This lesson discusses securing networks and making them
harder to attack. Objectives important to this lesson:
Physical security
Social engineering
Vulnerabilities and threats
Authentication
Secure protocols
Remote access
Troubleshooting security
Concepts:
Chapter 13, Network Security
Chapter
13 covers more material than most chapters. We will consider it by
itself this week.
The
idea of physical security may not seem to apply to networks, but it
does. It applies to all our assets, all our hardware, and all our
staff. Consider this list of ideas about physical security. It is a
list of major physical controls, a bit longer than the one in our
TestOut. It covers a few more ideas.
Walls, fences, and gates- obvious barriers make it
clear to peopple that they are not allowed to walk beyond a certain
point; gates are obvious points of access, but they are also filter
points if you require staff to show permission to pass through them;
these apply to external and internal environments
Guards- putting a guard on a
gate, a door, or an asset allows you to set rules for passage and usage
that can be interpreted by a human being or referred to an authorizing
level of management
Dogs- guard dogs should
probably appear as a subset of guards, whether they are working with
handlers or left to patrol a sealed environment; a dog can sense things
(noises, aromas) that a human guard cannot
ID cards(badges) - can be just a
token or a photo ID, and may have a magnetic stripe, a computer chip,
or an RFID; ID cards are both a proof of authorization and a problem:
they need to becollectedwhen an employee leaves
their job, regardless of who decided they were leaving; the text
describestailgating, the practice of passing
through a door that senses an authorization code by following someone
who actually has authorization when you a)forgotyours, b) decided to belazy, or c) arenot authorized; it is the last
variation we worry about, so some secure centers require that everyone
passing a control point show their badge to the sensor to count heads;
the text mentions the use of ID operatedturnstiles, which are effective in
metering traffic
Locks- as indicated above, some
locks are opened withcredentials; some locks require akey, and others require theinterventionof an operator (e.g. guard,
receptionist);biometriclocks may be the most
sophisticated locks: that means that unless they are sophisticated they
won't work well
A door thatstays lockedif the electronic lock
fails has afail-secure lock.
A door thatbecomes unlockedif the electronic lock
fails has afail-safe lock. Sincesafeandsecureare usually synonyms, this
makes no sense. You just have to know which is which.
Cable locks- Devices that are meant to
bemovedare often built with littleslotsthat may be used withcableswhich attach to desks,
tables, or other structural features in the workplace. The idea is that
if something is locked down, it is less likely to be stolen. It can
still be stolen if the thief has a tool to cut the cable, and if the
cable is securing your docking station, that means the thief may steal
it as well as your laptop.
Mantrap- a vestibule or airlock
with two doors thatbothlock if someone tries to
pass through the second door to a secure area and fails; the idea is to
alert security to a possible intrusion while containing the intruder
Video monitoring- allows recording of
events, also allows fewer guards to watch over more areas by watching
several screens at once; this typically adds a delay to response time,
and may only be useful for collecting data after an event
Alarm systems- commonly associated with
the opening of a door, may be triggered by sensors (motion, infrared,
touch plates)
I
had the pleasure once of visiting a facility that took a different
approach from most. There wasno signoutside the building,no numberon it, and few indications
that was a secure facility. The perimeter wasfenced, andgated, and the gate was operated
remotely by an unseen guard. The fence was surrounded by tall slenderyews, which blocked the view of the
perimeter from both sides. They were also frail enough that no one
could climb them. Yes, they made it difficult for people inside to
watch what was happening outside the building. However, the intention
was to block the view of the building from outsiders, and to draw no
attention. Huge trees with nasty thorns are unusual and they might draw
the attention of someone with an eye for what looks odd. Yews are just
nice landscaping. A good way to keep a secret is to never hint that the
secret even exists. That perimeter followed that logic.
Visibility
is what you think about when you planlightingandsurveillance cameras. Sometimes you
need more lights because something you can't remove casts a shadow.
Sometimes you need another camera, because you can't see through or
around that thing the way it is. Your surveillance system needs to
cover what your guards need to see even if they do walk around the
interior or the grounds. They cannot be everywhere at once, unless you
have lots of guards.
The
text mentions that tracking whoentersand wholeavesa location are equally
important. This is easier in a well run installation, where you use the
same protocols to enter and to leave. In most locations, people are in
more of a hurry to leave. The text suggests that keepingvideorecords of people entering
and exiting can provide a post-event record if you can live without a
live stream of information. Sometimes, theexitof a person is the moreimportantevent, such as the provided
example of a day care center, as well as in some hospitals and most
prisons. The text warns us thatexit
pointsmust be
watched carefully in such cases. It should observe that we should watchknownexit points, and be
watchful for exits that those seeking them maydiscover.
If
you want to allow foot traffic, but restrict the approach of vehicles,
you should consider a recommendation to usebollards. You may
not know the word, but you have probably seen these posts in parking
lots or outside buildings. Followthis
linkto a web page
that defines them as being available in several types: visual guides,
physical barriers, flexible, and decorative. We are most concerned with
the physical barrier type, which may simply be a painted concrete and
steel post, or it may have a decorative cover to make it look less like
a barrier. Some locations that require frequent traffic with the need
for restriction in emergencies may lead us to install bollards that are
retractable.
We
can also discuss physical access controlsinsidebuildings. One our our
security texts recommends thatguardsandcamerasshould be made visible in
general work areas, to act as deterrents to unwanted behavior.Barriersbetween general work areas
and sensitive areas should be clearly defined. The text mentionsbanksas a commonly available
example of businesses with areas for the general public, and areas that
are for staff only. Banks often have high counters, gates, security
barriers, guards, and bullet resistant glass or plastic barriers
between staff and customers. Data centers do not generally provide
service to the public, but is not uncommon to have a data center share
a building with another service from your company that does invite
customer traffic. When this is the case, there must be controls to
prevent access by people who should not have access.
Social engineeringis a label that is applied
to any attempt to convince someone to do something that is to your
benefit. In the context of IT security, a social engineer is often a
con artist who is asking, fooling, convincing, or otherwise
manipulating people into revealing secrets or granting access to
systems. These are a few classic social engineering methods:
Make a friend- Friends tend to confide
in friends, do favors for them, and show off what they know or can do.
A hacker may try to become a friend to someone with the next level of
access to harvest information from them.
Pretext- A pretext is apretense, a lie of some sort. A
pretexting attacker might pretend to be from the IT department, or
he/she might instead pretend to be a new user, an assistant to a high
level executive, or any other role that seems to fit the situation.
Think of Leonardo DiCaprio inCatch
Me If You Can, interviewing an airline official to get the
information he needed to impersonate a pilot. He was pretexting with
the airline official when he pretended to be a reporter for a student
newspaper. He then pretended to be a pilot in order to pass bad checks
at banks, hotels, and airline counters, which we could say was the real
exploit that his initial pretexting led to.
Ask for information- The author describes a
social engineerr asking a user to log in to a "test page", which in
reality has the purpose of collecting the user's ID and password. This
is similar tophishing, sending email to users
that ask them to do the same or similar things.
Impersonation- An attacker might
impersonate anyone who might seem to belong in the environment being
surveilled or attacked. It is common to impersonate a help desk
employee when calling a victim. It is also common to impersonate an
employee, a delivery person, or a repair person when the ploy calls for
infiltrating a site.
Phishing-Phishingis the solicitation of
personal or company information, typically through an official looking
email. Some variations on phishing:
Spear phishing- sending the email tospecificpeople,customizingit to look like a message
sent to them by an entity with some of their personal information
already
Whaling- This is spear phishing
but it focuses on big (wealthy or data rich) targets.
Pharming- sending an email that
takes the person directly to a web site (the phisher's site) instead of
asking the reader to follow a link
Google phishing- the phisher sets up a
fake search engiine that will send people to the phishing web site on
specific searches (presumably it returns real search results on
searches that would not lead to a page the phisher has prepared)
Spam- The section on spam,
unsolicited email, seems out of place in this discussion. Most spam may
only be looking for a customer, but some spam is sent with the intent
to steal, abuse, and sell the payment information that a person might
volunteer to provide.
Hoaxes- In the larger sense, all
social engineering involves a hoax of some kind. First the grifter
finds a mark, then he tells the mark the tale, and offers the deal. In
the sense that the text means here, a hoax is distraction from reality,
such as when the attacker pretends that there is a virus outbreak that
is affecting the potential victim. It sets the idea in the victim's
mind that the attacker is trying to help and should be assisted in
his/her efforts.
Typo squatting- Most people are not great
typists. The text explains that this is why other people (the bad ones)
register domain names that are similar but not identical to real
domains. They are hoping that the bad typists among us will misspell a
URL and find ourselves on their site instead of the one we wanted,
where we might volunteer information by trying to log in with
credentials that can then be abused, sold, or ransomed. This technique
is also calledURL hijackingby the text.
Watering hole attack- The attacker determines
that targets in the company/agency often visit a particular web site,
called the watering hole in this scenario. It may be easier to infectthatsite than to attack the
individuals directly, and then to take advantage of the real target.
The
author remarks that social engineering is often preferred to more
difficult hacking, because it is usually easy, fast, and effective.
That is true for someone with the right skill set. Many hackers are not
accomplished actors, but social engineers need to be. Think about it
the next time someone calls your home "from Microsoft" and tells you
they have noticed problems on your computer. Then hang up the phone,
there is no point in talking to them.
The
following is a list of six attitudes/approaches a social engineer might
take when making a request for a password change.
Authority - pretend to be someone who has the right to make
the request
Intimidation - in an oppressive environment, it may be easy
to use fear of what would happen if the request is not granted
Consensus/social proof - tell a believable lie that others
have granted this request in the past
Scarcity - tell the victim that you are short on time, or
you have to get this before it can't be done
Urgency - tell the victim that you need this right now, and
that you will complete the red tape later
Familiarity/Liking - act like one of the family, especially
one who appreciate the work the victim does for the company
Trust - use details about the organization to make it seem
like you are a part of it
Someone
who is practiced in manipulating people may be able to choose between
these approaches easily, based on the attitude of the person on the
other end of the phone, email, or messaging application. A skilled
operator may be able to do much more if they can manipulate the person
they are working on. Offering the person coffee, chocolate, or othersimple
giftsmay make it
easier to get them to do what you want.
The
termmalwaremeans any software that
does something harmful to a system. The CSS 211 text breaks malware in
tothree types,
based onwhichof three objectives the
malware follows:infectinga system,concealingits actions, or bringingprofitfrom its actions.
Infecting
Malware
Infecting
software is divided intovirusesandworms. Avirustypically requires a
carrier to infect a system, like an email, an instant message, or a
program that the user runs. A virus typically has two tasks: replicate
and damage. Some viruses have historically been rather benign, just
displaying a message to the user. The ones that cause damage to a
system are categorized by the method they use or the damage they cause:
file infector - the virus attaches itself to an executable
file; it is triggered when that file is run
resident (aka terminate and stay resident) virus - loads
into RAM, then does its damage based on actions the user takes through
the operating system
boot virus - infects the Master Boot Record of a hard disk,
which means the virus will load and run the next time the hard drive is
used to boot the computer; typically the virus will trash the hard drive
companion virus - found more on pre-Windows systems, loads
a program with a name similar to that of a real program, but with a
preferred extension so the companion (malware) program is run when the
user tries to run the real program from a command line; this seems like
it might have a resurgence in Windows Server 8 which has more command
line features
macro virus - a script virus that is typically placed in a
Microsoft Office file
Virus
protection programs typically recognize viruses bysignatures,
the way they look. This recognition method is complicated bymetamorphicviruses that change the way
they look over time, andpolymorphicviruses that change their
signature and their encryption methods.
A
major difference between worms
and viruses: once it is started, a worm can replicate itself across
connected computer systems by itself. It does not need a carrier. A
worm can attack any running computer that is connected to a network
that an infected computer is on: it does not require cooperation from
the user. Worms are more dangerous due to their self driven nature.
Once a worm is detected in a system, each device on the network must be
scanned for it, cleaned if necessary, and prevented from accessing the
network until this is done.
Concealing
Malware
The
text lists four types of malware that are first concerned with
remaining hidden from the user and from security personnel:Trojan horses,rootkits,logic bombs(not a terribly accurate
name), andprivilege
escalators.
Trojan
horseprograms
are named for themyth
of a wooden horsethat
was used to smuggle Greek soldiers inside the walls of Troy. A program
of this sort has two aspects: what we are told it does, and what it
actually does. In some cases,Trojansmay do what they say, but
they also have a hidden malicious purpose which is what puts them in
this category. A classic ploy used by Trojans is to pretend not to be a
program at all. The text gives an example of a file that has a .exe
extension, but the characters .docx occur in the name immediately
before it. If a Windows computer is using thedefault(idiotic!) configuration,
the actual .exe extension will behiddenfrom the user, and the user
may think it is only a Word document.
Students
should become familiar with the methods to turn off "Hide
extensions for known file types" in common versions of Windows.
The
text continues to discussrootkits.
At first, the rootkit sounds like a resident virus that replaces
operating system files with its own. There are similarities, but one
difference is that a rootkit is much moreextensive,
and another is that the rootkit obtainselevated privilegesto carry out itsstealthactions. The resident virus
may replaceoneprogram on the computer,
which will then do some harm to the system. The rootkit opens a door forlotsof malware. How?
Have
you ever seen a movie about a robbery in which the robbers sendfalse informationto security staff (like a
video loop) that shows all is well, while the robbers proceed to steal
whatever they want? That's kind of what a rootkit does. The rootkit
assumes the role of a trustworthy part of the operating system. It will
stand between theuserandsecuritysoftware on one side, and
othermalwaredoing whatever it wants on
the other.
Theintentionof the rootkit programmer
may not be malicious. The text discusses the example of Sony, who in
2005 installed a rootkit installer on their audio CDs which had the
goal of preventing computer users from copying those CDs. Their intent
was not malicious, but it changed a PC without the user's consent, and
it made the PC vulnerable to security exploits. The first is just
wrong, and the second is worse. As the saying goes, the road to hell is
paved with good intentions.
Detection
and removal of a rootkit can be difficult, but it is worth trying
before following the text's scenario offormattingthe hard drive andstarting over.
TheSophoscompany, for example, has afree
downloadthat is
supposed to be good atfindingandremovingthese problems. Here isanotherone fromKaspersky.
Students should do an internet search for tools from the vendor of
their choice.
Alogic bombis not a bomb. It is
malware that waits for alogical
conditionto
occur before it executes its mission. A classic case was theMichelangelo
virusthat only
executed on the birthday of Michelangelo Buonarroti (which, aseveryoneknows, is March 6th). Other
examples are given in the text. Some act like "dead man switches",
where the malware engages if it is not regularly reset, or if a
person's ID is removed from a network. A logic bomb can be hidden in a
much larger program, making it difficult to find.
Privilege
escalationis
a technique, not a type. The technique is commonly use by system
administrators. They log in to networks with an ID that has normal
privileges on the system, but they execute administrative tasks with an
ID that has elevated privileges. Of course, these are authorized users
who are supposed to do such things. Whenmalwaredoes this, it may do it in
one of two ways. It may use anexploitto escalate itsownprivileges, or it may
access the privileges ofanother
accountwhich
are greater than its own.
Malware
for Profit
The
first type in this category isspam.
Spam that is sent for profit is sent to as many addresses as possible
to maximize the potential of getting a sale. The cost to the spammer is
minimal (until they are arrested) and the returns are very large.
Some
techniques to make a spam email that will get by spam filters in many
security products:
image spam - words that would trigger spam filters are
presented in images (graphic art) instead of in text to avoid alerting
the spam filter that the email is about a trigger subject
GIF layering - the graphics that present the message are
placed in the message in layers, so a human reader will see the
intended message, but a spam filter will not notice the subject matter
word splitting - trigger words are shown as graphics, and
the graphics have white (or other color) bars running through them to
avoid optical character recognition, but still allow a human being to
recognize the message
geometric variance - the background, the font, and other
characteristics are varied from one spam message to another so the
messages from the spammer are not recognized as identical messages
Spywareis defined as software thatviolatesa user's security. More
informatively, spyware typically has one of three missions:advertising,collectionof personal information, or
changingconfigurationsettings. If other software
did what spyware doeswiththe user's permission, that
software wouldnotbe spyware. So the issue is
not what it does, as much as the fact that it is done in secret.
Another
type of malware isadware.
As its name suggests, adware is concerned with presenting
advertisements to the computer user.
The follow selected notes are taken from CSS 211, Introduction to Network
Security.
In
case you have forgotten (or do not know) some of these terms:
packet-
a generic term for message units on a network; all messages are broken
into pieces (packets), numbered, and sent across the network to be
reassembled into the original email, file, image, etc.
switch-
a device that connects assets to a network, a switch is a device that
several network assets (computers, printers, other connectivity
devices) can be plugged into; a switch receives packets, notes their
intended recipient, and sends them on a path that will lead to that
recipient without sending the signal to uninterested devices
router-
a device that connects networks together; the purpose of a router is to
provide or deny access to other networks
NIC-
Network Interface Card, the network connection interface (either
installed or built in) on network devices; a wireless (radio frequency)
NIC is still a NIC even if you don't plug in to connect to a network
Ethernet-
the most commonly used network methodology; it is based on contention,
which means that devices listen for a quiet line, then transmit their
signals, which results in collision of signals at times, which slows
the network throughput. Ethernets are typically limited to one
transmission at a time across any single LAN segment, and one broadcast
transmission at a time across a single network.
port-
a port can be a physical connection point in a device (like a port in a
switch) into which you plug connecting media (like an RJ-45 connector
on a UTP cable); a port can also be a location in server memory where a
program or service is running
Media
vulnerabilities
The
text tells us that we could configure amanagedswitch (one that can run
administration software) tomirrorall traffic for one or more
ports.Port
mirroringsends
that traffic to another specific port as well, where we would connect a
workstation to monitor the packets for signs of trouble. We would run a
protocol analyzer program on that workstation (such as Wireshark) to
determine what might be significant about traffic flowing through that
switch.
Another
method for monitoring traffic is using a network tap. Tap is an unusual
acronym: by convention it is not capitalized. It stands for test access
point which is what it is for: you install the tap between any two
network devices to monitor the traffic that flows between them.
The
author discusses attackers gaining access to a network's medium. He
makes a point that an attacker could, for instance, get access to
network cable through anacoustic
tile ceiling. His point is that such tiles are not secure, and
network cablemaybe run through that space.
Another way would be to look for wire that isenteringorleavinga building. In either of
these cases, the attacker could wire their own connection jack. With
standard Ethernet cable, however, this could be a problem for the
attacker. A length of UTP cable is meant to run from one device
directly to another. It is not like power cable, where you could break
into the circuit and steal some electrons. If you break the cable, you
make the connection to the switch, but you make the jack for the device
unusable while you are tapped in. A better method would be the author's
third idea: find anunused
network jack. Actually use it, or wire your break in
connection on that run of cable. (A wary administrator would make sure
that the port that jack connects to is disabled while the jack is not
assigned to a user. This is not always done.)
In
an example, a network administrator was advised to set the managed
switch to mirror traffic to a specific port. What will the attackers
do, assuming they do not have access to manage the switch? Several
methods could be used:
switch flooding - also calledMAC
flooding, the attacker feeds many MAC addresses (the unique
hardware addresses of NICs) to the switch, which can result in the
switch abandoning its programming and sending all received packets out
every port
MAC address impersonation - the attacker spoofs his MAC
address, pretends to have the address of a device whose traffic he
wants to receive
fake network redirect - the attacker sends signals
indicating that another device is on a separate network, and that his
device is the gateway to it
router advertisements - the attacker sends router
advertisements (announcements about services and connections available)
to get traffic routed through him
fake device redirect - another method to impersonate a real
device on the network
The
text lists some methods to overcome the above exploits: set the switch
to accept only one port assignment for each MAC address, set the switch
to allow only onespecificMAC address to use each
port, set the switch to use configured lists (entered by the
administrator, or provided by a server) instead of dynamically learning
what MAC addresses are on each port.
Device
vulnerabilities
Many
devices are protected by a combination of user ID and password. The ID
is generally less secure, often being a guessable combination of first
and last name. The password presents an opportunity to set something
hard to guess, but that also makes it hard to remember, which causes
many users to write it down and leave it in an accessible location,
such as on a Post-it note on their monitor.
The
more passwords a person has, the less often each is used, the more
likely it is that the password will be forgotten. Add the fact that
many systems require changes in password on a regular schedule, and
forbid the use of any of their last ten passwords as the next password.
This leads to users trying to go through the entire list of ten to get
back to their desired password on the change date. Administrators, in
turn, can set a minimum age for password change, which prevents the
user from running through a list in one day (or longer).
The
text presents a lists of bad practices regardingpasswords:
using a common word as a password - this makes the system
vulnerable to a dictionary attack: the attacker simply uses a program
that tries every word in a list (usually a dictionary file)
not changing passwords - if passwords are not changed
regularly, an attacker need only find out the password once to continue
to use the system
short passwords - even if they are not real words, short
passwords are easier for a brute force attack to break than longer ones
personal information in passwords - attackers often use
social engineering skills to learn about the person whose password they
are trying to guess; names of family and pets, birth dates, and
anniversaries are all bad choices since they are often easy to get
setting the same password on all accounts - this is easy
for the user, but offers great returns to the attacker
writing down the password - this is generally against every
security policy written, as is giving your password to anyone else, but
people do it regularly
The
text discusses default accounts. They exist on most systems, and most
administrators have been told to rename them, but not all do. For
example, how do you break into a router like the ones most people have
at home? If you have access to it, first you check on the Internet to
find the default administrator ID and password for that brand. Then you
press the reset button. Then you simply take over the router. On a
system where the administrator has never changed the default account,
or changed the default password, you don't even need a reset button.
(Do you suddenly want to make some changes to your wireless router?)
There is a common misunderstanding about the meanings of the
words authentication and authorization. A network can be protected by
both kinds of processes.
Authenticationis the process of proving
your stated identity to a system. This is commonly done by stating your
identity (entering a user ID), then providing the associated proof
(entering a password). This is the classic case of authentication bysomething you know. Authentication
is also commonly done by producing a card with computer chip or a
magnetic stripe that has been properly coded (something you have). Less
frequently, is is done by fingerprint, retinal scan, face or hand print
scan (something you are) or by
moving your finger over a scanner in a particular pattern (something you do)
Authorization- The process ofgrantingordenyingpermissions toauthenticatedusers. This is a step that
happens in the background. Users are typically unaware of it until
something doesn't work. The text reminds us that a common practice is
to follow the principle of least privilege, granting only those
permissions that permit a user to do an assigned job, and either
denying or choosing not to grant other permissions. The text mentions
that permissions are commonly assigned togroups, but does not
mention that it is done to make authorizationsuniform,consistent, andmanageablefor those groups
Review the material in Chapter 13 about authentication
protocols. Note that CHAP and MSCHAP are no longer considered secure.
Note the uses of EAP, Kerberos, and 802.1x protocols.
Know
some facts about PKI. Public
Key Infrastructure is not the only code system used in business or
government, but it is widely used by both, and by individuals to
protect personal or sensitive information. The text points out that
there is a difference between PKI and public key cryptography.
Public keycryptographyis a system in which each
entity hastwocryptographic keys,eachof which is the only means
todecryptwhat wasencryptedby theother.
Public KeyInfrastructureis a system ofusingpublic key cryptography,distributingkeys through trusted
sources, andrevokingkeys that have been
compromised.
Public
key cryptographyis a system that uses two
encryption/decryption keys. An entity, whether a person or company,
must have two keys in this system: apublickey and aprivatekey. They are created so
that whatever isencrypted
with onemust bedecrypted
with the other.
The owner of the keys gives thepublickey toanyonewho wants it, but keeps theprivatekeysafefrom anyone else.This
is howSSL
encryptionon a web site works. I
connect to a vendor's web site. I obtain the vendor's public key by
making the secure connection. My browser encrypts my credit card data
with the vendor's public key and sends the ciphertext to the vendor. If
the vendor's private key is secure, the vendor is the only one who can
decrypt the data sent through the public key.
That's
the way it is supposed to work in a perfect world. However, attackers
have created a need for a security net around the process. In a way,
PKI is the success story of businesses that have grown up around this
technology. The text lists components of public key infrastructure on
pages 289 and 290:
Certificate
authority- An
entity, typically a company, that creates digital certificates, which
are verified statements of a public key and its owner. They may also
create the key pair for the customer, and are responsible for storing
and providing certificates as needed.
Registration
authority- An
entity that receives requests for certificates, verifies the requests
are from recognized users (such as merchants processing credit cards),
and forwards the requests to certificate authorities.
Certificate server-
A service, or the device that runs the service, that responds to
certificate requests.
Certificate repository- A database for storing
digital certificates, sometimes including records of revoked
certificates.
Certificate revocation list- A list of certificates
that are no longer valid for various reasons.
Certificate
validation- A
process used to make sure that a request submitted for certificate
creation actually came from the organization it appears to come from,
and that the key submitted in the request is theirs.
Key Recovery Service- A service that stores and
recovers encryption keys in case they should be lost, for example in a
system crash or attack.
Time server-
A service that provides a standard time reference, used to mark the
time of requests and responses. Timestamps may be used to judge whether
requests are being processed by the entity we expect to process it.
Signing
server- In a
system that is increasingly automated, this is a central control over
related services.
Basic
Encryption and PKI
Some
encryption systems useonekey for encryption and
decryption, some usetwo.
Single key systems aresymmetricsystems, and the whole
system is worthless if the key is broken by a hacker. Two key systems
areasymmetricsystems.
Algorithms
use a set of values or characters to createkeysand toencryptmessages with those keys.
Thesetof values is thekeyspace. Larger
keyspaces mean more possible keys from the algorithm. This is what
makes it harder to guess the actual contents of a key. Think about
that. We rely on secrecy about the algorithm and on the complexity of
the keyspace to make security of this type possible. And unless we do
something special with the algorithm, most are known, so we only have
to know the key and right algorithm to be able to decrypt a message
sent in symmetric key system. Are you worried now?
In
its discussion of symmetric
systems, one of our texts makes an interesting point. To address
the problem of a symmetric key being exposed, we should consider how
manydifferentkeys we can make with such
a system. We need toswitchkeys from time to time for
security, and we want make sure we have adifferentkey for everyuseron our system. That is only
for communication between each user and the main system. The text
explains that this sort of system would also require adifferent keyfor everyconceivablepairof users on the system,
assuming that they all need to communicate securely with each other.
The text provides a formula for the number of keys we would need in a
system like that: number of users times (number of users minus 1)
divided by two. If we had a thousand users, how many keys does that
system have to make, just to work for a while? Four hundred ninety nine
thousand, five hundred keys. It should be obvious that we also want the
system to store those keys and make sure none are repeats. Oh, my.
Moving
on toasymmetric
encryption, the text explains the text explains public key
encryption, as noted above. It seems odd, at first, that a public key
can be given to everyone. It takes a moment to get the concept the
first time. The keys are created in pairs, and you give your public key
to me (or everyone who needs a copy). You keep theprivatekey secret. This enables me
(your customers) to send encrypted traffic to you that only you can
read. To turn that channel around, you need my public key, so you can
send an encrypted message only I can read. It is possible for you to
encrypt a message with your private key, and send it to me, but anyone
intercepting that message would be able to decrypt it. A message sent
to me that way proves you have the matching key, but it does not prove
you are who you say you are, unless Itrustthe method by which I
received the public key copy.
Thedifferencebetween thenumber of keysneeded for secure
transmission insymmetricversusasymmetricsystems is shown in a table
on page 294. Compare the example above (a thousand users) in the two
systems. In anasymmetricsystem we only needtwo thousand keys.
Using an asymmetric system with a large keyspace means we do not have
to switch systems just because we increase our user population by a
factor of ten, or because a particular key was exposed.
Digital
Certificates
The
following list is the standard contents of adigital certificate.
The most critical factor is the public key, but the other factors are
required by theX.509
standard. The link to Wikipedia tells us that X.509 is an
international standard for PKI. Some of the elements included in that
standard are:
Version Number
Serial Number
Signature Algorithm ID
Issuer Name
Validity period
Not Before
Not After
Subject name
Subject Public Key Info
Public Key Algorithm
Subject Public Key
Issuer Unique Identifier (optional)
Subject Unique Identifier (optional)
Extensions (optional)
Keys
aredestroyedwhen they arecompromisedand when they reach theendof their intended life.
This is more about private keys than public keys. Note thatlifetimeshould be related to thesensitivityof the use the key serves.
More sensitive equals shorter life.
What
PKI is and is not
PKI
can providesecurity,integrity, andnonrepudiation. It
is used for financial transactions and downloaded file integrity. PKI
is meant to be one layer of security.
It
doesnotincludeauthorizationfunctions. It does not
prove the identity of someone who isonlyusing thepublickey in a key pair.
Security Content Automation Protocol (SCAP) - A protocol developed by
NIST that supports tools and methods fo sharing common information.
Simple Network Management Protocol (SNMP) -This
protocol has been used to manage network devices for many years. A
security flaw in early versions was that commands sent to devices had
to include acommunity
string,
aprefixthat gave the command
permission to manage the device. The problem was that thedefaultstrings were well known.
(If the video below starts at the beginning, skip ahead to 6 minutes
and 35 seconds.)
Message integrity.authenticationof senders, andencryptionwere added in version 3 of
SNMP. Obviously, Star Fleet was using an earlier version at the time of
this encounter.
Web-Based Enterprise
Management(WBEM)- The text tells us that
this is a set of standards for the operation of web based tools,
developed by the Distributed Management Task Force. The link in this
bullet point leads to their site. So, not exactly a tool as much as
some standards for how tools should work.
Digital Signatures- A digital signature is
something that can accompany a file (such as a download) that offers
proof of the file's source and integrity.
SecuringVPNs- The text recommends we useNAT,firewalls,strong authentication, anddata encryptionfor
these connections. The text says that encryption is often done with IP
Security Protocol (IPsec). It is implemented at a lower layer in the
ISO network model (Network layer) than PGP (Application layer),
Kerberos, or SSL (both at the Session layer). As such, it is more
transparent to processes that occur at higher layers, to users, and to
software running on the workstation. It works well with several
security protocols, so it allows you to customize the solution.
File Transfer Protocol(FTP) -FTPdoes
what it sounds like, it moves or copies files in a TCP/IP environment;
the text describes its problem: no encryption, which makes it
vulnerable to man-in-the-middle attacks The text recommends using a secure protocol instead when updating web sites or moving sensitive data.Secure FTP(SFTP) can use either of thenext two protocolsas a basis.
Secure Sockets Layer(SSL)/Transport Layer Security(TLS) - You have probably usedSSLevery
time you have made a purchase across the Internet. The vendor site
sends a public key to your computer, your computer encrypts the
transaction, and the resulting SFTP data stream can only be decrypted
with the vendor's private key. (You should know this concept very well
by now.) The text explains thatTLSis an improvement over SSL.This linkgoes to a Wikipedia article that discusses the same point, as well as the uses of TLS which includeemail.
Secure Shell(SSH) -SSHis
another method used to implement SFTP. This is a Unix based protocol,
that can be used to replace Telnet, and it is used to provide secure
login, file operations, and command line operations on the remote
server. Management of switches, routers, and other networking devices should be done withnonstandard IDsandpasswords, using a protocol that allows secure access such asSecure Shell(SSH).
Web protocols- such asHTTPSandSHTTP, provide SSL versions of HTTP. Note the discussion of ports:HTTPtypically uses port80, whileHTTPStypically uses port443.
IP Security(IPsec)
- IPsec is described as a preferred prottocol because it is implemented
at a lower layer in the ISO network model (Network layer) than PGP
(Application layer), Kerberos, or SSL (both at the Session layer). As
such, it is more transparent to processes that occur at higher layers,
to users, and to software running on the workstation. The text
discusses the virtues of IPsec for several pages.
S/MIME -uses digital certificates to protect email. This protocol is built into most email applications.
Go over the troubleshooting material at the end of chapter 13 to get a feeling for applying some of these concepts.
Week 7 Assignment: Labs for Chapter 13 (and all the chapters after that)
Complete as many labs as you can, as soon as you can.
For this week, concentrate on doing the labs in Chapter 13 of the
TestOut lessons. Repeat the labs until you score at least 80% on them.
When you have done what you can for this week,
capture a screen that shows your current progress, and submit it to me
as this week's report of your progress.
