headers can be modified at their source or at any point during transit.
Furthermore, it is also possible to deliver email directly to a user’s
inbox on an email server by directly connecting to the email server’s
SMTP port. And speaking of in-transit modification, there are no
native integrity checks to ensure that a message was not altered
between its source and destination.
In addition, email itself can be used as an attack mechanism. When
sufficient numbers of messages are directed to a single user’s inbox or
through a specific STMP server, a denial-of-service (DoS) attack can
result. This attack is often called mail-bombing and is simply a DoS
performed by inundating a system with messages. The DoS can be the
result of storage capacity consumption or processing capability
utilization. Either way, the result is the same: Legitimate messages
cannot be delivered.
Like email flooding and malicious code attachments, unwanted email
can be considered an attack. Sending unwanted, inappropriate, or
irrelevant messages is called spamming. Spamming is often little more
than a nuisance, but it does waste system resources both locally and
over the internet. It is often difficult to stop spam because the source
of the messages is usually spoofed.
Email Security Solutions
Imposing security on email is possible, but the efforts should be in
tune with the value and confidentiality of the messages being
exchanged. You can use several protocols, services, and solutions to
add security to email without requiring a complete overhaul of the
entire internet-based SMTP infrastructure. These include S/MIME,
MOSS, PEM, and PGP. We’ll S/MIME was discussed in Chapter 7,
“PKI and Cryptographic Applications.”
Secure Multipurpose Internet Mail Extensions (S/MIME)
Secure Multipurpose Internet Mail Extensions is an email security
standard that offers authentication and confidentiality to email
through public key encryption and digital signatures. Authentication is
provided through X.509 digital certificates. Privacy is provided
through the use of Public Key Cryptography Standard (PKCS)
encryption. Two types of messages can be formed using S/MIME:
signed messages and secured enveloped messages. A signed message
provides integrity, sender authentication, and nonrepudiation. An
enveloped message provides integrity, sender authentication, and
confidentiality.
MIME Object Security Services (MOSS) MIME Object Security
Services can provide authentication, confidentiality, integrity, and
nonrepudiation for email messages. MOSS employs Message Digest 2
(MD2) and MD5 algorithms; Rivest–Shamir–Adleman (RSA) public
key; and Data Encryption Standard (DES) to provide authentication
and encryption services.
Privacy Enhanced Mail (PEM) Privacy Enhanced Mail is an
email encryption mechanism that provides authentication, integrity,
confidentiality, and nonrepudiation. PEM uses RSA, DES, and X.509.
DomainKeys Identified Mail (DKIM) DKIM is a means to assert
that valid mail is sent by an organization through verification of
domain name identity. See http://www.dkim.org.
Pretty Good Privacy (PGP) Pretty Good Privacy (PGP) is a public-
private key system that uses a variety of encryption algorithms to
encrypt files and email messages. The first version of PGP used RSA,
the second version, International Data Encryption Algorithm (IDEA),
but later versions offered a spectrum of algorithm options. PGP is not
a standard but rather an independently developed product that has
wide internet grassroots support.
Opportunistic TLS for SMTP Gateways (RFC 3207) A lot of
organizations are using Secure SMTP over TLS nowadays; however,
it’s not as widespread as it should be because of a lack of awareness.
Opportunistic TLS for SMTP will attempt to set up an encrypted
connection with every other email server in the event that it is
supported. Otherwise, it will downgrade to plaintext. Using
opportunistic TLS for SMTP gateways reduces the opportunities for
casual sniffing of email.
Sender Policy Framework (SPF) To protect against spam and
email spoofing, an organization can also configure their SMTP servers
for Sender Policy Framework. SPF operates by checking that inbound
messages originate from a host authorized to send messages by the
owners of the SMTP origin domain. For example, if I receive a
message from mark.nugget@ abccorps.com, then SPF checks with the
administrators of smtp.abccorps.com that mark.nugget is authorized to
send messages through their system before the inbound message is
accepted and sent into a recipient inbox. There are pros and cons of
using it, so you’ll need to balance the needs of this extensive service
prior to including SPF.
Free PGP Solution
PGP started off as a free product for all to use, but it has since
splintered into various divergent products. PGP is a commercial
product, while OpenPGP is a developing standard that GnuPG is
compliant with and that was independently developed by the
Free Software Foundation. If you have not used PGP before, we
recommend downloading the appropriate GnuPG version for your
preferred email platform. This secure solution is sure to improve
your email privacy and integrity. You can learn more about GnuPG
at http://gnupg.org. You can learn more about PGP by visiting its
pages on Wikipedia.
By using these and other security mechanisms for email and
communication transmissions, you can reduce or eliminate many of
the security vulnerabilities of email. Digital signatures can help
eliminate impersonation. The encryption of messages reduces
eavesdropping. And the use of email filters keep spamming and mail-
bombing to a minimum.
Blocking attachments at the email gateway system on your network
can ease the threats from malicious attachments. You can have a 100
percent no-attachments policy or block only attachments that are
known or suspected to be malicious, such as attachments with
extensions that are used for executable and scripting files. If
attachments are an essential part of your email communications, you’ll
need to train your users and use antivirus tools for protection.
Training users to avoid contact with suspicious or unexpected
attachments greatly reduces the risk of malicious code transference via
email. Antivirus software is generally effective against known viruses,
but it offers little protection against new or unknown viruses.
Unwanted emails can be a hassle, a security risk, and a drain on
resources. Whether spam, malicious email, or just bulk advertising,
there are several ways to reduce the impact on your infrastructure.
Blacklist services offer a subscription system to a list of known email
abuse sources. You can integrate the blacklist into your email server so
that any message originating from a known abusive domain or IP
address is automatically discarded. Another option is to use a
challenge/response filter. In these services, when an email is received
from a new/unknown origin address, an autoresponder sends a
request for a confirmation message. Spammers and auto-emailers will
not respond to these requests, but valid humans will. Once they have
confirmed that they are human and agree not to spam the destination
address, their source address is added to a whitelist for future
communications.
Unwanted email can also be managed through the use of email
repudiation filtering. Several services maintain a grading system of
email services in order to determine which are used for
standard/normal communications and which are used for spam.
These services include senderscore.org, senderbase.org,
ReputationAuthority.org, trustedsource.org, and Barracuda Central.
These and other mechanisms are used as part of several spam filtering
technologies, such as Apache SpamAssassin and spamd.
Fax Security
Fax communications are waning in popularity because of the
widespread use of email. Electronic documents are easily
exchanged as attachments to email. Printed documents are just as
easy to scan and email as they are to fax. However, you must still
address faxing in your overall security plan. Most modems give
users the ability to connect to a remote computer system and send
and receive faxes. Many operating systems include built-in fax
capabilities, and there are numerous fax products for computer
systems. Faxes sent from a computer’s fax/modem can be received
by another computer, by a regular fax machine, or by a cloud-
based fax service.
Even with declining use, faxes still represent a communications
path that is vulnerable to attack. Like any other telephone
communication, faxes can be intercepted and are susceptible to
eavesdropping. If an entire fax transmission is recorded, it can be
played back by another fax machine to extract the transmitted
documents.
Some of the mechanisms that can be deployed to improve the
security of faxes are fax encryptors, link encryption, activity logs,
and exception reports. A fax encryptor gives a fax machine the
capability to use an encryption protocol to scramble the outgoing
fax signal. The use of an encryptor requires that the receiving fax
machine support the same encryption protocol so it can decrypt
the documents. Link encryption is the use of an encrypted
communication path, like a VPN link or a secured telephone link,
to transmit the fax. Activity logs and exception reports can be used
to detect anomalies in fax activity that could be symptoms of
attack.
In addition to the security of a fax transmission, it is important to
consider the security of a received fax. Faxes that are automatically
printed may sit in the out tray for a long period of time, therefore
making them subject to viewing by unintended recipients. Studies
have shown that adding banners of CONFIDENTIAL, PRIVATE,
and so on spur the curiosity of passersby. So disable automatic
printing. Also, avoid fax machines that retain a copy of the fax in
memory or on a local storage device. Consider integrating your fax
system with your network so you can email faxes to intended
recipients instead of printing them to paper.
Remote Access Security Management
Telecommuting, or working remotely, has become a common feature
of business computing. Telecommuting usually requires remote
access, the ability of a distant client to establish a communication
session with a network. Remote access can take the following forms
(among others):
Using a modem to dial up directly to a remote access server
Connecting to a network over the internet through a VPN
Connecting to a terminal server system through a thin-client
connection
Connecting to an office-located personal computer (PC) using a
remote desktop service, such as Microsoft’s Remote Desktop,
TeamViewer, GoToMyPC, Citirx’s XenDesktop, or VNC
Using cloud-based desktop solutions, such as Amazon’s
Workspaces
The first two examples use fully capable clients. They establish
connections just as if they were directly connected to the local area
network (LAN). In the last example, all computing activities occur on
the terminal server system rather than on the distant client.
Telephony is the collection of methods by which telephone services are
provided to an organization or the mechanisms by which an
organization uses telephone services for either voice and/or data
communications. Traditionally, telephony included plain old
telephone service (POTS)—also called public switched telephone
network (PSTN)—combined with modems. However, private branch
exchange (PBX), VoIP, and VPNs are commonly used for telephone
communications as well.
Remote Access and Telecommuting Techniques
Telecommuting is performing work at a remote location (i.e., other
than the primary office). In fact, there is a good chance that you
perform some form of telecommuting as part of your current job.
Telecommuting clients use many remote access techniques to
establish connectivity to the central office LAN. There are four
main types of remote access techniques:
Service Specific Service-specific remote access gives users the
ability to remotely connect to and manipulate or interact with a
single service, such as email.
Remote Control Remote-control remote access grants a remote
user the ability to fully control another system that is physically
distant from them. The monitor and keyboard act as if they are
directly connected to the remote system.
Screen Scraper/Scraping This term can be used in two
different circumstances. First, it is sometimes used to refer to
remote control, remote access, or remote desktop services. These
services are also called virtual applications or virtual desktops. The
idea is that the screen on the target machine is scraped and shown
to the remote operator. Since remote access to resources presents
additional risks of disclosure or compromise during the distance
transmission, it is important to employ encrypted screen scraper
solutions.
Second, screen scraping is a technology that can allow an
automated tool to interact with a human interface. For example,
some stand-alone data-gathering tools use search engines in their
operation. However, most search engines must be used through
their normal web interface. For example, Google requires that all
searches be performed through a Google web search form field. (In
the past, Google offered an API that enabled products to interact
with the backend directly. However, Google terminated this
practice to support the integration of advertisements with search
results.) Screen-scraping technology can interact with the human-
friendly designed web front end to the search engine and then
parse the web page results to extract just the relevant information.
SiteDigger from Foundstone/McAfee is a great example of this type
of product.
Remote Node Operation Remote node operation is just another
name for dial-up connectivity. A remote system connects to a
remote access server. That server provides the remote client with
network services and possible internet access.
POTS and PSTN refer to traditional landline telephone connections.
POTS/PSTN connections were the only or primary remote network
links for many businesses until high-speed, cost-effective, and
ubiquitous access methods were available. POTS/PSTN also waned in
use for home-user internet connectivity once broadband and wireless
services became more widely available. POTS/PSTN connections are
sometimes still used as a backup option for remote connections when
broadband solutions fail, as rural internet and remote connections,
and as standard voice lines when ISDN, VoIP, or broadband solutions
are unavailable or not cost effective.
When remote access capabilities are deployed in any environment,
security must be considered and implemented to provide protection
for your private network against remote access complications:
Remote access users should be stringently authenticated before
being granted access.
Only those users who specifically need remote access for their
assigned work tasks should be granted permission to establish
remote connections.
All remote communications should be protected from interception
and eavesdropping. This usually requires an encryption solution
that provides strong protection for the authentication traffic as well
as all data transmission.
It is important to establish secure communication channels before
initiating the transmission of sensitive, valuable, or personal
information. Remote access can pose several potential security
concerns if not protected and monitored sufficiently:
If anyone with a remote connection can attempt to breach the
security of your organization, the benefits of physical security are
reduced.
Telecommuters might use insecure or less-secure remote systems
to access sensitive data and thus expose it to greater risk of loss,
compromise, or disclosure.
Remote systems might be exposed to malicious code and could be
used as a carrier to bring malware into the private LAN.
Remote systems might be less physically secure and thus be at risk
of being used by unauthorized entities or stolen.
Remote systems might be more difficult to troubleshoot, especially
if the issues revolve around remote connection.
Remote systems might not be as easy to upgrade or patch due to
their potential infrequent connections or slow throughput links.
However, this issue is lessened when high-speed reliable
broadband links are present.
Plan Remote Access Security
When outlining your remote access security management strategy, be
sure to address the following issues:
Remote Connectivity Technology Each type of connection has its
own unique security issues. Fully examine every aspect of your
connection options. This can include cellular/mobile services,
modems, Digital Subscriber Line (DSL), Integrated Services Digital
Network (ISDN), wireless networking, satellite, and cable modems.
Transmission Protection There are several forms of encrypted
protocols, encrypted connection systems, and encrypted network
services or applications. Use the appropriate combination of secured
services for your remote connectivity needs. This can include VPNs,
SSL, TLS, Secure Shell (SSH), IPsec, and Layer 2 Tunneling Protocol
(L2TP).
Authentication Protection In addition to protecting data traffic,
you must ensure that all logon credentials are properly secured. This
requires the use of an authentication protocol and may mandate the
use of a centralized remote access authentication system. This can
include Password Authentication Protocol (PAP), Challenge
Handshake Authentication Protocol (CHAP), Extensible
Authentication Protocol (EAP, or its extensions PEAP or LEAP),
Remote Authentication Dial-In User Service (RADIUS), and Terminal
Access Controller Access-Control System Plus (TACACS+).
Remote User Assistance Remote access users may periodically
require technical assistance. You must have a means established to
provide this as efficiently as possible. This can include, for example,
addressing software and hardware issues and user training issues. If
an organization is unable to provide a reasonable solution for remote
user technical support, it could result in loss of productivity,
compromise of the remote system, or an overall breach of
organizational security.
If it is difficult or impossible to maintain a similar level of security on a
remote system as is maintained in the private LAN, remote access
should be reconsidered in light of the security risks it represents.
Network Access Control (NAC) can assist with this but may burden
slower connections with large update and patch transfers.
The ability to use remote access or establish a remote connection
should be tightly controlled. You can control and restrict the use of
remote connectivity by means of filters, rules, or access controls based
on user identity, workstation identity, protocol, application, content,
and time of day.
To restrict remote access to only authorized users, you can use
callback and caller ID. Callback is a mechanism that disconnects a
remote user upon initial contact and then immediately attempts to
reconnect to them using a predefined phone number (in other words,
the number defined in the user account’s security database). Callback
does have a user-defined mode. However, this mode is not used for
security; it is used to reverse toll charges to the company rather than
charging the remote client. Caller ID verification can be used for the
same purpose as callback—by potentially verifying the physical
location (via phone number) of the authorized user.
It should be a standard element in your security policy that no
unauthorized modems be present on any system connected to the
private network. You may need to further specify this policy by
indicating that those with portable systems must either remove their
modems before connecting to the network or boot with a hardware
profile that disables the modem’s device driver.
Dial-Up Protocols
When a remote connection link is established, a protocol must be used
to govern how the link is actually created and to establish a common
communication foundation over which other protocols can work. It is
important to select protocols that support security whenever possible.
At a minimum, a means to secure authentication is needed, but adding
the option for data encryption is also preferred. The two primary
examples of dial-up protocols, PPP and SLIP, provide link governance,
not only for true dial-up links but also for some VPN links:
Point-to-Point Protocol (PPP) This is a full-duplex protocol used
for transmitting TCP/IP packets over various non-LAN connections,
such as modems, ISDN, VPNs, Frame Relay, and so on. PPP is widely
supported and is the transport protocol of choice for dial-up internet
connections. PPP authentication is protected through the use of
various protocols, such as CHAP and PAP. PPP is a replacement for
SLIP and can support any LAN protocol, not just TCP/IP.
Serial Line Internet Protocol (SLIP) This is an older technology
developed to support TCP/IP communications over asynchronous
serial connections, such as serial cables or modem dial-up. SLIP is
rarely used but is still supported on many systems. It can support only
IP, requires static IP addresses, offers no error detection or correction,
and does not support compression.
Centralized Remote Authentication Services
As remote access becomes a key element in an organization’s business
functions, it is often important to add layers of security between
remote clients and the private network. Centralized remote
authentication services, such as RADIUS and TACACS+, provide this
extra layer of protection. These mechanisms provide a separation of
the authentication and authorization processes for remote clients that
performed for LAN or local clients. The separation is important for
security because if the RADIUS or TACACS+ servers are ever
compromised, then only remote connectivity is affected, not the rest of
the network.
Remote Authentication Dial-In User Service (RADIUS) This
is used to centralize the authentication of remote dial-up connections.
A network that employs a RADIUS server is configured so the remote
access server passes dial-up user logon credentials to the RADIUS
server for authentication. This process is similar to the process used by
domain clients sending logon credentials to a domain controller for
authentication. RADIUS operates over several ports; you should
recognize the original UDP 1812 port as well as that used by RADIUS
over TLS, which is TCP 2083. The TCP version of RADIUS was
designed in 2012 to take advantage of TLS encryption (see RFC 6614
at https://tools.ietf.org/html/rfc6614).
Terminal Access Controller Access-Control System
(TACACS+) This is an alternative to RADIUS. TACACS is available in
three versions: original TACACS, Extended TACACS (XTACACS), and
TACACS+. TACACS integrates the authentication and authorization
processes. XTACACS keeps the authentication, authorization, and
accounting processes separate. TACACS+ improves XTACACS by
adding two-factor authentication. TACACS+ is the most current and
relevant version of this product line. The primary port for TACACS+ is
TCP 49.
Virtual Private Network
A virtual private network (VPN) is a communication tunnel that
provides point-to-point transmission of both authentication and data
traffic over an intermediary untrusted network. Most VPNs use
encryption to protect the encapsulated traffic, but encryption is not
necessary for the connection to be considered a VPN.
VPNs are most commonly associated with establishing secure
communication paths through the internet between two distant
networks. However, they can exist anywhere, including within private
networks or between end-user systems connected to an ISP. The VPN
can link two networks or two individual systems. They can link clients,
servers, routers, firewalls, and switches. VPNs are also helpful in
providing security for legacy applications that rely on risky or
vulnerable communication protocols or methodologies, especially
when communication is across a network.
VPNs can provide confidentiality and integrity over insecure or
untrusted intermediary networks. They do not provide or guarantee
availability. VPNs also are in relatively widespread use to get around
location requirements for services like Netflix and Hulu and thus
provide a (at times questionable) level of anonymity.
Tunneling
Before you can truly understand VPNs, you must first understand
tunneling. Tunneling is the network communications process that
protects the contents of protocol packets by encapsulating them in
packets of another protocol. The encapsulation is what creates the
logical illusion of a communications tunnel over the untrusted
intermediary network. This virtual path exists between the
encapsulation and the de-encapsulation entities located at the ends of
the communication.
In fact, sending a snail mail letter to your grandmother involves the
use of a tunneling system. You create the personal letter (the primary
content protocol packet) and place it in an envelope (the tunneling
protocol). The envelope is delivered through the postal service (the
untrusted intermediary network) to its intended recipient. You can use
tunneling in many situations, such as when you’re bypassing firewalls,
gateways, proxies, or other traffic control devices. The bypass is
achieved by encapsulating the restricted content inside packets that
are authorized for transmission. The tunneling process prevents the
traffic control devices from blocking or dropping the communication
because such devices don’t know what the packets actually contain.
Tunneling is often used to enable communications between otherwise
disconnected systems. If two systems are separated by a lack of
network connectivity, a communication link can be established by a
modem dial-up link or other remote access or wide area network
(WAN) networking service. The actual LAN traffic is encapsulated in
whatever communication protocol is used by the temporary
connection, such as Point-to-Point Protocol in the case of modem dial-
up. If two networks are connected by a network employing a different
protocol, the protocol of the separated networks can often be
encapsulated within the intermediary network’s protocol to provide a
communication pathway.
Regardless of the actual situation, tunneling protects the contents of
the inner protocol and traffic packets by encasing, or wrapping, it in an
authorized protocol used by the intermediary network or connection.
Tunneling can be used if the primary protocol is not routable and to
keep the total number of protocols supported on the network to a
minimum.
The Proliferation of Tunneling
Tunneling is such a common activity within communication
systems that many of us use tunneling on a regular basis without
even recognizing it. For example, every time you access a website
using a secured SSL or TLS connection, you are using tunneling.
Your plaintext web communications are being tunneled within an
SSL or TLS session. Also, if you use internet telephone or VoIP
systems, your voice communication is being tunneled inside a VoIP
protocol.
How many other instances of tunneling can you pinpoint that you
encounter on a weekly basis?
If the act of encapsulating a protocol involves encryption, tunneling
can provide a means to transport sensitive data across untrusted
intermediary networks without fear of losing confidentiality and
integrity.
Tunneling is not without its problems. It is generally an inefficient
means of communicating because most protocols include their own
error detection, error handling, acknowledgment, and session
management features, so using more than one protocol at a time
compounds the overhead required to communicate a single message.
Furthermore, tunneling creates either larger packets or additional
packets that in turn consume additional network bandwidth.
Tunneling can quickly saturate a network if sufficient bandwidth is not
available. In addition, tunneling is a point-to-point communication
mechanism and is not designed to handle broadcast traffic. Tunneling
also makes it difficult, if not impossible, to monitor the content of the
traffic in some circumstances, creating issues for security
practitioners.
How VPNs Work
A VPN link can be established over any other network communication
connection. This could be a typical LAN cable connection, a wireless
LAN connection, a remote access dial-up connection, a WAN link, or
even a client using an internet connection for access to an office LAN.
A VPN link acts just like a typical direct LAN cable connection; the
only possible difference would be speed based on the intermediary
network and on the connection types between the client system and
the server system. Over a VPN link, a client can perform the same
activities and access the same resources as if they were directly
connected via a LAN cable.
VPNs can connect two individual systems or two entire networks. The
only difference is that the transmitted data is protected only while it is
within the VPN tunnel. Remote access servers or firewalls on the
network’s border act as the start points and endpoints for VPNs. Thus,
traffic is unprotected within the source LAN, protected between the
border VPN servers, and then unprotected again once it reaches the
destination LAN.
VPN links through the internet for connecting to distant networks are
often inexpensive alternatives to direct links or leased lines. The cost
of two high-speed internet links to local ISPs to support a VPN is often
significantly less than the cost of any other connection means
available.
Common VPN Protocols
VPNs can be implemented using software or hardware solutions. In
either case, there are four common VPN protocols: PPTP, L2F, L2TP,
and IPsec. PPTP, L2F, and L2TP operate at the Data Link layer (layer
2) of the OSI model. PPTP and IPsec are limited for use on IP
networks, whereas L2F and L2TP can be used to encapsulate any LAN
protocol.
SSL/TLS can also be used as a VPN protocol, not just as a
session encryption tool operating on top of TCP. The CISSP exam
does not seem to include SSL/TLS VPN content at this time.
Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP) is an encapsulation
protocol developed from the dial-up Point-to-Point Protocol. It
operates at the Data Link layer (layer 2) of the OSI model and is used
on IP networks. PPTP creates a point-to-point tunnel between two
systems and encapsulates PPP packets. It offers protection for
authentication traffic through the same authentication protocols
supported by PPP:
Microsoft Challenge Handshake Authentication Protocol (MS-
CHAP)
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
Extensible Authentication Protocol (EAP)
Shiva Password Authentication Protocol (SPAP)
The initial tunnel negotiation process used by PPTP is not encrypted.
Thus, the session establishment packets that include the IP address of
the sender and receiver—and can include usernames and hashed
passwords—could be intercepted by a third party. PPTP is used on
VPNs, but it is often replaced by the L2TP, which can use IPsec to
provide traffic encryption for VPNs. Most modern uses of PPTP have
adopted the Microsoft customized implementation which supports
data encryption using Microsoft Point-to-Point Encryption (MPPE)
and which supports various secure authentication options.
PPTP does not support TACACS+ and RADIUS.
Layer 2 Forwarding Protocol and Layer 2 Tunneling Protocol
Cisco developed its own VPN protocol called Layer 2 Forwarding
(L2F), which is a mutual authentication tunneling mechanism.
However, L2F does not offer encryption. L2F was not widely deployed
and was soon replaced by L2TP. As their names suggest, both operate
at layer 2. Both can encapsulate any LAN protocol.
Layer 2 Tunneling Protocol (L2TP) was derived by combining
elements from both PPTP and L2F. L2TP creates a point-to-point
tunnel between communication endpoints. It lacks a built-in
encryption scheme, but it typically relies on IPsec as its security
mechanism. L2TP also supports TACACS+ and RADIUS. IPsec is
commonly used as a security mechanism for L2TP.
IP Security Protocol
The most commonly used VPN protocol is now IPsec. IP Security
(IPsec) is both a stand-alone VPN protocol and the security
mechanism for L2TP, and it can be used only for IP traffic. IPsec
consists of the security elements of IPv6 crafted into an add-on
package for IPv4. IPsec works only on IP networks and provides for
secured authentication as well as encrypted data transmission. IPsec
has two primary components, or functions:
Authentication Header (AH) AH provides authentication,
integrity, and nonrepudiation.
Encapsulating Security Payload (ESP) ESP provides
encryption to protect the confidentiality of transmitted data, but it can
also perform limited authentication. It operates at the Network layer
(layer 3) and can be used in transport mode or tunnel mode. In
transport mode, the IP packet data is encrypted but the header of the
packet is not. In tunnel mode, the entire IP packet is encrypted and a
new header is added to the packet to govern transmission through the
tunnel.
Table 12.1 illustrates the main characteristics of VPN protocols.
TABLE 12.1 VPN characteristics
VPN Native Native Protocols Dial-Up Number of
Protocol Authentication Data Supported Links Simultaneous
Protection Encryption Supported Connections
PPTP Yes No PPP Yes Single point-to-
point
L2F Yes No PPP/SLIP Yes Single point-to-
point
L2TP Yes No (can use PPP Yes Single point-to-
IPsec) point
IPsec Yes Yes IP only No Multiple
The VPN protocols which encapsulate PPP are able to support any subprotocol compatible
with PPP, which includes IPv4, IPv6, IPX, and AppleTalk.
A VPN device is a network add-on device used to create VPN tunnels
separately from server or client OSs. The use of the VPN devices is
transparent to networked systems.
Virtual LAN
A virtual local area network (VLAN) is a hardware-imposed network
segmentation created by switches. By default, all ports on a switch are
part of VLAN 1. But as the switch administrator changes the VLAN
assignment on a port-by-port basis, various ports can be grouped
together and kept distinct from other VLAN port designations. VLANs
can also be assigned or created based on device MAC address,
mirroring the IP subnetting, around specified protocols, or based on
authentication. VLAN management is most commonly used to
distinguish between user traffic and management traffic. And VLAN 1
very typically is the designated management traffic VLAN.
VLANs are used for traffic management. Communications between
members of the same VLAN occur without hindrance, but
communications between VLANs require a routing function, which
can be provided either by an external router or by the switch’s internal
software (one reason for the terms L3 switch and multilayer switch).
VLANs are treated like subnets but aren’t subnets. VLANs are created
by switches. Subnets are created by IP address and subnet mask
assignments.
VLAN management is the use of VLANs to control traffic for security
or performance reasons. VLANs can be used to isolate traffic between
network segments. This can be accomplished by not defining a route
between different VLANs or by specifying a deny filter between certain
VLANs (or certain members of a VLAN). Any network segment that
doesn’t need to communicate with another in order to accomplish a
work task/function shouldn’t be able to do so. Use VLANs to allow
what is necessary and to block/deny anything that isn’t necessary.
Remember, “deny by default; allow by exception” isn’t a guideline just
for firewall rules but for security in general.
VLANs function in much the same way as traditional subnets. For
communications to travel from one VLAN to another, the switch
performs routing functions to control and filter traffic between its
VLANs.
VLANs are used to segment a network logically without altering its
physical topology. They are easy to implement, have little
administrative overhead, and are a hardware-based solution
(specifically a layer 3 switch). As networks are being crafted in virtual
environments or in the cloud, software switches are often used. In
these situations, VLANs are not hardware-based but instead are
switch-software-based implementations.
VLANs let you control and restrict broadcast traffic and reduce a
network’s vulnerability to sniffers because a switch treats each VLAN
as a separate network division. To communicate between segments,
the switch must provide a routing function. It’s the routing function
that blocks broadcasts between subnets and VLANs, because a router
(or any device performing layer 3 routing functions such as a layer 3
switch) doesn’t forward layer 2 Ethernet broadcasts. This feature of a
switch blocks Ethernet broadcasts between VLANs and so helps
protect against broadcast storms. A broadcast storm is a flood of
unwanted Ethernet broadcast network traffic.
Another element of some VLAN deployments is that of port isolation
or private ports. These are private VLANs that are configured to use a
dedicated or reserved uplink port. The members of a private VLAN or
a port-isolated VLAN can interact only with each other and over the
predetermined exit port or uplink port. A common implementation of
port isolation occurs in hotels. A hotel network can be configured so
that the Ethernet ports in each room or suite are isolated on unique
VLANs so that connections in the same unit can communicate, but
connections between units cannot. However, all of these private
VLANs have a path out to the internet (i.e., the uplink port).
VLANs work like subnets, but keep in mind that they are not
actual subnets. VLANs are created by switches at layer 2. Subnets
are created by IP address and subnet mask assignments at layer 3.
VLAN Management for Security
Any network segment that does not need to communicate with
another to accomplish a work task/function should not be able to
do so. Use VLANs to allow what is necessary, but block/deny
anything not necessary. Remember, “deny by default; allow by
exception” is not just a guideline for firewall rules but for security
in general.
Virtualization
Virtualization technology is used to host one or more operating
systems within the memory of a single host computer. This
mechanism allows virtually any OS to operate on any hardware. Such
an OS is also known as a guest operating system. From the perspective
that there is an original or host OS installed directly on the computer
hardware, the additional OSes hosted by the hypervisor system are
guests. It also allows multiple operating systems to work
simultaneously on the same hardware. Common examples include
VMware/vSphere, Microsoft’s Hyper-V, VirtualBox, XenServer, and
Apple’s Parallels.
Virtualized servers and services are indistinguishable from traditional
servers and services from a user’s perspective.
Virtualization has several benefits, such as being able to launch
individual instances of servers or services as needed, real-time
scalability, and being able to run the exact OS version needed for the
needed application. Additionally, recovery from damaged, crashed, or
corrupted virtual systems is often quick: Simply replace the virtual
system’s main hard drive file with a clean backup version and then
relaunch it.
In relation to security, virtualization offers several benefits. It is often
easier and faster to make backups of entire virtual systems than the
equivalent native hardware-installed system. Plus, when there is an
error or problem, the virtual system can be replaced by a backup in
minutes. Malicious code compromise or infection of virtual systems
rarely affects the host OS. This allows for safe testing and
experimentation.
VM escaping occurs when software within a guest OS is able to breach
the isolation protection provided by the hypervisor in order to violate
the container of other guest OSs or to infiltrate a host OS. Several
escaping vulnerabilities have been discovered in recent times.
Fortunately, the vendors have been fast to release patches. For
example, Virtualized Environment Neglected Operations
Manipulations (VENOM) was able to breach numerous VM products
that employed a compromised open-source virtual floppy disc driver
to allow malicious code to jump between VMs and even access the
host.
VM escaping can be a serious problem, but steps can be implemented
to minimize the risk. First, keep highly sensitive systems and data on
separate physical machines. An organization should already be
concerned about overconsolidation resulting in a single point of
failure, so running numerous hardware servers so each supports a
handful of guest OSs helps with this risk. Keeping enough physical
servers on hand to maintain physical isolation between highly
sensitive guest OSs will further protect against VM escaping. Second,
keep all hypervisor software current with vendor-released patches
(especially with updates related to VM escaping vulnerabilities). Third,
monitor attack, exposure, and abuse indexes for new threats to your
environment.
Virtualization is used for a wide variety of new architectures and
system design solutions. Cloud computing is ultimately a form of
virtualization (see Chapter 9, “Security Vulnerabilities, Threats, and
Countermeasures,” for more on cloud computing). Locally (or at least
within an organization’s private infrastructure), virtualization can be
used to host servers, client operating systems, limited user interfaces
(i.e., virtual desktops), applications, and more.
Virtual Software
A virtual application is a software product deployed in such a way that
it is fooled into believing it is interacting with a full host OS. A virtual
(or virtualized) application has been packaged or encapsulated to
make it portable and able to operate without the full installation of its
original host OS. A virtual application has enough of the original host
OS included in its encapsulation bubble (technically called a virtual
machine, or VM) that it operates/functions as if it were traditionally
installed. Some forms of virtual applications are used as portable apps
(short for applications) on USB drives. Other virtual applications are
designed to be executed on alternative host OS platforms—for
example, running a Windows application within a Linux OS.
The words you are searching are inside this book. To get more targeted content, please make full-text search by clicking here.
Discover the best professional documents and content resources in AnyFlip Document Base.
Search
(ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
- 1 - 50
- 51 - 100
- 101 - 150
- 151 - 200
- 201 - 250
- 251 - 300
- 301 - 350
- 351 - 400
- 401 - 450
- 451 - 500
- 501 - 550
- 551 - 600
- 601 - 650
- 651 - 700
- 701 - 750
- 751 - 800
- 801 - 850
- 851 - 900
- 901 - 950
- 951 - 1000
- 1001 - 1050
- 1051 - 1100
- 1101 - 1150
- 1151 - 1200
- 1201 - 1250
- 1251 - 1300
- 1301 - 1350
- 1351 - 1400
- 1401 - 1450
- 1451 - 1500
- 1501 - 1550
- 1551 - 1600
- 1601 - 1606
Pages:
- 1 - 50
- 51 - 100
- 101 - 150
- 151 - 200
- 201 - 250
- 251 - 300
- 301 - 350
- 351 - 400
- 401 - 450
- 451 - 500
- 501 - 550
- 551 - 600
- 601 - 650
- 651 - 700
- 701 - 750
- 751 - 800
- 801 - 850
- 851 - 900
- 901 - 950
- 951 - 1000
- 1001 - 1050
- 1051 - 1100
- 1101 - 1150
- 1151 - 1200
- 1201 - 1250
- 1251 - 1300
- 1301 - 1350
- 1351 - 1400
- 1401 - 1450
- 1451 - 1500
- 1501 - 1550
- 1551 - 1600
- 1601 - 1606
Pages: