Sample Scenario Using a PKI

Figure 2-29 shows an example of two entities communicating with a common CA, using digital certificates to validate public keys.

Figure 2-29 Digital Certificate Communication

Both routers and the CA have a public/private key pair. Initially, the CA has to enroll an X.509 v3 certificate for both routers in a secure manner. Also, both routers must receive a copy of the CA's public key in a secure manner. Now, if the router in New York has traffic to send to the router in Paris and wants...

Security Policy Framework

Now that you have learned to deal with risk management, it is time to start looking at additional issues for creating the security policy for an enterprise network infrastructure. Special areas of more stringent security needs are places most vulnerable to attacks, such as network inter-connections, dial-up access points, and critical network infrastructure devices and servers. It is helpful to divide the corporate network into separate components that can be addressed separately. You also need...

aaa accounting {default | list-name} {start-stop | wait-start |

stop-only | none} method1 [method2...]

Five different event types are supported:

system: Enables accounting for all system-level events not associated with users (such as reloads).
network: Enables accounting (including packet and byte counts) for all network-related requests, including SLIP, PPP, and ARAP sessions.
connection: Provides information about all outbound connections made from the NAS, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD),...

aaa authentication ftp http inbound 0.0.0.0 0.0.0.0 tacacs
aaa authorization ftp http inbound 0.0.0.0 0.0.0.0

tacacs-server host 144.254.5.9 sharedsecret

When an outside user tries to access the corporate FTP server, the following sequence of steps occurs:

Step 1 The user from the Internet initiates an HTTP or FTP request to a specified corporate server.
Step 2 The firewall intercepts the connection and initiates the authentication process (in this case, using TACACS+).
Step 3 If the user authenticates successfully, the firewall completes the HTTP or FTP connection to the specified corporate server.
Step...

Accounting and Billing

In large corporations, accounting and billing are essential for keeping track of who is accessing which corporate resources. Although it is mostly a network management function, keeping a historical database of dial-in usage patterns can alert the network administrator to any unusual activity and can serve as a historical paper trail when an intrusion does occur. The important parameters to keep track of include the following

Additional Considerations

The security policy should address personnel security considerations as well. Personnel security issues include processes and procedures for establishing identity confirmation, privilege rights required to access certain information, accountability for the proper use and security of the systems being accessed, and proper training to make sure that employees understand and fulfill their security responsibilities. The most serious breaches of corporate security come from the inside (for example,...

Additional Considerations for Virtual DialIn Environments

When using a virtual dial-in environment in which dial-in access is provided by using an ISP's public infrastructure, additional security measures must be taken to ensure that the data traversing the public network is not modified in transit and is kept private. These additional security measures are implemented using a combination of various tunneling techniques, including GRE, L2F, L2TP, IPsec, and CET. Note The PPTP, L2F, and L2TP tunneling technologies were discussed in Chapter 2, Security...

Advanced Firewall Architecture

Although a screening router is a good first step at providing Internet access security, a more secure solution relies on a more robust firewall architecture. Typically, this is accomplished with both a screening router and more intense firewall capabilities. In addition to primitive filtering capabilities, a firewall typically has the capability to provide the following:

Advanced packet-by-packet inspection
Application content filtering
Application authentication/authorization
Network Address Translation...

Advanced Packet Session Filtering

A robust firewall must have the capability to do packet-by-packet inspection and filtering on specific packet session information. The firewall should inspect traffic that travels through it to discover and manage state information for TCP and UDP sessions. For many corporate environments, FTP, Telnet, HTTP traffic, Java applets, e-mail, DNS, and some popular voice and video applications must be supported. Controls must be in place to ensure as best as possible that any such traffic is valid...

Application Authentication Authorization

Authentication and authorization controls for device access should be configured on all infrastructure devices, including the routers and firewalls that provide Internet access. These controls were discussed in Chapter 8, Securing the Corporate Network Infrastructure. In addition, there may be a requirement to authenticate based on application access. For example, you may have a policy in place that requires all incoming HTTP sessions to be authenticated before they can access a specific Web...

Application Layer Security Protocols

There aren't many security protocols specifically designed for individual applications. There are too many applications to make such an approach scalable. However, because the World Wide Web has become one of the fastest growing applications on the Internet, a specific security protocol was designed to be used for secure Web transactions: Secure HyperText Transport Protocol (SHTTP). SHTTP is a secure message-oriented communications protocol designed to be used for securing messages using the...

Assessing Incident Damage

A very time-consuming task is initially determining the impact of the attack and assessing the extent of any damages. When a breach has occurred, all parts of the network become suspect. You should start the process of a systematic check through the network infrastructure to see how many systems could have been impacted. Check all router, switch, network access server, and firewall configurations as well as all servers that have services that support the core network infrastructure. Traffic...

Attacks Against Internal Client Hosts

If internal client hosts have formed outgoing connections, they are exposing themselves to some return traffic. In general, attacks against internal clients can be conducted only by the server to which the client has connected---which includes someone impersonating that server using IP spoofing. To impersonate the server, the attacker obviously has to know which server the client has connected to. For any given attack, protection is generally complete for hosts that aren't actively talking to...

Audit

The audit element of the security architecture is necessary to verify and monitor the corporate security policy. A software audit verifies the correct implementation of the security policy in the corporate network infrastructure. Subsequent logging and monitoring of events can help detect any unusual behavior and possible intrusions. To test the effectiveness of the security infrastructure, security auditing should occur frequently and at regular intervals. Auditing should include new system...

Authenticating DialIn Users and Devices

A key element in allowing dial-in connectivity is to know who is accessing your corporate network by establishing an initial authentication mechanism. Authentication can be performed at the device level or at the user level. Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) are two common methods of sending IP packets over standard asynchronous serial lines with minimum line speeds of 1,200 baud. Using SLIP or PPP encapsulation over asynchronous lines is an inexpensive way...

Authentication and Authorization

Because authentication and authorization are critical parts of secure communications, they must be emphasized. Authentication establishes the identity of the sender and/or the receiver of information. Any integrity check or confidential information is often meaningless if the identity of the sending or receiving party is not properly established. Authorization is usually tightly coupled to authentication in most network resource access requirements. Authorization establishes what you are...

Automated Double Authentication

You can make the double-authentication process easier for users by implementing automated double authentication. Automated double authentication provides all the security benefits of double authentication, but offers a simpler, more user-friendly interface for remote users. With double authentication, a second level of user authentication is achieved when the user Telnets to the NAS or router and enters a username and password. With automated double authentication, the user does not have to...

Basic Cryptography

This chapter details the basic building blocks and fundamental issues you need to understand before moving on to more complex security technologies. Cryptography is the basis for all secure communications; it is, therefore, important that you understand three basic cryptographic functions: symmetric encryption, asymmetric encryption, and one-way hash functions. Most current authentication, integrity, and confidentiality technologies are derived from these three cryptographic functions. This...

Building an Incident Response Team

An organization must first create a centralized group to be the primary focus when an incident happens. This group is usually a small core team whose responsibilities include the following:

Keeping up to date with the latest threats and incidents
Being the main point of contact for incident reporting
Notifying others of the incident
Assessing the damage and impact of the incident
Finding out how to avoid further exploitation of the same vulnerability
Recovering from the incident

California State Laws

The following are the California state laws that are used in a majority of high-technology cases. They can 499c PC---Trade Secret Theft Trade secret means any information---including formula, pattern, compilation, program, device, method, technique, or process--- that derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use. A felony. See the California Penal Code for...

Centralized Billing

For central control of dial-in use and a centralized billing strategy, it is often the requirement of large corporations to use a callback mechanism (see Figure 10-7). The steps for a callback are as follows:

Step 1 Remote user dials in to network access server.
Step 2 The NAS disconnects the call.
Step 3 The NAS authenticates the remote user.
Step 4 If the user is authenticated, the NAS initiates a call to the remote user and a connection is established.

Configurations for both the NAS and the...

Cisco Encryption Technology CET

CET is a proprietary security solution introduced in Cisco IOS Release 11.2. It provides network data encryption at the IP packet level and implements the following standards:

Digital Signature Standard (DSS)
Diffie-Hellman (DH) public-key algorithm
Data Encryption Standard (DES)

Following is a simple configuration example of two routers that use CET to encrypt/decrypt Telnet and WWW traffic between the branch office and the corporate campus network.

Branch Router Configuration Commands

hostname...

Cisco IOS

For critical network segments that cannot have any routing outages, the Cisco IOS devices supporting these segments should be configured with the Hot Standby Router Protocol (HSRP). HSRP provides high network availability because it routes IP traffic from hosts on Ethernet, FDDI, or Token Ring networks without relying on the availability of any single router. When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address that is shared among routers in a group...

Cisco IOS Filters

The Cisco IOS software has an extended filtering capability to permit or deny specific traffic from entering or leaving the corporate network. These filters are called access lists. Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, based on the criteria specified within the access lists. Access list criteria can include the source...

Cisco IOS Firewall

The Cisco IOS firewall includes features that enable the required functionality of a robust firewall. The advanced traffic session filtering is performed using the Content-Based Access Control (CBAC) mechanism (explained in the next section). The sample configuration is based on the network shown in Figure 9-9.

Figure 9-9 The Sample Cisco IOS Firewall Implementation

Cisco PIX Firewall

The Cisco PIX firewall is usually a critical device in most corporate infrastructures. To eliminate it as a single point of failure, it is prudent to install a redundant PIX firewall and to use the failover command to ensure fast dynamic recovery in the event that the primary PIX has a power failure or some other type of failure. Use the failover command without an argument after you connect the optional failover cable between your primary firewall and a secondary firewall. Note Failover is...

Cisco Press Help

Basic notes about the Cisco Press site user interface. Instructions regarding use of the multi-document search feature provided with this product. Copyright 1988-1997 Cisco Systems Inc.

Cisco Security Product Information

General information on Cisco security offerings:

PIX Firewall, a standalone firewall product
NetRanger, a network intrusion detection system
NetSonar, a vulnerability detection and reporting system
Cisco IOS Firewall Feature Set, integrated firewall functionality for Cisco IOS software
CiscoSecure, an access control server incorporating RADIUS and TACACS+ functionality

Cisco IOS 12.0 Network Security. Indianapolis, IN: Cisco Press, 1999. Provides information about Cisco IOS security features....

Common Vulnerabilities

Attacks exploit weaknesses in systems. These weaknesses can be caused by poorly designed networks or by poor planning. A good practice is to prevent any unauthorized system or user from gaining access to the network where weaknesses in products and technologies can be exploited. Spoofing attacks are well known on the Internet side of the world. Spoofing involves providing false information about a person or host's identity to obtain unauthorized access to a system. Spoofing can be done by...

Complex DialIn Environments

Configuring PAP or CHAP authentication on individual devices is manageable in simple environments. However, in corporations with hundreds or thousands of dial-in connections, a more scalable approach must be used. To scale to a large number of users, consider incorporating either TACACS+ or RADIUS as a better way to provide a manageable database of users. Both TACACS+ and RADIUS provide for separate authentication, authorization, and accounting facilities. When using either TACACS+ or RADIUS,...

Components of an Enterprise Network

Traditionally, in the days when network environments consisted primarily of a centralized point-to-point architecture with predetermined information paths, security was fairly straightforward. Securing the link itself provided reasonable assurance of maintaining the integrity, access, and privacy of the information. Modern enterprise internetworks provide a tremendous opportunity for corporations to remain competitive while increasing overall efficiency. This opportunity comes with a cost....

Computer and Network Systems

Make sure the audit or accounting functions are turned on. Have servers in a physically secure location to prevent unauthorized access. Control modem connections; use smart cards or a call-back system. Make sure secure firewalls are set up and configured properly. On a regular basis, run programs (for example, Crack, Tiger, COPS, and Satan) to check for system weaknesses. Keep current on new programs designed to find system vulnerabilities. Use a virus-checker program. Have a password file in a...

Conducting an Investigation

To conduct an investigation, think of Smith's Seven Step System, which consists of the following:

1. SPEED. The case should be handled quickly before evidence and property are destroyed.
2. STEALTH. The investigation must be done quietly or the suspect will learn of it.
3. SYSTEM SECURITY. No further damage should be allowed to your system.
4. SECURE EVIDENCE. Chain of possession to ensure it is admissible.
5. SUSPICIOUS SUSPECT EMPLOYEES. Most thefts are done by employees.
6. SHOW and TELL...

Configuration Verification

It is important to verify that network infrastructure device configurations are valid to ensure proper implementation behavior. Verification of configurations is usually performed with some kind of modeling or simulation tool that can access all the infrastructure device configurations and then provide a simulation model that can be tested. Here is a list of some areas to be modeled:

Mapping current network topology
Identifying services on hosts
Performing what-if scenarios to detect filtering...

Considerations for a Site Security Policy

Defining a site security policy is one of the basic building blocks of designing an enterprise network. It is as critical as defining bandwidth requirements or redundancy needs. As defined in RFC 2196, The Site Security Handbook: "A security policy is a formal statement of rules by which people who are given access to an organization's technology and information assets must abide." The policy should be formed with representation from key corporate individuals management members Considerations for...

Content Based Access Control

Advanced packet session filtering in Cisco IOS software is supported as of Version 11.2 with the CBAC feature. By default, Cisco routers pass all routable traffic between all router interfaces. By configuring access control lists (ACLs), traffic can be permitted and denied from being processed and forwarded. CBAC not only examines network layer and transport layer information, it also examines the application layer protocol information (such as FTP connection information) to learn about the...

Controlling Network Device Access

If an intruder were to gain physical console access or logical terminal access into a networking device (such as a router, switch, firewall, or network access server), that person could do significant damage to your network. The intruder would be able to reconfigure devices or gain information about the device's configuration. Some common ways to get access to network devices are through console ports, virtual terminal (vty) ports, and auxiliary (aux) ports. At a minimum, users should be...

Copyright and License Information

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE...

Crypto map toNAS 10 ipsecisakmp set peer 144254520

ip address 192.150.42.1 255.255.255.0
ip unnumbered Ethernet 0
encapsulation ppp
! associate crypto map with BRI interface
! encrypt/decrypt Telnet traffic between branch and campus
access-list 106 permit tcp 144.254.0.0 0.0.255.255 192.150.42.0 0.0.0.255 eq telnet
! encrypt/decrypt WWW traffic between branch and campus
access-list 106 permit tcp 144.254.0.0 0.0.255.255 192.150.42.0 0.0.0.255 eq http
crypto ipsec transform-set first ah-md5-hmac
mode tunnel
crypto ipsec transform-set second...

Cryptography

Cryptography is the science of writing or reading coded messages; it is the basic building block that enables the mechanisms of authentication, integrity, and confidentiality. Authentication establishes the identity of both the sender and the receiver of information. Integrity ensures that the data has not been altered, and confidentiality ensures that no one except the sender and receiver of the data can actually understand the data. Usually, cryptographic mechanisms use both an algorithm (a...

Cryptography and Network Security Books

Information Warfare and Security. Reading, MA: Addison-Wesley, 1999.
Hughes, Larry J., Jr. Actually Useful Internet Security Techniques. Indianapolis, IN: New Riders Publishing, 1995.
Kaufman, C., R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Upper Saddle River, NJ: Prentice-Hall, 1995.
McCarthy, Linda. Intranet Security: Stories from the Trenches. Palo Alto, CA: Sun Microsystems Press, 1998.
Schneier, Bruce. Applied Cryptography, Second...

Data Confidentiality

Data confidentiality pertains to encryption. The hardest aspect of this endeavor is deciding which data to encrypt and which to keep as cleartext. This decision should be made using the risk assessment procedure, in which data is classified according to various sensitivity levels. It is usually prudent to take a careful look at your data and to encrypt the data that would pose the greatest risk if it should ever be compromised. Network Address Translation (NAT) is often falsely regarded as a...

Data manipulation

If these threats are realized and networking devices or data is compromised, what are the immediate impacts and further consequences? Will it result in embarrassment or bankruptcy? The greater the possibility of bankruptcy, the more stringent the security measures should be. Let's take a look at some corporate impacts and consequences in the event of data compromise, loss of data integrity, and unavailability of networked resources. Any information stored or transferred electronically can...

Define the global idle timeout value for all reflexive access lists

! If for 120 seconds there is no TCP traffic that is part of an established session,
! the corresponding reflexive access list entry will be removed.
ip reflexive-list timeout 120
! Define the outbound access list. This is the access list that evaluates all
! outbound traffic on interface Serial 1.
ip access-list extended outboundfilters
! Define the reflexive access list tcptraffic. This entry permits all outbound TCP
! traffic and creates a new access list named tcptraffic.
permit tcp any any reflect...

Description

Workstations, personal computers, printers, routers, switches, modems, terminal servers, and firewalls
Source programs, object programs, utilities, diagnostic programs, operating systems, and communication programs
Data stored online and archived offline, backups, audit logs, databases, and data in transit over communication media
Users, administrators, and hardware maintainers
Software programs, internal hardware and software evaluations, systems, and local administrative procedures
The...

Design and Implementation of the Corporate Security Policy

The design and implementation of a corporate security policy is site-specific. After you have identified the critical assets and analyzed the risks, it is time to design the policy by defining the guidelines and procedures to be followed by corporate personnel. To be effective, the procedures should be concise and to the point. Don't write a large cumbersome document few people will actually read. A short document of less than 10 pages should suffice as a start. Technical implementation details...

Detecting an Incident

Determining whether or not some suspicious system or user behavior is really an incident is tricky. When looking for signs of a security breach, some of the areas to look for from a network viewpoint are the following:

Data modification and deletion
Users complaining of poor system performance
Atypical time of system use
Large numbers of failed login attempts

Detecting any anomalies in normal network behavior requires a knowledge of what is normal behavior. Using auditing tools that keep track of traffic...

Developing IP Multicast Networks

Introduction to IP Multicast
Internet Group Management Protocol
Multimedia Multicast Applications
Distance Vector Multicast Routing Protocol
Multicast Open Shortest Path First
Connecting to DVMRP Networks
Multicast over Campus Networks
Multicast over NBMA Networks
Multicast Traffic Engineering
Inter-Domain Multicast Routing
Appendix A - PIM Packet Formats

Copyright 1989-2000 Cisco Systems Inc.

Dialin access

The campus network has a class B address of 144.254.0.0, which is subnetted into 256 distinct networks using an 8-bit subnet mask of 255.255.255.0. The Internet access is provided by an unnumbered interface. The dial-in access is provided by a subnetted class C address of 192.150.42.0 with a 5-bit subnet mask of 255.255.255.248. This corporation allows free access to all corporate campus servers but allows only the branch office network 192.150.42.32 to access the Internet through the campus...

DialIn Security Concerns

The dial-in environment has security considerations similar to those involved in securing a corporation's Internet access, discussed in the preceding chapter. It may be necessary to restrict access to certain areas of the corporate network depending on who the remote user is and from where they are trying to obtain the connection. It is usually a good idea to incorporate firewall functionality into the dial-in access perimeters and to implement some kind of auditing and intrusion detection...

Dialup2 which specifies that Radius authorization will be used

! If the RADIUS server fails to respond, then local network authorization will be performed.
aaa authorization network dialup2 radius local
! username and password to be used for the PPP CHAP
! selects CHAP as the method of PPP authentication and applies the dialup method
! list to the specified interfaces.
ppp authentication chap dialup
! applies the dialup2 network authorization method list to the specified interfaces.
ppp authorization dialup2
line 1 16
! command used to...

Digital Signature Legislation

In the United States, many states are forming digital signature legislation to provide a way to give documents that exist only in electronic form the same legal status as paper documents. This legislation is aimed at providing a secure, reliable, and legally sanctioned method for signing electronic documents. Utah was the first jurisdiction in the United States to enact a statute that puts the force of law behind an electronic signature method. The legislation is known as the Utah Digital...

Digital Signatures

Digital signatures will be one of the key elements for the development of (online) financial and business transactions as well as electronic mail. A digital signature is an electronic identifier that uses cryptography to ensure the integrity, authenticity, and nonrepudiation of the information to which it corresponds. The legal requirements of a signature or other paper-based method of authentication are often perceived as an obstacle to the use of electronic technologies. Legislation efforts...

Document Control

Properly mark proprietary and confidential documents. The confidential markings can be minimized if they are seen on routine documents. Mark only proprietary documents, not everything. Do not have more than two security classifications. Have an easy-to-use accounting system in place to track who checks out and returns proprietary documents. Require that the document-control system be used and inspect its use. Have the document-control processes audited by management on a random basis. Track...

Documents on the Scope and Content of Network Security Policies

A guide created by the Internet Engineering Task Force (IETF) to develop computer security policies and procedures for sites that have systems on the Internet
A technical guide created by the National Institute of Standards and Technology (NIST) to help an organization create a coherent Internet-specific information security policy
FIPS PUB-191. Created by NIST. Although it is written specifically for LANs, this publication is applicable to any computer...

Double Authentication Authorization

When a remote user dials in to a local corporate perimeter host (a NAS or router) over PPP, CHAP or PAP can be used to authenticate the user. However, both of these authentication methods rely on a secret password (the secret) that must be stored on the local host and either remembered by a user or saved on the remote host. If either host ever comes under the control of a network attacker, the secret password is compromised. Consider a corporate user who often uses a laptop computer to log in...

Email and SMTP

Simple Mail Transfer Protocol (SMTP) is used to handle e-mail exchange between mail servers on the Internet. Many firewalls have the capability to check SMTP messages for illegal commands. Any packets with illegal commands are usually dropped, and the SMTP session will hang and eventually time out. For example, in a Cisco PIX firewall, an illegal command is any command except for the following legal commands

Employees

Several studies and my experience indicate that employees and other persons who are authorized to be on the company premises or who are in a trusted relationship commit most computer crimes. Do complete background checks before hiring someone or allowing someone access to company resources. In new employee indoctrination, stress the importance of proprietary data and that any compromise of proprietary data will...

Encryption

With the emergence of IPsec in many products, it is easier for corporate networks to implement authenticated and confidential data transfer sessions. Ideally, encrypted traffic (encrypted for the sake of authentication or for confidentiality) should stay encrypted from the sender to the recipient. However, if the corporate Internet access policy includes firewall operations, the firewall may have to look at the contents of the packet to carry out its function. The following three scenarios must...

Environmental Safeguards

Adequate environmental safeguards must be installed and implemented to protect critical networked resources. The sensitivity or criticality of the system determines whether security is adequate. The more critical a system, the more safeguards must be put in place to ensure that the resource is available at all costs. At a minimum, you should consider the following environmental safeguards: Fire prevention, detection, suppression, and...

Establishing the Core Team

The core incident response team should consist of a well-rounded representation from the corporation. Essential are people who can diagnose and understand technical problems; thus, technical knowledge is a primary qualification. Good communication skills are equally important. Because computer security incidents can provoke emotionally charged situations, a skilled communicator must know how to resolve technical problems without fueling emotions or adding complications. In addition, the...

Evaluating Risk

For all possible threats, you must evaluate the risk. Many methodologies are available to measure risk. The common approaches are to define risk in quantitative terms, qualitative terms, or a combination of both. Quantitative risk evaluation uses empirical data and known probabilities and statistics. Qualitative risk analysis uses an intuitive assessment. Regardless of the mechanism you use, the important aspect is that how you quantify the loss and the likelihood of the loss occurring should...

Examples of Cases in Santa Clara County Silicon Valley

The following are some of the more serious cases of proprietary theft and network intrusions that the Santa Clara County District Attorney's Office has investigated. Kevin M. used the name of a victim company manager and obtained a modem account. He uploaded his own code and obtained superuser status on several systems. He then downloaded source code through cutouts and cellular phones. BV used cracking tools obtained on the Internet to gain system administration status at an Ivy League...

Export Controls on Cryptography

Historically, cryptography was used as a way to send secret messages between warring nations; as such, it became an important instrument of national security. With the increasing need for secure transactions for data traversing computer networks for medical, financial, and other critical applications, cryptography is now becoming a necessity for nongovernmental, nonmilitary applications. All over the globe, the laws and regulations concerning cryptography are undergoing a vast change. Legal...

External Screening Router Architecture

If your corporate network is small, the screening router model may be a sufficient solution to providing secure access to the Internet. It is possible that the security measures used will not always catch spoofed traffic, but at least it should provide a reasonable level of a basic buffer from the Internet. Note: The screening router solution can also be used in larger networks to define a logical separation internally between some sensitive areas of your network---for example, using a firewall...

Figure 1-11 Establishing Secret Keys Using the Diffie-Hellman Algorithm

The following steps are used in the Diffie-Hellman algorithm:
1. Alice initiates the exchange and transmits two large numbers (p and q) to Bob.
2. Alice chooses a random large integer Xa and computes Ya = (q^Xa) mod p.
3. Bob chooses a random large integer Xb and computes Yb = (q^Xb) mod p.
4. Alice sends Ya to Bob. Bob sends Yb to Alice.
5. Alice computes Z = (Yb)^Xa mod p.
6. Bob computes Z' = (Ya)^Xb mod p.
The resulting shared secret key is as...
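The six steps above, written out in Python with the same symbols (p, q, Xa, Xb, Ya, Yb, Z, Z'), together with the two checks the steps leave out and a practitioner would want: that the (p, q) Alice sends in step 1 describe a safe group, and that the public value received in step 4 is not one of the degenerate values 0, 1 or p-1 that force the shared secret into a known value. This is an added example, not code from the book; the group is generated at run time for demonstration and its size is an assumption (64 bits here only to keep the numbers readable; use 2048-bit or larger groups in practice).

```python
"""Diffie-Hellman key agreement with the symbols of the steps above, plus the
parameter and public-value checks each side should make. Added example, not
code from the book; the group is generated at run time for demonstration."""
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int) -> int:
    """Return p = 2s + 1 with both p and s prime. In such a group every element
    other than 1 and p-1 has order s or 2s, so there is no small subgroup for a
    man in the middle to force the shared secret into."""
    while True:
        s = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(s) and is_probable_prime(2 * s + 1):
            return 2 * s + 1


def valid_parameters(p: int, q: int) -> bool:
    """Bob should not accept arbitrary (p, q) from Alice in step 1."""
    return (is_probable_prime(p) and is_probable_prime((p - 1) // 2)
            and 1 < q < p - 1)


def valid_public_value(y: int, p: int) -> bool:
    """Reject Y in {0, 1, p-1}: those force Z into {0, 1, p-1} whatever the
    private exponent is (the public-value validation of RFC 2631)."""
    return 1 < y < p - 1


def dh_exchange(p: int, q: int):
    """Steps 2 to 6. Returns (Ya, Yb, Z, Z'); Z must equal Z'."""
    if not valid_parameters(p, q):
        raise ValueError("unsafe Diffie-Hellman parameters")
    xa = secrets.randbelow(p - 3) + 2          # 2. Alice's secret Xa
    ya = pow(q, xa, p)                         #    Ya = q^Xa mod p
    xb = secrets.randbelow(p - 3) + 2          # 3. Bob's secret Xb
    yb = pow(q, xb, p)                         #    Yb = q^Xb mod p
    # 4. Ya and Yb cross the wire in the clear; validate what arrives.
    if not (valid_public_value(yb, p) and valid_public_value(ya, p)):
        raise ValueError("degenerate public value received")
    z = pow(yb, xa, p)                         # 5. Alice: Z  = Yb^Xa mod p
    z_prime = pow(ya, xb, p)                   # 6. Bob:   Z' = Ya^Xb mod p
    return ya, yb, z, z_prime


if __name__ == "__main__":
    p = generate_safe_prime(64)   # demonstration size only
    ya, yb, z, z_prime = dh_exchange(p, 2)
    print("p =", p, "shared secret agrees:", z == z_prime)
```

Z is the raw shared secret; in a real protocol it is fed through a key derivation function rather than used directly as a key, and the exchange itself is still unauthenticated, which is what the certificate exchange in the next figure addresses.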

Figure 1-13 Obtaining a Digital Certificate Through a Certificate Authority

Assume that Alice has a valid certificate stored in the CA and that Bob has securely obtained the CA's public key. The steps that Bob follows to obtain Alice's public key in a reliable manner are as follows:
1. Bob requests Alice's digital certificate from the CA.
2. The CA sends Alice's certificate, which is signed by the CA's private key.
3. Bob receives the certificate and verifies the CA's signature.
4. Because Alice's certificate contains her public key, Bob now has a notarized version of...
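The four steps above as code: the CA issues Alice a certificate that binds her name to her public key, and Bob accepts the key only after verifying the CA's signature, the subject name and the validity period. This is an added example, not code from the book. Signatures are textbook RSA over a SHA-256 digest with small fixed primes, which is enough to show the flow but is not secure; real code uses proper padding (PKCS#1 v1.5 or PSS), 2048-bit or larger keys and an X.509 library. The key material, the subject name and the "Example CA" issuer are constructed for the demonstration.

```python
"""Toy certificate issuance and verification following the steps above.
Added example, not code from the book; textbook RSA with small primes is used
only to show the protocol flow and gives no real security."""
import hashlib
import json


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). p and q are primes with gcd(e, phi) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest_int(data: bytes, n: int) -> int:
    # Toy message encoding: the SHA-256 digest reduced below the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def canonical(fields: dict) -> bytes:
    """Stable byte encoding of the to-be-signed fields (DER's job in X.509)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_priv, subject: str, subject_pub, serial: int, not_after: int):
    """Step 2 from the CA's side: sign the binding of subject to public key."""
    tbs = {"issuer": "Example CA", "subject": subject, "serial": serial,
           "not_after": not_after, "public_key": list(subject_pub)}
    return {"tbs": tbs, "signature": sign(ca_priv, canonical(tbs))}


def bob_obtains_public_key(cert, ca_pub, expected_subject: str, now: int):
    """Steps 3 and 4: verify the CA's signature over the certificate, then
    check that it names the peer Bob wants and is still valid. Returns the
    subject's public key, or None if any check fails."""
    tbs = cert["tbs"]
    if not verify(ca_pub, canonical(tbs), cert["signature"]):
        return None   # altered in transit, or not signed by this CA
    if tbs["subject"] != expected_subject or now > tbs["not_after"]:
        return None   # genuine certificate, but wrong subject or expired
    return tuple(tbs["public_key"])


# Constructed demonstration keys; the primes are far too small for real use.
CA_PUB, CA_PRIV = rsa_keypair(1000000007, 998244353)
ALICE_PUB, ALICE_PRIV = rsa_keypair(2147483647, 1000000009)
MALLORY_PUB, _ = rsa_keypair(1000000007, 2147483647)


def demo():
    """Bob accepts Alice's genuine certificate; a copy in which Mallory has
    swapped in her own key fails, because she cannot re-sign it."""
    cert = issue_certificate(CA_PRIV, "alice@example.com", ALICE_PUB, 7, 20301231)
    genuine = bob_obtains_public_key(cert, CA_PUB, "alice@example.com", 20240101)
    forged = {"tbs": dict(cert["tbs"], public_key=list(MALLORY_PUB)),
              "signature": cert["signature"]}
    swapped = bob_obtains_public_key(forged, CA_PUB, "alice@example.com", 20240101)
    return genuine, swapped
```

The point of step 3 is visible in `demo()`: the certificate can travel over any untrusted channel, because a change to any signed field, including the public key itself, invalidates the CA's signature, and only the CA's private key can produce a new one. What the flow does not cover is revocation; a certificate that verifies and has not expired may still have been revoked, which is why real deployments also consult a CRL or OCSP.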

Figure 6-5 A True Starred Physical Topography

The cable infrastructure should also be well secured to prevent access to any part of it. If cables installed between buildings are buried underground, they must be buried a minimum of 40 inches, although local regulations might dictate other guidelines. Sometimes, cables can be encased in concrete to provide maximum protection. The International Telecommunication Union has a number of recommendations (the Series L Recommendations) that cover the construction, installation, and protection of...

For Immediate Problems

When a crime has been committed, do not confront or talk with the suspect. If you do, you give the suspect the opportunity to hide or destroy evidence. Know your options about talking with law enforcement. Most agencies will not start an investigation unless the victim wants to do so. An official report must be filed before a search warrant can be issued. Do not wait too long to call. It is best to immediately consult with law enforcement to learn about your options. Evidence can be lost if...

Foreign Competitor Contacts

Train employees in how to protect proprietary data when they are traveling. Discuss hazards and how employees can protect themselves or detect methods such as these:
- Microphones in hotels, meeting rooms, and transportation
- Searches of rooms and briefcases by unknown persons
Train employees in what to do when they are approached by representatives of a competitor, a foreign company, or a foreign country. Require that employees report when they are asked to be a guest or a speaker, to serve on a...

Functions of a PKI

The functions of a PKI can be summarized as follows:
- Registration. The process whereby a subject first makes itself known to a CA (directly or through a registration authority (RA)) before that CA issues a certificate or certificates for that subject.
- Initialization. The point at which the user or client system gets the values it needs to begin communicating with the PKI. For example, initialization can involve providing the client system with the public key or the certificate of a CA, or...

GRE Tunneling

The Generic Routing Encapsulation (GRE) protocol encapsulates various network protocols inside IP tunnels. With GRE tunneling, a router at each site encapsulates protocol-specific packets in an IP header, creating a virtual point-to-point link to routers at other ends of an IP cloud, where the IP header is stripped off. GRE is capable of handling the transportation of multiprotocol and IP multicast traffic between two sites that have only IP unicast connectivity. GRE tunneling involves three...
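What the two tunnel endpoints do, as an added example in Python (not code from the book): the ingress router prepends an outer IP header and the 4-byte GRE header (RFC 2784) to the original packet, and the egress router strips them and hands the inner packet on. The decapsulation routine also reads the inner header, which is exactly what anyone on the path can do: GRE provides encapsulation only, no confidentiality and no authentication, so when the IP cloud is untrusted the GRE tunnel is carried inside IPsec. All addresses and the payload are constructed.

```python
"""Building and parsing a GRE (RFC 2784) encapsulation of an IPv4 packet.
Added example, not code from the book; addresses are constructed."""
import struct

GRE_PROTO_IPV4 = 0x0800   # Ethertype-style protocol type carried in GRE
IPPROTO_GRE = 47          # protocol number of GRE in the outer IP header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip2bytes(text: str) -> bytes:
    return bytes(int(x) for x in text.split("."))


def bytes2ip(raw: bytes) -> str:
    return ".".join(str(x) for x in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, ip2bytes(src), ip2bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Ingress router: outer IP header + GRE header + the original packet."""
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)  # no C/K/S bits, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(frame: bytes):
    """Egress router: strip the outer header, return (protocol type, inner packet)."""
    ihl = (frame[0] & 0x0F) * 4
    outer = frame[:ihl]
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IPv4 checksum failed")
    flags, proto = struct.unpack("!HH", frame[ihl:ihl + 4])
    offset = ihl + 4
    if flags & 0x8000:   # C bit: checksum and reserved1 word present
        offset += 4
    if flags & 0x2000:   # K bit: key present (RFC 2890)
        offset += 4
    if flags & 0x1000:   # S bit: sequence number present (RFC 2890)
        offset += 4
    return proto, frame[offset:]


def inner_addresses(packet: bytes):
    """What an on-path observer learns from the cleartext inner header."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return bytes2ip(src), bytes2ip(dst)


def demo():
    # Constructed: 10.1.0.5 at site A reaches 10.2.0.9 at site B through a
    # tunnel between the site routers 192.0.2.1 and 198.51.100.1.
    payload = b"hello tunnel"
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, len(payload)) + payload
    frame = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    proto, unwrapped = gre_decapsulate(frame)
    return len(frame), proto, inner_addresses(unwrapped), unwrapped == inner
```

The optional GRE key (K bit) is sometimes mistaken for a security feature; it only identifies which tunnel a packet belongs to and is sent in the clear, so it gives no protection against injection into the tunnel.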

Handling an Incident

You must follow certain steps when you handle an incident. These steps should be clearly defined in security policies to ensure that all actions have a clear focus. The goals for handling any security breaches should be defined by management and legal counsel in advance. One of the most fundamental objectives is to restore control of the affected systems and to limit the impact and damage. In the worst-case scenario, shutting down the system, or disconnecting the system from the network, may be...

Historical Perspective on US Policy

In the United States, cryptography export used to be controlled by the International Traffic in Arms Regulation (ITAR) because cryptography was deemed to serve both civilian and military purposes and was placed on the United States Munitions List (USML). If an article or service is placed on the USML, its export is regulated exclusively by the State Department. ITAR controls software that includes but is not limited to the system functional design, logic flow, algorithms, application programs,...

Identify Network Assets

It is impossible to know who might be an organization's potential enemy. A better approach is for the organization to know itself. Companies must understand what they want to protect, what access is needed to those assets, and how these considerations work together. Companies should be more concerned about their assets and their associated value than about an attacker's motivation. The corporation must identify the things that require protection. Table 5-1 lists some possible network assets to...

Identity Technologies

This section describes the primary technologies used to establish identity for a host, an end-user, or both. Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant authorized access to specific parts of the network before establishing who is trying to gain access to restricted resources. How foolproof the authentication method is depends on the technology used. We can loosely categorize authentication methods...

IETF Working Groups and Sites for Standards and Drafts on Security Technologies Developed Through the IETF

- Includes authentication and privacy technologies used with PPP
- Remote Authentication Dial-In User Service. Details the specifications of the RADIUS AAA protocol
- Authenticated Firewall Traversal. Includes SOCKS specifications
- Common Authentication Technology. Includes specifications for Kerberos
- IP Security Protocol. Details specifications for IPsec
- One-Time Password Authentication. Details standards for one-time password technologies
- Public Key Infrastructure...

Image Authentication

When downloading images onto any network infrastructure device, you may want to ensure that the images have not been modified or changed in transit. Most devices have a checksum verification to ensure that the image will load correctly when the device is rebooted. Any time the checksum does not verify correctly, the image should be erased and replaced with an image whose checksum verifies. Note that a checksum carried with the image detects corruption, not tampering: anyone able to alter the image can recompute the checksum, so the reference value must come from an authenticated source (or the image must be digitally signed) for the check to say anything about integrity. All Cisco software releases on Cisco Connection Online (CCO) and all floppy-based Cisco IOS...

Impersonation

Impersonation is closely related to unauthorized access but is significant enough to be discussed separately. Impersonation is the ability to present credentials as if you are something or someone you are not. These attacks can take several forms: stealing a private key, gaining access to a cleartext username/password pair, or even recording an authorization sequence to replay at a later time. In large corporate networks, impersonation can be devastating because it bypasses the trust...

Implementation Example

This section shows configurations for the firewall, routers, and switches shown in Figure 8-1. These configurations show the commands that should be used for most Cisco infrastructure equipment to ensure security in the devices and the network infrastructure itself. Some features are shown that have not been discussed in detail in this chapter; disable them if they are not used, because they can cause some security risks. The authentication method for device access is TACACS+ wherever available...

Implementation Examples

A PIX firewall used in conjunction with a screening Cisco IOS router. In both cases, an intrusion detection system should be used to help get more information in case an attack is attempted and to keep active audit logs of traffic coming into or leaving the corporate network. Note: The intent of the following sections is to point out practical design examples for implementing robust firewall designs. Sample scenarios are given with configuration commands that may not have been covered in detail...

Incident Handling

A security breach is often referred to as an incident. An incident is any breach that is the result of an external intruder attack, unintentional damage, an employee testing some new program and inadvertently exploiting a software vulnerability, or a disgruntled employee causing intentional damage. Each of these possible events should be addressed in advance by adequate contingency plans. The time to think about how to handle a security incident is not after an intrusion has occurred. Planning...

Incident Response Teams

- NIST Special Publication (SP) 800-3, Establishing a Computer Security Incident Response Capability (CSIRC)
- Computer Security Resource Clearinghouse (CSRC)
- The Danish Computer Emergency Response Team provides a pointer to a number of different Computer Emergency Response Teams (CERTs) around the world

Info

The authentication services that can be defined are listed here:
- arap: Set authentication list for AppleTalk Remote Access (ARA) users' attempts to log in to the router.
- nasi: Set authentication list for NetWare Asynchronous Services Interface (NASI) users' attempts to log in to the router.
- enable: Set authentication list for enable mode.
- login: Set authentication lists for character-mode connections.
- ppp: Set authentication lists for PPP connections.
You can specify up to four...

Infrastructure and Data Integrity

On the network infrastructure, you want to ensure as best you can that any traffic on the network is valid traffic. Valid traffic can be categorized as expected network traffic, such as the following: data that has not been altered. Firewalls control the flow of traffic between networks and are often used to control the flow of supported network services. Authenticating data in the network infrastructure gives reasonable security against altered packets. Putting safeguards in place to deploy...

Integrity

Integrity is the element of the security architecture that encompasses network infrastructure device security (physical and logical access) and perimeter security. Physical access to a computer (or router or switch or firewall) usually gives a sufficiently sophisticated user total control over that device. Physical access to a network link usually allows a person to tap into that link, jam it, or inject traffic into it. Software security measures can often be circumvented when physical access...

Intelligence Gathering Methods

There are many ways for people to get at confidential information:
- Obtaining your data from other companies
- Going through trash inside the building
- Monitoring unsecured faxes and telephones (particularly true in other countries)
- Voice gathering by using sound-directional equipment
- Foreign or competing representatives who visit or tour your facilities
- Interns or students assigned to your facilities

Intrusion Detection

Intrusion detection refers to the real-time monitoring of network activity and the analyzing of data for potential vulnerabilities and attacks in progress. Internal, authorized users conducting unauthorized activity on the network---such as trying to transmit confidential documents over the Internet or illegally modifying network access privileges---can be detected in real time and stopped immediately. An external intruder trying to break into the network can be handled in the same manner....
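Two detections of the kind described above, as an added example (not code from the book), run over constructed Cisco IOS-style syslog lines. The first flags an outside source that is denied on many distinct destination ports within a short window, the usual signature of an intruder probing the perimeter. The second flags a router configuration change, which is how access privileges get modified on the infrastructure, that originates from an address outside the administrators' list. The log lines, the year used to complete the timestamps and the administrator address list (taken from the addresses used in the Logical Security Controls example) are all assumptions of the example.

```python
"""Simple real-time style detections over IOS-style syslog lines. Added
example, not from the book; log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: one outside host probes six ports on the router within
# seconds, a second host makes a single failed Telnet attempt, and two
# configuration changes are logged, one from an admin station and one not.
LOG = """\
Mar 10 10:02:01 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44321) -> 144.254.166.6(21), 1 packet
Mar 10 10:02:02 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44322) -> 144.254.166.6(22), 1 packet
Mar 10 10:02:02 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44323) -> 144.254.166.6(25), 1 packet
Mar 10 10:02:03 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44324) -> 144.254.166.6(80), 1 packet
Mar 10 10:02:04 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44325) -> 144.254.166.6(110), 1 packet
Mar 10 10:02:05 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(44326) -> 144.254.166.6(443), 1 packet
Mar 10 10:15:40 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(5123) -> 144.254.166.6(23), 1 packet
Mar 10 11:30:12 fw1 %SYS-5-CONFIG_I: Configured from console by merike on vty0 (144.254.3.3)
Mar 10 23:41:50 fw1 %SYS-5-CONFIG_I: Configured from console by guest on vty1 (203.0.113.5)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
DENY_RE = re.compile(
    TS + r" \S+ %SEC-6-IPACCESSLOGP: list \S+ denied \w+ "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
CONFIG_RE = re.compile(
    TS + r" \S+ %SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ "
    r"\((?P<src>[\d.]+)\)")


def parse_ts(text: str, year: int = 2024) -> datetime:
    # Syslog timestamps carry no year; the year is an assumption of the example.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect(log_text: str, scan_ports: int = 5, window_s: int = 60,
           admin_sources=("144.254.3.3", "144.254.3.4")):
    """Return a list of alerts: ('port-scan', src, ports) when one source is
    denied on >= scan_ports distinct ports within window_s seconds, and
    ('config-change-unexpected-source', src, user) for a configuration change
    from an address outside admin_sources."""
    alerts = []
    recent = defaultdict(deque)   # src -> (time, dport) events inside the window
    flagged = set()               # sources already reported as scanners
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            t = parse_ts(m["ts"])
            events = recent[m["src"]]
            events.append((t, int(m["dport"])))
            while (t - events[0][0]).total_seconds() > window_s:
                events.popleft()   # slide the window forward
            ports = {port for _, port in events}
            if len(ports) >= scan_ports and m["src"] not in flagged:
                flagged.add(m["src"])
                alerts.append(("port-scan", m["src"], sorted(ports)))
            continue
        m = CONFIG_RE.match(line)
        if m and m["src"] not in admin_sources:
            alerts.append(("config-change-unexpected-source", m["src"], m["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

Both rules depend on the logging being there in the first place: the `log` keyword on the deny entries and `logging` to a host the intruder cannot reach, since local buffers are the first thing an intruder with privileged access clears.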

ip address 144.254.166.6 255.255.255.0

dialer map ip 171.73.34.33 name merike
ip route 0.0.0.0 0.0.0.0 144.254.166.6
ip route 144.254.166.6 255.255.255.255 BRI0
! allows Telnet from telecommuter to this router
access-list 101 permit tcp any host 144.254.166.6 eq telnet
! allows telecommuter to have access anywhere inside campus after Telneting to router and successful authentication
access-list 101 dynamic telecommuter timeout 120 permit ip any any
dialer-list 1 protocol ip permit
line vty 0

isdn switch-type basic-dms100

 ip address 144.254.166.6 255.255.255.0
interface BRI0
 ip unnumbered Ethernet0
 ip access-group 101 in
 no ip mroute-cache
 encapsulation ppp
 dialer idle-timeout 300
 dialer map ip 192.150.42.1 name Branchrouter 97328866
ip route 0.0.0.0 0.0.0.0 192.150.42.1
ip route 192.150.42.1 255.255.255.255 BRI0
! allows Telnet from the branch hosts to this router
access-list 101 permit tcp any host 144.254.166.6 eq telnet
! allows anybody inside campus to have access to the branch resources
access-list 101 permit...

Keep Accurate Documentation

Documenting all details relating to the incident is crucial because doing so provides the information necessary to later analyze any cause-and-effect scenarios. Details recorded should include who was notified and what actions were taken, all with the proper date and time. A log book for incident response should be kept that will make it easier to sort through all the details later to reconstruct events in their proper chronological order. For legal purposes, all documentation should be...

Key Management

Key management is a difficult problem in secure communications, mainly because of social rather than technical factors. Cryptographically secure ways of creating and distributing keys have been developed and are fairly robust. However, the weakest link in any secure system is that humans are responsible for keeping secret and private keys confidential. Keeping these keys in a secure place and not writing them down or telling other people what they are is a socially difficult task---especially...

Law and the Legal Process

Know the appropriate state and federal laws. Include copies of state and federal laws with your plan. Determine your guidelines for prosecuting. Prosecution is necessary for a law enforcement investigation and if you want to use the search warrant process. Know the appropriate local or federal law enforcement agency that has jurisdiction for any problems you might have. Establish the appropriate contacts. Keep names and phone numbers updated. Talk with law enforcement at least once a year....

Legal Considerations

Because of the nature of the content of audit data, a number of legal questions arise that you might want to bring to the attention of your legal counsel. If you collect and save audit data, be prepared for consequences resulting from both its existence and its content. One area of concern is the privacy of individuals. In certain instances, audit data might contain personal information. Searching through the data, even for a routine check of the system's security, might represent an invasion...

Legal Proof of Authenticity

Authentication of an original document is fundamental to the admissibility of the original document in a court of law. Any copying or conversion process (photocopy, microfilm, electronically scanned image, and so on) must be proven reliable---as must the authenticity of the original document. If there is no capability to authenticate the original document, no amount of reliability evidence with respect to the conversion process will serve to support credibility. If a court admits a record into...

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is used for accessing online directory services. LDAP was developed by the University of Michigan in 1995 to make it easier to access X.500 directories. X.500 was too complicated and required too much computer power for many users, so a simplified version was created. LDAP is specifically targeted at management applications and browser applications that provide read/write interactive access to directories. When used with a directory that supports...

Lock-and-Key Authentication

There are three possible ways to configure an authentication query process:
- Configure a security server. Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
- Configure the username command. This method is more effective than a shared line password because authentication is determined on a per-user basis. Router username name...
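To make the behaviour of the lock-and-key configurations above concrete, and to show the anti-spoofing check a screening router needs in front of them, here is an evaluator for the subset of Cisco IOS extended access-list syntax those configurations use, as an added example in Python (not code from the book, and not a substitute for the router's own implementation). It models first-match evaluation, the implicit deny at the end of every list, wildcard masks, and the fact that the `dynamic telecommuter` entry matches nothing until the user has authenticated to the router and a temporary entry pinned to that user's source address exists. The access list is constructed for the example: an anti-spoofing deny for the inside 144.254.0.0/16 block is placed ahead of the two lines from the configuration above, and the inside host and outside addresses are assumptions. Only the absolute timeout is modelled; IOS also supports an idle timeout set by `access-enable`.

```python
"""Evaluator for the subset of Cisco IOS extended access-list syntax used in
the lock-and-key configurations above. Added example, not code from the book.
Models first-match evaluation, the implicit deny, wildcard masks, and the
per-user temporary entry that a dynamic entry turns into after login."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "ftp": 21, "smtp": 25, "www": 80}

# Constructed list: an anti-spoofing deny first (a packet arriving from the
# outside must never claim an inside 144.254.0.0/16 source), then the two
# lock-and-key lines from the configuration above.
ACL_TEXT = """
access-list 101 deny ip 144.254.0.0 0.0.255.255 any
access-list 101 permit tcp any host 144.254.166.6 eq telnet
access-list 101 dynamic telecommuter timeout 120 permit ip any any
"""


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2


def addr_match(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF        # wildcard 1-bits are "don't care"
    return (addr & care) == (net & care)


@dataclass
class Entry:
    action: str
    proto: str
    src: tuple
    dst: tuple
    dport: Optional[int] = None
    dynamic: Optional[str] = None
    timeout_min: Optional[int] = None
    active_src: Optional[int] = None     # authenticated host, set by activate()
    expires_at: Optional[float] = None   # absolute timeout, in seconds


def parse_entry(line):
    tok = line.split()                   # tok[0] 'access-list', tok[1] number
    i, dynamic, timeout_min = 2, None, None
    if tok[i] == "dynamic":
        dynamic, i = tok[i + 1], i + 2
        if tok[i] == "timeout":
            timeout_min, i = int(tok[i + 1]), i + 2
    action, proto = tok[i], tok[i + 1]
    src, i = parse_addr(tok, i + 2)
    dst, i = parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Entry(action, proto, src, dst, dport, dynamic, timeout_min)


class AccessList:
    def __init__(self, text):
        self.entries = [parse_entry(l) for l in text.strip().splitlines()]

    def activate(self, name, src_ip, now):
        """What access-enable does after the user authenticates: the dynamic
        entry becomes a temporary entry for that user's address only."""
        for e in self.entries:
            if e.dynamic == name:
                e.active_src = ip2int(src_ip)
                e.expires_at = now + 60 * e.timeout_min if e.timeout_min else None

    def evaluate(self, proto, src_ip, dst_ip, dport=None, now=0.0):
        src, dst = ip2int(src_ip), ip2int(dst_ip)
        for e in self.entries:           # first match wins
            if e.dynamic and (e.active_src != src or
                              (e.expires_at is not None and now >= e.expires_at)):
                continue
            if e.proto != "ip" and e.proto != proto:
                continue
            if not (addr_match(src, e.src) and addr_match(dst, e.dst)):
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return e.action
        return "deny"                    # implicit deny ends every IOS list


def run_scenario():
    """Telecommuter 171.73.34.33 (from the configuration) reaching an assumed
    inside host; 'now' is seconds since the router started evaluating."""
    acl = AccessList(ACL_TEXT)
    tele, router, inside = "171.73.34.33", "144.254.166.6", "144.254.10.5"
    r = {"telnet_to_router": acl.evaluate("tcp", tele, router, 23, now=0),
         "inside_before_auth": acl.evaluate("tcp", tele, inside, 80, now=0)}
    acl.activate("telecommuter", tele, now=0)   # user authenticated via Telnet
    r["inside_after_auth"] = acl.evaluate("tcp", tele, inside, 80, now=60)
    r["other_host_after_auth"] = acl.evaluate("tcp", "198.51.100.7", inside, 80, now=60)
    r["spoofed_inside_source"] = acl.evaluate("tcp", "144.254.10.9", inside, 80, now=60)
    r["after_timeout"] = acl.evaluate("tcp", tele, inside, 80, now=121 * 60)
    return r
```

Two things the scenario makes visible that the configuration lines alone do not: the temporary entry opens the `permit ip any any` hole for the authenticated host's address only, not for everyone on the Internet, and it closes again when the timeout expires. Because evaluation is first match, the anti-spoofing deny must sit above the dynamic entry; placed below it, an intruder who has guessed an inside source address would be evaluated against the permit first.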

Logical Access Control

Access to equipment and network segments should be restricted to individuals who require access. Two types of controls should be implemented:
- Preventative controls, which are designed to uniquely identify every authorized user and to deny access to unauthorized users.
- Detective controls, which are designed to log and report the activities of authorized users and to log and report unauthorized access or attempted access to systems, programs, and data.
The correct technical solution is one that...

Logical Security Controls

Logical security controls create boundaries between network segments. As such, they control the flow of traffic between different cable segments. When traffic is logically filtered between networks, logical access controls provide security. The example in Figure 6-6 shows three university buildings each connected by a router. The administration building has a LAN that allows only specific IP addresses from the engineering building (144.254.3.3 and 144.254.3.4) and the liberal arts building...

Look for Weak Links

Often, the employees who make the least money have the most access in a company: security personnel, maintenance personnel, and janitors. The following are possible weak links:
- Is the company contracting for services, and are those employees bonded or backgrounded?
- Don't overlook trash being put in unlocked dumpsters.
- Social engineering of unsophisticated employees who talk about passwords in front of others.
- Employees...