EVALUATION COPY Web Security Associate Instructor Guide Web Security Series CCN02-CAWSAA-PR-1012 • version 1.0 • rd011111




President/Chief Certification Architect James Stanger, Ph.D.

Vice President, Operations Todd Hopkins

Senior Content Developer Kenneth A. Kozakis

Managing Editor Susan M. Lane

Editor Sarah Skodak

Project Manager/Publisher Tina Strong

Customer Service Certification Partners, LLC 1230 W. Washington St., Ste. 111 Tempe, AZ 85281 (602) 275-7700

Copyright © 2011, All rights reserved.


Web Security Associate Developers

Timothy Crothers, James Stanger, Ph.D., Irina Heer and Kenneth A. Kozakis

Contributor Stephen Schneiter

Editor Susan M. Lane

Project Manager/Publisher Tina Strong

Trademarks Certification Partners is a trademark of Certification Partners, LLC. All product names and services identified throughout this book are trademarks or registered trademarks of their respective companies. They are used throughout this book in editorial fashion only. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with the book. Copyrights of any screen captures in this book are the property of the software's manufacturer.

Disclaimer Certification Partners, LLC, makes a genuine attempt to ensure the accuracy and quality of the content described herein; however, Certification Partners makes no warranty, express or implied, with respect to the quality, reliability, accuracy, or freedom from error of this document or the products it describes. Certification Partners makes no representation or warranty with respect to the contents hereof and specifically disclaims any implied warranties of fitness for any particular purpose. Certification Partners disclaims all liability for any direct, indirect, incidental or consequential, special or exemplary damages resulting from the use of the information in this document or from the use of any products described in this document. Mention of any product or organization does not constitute an endorsement by Certification Partners of that product or corporation. Data used in examples and labs is intended to be fictional even if actual data is used or accessed. Any resemblance to, or use of real persons or organizations should be treated as entirely coincidental. Certification Partners makes every effort to ensure the accuracy of URLs referenced in all its material, but cannot guarantee that all URLs will be available throughout the life of a course. When this course was published, all URLs were checked for accuracy and completeness. However, due to the ever-changing nature of the Internet, some URLs may no longer be available or may have been redirected.

Copyright Information This training manual is copyrighted and all rights are reserved by Certification Partners, LLC. No part of this publication may be reproduced, transmitted, stored in a retrieval system, modified, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual or otherwise without written permission of Certification Partners, 1230 W. Washington Street, Suite 111, Tempe, AZ 85281.

Copyright © 2011 by Certification Partners, LLC

All Rights Reserved

ISBN: 0-7423-2790-6


© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0


Table of Contents

Course Description  xv
Courseware  xvi
Course Objectives  xix
Classroom Setup  xix
System Requirements  xix
Conventions and Graphics Used in This Book  xxiii
Classroom Setup Guide  Classroom Setup Guide-1

Lesson 1: What Is Security?  1-1
  Pre-Assessment Questions  1-2
  Network Security Background  1-3
  What Is Security?  1-4
  Hacker Statistics  1-6
  The Myth of 100-Percent Security  1-7
  Attributes of an Effective Security Matrix  1-8
  What You Are Trying to Protect  1-8
  Who Is the Threat?  1-10
  Security Standards  1-12
  Case Study  1-16
  Lesson 1 Review  1-18
  Lesson 1 Instructor Section  1-19

Lesson 2: Elements of Security  2-1
  Pre-Assessment Questions  2-2
  Security Elements and Mechanisms  2-3
  The Security Policy  2-3
  Determining Backups  2-9
  Encryption  2-9
  Authentication  2-12
  Specific Authentication Techniques  2-17
  Access Control  2-19
  Auditing  2-28
  Security Tradeoffs and Drawbacks  2-29
  Case Study  2-30
  Lesson 2 Review  2-32
  Lesson 2 Instructor Section  2-33

Lesson 3: Applied Encryption  3-1
  Pre-Assessment Questions  3-2
  Reasons to Use Encryption  3-3
  Creating Trust Relationships  3-3
  Symmetric-Key Encryption  3-4
  Symmetric Algorithms  3-5
  Asymmetric-Key Encryption  3-11
  One-Way (Hash) Encryption  3-12
  Applied Encryption Processes  3-15
  Encryption Review  3-31
  Case Study  3-32
  Lesson 3 Review  3-36
  Lesson 3 Instructor Section  3-37

Lesson 4: Types of Attacks  4-1
  Pre-Assessment Questions  4-2
  Network Attack Categories  4-3
  Brute-Force and Dictionary Attacks  4-4
  System Bugs and Back Doors  4-7
  Malware (Malicious Software)  4-8
  Social Engineering Attacks  4-17
  Denial-of-Service (DOS) Attacks  4-21


  Distributed Denial-of-Service (DDOS) Attacks  4-24
  Spoofing Attacks  4-31
  Scanning Attacks  4-32
  Man-in-the-Middle Attacks  4-38
  Bots and Botnets  4-43
  SQL Injection  4-44
  Auditing  4-45
  Case Study  4-47
  Lesson 4 Review  4-50
  Lesson 4 Instructor Section  4-51

Lesson 5: Recent Networking Vulnerability Considerations  5-1
  Pre-Assessment Questions  5-2
  Networking Vulnerability Considerations  5-3
  Wireless Network Technologies and Security  5-3
  IEEE 802.11 Wireless Standards  5-4
  Wireless Networking Modes  5-6
  Wireless Application Protocol (WAP)  5-9
  Wireless Network Security Problems  5-10
  Wireless Network Security Solutions  5-10
  Site Surveys  5-15
  Convergence Networking and Security  5-23
  Web 2.0 Technologies  5-26
  Greynet Applications  5-31
  Vulnerabilities with Data at Rest  5-32
  Security Threats from Trusted Users  5-33
  Anonymous Downloads and Indiscriminate Link-Clicking  5-34
  Case Study  5-36
  Lesson 5 Review  5-38
  Lesson 5 Instructor Section  5-40

Lesson 6: General Security Principles  6-1
  Pre-Assessment Questions  6-2
  Common Security Principles  6-3
  Be Paranoid  6-3
  You Must Have a Security Policy  6-4
  No System or Technique Stands Alone  6-4
  Minimize the Damage  6-5
  Deploy Companywide Enforcement  6-5
  Provide Training  6-5
  Use an Integrated Security Strategy  6-6
  Place Equipment According to Needs  6-7
  Identify Security Business Issues  6-7
  Consider Physical Security  6-8
  Case Study  6-16
  Lesson 6 Review  6-18
  Lesson 6 Instructor Section  6-19

Lesson 7: Protocol Layers and Security  7-1
  Pre-Assessment Questions  7-2
  TCP/IP Security Introduction  7-3
  OSI Reference Model Review  7-3
  Data Encapsulation  7-5
  The TCP/IP Stack and the OSI Reference Model  7-6
  Link/Network Access Layer  7-7
  Network/Internet Layer  7-8
  Transport Layer  7-10
  Application Layer  7-14
  Protocol Analyzers  7-23
  Case Study  7-24
  Lesson 7 Review  7-26
  Lesson 7 Instructor Section  7-27


Lesson 8: Securing Resources  8-1
  Pre-Assessment Questions  8-2
  TCP/IP Security Vulnerabilities  8-3
  Implementing Security  8-4
  Resources and Services  8-5
  Protecting TCP/IP Services  8-6
  Simple Mail Transfer Protocol (SMTP)  8-12
  Physical Security  8-15
  Testing Systems  8-19
  Security Testing Software  8-19
  Security and Repetition  8-21
  Case Study  8-21
  Lesson 8 Review  8-24
  Lesson 8 Instructor Section  8-25

Lesson 9: Firewalls and Virtual Private Networks  9-1
  Pre-Assessment Questions  9-2
  Access Control Overview  9-3
  Definition and Description of a Firewall  9-3
  The Role of a Firewall  9-3
  Firewall Terminology  9-4
  Firewall Configuration Defaults  9-10
  Creating Packet Filter Rules  9-11
  Packet Filter Advantages and Disadvantages  9-13
  Configuring Proxy Servers  9-22
  URL Filtering  9-29
  Remote Access and Virtual Private Networks (VPNs)  9-30
  Public Key Infrastructure (PKI)  9-34
  Case Study  9-36
  Lesson 9 Review  9-40
  Lesson 9 Instructor Section  9-41

Lesson 10: Levels of Firewall Protection  10-1
  Pre-Assessment Questions  10-2
  Designing a Firewall  10-3
  Types of Bastion Hosts  10-4
  Hardware Issues  10-5
  Common Firewall Designs  10-7
  Putting It All Together  10-11
  Case Study  10-17
  Lesson 10 Review  10-19
  Lesson 10 Instructor Section  10-20

Lesson 11: Detecting and Distracting Hackers  11-1
  Pre-Assessment Questions  11-2
  Proactive Detection  11-3
  Distracting the Hacker  11-4
  Deterring the Hacker  11-10
  Case Study  11-12
  Lesson 11 Review  11-14
  Lesson 11 Instructor Section  11-15

Lesson 12: Incident Response  12-1
  Pre-Assessment Questions  12-2
  Creating an Incident Response Policy  12-3
  Determining If an Attack Has Occurred  12-4
  Executing the Response Plan  12-5
  Analyzing and Learning  12-8
  Case Study  12-9
  Lesson 12 Review  12-12
  Lesson 12 Instructor Section  12-13


Course Assessment...........................................................................................Course Assessment-1 Appendixes ................................................................................................................. Appendixes-1 Glossary ...........................................................................................................................Glossary-1 Index ................................................................................................................................... Index-1 Supplemental Files Contents.............................................................Supplemental Files Contents-1

List of Labs
Lab 1-1: Causing a NetBus trojan infection ... 1-4
Lab 2-1: Viewing and modifying default access control settings in Windows Server 2003 ... 2-21
Lab 2-2: Viewing the effects of hostile JavaScript in Mozilla Firefox ... 2-24
Lab 2-3: Configuring execution control lists in Windows Server 2003 ... 2-25
Lab 2-4: Creating an execution control list for the su command in Linux ... 2-27
Lab 3-1: Using symmetric encryption algorithms ... 3-9
Lab 3-2: Installing GPG4win 1.1.3 on Windows Server 2003 ... 3-19
Lab 3-3: Generating a key pair using GPG4win ... 3-20
Lab 3-4: Exporting and signing public keys using GPG4win ... 3-23
Lab 3-5: Exchanging encrypted messages using GPG4win ... 3-26
Lab 3-6: Encrypting files with GPG4win ... 3-28
Lab 4-1: Using John the Ripper in Windows Server 2003 ... 4-5
Lab 4-2: Conducting a virus scan in Windows to help thwart attacks ... 4-16
Lab 4-3: Sending fake e-mail messages ... 4-19
Lab 4-4: Analyzing a SYN flood in a packet sniffer ... 4-27
Lab 4-5: Identifying network-based attacks ... 4-31
Lab 4-6: Using Nmap to scan a system in Windows Server 2003 ... 4-35
Lab 4-7: Conducting a man-in-the-middle attack ... 4-42
Lab 5-1: Installing a war-driving application and analyzing a site survey capture ... 5-19
Lab 5-2: Analyzing traffic captured from site survey software ... 5-22
Lab 6-1: Conducting a physical attack against a Windows 2003 server ... 6-10
Lab 8-1: Securing an Apache2 Web server ... 8-8
Lab 8-2: Securing the FTP service ... 8-10
Lab 9-1: Installing WinRoute Firewall in Windows Server 2003 ... 9-14
Lab 9-2: Configuring packet filtering rules ... 9-15
Lab 9-3: Configuring a proxy server in Windows Server 2003 ... 9-25
Lab 10-1: Creating an internal network with WinRoute Firewall (instructor-led) ... 10-12
Lab 10-2: Denying HTTP access (instructor-led) ... 10-14
Lab 10-3: Configuring an FTP packet-filtering rule for a specific host (instructor-led) ... 10-16
Lab 11-1: Setting a logon tripwire script in Windows Server 2003 ... 11-6
Lab 11-2: Using Tripwire for Linux ... 11-8
Lab 12-1: Subscribing to security mailing lists ... 12-7

List of Activities
Activity 2-1: Identifying security practices ... 2-34
Activity 3-1: Matching encryption elements ... 3-38
Activity 4-1: Identifying security attacks ... 4-52
Activity 5-1: Identifying wireless network security solutions ... 5-41
Activity 5-2: Identifying Web 2.0 technologies ... 5-42
Activity 6-1: Identifying business security terminology and practices ... 6-20
Activity 7-1: Reviewing the TCP handshake ... 7-28
Activity 8-1: Reviewing vulnerability scanners ... 8-26
Activity 9-1: Creating packet filter rules ... 9-42
Activity 10-1: Identifying common firewall devices ... 10-21
Activity 11-1: Defining hacker and hacker-detection terms ... 11-16


List of Optional Labs
Optional Lab 1-1: Viewing hacking and vulnerability statistics ... 1-20
Optional Lab 2-1: Creating an access control list for Apache Server ... 2-34
Optional Lab 3-1: Using MD5sum to create checksums in Ubuntu Linux ... 3-38
Optional Lab 3-2: Generating a key pair using GPG for Ubuntu Linux ... 3-40
Optional Lab 3-3: Exchanging and signing public keys in Linux ... 3-41
Optional Lab 3-4: Encrypting and decrypting files using GPG ... 3-43
Optional Lab 3-5: Creating a signature file ... 3-44
Optional Lab 3-6: Signing files with GPG ... 3-44
Optional Lab 3-7: Creating a key distribution center ... 3-45
Optional Lab 4-1: Analyzing a SYN flood using Linux and Windows Server 2003 ... 4-53
Optional Lab 4-2: Identifying and analyzing Land and Teardrop attacks ... 4-54
Optional Lab 4-3: Analyzing a Smurf attack ... 4-56
Optional Lab 4-4: Using Ettercap to conduct a man-in-the-middle attack in a switched network ... 4-58
Optional Lab 5-1: Analyzing captured wireless packets using Kismet (instructor-led) ... 5-42
Optional Lab 6-1: Increasing physical security using the Syskey utility ... 6-20
Optional Lab 8-1: Scanning systems in Ubuntu Linux ... 8-26
Optional Lab 9-1: Using the iptables command to create a personal firewall in Linux ... 9-42
Optional Lab 10-1: Filtering zone transfers (instructor-led) ... 10-21

List of Quizzes
Lesson 1 Quiz ... 1-21
Lesson 2 Quiz ... 2-39
Lesson 3 Quiz ... 3-46
Lesson 4 Quiz ... 4-61
Lesson 5 Quiz ... 5-46
Lesson 6 Quiz ... 6-22
Lesson 7 Quiz ... 7-30
Lesson 8 Quiz ... 8-28
Lesson 9 Quiz ... 9-46
Lesson 10 Quiz ... 10-22
Lesson 11 Quiz ... 11-17
Lesson 12 Quiz ... 12-15

List of Figures
Figure i-1: Classroom configuration ... xxii
Figure CS-1: Classroom configuration ... Classroom Setup Guide-8
Figure CS-2: MailEnable Administrator window ... Classroom Setup Guide-14
Figure CS-3: Mailbox Properties dialog box ... Classroom Setup Guide-15
Figure 1-1: NetBus client interface ... 1-5
Figure 1-2: Client connected to loopback address ... 1-5
Figure 1-3: Remote File Manager dialog box ... 1-6
Figure 2-1: Elements of effective security ... 2-3
Figure 2-2: Policy and technology ... 2-6
Figure 2-3: American Express ExpressPay Web site ... 2-14
Figure 2-4: Microsoft Fingerprint Reader Web page ... 2-16
Figure 2-5: Properties dialog box, General tab ... 2-21
Figure 2-6: Properties dialog box, Security tab ... 2-22
Figure 2-7: Permissions dialog box for Lessons folder ... 2-22
Figure 2-8: Lockup.html alert screen ... 2-24
Figure 2-9: Viewing Microsoft Management Console settings ... 2-26
Figure 3-1: Symmetric or single-key encryption ... 3-4
Figure 3-2: RSA Home Page ... 3-6
Figure 3-3: AxCrypt dialog box, Create passphrase ... 3-9
Figure 3-4: AxCrypt dialog box, Enter passphrase ... 3-10
Figure 3-5: Encrypting information into ciphertext, using public key ... 3-11
Figure 3-6: Asymmetric-key encryption ... 3-17
Figure 3-7: Asymmetric-key decryption ... 3-17


Figure 3-8: PGP Corporation Web site ... 3-18
Figure 3-9: Gpg4win Welcome screen ... 3-20
Figure 3-10: GNU Privacy Assistant, Keyring Editor window ... 3-21
Figure 3-11: New key pair ... 3-22
Figure 3-12: Key pair details ... 3-22
Figure 3-13: Export Public Keys To File dialog box ... 3-23
Figure 3-14: Public key in Notepad ... 3-24
Figure 3-15: GPA window, Viewing imported key ... 3-25
Figure 3-16: Encryption dialog box ... 3-26
Figure 3-17: Message window with encrypted text ... 3-27
Figure 3-18: Jetico Web site ... 3-29
Figure 3-19: Asymmetrically encrypted information passed through network ... 3-30
Figure 3-20: Viewing data recovery agent for Windows Server 2003 system ... 3-34
Figure 4-1: Using John the Ripper in brute-force mode ... 4-6
Figure 4-2: Selecting folder to be scanned ... 4-17
Figure 4-3: Smurf attack ... 4-25
Figure 4-4: Inspecting SYN flood packets using Wireshark ... 4-28
Figure 4-5: Add Counters dialog box ... 4-29
Figure 4-6: Viewing Performance snap-in during SYN flood ... 4-30
Figure 4-7: Using Nmap to scan Windows system ... 4-34
Figure 4-8: Examining spoofed packet, Internet Protocol ... 4-37
Figure 4-9: Ettercap capturing dictionary attack on switched network ... 4-39
Figure OL4-1: Viewing effects of Smurf attack on intermediary host ... 4-57
Figure 5-1: Ad-hoc vs. infrastructure mode ... 5-6
Figure 5-2: Configuration interface for common wireless AP ... 5-8
Figure 5-3: Creating MAC address filter ... 5-11
Figure 5-4: Kismet, showing SSIDs obtained from war driving ... 5-17
Figure 5-5: War driving using AirSnort ... 5-17
Figure 5-6: Network Stumbler ... 5-18
Figure 5-7: Network Stumbler window ... 5-19
Figure 5-8: Viewing Network Stumbler capture file ... 5-20
Figure 5-9: Network Stumbler showing traffic decrypted from channel ... 5-21
Figure 5-10: Viewing network clients attached to wireless APs in Network Stumbler ... 5-21
Figure 5-11: Using Wireshark to view WEP traffic captured and decrypted by Kismet ... 5-23
Figure 5-12: Google Maps home page ... 5-27
Figure 5-13: Wikipedia home page ... 5-28
Figure 5-14: RSS feed ... 5-29
Figure OL5-1: Kismet results ... 5-44
Figure 6-1: Booting from the NT Password And Registry Editor CD ... 6-11
Figure 6-2: Specifying the Windows partition ... 6-11
Figure 6-3: Registry files ... 6-12
Figure 6-4: Options for loaded hives ... 6-12
Figure 6-5: Editing a user account ... 6-14
Figure 6-6: Edit complete ... 6-14
Figure OL6-1: Running Syskey utility ... 6-21
Figure 7-1: OSI model layers ... 7-4
Figure 7-2: Headers added at each level of the OSI/RM ... 7-5
Figure 7-3: OSI model and TCP/IP stack ... 7-6
Figure 7-4: IPv4 header ... 7-8
Figure 7-5: Establishing TCP connection ... 7-11
Figure 7-6: Terminating TCP connection ... 7-12
Figure 7-7: XAMPP Control Panel Application ... 7-20
Figure 7-8: Using a browser FTP client ... 7-21
Figure 7-9: Connecting using an FTP client ... 7-22
Figure 7-10: TCP/IP Filtering dialog box ... 7-22
Figure OL7-1: Examining packet capture ... 7-29
Figure 8-1: XAMPP splash screen ... 8-9
Figure 8-2: XAMPP Control Panel Application showing running services ... 8-11
Figure 8-3: Users dialog box with new home directory ... 8-11
Figure 8-4: Viewing permissions for C:\webfiles directory ... 8-22
Figure 8-5: Viewing custom permissions for C:\webfiles directory ... 8-22


Figure 8-6: Viewing object permission entries for C:\webfiles directory ... 8-23
Figure OL8-1: Netcat scan of ports 20-80 ... 8-27
Figure 9-1: Implementing NAT in network ... 9-8
Figure 9-2: New Connection dialog box ... 9-15
Figure 9-3: WinRoute Firewall Configuration window ... 9-16
Figure 9-4: WinRoute Firewall Interfaces window ... 9-16
Figure 9-5: WinRoute Firewall Traffic Policy window ... 9-17
Figure 9-6: Editing new rule ... 9-17
Figure 9-7: New rule defined ... 9-18
Figure 9-8: Proxy server configuration ... 9-23
Figure 9-9: Proxy server settings ... 9-26
Figure 9-10: URL Rule dialog box ... 9-27
Figure 9-11: Access denied message ... 9-27
Figure 9-12: Add User dialog box ... 9-28
Figure 9-13: Login Page dialog box ... 9-29
Figure 9-14: Understanding VPN connection ... 9-31
Figure 10-1: Triple-homed bastion host ... 10-5
Figure 10-2: Screening router configuration ... 10-8
Figure 10-3: Single-homed bastion configuration ... 10-9
Figure 10-4: Dual-homed bastion configuration ... 10-10
Figure 10-5: Screened subnet firewall configuration ... 10-11
Figure 10-6: Network interfaces ... 10-12
Figure 10-7: Verifying NAT rule ... 10-13
Figure 10-8: Editing NAT rule ... 10-13
Figure 10-9: Interfaces on Trusted/Local network ... 10-14
Figure 10-10: New rule to block HTTP traffic from network host ... 10-15
Figure 10-11: Modified HTTP rule ... 10-15
Figure 10-12: Rule denying FTP and FTPS access to single host ... 10-16
Figure 11-1: Creating logon tripwire script with Notepad ... 11-7
Figure 11-2: Adding logon script to Administrator account ... 11-7
Figure 11-3: Alert message ... 11-8
Figure 12-1: CERT home page ... 12-7

List of Tables
Table 1-1: Effective security system attributes ... 1-8
Table 1-2: "Hot spot" resources and potential threats ... 1-10
Table 1-3: Security services ... 1-12
Table 2-1: Typical tri-level resource classification scheme ... 2-5
Table 2-2: Benefits of educating employees ... 2-8
Table 2-3: Functions of encryption ... 2-10
Table 2-4: Biometric authentication strategies ... 2-15
Table 2-5: Kerberos terms ... 2-18
Table 2-6: Universal permissions ... 2-20
Table 3-1: Security technology summary ... 3-31
Table 4-1: Network attack types ... 4-3
Table 4-2: Computer virus types ... 4-9
Table 4-3: Illicit servers ... 4-13
Table 4-4: Common flooding techniques ... 4-22
Table 4-5: Types of scanning attacks ... 4-32
Table 4-6: Common man-in-the-middle attacks ... 4-38
Table 5-1: Wireless Ethernet elements ... 5-3
Table 5-2: Authentication types in wireless networks ... 5-7
Table 5-3: Common wireless network security problems ... 5-10
Table 5-4: Issues to consider before site survey ... 5-15
Table 5-5: Site survey issues after wireless implementation ... 5-16
Table 6-1: Security management terminology ... 6-7
Table 7-1: OSI/RM layers ... 7-3
Table 7-2: ICMP message types ... 7-9
Table 7-3: Services and well-known ports ... 7-13
Table 8-1: Security implementation model ... 8-4


Table 8-2: Common physical vulnerabilities and solutions ... 8-15
Table 8-3: Physical access control techniques ... 8-16
Table 8-4: Network equipment shielding methods ... 8-17
Table 9-1: Telnet packet filter ... 9-11
Table 9-2: FTP packet filter ... 9-12
Table 9-3: Packet filter for internal passive FTP clients ... 9-13
Table 11-1: Tools for responding to attacks ... 11-10


Course Description

Web Security Associate teaches you how to secure your network from unauthorized activity. This course teaches you about security principles, such as establishing an effective security policy, and about the different types of hacker activities that you are most likely to encounter.

This course identifies security principles and techniques that enable you to stop a hacker by understanding how to implement access control lists, operating system hardening and firewall technology. It also teaches you how to personalize your network security system so you can create a solution that adheres to universal principles, but also conforms to your business needs in responding to specific hacker attacks.

You will learn about authentication procedures, encryption standards and implementations that help ensure proper user authentication. You will also learn about the specific ports and protocols that hackers manipulate, and about direct and indirect ways to protect your network operating systems. Finally, you will learn how to respond to and report hacker activity, engage in proactive detection, and always keep your company's needs in mind. Appendixes are included in the back of this coursebook to provide resources for you as you continue to learn about applying security measures to your network.

Guided, step-by-step labs provide opportunities to practice new skills. You can challenge yourself and review your skills after each lesson in the Lesson Summary and Lesson Review sections. Additional skill reinforcement is provided in Activities, Optional Labs, Lesson Quizzes and a Course Assessment that are available from your instructor.

This coursebook includes online materials containing the lab files used in class. To practice the skills presented in class or to perform any labs that were not completed, refer to the Classroom Setup section for information about system requirements and using the lab files.

Series

The CIW Web Security series consists of one CIW course and corresponding CIW certification exam, plus advanced CIW credentials that you can obtain by earning additional certifications from third-party security-training providers. There are three levels of CIW Web Security certifications:

• CIW Web Security Associate

• CIW Web Security Specialist

• CIW Web Security Professional

Prerequisites

There are no prerequisites for the Web Security Associate course. However, students should possess Internet and networking knowledge equivalent to what is presented in the CIW Web Foundations series courses. Web Security Associate builds upon this foundational knowledge to give students the skills and knowledge to manage and protect the security of online data, from a single computer to an entire corporate network.

Certification The Web Security Associate course prepares students to take the high-stakes CIW Web Security Associate certification exam. Those who pass the CIW Web Security Associate exam earn the CIW Web Security Associate certification, which is recognized throughout the industry as validating essential Internet skills for the workplace.


© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0

To earn the CIW Web Security Specialist certification, students must pass the CIW Web Security Associate certification exam, plus pass one additional exam from an approved vendor whose certification qualifies for the CIW Web Security program.

To earn the CIW Web Security Professional certification, students must pass the CIW Web Security Associate certification exam, plus pass two additional exams from approved vendors whose certifications qualify for the CIW Web Security program.

For information about taking the CIW Web Security Associate exam and other CIW exams, visit www.CIWcertified.com.

Target audience The CIW Web Security Associate course is for individuals who want to know how to secure networks from unauthorized activities. Individuals with these security skills can pursue or advance careers in many aspects of online and network security:

• Network server administrators

• Firewall administrators

• Systems administrators

• Application developers

• IT security officers

Courseware This coursebook was developed for instructor-led training and will assist you during class. Along with comprehensive instructional text and objectives checklists, this coursebook provides easy-to-follow hands-on labs and a glossary of course-specific terms. It also provides Internet addresses needed to complete some labs, although due to the constantly changing nature of the Internet, some addresses may no longer be valid. The student coursebook is organized in the following manner:


[Figure: organization of the student coursebook, showing its elements: course title; table of contents; list of labs; list of figures; list of tables; appendixes; lessons, each with lesson objectives, pre-assessment questions, narrative text, case study, exam objective callouts, warnings, tech notes, graphics, tables and figures, supplemental movie clips, labs, lesson summary and lesson review; glossary; index; supplemental CD.]

When you return to your home or office, you will find this coursebook to be a valuable resource for reviewing labs and applying the skills you have learned. Each lesson concludes with questions that review the material. Lesson review questions are provided as a study resource only and in no way guarantee a passing score on the CIW Web Security Associate certification exam.

Coursebook versions The CIW Web Security courseware is designed for various classroom environments: academic, learning center and corporate. These coursebooks are available in both instructor and student versions. Student versions are available for both the academic environment and the learning center/corporate environment. Check your book to verify which version you have.

• Instructor (Academic, Learning Center and Corporate) — Example syllabi for 10-week, 16-week and 32-week instruction periods are included with the instructor supplemental files available on CIW Online. Learning centers can teach this series at an accelerated pace; consult the implementation tables that can be found on CIW Online. The supplemental online files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. The instructor version of this book includes Instructor Notes in the margin, which provide additional tips and commentary for the instructor to supplement course narrative. Margin callouts also direct instructors to material that relates directly to specified CIW Web Security objectives. The instructor book and supplemental online files contain all answers to Activities (pen-and-paper-based), Optional Labs (computer-based), Lesson Quizzes and the Course Assessment. The supplemental online files also include handout versions of all Activities, Optional Labs, Lesson Quizzes and the Course Assessment, which the instructor can print and assign during class or as


homework. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

• Student (Academic) — The student book and supplemental online files include Pre-Assessment and Lesson Review questions for each lesson. However, the student book does not provide answers to these questions. It also does not include any Activities, Optional Labs, Quizzes or the Course Assessment. Students can obtain these elements and answers only from the instructor. The student supplemental materials include appendixes and files used to perform many of the labs in the coursebook. The supplemental files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

• Student (Learning Center/Corporate) — Designed for the learning center/corporate environment, this student book includes Pre-Assessment and Lesson Review questions. The student supplemental online materials include appendixes; files used to perform many of the labs in the coursebook; and answers to the Pre-Assessment Questions, Lesson Review Questions, Course Assessment, Activities, Optional Labs and Lesson Quizzes. The supplemental files also include an appendix listing the CIW Web Security Associate certification exam objectives and locations of corresponding material in the coursebook. Lesson Quizzes and Course Assessments are provided as study and course-grading resources only; success on these materials in no way guarantees a passing score on the CIW Web Security Associate certification exam.

Online resources You can visit CIW Online at http://education.certification-partners.com/ciw/ to access supplemental course materials and to get help in preparing for the CIW Web Foundations Associate certification exam. CIW Online provides a variety of online tools you can use to supplement the Official CIW Courseware.

CIW Courseware Supplemental Files This coursebook includes supplemental material that can be accessed from CIW Online. Online materials are provided for both instructors and students, and include some elements required to complete the coursework and other optional elements that are provided for your interest or further study. Student materials include lab files used to complete the course labs, answers to student exercises and quizzes, and appendixes with related information (including the CIW Web Security Associate Objectives And Locations Appendix). Instructor materials include course syllabi and implementation tables, answers to student exercises and quizzes, and appendixes with related information (including the CIW Web Security Associate Objectives And Locations Appendix). See the CIW Supplemental Files section under Classroom Setup for information about accessing these files.

CIW Certification Practice Exams After you have mastered the Web Foundations course material, you are ready to prepare for the high-stakes CIW Web Foundations Associate certification exam. The online CIW Certification Practice Exams program helps you build confidence with your knowledge of the CIW exam objectives. This program provides you with:

• Timed practice exams that simulate the high-stakes testing environment and help predict actual performance on CIW certification exams.

• A feedback review mode that allows you to check answers while taking the practice exam and gain valuable feedback that relates each question to a CIW exam objective and a lesson in the Official CIW Courseware.


• Exam results that report on your mastery of each CIW exam objective.

• Personalized performance reports and study plans to track individual progress and view overall class trends.

Course Objectives After completing this class, you will be able to:

Define the significance of network security, and identify various elements of an effective security policy, including risk factors, security-related organizations, key resources to secure, general security threat types and access control.

Define encryption and the encryption methods used in internetworking.

Use universal guidelines and principles of effective network security to create effective specific solutions.

Apply security principles, and identify security attacks.

Identify firewall types, and define common firewall terminology.

Plan and deploy a firewall system that incorporates multiple levels of protection, including firewall system design, proactive detection, setting traps, security breach response, security alerting organizations.

Classroom Setup Your instructor has probably set up the classroom computers based on the system requirements listed below. Most software configurations on your computer are identical to those on your instructor's computer. However, your instructor may use additional software to demonstrate network interaction or related technologies.

Security disclaimer The code, examples and techniques found in this course are provided for the purposes of teaching about security concepts. Never, under any circumstances, use any of the software or techniques discussed in this course against any local or remote system that is not your own. Certification Partners, LLC, and its partners are not responsible or liable for illegal or unethical use of software or techniques discussed or used in this course.

System Requirements This section lists the hardware, software, and connectivity requirements to implement this course.

Hardware The following table summarizes the hardware requirements for all courses in the CIW program. Each classroom should be equipped with one instructor station and x number of student stations (i.e., in a classroom with 13 personal computers, set one up as the instructor station and the remaining 12 as student stations).

The CIW hardware requirements are similar to the minimum system requirements for Microsoft Windows Server 2003 Service Pack 2 Standard Edition implementation except that CIW requires increased hard disk space (20 GB).


CIW hardware specifications (greater than or equal to the following):

Processor: 133-MHz processor required; 550-MHz or faster processor recommended; support for up to four processors on one server

L2 cache: At least 256 KB

Hard disk: At least 20 GB

RAM: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum

CD-ROM: At least 32X

Network Interface Card (NIC): 10BaseT or 100BaseTX (10 or 100 Mbps)

Sound card/speakers: Required for instructor's station, optional for student stations

Video adapter: At least 4 MB

Monitor: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended

Network hubs: Enough 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs to allow classroom computers to communicate

Router: Multi-homed system with three NICs*

* Must meet universal CIW hardware requirements.

Software The recommended software configurations for computers used to complete the labs in this book are as follows.

To be installed before class:

• Microsoft Windows Server 2003 Service Pack 2, including:

• Microsoft Internet Explorer 7 or later.

• Microsoft Outlook Express 6 or later.

• Full installation of Ubuntu Linux 8.0, available at www.ubuntu.com. See Linux installation instructions for component detail. For multi-boot systems, you will need to repartition the disk. Ubuntu requires its own hard disk partitions. It cannot be installed on Windows or MacOS partitions. At the very least, you will need a dedicated partition for the Ubuntu root.

• MailEnable e-mail server, available at www.mailenable.com. You can use any e-mail server you prefer, as long as you know how to configure it so that students can send e-mail, and as long as you can configure the e-mail server to allow relaying to explain how fake e-mail works.

• Mozilla Firefox 3.0 or later, available at www.mozilla.com. If you prefer, you can use only Microsoft Internet Explorer (with Outlook Express).

• XAMPP 1.6.6a, available at www.apachefriends.org/en/xampp.html.

• FileZilla 3.0.11, available at http://filezilla-project.org/.

You will need to obtain the following third-party Linux software (all files are available with the supplemental materials):

• targa2.c, available at http://packetstorm.linuxsecurity.com.

• papasmurf-linux.c, available at http://packetstorm.linuxsecurity.com.

• Tripwire 2.x, available at www.tripwire.org/.


To be installed by students during course labs (all files are available with the supplemental materials):

• NetBus 1.7, available at http://packetstormsecurity.org/.

• AxCrypt 1.6.4.4, available at www.axantum.com/AxCrypt/.

• GPG4win 1.1.3, available at www.gpg4win.org.

• John the Ripper 1.7.0.1, available at www.openwall.com/john/ or http://packetstorm.linuxsecurity.com.

• Wireshark 1.0.0, available at www.wireshark.org/.

• WinPcap 4.0.2, available at www.winpcap.org.

• Nmap 4.76, available at www.insecure.org.

• Ettercap NG 0.7.3, available at http://ettercap.sourceforge.net.

• NetStumbler 0.4.0, available at www.netstumbler.com.

• Windows NT Password And Registry Editor (also known as a Linux boot disk), available at http://home.eunet.no/~pnordahl/ntpasswd/.

• Kerio WinRoute Firewall 6.5.1, available at www.kerio.com.

Software necessary for the course but not included with the supplemental materials The following software is necessary for the course, but is not included with the supplemental materials:

• Spastic.exe (http://packetstorm.linuxsecurity.com or any other Packet Storm mirror) — Do not scan this file with an anti-virus program, as it contains a harmless trojan. Do not install this file on a workstation or server that you regularly use. This file is meant to be used in the classroom only. Do not allow students to conduct SYN floods against systems you do not own, or otherwise use this program illicitly. Students will use this in the local classroom for a lab in which they will discover that this file contains malware (some anti-virus applications call it a trojan), and students will then delete it from their systems.

Obtain the above software and place it on a CD before the course begins, especially if your classroom does not have Internet access.

Connectivity Due to the sensitive nature of some of the programs used, this course takes place in a special network classroom, closed off from the rest of the company network and from the Internet. The classroom is configured by the instructor. The instructor's computer must be able to communicate with all student computers, acting as a router. TCP/IP is the network protocol used in the course.

LAN requirements The course is designed for use with at least three physical networks, connected by an IP router (which can be a multi-homed computer). Network A (192.168.3.0) students will use odd-numbered IP addresses. Network B (192.168.4.0) students will use even-numbered IP addresses. The instructor will use a third network with the network address 192.168.2.0. The subnet mask is 255.255.255.0. Classroom configuration is illustrated in Figure i-1.
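The three-subnet addressing plan described above, worked through as an added example (this is not code from the coursebook): a small Python helper that allocates student addresses following the odd/even rule for Network A (192.168.3.0) and Network B (192.168.4.0), places the instructor network at 192.168.2.0 with the 255.255.255.0 mask, and checks a proposed address table for rule violations and duplicates. The function names and the assumptions that the multi-homed router takes host .1 on each subnet and that student addresses are handed out in ascending order are mine, not the guide's.

```python
"""Classroom addressing plan for the three-subnet lab network (added example).

Assumptions not taken from the coursebook: the router's NIC on each subnet
uses host .1, and student stations receive addresses in ascending order.
"""
import ipaddress

NETWORK_A = ipaddress.ip_network("192.168.3.0/24")      # students, odd host numbers
NETWORK_B = ipaddress.ip_network("192.168.4.0/24")      # students, even host numbers
INSTRUCTOR_NET = ipaddress.ip_network("192.168.2.0/24")  # instructor's own subnet
NETMASK = ipaddress.ip_address("255.255.255.0")


def netmask_consistent():
    """All three subnets must use the 255.255.255.0 mask stated in the guide."""
    return all(net.netmask == NETMASK for net in (NETWORK_A, NETWORK_B, INSTRUCTOR_NET))


def router_addresses():
    """Router (multi-homed system with three NICs) takes host .1 on each subnet (assumption)."""
    return {net: net.network_address + 1 for net in (NETWORK_A, NETWORK_B, INSTRUCTOR_NET)}


def student_addresses(count, network):
    """Allocate `count` student addresses on a student subnet.

    Network A gets odd host numbers (3, 5, 7, ...) and Network B gets even
    host numbers (2, 4, 6, ...). Host .1 is reserved for the router's NIC and
    host .255 is the broadcast address, so neither is ever handed out.
    """
    if network == NETWORK_A:
        host = 3  # first odd host after the router at .1
    elif network == NETWORK_B:
        host = 2
    else:
        raise ValueError("not a student subnet")
    addresses = []
    while len(addresses) < count:
        if host >= 255:
            raise ValueError("subnet exhausted")
        addresses.append(network.network_address + host)
        host += 2
    return addresses


def classify(addr):
    """Return (network label, obeys-plan flag) for one address.

    The label is "A", "B", "instructor", or None when the address lies outside
    every classroom subnet; the flag says whether the host number matches the
    odd/even rule for that network.
    """
    ip = ipaddress.ip_address(addr)
    last_octet = int(ip) & 0xFF
    if ip in NETWORK_A:
        return "A", last_octet % 2 == 1
    if ip in NETWORK_B:
        return "B", last_octet % 2 == 0
    if ip in INSTRUCTOR_NET:
        return "instructor", True
    return None, False


def validate_plan(assignments):
    """Check a hostname -> address table; returns a list of problems (empty = consistent)."""
    problems = []
    seen = {}
    for host, addr in assignments.items():
        net, ok = classify(addr)
        if net is None:
            problems.append(f"{host}: {addr} is outside all classroom subnets")
        elif not ok:
            problems.append(f"{host}: {addr} violates the odd/even rule for network {net}")
        if addr in seen:
            problems.append(f"{host}: {addr} duplicates {seen[addr]}")
        seen.setdefault(addr, host)
    return problems


if __name__ == "__main__":
    # Constructed sample: three stations on Network A, two on Network B, plus one mistake.
    plan = {f"stationA{i}": str(a) for i, a in enumerate(student_addresses(3, NETWORK_A), 1)}
    plan.update({f"stationB{i}": str(a) for i, a in enumerate(student_addresses(2, NETWORK_B), 1)})
    plan["misconfigured"] = "192.168.3.4"  # even host on the odd-numbered network
    for problem in validate_plan(plan):
        print(problem)
```

Running the block prints one line for the deliberately misconfigured station; an instructor can paste the real classroom table into `validate_plan` to catch addressing mistakes before the routing labs start.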


Figure i-1: Classroom configuration

The instructor's computer must be able to communicate with all the others through a router. The instructor can use a multi-homed Windows Server 2003 server computer as the router. If the instructor does not have a Windows system acting as a router, he or she can use whatever router is available.

Again, due to the sensitive nature of the information presented in this course, Internet connectivity is not recommended. TCP/IP is the only network protocol used in this course. The instructor will find specific instructions on how to configure the three subnets in the Classroom Setup Guide.

CIW supplemental files Each coursebook includes supplemental materials that are referenced and used throughout the course. These supplemental materials are provided online at http://education.certification-partners.com/ciw/.

You will need to create a directory for all supplemental materials for the course. The default location is C:\CIW\[Course_Title]. To view or download the materials, go to CIW Online, click the link for each file and save to this directory. You can then create a shortcut to this directory on your Desktop. As you conduct the course labs, you can use this shortcut to quickly access your lab files.


Conventions and Graphics Used in This Book The following conventions are used in these coursebooks.

Terms Technology terms defined in the margins are indicated in bold the first time they appear in the text. However, not every word in bold is a term requiring definition.

Lab Text Text that you enter during a lab appears in italic bold type. Names of components that you access or change in a lab appear in bold type.

Notations Notations or comments regarding screenshots, labs or other text are indicated in italic type.

Program Code or Commands

Text used in program code or operating system commands appears in the Lucida Sans Typewriter font.

The following graphics are used in these coursebooks.

Tech Notes point out exceptions or special circumstances that you may find when working with a particular procedure. Tech Notes that occur within a lab are displayed without the graphic.

Tech Tips offer special-interest information about the current subject.

Warnings alert you about cautions to observe or actions to avoid.

This graphic signals the start of a lab or other hands-on activity.

Each lesson summary includes an Application Project. This project is designed to provoke interest and apply the skills taught in the lesson to your daily activities.

Each lesson concludes with a summary of the skills and objectives taught in that lesson. You can use the Skills Review checklist to evaluate what you have learned.

This graphic indicates a line of code that is completed on the following line.


Classroom Setup Guide The Classroom Setup Guide is divided into three sections:

1. Before You Begin — This section includes courseware update links for instructors, a revision history outlining the revisions made to a coursebook since the last version, an explanation of the requirements for preparing a classroom behind a proxy server, and additional notes that you should consider before you set up the classroom.

2. Classroom Requirements — This section lists the hardware, software and connectivity requirements to implement this course.

3. Setup Instructions — This section includes the configuration requirements for both instructor and student systems and a detailed list of required software installation procedures.

Before You Begin This section includes courseware update links for instructors, a revision history outlining the revisions made to a coursebook since the last version, an explanation of the requirements for preparing a classroom behind a proxy server, and additional notes that you should consider before you set up the classroom.

Courseware updates Instructors must download the latest courseware updates from the Instructor Community on the CIW Web site (www.ciwcertified.com) before teaching the course. CIW courseware is updated continually, and the courseware updates provide the most current changes, revisions and notes for all CIW courseware.

Courseware updates include feedback from ATPs, clients and instructors who implement the CIW program. Feedback is reviewed and updates are posted in dynamic documents for both students and instructors. Each updates document correlates with the identical version of the coursebook (e.g., v1.0 Update is designed to be used only with v1.0 of the coursebook). Updates are available for both the current version and some previous versions of the coursebooks. CIW does not provide support for coursebooks and instructor materials that are three or more versions removed from the current versions.

Revision history

Released October 2010 (Web Security Associate version 1.0) This release reflects a name change to the coursebook. The main differences between this Web Security Associate v1.0 course and the previous version, Network Security and Firewalls v7.0 (released January 2009) are as follows:

• Coursebook title was changed from Network Security and Firewalls to Web Security Associate to mirror the Web Security Associate exam name.

• Incorporated minor changes to the text and some labs, including corrections of typographical and content errors.

• Discontinued the supplemental CD-ROM and removed the handouts from the coursebook, and made these files available on CIW Online.


Released January 2009 (version 7.0) This release is considered a major course update. The main differences between this Network Security and Firewalls v7.0 and the previous version (v6.1 released October 2002) are as follows:

• Added objective callouts and case studies to each lesson.

• Updated course labs to use Windows Server 2003 R2, Ubuntu Linux (desktop edition) and open-source network monitoring, detection and hacking tools.

• Added content on wireless vulnerabilities and wireless security (802.11n, EAP, WPA2).

• Added content on connection hijacking and convergence security, including expanded discussion of TCP handshake and handshake exploitation.

• Added content on greynet applications (IM, VoIP, P2P) and the associated vulnerabilities.

• Added content on Web-borne threats (exploitation of Web 2.0 vulnerabilities, Ajax, bots and botnets).

• Expanded content on end-user education (particularly in the area of Web surfing, anonymous downloads and link-clicking).

• Expanded content on endpoint security to include protection of data that is not on the wire, establishing data classification, and identifying the vulnerabilities introduced by removable media such as USB drives, iPods, smart phones etc.

• Moved content on social engineering from the CIW Security Auditing, Attacks, and Threat Analysis course to this course, and expanded content to include phishing and pharming.

• Expanded content on access control

• Expanded content on security legislation (including Sarbanes-Oxley [SOX], HIPAA, FISMA Security standards and legislation and ISO 17799).

• Added correlations to real-world situations to illustrate business value of good security measures.

• Updated URL references.

• Updated screen shot references.

Released October 2002 (version 6.1) This release was considered a course enhancement. The main differences between Network Security and Firewalls v6.1 and the previous version (v6.07 released March 2002) were as follows:

• Applied new publishing template to course for more professional look and feel.

• Corrected errata (errors in writing or printing, including but not limited to spelling, style and code errors).

• Included additional Instructor margin notes.

• Updated labs for easier implementation in the classroom.

• Suggested updated Labfile Instructor Share (folders/subfolders) locations.

• Updated URL references.

• Updated screen shot references.

• Updated Windows 2000 software installation to include currently available service packs.

• Updated Linux software installation to version 7.3.

• Updated PGP software in labs.


• Updated Winfingerprint software in labs.

• Updated WinRoute Pro software in labs.

Released March 2002 (version 6.07) This release was considered a course enhancement. The main differences between this Network Security and Firewalls v6.07 and the previous version (v5.07 released August 1, 2001) were as follows:

• Introduction of separate instructor and student guides

• Pre-assessment questions

• Instructor margin notes

• Enhanced Lesson Summary

• Instructor Section containing Activities, Optional Labs and Quizzes

• Syllabi (for Academic instructors) and Implementation Tables (for Learning Center instructors)

Released August 2001 (version 5.07) This release was considered a course update. The main differences between this Network Security and Firewalls v5.07 and the previous version (v4.27 released December 1, 2000) were as follows:

• All narrative was updated to discuss Windows 2000 and Red Hat Professional Server 7.x

• All exercises were updated to discuss Windows 2000 and Red Hat Professional Server 7.x

• Exercises were removed to account for changes in the Windows 2000 and Linux operating systems

Preparing the classroom behind a proxy server If Internet access is required (or preferred) for a class and the classroom is behind a proxy server, you may have problems downloading programs during classroom setup and completing certain exercises during class. Most proxy servers already allow HTTP traffic. Difficulties may arise when you require additional services, such as e-mail, FTP and program downloads.

1. Talk with the network administrator at the location and make sure that:

a. The classroom has proper access to all Internet-related protocols used in the class. Examples include HTTP (TCP/UDP Port 80), SSL (TCP/UDP Port 443), FTP (TCP/UDP Ports 20, 21), Telnet (TCP/UDP Port 23), POP3 (TCP/UDP Port 110) and SMTP (TCP/UDP Port 25). For certain services, such as FTP, you will need all ports above 1023 (registered ports).

b. The IP addresses assigned to the computers in your classroom have permission to access the Internet.

2. Download all the required software (with proper licensing) for the course before you arrive at the site, and place the source files on the instructor's computer. Students can then access all source files from shares that you create. Perhaps an instructor can create a CD with the required software source files. This will not solve the issues addressed in suggestion one, but will solve any problems concerning downloads.

3. Take steps to isolate the classroom network. You do not want to allow students to use the software and the techniques discussed in this book in improper ways. The most common way to isolate the classroom network is to simply unplug the cable that connects the classroom to the switch or router.


Course preparation It is vital that you take the following measures:

• Be or become a certified CIW Web Security Associate, and have a solid understanding of this course before you teach it.

• Sit through a CIW Faculty Institute or otherwise engage in specific training from CIW before you teach this course or series.

• Read this guide and coursebook carefully several days before you teach this course. This series is intended to introduce experienced administrators to complex software. You must know how to use it in order for the course to succeed.

Suggestions Arrive to the course with all of the software. Do not take for granted that the training facility or college department has all of the software.

Again, download all the required software (with proper licensing) for the course before you teach it, and place the source files on the instructor's computer. Students can then access all source files from shares that you create. Perhaps an instructor can create a CD-ROM with the required software source files. This approach will solve any problems regarding downloads.

Because of the firewall labs in Lesson 10, this course requires a subnetted classroom.

• Linux and Windows Server 2003 systems should use a dual-boot configuration.

• You may also want to have your students reset the default startup delay in Windows Server 2003 to 3 seconds. This startup delay will help you save time.

• Share resources (such as scanners and various tools) on the network only as you are ready to pursue a particular lab. This approach will allow you to control the classroom environment. Otherwise, students may begin to play with tools and conduct labs out of order, thereby deriving less benefit from class time than they should.

• The Linux labs assume the use of gedit, a standard text editor packaged with Ubuntu Linux. Students are free to use any text editor they want. However, gedit is a near-universal text editor for all UNIX systems.

• This course contains optional labs. You can safely omit these labs without affecting the integrity of later labs or affecting the students' chances of passing any CIW exams.

Any file pulled from a CD-ROM is likely to have the read-only attribute set when placed on Windows systems. This feature can create problems with some applications. Remove the attribute if you notice a problem.

Security disclaimer In light of recently proposed legislation in the United States and other countries, we now provide an optional security disclaimer form for our CIW CIs and CIW ATPs. It can be signed by CIW Web Security Associate students before they begin the CIW Web Security Associate course. The intent of this form is to protect CIW ATPs from being accused of teaching students how to hack Web sites and networks rather than teaching the methods that hackers use. We suggest that this disclaimer be printed and handed out by the instructor to every student at the beginning of the first class. The signed forms should then be collected and filed by the CIW ATP. The optional disclaimer is included on the following page for you to print.


© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0

Disclaimer: CIW Web Security Series

The following applies to all students who participate in the CIW Web Security series courseware. The series consists of the Web Security Associate course.

Before you take this course, please read and sign the following agreement:

In light of recently proposed legislation in the United States and other countries, I understand and acknowledge that malicious computing practices, commonly known as "hacking," are illegal and may even be identified as terrorist activities. Hacking activities can include, but are not limited to, scanning systems for vulnerabilities; conducting denial-of-service attacks; and penetrating systems with the intent to view, delete or deposit files. They can also include defeating any authentication practice. I understand that in many countries and states, existing laws prohibit such activities, and that I may be liable to criminal or civil prosecution if I engage in such acts.

I understand and acknowledge that the CIW Web Security courseware is written to teach IT professionals to protect their Internet servers from malicious computing practices. I understand that its goal is not to teach me or any one else how to engage in illegal behavior (e.g., "hacking," as defined above). I acknowledge that I am not taking this course for any improper or illegal purpose. Furthermore, I understand that the CIW Web Security courseware does not explicitly or implicitly encourage me to use any tools, skills or knowledge I may obtain to conduct activities that are considered unethical and/or illegal.

I PROMISE THAT I WILL NOT USE ANY SKILLS AND KNOWLEDGE LEARNED IN THIS COURSE FOR ILLEGAL HACKING PURPOSES, EITHER DURING THE COURSE OR AFTERWARDS. I FURTHERMORE ACKNOWLEDGE THAT CERTIFICATION PARTNERS, LLC, ACTIVELY DISCOURAGES ANY MALICIOUS, UNETHICAL OR ILLEGAL USE OF SUCH KNOWLEDGE, AND THAT CERTIFICATION PARTNERS, LLC, AND ITS ASSOCIATED TRAINING CENTERS ARE RELEASED OF ANY AND ALL LIABILITY CONCERNING MY ACTIVITIES IN THIS REGARD, SHOULD I BE ACCUSED OF SUCH BEHAVIOR.

I release Certification Partners, LLC, and its partners from any liability concerning any applications that may be distributed to me before, during and after this course.

By my signature below, I hereby agree to the definitions, terms and limitations in this document.

___________________________________________________ Student Signature

_______/_______/_______ Date

Note: This disclaimer is provided as an optional tool as a safeguard to protect learning centers from liability. All training locations are responsible for collecting and storing this student disclaimer.


Classroom Requirements This section lists the hardware, software, and connectivity requirements to implement this course.

Hardware requirements The following table summarizes the hardware requirements for all courses in the CIW program. Each classroom should be equipped with one instructor station and some number of student stations (e.g., in a classroom with 13 personal computers, set one up as the instructor station and the remaining 12 as student stations).

The CIW hardware requirements are similar to the minimum system requirements for Microsoft Windows Server 2003 Service Pack 2 Standard Edition implementation except that CIW requires increased hard disk space (20 GB).

CIW hardware specifications (greater than or equal to the following):

Processor: 133-MHz processor required; 550-MHz or faster processor recommended; support for up to four processors on one server
L2 cache: At least 256 KB
Hard disk: At least 20 GB
RAM: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
CD-ROM: At least 32X
Network Interface Card (NIC): 10BaseT or 100BaseTX (10 or 100 Mbps)
Sound card/speakers: Required for the instructor's station, optional for student stations
Video adapter: At least 4 MB
Monitor: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended
Network hubs: Enough 10-port 10BaseT or 100BaseTX (10 or 100 Mbps) hubs to allow classroom computers to communicate
Router: Multi-homed system with three NICs*

* Must meet universal CIW hardware requirements.

Software requirements The instructor's system and the student systems require the following software to complete the labs in this book.

Not all the software is required to be installed before class. For more information, download the CIW software list in the Tools section of the Instructor community on the CIW Web site (www.CIWcertified.com).

To be installed before class:

• Microsoft Windows Server 2003 Service Pack 2, including:

• Microsoft Internet Explorer 7 or later.

• Microsoft Outlook Express 6 or later.


• Full installation of Ubuntu Linux 8.0, available at www.ubuntu.com. See Linux installation instructions for component detail. For multi-boot systems, you will need to repartition the disk. Ubuntu requires its own hard disk partitions. It cannot be installed on Windows or MacOS partitions. At the very least, you will need a dedicated partition for the Ubuntu root.

• MailEnable e-mail server, available at www.mailenable.com. You can use any e-mail server you prefer, as long as you know how to configure it so that students can send e-mail, and as long as you can configure it to allow relaying, which is needed to demonstrate how forged e-mail works.

• Mozilla Firefox 3.0 or later, available at www.mozilla.com. If you prefer, you can use only Microsoft Internet Explorer (with Outlook Express).

• XAMPP 1.6.6a, available at www.apachefriends.org/en/xampp.html.

• FileZilla 3.0.11, available at http://filezilla-project.org/.

You will need to obtain the following third-party Linux software (all files are included with the supplemental materials):

• targa2.c, available at http://packetstorm.linuxsecurity.com.

• papasmurf-linux.c, available at http://packetstorm.linuxsecurity.com.

• Tripwire 2.x, available at www.tripwire.org/.

To be installed by students during course labs (all files are included with the supplemental materials):

• NetBus 1.7, available at http://packetstormsecurity.org/.

• AxCrypt 1.6.4.4, available at www.axantum.com/AxCrypt/.

• GPG4win 1.1.3, available at www.gpg4win.org.

• John the Ripper 1.7.0.1, available at www.openwall.com/john/ or http://packetstorm.linuxsecurity.com.

• Wireshark 1.0.0, available at www.wireshark.org/.

• WinPcap 4.0.2, available at www.winpcap.org.

• Nmap 4.76, available at www.insecure.org.

• Ettercap NG 0.7.3, available at http://ettercap.sourceforge.net.

• NetStumbler 0.4.0, available at www.netstumbler.com.

• Windows NT Password And Registry Editor (distributed as a Linux boot disk), available at http://home.eunet.no/~pnordahl/ntpasswd/.

• Kerio WinRoute Firewall 6.5.1, available at www.kerio.com.

Software necessary for the course but not included with the supplemental materials The following software is necessary for the course, but is not included with the supplemental materials:

• Spastic.exe (http://packetstorm.linuxsecurity.com or any other Packet Storm mirror) — Do not scan this file with an anti-virus program, as it contains a harmless trojan. Do not install this file on a workstation or server that you regularly use. This file is meant to be used in the classroom only. Do not allow students to conduct SYN floods against systems you do not own, or otherwise use this program illicitly. Students will use this in the local classroom for a lab in which they will discover that this file contains malware (some anti-virus applications call it a trojan), and students will then delete it from their systems.

Obtain the above software and place it on a CD before the course begins, especially if your classroom does not have Internet access.


Network requirements Internet connectivity is not recommended for this course. This restriction ensures that students do not use the classroom to conduct experiments on remote systems. As a result, the instructor must obtain all software and software licenses before class begins.

The course is designed for use with at least three physical networks, connected by an IP router (which can be a multi-homed computer). Students on Network A (192.168.3.0) will use odd-numbered IP addresses; students on Network B (192.168.4.0) will use even-numbered IP addresses. The instructor will use a third network with the network address 192.168.2.0. The subnet mask on all three networks is 255.255.255.0. Classroom configuration is illustrated in Figure CS-1.

Figure CS-1: Classroom configuration

The instructor's computer must be able to communicate with all the others through a router. The instructor can use a multi-homed Windows Server 2003 server computer as the router. If the instructor does not have a Windows system acting as a router, he or she can use whatever router is available.

Again, due to the sensitive nature of the information presented in this course, Internet connectivity is not recommended. TCP/IP is the only network protocol used in this course. The instructor will find specific instructions on how to configure the three subnets in this Classroom Setup Guide.

Creating a DNS structure In order for the Linux systems to communicate with each other efficiently, you must create a DNS structure for the entire classroom. Use a separate Linux or Windows Server 2003 system as the master DNS server. The DNS structure can be classroomx.com, where the x represents a number that makes the DNS name unique. Make both the Windows Server 2003 and Linux systems clients to this server.

You must create both primary forward and reverse zones that contain records for all systems used in the network.

As an instructor, you may need to contact the training center or college IT department to ensure that this is properly established. If it has not been, you will need to create it yourself. Otherwise, many labs in this course will not work properly.

Consider establishing a DNS server on the instructor system. If you want to do this, remember that you will regularly reboot your system from Windows Server 2003 to Linux and back again. Therefore, you will need to configure DNS on both Windows Server 2003 and Linux.
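The subnet plan from Network requirements and the forward and reverse zones called for above, worked through as an added Python example (not part of the CIW guide): it assigns addresses under the odd/even rule, checks whether a given address obeys the plan, and renders BIND-style primary forward and reverse zone files for a classroomx.com zone. The instructor address 192.168.2.1, the rule that studentN takes host number N, and the zone name classroom1.com are assumptions, not values from the guide.

```python
import ipaddress

# Classroom plan from the guide: three /24 networks joined by an IP router.
NETMASK = "255.255.255.0"
NETWORK_A = ipaddress.ip_network(f"192.168.3.0/{NETMASK}")   # students, odd host numbers
NETWORK_B = ipaddress.ip_network(f"192.168.4.0/{NETMASK}")   # students, even host numbers
INSTRUCTOR_NET = ipaddress.ip_network(f"192.168.2.0/{NETMASK}")
# Assumed here, not stated in the guide: the instructor is host .1, and
# studentN takes host number N on whichever student network matches N's parity.
INSTRUCTOR_IP = ipaddress.ip_address("192.168.2.1")


def student_address(n):
    """Return the address for studentN: odd N on Network A, even N on Network B."""
    if not 1 <= n <= 254:
        raise ValueError("student number must be a usable /24 host number (1-254)")
    network = NETWORK_A if n % 2 else NETWORK_B
    return network.network_address + n


def classify_address(ip):
    """Return 'instructor', 'A' or 'B' if ip obeys the classroom plan, else None.

    None covers addresses outside the three classroom networks, the network
    and broadcast addresses, and student hosts with the wrong parity.
    """
    addr = ipaddress.ip_address(ip)
    for label, net, parity in (("instructor", INSTRUCTOR_NET, None),
                               ("A", NETWORK_A, 1), ("B", NETWORK_B, 0)):
        if addr in net:
            host = int(addr) - int(net.network_address)
            if host in (0, 255):
                return None                      # network or broadcast address
            if parity is not None and host % 2 != parity:
                return None                      # wrong parity for this network
            return label
    return None


def classroom_plan(num_students, zone="classroom1.com"):
    """Map fully qualified host names to addresses for the whole classroom."""
    plan = {f"instructor.{zone}": INSTRUCTOR_IP}
    for n in range(1, num_students + 1):
        plan[f"student{n}.{zone}"] = student_address(n)
    return plan


def _zone_header(origin, zone, dns_host):
    # Minimal SOA/NS preamble; the DNS server is assumed to be the instructor host.
    return [
        f"$ORIGIN {origin}.",
        "$TTL 3600",
        f"@ IN SOA {dns_host}.{zone}. hostmaster.{zone}. (1 7200 3600 1209600 3600)",
        f"@ IN NS {dns_host}.{zone}.",
    ]


def forward_zone(plan, zone="classroom1.com", dns_host="instructor"):
    """Render the primary forward zone: one A record per classroom host."""
    lines = _zone_header(zone, zone, dns_host)
    for fqdn, addr in sorted(plan.items(), key=lambda item: int(item[1])):
        label = fqdn[: -(len(zone) + 1)]          # strip the ".classroom1.com" suffix
        lines.append(f"{label} IN A {addr}")
    return "\n".join(lines) + "\n"


def reverse_zone(plan, network, zone="classroom1.com", dns_host="instructor"):
    """Render the in-addr.arpa zone (PTR records) for one /24 classroom network."""
    first_three = str(network.network_address).split(".")[:3]
    origin = ".".join(reversed(first_three)) + ".in-addr.arpa"
    lines = _zone_header(origin, zone, dns_host)
    for fqdn, addr in sorted(plan.items(), key=lambda item: int(item[1])):
        if addr in network:
            host = int(addr) - int(network.network_address)
            lines.append(f"{host} IN PTR {fqdn}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = classroom_plan(4)          # instructor plus student1..student4
    print(forward_zone(plan))
    print(reverse_zone(plan, NETWORK_A))
    print(reverse_zone(plan, NETWORK_B))
```

Run the same checks on both the Windows Server 2003 and Linux DNS configurations, since the instructor system is rebooted between the two during the course.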


Mail server Configure an e-mail server for the class. As an instructor, you may have to contact the training center or college IT department to ensure that this is properly established. If it has not been, you will have to create one yourself. Otherwise, any e-mail lab for this course will not work properly. Instructions for configuring the MailEnable e-mail server are given in the following section.

Setup Instructions Use the following procedures to set up the computers for class. The instructor and student computer configurations are the same.

Before class, the instructor should install and configure the instructor and student systems using the following instructions. This course is written for Windows Server 2003 Service Pack 2 and Ubuntu Linux 8.0 on an Ethernet network.

You will also install software on your computer with the students during the labs.

System setup Use the following instructions to set up all systems.

To set up the hardware Set up the hardware according to the manufacturer's instructions. (Refer to the hardware requirements.)

To set up the software Before installing Windows Server 2003 and Ubuntu Linux, consult the appropriate hardware compatibility list (HCL) for each product. You should install Windows Server 2003 first, then Ubuntu Linux 8.0. The HCL for Windows Server 2003 is at www.windowsservercatalog.com/. The HCL for Ubuntu Linux is at www.ubuntuhcl.org/.

You have several separate options available to install Windows Server 2003 and Ubuntu Linux:

• You can create a dual boot between Windows Server 2003 and Ubuntu Linux. You can then simply reboot the system and load the relevant operating system, depending upon what the lab requires.

• You can create separate, stand-alone hosts. You can install Windows Server 2003 on the first system and Ubuntu Linux on the second.

• You can use virtual machines. Virtualization applications such as VMware (www.vmware.com) or Parallels (www.parallels.com) make it possible for you to easily run at least two virtual machines on one system. Thus, you can run a standard Windows Server 2003 system, and then use virtualization to load an Ubuntu Linux system from within your Windows system. However, make sure that your system has at least 2 GB of RAM before you use virtualization.


To install and configure Windows Server 2003 Install Microsoft Windows Server 2003 with the following parameters.

When this information is required, use the value given:

Phase 1: Boot computer from installation CD
Partition: C
Partition Size: 8182 MB (maximum size for partition)
File System: NTFS

Phase 2: Graphical mode
Regional and Language Options: Click Customize to change regional settings, if necessary.
Personalize Your Software: Enter your name and organization.
Your Product Key: Enter the product key for your copy of Windows Server 2003.
Licensing Modes: Enter the appropriate license type (Per Server) and the number of purchased licenses. Enter at least the number of student computers in the classroom.
Computer Name and Administrator Password: Enter student1, student2, student3, and so forth. Name the instructor computer instructor. The password is password (all lowercase).
Date and Time Settings: Enter the correct date and time for the computer.
Network Settings: Select Custom Settings.
Networking Components: Select Internet Protocol (TCP/IP) and click Properties.
Internet Protocol (TCP/IP) Properties: Select Obtain An IP Address Automatically and Obtain DNS Server Address Automatically.
Workgroup or Computer Domain: Set the workgroup to Classroom.

Phase 3: After the system reboots, log on and insert CD 2
Location of Windows Server CD 2 files: Specify the location where the Windows Server CD 2 files are stored (e.g., D:\).

Note: If you are teaching where several classrooms are connected, you may encounter name conflicts. If so, add a number to the name. For example, name the instructor computer Instructor1 and the workgroup Classroom1.


To install and configure Ubuntu Linux Use the following instructions to set up the instructor and student systems. If you are new to the Ubuntu Linux installation procedure, consult the users' guide (which you should have received with the software and documentation) for more detailed instructions.

Install Ubuntu Linux on a Windows computer as follows:

1. Put the Ubuntu CD-ROM in the CD drive. The Menu screen will appear automatically.

2. Menu screen: Click the Install Inside Windows button. The Setup screen will appear.

3. Setup screen: Specify the following parameters:

When this information is required, use the value given:

Installation Drive: Select the Windows partition in which you want to install Ubuntu (e.g., E:\).
Installation Size: Select the space you want to allocate to the Ubuntu installation (minimum 5 GB).
Desktop Environment: Select the desktop environment (e.g., GNOME).
Language: Select the language.
Username: Enter student1, student2, student3, and so forth. On the instructor computer, enter instructor.
Password: The password is password (all lowercase).

4. Setup screen: Click the Install button.

5. Setup screen: When the installation is complete, select Reboot Now, then click Finish. The Windows Boot Manager will appear.

6. Windows Boot Manager: Use the arrow key to select Ubuntu, then press ENTER. Ubuntu will set up the operating system. When it is finished, use the user name and password to log on.

Creating shares on the instructor's computer in Windows Server 2003 After you have installed Ubuntu Linux, boot into Windows Server 2003 and test functionality. Then create the following shares on the instructor computer in Windows Server 2003. Copy the listed contents to each directory. The students will access these shares during the class to install software.

Shares to create (directory, share name, permissions, contents):

C:\i386, shared as i386, Everyone: Read. Contents: Windows Server 2003 installation files
C:\i386, shared as SPx (x represents the service pack number), Everyone: Read. Contents: Windows Server 2003 Service Pack installation files
C:\Lab Files, shared as Lab Files, Everyone: Read. Contents: all supplemental course materials and applicable programs downloaded from Internet/FTP sites

The following subdirectories are reached through the Lab Files share and use the same permissions as the parent folder. Copy the listed files into each:

C:\Lab Files\Lesson 1: NetBus170.zip
C:\Lab Files\Lesson 2: Lockup.html
C:\Lab Files\Lesson 3: AxCrypt-Setup.exe; gpg4win-1.1.3.exe
C:\Lab Files\Lesson 4: john171w.zip; john_wordfile.txt; netflood.cpp; papasmurf-linux.c; passwd; shadow; syn_v1_5.zip; targa2.c; wireshark-setup-1.0.0.exe
C:\Lab Files\Lesson 4\Ettercap: ettercap-NG-0.7.3-win32.exe
C:\Lab Files\Lesson 4\Nmap: nmap-4.76-setup.exe
C:\Lab Files\Lesson 4\packet_captures: ftp_active.cap; ftp_passive.cap; Internet_Explorer_Active.cap; kismet.dump; Netscape_Mozilla_passive.cap; packet_capture_1.cap; packet_capture_2.cap; packet_capture_3.cap; packet_capture_Land_attack.cap; packet_capture_smurf.cap; packet_capture_syn_flood.cap; packet_capture_teardrop.cap
C:\Lab Files\Lesson 4\WinPcap: WinPcap_4_0_2.exe
C:\Lab Files\Lesson 5: kismet.dump; netstumbler1.ns1; netstumbler2.ns1; netstumbler3.ns1; netstumbler4.ns1; netstumblerinstaller_0_4_0.exe; wireshark-setup-1.0.0.exe
C:\Lab Files\Lesson 6: cd080802.zip
C:\Lab Files\Lesson 7: FileZilla_3.0.11_win32-setup.exe; telnet.pcap; wireshark-setup-1.0.0.exe; xampp-win32-1.6.6a-installer.exe
C:\Lab Files\Lesson 9: kerio-kwfWhql-6.5.1-5000-win32.exe
C:\Lab Files\Lesson 11: SECREP.BAT; tripwire-2.4.1.2-src.tar.bz2
C:\Lab Files\MailEnable: mailenablestandard.exe

Placing relevant Linux files on your Linux or Windows Server 2003 FTP server After you have obtained the Linux files that students will need (targa2.c, papasmurf-linux.c and Tripwire), place them in your FTP directory so that students can obtain them easily. In Linux, you can place them in /home/ftp. In Windows Server 2003, place them in the applicable directory that allows students to access the files anonymously (you can specify any directory as the home directory, which is the root of your FTP content subdirectories). It does not matter whether you use a Linux or Windows Server 2003 FTP server. However, make sure you have the correct operating system running when students need the files.

Installing software on Windows Server 2003 before class This section will guide you through the software installation process for additional programs that must be installed on each system before class. The remainder of the software will be installed by students from the instructor's shares during class labs.

Creating Windows NT Password And Registry Editor CDs In the following procedure, you will create Linux boot CDs containing Windows NT Password And Registry Editor for all students.

1. The bootable CD image, cd080802.zip, should be available with the supplemental files in the Lab Files\Lesson 6 folder. If necessary, go to http://home.eunet.no/~pnordahl/ntpasswd/ to obtain the latest files.

Note: The image file name may differ depending on the date of the latest release. For example, the "080802" part of the file name may be different if you retrieve the latest file from the Web site.

2. Unzip the cd080802.zip file to create a folder containing the cd080802.iso file.

3. Burn the ISO image file to CD using any burner program you prefer. Most burner programs support writing ISO images.

4. Repeat Step 3 to create a classroom set of CDs.

5. After you create a classroom set of CDs, test your ability to conduct the lab. For more instructions, see Lab 6-1.

Installing MailEnable In the following procedure, you will install the MailEnable e-mail server on one computer in the classroom that will not be used for any other purpose during the course. If you like, you can install MailEnable on the instructor's computer running Windows Server 2003. However, if you do this, you will need to make sure that you have booted into Windows Server 2003 during any lab that requires an e-mail server. If you are particularly adept at using Sendmail and POP3 in Linux, you can configure these daemons to run when you boot into Linux. Thus, any e-mail lab would be supported regardless of which operating system is being used.

Note: Explicit installation instructions may be obtained at www.mailenable.com/documentation/MailEnable_Installation_Guide.htm.


1. Double-click the mailenablestandard.exe executable file. This file is located in the C:\Lab Files\MailEnable folder.

2. Follow the installation wizard instructions and provide the following information when prompted:

• The name and company of the owner of the MailEnable service.

• The Post Office name and password (e.g., the Post Office name can be "Classroom" and the password "password").

• The domain name of the organization that owns or is operating the server (e.g., "Classroom.com").

• The DNS host (e.g., the IP address of the computer on which MailEnable is being installed).

• The SMTP port (the default should be 25).

3. When the installation is complete, select Start | All Programs | Mail Enable | MailEnable Administrator. You will see the MailEnable Administrator window, shown in Figure CS-2. MailEnable installs five services that run in the background and handle the sending, receiving and distribution of e-mail. Ensure that all five services are running. If a service is not running, right-click it and select Start.

Figure CS-2: MailEnable Administrator window

4. Now, you need to create mailboxes to populate your Post Office. In the left pane, expand Messaging Manager and navigate to the Post Offices | <Post Office Name> | Mailboxes folder. Initially, only the Postmaster mailbox exists.

5. Right-click Mailboxes and select New | Mailbox. The Mailbox Properties dialog box shown in Figure CS-3 will appear.


Figure CS-3: Mailbox Properties dialog box

6. Enter a mailbox name (e.g., student1) and password (e.g., password), then click OK. Create enough e-mail accounts for your classroom. Be prepared to explain these e-mail account names to your students for any labs involving e-mail.

7. In order to send and receive e-mail messages from an e-mail client such as Microsoft Outlook Express, you need to configure the client to connect to MailEnable. Specify the server name or IP address on which you are running MailEnable as the POP3 and SMTP servers. Make sure that you test your accounts before class begins.

Note: Make sure that students configure their e-mail clients to use your e-mail server exclusively.

CIW supplemental files Each coursebook includes supplemental materials that are referenced and used throughout the course. These supplemental materials are provided online at http://education.certification-partners.com/ciw/.

You will need to create a directory for all supplemental materials for the course. The default location is C:\CIW\[Course_Title]. To view or download the materials, go to CIW Online, click the link for each file and save to this directory. You can then create a shortcut to this directory on your Desktop. As you conduct the course labs, you can use this shortcut to quickly access your lab files.


Lesson 1: What Is Security?

Objectives By the end of this lesson, you will be able to:

1.1.1: Define security.

1.1.2: Identify the importance of network security.

1.1.3: Identify potential risk factors for data security, including improper authentication.

1.1.4: Identify security-related organizations, warning services and certifications.

1.1.5: Identify key resources that need specialized security measures.

1.1.6: Identify the general types of security threat/attacker.

1.2.6: Select security equipment and software based on ease of use.


Pre-Assessment Questions

1. What series of documents and procedures was developed by an international consortium to serve as an international security standard that is used to help designate secure operating systems?

a. British Standard 7799
b. The Common Criteria
c. The Orange Book
d. A security matrix

2. Which term describes a mechanism that allows you to monitor and document your network's activities?

a. Threat identification
b. Risk analysis
c. Audit trail
d. Event detection

3. To what kinds of attacks are network resources most vulnerable?

IP spoofing, system snooping and information theft


Network Security Background The media frequently relate sensational incidents concerning Internet-related security threats. From security problems with the popular Mozilla Firefox and Microsoft Internet Explorer browser applications to sophisticated attacks aimed at compromising e-commerce servers, computer and network administrators and users must contend with an increasingly complex security environment. Attacks by hackers, which include computer and e-mail viruses, have become increasingly common. Major online businesses have also proved vulnerable. Amazon.com and eBay, for example, have been victims of serious attacks.

Well-known hackers include Kevin Mitnick and John Draper (who is also known as Captain Crunch), but many more unknown hackers can wreak havoc across the Internet. Even though the following news passage reads like an excerpt from a spy novel, it actually did occur:

Hacker penetrates T-Mobile systems News Item: January 11, 2005 — SecurityFocus

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

Twenty-one year-old Nicolas Jacobsen was quietly charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records.

The age of the preceding article is important. Consider that systems and software applications have since become even more powerful and widely available. Also, now that the business community has embraced the Internet for commerce, communication and collaboration, the integrity of sensitive information and communication lines has become an all-important concern. Responding to and countering threats such as viruses and hackers is an important part of any network administrator's job.

The Internet is available to anyone with a network connection and an Internet Service Provider (ISP) account. In fact, it was designed to be an open network, and therefore has little built-in capacity for securing information. From a security standpoint, the Internet is inherently insecure. However, businesses and individuals now want to apply principles of security to the Internet, effectively using it in a way its inventors did not intend. For Internet users, the new challenge is to protect sensitive data while allowing authorized personnel to use it.

This course will introduce you to information security principles and teach you how to protect your systems from unauthorized access using the latest available technology. You will learn to deploy host-based solutions, along with network-based technologies, such as firewalls.

hacker An unauthorized user who penetrates a computer host or network to access and manipulate data.

OBJECTIVE 1.1.2: Importance of network security

INSTRUCTOR NOTE: The purpose behind this section is to make students aware that hacking has become a tradition, and that unprotected servers are vulnerable because hackers have a great deal of time to exploit Internet-based servers. Emphasize to students that the Internet is an open network, which means that it does not have built-in security procedures.

open network A group of servers and computers, such as the Internet, which allows free access.


What Is Security?

Put simply, security in a networking environment is the ability to identify and eliminate threats and vulnerabilities. A general definition of security must also address the need to safeguard organizational assets, including information and physical items such as the computers themselves.

The idea of security is also intertwined with the notions of appropriateness and subordination. A specific person must be designated as the security manager. This person will be in charge of security, and must determine who can take appropriate actions on specific items and when. All people who enforce security on the network must act in roles subordinate to this leader. Regarding company security, what is appropriate varies greatly from organization to organization, but any company with a network must have a security policy that addresses appropriateness, subordination and physical security.

This course discusses security as it relates to the Internet. With the advent of modern, sophisticated technologies such as local area networks (LANs), wide area networks (WANs), the Internet, wireless networks, Web 2.0 technologies and virtual private networks (VPNs), the idea and practice of security have become more complex than simply patrolling the network perimeter. With regard to networking, one could define security as a continuing process in which an administrator ensures that information is shared only among authorized users.

By the end of this course, you will be familiar with the processes and technologies used to establish and limit behavior to what your organization considers appropriate. You will focus on the aspects of security that relate to connecting your organization to the Internet. Internet connectivity makes it extremely easy for unknown users to connect to exposed resources. You need to ensure that users can access only what you want them to access. This course will explore methods of controlling user and hacker access, and responding to events and minimizing damage when someone circumvents those controls.

The following lab gives an example of how a hacker can remotely control a vulnerable system through the use of an illicit server (a service or daemon installed on a host that thwarts authentication by allowing remote users to bypass the password database). Suppose you are a security technician for the IT department of a midsize business. A user calls you to report that he is concerned about an e-mail he received. He opened the attached file before realizing he did not know the sender. Now he thinks his computer may have been infected with a virus of some sort. You can diagnose the security threat more quickly and easily if you are familiar with common exploits such as trojans, which are programs disguised as harmless applications that actually produce harmful results. Then you can begin to thwart this attempt to hack into your company's systems. Although many hackers do not engage in such activities, you must understand that such practices can victimize an unsecured network.

Lab 1-1: Causing a NetBus trojan infection

In this lab, you will install NetBus and infect your machine with the NetBus server trojan program. NetBus is an example of a trojan that can remotely control your machine across the Internet. NetBus is often sent via an e-mail message, in hopes that an unsuspecting user will run the patch.exe program.

OBJECTIVE 1.1.1: Define security

INSTRUCTOR NOTE: Students will need to understand what a network perimeter is. They should also understand that a network perimeter is only one part of securing the network. The NetBus exploit, shown in Lab 1-1, is an important example because it can be used inside a firewall as well.

network perimeter The outer limit of a network as defined by a firewall.

OBJECTIVE 1.1.3: Risk factors for data security


The NetBus version 1.7 file that is used in this lab is named NetBus170.zip and was downloaded from the Packet Storm Web site at the following address: www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchtype=archives&counts=26&searchvalue=netbus++

1. Disable all anti-virus and personal firewall applications on your system.

2. Obtain the NetBus file from your instructor, decompress it, then double-click Patch.exe. It will appear as if nothing has occurred, but you have just infected your computer with the NetBus illicit server.

3. Double-click NetBus.exe to display the NetBus client interface shown in Figure 1-1.

Figure 1-1: NetBus client interface

4. In the Host Name/IP field, type 127.0.0.1, then click the Connect! button. The NetBus interface should resemble Figure 1-2.

Note: This address is the loopback address to your system and allows you to use the client interface on yourself.

Figure 1-2: Client connected to loopback address

5. Click the File Manager button to display the Remote File Manager dialog box. Click the Show Files button, then expand the C: drive. The dialog box should resemble Figure 1-3. You can use this dialog box to download, upload or delete files from the infected system (in this case, your own). Do not delete files at this time.

INSTRUCTOR NOTE: Make sure that you obtain the NetBus file from your instructor, or from another site such as http://packetstorm.linuxsecurity.com.

INSTRUCTOR NOTE: When students click the Show Files button, it may take a minute or two for the files to appear.


Figure 1-3: Remote File Manager dialog box

6. Click Close to return to the NetBus interface.

7. Click the Server Admin button, then click the Remove Server button. When you are asked if you are sure you want to remove the server, click Yes. This action will remove the NetBus illicit server from your system.

8. Close all dialog boxes and the NetBus interface.

If time allows, the instructor will lead a lab in which you will connect to a remote host.

Note: Connecting to a remote system without permission is illegal. This lab is presented for informational purposes only.

In this lab, you installed NetBus and infected your machine with the NetBus server trojan program. Consider how you can protect your network hosts from this threat. Anti-virus applications generally find NetBus, but variants of NetBus that avoid detection do exist. Intrusion detection (the use of internal network hosts to detect and track network transmissions) is another method. For your network, however, the first line of defense against remote NetBus use is to implement a firewall.
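The lab above showed an illicit server from the attacker's side; the following Python script is an added illustration of the defender's side and is not part of the original course material. It compares the sockets a host is listening on against a known baseline and flags anything unexpected, which is how an administrator would notice a listener such as the NetBus server without relying on an anti-virus signature. The netstat output is a constructed sample modelled on `netstat -an` on Windows, the baseline of expected ports is an assumption for the example, and the NetBus default ports (12345 and 12346) are a known value that is not taken from the lab text.

```python
"""Host-side check for unexpected listening sockets (added example).

An illicit server such as the NetBus server from Lab 1-1 must listen for
remote commands. Comparing the listening sockets on a host against a known
baseline exposes such a listener even when the file itself evades detection.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on `netstat -an` output on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports this (hypothetical) workstation is expected to listen on: an assumed baseline.
EXPECTED_TCP_LISTENERS = {135, 445}

# Default ports of the NetBus 1.x server (known value, not from the lab text).
KNOWN_ILLICIT_SERVER_PORTS = {
    12345: "NetBus default server port",
    12346: "NetBus default secondary port",
}

# Columns: protocol, local addr:port, foreign addr:port, optional state (UDP rows have none).
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        match = NETSTAT_ROW.match(line)
        if not match:
            continue  # heading and blank lines
        proto, addr, port, _foreign, state = match.groups()
        if proto == "TCP" and state == "LISTENING":
            listeners.append((addr, int(port)))
    return listeners


def audit_listeners(netstat_text: str,
                    expected=EXPECTED_TCP_LISTENERS,
                    known_bad=KNOWN_ILLICIT_SERVER_PORTS) -> List[Dict[str, object]]:
    """Return one finding per listener that is not on the baseline.

    A hit in known_bad names the suspected illicit server; any other
    unexpected listener is reported for follow-up (identify the owning
    process, then either add it to the baseline or remove it).
    """
    findings = []
    for addr, port in parse_listeners(netstat_text):
        if port in expected:
            continue
        note = known_bad.get(port, "not on baseline; identify the owning process")
        findings.append({"address": addr, "port": port, "note": note})
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_NETSTAT):
        print(f"{finding['address']}:{finding['port']}  {finding['note']}")
```

On a real host you would feed the text of `netstat -an` to `audit_listeners` and keep the baseline under change control, so that a new listener is always a deliberate decision rather than a surprise. A perimeter firewall blocks remote use of the illicit server; this check finds the server itself, which also matters on hosts that sit inside the firewall.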

Hacker Statistics

In spite of the romantic representations of hackers in movies such as Sneakers, Hackers and War Games, hacker activity is proving to be costly. According to the Computer Security Institute and Computer Emergency Response Team (CERT), hacking is on the rise and is becoming increasingly destructive. The CERT Web site (www.cert.org/stats) has released the following statistics regarding the increase of reported attacks to show the effects of hacker activity:

INSTRUCTOR NOTE: Do not spend too much time with NetBus in this course. This lab is presented only to show students one example of an exploit. You may also want to explain to students that this exploit is an example of an illicit server.

OBJECTIVE 1.1.2: Importance of network security

OBJECTIVE 1.1.4: Security-related organizations and certifications


• Reported incidents have risen steadily, from 252 in 1990 to 9,859 in 1999 to 137,529 in 2003 (2003 is the last year for which incident statistics were kept by CERT).

• Total vulnerabilities cataloged have also risen steadily from 417 in 1999 to 3,784 in 2003 to 7,236 in 2007.

According to a survey of 2,066 organizations conducted by the U.S. Federal Bureau of Investigation (www.fbi.gov) in January 2006, online crime in the United States alone caused $67.2 billion in damages in 2005. Yet, it is estimated that about 90 percent of the attacks that occur every year are not reported. In addition, 90 percent of the respondents said they had experienced some form of attack, intrusion or leakage of proprietary information in the previous 12 months.

Many networking professionals make the distinction between "white hat" (i.e., "good guy") hackers, and "black hat" hackers (sometimes called "crackers").

The IT community has responded to such attacks. Most companies have created security policies. Businesses, organizations and e-commerce sites now implement firewalls, intrusion-detection systems and programs to help track network activity. You will learn more about some of these solutions in this course.

SANS (SysAdmin, Audit, Network, Security) Institute

The SANS (SysAdmin, Audit, Network, Security) Institute is dedicated to providing advice and information regarding common systems vulnerabilities. Among other things, the SANS home page (www.sans.org) provides a helpful Top 20 list to help administrators remain aware of the most important security vulnerabilities.

The Myth of 100-Percent Security

Connectivity implies risk. If you allow legitimate users to access your computers or networks, the opportunity exists for abuse. One popular saying is that the only secure computer is one that has been disconnected from the network, shut off and locked in a safe with the key thrown away. Although this solution might make the computer secure, it also makes the computer useless.

Although you can never reach a point of complete security, you can achieve a level that prevents all but the most determined and skilled hackers from accessing your system. Proper security techniques can minimize the negative effects of hacker activity on your organization. They can deter even the most determined hacker. Regarding Internet security, you can usually restrict the network permissions of legitimate users so they can still accomplish their tasks, but have no more access than necessary. The result of this simple measure is that even if a hacker can steal a legitimate user's identity and enter into the system, he or she will be able to gain only the level of access authorized for that user. Such a restriction will confine any possible damage that the hacker may cause using the stolen user name and password.

Computer Emergency Response Team (CERT) An organization devoted to dealing with computer-related security issues. CERT is a part of the Internet Society (ISOC), which establishes the protocols that govern the Internet. It maintains information about how to solve specific security problems and publishes security advisories.

INSTRUCTOR NOTE: See Optional Lab 1-1: Viewing hacking and vulnerability statistics.

OBJECTIVE 1.1.3: Risk factors for data security

Balance in security

A key security principle is to use solutions that are effective, but that do not improperly burden legitimate users who want access to needed information. Finding ways to actually apply this principle is often a difficult balancing act. This need for balance applies especially to Internet security. It is quite easy to employ security techniques that become so onerous that legitimate users disregard and even circumvent your security protocols. Hackers are always ready to capitalize on such seemingly innocent activity. Thus, having an overzealous security policy could result in less effective security than if you had no security policy at all.

INSTRUCTOR NOTE: Students will need to understand the concept of balance. Explain to them that spending enormous amounts of money to secure a low-priority Web server is a waste of time. Also, making security measures too difficult for end users can reduce the effective level of security. The classic example in this case is forcing users to change their passwords too often. As a result, end users will begin to write down their passwords where they can be easily found by others.

You always need to consider the effect that your security policy will have on legitimate users. In most cases, if the effort required by your users is greater than the resulting increase in security, your policy will actually reduce your company's effective level of security.

Attributes of an Effective Security Matrix

Although the components and configurations of a security system vary from company to company, several characteristics remain constant. A reliable security matrix is necessary to ensure that all security measures are cost-effective and reasonable. A security matrix is composed of individual operating system security features, logging services and additional equipment including firewalls, intrusion-detection systems and auditing schemes.

Table 1-1 summarizes the most important aspects of an effective security system.

Table 1-1: Effective security system attributes

Access control
- You have achieved your goal of allowing access to only legitimate users.
- You have maximized the ability to communicate while minimizing the possibility of hacker access.
- You have minimized the possibility for damage in the event of hacker access.

Ease of use
- If a security system is difficult to use, many employees will find ways to circumvent it.
- You have ensured that the interface is intuitive.

Appropriate cost of ownership
- You have considered not only the initial purchase cost, but also the price of upgrades and service.
- You have also considered the cost of administration. How many employees, at what skill level, are necessary to successfully implement and maintain the system?

Flexibility and scalability
- Your system allows your company to do business the way it wants to.
- Your system can grow as the company grows.

Superior alarming and reporting
- In the event of a security breach, your system notifies the administrator quickly and in sufficient detail.
- You have configured the system to alert you as efficiently as possible. Notification options include alerts by e-mail, computer screens, pagers and so forth.

security matrix All components used by a company to provide a security strategy. Includes hardware, software, employee training, security policy, etc.

OBJECTIVE 1.2.6: Selecting security equipment and software

INSTRUCTOR NOTE: This security matrix provides a way to implement a balanced approach to security.

What You Are Trying to Protect

Now that you have learned about the general principles involved in a security system, we will discuss exactly what needs protection. As you construct the security profile for your network, it is helpful to classify your assets into four resource groups:

• End-user resources (Windows 2000/XP/2003, Linux or Macintosh hosts used by employees)

• Network resources (routers, switches, wiring closets, telephony)

• Server resources (including file, DNS, Web, FTP and e-mail servers)

• Information-storage resources (including human resources and e-commerce databases)

OBJECTIVE 1.1.5: Key resources needing security

INSTRUCTOR NOTE: Make sure students understand these categories. They are useful for the CIW Web Security Associate exam, as well as for prioritizing resources.

End-user resources

Be sure you have enabled the members of your organization to protect their workstations. Not all damage to your resources is the result of malicious user activity, nor of hacker entry into your system. Often, computers are damaged by simple user error.

For example, many employees are largely unaware of the hazards involved in downloading ActiveX files and using Java applets. Still others have not enabled password-protected screen savers to prevent snooping while they are away from their desks for even short periods of time. Users can also inadvertently download viruses and trojans, thereby compromising your network's ability to function. As you learned earlier, a trojan is a file or program that purports to operate in a legitimate way, but which also has an alternative, secret operation, such as sending sensitive company information to a hacker via e-mail.

However, employees can improve security by making sure their browsers are configured for maximum-security settings for ActiveX and Java. You should also make sure that each employee uses a virus checker and observes caution when downloading anything from the Internet.

Protecting local resources is largely a matter of educating individual users about easily applied security techniques. However, Internet security involves more than protecting individual resources.

Network resources

Your networks are the primary communications medium for the entire company. If a skilled hacker gains access to or control of your networks, he or she will probably gain access to most or all company data. You must be aware that many hackers can imitate any Internet Protocol (IP) device that has an IP address. Called IP spoofing, this activity allows hackers to engage in various activities with impunity, because it helps them thwart detection via audit trails. Because no inherent protection is available in the current version (v4) of the Transmission Control Protocol/Internet Protocol (TCP/IP), a hacker can take advantage of any device that does not have specific mechanisms in place. As a result, such hackers can take control of network resources and then move on to system snooping.

Server resources

Your World Wide Web, e-mail and FTP servers are vulnerable to attacks designed to crash the server so that its services are unavailable, or attacks designed to allow the hacker to log on and obtain or alter information. Often, server resources become a target because compromising one of these resources generally allows hackers to move on to controlling other resources. Some servers provide backbone services (e.g., DNS), whereas others provide mission-critical services (e.g., Web, e-mail and so forth). Regardless of category, it is vital that you find ways to protect each as much as resources allow.

Transmission Control Protocol/Internet Protocol (TCP/IP) A suite of protocols that turns information into blocks of information called packets. These are then sent across networks such as the Internet.

system snooping The action of a hacker who enters a computer network and begins mapping the contents of the system.

INSTRUCTOR NOTE: See Activity 1-1: Identifying common attacks against network resources.

Information-storage resources

The most vital function of any company is the way it organizes and disseminates information. These server types represent a hacker's ultimate goal, because these databases contain sensitive information (e.g., credit card numbers, employee payroll records and so forth). Hackers want information for many reasons. Some are merely curious, and others are malicious. Still others want to engage in theft or industrial espionage. Table 1-2 lists potentially vulnerable parts of a network.

Table 1-2: "Hot spot" resources and potential threats

End-user resources: Viruses, trojans and applets can damage local systems. End users can also introduce problems through illicit activity.

Network resources: IP spoofing, system snooping and obtaining information.

Server resources: Unauthorized entry, interrupted service and trojans. Server resources are the primary targets in most cases.

Database and information resources: Obtaining trade secrets, customer data and so forth.

Who Is the Threat?

Popular culture often represents the hacker as a brilliant, underachieving adolescent male who has a problem with authority. Although this description is sometimes accurate, categorizing hackers in terms of their attitude and motivation is probably more useful.

Malicious activity occurs for a number of reasons. However, such activity typically falls into four broad categories:

• The casual attacker

• The determined attacker

• The spy

• The end user

Perhaps the most important thing to consider when determining your company's security is to identify the type of attacker who will target your company and to anticipate that attacker's attitude.

Casual attackers

The casual attacker is sometimes an information seeker, but most often he or she is a thrill seeker. The casual attacker has what might be called an "Everest mentality." In other words, the casual attacker is hacking into your system simply "because it is there." The vast majority of hackers fall into this category. They can be stopped with the proper application of security, especially if this security policy specifies that you find and respond to the hacker. Some casual attackers are teenage pranksters with access to a phone line. A large underground network of these attackers exists.

Determined attackers

The determined hacker will gain access to your system, regardless of difficulty or consequence. This type of hacker is going to get in via the Internet, or by manipulating a careless or uninformed employee. These hackers have access to tested methods and tools specifically designed to allow access into your network. In spite of your effective equipment and clear security policy, this type of hacker's determination and willingness to employ any method will eventually lead him or her to success.

OBJECTIVE 1.1.6: General security threat types

INSTRUCTOR NOTE: Be prepared to discuss additional terms for hackers. These can include "white hat hacker" as well as "gray hat hacker," who will probe and penetrate sites legally and illegally.


Determined hackers will often break into highly sophisticated systems to prove their hacking prowess. Typically, these hackers are not out to destroy information, but will often obtain information about your company and network just because they can. Determined hackers have many motivations. One hacker might be a disgruntled employee, whereas another might be motivated by resentment toward large businesses or governments. Many attacks have occurred as the result of hackers' interest in removing the presence of what they consider to be objectionable or controversial content. Still others — the majority, perhaps — are motivated by financial gain.

Other hackers have more idiosyncratic motivations, which can be based upon an interest in achieving fame, a need to gain a sense of accomplishment, or a need to demonstrate their networking skills. Such motives may explain the majority of Web graffiti that has occurred over the past few years.

Spies and industrial espionage

Spies have very specific targets and want to gain information or disrupt service. They are well-funded and have nearly unlimited access to resources. Primary motivations for spies include monetary gain and ideological beliefs. These hackers will stop at nothing to gain access to the networks they have targeted. Businesses interested in industrial espionage and various governments often fund spy groups, but some spies are mercenaries who will work for the highest bidder.

Later lessons discuss how to implement firewalls and offer specific ways to defend against hackers. For stopping a determined hacker, auditing is the most effective tool. With proper auditing, you can discover and stop a hacker as soon as possible. A more detailed discussion of auditing is presented in a later lesson, and another lesson offers a plan by which you might respond to the hacker and report such activity. Sometimes you need to contact law enforcement agencies, such as local authorities or possibly the U.S. Federal Bureau of Investigation (FBI).

End users

End users constitute the first line of defense in network security. It is common for security professionals to blame specific vendors (e.g., Microsoft, Sun or Ubuntu), protocols (e.g., the fact that IPv4 does not require authentication) or operating systems (e.g., Windows Server 2003 or Solaris) for their security woes. However, most security breaches are caused by end users. End users may cause network security problems through ignorance, carelessness, or a lack of effective and continual awareness training.

End users may also cause network security problems because they are simply trying to do their jobs to the best of their abilities, using the tools they feel would best suit their needs. If end users feel that problems they encounter are not being addressed, they may try to start looking for their own solutions. Those "solutions" may end up circumventing network security policy, leading to security breaches.

To solve this problem, consider the following strategies:

• A short training session at the time of hire — This session can be led by an individual (e.g., an IT help desk worker, a security administrator or the employee's manager) or it can be self-paced. Such sessions should include a thorough review of the security policy.

• Continual training — Educate users at regular intervals so that they remain aware of the latest threats.

• Reminders — Issue e-mail reminders concerning standard practices, and have copies of the security policy readily available.

• Explain common procedures — Instruct end users not to click every attachment that they receive in e-mail, and that they should not try to repair their own systems when they perceive a threat. Show them steps that they can take to properly escalate a perceived problem, rather than trying to handle it themselves. You can also show them how to create client-side e-mail filters to avoid spam and dangerous attachments with the latest virus or worm on the Internet.

• Do not ignore end users — Solve the business needs of end users before they attempt to solve their own problems, to which they do not know the solutions. By so doing, you help end users accomplish their tasks without compromising network security.

With these strategies in mind, you can begin considering the end user as a security aid, rather than a liability.

Web graffiti The act of defacing a Web site by replacing authorized content with illicit information.

auditing Reading and interpreting log files to identify hacker activity.

INSTRUCTOR NOTE: End-user awareness training is an essential part of protecting the network.

Security Standards

To complete our discussion of security basics, we must mention several standards that help provide security.

ISO 7498-2: Security Architecture

The International Organization for Standardization (ISO) 7498-2 Security Architecture document defines security as minimizing the vulnerabilities of assets and resources. An asset is defined as anything of value. A vulnerability is any weakness that could be exploited to violate a system or the information it contains. A threat is a potential security violation.

ISO further classifies threats as either accidental or intentional, and active or passive. Accidental threats are those that occur with no premeditated intent. Such threats as natural disasters and system malfunctions fall within this group. Intentional threats may range from casual examination of computer or network data to sophisticated attacks using special system knowledge. Passive threats do not modify information contained in the systems; neither the operation nor the state of the system is changed. Alteration of information or changes to the system's state or operation is considered an active threat to the system.

Security services

The ISO 7498-2 document further defines several security services, as summarized in Table 1-3. These services will be examined in more detail in upcoming lessons.

Table 1-3: Security services

Service Purpose

Authentication The process of proving identity. These services provide for the authentication of a communications peer entity and the source of data (origin).

Access control Determines what system resources a user or service may use, view or change. After a user has been authenticated, the access control service on an operating system determines where that authenticated user can go.

Data confidentiality

Protects data from unauthorized disclosure. Data confidentiality protects from passive threats, which include users who read data from the network wire using packet sniffers.

INSTRUCTOR NOTE: Emphasize the importance of auditing. The security standards, discussed below all mandate auditing. ISO 7498-2 explicitly requires it, for example.

OBJECTIVE 1.1.4: Security-related organizations and certifications

INSTRUCTOR NOTE: Make sure that students clearly understand each of these categories.

Page 53: EVALUATION COPY - CIWCertified.com · EVALUATION COPY Web Security Associate Instructor Guide Web Security Series CCN02-CAWSAA-PR-1012 • version 1.0 • rd011111

EVAL

UAT

ION

CO

PY

Lesson 1: What Is Security? 1-13

© 2011 Certification Partners, LLC — All Rights Reserved. Version 1.0

Table 1-3: Security services (cont’d)

Service Purpose

Data integrity Protects against active threats (such as altering data) by verifying or maintaining the consistency of information.

Non-repudiation Allows all parties to provide proof of origin and/or proof of delivery concerning any service, process or piece of information. By contrast, repudiation is the ability to deny participation in all or part of a transaction. For networking, one can repudiate an e-mail message or a piece of data, such as a traceroute ping packet or SYN packet, by saying "I did not send that."
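The first two services in the table are easy to conflate, so the following Python example (added here; it is not code from the CIW guide) keeps them separate: authenticate() proves identity against a constructed store of salted PBKDF2 password verifiers, and only after that does authorize() consult a constructed access control list to decide what that identity may do with a resource. The user names, passwords, resource paths and ACL entries are all made up for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; kept moderate so the example runs quickly.
ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password; the store never keeps plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(users: dict, username: str, password: str) -> None:
    """Add a user with a fresh random salt and a PBKDF2 verifier."""
    salt = os.urandom(16)
    users[username] = (salt, _hash_password(password, salt))


def authenticate(users: dict, username: str, password: str) -> bool:
    """Authentication service: the caller proves identity by knowing the password."""
    record = users.get(username)
    if record is None:
        # Do the same amount of work for unknown users so a caller cannot tell
        # "no such account" from "wrong password" by timing the response.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


# Constructed access control list: resource -> user -> permitted operations.
ACL = {
    "/payroll": {"alice": {"read", "write"}, "bob": {"read"}},
    "/public": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def authorize(acl: dict, username: str, resource: str, permission: str) -> bool:
    """Access control service: decide what an already authenticated identity may do."""
    return permission in acl.get(resource, {}).get(username, set())


def access(users: dict, acl: dict, username: str, password: str,
           resource: str, permission: str) -> str:
    """Run both services in order: establish identity first, then rights for that identity."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(acl, username, resource, permission):
        return "denied: not authorized"
    return "granted"


def build_demo_store() -> dict:
    """Constructed user store with made-up credentials for the example."""
    users = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "bob-example-pass")
    register(users, "carol", "carol-example-pass")
    return users


if __name__ == "__main__":
    store = build_demo_store()
    print(access(store, ACL, "alice", "correct horse battery staple", "/payroll", "write"))
    print(access(store, ACL, "bob", "bob-example-pass", "/payroll", "write"))
    print(access(store, ACL, "bob", "wrong", "/payroll", "read"))
```

Notice that carol authenticates successfully yet is refused /payroll: passing the authentication service says nothing about what the access control service will allow, which is why the two are listed as distinct services.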

Security mechanisms

According to ISO, a security mechanism is a technology, a software program or a procedure that implements one or more security services. ISO classifies mechanisms as either specific or pervasive.

A specific security mechanism is a technology or software program that implements only one security service at a time. Encryption is an example of a specific security mechanism. Although encryption can be used to provide data confidentiality, data integrity and non-repudiation, each of those services requires its own encryption-based mechanism; no single encryption technique delivers all of them at once.
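As an added illustration of that point (example code, not from the guide), the following Python uses one mechanism per service: a toy one-time XOR cipher for confidentiality and HMAC-SHA256 for integrity. The message and keys are constructed placeholders, and the toy cipher stands in for a real one (a production design would use an authenticated mode such as AES-GCM) purely to show that a confidentiality mechanism on its own does not detect alteration, which is the active threat the data integrity service addresses.

```python
import hashlib
import hmac
import secrets


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Confidentiality mechanism (toy): XOR with a random key as long as the data.
    Used only to demonstrate that confidentiality alone gives no integrity."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def compute_tag(mac_key: bytes, data: bytes) -> bytes:
    """Integrity mechanism: HMAC-SHA256 over the ciphertext."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: one mechanism for confidentiality, a second one for integrity."""
    ciphertext = xor_encrypt(enc_key, plaintext)
    return ciphertext, compute_tag(mac_key, ciphertext)


def unprotect(enc_key: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject altered data."""
    if not hmac.compare_digest(tag, compute_tag(mac_key, ciphertext)):
        raise ValueError("integrity check failed: data altered in transit")
    return xor_encrypt(enc_key, ciphertext)


def flip_bit(data: bytes, index: int, mask: int = 0x01) -> bytes:
    """Models an active threat: one bit of the ciphertext changes in transit."""
    altered = bytearray(data)
    altered[index] ^= mask
    return bytes(altered)


def demo() -> dict:
    # Constructed message and keys for the example.
    plaintext = b"PAY 0100 TO BOB"
    enc_key = secrets.token_bytes(len(plaintext))
    mac_key = secrets.token_bytes(32)

    ciphertext, tag = protect(enc_key, mac_key, plaintext)
    # Index 4 is the leading '0' of the amount; flipping its low bit makes it '1'.
    altered = flip_bit(ciphertext, 4)

    # Decryption alone accepts the altered ciphertext: the change goes unnoticed.
    without_check = xor_encrypt(enc_key, altered)

    try:
        unprotect(enc_key, mac_key, altered, tag)
        caught = False
    except ValueError:
        caught = True

    return {
        "roundtrip_ok": unprotect(enc_key, mac_key, ciphertext, tag) == plaintext,
        "altered_plaintext": without_check,
        "mac_caught_tampering": caught,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because both endpoints hold the same MAC key, the HMAC tag provides integrity but not non-repudiation: either party could have produced it, so neither can prove to a third party who sent the message. Proof of origin needs yet another mechanism, a digital signature made with a private key only the sender holds, which is the sense in which each service needs its own mechanism.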

You will learn more about the various uses of encryption throughout this course.

A pervasive (or general) security mechanism is a procedure that helps implement one or more of the security services at a time. Another element that differentiates pervasive security mechanisms from specific mechanisms is that general mechanisms are not tied to any one layer of the Open Systems Interconnection reference model (OSI/RM). Examples of pervasive mechanisms include the following:

• Trusted functionality — any procedure that strengthens an existing mechanism. For example, when you update the TCP/IP stack or run some software to strengthen the ability of your Novell, Windows or UNIX system to authenticate, you are using a pervasive mechanism.

• Event detection — the ability to detect and report local and remote incidents.

• Audit trail — any mechanism that allows you to monitor and document your network's activities.

• Security recovery — the ability to react to an event, including creating short-term and long-term solutions to known vulnerabilities. Also includes the ability to repair damaged systems.
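Event detection and an audit trail are easiest to see together. The Python below (an added example, not from the guide) reads a constructed audit trail that carries network-layer identifiers (source IP addresses) inside application-layer records (sshd and httpd messages), summarizes which sources touched which service, and raises an event when a burst of failed logons from one address is followed by a successful one. The log lines, addresses, user names and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail for the example: sshd and httpd records, ISO timestamps.
SAMPLE_LOG = """\
2011-03-01T09:00:01 sshd[412]: Failed password for alice from 203.0.113.9 port 50211 ssh2
2011-03-01T09:00:03 sshd[412]: Failed password for alice from 203.0.113.9 port 50212 ssh2
2011-03-01T09:00:04 httpd: 198.51.100.7 - - "GET /index.html HTTP/1.1" 200
2011-03-01T09:00:06 sshd[412]: Failed password for root from 203.0.113.9 port 50213 ssh2
2011-03-01T09:00:07 sshd[412]: Failed password for bob from 203.0.113.9 port 50214 ssh2
2011-03-01T09:00:09 sshd[412]: Failed password for alice from 203.0.113.9 port 50215 ssh2
2011-03-01T09:00:10 sshd[412]: Accepted password for alice from 203.0.113.9 port 50216 ssh2
2011-03-01T09:05:00 sshd[412]: Failed password for carol from 192.0.2.44 port 40001 ssh2
2011-03-01T09:30:00 httpd: 198.51.100.7 - - "GET /admin HTTP/1.1" 403
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")


def parse(log_text: str):
    """Audit trail reader: yield (timestamp, program, message) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["prog"], m["msg"]


def sources_by_program(log_text: str) -> dict:
    """Audit summary: which network-layer sources (IPs) appear in which application's records."""
    seen = defaultdict(set)
    for _, prog, msg in parse(log_text):
        seen[prog].update(IP_RE.findall(msg))
    return dict(seen)


def detect_password_guessing(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=1)) -> list:
    """Event detection over the trail: report a source that reaches `threshold` failed
    logons inside `window`, and report again if that source then logs on successfully."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    events = []
    for ts, prog, msg in parse(log_text):
        if prog != "sshd":
            continue
        m = FAIL_RE.search(msg)
        if m:
            ip = m["ip"]
            # Keep only failures still inside the sliding window, then add this one.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:
                events.append(("possible_password_guessing", ip, ts.isoformat()))
            continue
        m = ACCEPT_RE.search(msg)
        if m:
            ip = m["ip"]
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                events.append(("success_after_failures", ip, m["user"], ts.isoformat()))
    return events


if __name__ == "__main__":
    print(sources_by_program(SAMPLE_LOG))
    for event in detect_password_guessing(SAMPLE_LOG):
        print(event)
```

The second event is the one worth an analyst's time: a success from an address that has just produced a run of failures is the pattern that distinguishes a noisy guess from a probable compromise, and the audit trail is what makes that correlation possible after the fact.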

INSTRUCTOR NOTE: Notice that an audit trail is required at various levels of the OSI/RM. Have students provide examples of logging at the network layer (e.g., IP addresses) and the application layer (e.g., HTTP, DNS and so forth).

Additional security standards

Many other government and industry standards exist in addition to ISO 7498-2. Although some standards may be falling out of favor in certain security circles, you will find that an awareness of past and present standards is useful, because some companies still apply these standards. A selected list of additional security standards includes:

• Trusted Computer Systems Evaluation Criteria (TCSEC) — also known as the "Orange Book" because of its color when first published. In an attempt to standardize levels of security, the U.S. government released a series of standards defining a common set of security levels. These standards were released in a series of books commonly called the "Rainbow Series" because each book had a different color cover. The TCSEC standards begin with D (the lowest level) and continue through A1 (the most secure). TCSEC addresses data confidentiality concerns only. TCSEC has fallen out of favor with many in the networking industry because it does not address the specific business needs for using a network, which can lead to serious problems between the IT department and the rest of the company. However, some companies still apply standards from the Orange Book. You can learn more about the Orange Book at www.dynamoo.com/orange/.

• Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) — the Canadian implementation of TCSEC, focused on information integrity and availability. This and TCSEC began the push for the Common Criteria.

• European Information Technology Security Evaluation Criteria (ITSEC) — addresses the issues of integrity and availability, as well as confidentiality.

• The Common Criteria (CC) — created by European and American governments to unify various evaluation criteria documents. The Common Criteria supersedes TCSEC, CTCPEC and ITSEC. CC was adopted by ISO as ISO standard 15408. It is used to help designate secure operating systems, under specific circumstances. Whenever an operating system is certified according to the Common Criteria, it can then be used in government networks. You can learn more about the Common Criteria at www.commoncriteriaportal.org/.

• British Standard 7799 (BS 7799-3) — outlines specific "controls," such as the system access control, the use of a security policy and physical security measures. It was designed to help managers and IT professionals create procedures to keep information secure. BS 7799 describes how to plan, implement and correct network implementations. The latest document, published in 2005, is BS 7799-3, which also covers risk analysis and management.

• ISO 17799 — ISO adopted the BS 7799 document, making it an international standard formally known as BS ISO/IEC 17799. The ISO 17799 standard describes specific tasks and safeguards for IT professionals. This document is designed to provide a practical, operations-based approach to security. It is not designed to focus on specific issues, as are ITSEC and Common Criteria, nor was it enacted as a piece of country-specific legislation, as were HIPAA and GLBA (which are discussed next). You can obtain ISO documents (usually for a fee) at www.iso.ch.

• Health Insurance Portability and Accountability Act (HIPAA) — a law that affects health providers in the United States (e.g., doctors, dentists, health-care providers for senior citizens). Passed in 1996, HIPAA consists of two different sections: Title I (designed to protect workers and families so they can obtain health care) and Title II (which regulates how health-care providers and IT departments must secure patient information). Regulations include mandating standardized access to personal medical information by authorized parties, encrypting stored and transmitted information, and rules for how information can be passed from company to company. Whereas all of the previous standards are voluntary, HIPAA imposes fines and even jail time for those who break this law. For more information about HIPAA, visit www.hipaa.org and http://aspe.hhs.gov/admnsimp.

• Gramm-Leach-Bliley Act (GLBA) — an act passed by the U.S. government designed to ensure the privacy of financial information and other sensitive information such as Social Security numbers, phone numbers and bank account numbers. Also known as the Financial Services Modernization Act, GLBA was designed to control how financial service organizations store and transmit information, and it prohibits the sharing of this information unless explicitly allowed by the customer. In many ways, GLBA is the financial services analog to HIPAA. Passed in 1999, GLBA was implemented in July 2001 for most banks, although some had a grace period until July 2003. Among other requirements, GLBA requires all financial service providers to implement a written, verified security policy designed to keep customer information safe from attackers and improper disclosure by companies. Fines of up to $500,000 are possible, by increments of $1000. For more information about GLBA, visit www.ftc.gov/privacy/privacyinitiatives/glbact.html or www.senate.gov/~banking/conf/confrpt.htm.

• Sarbanes-Oxley (SOX) — an act passed by the U.S. government in 2002 in response to a number of major corporate and accounting scandals, which took place between 2000 and 2002. Sarbanes-Oxley describes specific mandates and requirements for financial reporting, and establishes new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act consists of 11 titles that are designed to improve the accuracy and reliability of corporate disclosure to reinforce investment confidence and protect investors. For more information about Sarbanes-Oxley, visit http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/.

• Federal Information Security Management Act of 2002 (FISMA) — an act passed by the U.S. government in 2002 that mandates annual audits to bolster computer and network security within the federal government (and affiliated parties, such as contractors working on behalf of a U.S. government agency). FISMA mandates a set of processes that must be followed for all information systems used or operated by the federal government. These processes must follow a combination of the special publications SP-800 series issued by NIST, the Federal Information Processing standards (FIPS) documents, and other legislation pertinent to federal information systems, such as HIPAA and the Privacy Act of 1974. For more information about FISMA, visit www.compliancehome.com/topics/FISMA/.

Implementing the Common Criteria does not necessarily exclude implementation of standards such as ISO 17799, GLBA or HIPAA because the CC does not discuss planning and procedures in detail as ISO 17799 does. Also, GLBA, HIPAA, SOX and FISMA are examples of mandated laws, as opposed to being security standards.


Case Study: Think Like a Hacker

Andre is a system administrator who is responsible for securing the new LAN that he has set up for Coffees R Us, a coffee distributor that sells its products wholesale in bulk to grocery stores and restaurants. Andre ensures that the desktop computers are free of malware and spyware, and that the network servers and applications are as secure as possible. However, despite his efforts, Andre discovers that the network has become infected with a trojan that allows the servers to be controlled remotely by external sources.

* * *

As a class, discuss this scenario and answer the following questions:

• Consider the components of an effective security matrix. Did Andre create a matrix that encompassed all aspects of an effective security system?

• Andre's security measures effectively patrolled the network perimeter. Is this enough? If not, what else does Andre need to consider?

• From what or whom is Andre trying to protect the LAN? If a determined hacker has successfully infiltrated the LAN, what can Andre do to remove the trojan and ensure that the LAN is less vulnerable to future attacks?


Lesson Summary

Application project

In this lesson, you learned about specific risks to your computer systems, as well as some of the standards used to measure network security. Every organization has different security concerns. Compile a list of potential security threats to your organization or school. Determine which security elements can most effectively provide a countermeasure to your potential security problems.

Skills review

In this lesson, you were introduced to the concept of security, and you saw demonstrations of actual security threats. You also learned about the categories of resources that need protection, the attributes of an effective security system, and the types of people who make security systems necessary.

Now that you have completed this lesson, you should be able to:

1.1.1: Define security.

1.1.2: Identify the importance of network security.

1.1.3: Identify potential risk factors for data security, including improper authentication.

1.1.4: Identify security-related organizations, warning services and certifications.

1.1.5: Identify key resources that need specialized security measures.

1.1.6: Identify the general types of security threat/attacker.

1.2.6: Select security equipment and software based on ease of use.


Lesson 1 Review

1. What is an open network?

An open network is a group of servers and computers that use protocols developed with freely available information. The Internet is an open network because it uses TCP/IP. Anyone can read about how to build TCP/IP applications. As a result, anyone with an interest in defeating security measures built into this suite of protocols can read the specifications for TCP/IP and build malicious applications.

2. The advent of sophisticated networking technologies has required network protection to become more sophisticated than simply patrolling the network perimeter. Give an example of an attack that could allow a computer to be controlled remotely.

A NetBus trojan infection or the use of an illicit server.

3. What is the Computer Emergency Response Team (CERT)?

An organization, based out of Carnegie Mellon University in Pittsburgh, Pennsylvania, that is devoted to dealing with computer-related security issues. It is part of the Internet Society (ISOC), which establishes the protocols that govern the Internet.

4. What are the components of an effective security matrix?

High security, ease of use, reasonable cost, flexibility and scalability, and superior alarming and reporting capabilities.

5. To what kinds of attacks are server resources most vulnerable?

Attacks designed to crash the server so that its services are unavailable, or attacks designed to allow a hacker to log on and obtain or alter information.


Lesson 1 Instructor Section

This section is a supplement containing additional tasks for students to complete in conjunction with the lesson. The instructor may use all, some or none of these additional tools, as appropriate to the specific learning environment. These elements are:

• Activities: Pen-and-paper activities to be completed during class or as homework.

• Optional Labs: Computer-based labs to be completed during class or as homework.

• Lesson Quiz: Multiple-choice test to assess student knowledge of lesson material.


Activity 1-1: Identifying common attacks against network resources

In this activity, you will recall and list the types of attacks waged against common resources.

1. The left column of the following table lists common "hot spot" resources. In the right column, fill in common attacks that are waged against each resource.

"Hot Spot" Resource: End-user resources
Potential Threat: Viruses, trojans and applets can damage local systems. End users can also introduce problems through illicit activity.

"Hot Spot" Resource: Network resources
Potential Threat: IP spoofing, system snooping and obtaining information.

"Hot Spot" Resource: Server resources
Potential Threat: Unauthorized entry, interrupted service and trojans. Server resources are the primary targets in most cases.

"Hot Spot" Resource: Database and information resources
Potential Threat: Obtaining trade secrets, customer data and so forth.

In this activity, you identified common threats to "hot spot" resources on your network.

Optional Lab 1-1: Viewing hacking and vulnerability statistics

In this optional lab, you will review statistics gathered by CERT and vulnerabilities reported by SANS.

1. Go to the following Web site:

www.cert.org/stats

2. Study the following elements and write your answers in the spaces provided.

How many incidents were reported for 2002-2003?

____________________________________________________________________________________

How many vulnerabilities were reported for 2005-2007?

____________________________________________________________________________________

How many security advisories have been published since 1988 (when CERT was first organized)?

____________________________________________________________________________________

INSTRUCTOR NOTE: This lab assumes Internet access.


3. Go to the following Web site:

www.sans.org

4. Click the Top 20 Vulnerabilities link.

5. Study these vulnerabilities. Which of the vulnerabilities listed might most affect your servers?

____________________________________________________________________________________

In this lab, you viewed the CERT and SANS Web sites to learn more about attack statistics and common server vulnerabilities.

Lesson 1 Quiz

1. The Internet has little built-in capacity for securing information because:

a. it operates behind a network perimeter.
b. it operates behind a firewall.
c. it is an open network.
d. it is a closed network.

2. Which term describes the action of a hacker who enters a computer network and begins mapping the contents of the system?

a. A trojan
b. System snooping
c. Web graffiti
d. A virus

3. Which service protects data from unauthorized disclosure?

a. Data confidentiality
b. Access control
c. Data integrity
d. Non-repudiation

4. Which service represents the inability to deny participation in all or part of a transaction?

a. Data confidentiality
b. Access control
c. Data integrity
d. Non-repudiation

5. Which term describes a procedure that strengthens an existing mechanism?

a. Trusted functionality
b. Event detection
c. Security recovery
d. Audit trail
