CS 613 SEU Defending Against Spyware Cyber Security Paper

Description

Defending Against Spyware (60 Points)

Why is it important to be proactive in defending against spyware at home and at work? Discuss the benefits of this type of defense. Also discuss the implications of not implementing this type of defense.


Network Defense and Countermeasures
by Chuck Easttom
Chapter 10: Defending Against Trojan Horses, Spyware, and Adware
Objectives

- Describe Trojan horses
- Take steps to prevent Trojan horse attacks
- Describe spyware
- Use antispyware software
- Create antispyware policies
© 2019 by Pearson Education, Inc.
Chapter 10 Defending Against Trojan Horses, Spyware, and Adware
2
Introduction

Though not as common as viruses, Trojan horses still pose a real threat to computer systems. Spyware and adware continue to grow and clutter computer networks and individual computers. This chapter provides ways to combat these particular types of threats.
Trojan Horses

Typical actions Trojan horses take:

- Delete files from a computer
- Spread other malware
- Use the computer to launch a DDoS
- Search for personal information
- Install a “back door” to the computer
Some Notorious Trojan Horses

- Back Orifice
- Anti-Spyware 2011
- Sheldun
- Brain Test
- FinFisher
- NetBus
- FlashBack
- GameOver Zeus
- Linux Trojan Horses
- Portal of Doom
Back Orifice

- Allows control over TCP/IP
- Entirely self-installing
- Can be attached to legitimate applications
- Does not appear in the task list
- The registry is the best way to remove it
NetBus

- Similar to Back Orifice
- Only works on port 20034
- Simple to check for infection
- Removal through the registry
- Easy-to-use GUI
Linux Trojan Horses

- These Trojan horses are not new
  - One was released in 1999
    - A typical back door Trojan horse
    - Uploaded to at least one FTP server
    - Not known how many systems were compromised
Portal of Doom

Back door tool allows remote users to perform the following:

- Open and close the CD tray
- Shut down the system
- Open files or programs
- Access drives
- Change passwords
- Log keystrokes
- Take screenshots
Symptoms of a Trojan Horse

- Home page for your browser changes
- Any change to passwords, usernames, accounts, and so on
- Any change to screen savers
- Changes to mouse settings, backgrounds, and such
- Any device seeming to work on its own, such as a CD door
Preventing Trojan Horses: Technological Measures

- Block unneeded ports (e.g. 20034)
- Utilize antivirus software (most check for Trojan horses)
- Prevent active code in browsers
- Limit user’s rights to just what is needed
Preventing Trojan Horses: Policy Measures

- Never download any attachments unless absolutely certain they are safe or expected
- If a port is not needed, close it
- Do not download browser skins, toolbars, screen savers, or animations
- Ask your IT department to scan any needed downloads before use
- Be cautious of hidden file extensions
Trojan Horse and Associated Port(s)

Table 10.1 Ports used by well-known Trojan horses

Port(s) Used         Trojan Horse
57341                NetRaider
54320                Back Orifice 2000
37651                Yet Another Trojan (YAT)
33270                Trinity
31337 and 31338      Back Orifice
12624                Buttman
9872-9872, 3700      Portal of Doom (POD)
7300-7308            Net Monitor
2583                 WinCrash
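The NetBus slide calls checking for infection "simple", and the technological measures slide says to block unneeded ports such as 20034; Table 10.1 gives the ports to look for. As an added example (not code from the book, the slides, or Pearson), the following Python script turns that table into a port lookup and scans netstat-style output for sockets listening on one of those ports. The NetBus port 20034 is taken from the NetBus slide rather than the table, the netstat lines are constructed sample input, and the table and function names are my own.

```python
"""Check a host's listening ports against the Trojan-port table.

Added example, not code from the book or the slides. The port table is
taken from Table 10.1 plus the NetBus port (20034) from the NetBus slide;
the netstat-style lines are constructed sample input, not a real capture.
"""
import re

# Port specifications exactly as printed in Table 10.1, plus NetBus.
# parse_port_spec() accepts single ports, "lo-hi" ranges, comma lists and
# "X and Y", so the strings can stay in the table's own notation.
TROJAN_PORT_TABLE = {
    "NetRaider": "57341",
    "Back Orifice 2000": "54320",
    "Yet Another Trojan (YAT)": "37651",
    "Trinity": "33270",
    "Back Orifice": "31337 and 31338",
    "Buttman": "12624",
    "Portal of Doom (POD)": "9872-9872, 3700",
    "Net Monitor": "7300-7308",
    "WinCrash": "2583",
    "NetBus": "20034",  # from the NetBus slide, not from Table 10.1
}

# Constructed sample in the shape of `netstat -an` output: the first lines
# use the Windows layout, the last one the Linux layout.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
TCP    [::]:7304              [::]:0                 LISTENING
TCP    192.168.1.10:49731     203.0.113.5:443        ESTABLISHED
UDP    0.0.0.0:137            *:*
tcp    0      0 127.0.0.1:3700      0.0.0.0:*         LISTEN
"""


def parse_port_spec(spec):
    """Expand a Table 10.1 port string into a set of integer ports."""
    ports = set()
    for part in re.split(r"\s*(?:,|\band\b)\s*", spec):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def build_port_index(table=TROJAN_PORT_TABLE):
    """Map each port number to the Trojan horse names that use it."""
    index = {}
    for name, spec in table.items():
        for port in parse_port_spec(spec):
            index.setdefault(port, []).append(name)
    return index


def listening_ports(netstat_output):
    """Yield (proto, port) for every socket in a LISTEN/LISTENING state.

    Field positions differ between Windows and Linux, so the local address
    is taken as the first field after the protocol that carries a port
    suffix. Lines without a listen state (UDP, ESTABLISHED, the header)
    are skipped.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        port_str = local.rsplit(":", 1)[1]
        if port_str.isdigit():
            yield fields[0].lower(), int(port_str)


def find_trojan_ports(netstat_output, table=TROJAN_PORT_TABLE):
    """Return sorted (port, proto, names) tuples for listeners on known Trojan ports.

    A hit is a lead, not a verdict: identify the process that owns the port
    before treating the host as infected, since legitimate software can
    reuse any of these numbers.
    """
    index = build_port_index(table)
    hits = set()
    for proto, port in listening_ports(netstat_output):
        if port in index:
            hits.add((port, proto, tuple(sorted(index[port]))))
    return sorted(hits)


if __name__ == "__main__":
    for port, proto, names in find_trojan_ports(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: listening on a port used by {', '.join(names)}")
```

On a real host, pass the text of `netstat -an` to find_trojan_ports() instead of SAMPLE_NETSTAT; the same port set is also what a "block unneeded ports" firewall rule would be built from. The check is deliberately weak on its own (a port number proves nothing by itself), which is why the slides pair it with antivirus scanning and least-privilege user rights.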
Spyware and Adware

- Becoming more and more intrusive
- Can cause systems to crash
- Made to gather information and send it to third parties
- Generates pop-ups not detected by pop-up blockers
Spyware and Adware Examples

- Gator (Adware)
  - Two methods of removal
    - Add/remove programs
    - The registry
- RedSheriff (Spyware)
  - Twofold problem:
    - No one is certain what data is collected (except the manufacturer)
    - Many people have a negative reaction to website monitoring
Antispyware Applications

- Two popular applications
  - Spy Sweeper (www.webroot.com)
  - Zero Spyware
- Research and compare products online
  - PCMag Best Anti-spyware of 2018
  - IEEE Comparing Anti-Spyware Products
  - Digital Trends Best Free Antivirus
Antispyware Policies

- Never download any attachments you are not certain are safe
- Configure browser to block cookies, or at least third-party cookies
- Configure browser to block scripts that run without user awareness
- Utilize browser pop-up blockers
Anti-Spyware Policies cont.

- Never download the following if you are uncertain of their safety:
  - Applications
  - Browser skins
  - Screen savers
  - Utilities
- Block Java applets, or require manual approval of such
Summary

- Both Trojan horses and spyware pose significant dangers
- Virus scanners and appropriate policies are your only protection against Trojan horses and spyware
- Carefully develop and implement anti-Trojan horse policies
Summary

- Spyware and adware are growing problems for networks
- Spyware can compromise security
- Confidential information can be compromised by spyware
- Adware is more of a nuisance than a real security threat
  - However, there is a threshold of adware that can make a system unusable
Summary

- There are numerous utilities that can help protect against Trojan horses (antivirus software)
- Available utilities can protect against spyware and adware
- Policies can work with utilities to further protect systems
Network Defense and
Countermeasures
Principles and Practices
Third Edition
Chuck Easttom
800 East 96th Street, Indianapolis, Indiana 46240 USA
Network Defense and Countermeasures
Copyright © 2018 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.
ISBN-13: 978-0-7897-5996-2
ISBN-10: 0-7897-5996-9
Library of Congress Control Number: 2018933854
Printed in the United States of America
1 18

Editor-in-Chief: Mark Taub
Product Line Manager: Brett Bartow
Development Editor: Ellie C. Bru
Executive Editor: Mary Beth Ray
Managing Editor: Sandra Schroeder
Senior Project Editor: Tonya Simpson
Copy Editor: Bill McManus
Indexer: Erika Millen
Proofreader: Abigail Manheim
Technical Editors: Akhil Behl, Steve Kalman
Publishing Coordinator: Vanessa Evans
Cover Designer: Chuti Prasertsith
Compositor: codemantra

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from the services.
The documents and related graphics contained herein could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time. Partial screenshots may be viewed in full within the software version specified.
Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. Screenshots and icons reprinted with permission from the Microsoft Corporation. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.
Contents at a Glance

Preface ... xviii
1 Introduction to Network Security ... 2
2 Types of Attacks ... 40
3 Fundamentals of Firewalls ... 76
4 Firewall Practical Applications ... 100
5 Intrusion-Detection Systems ... 122
6 Encryption Fundamentals ... 140
7 Virtual Private Networks ... 176
8 Operating System Hardening ... 202
9 Defending Against Virus Attacks ... 236
10 Defending against Trojan Horses, Spyware, and Adware ... 268
11 Security Policies ... 290
12 Assessing System Security ... 312
13 Security Standards ... 350
14 Physical Security and Disaster Recovery ... 382
15 Techniques Used by Attackers ... 396
16 Introduction to Forensics ... 420
17 Cyber Terrorism ... 444
Appendix A: Answers ... 470
Glossary ... 480
Index ... 490
Table of Contents

Chapter 1: Introduction to Network Security ... 2
Introduction ... 2
The Basics of a Network ... 3
    Basic Network Structure ... 3
    Data Packets ... 4
    IP Addresses ... 4
    Uniform Resource Locators ... 8
    MAC Addresses ... 9
    Protocols ... 9
Basic Network Utilities ... 10
    ipconfig ... 11
    ping ... 12
    tracert ... 13
    netstat ... 13
The OSI Model ... 14
What Does This Mean for Security? ... 15
Assessing Likely Threats to the Network ... 15
Classifications of Threats ... 18
    Malware ... 20
    Compromising System Security—Intrusions ... 21
    Denial of Service ... 22
Likely Attacks ... 23
Threat Assessment ... 24
Understanding Security Terminology ... 25
    Hacking Terminology ... 25
    Security Terminology ... 28
Choosing a Network Security Approach ... 29
    Perimeter Security Approach ... 30
    Layered Security Approach ... 30
    Hybrid Security Approach ... 30
Network Security and the Law ... 31
Using Security Resources ... 32
Summary ... 33

Chapter 2: Types of Attacks ... 40
Introduction ... 40
Understanding Denial of Service Attacks ... 41
    DoS in Action ... 41
    SYN Flood ... 45
    Smurf Attack ... 48
    Ping of Death ... 49
    UDP Flood ... 49
    ICMP Flood ... 50
    DHCP Starvation ... 50
    HTTP Post DoS ... 50
    PDoS ... 50
    Distributed Reflection Denial of Service ... 50
    DoS Tools ... 51
    Real-World Examples ... 53
    Defending Against DoS Attacks ... 56
Defending Against Buffer Overflow Attacks ... 57
Defending Against IP Spoofing ... 59
Defending Against Session Hijacking ... 60
Blocking Virus and Trojan Horse Attacks ... 61
    Viruses ... 61
    Types of Viruses ... 65
    Trojan Horses ... 67
Summary ... 70
Chapter 3: Fundamentals of Firewalls ... 76
Introduction ... 76
What Is a Firewall? ... 77
    Types of Firewalls ... 78
    Packet Filtering Firewall ... 78
    Stateful Packet Inspection ... 80
    Application Gateway ... 81
    Circuit Level Gateway ... 82
    Hybrid Firewalls ... 84
    Blacklisting/Whitelisting ... 84
Implementing Firewalls ... 84
    Host-Based ... 84
    Dual-Homed Hosts ... 86
    Router-Based Firewall ... 87
    Screened Hosts ... 88
Selecting and Using a Firewall ... 90
    Using a Firewall ... 91
Using Proxy Servers ... 91
    The WinGate Proxy Server ... 92
    NAT ... 93
Summary ... 94

Chapter 4: Firewall Practical Applications ... 100
Introduction ... 100
Using Single Machine Firewalls ... 101
Windows 10 Firewall ... 102
User Account Control ... 104
Linux Firewalls ... 104
    Iptables ... 104
    Symantec Norton Firewall ... 106
    McAfee Personal Firewall ... 108
Using Small Office/Home Office Firewalls ... 110
    SonicWALL ... 110
    D-Link DFL-2560 Office Firewall ... 112
Using Medium-Sized Network Firewalls ... 113
    Check Point Firewall ... 113
    Cisco Next-Generation Firewalls ... 114
Using Enterprise Firewalls ... 115
Summary ... 116

Chapter 5: Intrusion-Detection Systems ... 122
Introduction ... 122
Understanding IDS Concepts ... 123
    Preemptive Blocking ... 123
    Anomaly Detection ... 124
IDS Components and Processes ... 125
Understanding and Implementing IDSs ... 126
    Snort ... 126
    Cisco Intrusion-Detection and Prevention ... 127
Understanding and Implementing Honeypots ... 128
    Specter ... 129
    Symantec Decoy Server ... 131
    Intrusion Deflection ... 132
    Intrusion Deterrence ... 132
Summary ... 134
Chapter 6: Encryption Fundamentals ... 140
Introduction ... 140
The History of Encryption ... 140
    The Caesar Cipher ... 141
    ROT 13 ... 142
    Atbash Cipher ... 143
    Multi-Alphabet Substitution ... 143
    Rail Fence ... 143
    Vigenère ... 144
    Enigma ... 145
    Binary Operations ... 145
Learning About Modern Encryption Methods ... 147
    Symmetric Encryption ... 148
    Key Stretching ... 153
    PRNG ... 154
    Public Key Encryption ... 154
    Digital Signatures ... 157
Identifying Good Encryption ... 158
Understanding Digital Signatures and Certificates ... 158
    Digital Certificates ... 159
    PGP Certificates ... 160
    MD5 ... 161
    SHA ... 161
    RIPEMD ... 162
    HAVAL ... 162
Understanding and Using Decryption ... 162
Cracking Passwords ... 163
    John the Ripper ... 163
    Using Rainbow Tables ... 164
    Using Other Password Crackers ... 164
    General Cryptanalysis ... 164
Steganography ... 167
Steganalysis ... 168
Quantum Computing and Quantum Cryptography ... 169
Summary ... 170

Chapter 7: Virtual Private Networks ... 176
Introduction ... 176
Basic VPN Technology ... 177
Using VPN Protocols for VPN Encryption ... 178
    PPTP ... 178
    PPTP Authentication ... 180
    L2TP ... 181
    L2TP Authentication ... 182
    L2TP Compared to PPTP ... 186
IPSec ... 187
SSL/TLS ... 188
Implementing VPN Solutions ... 191
    Cisco Solutions ... 191
    Service Solutions ... 191
    Openswan ... 191
    Other Solutions ... 192
Summary ... 195

Chapter 8: Operating System Hardening ... 202
Introduction ... 202
Configuring Windows Properly ... 203
    Accounts, Users, Groups, and Passwords ... 203
    Setting Security Policies ... 208
    Registry Settings ... 211
    Services ... 216
    Encrypting File System ... 219
    Security Templates ... 222
Configuring Linux Properly ... 223
Patching the Operating System . . . . . . . . .
