
Guide to Operating System Security
Chapter 1: Operating Systems Security
Keeping Computers and Networks Secure

Objectives

- Explain what operating system and network security means
- Discuss why security is necessary
- Explain the cost factors related to security
- Describe the types of attacks on operating systems and networks
- Discuss system hardening, including features in operating systems and networks that enable hardening

Guide to Operating System Security

What Is Operating System and Network Security?

- The ability to reliably store, modify, protect, and grant access to information, so that information is available only to designated users

Operating Systems and Security

- Operating systems
  - Provide basic programming instructions to computer hardware
  - Interface with user application software and the computer's BIOS (firmware) to allow applications to interact with hardware
- Security issue
  - Potential to provide security functions at every level of operation

Operating System Components

- Application programming interface (API)
- Basic input/output system (BIOS)
  - Basic form of security: configure a BIOS password (caveat: this stops casual changes to boot settings, but not an attacker with physical access who can reset the firmware or remove the disk)
- Kernel
- Resource managers
- Device drivers

[Figure: Operating System Functions and Components]

Computer Networks and Security

- Computer network
  - A system of computers, print devices, network devices, and computer software linked by communications cabling or by radio and microwave links
- Security issue
  - All networks have vulnerable points that require security

Types of Networks

- Classified by reach and complexity
  - Local area networks (LANs)
  - Metropolitan area networks (MANs)
  - Wide area networks (WANs)
  - Enterprise networks

[Figure: Resources in an Enterprise Network]

Careers in Information Security

- The number of information security jobs has grown by 100% per year since 1998
- Potential for healthy salaries and organizational advancement

Why Security Is Necessary

- Protects information and resources
- Ensures privacy
- Facilitates workflow
- Addresses security holes and software bugs
- Compensates for human error or neglect

Protecting Information and Resources

- Security protects the information and resources of:
  - Businesses
  - Educational institutions
  - Government
  - Telecommuters
  - Personal users

Ensuring Privacy

- Potential for serious legal and business consequences when an intruder accesses private information

Facilitating Workflow

- Potential for loss of money, data, or both if a step in the work process is compromised because of a security problem

Addressing Security Holes or Software Bugs

- After acquiring a new OS, software, or hardware:
  - Test rigorously for security and reliability
  - Check the security defaults (many products ship with unneeded services enabled or default credentials set)
  - Install patches immediately

Compensating for Human Error or Neglect

- Use an OS that enables the organization to set up security policies
- Develop written security policies
- Implement training
- Test the security of new operating systems and software

[Figure: Setting Up Local Security Policies]

Cost Factors

- Cost of deploying security
  - Should be an element in total cost of ownership (TCO)
- Cost of not deploying security

Types of Attacks

- Standalone workstation or server attacks
- Attacks enabled by access to passwords
- Viruses, worms, and Trojan horses
- Buffer attacks
- Denial of service
- Source routing attacks
- Spoofing
- E-mail attacks
- Port scanning
- Wireless attacks

Standalone Workstation or Server Attacks

- Easy to take advantage of a logged-on computer that is unattended and unprotected
- Avoid by setting up a password-protected screen saver with a short timeout, and by locking the screen whenever stepping away

Attacks Enabled by Access to Passwords

- Users defeat password protection by
  - Sharing passwords with others
  - Writing them down and leaving them in view
- Attackers have sophisticated ways of gaining password access (guessing and dictionary attacks, sniffing cleartext logons, cracking captured password hashes, social engineering)

[Figure: Attempting to Log On to a Telnet Account (Telnet transmits the account name and password in cleartext)]

Viruses

- Virus
  - Able to replicate throughout a system
  - Infects a disk or file, which then infects other disks or files
  - Some cause damage; some do not
- Virus hoax
  - An e-mail falsely warning of a virus

Worm

- Endlessly replicates on the same computer, or sends itself to many other computers on a network
- Continues to create new files but does not infect existing files

Trojan Horse

- Appears useful and harmless, but does harm
- Can provide an attacker with access to or control of the computer

Buffer Attacks

- The attacker tricks software into writing more data into a buffer than the buffer can hold (buffer overflow)
- The excess overwrites adjacent memory; it can carry malicious code or redirect the program's execution to it

Denial of Service (DoS) Attacks

- Interfere with normal access to a network host, Web site, or service by flooding the network with:
  - Useless traffic, or
  - Malformed frames or packets that the receiving network service cannot handle
- Distributed DoS (DDoS) attack
  - An attacker uses one computer to direct many compromised computers to launch attacks at one or more targets

Source Routing Attack

- The attacker uses the IP source-routing option to dictate the path a packet takes, usually together with a forged source address, so that the packet appears to come from a different source and replies follow the attacker's chosen route rather than normal routing
- Can be used to breach a privately configured network
- A form of spoofing; routers and hosts should drop source-routed packets

Spoofing

- The address of the source computer is changed to make a packet appear to come from a different computer
- Can be used to initiate access to a computer
- Can appear as just another transmission to a computer from a legitimate source
- Countered at the network border by ingress filtering: drop packets whose source address could not legitimately arrive on the interface they came in on
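The source routing and spoofing slides above both describe packets whose IP header lies about where they came from or how they should be routed. The following Python block is an added example and not part of the original deck: it builds a minimal IPv4 header (constructed test input), parses it, detects the loose and strict source-route options, and applies the border rule just described, dropping packets that claim an internal source address on the external interface. The internal prefix 10.0.0.0/8 and the interface flag are assumptions made for the example.

```python
import ipaddress
import struct

# IPv4 option type codes for source routing (RFC 791): loose and strict source-and-record-route.
LSRR, SSRR = 131, 137
# Assumed internal address range for the example border filter.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def build_ipv4(src, dst, options=b"", proto=6):
    """Build a minimal IPv4 header with no payload (constructed input for testing only)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)      # pad with End-of-Options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


def parse_ipv4(pkt):
    """Return the fields a filter cares about: source, destination, protocol, raw options."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "options": pkt[20:ihl]}


def option_types(options):
    """Walk the options field (type, length, data ...) and return the option type codes present."""
    types, i = [], 0
    while i < len(options):
        t = options[i]
        if t == 0:                    # End of Options List
            break
        if t == 1:                    # No-Operation: a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed IP option")
        types.append(t)
        i += options[i + 1]           # the length byte counts type, length and data
    return types


def ingress_decision(pkt, arrived_on_external, internal=INTERNAL):
    """Border filter: reject source-routed packets and packets whose source address
    is inconsistent with the interface they arrived on (address spoofing)."""
    hdr = parse_ipv4(pkt)
    opts = option_types(hdr["options"])
    if LSRR in opts or SSRR in opts:
        return "drop:source-routed"
    if arrived_on_external and hdr["src"] in internal:
        return "drop:spoofed-internal-source"
    if not arrived_on_external and hdr["src"] not in internal:
        return "drop:spoofed-egress-source"
    return "accept"


if __name__ == "__main__":
    # LSRR option: type 131, length 7, pointer 4, one 4-byte hop address (constructed).
    lsrr = bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("10.0.0.9").packed
    for pkt, external in [(build_ipv4("10.1.2.3", "10.9.9.9"), True),
                          (build_ipv4("203.0.113.5", "10.9.9.9"), True),
                          (build_ipv4("203.0.113.5", "10.9.9.9", lsrr), True)]:
        print(ingress_decision(pkt, external))
```

The egress rule (a packet leaving the internal interface must carry an internal source) is the mirror image of the ingress rule and stops the site's own hosts from being used to launch spoofed floods.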

E-mail Attack

- An attached file may contain:
  - A virus, worm, or Trojan horse
  - A macro that contains malicious code
- The e-mail may contain a Web link to a rogue Web site

Port Scanning

- The attacker determines a live IP address, then runs port scanning software (e.g., Nmap or Strobe) to find a system on which a key port is open and not in legitimate use
- To block access through open ports:
  - Stop OS services or processes that are not in use
  - Configure a service to start only manually, with your knowledge
  - Unload unnecessary NLMs (NetWare Loadable Modules)
  - Periodically scan your own hosts and compare the listening ports with the list of services each host is supposed to offer
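The slide above describes the attacker's side (find an open port) and the defender's side (stop services that should not be listening). The Python block below is an added example, not code from the original deck: it performs a TCP connect scan against loopback and compares the result with an allowlist of expected ports. To run offline it starts its own throwaway listener as a stand-in for a forgotten service; the allowlist contents are an assumption for the example.

```python
import socket
import threading
from contextlib import closing


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a completed three-way handshake means something is listening.
    This is the noisiest scan type (every probe shows up in the target's logs)."""
    found = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def unexpected_listeners(open_ports, allowlist):
    """Open ports that are not on the list of services this host is meant to offer.
    Each one is a service to stop, set to manual start, or firewall off."""
    return sorted(set(open_ports) - set(allowlist))


def start_listener(host="127.0.0.1"):
    """Stand-in for a forgotten service: listen on an ephemeral port, accept and close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass                       # listener socket closed; end the thread

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def bound_but_closed(host="127.0.0.1"):
    """A socket that is bound but never calls listen(): connections to it are refused,
    so the port reads as closed. Keeps the port reserved for the duration of the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, rogue_port = start_listener()
    keep, quiet_port = bound_but_closed()
    found = scan_ports("127.0.0.1", [rogue_port, quiet_port])
    # Assumed allowlist: this host is only supposed to offer SSH and HTTPS.
    print("open:", found, "unexpected:", unexpected_listeners(found, allowlist=[22, 443]))
```

Run as a scheduled job against each server, the comparison step is what turns a scanner into a hardening check: the interesting output is not the open ports but the difference between them and the documented service list.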

[Figure: Sample TCP Ports]

[Figure: Using the kill Command in Red Hat Linux]

[Figure: Managing Mac OS X Sharing Services]

Wireless Attacks

- Generally involve scanning multiple channels
- Key elements
  - Wireless network interface card
  - Omnidirectional antenna
  - War-driving software
- Difficult to determine when someone has compromised a wireless network

Organizations That Help Prevent Attacks

- American Society for Industrial Security (ASIS)
- Computer Emergency Response Team Coordination Center (CERT/CC)
- Forum of Incident Response and Security Teams (FIRST)
- InfraGard

Organizations That Help Prevent Attacks (Continued)

- Information Security Forum (ISF)
- Information Systems Security Association (ISSA)
- National Security Institute (NSI)
- SysAdmin, Audit, Network, Security (SANS) Institute

Hardening Your System

- Taking specific actions to block or prevent attacks by means of operating system and network security methods

General Steps to Harden a System

- Learn about OS and network security features
- Consult the Web sites of security organizations
- Deploy only services and processes that are absolutely necessary
- Deploy dedicated servers, firewalls, and routers

General Steps to Harden a System (Continued)

- Use the OS features that are provided for security
- Deploy as many obstructions as practical, in layers (defense in depth), so that no single control is relied on alone
- Audit security regularly
- Train users to be security conscious
- Monitor OSs and networks regularly for attackers

Overview of Operating System Security Features

- Logon security
- Digital certificate security
- File and folder security
- Shared resource security
- Security policies
- Remote access security
- Wireless security
- Disaster recovery

Logon Security

- Requires a user account and password to access the OS or network
- The user account provides access to the domain

[Figure: Objects in a Domain]

Digital Certificate Security

- Verifies the authenticity of a communication, so that the communicating parties can prove they are who they say they are

File and Folder Security

- Lists of users and user groups can be given permission to access resources
- Attributes can be associated with resources to manage access and support the creation of backups

Shared Resource Security

- Ways to control access to resources:
  - Use a list of users and groups that should be configured
  - Use domains
  - Publish resources in a directory service (e.g., Active Directory or NDS)

[Figure: Using an Access List]

Security Policies

- Security default settings that apply to a resource offered through an OS or directory service
- May apply only to the local computer, or to other computers as well
- May specify, for example, that user account passwords must be a minimum length and be changed at regular intervals

Remote Access Security

- Enable remote access only when absolutely necessary
- Many forms, including:
  - Callback security
  - Data encryption
  - Access authentication
  - Password security

Wireless Security

- Implement Wired Equivalent Privacy (WEP)
  - Caveat: WEP has since been shown to be cryptographically broken (its keys can be recovered from captured traffic in minutes) and is no longer adequate; WPA2 or WPA3 supersedes it
- Create a list of authorized wireless users based on the permanent (MAC) address assigned to the wireless interface in the computer
  - Caveat: MAC addresses travel in the clear and are easily cloned, so this is a weak control on its own

Disaster Recovery

- The use of hardware and software techniques to prevent the loss of data
  - Perform backups
  - Store backups in a second location
  - Use redundant hard disks
- Enables restoration of systems and data without loss of critical information

Overview of Network Security Features

- Authentication and encryption
- Firewalls
- Topology
- Monitoring

Authentication

- Using a method to validate users who attempt to access a network or resources, to ensure they are authorized
- Examples
  - User accounts with passwords
  - Smart cards
  - Biometrics

Encryption

- Protects information sent over a network by making it appear unintelligible
- Generally involves using a mathematical key

Firewalls

- Software or hardware placed between networks that selectively allows or denies access

Topology

- Different designs yield different results in terms of security planning and hardening
- Also affects security in terms of where specific devices are placed

Monitoring

- Involves determining the performance and use of an OS or network
- Enables you to determine the weak points of a system or network and address them before a problem occurs

Summary

- Operating system and network security
- Why such security is vital
- Careers in information security
- The cost of security; the cost of not having security
- Common types of attacks
- Techniques for guarding against attacks on operating systems and on networks

Guide to Operating System Security
Chapter 2: Viruses, Worms, and Malicious Software

Learning Objectives

- Explain how viruses, worms, and Trojan horses spread
- Discuss typical forms of malicious software and understand how they work
- Use techniques to protect operating systems from malicious software and to recover from an attack

Viruses, Worms, and Trojan Horses

- Different forms of malicious software (malware)
- Intended to
  - Cause distress to a user
  - Damage files or systems
  - Disrupt normal computer and network functions

Viruses

- Programs borne by a disk or a file that have the ability to replicate
- Typically affect
  - An executable program
  - A script or macro
  - The boot or partition sector of a drive

How Viruses Spread

- Transported from one medium or system to another
- Replicated throughout a system (e.g., W32.Pinfi)

Virus Classification

- How they infect systems
  - Boot or partition sector
  - File infector
  - Macro
  - Multipartite

Virus Classification (Continued)

- How they protect themselves from detection or from a virus scanner
  - Armored
  - Polymorphic
  - Stealth
  - Companion
- Benign or destructive

Worms

- Programs that replicate on the same computer or send themselves to many other computers
- Can open a back door

How Worms Spread

- Buffer overflow (e.g., Code Red and Code Red II)
- Port scanning or port flooding
- Compromised passwords

Trojan Horses and How They Spread

- Programs that at first appear useful, but can cause damage or provide a back door
- Examples
  - Backdoor.Egghead
  - AOL4FREE
  - Simpsons AppleScript Virus

[Figure: Locations for Viruses, Worms, and Trojan Horses (three figures)]

[Figure: Location for a UNIX/Linux System]

[Figure: Location for a Windows XP System]

Typical Methods Used by Malicious Software

- Executable methods
- Boot and partition sector methods
- Macro methods
- E-mail methods
- Software exploitation
- Spyware

Executable Methods

- Files that contain lines of computer code that can be run
  - Examples: .exe, .com, .bat, .bin, .btm, .cgi, .pl, .cmd, .msi
- Can infect the source or execution code of a program

Boot and Partition Sector Methods

- Particularly affect Windows and UNIX systems
- Typically infect or replace the instructions in the Master Boot Record (MBR) or the partition boot sector, so the virus runs before the OS does
- Can corrupt the address of the primary partition
- May move the boot sector to another location if the size of the virus exceeds the space allocated for the boot sector
- Eradication typically involves recreating the MBR and partition boot sector instructions

Macro Methods

- A virus can infect a macro and spread each time the macro is used
- Software should be configured so that macros are disabled unless digitally signed by a trusted source

[Figure: Macro Protection]

E-Mail Methods

- Sent as attachments to e-mail

Software Exploitation

- Particularly aimed at new software and new software versions
- Examples of potential vulnerabilities
  - DNS services
  - Messaging services
  - Remote access services
  - Network services and applications

Spyware

- Software placed on a computer, typically without the user's knowledge, that reports back information about the user's activities
- Some operate by monitoring cookies

Protecting an OS from Malicious Software

- Install updates
- View what is loaded when a system is booted
- Use malicious software scanners
- Use digital signatures for system and driver files
- Back up systems and create repair disks
- Create and implement organizational policies

Installing Updates for Windows

- Windows Update
  - Provides access to patches that are issued regularly
- Service packs
  - Address security issues and problems affecting the stability, performance, or operation of features included with the OS

[Figure: Using Windows Update (two figures)]

Installing Updates for Red Hat Linux

- Issued frequently; can be downloaded from the Web site
- The Red Hat Network Alert Notification Tool must be configured

[Figure: Installing Updates for Red Hat Linux (Continued)]

Installing Updates for NetWare

- Download updates and/or consolidated support packs from Novell's Web site

Installing Updates for Mac OS X

- The Software Update tool enables you to:
  - Configure the system to check for updates automatically at specified intervals
  - Manually check for updates
  - View currently installed updates

[Figure: Installing Updates for Mac OS X]

Viewing What Is Loaded When a System Is Booted

- Windows 2000, Windows XP Professional, and Windows Server 2003
  - Have a log record the boot load information (boot logging on the Advanced Options menu)
- Red Hat Linux and NetWare
  - View the information on-screen; boot load information is displayed automatically
- Mac OS X
  - Display the boot process by booting into either single-user mode or verbose mode

[Figure: Advanced Options Menu]

Using Malicious Software Scanners

- An effective way to protect an operating system
- Scan systems for viruses, worms, and Trojan horses
- Often called virus scanners

Malicious Software Scanners: Features to Look For

- Scans memory and removes viruses
- Continuous memory scanning
- Scans hard and floppy disks and removes viruses
- Scans all known file formats
- Scans HTML documents and e-mail attachments

Malicious Software Scanners: Features to Look For (Continued)

- Automatically runs at a scheduled time
- Manual run option
- Detects known and unknown malicious software
- Updates for new malicious software
- Scans files that are downloaded
- Uses protected or quarantined zones for downloaded files

[Figure: Using a Virus Scanner]

[Table: Virus Scanning Software (two slides)]

Using Digital Signatures for System and Driver Files

- Digital signature
  - Code placed in a file to verify its authenticity by showing that it originated from a trusted source
- Driver signing
  - Placing a digital signature in a device driver to
    - Show that the driver is from a trusted source
    - Indicate compatibility with an OS

Backing Up Systems and Creating Repair Disks

- Most OSs offer ways to back up your system
- Some OSs enable creation of a boot disk or repair disk
  - Windows 2000: Emergency Repair Disk (ERD)
  - Windows XP or Windows Server 2003: Automated System Recovery (ASR) set
  - Red Hat Linux: boot disk

Creating a Windows 2000 ERD

- Create a new ERD each time you:
  - Install software
  - Make a server configuration change
  - Install a new adapter
  - Add a NIC
  - Restructure a partition
  - Upgrade the OS
- Enables you to fix problems with the server

[Figure: Creating a Windows 2000 ERD]

Creating an ASR Set

- Two components
  - A backup of all system files (1.5 GB or more, written to backup media)
  - A backup of system settings (about 1.44 MB, written to a floppy disk)
- Does not back up application data files

[Figure: Creating an ASR Set]

Creating a Red Hat Linux Boot Disk

- Enables booting a system from a floppy disk

Creating and Implementing Organizational Policies

- Provide users with training in security techniques
- Train users about common malicious software
- Require users to scan floppies and CDs before use
- Establish policies about the types of media that can be brought in from outside and how they can be used
- Establish policies that discourage or prevent users from installing their own software

Creating and Implementing Organizational Policies (Continued)

- Define policies that minimize or prevent downloading files; require users to run a virus scanner on any downloaded files
- Create quarantine areas for files of uncertain origin
- Use virus scanning on e-mail and attachments
- Discard e-mail attachments from unknown or untrusted sources

Chapter Summary

- Viruses, worms, and Trojan horses
- Typical forms of malicious software
  - How they spread through operating systems and across networks
  - What they target and why
  - Boot sector viruses
  - Viruses that attack through macros
- How to set up defenses, such as operating system patches and repair disks

Guide to Operating System Security
Chapter 3: Security Through Authentication and Encryption

Objectives

- Explain encryption methods and how they are used
- Describe authentication methods and how they are used
- Explain and configure IP Security
- Discuss attacks on encryption and authentication methods

Encryption

- Uses a secret code to disguise data
- Makes data unintelligible to everyone except the intended recipients
- Protects data from attackers using a sniffer
- Uses cryptography
- Typically involves a key and an algorithm

Encryption Methods

- Stream cipher and block cipher
- Secret key
- Public key
- Hashing
- Data Encryption Standard (DES)
- RSA encryption

Encryption Methods (Continued)

- Pluggable Authentication Modules (PAMs)
- Microsoft Point-to-Point Encryption (MPPE)
- Encrypting File System (EFS)
- Cryptographic File System (CFS)

Stream Cipher and Block Cipher

- Stream cipher
  - Encrypts the data one bit or byte at a time by combining it with a keystream
  - Caveat: the same keystream must never be used for two messages (same key and nonce), or each plaintext leaks through the other
- Block cipher
  - Encrypts groupings of data in fixed-size blocks
  - Typically has specific block and key sizes (for example, 64-bit blocks for DES, 128-bit blocks for AES)

Secret Key

- Keeps the encryption key secret from public access, particularly over a network connection
- Uses symmetric encryption (the same key encrypts and decrypts)
- The practical difficulty is key distribution: both parties must obtain the key over a channel the attacker cannot read
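The two slides above (stream ciphers and secret-key encryption) can be shown together in a few lines. The Python block below is an added example and not code from the original deck: it builds a toy stream cipher from a SHA-256 keystream (an illustration only, not a vetted cipher; the keystream construction, key and messages are all constructed for the example), shows that the same secret key both encrypts and decrypts, and then demonstrates the keystream-reuse caveat by recovering one message from another without the key.

```python
import hashlib


def keystream(key, nonce, length):
    """Toy keystream generator: SHA-256(key || nonce || counter) blocks, concatenated.
    Illustration only; a real system uses a vetted stream cipher or AES-CTR from a crypto library."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream cipher: XOR each plaintext byte with one keystream byte.
    The same secret key (and nonce) decrypts, which is what makes it symmetric."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt   # XOR is its own inverse


def keystream_reuse_leak(ct1, ct2):
    """If two messages were encrypted under the same key and nonce, XORing the two
    ciphertexts cancels the keystream and yields p1 XOR p2, with no key needed."""
    return xor_bytes(ct1, ct2)


def crib_drag(xored, crib):
    """Slide a guessed fragment of one message (the crib) along p1 XOR p2; wherever the
    result is printable text the attacker has likely recovered that part of the other message."""
    hits = []
    for offset in range(len(xored) - len(crib) + 1):
        guess = xor_bytes(xored[offset:offset + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((offset, guess.decode("ascii")))
    return hits


if __name__ == "__main__":
    key, nonce = b"\x01" * 32, b"\x02" * 12           # constructed values for the demo
    p1 = b"transfer 100 to account 4421"
    p2 = b"transfer 999 to account 7788"
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    print(decrypt(key, nonce, c1) == p1)               # same key decrypts
    print(crib_drag(keystream_reuse_leak(c1, c2), b"transfer ")[:1])   # reuse leaks p2's prefix
```

Giving the second message a fresh nonce is the fix: the XOR of the ciphertexts is then just noise, which is why every stream-cipher mode (RC4 in WEP being the well-known failure) lives or dies on never repeating the key/nonce pair.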

Public Key

- Uses a public key and private key combination (asymmetric encryption)
- The public key can be communicated over an unsecured connection; only the private key must be kept secret
- Data transformed with one key of the pair can be reversed only with the other, which is what makes both encryption to a recipient and digital signatures possible

Hashing

- Uses a one-way function to compute a fixed-size digest (fingerprint) of the message contents
  - Scrambles the message into a value from which the message cannot be recovered
  - Any change to the message produces a different digest
  - Enables a value to be picked out of a hash table
- Often used to create a digital signature (the digest is signed rather than the whole message)
- Hashing is one-way: unlike encryption, there is no key that reverses it
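The hashing slide above, and the Chapter 2 slide on digital signatures for system and driver files, both come down to the same three uses of a digest: fingerprinting a file against a trusted manifest, binding a secret key to a message so that only a key holder can produce the tag (a plain hash proves nothing about who computed it), and storing passwords so they cannot be reversed or looked up. The Python block below is an added example, not code from the original deck; it uses only the standard library, and the file contents, manifest and passwords in it are constructed.

```python
import hashlib
import hmac
import os


def file_digest(data, algorithm="sha256"):
    """One-way fingerprint: any change to the input changes the digest."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_manifest(files, manifest):
    """Compare each file's digest with a trusted manifest {name: hex digest}.
    Returns the names that do not match (tampered, corrupted, or simply not listed)."""
    bad = []
    for name, data in files.items():
        if manifest.get(name) != file_digest(data):
            bad.append(name)
    return sorted(bad)


def mac_message(key, message):
    """HMAC binds a secret key to the digest: only a key holder can produce a valid tag,
    whereas anyone could recompute a plain hash after altering the message."""
    return hmac.new(key, message, "sha256").digest()


def verify_mac(key, message, tag):
    return hmac.compare_digest(mac_message(key, message), tag)   # constant-time compare


def hash_password(password, salt=None, iterations=200_000):
    """Stored-password hashing: a per-user random salt plus a deliberately slow KDF,
    so the digest cannot be reversed cheaply or matched against a precomputed table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed "driver files" and the manifest a vendor would publish for them.
    shipped = {"netdrv.sys": b"driver build 1", "audio.sys": b"driver build 7"}
    manifest = {name: file_digest(data) for name, data in shipped.items()}
    on_disk = dict(shipped, **{"audio.sys": b"driver build 7 + patch"})   # one file altered
    print("mismatched:", verify_manifest(on_disk, manifest))

    tag = mac_message(b"shared secret", b"reboot host 12")
    print("genuine:", verify_mac(b"shared secret", b"reboot host 12", tag),
          "forged:", verify_mac(b"shared secret", b"reboot host 13", tag))

    record = hash_password("correct horse battery")
    print("logon:", check_password("correct horse battery", record),
          check_password("wrong", record))
```

A manifest of plain digests only helps if the manifest itself arrives over a trusted channel or is signed; the MAC step shows the minimum needed to make that trust explicit, and a real driver-signing scheme replaces the shared key with a public-key signature so that verifiers need no secret at all.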

Typically Used Hashing Algorithms

- Message Digest 2 (MD2)
- Message Digest 4 (MD4)
  - Used by MS-CHAP v1 and by MS-CHAP in Windows Server 2003 to derive the NT password hash
- Message Digest 5 (MD5)
- Secure Hash Algorithm 1 (SHA-1)
- Caveat: MD2, MD4, MD5, and SHA-1 are all now considered broken for collision resistance; new designs should use SHA-2 (for example, SHA-256) or SHA-3

[Figure: MS-CHAP v1 or MS-CHAP Encryption]

Data Encryption Standard (DES)

- Developed by IBM; refined and published as a federal standard by the National Bureau of Standards (now NIST) in 1977
- Originally developed to use a 56-bit encryption key, which has been brute-forceable with purpose-built hardware since 1998
- Newer version: 3DES (Triple DES)
  - Encrypts each block three times with the DES algorithm (encrypt, decrypt, encrypt); it does not hash the data
  - Uses a key of up to 168 bits in length (three 56-bit keys; effective strength about 112 bits)

[Figure: Using DES with IPSec in Windows Server 2003]

Advanced Encryption Standard (AES)

- Adopted by the U.S. government (NIST, 2001) to replace DES and 3DES
- A secret-key (symmetric) block cipher with a 128-bit block and 128-, 192-, or 256-bit keys
- Employs the Rijndael algorithm

RSA Encryption

- Uses asymmetric public and private keys, with an algorithm whose security relies on the difficulty of factoring the product of two large prime numbers
- The algorithm uses a trapdoor function: easy to compute with the public key, infeasible to reverse without the private key
- Regarded as more secure than DES and 3DES; in practice RSA is used to exchange or protect a symmetric session key and to sign data rather than to encrypt bulk data, because it is far slower and its key lengths are not directly comparable to symmetric key lengths
- Used by Web browsers such as Internet Explorer and Netscape Navigator (in SSL/TLS)

Pluggable Authentication Modules (PAMs)

- Can be installed in a UNIX or Linux OS without rewriting and recompiling existing applications
- Enable the use of password hashing and authentication techniques other than the traditional DES-based crypt() for passwords and for communications on a network

Microsoft Point-to-Point Encryption (MPPE)

- Used by Microsoft operating systems for remote communications over PPP or PPTP
- Uses the RC4 stream cipher (from RSA Security)
  - Basic encryption (40-bit key)
  - Strong encryption (56-bit key)
  - Strongest encryption (128-bit key)
- Caveat: 40- and 56-bit keys are brute-forceable, and the MS-CHAP v1 logon that PPTP links often rely on has known weaknesses; 128-bit MPPE with MS-CHAP v2 is the minimum, and IPsec- or TLS-based VPNs are preferred

Encrypting File System (EFS)

- Set by an attribute of Windows OSs that use NTFS
- Protects folder and file contents on the hard disk
  - Enables a user to encrypt the contents of a folder or file so that it can be accessed only with the private key of the user who encrypted it
- Encrypts the data with a symmetric file key (DESX in Windows 2000; 3DES or AES in Windows XP SP1 and later) and protects that file key with the user's public key
- Uses a registered recovery agent, whose key can also unlock the file key so that data is not lost if the user's key becomes unavailable

How to Configure EFS

- As an advanced folder attribute (folder Properties, Advanced, "Encrypt contents to secure data")
- By using the cipher command in a Command Prompt window (for example, cipher /E /S:foldername encrypts a folder tree, and cipher /D decrypts it)

[Figure: Configuring EFS as an Advanced Folder Attribute]

[Figure: Cipher Command-Line Parameters]

Cryptographic File System (CFS)

- A file system add-on available as open source software for UNIX and Linux systems
- Enables encryption of disk file systems and NFS files

[Table: Summary of Encryption Techniques (two slides)]

Authentication

- The process of verifying that a user (or system) is who it claims to be, after which authorization decides which resources it may access
- Typically associated with the logon process
- Validates both the user account name and the password (or other credential) before giving access to resources
- Often uses encryption techniques to protect user names and passwords in transit

Authentication Methods

- Session authentication
- Digital certificates
- NT LAN Manager
- Kerberos
- Extensible Authentication Protocol (EAP)
- Secure Sockets Layer (SSL)

Authentication Methods (Continued)

- Transport Layer Security (TLS)
- Secure Shell (SSH)
- Security token

Session Authentication

- Ensures that the packets of a session can be read in the correct order
- Provides a way to encrypt or otherwise protect the sequence numbering, so that an attacker cannot easily guess it to inject packets into, or take over, an established session

Digital Certificate

- A set of unique identification information, typically attached to a file or associated with a computer communication
- Shows that the source of the file or communication is legitimate
- Signed by the issuing authority with its private key; anyone holding the issuer's public key can verify the signature (the purpose is authenticity, not secrecy)
- Issued by a certificate authority (CA)

Digital Certificate Contents

- Version
- Certificate serial number
- Signature algorithm identifier
- Name of issuer
- Validity period
- Subject name
- Subject public key information
- (All of the above are covered by the issuer's signature)

NT LAN Manager (NTLM)

- A form of session authentication and challenge/response authentication compatible with all Microsoft Windows operating systems
- Challenge/response authentication
  - The server sends a random challenge; the client answers with the challenge encrypted under a secret key derived from the hash of the account's password
  - The password itself never crosses the network
- Caveat: captured responses can be cracked offline, and a challenge can be relayed from one server to another, so Kerberos is preferred wherever the domain supports it
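The challenge/response exchange on the slide above, with both sides' messages, is easier to reason about as code. The Python block below is an added example, not code from the original deck and not an implementation of the real NTLM formats: it models the exchange with an HMAC over the server's challenge (NTLM's actual MD4/DES-based computations are replaced by SHA-256/HMAC purely for illustration), shows that the password is never transmitted, and then demonstrates the relay caveat and the fix of binding the response to the server the client thinks it is talking to. All server names, users and passwords are constructed.

```python
import hashlib
import hmac
import os


def derive_key(password):
    """Both ends hold a key derived from the password. NTLM derives it with MD4 over the
    UTF-16LE password; this example uses SHA-256 purely for illustration."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(key, nonce, target=None):
    """Client side: a keyed MAC over the server's challenge proves knowledge of the key
    without sending the password or its hash. If `target` is given, the name of the
    server the client believes it is talking to is mixed into the MAC (target binding)."""
    msg = nonce if target is None else nonce + b"\x00" + target.encode()
    return hmac.new(key, msg, "sha256").digest()


class Server:
    """Server side: issues a fresh random challenge per logon attempt and checks the answer."""

    def __init__(self, name, users):
        self.name = name
        self.keys = {user: derive_key(pw) for user, pw in users.items()}
        self.outstanding = {}

    def challenge(self, user):
        nonce = os.urandom(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response, bind_target=False):
        nonce = self.outstanding.pop(user, None)      # single use: an old challenge cannot be replayed
        if nonce is None or user not in self.keys:
            return False
        expected = compute_response(self.keys[user], nonce, self.name if bind_target else None)
        return hmac.compare_digest(expected, response)


def legitimate_logon(server, user, password, bind_target=False):
    nonce = server.challenge(user)
    response = compute_response(derive_key(password), nonce, server.name if bind_target else None)
    return server.verify(user, response, bind_target)


def relay_attack(target, user, client_password, rogue_name, bind_target=False):
    """The caveat: an attacker running a rogue server obtains a challenge from the real target,
    forwards it to a client that connects to the rogue server, and replays the client's answer
    to the target. Without target binding the target accepts it; with binding the client
    answered for `rogue_name`, so the check at the target fails."""
    nonce = target.challenge(user)
    response = compute_response(derive_key(client_password), nonce,
                                rogue_name if bind_target else None)
    return target.verify(user, response, bind_target)


if __name__ == "__main__":
    fileserver = Server("FILESRV", {"alice": "correct horse"})
    print(legitimate_logon(fileserver, "alice", "correct horse"))
    print(relay_attack(fileserver, "alice", "correct horse", "EVIL"))
    print(relay_attack(fileserver, "alice", "correct horse", "EVIL", bind_target=True))
```

The model also shows why the scheme is only as strong as the password: anyone who records a challenge and response can test candidate passwords offline at full speed, which is the offline cracking risk named on the slide.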

Kerberos

- Employs secret-key (symmetric) cryptography and tickets that are exchanged between the client requesting logon or network service access and the server, application, or directory service that grants access
- A trusted Key Distribution Center (KDC) issues the tickets; each ticket is encrypted so that only the intended service can read it, and it carries a lifetime after which it expires

[Figure: Kerberos Configuration Options]

Extensible Authentication Protocol (EAP)

- A multipurpose authentication framework used on networks and in remote communications
- Can carry many authentication methods (DES- and 3DES-based methods, public-key encryption, smart cards, and certificates)
- Typically provides an authentication exchange between a computer and a server that is used to authenticate the computer's access

Secure Sockets Layer (SSL)

- Service-independent; broad uses for e-commerce, HTTP, HTTPS, FTP, SMTP, and NNTP
- Developed by Netscape
- Uses RSA public-key encryption
- The most commonly used form of security for communications and transactions over the Web

Transport Layer Security (TLS)

- Modeled after SSL and standardized by the IETF as its successor
- Uses the TLS Handshake Protocol (public-key authentication and key agreement) to establish a session, then private-key (symmetric) encryption for the data itself

Secure Shell (SSH)

- Developed for UNIX/Linux systems to provide authentication security for TCP/IP applications, including FTP and Telnet

[Figure: Using Secure Shell]

Security Token

- A physical device, often resembling a credit card or key fob, used for authentication
- Communicates with an authentication server to generate the password, using encryption for the exchange of password-generating information

Advantages of a Security Token

- The user does not have to memorize a password
- The value of the password lasts only as long as the communications session; a new password is created the next time the security token is used

IP Security (IPSec)

- A set of IP-based secure communications and encryption standards developed by the IETF
- Protects network communications carried over IP, transparently to the applications above
- Elements that enable security measures
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
  - (Keys and security associations for both are negotiated with the Internet Key Exchange, IKE)

[Figure: IPSec Security Roles]

Authentication Header (AH)

- Ensures the integrity of a data transmission
- Ensures authentication of a packet by enabling verification of its source
- Provides no confidentiality: the payload is authenticated but not encrypted
- Because its integrity check also covers the immutable fields of the IP header, AH does not pass through NAT devices that rewrite addresses

Specific Fields in AH

- Next header
- Payload length
- Reserved
- Security Parameter Index (SPI)
- Sequence number
- Authentication data

Encapsulating Security Payload (ESP)

- Encrypts packet-based data
- Authenticates data
- Generally ensures the security and confidentiality of network layer information and data within the packet

Specific Fields in ESP

- Security Parameter Index (SPI)
- Sequence number
- Payload data
- Padding
- Pad length
- Next header
- Authentication data (the integrity check value, ICV)
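The two field lists above (AH and ESP) are concrete enough to parse. The Python block below is an added example, not code from the original deck: it unpacks an Authentication Header according to RFC 4302 (Payload Length is in 32-bit words minus 2), splits an ESP packet into the parts a receiver sees before and after decryption according to RFC 4303, checks the default padding pattern, and implements the sliding-window anti-replay check that both AH and ESP receivers perform on the Sequence Number. The SPI values, ICVs and payloads are constructed test data; no cryptography is performed, only the framing.

```python
import struct

AH_FIXED = 12   # Next Header, Payload Length, Reserved, SPI, Sequence Number


def parse_ah(data):
    """Parse an IPsec Authentication Header (RFC 4302)."""
    if len(data) < AH_FIXED:
        raise ValueError("short AH")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED])
    total = (payload_len + 2) * 4              # Payload Length = AH length in 32-bit words, minus 2
    if len(data) < total:
        raise ValueError("truncated AH")
    return {"next_header": next_hdr, "payload_length": payload_len, "reserved": reserved,
            "spi": spi, "sequence": seq, "icv": data[AH_FIXED:total], "header_bytes": total}


def build_ah(next_header, spi, seq, icv):
    """Inverse of parse_ah, used to construct test input. The ICV must be 32-bit aligned."""
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 4 bytes")
    payload_len = (AH_FIXED + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_esp(data, icv_len):
    """Split an ESP packet (RFC 4303) into SPI, Sequence Number, the still-encrypted payload
    (which also hides the padding, Pad Length and Next Header) and the trailing ICV."""
    if len(data) < 8 + icv_len:
        raise ValueError("short ESP")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "sequence": seq,
            "encrypted_payload": data[8:len(data) - icv_len],
            "icv": data[len(data) - icv_len:]}


def strip_esp_trailer(plaintext):
    """After decryption the last two bytes are Pad Length and Next Header, preceded by padding.
    Returns (next_header, payload). The RFC 4303 default padding is 1, 2, 3, ..., which a
    receiver may check as a cheap sanity test on the decryption."""
    if len(plaintext) < 2:
        raise ValueError("short ESP plaintext")
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    end = len(plaintext) - 2 - pad_len
    if end < 0:
        raise ValueError("bad pad length")
    if bytes(plaintext[end:-2]) != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match the RFC 4303 default pattern")
    return next_hdr, plaintext[:end]


class ReplayWindow:
    """Anti-replay check on the Sequence Number: accept each number once, and only if it is
    no older than `size` behind the highest number seen so far."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit k of bitmap marks (top - k) as seen

    def check_and_update(self, seq):
        if seq == 0:
            return False                                 # sequence numbers start at 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
                           if shift < self.size else 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                                 # too old, or already seen: replay
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    ah = build_ah(next_header=6, spi=0x1000, seq=7, icv=bytes(12))   # HMAC-SHA1-96 sized ICV
    print(parse_ah(ah))
    window = ReplayWindow(size=64)
    print([window.check_and_update(s) for s in (1, 3, 3, 2, 100, 90)])
```

The window is what makes the Sequence Number worth authenticating: without it an attacker who captured a valid packet could resend it indefinitely, and the ICV would check out every time.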

[Table: Attacks on Encryption and Authentication]

Guidelines for Resisting Attacks

- Use strong passwords
- Use the strongest forms of authentication and encryption permitted by the OS
- Use the longest encryption keys possible
- Inventory the encryption and authentication methods used by the OS; close any holes
- Have administrators use personal accounts with administrative privileges (rather than using the administrative account directly)

Summary

- Encryption methods and how operating systems use them
- How systems authenticate one another
- How to configure Kerberos authentication logon security
- How to use IP security to keep your TCP/IP network secure
- Typical methods attackers use to defeat encryption and authentication

Guide to Operating System Security
Chapter 4
Account-based Security

Objectives

Discuss how to develop account naming and security policies
Explain and configure user accounts
Discuss and configure account policies and logon security techniques
Discuss and implement global access privileges
Use group policies and security templates in Windows 2000 Server and Windows Server 2003

Account Naming

Provides orderly access to server and network resources
Enables administrators to monitor security:
  Which users are accessing the server
  What resources they are using
Establish conventions for account names, based on:
  User's actual name
  User's function

Security Policies

Apply to all accounts, or to all accounts in a particular directory service container
Affected elements:
  Password security
    Expiration period
    Minimum length
    Password history (how many previous passwords are remembered and refused)
  Account lockout
  Authentication method

Creating User Accounts in Windows 2000 Professional

Typically installed with:
  Administrator account
  Guest account
To create and manage user accounts:
  Start > Settings > Control Panel > Users and Passwords, or
  Right-click My Computer > Manage > Local Users and Groups > Users

Creating User Accounts in Windows XP Professional

Installed with:
  Account that usually consists of the user's name
  Administrator account
  Guest account
  HelpAssistant account, used by Remote Assistance
  Support accounts for Microsoft and the computer manufacturer
To create and manage user accounts:
  Start > Control Panel > User Accounts, or
  Right-click My Computer > Manage > Local Users and Groups > Users

Managing User Accounts in Windows XP Professional

Creating User Accounts in Windows 2000 Server/Server 2003

Installed with:
  Administrator account
  Guest account
  Other accounts, depending on the services installed on the server
Create new accounts by entering account information and password controls, as either:
  A local user account on a server that is not part of a domain
  An account in Active Directory

Managing User Accounts in Windows 2000 Server

Creating a New User

Complete the name, user logon name, password, and password confirmation information
Password options:
  User must change password at next logon
  User cannot change password
  Password never expires
  Account is disabled
Further configure the associated properties

Account Properties in Windows Server 2003

General tab
Address tab
Account tab
Profile tab
Telephones tab
Organization tab
Member Of tab
Dial-in tab
Environment tab
Sessions tab
Remote Control tab
Terminal Services Profile tab
COM+ tab

Account Properties in Windows Server 2003 (dialog)

Account Tab

Creating User Accounts in Red Hat Linux 9.x

Each user account is associated with a user identification number (UID)
Assign users with common access needs to a group via a group identification number (GID)

Contents of Linux Password File (/etc/passwd)

Username
Password field: the hashed password, or an x meaning the hash is kept in the shadow file
UID and GID
Information about the user (the GECOS field)
Location of the user's home directory
Command (login shell) that is executed as the user logs on

Linux Shadow File (/etc/shadow)

Readable only by root (unlike /etc/passwd, which every process can read)
Holds the password hashes and password restriction information:
  Minimum/maximum number of days between password changes
  When the password was last changed
  When the password will expire
  Amount of time the account can be inactive before access is prohibited
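As an added example (not from the book), this script parses constructed /etc/passwd and /etc/shadow contents with the fields described on the two slides above and audits them for a second UID 0 account, empty passwords, and expired passwords or accounts. The sample entries, hashes and dates are fabricated for illustration.

```python
"""Audit constructed /etc/passwd and /etc/shadow contents for common account weaknesses."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample files (not from a real host). Shadow dates are days since 1970-01-01.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
legacy::502:502:Old app:/home/legacy:/bin/bash
"""
SHADOW = """\
root:$1$abc$hash:19700:0:99999:7:::
bin:*:19700:0:99999:7:::
toor:$1$def$hash:19700:0:99999:7:::
alice:$1$ghi$hash:19000:1:90:7:::
bob:$1$jkl$hash:19700:1:90:7:30:19600:
legacy::19700:0:99999:7:::
"""
SAMPLE_TODAY = date(2024, 1, 1)


@dataclass
class PasswdEntry:
    name: str
    passwd: str       # 'x' means "see /etc/shadow"; '' means no password at all
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str        # command run at logon


@dataclass
class ShadowEntry:
    name: str
    hash: str         # '' = no password, '*' or '!' = locked/disabled
    last_change: Optional[int]
    min_days: int
    max_days: int
    warn_days: int
    inactive_days: Optional[int]
    expire_day: Optional[int]


def _opt_int(s: str) -> Optional[int]:
    return int(s) if s else None


def parse_passwd(text: str) -> list[PasswdEntry]:
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        out.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return out


def parse_shadow(text: str) -> dict[str, ShadowEntry]:
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        out[f[0]] = ShadowEntry(f[0], f[1], _opt_int(f[2]), int(f[3] or 0), int(f[4] or 99999),
                                int(f[5] or 7), _opt_int(f[6]), _opt_int(f[7]))
    return out


def audit(passwd_text: str, shadow_text: str, today: date) -> list[str]:
    """Return findings: extra UID 0 accounts, empty passwords, expired passwords/accounts."""
    findings = []
    today_days = (today - date(1970, 1, 1)).days
    shadow = parse_shadow(shadow_text)
    for p in parse_passwd(passwd_text):
        if p.uid == 0 and p.name != "root":
            findings.append(f"{p.name}: extra UID 0 account")
        if p.passwd == "":
            findings.append(f"{p.name}: empty password field in /etc/passwd")
        s = shadow.get(p.name)
        if s is None:
            if p.passwd == "x":
                findings.append(f"{p.name}: no shadow entry")
            continue
        interactive = not p.shell.endswith("nologin")
        if s.hash == "" and interactive:
            findings.append(f"{p.name}: no password set")
        if s.expire_day is not None and today_days >= s.expire_day:
            findings.append(f"{p.name}: account expired")
        if s.last_change is not None and s.max_days < 99999 and s.hash not in ("", "*", "!"):
            if today_days > s.last_change + s.max_days:
                findings.append(f"{p.name}: password expired")
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, SAMPLE_TODAY):
        print(finding)
```

On a real host the same checks run against the live files, but /etc/shadow is only readable as root, which is exactly the protection the slide describes.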

Creating User Accounts and Groups in Linux

Use command-line commands:
  Create a new user with useradd
  Modify parameters with usermod
  Delete accounts with userdel
Or use Red Hat User Manager from the GNOME desktop

Creating Accounts with the Command Line

Creating Accounts with Red Hat User Manager

Creating User Accounts in NetWare 6.x

Use the ConsoleOne tool

Creating User Accounts in Mac OS X

Choose the Accounts icon in the System Preferences window and supply:
  Name of the account holder
  Short name for logging on
  Password
  Password hint

Creating User Accounts in Mac OS X (Continued)

Tools that enable server management (Mac OS X Server):
  Server Admin
  Macintosh Manager

Accounts Option in Mac OS X

Mac OS X Logon Options

Automatically log on to a specific account when the computer is booted (convenient, but it hands that account to anyone with physical access)
Log on by viewing a name and password box, or by seeing a list of user accounts
Hide the Restart and Shut Down buttons
Show the password hint after three unsuccessful logon attempts

Mac OS X Server

Tools:
  Server Admin
  Macintosh Manager

Setting Account Policies and Configuring Logon Security

Place restrictions on passwords
Automatically lock out accounts after a specified number of unsuccessful logon attempts

Guidelines for Building Strong Passwords

Do use:
  7+ characters (the book's minimum; current guidance favors much longer passphrases)
  A combination of upper- and lowercase letters, numbers, and other characters
  Symbol character(s)
  A coded phrase to help you remember
Do not use:
  Words in the dictionary or proper names
  Sports terms or names of sports teams
  Your account name
  Consecutive characters
  Common slang terms
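The checker below is an added example, not from the book; it turns the do/don't list above into code. The word lists are constructed stand-ins (a real deployment would load a full dictionary and a breached-password list), and the 7-character minimum follows the slide only to match it; modern guidance favors far longer passphrases.

```python
"""Check a candidate password against the slide's do/don't guidelines."""
import re
import string

MIN_LENGTH = 7          # the slide's minimum; current guidance favors much longer passphrases
# Constructed stand-ins for the word lists; a real deployment loads a full dictionary
# plus breached-password data.
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein", "chicago", "yankees"}
SPORTS_TERMS = {"football", "soccer", "baseball", "hockey", "yankees", "cowboys", "lakers"}
SLANG = {"lol", "omg", "dude", "yolo"}


def has_consecutive_run(pw: str, run: int = 3) -> bool:
    """True if `run` characters in a row ascend (abc, 123), descend (cba) or repeat (aaa)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def contains_banned_word(pw: str, words: set[str], min_len: int = 4) -> bool:
    """Substring match after stripping digits and sym­bols, so 'Yankees#1' still matches 'yankees'."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    return any(w in letters for w in words if len(w) >= min_len)


def check_password(pw: str, account_name: str) -> list[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol character")
    if account_name and account_name.lower() in pw.lower():
        problems.append("contains the account name")
    if contains_banned_word(pw, WORDLIST):
        problems.append("contains a dictionary word or proper name")
    if contains_banned_word(pw, SPORTS_TERMS):
        problems.append("contains a sports term or team name")
    if contains_banned_word(pw, SLANG, min_len=3):
        problems.append("contains a common slang term")
    if has_consecutive_run(pw):
        problems.append("contains consecutive characters")
    return problems


if __name__ == "__main__":
    for candidate in ("jsmith123", "Yankees#1", "Tq!9wRv2pL"):
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
```

Stripping digits and symbols before the dictionary match is what catches the common "append a number and a symbol" habit; without it, Yankees#1 would pass the word-list test.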

Using Account Policies in Windows Server 2000/Server 2003

Set up as part of a group policy that applies to all accounts in an Active Directory container
Can also be configured for a local computer
Account policy options affect:
  Password security
  Account lockout

Password Security Options in Windows Server 2000/Server 2003

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store password using reversible encryption (leave disabled unless an application requires it; it makes the stored password recoverable)

Account Lockout Options in Windows Server 2000/Server 2003

Account lockout duration
Account lockout threshold
Reset account lockout counter after
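An added example (not the book's) that simulates the three lockout settings over a constructed logon log, including the corner cases practitioners trip over: the counter reset window, a correct password arriving while the account is locked, and a duration of 0 meaning "locked until an administrator unlocks". Usernames, times and policy values are illustrative.

```python
"""Simulate Windows account lockout policy over constructed sequences of logon attempts.

Policy knobs mirror the group policy settings on the slide:
  threshold           - failed attempts before lockout (0 disables lockout)
  lockout_duration    - minutes locked (0 = locked until an administrator unlocks)
  reset_counter_after - minutes without a failure before the bad-password count returns to 0
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5
    lockout_duration: int = 30           # minutes
    reset_counter_after: int = 30        # minutes


@dataclass
class AccountState:
    bad_count: int = 0
    last_failure: Optional[datetime] = None
    locked_at: Optional[datetime] = None


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    accounts: dict = field(default_factory=dict)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.lockout_duration == 0:        # indefinite: only an admin can unlock
            return True
        if now - st.locked_at >= timedelta(minutes=self.policy.lockout_duration):
            st.locked_at, st.bad_count = None, 0      # lockout expired
            return False
        return True

    def attempt(self, user: str, success: bool, now: datetime) -> str:
        """Process one logon attempt; returns 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"                           # even the correct password is rejected
        if success:
            st.bad_count, st.last_failure = 0, None   # a good logon clears the counter
            return "ok"
        # Bad password: apply the 'reset counter after' window, then count it
        if st.last_failure and now - st.last_failure >= timedelta(minutes=self.policy.reset_counter_after):
            st.bad_count = 0
        st.bad_count += 1
        st.last_failure = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "failed"

    def unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_at, st.bad_count = None, 0


def run_scenario() -> list[str]:
    """Constructed attempt log: 3 quick failures, a gap, 5 more, then the right password."""
    t0 = datetime(2024, 1, 1, 9, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=5, lockout_duration=30, reset_counter_after=10))
    events = [
        ("alice", False, t0),
        ("alice", False, t0 + timedelta(minutes=1)),
        ("alice", False, t0 + timedelta(minutes=2)),
        ("alice", False, t0 + timedelta(minutes=15)),   # >10 min since last failure: count resets to 1
        ("alice", False, t0 + timedelta(minutes=16)),
        ("alice", False, t0 + timedelta(minutes=17)),
        ("alice", False, t0 + timedelta(minutes=18)),
        ("alice", False, t0 + timedelta(minutes=19)),   # 5th within the window -> locked
        ("alice", True,  t0 + timedelta(minutes=20)),   # right password, still locked
        ("alice", True,  t0 + timedelta(minutes=50)),   # 30 min later: lockout has expired
    ]
    return [tracker.attempt(u, ok, when) for u, ok, when in events]


def run_indefinite_lockout() -> list[str]:
    """Lockout duration 0: the account stays locked until an administrator unlocks it."""
    t0 = datetime(2024, 1, 1, 9, 0)
    tracker = LockoutTracker(LockoutPolicy(threshold=1, lockout_duration=0))
    results = [tracker.attempt("bob", False, t0), tracker.attempt("bob", True, t0 + timedelta(days=1))]
    tracker.unlock("bob")
    results.append(tracker.attempt("bob", True, t0 + timedelta(days=1)))
    return results


if __name__ == "__main__":
    print(run_scenario())
    print(run_indefinite_lockout())
```

Note the trade-off the simulation exposes: a low threshold with a long or indefinite duration lets an attacker lock out any user at will by deliberately failing logons, which is a denial-of-service against your own staff.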

Account Security Options in Red Hat Linux 9.x

No formal account security policies
Enables configuration of security options associated with individual accounts (using Red Hat User Manager)
Stores security information in the shadow file (/etc/shadow) as properties associated with accounts

Account Password Configuration Options in Red Hat Linux

Setting an account to expire on a particular date
Locking a user account
Expiration of account passwords so that users have to reset them

Red Hat Linux 9.x Account Password Configuration

Using Account Templates in NetWare 6.x

Configure through user templates before accounts are created
Use the ConsoleOne utility to create user templates

Establishing Account Properties with User Template (NetWare 6.x)

Home directory location and access rights to that directory
Requirement for a password
Minimum password length
Requirement that the password be changed within a specified interval of time
Grace period that limits the number of times a user can log in after the password has expired

Establishing Account Properties with User Template (NetWare 6.x) (Continued)

Requirement that a new password be used each time the old one is changed
Time restrictions
Intruder detection capabilities
Limit on the number of simultaneous connections
Workstation logon restrictions

Intruder Detection in NetWare 6.x

Using Global Access Privileges

Windows 2000 Server/Server 2003:
  User rights govern user and administrative functions
NetWare 6.x:
  Uses access rights, applied in a different way, for more fine-tuned access functions
  Role-based security establishes administrative roles for managing a server

Windows Server 2000/Server 2003 User Rights

Enable an account or group to perform predefined tasks
  Basic rights: access a server
  Advanced rights: create accounts and manage server functions
Can be assigned to user accounts or to groups
  Groups are more efficient (members inherit the group's rights)

Windows Server 2000/Server 2003 User Rights (Continued)

Give server administrators security controls over who can access server and Active Directory resources
Two categories:
  Privileges
    Manage server or Active Directory functions
  Logon rights
    Access accounts, computers, and services

Windows Server 2000/Server 2003 Privileges

Windows Server 2000/Server 2003 Logon Rights

Role-based Security in NetWare 6.x

Allocated according to administrative roles (managing tasks or network services):
  DHCP Management
  DNS Management
  eDirectory
  iPrint Management
  License Management

Using Group Policies in Windows Server 2000/Server 2003

Enables standardization by setting policies in Active Directory or on a local computer (e.g., account policies, user rights, IPSec policies)
Evolved from the Windows NT Server 4.0 concept of system policy
  System policy used Poledit.exe to configure basic user account and computer parameters (domain-wide or specific)

Differences Between System Policy and Group Policy

System policy:
  Largest range is the domain
  Fewer objects to configure
  Focuses on the client's desktop environment as controlled by Registry settings
  Less secure
  Settings can live on after they are no longer needed
Group policy:
  Can cover multiple domains in one site
  More objects to configure
  Set for more environments
  More secure
  Dynamically updated and configured to represent the most current needs

Defining Characteristics of Group Policy

Can be set for a site, domain, OU, or local computer
Stored in group policy objects (GPOs)
Local and nonlocal GPOs

Configuring Client Security Using Policies

Advantages to customizing the settings used by clients:
  Improved security
  Consistent working environment
Customize settings by configuring policies on the Windows 2000/2003 servers that clients access
When a client logs on, the policies are applied

Manually Configuring Policies for Clients

Use either:
  Group Policy snap-in (Windows 2000 Server)
  Group Policy Object Editor snap-in (Windows Server 2003)
Use the Administrative Templates object under User Configuration in a group policy object to customize desktop settings for client computers

Manually Configuring Policies for Clients (dialog)

Configuring Administrative Templates

Automated Configuration of Administrative Templates

Configuring Additional Security Options

Fine-tune security on a server by configuring Security Options within Local Policies in a GPO
Enables you to configure group policy security for special needs

Group Policy Security Options

Summary

Considerations when creating formal policies about account naming and security
How to set up accounts in different operating systems
How to configure those accounts to implement an organization's policies
User rights and role-based security
How to work with group policies and security templates

Guide to Operating System Security
Chapter 5
File, Directory, and Shared Resource Security

Objectives

Implement directory, folder, and file security
Configure shared resource security, using share permissions in Windows 2000/XP/2003
Use groups to implement security
Troubleshoot security

Directory, Folder, and File Security

Access control lists (held in security descriptors) associate users and groups with specific access capabilities
ACL components:
  Discretionary access control list (DACL): who may do what to the object
  System access control list (SACL): which accesses to the object are audited

Directory, Folder, and File Security (Continued)

Categories of information in an ACL:
  User accounts that can access the object
  Rights and permissions that determine the level of access
  Ownership of the object
  Whether specific events associated with the object are to be audited

Windows 2000/XP/2003 Folder and File Security

Uses the attributes and permissions of the file system used with the OS
NTFS is far more secure than FAT16 or FAT32, which have attributes but no permissions at all:
  Able to set standard and special permissions
  Supports use of EFS (Encrypting File System)
  Enables disk quotas to be set

Configuring Folder and File Attributes

Attributes in FAT16, FAT32, and NTFS are stored as header information
Attributes available on FAT16/FAT32-formatted disks:
  Read-only
  Hidden
  Archive

Configuring Folder and File Attributes (dialog)

NTFS Security Attributes

Read-only
Hidden
Archive
Index
Compress
Encrypt

NTFS Security

Configuring Folder and File Permissions

Use the Add and Remove buttons on the folder properties Security tab to change which users and groups have permissions
Modify existing permissions by clicking on the user or group and checking or clearing boxes in the Allow and Deny columns
  A Deny entry overrides an Allow entry for the same right, including rights a user would otherwise receive through group membership

Configuring Folder and File Permissions (dialog)

Folder and File Permissions Supported by NTFS

Configuring Inheritable Permissions

UNIX and Linux Directory and File Security

Permissions:
  Read (r)
  Write (w)
  Execute (x)
Special permissions for executable programs:
  Set User ID (SUID): the program runs with the file owner's identity
  Set Group ID (SGID): the program runs with the file group's identity

UNIX and Linux Directory and File Security (Continued)

Permissions criteria
Use the chmod command to set up permissions for:
  User/owner (u)
  Group membership (g)
  Other (o)
  All (a)
In either:
  Symbolic format (e.g., g+w,o-rwx)
  Octal format (e.g., 750)
Use the chown command to change ownership
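The block below is an added example (not the book's) covering the two UNIX permission slides: it converts ls-style rwx strings (including the s and t special bits) to octal, applies chmod-style symbolic specs such as g+w,o-r, and flags the classic SUID hazard. Unlike real chmod it ignores the umask when no class letter is given.

```python
"""Convert between ls-style permission strings, octal modes and chmod symbolic operations."""
import stat

# Bit for each position of the 9-character rwx string (owner, group, other)
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Per-class rwx mask and the special bit that 's' sets for that class
_WHO = {"u": (stat.S_IRWXU, stat.S_ISUID),
        "g": (stat.S_IRWXG, stat.S_ISGID),
        "o": (stat.S_IRWXO, 0)}
_PERM = {"r": 0o444, "w": 0o222, "x": 0o111}


def parse_ls_mode(s: str) -> int:
    """'rwsr-xr-x' -> 0o4755, 'rwxr-s---' -> 0o2750, 'rwxrwxrwt' -> 0o1777."""
    if len(s) != 9:
        raise ValueError("expected 9 permission characters")
    mode = 0
    for i, ch in enumerate(s):
        if ch in "rwx":
            mode |= _BITS[i]
        elif ch in "sS" and i in (2, 5):       # setuid/setgid are displayed in the x slot
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                      # lowercase means x is also set
                mode |= _BITS[i]
        elif ch in "tT" and i == 8:            # sticky bit, shown on the 'other' x slot
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= _BITS[i]
        elif ch != "-":
            raise ValueError(f"bad permission character {ch!r} at position {i}")
    return mode


def format_ls_mode(mode: int) -> str:
    """Inverse of parse_ls_mode, used to display the result of a chmod."""
    out = []
    for i, (bit, ch) in enumerate(zip(_BITS, "rwxrwxrwx")):
        c = ch if mode & bit else "-"
        if (i == 2 and mode & stat.S_ISUID) or (i == 5 and mode & stat.S_ISGID):
            c = "s" if mode & bit else "S"
        elif i == 8 and mode & stat.S_ISVTX:
            c = "t" if mode & bit else "T"
        out.append(c)
    return "".join(out)


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod symbolic spec such as 'g+w,o-rwx', 'u+s' or 'a=r' to mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"                # real chmod would also apply the umask here
        classes = "ugo" if "a" in who else who
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad operator in {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        bits = 0
        for w in classes:
            rwx, special = _WHO[w]
            for p in perms:
                if p in _PERM:
                    bits |= rwx & _PERM[p]
                elif p == "s":
                    bits |= special
                elif p == "t":
                    bits |= stat.S_ISVTX
                else:
                    raise ValueError(f"unsupported permission {p!r}")
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                                  # '=' replaces the class's bits entirely
            clear = 0
            for w in classes:
                clear |= _WHO[w][0] | _WHO[w][1]
            mode = (mode & ~clear) | bits
    return mode


def risky_setuid(mode: int, owner_uid: int) -> bool:
    """The SUID hazard behind the slide: a root-owned setuid program writable by group or others."""
    return bool(mode & stat.S_ISUID) and owner_uid == 0 and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    m = parse_ls_mode("rw-r--r--")
    print(oct(m), format_ls_mode(apply_symbolic(m, "u+x,g+w,o-r")))   # 0o644 rwxrw----
```

The risky_setuid check is the one to run across a whole filesystem: a root-owned SUID binary that anyone can write to is a one-step privilege escalation.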

Viewing Permissions Settings

Red Hat Linux 9.x System Directories

NetWare 6.x Directory and File Security

Access controlled through:
  Attributes associated with files and directories
  Access rights granted to trustees

NetWare Directory Attributes

NetWare File Attributes

NetWare Access Rights

NetWare Trustee Rights

Mac OS X Folder and File Security

Ways to configure file and folder permissions:
  Command-line commands (chmod and chown, as on other UNIX systems)
  Set Get Info properties of a file

Using Command-Line Commands in Mac OS X

Configuring Ownership & Permission for a Mac OS X File

Mac OS X Get Info Folder and File Permissions

Shared Resource Security

Sharing or accessing resources (directories, folders, files, and printers) over a network in:
  Windows 2000/XP/2003
  Red Hat Linux 9.x
  NetWare 6.x
  Mac OS X

Sharing Resources in Windows 2000/XP/2003

Use share permissions
Protecting a shared folder:
  Full Control
  Change
  Read
Protecting a shared printer

Protecting a Shared Folder

Protecting a Shared Printer

Print
Manage Documents
Manage Printers
Special Permissions:
  Read
  Change
  Take Ownership

Sharing Resources in Red Hat Linux 9.x

Enable access through:
  Telnet and FTP (both send credentials in the clear)
    Use Secure Shell (SSH/SFTP) capabilities instead wherever possible
  Network File System (NFS)
Protecting directory resources
Protecting printer resources

Sharing Resources in NetWare 6.x

Protecting directory resources:
  Mapping and search mapping
  Protects through attributes and trustee access rights
Protecting printer resources:
  Queue-based printing
  Novell Distributed Print Services (NDPS)

NetWare Drive Mappings

Sharing Resources in Mac OS X

Enable access through System Preferences
Protecting a shared folder
Protecting a shared printer

Using Security Groups

Group together accounts that have similar characteristics
Eliminates repetitive steps in managing user and resource access

Using Groups in Windows 2000/XP/2003

Related to the concept of scope of influence
Types (each available as a security or a distribution group):
  Local
  Domain local
  Global
  Universal

Implementing Local Groups

Used to manage resources on a single computer, such as Windows 2000/XP Professional

Implementing Domain Local Groups

Used when Active Directory is deployed
Used to manage resources in a domain
Give global groups from the same or other domains access to those resources

Implementing Global Groups

Intended to contain user accounts from a single domain
Can be set up as a member of a domain local group in the same or another domain

Implementing Universal Groups

Span domains and trees within a Windows Active Directory forest

Guidelines for Using Groups

Global groups: hold accounts as members
Domain local groups: provide access to resources in a specific domain
Universal groups: provide extensive access to resources across the forest

Using Groups in Red Hat Linux 9.x

Assign each group a unique group identification number (GID)
Assign permissions to access resources to the group

Using Groups in NetWare 6.x

Create groups with the ConsoleOne tool
Configure trustee access rights for the group
Assign accounts to the group
Assign a specific login script to the group

Using Groups in Mac OS X

Automatically managed and assigned by the operating system

Troubleshooting Security

Windows XP Professional and Windows Server 2003:
  View the effective permissions (the Effective Permissions tab of the Advanced Security Settings dialog)
NetWare 6.x:
  View the effective rights

Viewing Effective Rights in NetWare 6.x
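The following is an added example, not code from the book, of how "effective permissions" are derived: ACEs are sorted into the canonical order Windows uses (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and the first ACE that speaks to a right decides it. The rights are a simplified subset of NTFS permissions, and the sample DACL, users and groups are constructed.

```python
"""Compute effective NTFS-style permissions for a user from a constructed DACL."""
from dataclasses import dataclass
from enum import Flag, auto
from typing import Optional


class Perm(Flag):
    """Simplified NTFS rights; the standard permissions are combinations of these."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE_PERMS = auto()
    TAKE_OWNERSHIP = auto()


FULL_CONTROL = Perm.READ | Perm.WRITE | Perm.EXECUTE | Perm.DELETE | Perm.CHANGE_PERMS | Perm.TAKE_OWNERSHIP
MODIFY = Perm.READ | Perm.WRITE | Perm.EXECUTE | Perm.DELETE
READ_EXECUTE = Perm.READ | Perm.EXECUTE


@dataclass(frozen=True)
class Ace:
    trustee: str          # user or group name (a SID in the real thing)
    mask: Perm
    allow: bool           # False = Deny ACE
    inherited: bool = False


def canonical_order(dacl: list[Ace]) -> list[Ace]:
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow: the evaluation order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def effective_permissions(dacl: list[Ace], user: str, groups: set[str],
                          owner: Optional[str] = None) -> Perm:
    """Walk the ACL in canonical order; the first ACE that speaks to a right wins.

    A Deny that matches any of the user's identities blocks the right even if a later
    Allow would grant it, which is why a stray 'Deny Everyone' locks out administrators too.
    """
    identities = {user, "Everyone"} | groups
    granted = Perm(0)
    settled = Perm(0)                      # rights already decided by an earlier ACE
    for ace in canonical_order(dacl):
        if ace.trustee not in identities:
            continue
        new = ace.mask & ~settled          # only rights no earlier ACE has decided
        if ace.allow:
            granted |= new
        settled |= new
    if owner == user:                      # the owner can always change permissions
        granted |= Perm.CHANGE_PERMS
    return granted


def has_access(dacl: list[Ace], user: str, groups: set[str], wanted: Perm,
               owner: Optional[str] = None) -> bool:
    return (effective_permissions(dacl, user, groups, owner) & wanted) == wanted


# Constructed DACL on a shared folder: Finance may modify, Everyone may read, contractors are
# explicitly denied write/delete, and Administrators get Full Control through inheritance.
SAMPLE_DACL = [
    Ace("Everyone", READ_EXECUTE, allow=True, inherited=True),
    Ace("Administrators", FULL_CONTROL, allow=True, inherited=True),
    Ace("Finance", MODIFY, allow=True),
    Ace("Contractors", Perm.WRITE | Perm.DELETE, allow=False),
]

if __name__ == "__main__":
    print(effective_permissions(SAMPLE_DACL, "dana", {"Finance", "Contractors"}))
    print(effective_permissions(SAMPLE_DACL, "dana", {"Finance"}))
```

The second print shows the troubleshooting value: the same user with one group membership removed goes from read-only to Modify, which is what the Effective Permissions tab lets you see without logging on as that user.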

Summary

How to configure directory, folder, and file security for Windows 2000/XP/2003, Red Hat Linux 9.x, NetWare 6.x, and Mac OS X
How to fine-tune security for common and unique circumstances
Specialized share permissions for Windows-based systems, used when folders are shared across a network from FAT16/32 and NTFS volumes
How to configure and use security groups to manage access to shared resources
How to use the effective permissions and effective rights tools in Windows XP/2003 and NetWare 6.x to ensure that directory, folder, and file security is properly set and that there are no security holes

Guide to Operating System Security
Chapter 6
Firewalls and Border Security

Objectives

Understand how TCP, UDP, and IP work, and the security vulnerabilities of these protocols
Explain the use of IP addressing on a network and how it is used for security
Explain border and firewall security
Configure the firewall capabilities in operating systems

Transmission Control Protocol/Internet Protocol

Networking protocol suite that serves as a universal language of communication for networks and operating systems
Its ubiquity makes it a prime target for attackers
Three core component protocols:
  Transmission Control Protocol (TCP)
  User Datagram Protocol (UDP)
  Internet Protocol (IP)

Understanding TCP

Establishes reliable, connection-oriented communications between devices on networks
Enables communications to operate in an orderly fashion through use of sequence numbers and acknowledgments
  Predictable initial sequence numbers let an attacker inject into or spoof a session, which is why modern stacks randomize them

Fields in a TCP Header

TCP and UDP Ports in Relation to Port Scanning

Understanding UDP

Connectionless protocol
Can be used instead of TCP
Faster communications when reliability is less of a concern
Performs no flow control, sequencing, or acknowledgment
Port-scanning attacks are less productive against it: an open UDP port usually sends nothing back, so the scanner must infer state from ICMP port-unreachable replies, which hosts often rate-limit

Fields in a UDP Header

Understanding How IP Works

Enables a packet to reach different subnetworks on a LAN and different networks on a WAN
Networks must use transport methods compatible with TCP/IP

Basic Functions of IP

Data transfer
Packet addressing
Packet routing
Fragmentation
Simple detection of packet errors (a header checksum that catches corruption, not deliberate tampering)

IP as a Connectionless Protocol

Provides network-to-network addressing and routing information
Fragments packets when the maximum packet size varies from network to network
Leaves reliability of communications in the hands of the embedded TCP segment

TCP/IP Datagram

Fields in an IP Packet Header
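An added example (not from the book) that parses the TCP, UDP and IPv4 header fields shown in the figures above from a constructed packet, verifies the IP header checksum (the "simple detection of packet errors" of the earlier slide), and decodes the TCP flags of a SYN probe like the ones a port scanner sends. Addresses and ports are illustrative.

```python
"""Parse IPv4, TCP and UDP headers from a constructed packet and verify the IP header checksum."""
import struct
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header: bytes) -> int:
    return 0xFFFF - ones_complement_sum(header)


@dataclass
class IPv4Header:
    ihl: int
    total_length: int
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str
    header_len: int


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Fields from the 'Fields in an IP Packet Header' figure; IHL is in 32-bit words."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = ver_ihl & 0x0F
    hlen = ihl * 4
    if hlen < 20 or len(pkt) < hlen:
        raise ValueError("bad IHL")
    # Summing the header as received, checksum field included, gives 0xFFFF when intact.
    ok = ones_complement_sum(pkt[:hlen]) == 0xFFFF
    return IPv4Header(ihl, total_len, ident, flags_frag >> 13, flags_frag & 0x1FFF,
                      ttl, proto, ok, ".".join(map(str, src)), ".".join(map(str, dst)), hlen)


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int
    flags: list[str]
    window: int


def parse_tcp(seg: bytes) -> TCPHeader:
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4
    flag_bits = off_flags & 0x3F
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return TCPHeader(sport, dport, seq, ack, data_offset, flags, window)


def parse_udp(dgram: bytes) -> tuple[int, int, int]:
    """UDP: source port, destination port, length (a checksum of 0 means 'not computed' over IPv4)."""
    sport, dport, length, _cksum = struct.unpack("!HHHH", dgram[:8])
    return sport, dport, length


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed packet builder so the example runs offline; fills in a correct checksum."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed SYN segment to port 22 (a typical port-scan probe) wrapped in IPv4
SYN_TO_SSH = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
SAMPLE_PACKET = build_ipv4(bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]), PROTO_TCP, SYN_TO_SSH)
SAMPLE_UDP = struct.pack("!HHHH", 53, 1025, 8, 0)

if __name__ == "__main__":
    ip = parse_ipv4(SAMPLE_PACKET)
    print(ip)
    print(parse_tcp(SAMPLE_PACKET[ip.header_len:]))
```

Because the checksum is a plain arithmetic sum, anyone who modifies a header can recompute it; it defends against line noise, not against an attacker, which is the gap AH and ESP fill.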

How IP Addressing Works

Identifies a specific station and the network on which it resides
Each IP address must be unique
Uses dotted decimal notation
Enables use of network IDs and host IDs for locating networks and specific devices on the network

IP Address Classes

Five classes (Class A through Class E), each used with a different type of network
Reflect the size of the network and whether the packet is unicast or multicast

Using a Subnet Mask

Required by TCP/IP addresses
Determines how portions of addresses on a network are divided into network ID and host ID
Divides a network into subnetworks to control network traffic

Creating Subnetworks

Subnet mask carves a subnet ID out of the host ID portion of the address
Enables routing devices to ignore traditional class designations
Creates more options for segmenting networks through multiple subnets and additional network addresses
Stretches the limited 32-bit (four-octet) IPv4 address space
Newer way to ignore class designation:
  Classless interdomain routing (CIDR)
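An added example (not the book's) of the subnet mask arithmetic described on the last three slides, using Python's standard ipaddress module: the classful address class and default mask, the network ID/host ID split for a given mask, the same-subnet test a host makes before routing, carving a block into CIDR subnets, and checking for RFC 1918 private space. Sample addresses are illustrative.

```python
"""Subnet mask arithmetic: classful vs CIDR, network/host split, same-subnet tests, subnetting."""
import ipaddress


def address_class(ip: str) -> str:
    """Classful rule from the first octet: A 0-127, B 128-191, C 192-223, D 224-239 (multicast), E 240-255."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def default_mask(ip: str) -> str:
    """The mask a classful router would assume; D and E have no host portion."""
    return {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}.get(address_class(ip), "n/a")


def split_address(ip: str, mask: str) -> dict:
    """Network ID, host ID, broadcast and usable host count for an address plus mask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    host_id = int(addr) & ~int(net.netmask) & 0xFFFFFFFF
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "host_id": str(ipaddress.IPv4Address(host_id)),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """The decision a host makes: deliver directly, or hand the packet to the default gateway."""
    net_a = ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    return ipaddress.IPv4Address(b) in net_a


def subnet_plan(network: str, hosts_per_subnet: int) -> list[str]:
    """Carve a network into equal CIDR subnets that each fit `hosts_per_subnet` usable hosts."""
    base = ipaddress.IPv4Network(network)
    needed = hosts_per_subnet + 2                       # network and broadcast addresses
    host_bits = (needed - 1).bit_length()
    new_prefix = 32 - host_bits
    if new_prefix < base.prefixlen:
        raise ValueError("not enough addresses for that many hosts")
    return [str(s) for s in base.subnets(new_prefix=new_prefix)]


def is_private(ip: str) -> bool:
    """RFC 1918 space: the addresses NAT lets an internal network use without registration."""
    return ipaddress.IPv4Address(ip).is_private


if __name__ == "__main__":
    print(address_class("172.16.5.9"), default_mask("172.16.5.9"))
    print(split_address("172.16.5.9", "255.255.255.192"))
    print(same_subnet("172.16.5.9", "172.16.5.70", "255.255.255.192"))
    print(subnet_plan("192.168.10.0/24", 50))
```

The same_subnet result is worth dwelling on: 172.16.5.9 and 172.16.5.70 are in the same class B network, yet with a /26 mask they are on different subnets and traffic between them must cross a router, which is exactly where a filtering rule can be placed.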

Border and Firewall Security

Firewalls protect internal or private networks
Firewall functions:
  Packet filtering
  Network address translation
  Working as application gateways or proxies

Implementing Border Security

Packet Filtering

Uses characteristics of a packet (addresses, ports, protocol, flags) to determine whether it should be forwarded or blocked
Techniques:
  Stateless packet filtering: each packet is judged on its own
  Stateful packet filtering: packets are judged against a table of connections already seen

Securing a Subnet with a Firewall

Network Address Translation (NAT)

Discourages attackers; all protected network addresses are seen by outsiders as a single address
Enables a network to use IP addresses on the internal network that are not formally registered for Internet use (the RFC 1918 private ranges)

Ways to Perform NAT Translation

Dynamic translation (or IP masquerade)
Static translation
Network redundancy translation
Load balancing
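The simulation below is an added example (not from the book) that serves both the stateless/stateful packet filtering slide and the NAT slides: a stateless ACK-only ACL, a connection-tracking filter, and a dynamic NAT (IP masquerade) table are run over constructed traffic, including a forged inbound ACK probe. Addresses and ports are illustrative.

```python
"""Stateless vs stateful filtering, plus dynamic NAT (IP masquerade), on constructed packets."""
from dataclasses import dataclass
from typing import Optional

INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Packet:
    direction: str        # INSIDE (leaving the LAN) or OUTSIDE (arriving from the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def stateless_filter(pkt: Packet) -> bool:
    """Classic ACL: allow inbound TCP only if ACK is set (assumed to belong to a session).

    This is the weakness of stateless filtering: an attacker simply sets ACK on a probe
    and the filter cannot tell a reply from a forgery.
    """
    if pkt.direction == INSIDE:
        return True
    return pkt.ack


class StatefulFirewall:
    """Tracks outbound connections and admits inbound packets only if they match one."""
    def __init__(self) -> None:
        self.table: dict[tuple, str] = {}        # (src, sport, dst, dport) -> state

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:
                self.table[key] = "SYN_SENT"
            return True
        # Inbound: look for the reverse tuple of a connection we opened
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                         # unsolicited, even with ACK set
        if state == "SYN_SENT" and pkt.syn and pkt.ack:
            self.table[key] = "ESTABLISHED"
        return True


class Masquerade:
    """Dynamic NAT: many private hosts share one public address; flows are told apart by port."""
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        self.out: dict[tuple, int] = {}          # (priv_ip, priv_port, dst, dport) -> public port
        self.back: dict[tuple, tuple] = {}       # (public port, dst, dport) -> (priv_ip, priv_port)

    def translate_out(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.direction, self.public_ip, self.out[key], pkt.dst, pkt.dport, pkt.syn, pkt.ack)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Returns the un-NATed packet, or None when nothing inside ever opened this flow."""
        target = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None
        return Packet(pkt.direction, pkt.src, pkt.sport, target[0], target[1], pkt.syn, pkt.ack)


def run_scenario() -> dict:
    """Constructed traffic: a legitimate web session and a forged inbound ACK probe."""
    fw, nat = StatefulFirewall(), Masquerade("203.0.113.1")
    out_syn = Packet(INSIDE, "192.168.1.10", 50000, "198.51.100.7", 80, syn=True)
    fw.filter(out_syn)
    natted = nat.translate_out(out_syn)
    # Reply from the web server to the public address/port
    reply = Packet(OUTSIDE, "198.51.100.7", 80, natted.src, natted.sport, syn=True, ack=True)
    inside_reply = nat.translate_in(reply)
    # Attacker forges an ACK toward the public address hoping to slip past a stateless ACL
    probe = Packet(OUTSIDE, "203.0.113.66", 31337, "203.0.113.1", 50000, ack=True)
    return {
        "nat_src": (natted.src, natted.sport),
        "reply_delivered_to": (inside_reply.dst, inside_reply.dport),
        "reply_stateful": fw.filter(inside_reply),
        "probe_stateless": stateless_filter(probe),
        "probe_stateful": fw.filter(probe),
        "probe_nat": nat.translate_in(probe),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The forged probe passes the stateless ACL but is dropped by the connection-tracking filter and has no NAT mapping to land on; in iptables terms the first is a plain rule on the tcp-flags, the other two are the conntrack and MASQUERADE machinery.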

Proxy

Computer located between a computer on an internal network and a computer on an external network
Acts as a middleman to:
  Filter application-level communications
  Perform caching
  Create virtual circuits with clients for safer communications

Proxy Configurations

Application-level gateways
Circuit-level gateways

Proxy Firewall as an Application-Level Gateway

Proxy Firewall as a Circuit-Level Gateway

Using Routers for Border Security

Often used as firewalls because they can filter packets and protocols
Forward packets and frames to networks using a decision-making process based on:
  Routing table data
  Discovery of the most efficient routes
  Preprogrammed information

Using Routers for Border Security (Continued)

Protocols used by routers in a local system:
  Routing Information Protocol (RIP)
    Uses only hop count as its metric
  Open Shortest Path First (OSPF)
    Router sends only link-state routing messages
    Compact packet format
    Shares updated routing table information among routers

OSPF Border Areas

Using Firewall Capabilities in Operating Systems

Important when the computer on which the OS is running:
  Is directly connected to the Internet
  Is in a demilitarized zone (DMZ)

Configuring a Firewall in Windows XP Professional

Enable Internet Connection Firewall (ICF)
  Monitors source and destination addresses that come in and go out of the computer via the Internet
  Maintains a table of the connections the computer itself initiates and admits only the replies to them
  Discards unsolicited inbound communications
  Discourages port scanning via an Internet connection

Configuring a Firewall in Windows Server 2003

Enable ICF, opening only those services that are actually needed on the server

Configuring NAT in Windows Server 2003

Routing and Remote Access Services (RRAS) setup options:
  Remote access (dial-up or VPN)
  Network address translation (NAT)
  Virtual Private Network (VPN) access and NAT
  Secure connection between two private networks
  Custom configuration

Configuring NAT in Windows 2000 Server

Set up the Windows server as an Internet connection server with NAT in the Windows 2000 Server Routing and Remote Access tool
Enables multiple computers to share a connection to an external network
Provides address translation services for all computers that share the connection, thus shielding them from direct inbound connections

Configuring a Firewall in Red Hat Linux 9.x

Use the Security Level Configuration tool (High, Medium, No Firewall)
Customize the firewall by designating trusted devices
Allow or deny access to WWW (HTTP), FTP, SSH, DHCP, mail (SMTP), or Telnet

Configuring NAT and a Firewall Using IPTables (Red Hat Linux 9.x)

Configure through a terminal window using the iptables command
Enables configuration of packet filter rules through use of tables
  A set of rules (a chain) is applied to packets containing specific information

Sample Iptables Parameters

Configuring NAT and a Firewall Using IPTables (Red Hat Linux 9.x) (Continued)

Make sure IPChains is turned off
Start the IPTables service and ensure that it starts automatically each time the OS is booted
Configure the firewall to deny incoming, outgoing, and forwarded packets by default, then permit only what is needed
Make sure all configured options are saved and reused each time the computer is booted

Configuring a Mac OS X Firewall

Use System Preferences via the Sharing icon
Allow or deny network communications through TCP and UDP ports by turning specific services on or off
Turn the firewall on or off

Summary

TCP, UDP, and IP protocols, their security vulnerabilities and how to mitigate them
IP addressing and how it can be used to thwart attacks
How border and firewall security use characteristics of TCP, UDP, and IP to build more secure networks
How to configure the firewall capabilities of operating systems

Guide to Operating System Security
Chapter 7
Physical and Network Topology Security

Objectives

Explain physical security methods for workstations, servers, and network devices
Implement a network topology for security
Explain network communications media in relation to security
Use structured network design for security

Physical Security

Limiting physical access:
  Location of equipment
  Construction quality
Devices to protect:
  Workstations
  Servers
  Network devices and communications media

Workstation Security

Password-protect user accounts
Configure a screen saver with a password
Log off or turn off computers when not in use
Lock office doors
Keep ventilation holes unobstructed
Keep liquids away from the computer

Server Security

Centralized versus decentralized considerations
Environmentally controlled computer room
Strong access controls
Cipher locks on locked doors
Power regulation devices

Server Security (Continued)

Motion sensors
Camera-monitored entrances and equipment
Fire detection and suppression equipment
Screen savers for servers

Configuring Screen Savers

Windows Server

Red Hat Linux 9.x

Use screen saver options with passwords for


servers
Lock a screen using screen saver

NetWare

SCRSAVER command at the console


SECURE CONSOLE command

Guide to Operating System Security

Configuring a NetWare Screen


Saver (Continued)

Guide to Operating System Security

Configuring a NetWare Screen


Saver

Guide to Operating System Security

10

Network Devices

Access servers
Bridges
Chassis hubs
Firewalls
Hubs
Multiplexers
Repeaters
Routers
Switches
Transceivers
UPS

Securing Network Devices

Place central wiring and network devices in wiring closets that follow EIA/TIA-569 standards
  Telecommunications room
  Main cross-connect
  Intermediate cross-connect
Locate wiring closets away from sources of EMI and RFI

Designing a Network Topology for Security

Main network topologies
  Bus
  Ring
  Star
  Bus-star

Bus Topology

Cable runs from one computer to the next, like a chain
Terminators connect to each bus cable segment
Disadvantages
  Easily compromised by removing a terminator, which takes the whole segment down
  Easy for an unauthorized person to tap into a cable segment, and every station on the segment sees all traffic

Ring Topology

Continuous path for data; no logical beginning or ending point; no terminators
Easier to manage, more reliable, and more secure than the bus
More expensive than the bus

Star Topology

Multiple stations attached to a central hub or switch
Allows you to emphasize security, efficiency, and reliability
Advantages
  Wide variety of equipment available
  Unauthorized taps are difficult
  Easier to manage than the bus
  Expansion options
Disadvantages
  Hub or switch is a single point of failure
  Requires more cable than the bus
Note that a shared hub still repeats every frame to every port, so a star built from hubs is as easy to sniff as a bus; a switch forwards unicast frames only to the destination port, which is one reason to prefer switches at the center

Logical Bus Networks in a Physical Star Layout

Most common topology
Advantages
  No exposed terminators to pose a security risk
  Expansion capabilities

Communications Media and Network Security

Coaxial cable
Twisted-pair cable
Fiber-optic cable
Wireless technologies

Coaxial Cable

Copper wire construction
Thick and thin varieties
Suitability
  Older LANs
  LANs with strong sources of signal interference

Thick Coaxial Cable

Thin Coaxial Cable (Thinnet)

Twisted-Pair Cable

Copper wire construction
Shielded twisted-pair (STP) and unshielded twisted-pair (UTP)
Most commonly used cabling

Fiber-Optic Cable

Glass (usually) or plastic cable
Single mode and multimode
Suitability
  High-speed LAN and WAN access
  Connecting networks between different locations
  Situations with significant electrical interference
  Where security is a concern: fiber radiates no electromagnetic signal to pick up, and a physical tap is hard to make without disturbing the link

Wireless Technologies

Radio, infrared, or microwave
Suitability
  Where cable is difficult or too expensive to use
  When flexibility to move network hosts and devices is required

Comparing Cable Types

Using Structured Design

Follow accepted guidelines for cable installation
Deploy a structured wiring design
Implement a structured network design

Guidelines for Cable Installation

Meet or exceed maximum bandwidth requirements
Category 5 or better UTP cable
Multimode fiber-optic riser cable between floors
IEEE specifications
Single-mode fiber-optic cable for long runs
Wireless options where needed
Star-based cable plants
High-quality cable
Building codes (e.g., plenum cable)
Do not exceed the tension limits of twisted-pair cable
Follow the rules for cable bend radius
Extra cable at endpoints
Qualified contractor
Label all cable
Ground cable plants (EIA/TIA-607 standard)

Structured Wiring Requirements

Flexible cabling
Wiring stations into a physical star
Adherence to EIA/TIA-568-A and EIA/TIA-568-B standards for horizontal wiring
Centralizing the cable plant in chassis hubs or switches
Intelligence built into chassis hubs and switches to detect problems at stations
Ability to isolate hosts and servers on their own cable segments
Ability to provide high-speed links to hosts, servers, and other network devices

Structured Wiring Design

Structured Network Design

A solid horizontal and vertical wiring design enables:
  Centralizing the network at strategic points
  Customization for security and efficiency
  Linking the points together by a fast backbone

Structured Network for Centralized Management

Figure 7-10 Structured network for centralized management

Vertical Wiring Principles

Extended star topology between devices
High-speed cable
  to reduce congestion
  not susceptible to EMI and RFI
EIA/TIA-568-A and EIA/TIA-568-B standards for vertical or backbone cabling
Riser-rated cable for cable runs through cable ports or vertical shafts
Fire-stop material to cover cable between floors

Centralized Management

Central points are established for critical network functions
Simple Network Management Protocol (SNMP)
  Community name: the shared string an agent checks before answering a request; in SNMPv1 and SNMPv2c it travels in cleartext with every packet, and the defaults (public, private) are widely known
  Network management station (NMS)
  Network agents
Change default community names, restrict agents to the NMS addresses they should answer, and use SNMPv3 with authentication and privacy where the equipment supports it
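What "community name sent in cleartext" means in practice, as an added example that is not from the book: a minimal BER decoder that pulls the version, community and PDU type out of a captured SNMP packet, the way a sniffer or an IDS signature does, plus an audit function that flags the cases worth alerting on (v1/v2c at all, a default community, and a SetRequest, which is write access). The packet bytes are constructed here by a small encoder; `build_snmp_request`, `audit_snmp` and the finding texts are this example's own names, not part of any SNMP library.

```python
# Added example (not from the book): a minimal BER decoder that pulls the
# version and community name out of an SNMP packet, as a sniffer or an IDS
# rule would, and flags the cases a practitioner cares about.  The sample
# packet is constructed here by a small encoder; the OID is sysName.0.

DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def build_snmp_request(community, pdu_tag=0xA0, version=0, request_id=1,
                       oid=b"\x2b\x06\x01\x02\x01\x01\x05\x00"):
    """Encode an SNMPv1 (version=0) or v2c (version=1) request; sysName.0 by default."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + b"\x05\x00")           # OID, NULL
    pdu_body = (_tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
                + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, bytes([version]))
                + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu_body))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return version, community (None for SNMPv3) and PDU type of one packet."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, vbody, pos = _read_tlv(msg, 0)
    version = int.from_bytes(vbody, "big")
    if version == 3:                       # v3: header SEQUENCE, no community
        return {"version": 3, "community": None, "pdu": None}
    tag, cbody, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return {"version": version, "community": cbody.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag))}


def audit_snmp(packet):
    """Findings for v1/v2c traffic: cleartext community, defaults, writes."""
    info = parse_snmp(packet)
    findings = []
    if info["version"] in (0, 1):
        findings.append("community sent in cleartext (SNMPv%s)"
                        % ("1" if info["version"] == 0 else "2c"))
        if info["community"] in DEFAULT_COMMUNITIES:
            findings.append("default community %r" % info["community"])
        if info["pdu"] == "SetRequest":
            findings.append("SetRequest: write access with a cleartext community")
    return info, findings
```

Run `audit_snmp` over the UDP/161 payloads of a capture and the first finding alone tells you which devices are still managed with v1/v2c; the third finding is the one to page on, since a SetRequest with a sniffed community rewrites device configuration.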

Using Virtual LANs

Can be used as a central management tool
Potential problems
  Improper configuration exposes the network to security risks
  Trunks are vulnerable to attacks: a station that can negotiate a trunk with the switch, or that double-tags its frames, can reach VLANs it is not a member of, so disable trunk negotiation on access ports and never use the native VLAN for user traffic

Using Network Redundancy for Security

Vital network areas remain running even if equipment fails or an attack occurs

Designing for Redundancy

Figure 7-11 Designing for redundancy

Building Multiple Redundant Pathways

Figure 7-12 Building multiple redundant pathways

Summary

How to physically secure workstations and servers
How network topologies can be used to enhance security
Which network media offer the best security
How to combine network topology and media in a structured wiring and networking design for efficiency and security

Guide to Operating System Security
Chapter 8: Wireless Security

Objectives

Explain wireless networking and why it is used
Describe IEEE 802.11 radio wave networking
Explain Bluetooth networking
Describe attacks on wireless networks
Discuss wireless security measures
Configure security for wireless interfaces in workstation operating systems

Introduction to Wireless Networking

Enables communications where a wired network is impractical
Reduces installation costs
Provides anywhere access
Enables easier small and home office networking
Enables data access to fit the application

Attacks on Wireless Networks

Many opportunities, particularly through sniffer software, because the medium is shared and the signal reaches beyond the building
Passive sniffing is difficult or impossible to detect, since the attacker never transmits

Wireless Network Support Organizations

Wireless LAN Association (WLANA)
WINLAB

Why Use a Wireless Network Instead of a Wired Network?

A wired network can be difficult or impossible to install in some situations

Radio Wave Technologies

Network applications use high frequencies measured in hertz
Line-of-sight transmission
Spread spectrum technology
Popular technologies
  IEEE 802.11 standard
  Bluetooth
Advantages
  Relatively inexpensive
  Easy to install
  Provide anywhere access
  Offer an alternative for hard-to-cable areas
Disadvantages
  Do not have speeds to match 100 Mbps wired communications
  Frequencies may experience interference

IEEE 802.11 Radio Wave Networking

Advantages in terms of compatibility and reliability
Devices are not proprietary
Encompasses fixed and mobile stations
Recognizes indoor and outdoor communications
Kinds of communication
  Discrete units (asynchronous)
  Governed by time restrictions

How IEEE 802.11 Wireless Networks Function

Components
Access methods
Handling of data errors
Transmission speeds
Authentication
Topologies
Multiple-cell wireless LANs

Wireless Components

Wireless NIC (WNIC): functions as a transmitter/receiver (transceiver)
Access point
Antennas
  Directional antenna
  Omnidirectional antenna

Directional Antenna

Omnidirectional Antenna

Wireless Networking Access Methods

Priority-based access
Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)

Handling Data Errors

Automatic repeat request (ARQ) characteristic
Helps reduce communication errors created by sources of interference

Transmission Speeds

Infrared Wireless Networking

802.11R standard
Can be broadcast in a single direction or in all directions
Transmits in the range of 100 GHz to 1000 THz
Security factors
  Difficult to intercept without someone knowing
  Not susceptible to interference from RFI and EMI
Disadvantages (which also make it more secure)
  Data transmission rates only reach up to 16 Mbps (directional) and can be less than 1 Mbps (omnidirectional)
  Does not go through walls

Diffused Infrared Wireless Communication

Using Authentication to Disconnect

Prevents two communicating stations from being inadvertently disconnected by a nonauthorized station
Caveat: in the original 802.11 standard the deauthentication and disassociation management frames are not themselves authenticated, so a forged deauthentication from an attacker is still accepted; protection for these frames was added later in 802.11w

802.11 Network Topologies

Independent basic service set (IBSS) topology
  Consists of two or more wireless stations that can be in communication
  Does not use an access point
Extended service set (ESS) topology
  Uses one or more access points to provide a larger service area than an IBSS topology

IBSS Wireless Topology

ESS Wireless Topology

Multiple-Cell Wireless LANs

ESS wireless topology that employs two or more access points
Inter-Access Point Protocol (IAPP)
  Roaming protocol that enables a mobile station to move from one cell to another without losing its connection

Bluetooth Radio Wave Networking

Uses frequency hopping in the 2.4-GHz band designated by the FCC for unlicensed ISM transmissions
Uses time-division duplexing (TDD) for packet transmissions

Anatomy of Attacks on Wireless Networks

The attacker's kit:
  Antenna
  Wireless network interface card
  GPS
  War-driving software

Rogue Access Point

Wireless access point installed without the knowledge of the network administrator
Not configured to have security
Provides an attacker with an unsecured entryway to packet communications, bypassing the border firewall entirely

Attacks Through Long-Range Antennas

Increases the reach of a signal
Enables a network to be monitored from a greater distance without being observed

Man-in-the-Middle Attacks

Interception of a message meant for a different computer
Attacker operates between two communicating computers in order to:
  Listen in on communications
  Modify communications

Pitfalls of Wireless Communications

Inherently not secure because they are transported over radio waves that anyone in range can receive
Considerations
  Avoid wireless communications for extremely sensitive information
  Configure the tightest security available

Wireless Security Measures

Open system authentication
Shared key authentication
Wired Equivalent Privacy (WEP)
Service set identifier (SSID)
802.1X security
802.11i security

Open System Authentication

Two stations can authenticate each other
Provides little security, only mutual agreement to authenticate: any station that asks is accepted
Default form of authentication in 802.11

Shared Key Authentication

Uses symmetric encryption: the same key for both encryption and decryption
The access point sends a challenge in the clear and the station returns it encrypted under the shared WEP key; an eavesdropper who captures both has a known plaintext and its ciphertext for that IV

Wired Equivalent Privacy (WEP)

The same encryption key is used at both stations that are communicating
Each frame is encrypted with RC4 under a per-frame key made of a 24-bit initialization vector, which is sent in the clear, concatenated with the shared key
WEP is broken: the IV space is small enough that keystreams repeat on a busy network, and the shared key itself can be recovered from captured traffic, so a WEP network should be treated as no more secure than an open one
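The keystream-reuse problem behind the two slides above (shared key authentication and WEP), worked through as an added example that is not from the book. It implements RC4, builds WEP-style frames (IV in the clear, RC4 keyed with IV || shared key), and shows that once two frames share an IV, knowing one plaintext reveals the other. The shared-key authentication handshake hands an eavesdropper exactly that known plaintext/ciphertext pair. The key, IVs and frame contents are constructed; the CRC-32 integrity value real WEP appends is left out because it does not change the keystream argument.

```python
# Added example (not from the book): RC4 as WEP uses it, and what an
# eavesdropper can do once two frames share an initialization vector.  The key
# and frames are constructed here; the 40-bit key and 3-byte IV sizes are WEP's.
import math


def rc4(key, data):
    """Plain RC4 keystream (KSA + PRGA) XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key, iv, plaintext):
    """WEP frame body: the 24-bit IV travels in the clear, followed by
    RC4(IV || shared_key) applied to the data.  (Real WEP also appends a
    CRC-32 ICV; omitted here, it adds nothing to the keystream problem.)"""
    assert len(iv) == 3
    return iv + rc4(iv + shared_key, plaintext)


def wep_decrypt(shared_key, frame):
    return rc4(frame[:3] + shared_key, frame[3:])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(frame1, plaintext1, frame2):
    """Keystream reuse: if frame1 and frame2 carry the same IV they were
    encrypted with the same RC4 keystream, so C1 xor P1 yields that keystream
    and C2 xor keystream yields P2 (for as many bytes as P1 is known).
    Returns None when the IVs differ, because then the keystreams differ."""
    if frame1[:3] != frame2[:3]:
        return None
    keystream = xor_bytes(frame1[3:], plaintext1)
    return xor_bytes(frame2[3:], keystream)


def frames_until_iv_repeat():
    """Birthday bound for the 2^24 IV space: roughly 5,100 frames with random
    IVs before two of them collide, i.e. seconds on a busy access point."""
    return math.sqrt(math.pi / 2 * 2 ** 24)
```

The point for configuration is that a longer shared key (104-bit instead of 40-bit) does nothing about this: the IV is still 24 bits, and `recover_second_plaintext` never needs the key at all. The same key-independent property is what makes shared key authentication worse than open system authentication when WEP is the cipher underneath.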

Service Set Identifier (SSID)

Identification value:
  typically up to 32 characters in length
  defines a logical network for all devices that belong to it
Each device is configured to have the same SSID
Typically used in an ESS, but not an IBSS
The SSID is a network name, not a secret: it appears in beacons and probe responses, so hiding or obscuring it is not an access control

802.1X Security

Port-based form of authentication
Does not include encryption
  Uncontrolled port: carries only the authentication traffic
  Controlled port: opened for normal traffic once authentication succeeds
Can be set up to work with EAP and its evolving versions (EAP-TTLS and PEAP)
Use different computers for the authentication server and the authenticator

802.11i Security

Builds on the 802.1X standard
Implements the Temporal Key Integrity Protocol (TKIP), which derives per-packet encryption keys from one master key, as a replacement for static WEP keys
Also defines CCMP, an AES-based cipher suite that replaces RC4 entirely; TKIP was a transitional measure for WEP-era hardware and CCMP is the one to use

Configuring Security for Wireless Interfaces

Windows 2000/XP Professional: support the use of WNICs
Red Hat Linux 9.x: supports the use of WNICs (installed through the GNOME desktop Network Device Control tool)
Mac OS X: built-in compatibility for AirPort WNICs and base stations (access points)

Windows 2000 Professional Wireless Security Techniques

Open system authentication
Shared key authentication
WEP (40-bit and 104-bit keys)
SSID
802.1X
EAP
Authentication through RADIUS

Windows XP Professional Wireless Security Techniques

Open system authentication
Shared key authentication
WEP (40-bit and 104-bit keys)
SSID
802.1X
EAP and EAP-TLS
PEAP
Authentication through RADIUS

Red Hat Linux Wireless Security Techniques

Open system authentication
Shared key authentication
WEP (40-bit and 104-bit keys)
SSID
802.1X

Mac OS X Wireless Security Techniques

Open system authentication
Shared key authentication
WEP (40-bit and 104-bit keys)
SSID
RADIUS authentication
Firewall protection

Summary

How wireless networks work
Popular approaches to wireless networking
  IEEE 802.11
  Bluetooth
Types of attacks against wireless networks
Wireless security measures and how to implement them in client operating systems

Guide to Operating System Security
Chapter 9: Web, Remote Access, and VPN Security

Objectives

Understand Internet security using protocols and services
Configure Web browsers for security
Configure remote access services for security
Configure virtual private network services for security

Internet Security

Protocols and services must be kept secure
  To ensure the privacy of information
  To discourage the spread of malicious software

Internet Protocols and Services

Hypertext Transfer Protocol (HTTP)
Secure HTTP (S-HTTP) and Hypertext Transfer Protocol Secure (HTTPS)
File Transfer Protocol (FTP)
Network File System (NFS)
Samba and Server Message Block (SMB)

HTTP

TCP/IP-compatible application protocol that transports information over the Web
Most recent version (at the time of writing): HTTP/1.1
  Increases the reliability of communications
  Enables caching
  Can send message responses before full control information from a request is received
  Permits multiple communications over a single connection (persistent connections and pipelining)

S-HTTP and HTTPS

Forms of HTTP used for more secure communications
S-HTTP
  Standards-based protocol (RFC 2660) that enables the use of a variety of security measures (including CMS and MOSS) on individual messages; it saw very little deployment
HTTPS
  Plain HTTP carried inside an SSL (now TLS) connection, standardized in RFC 2818; the channel rather than the individual message is encrypted, and it is what browsers and servers actually use
  Uses SSL as a subprotocol, so the server is authenticated by its certificate and everything on the TCP connection, headers included, is encrypted between browser and server

File Transfer Protocol (FTP)

TCP/IP protocol that transfers files in bulk data streams
Uses two TCP ports: 21 for the control connection and 20 for the data connection in active mode (in passive mode the server opens a high-numbered port for the data connection instead, which is easier to pass through a firewall)
Supports transmission of binary or ASCII formatted files
Commonly used on the Internet
User names, passwords, and file contents all travel in cleartext, and downloading files can be risky

Network File System (NFS)

Designed for UNIX/Linux systems for file sharing
Built on Sun remote procedure calls (RPC); the portmapper (rpcbind) listens on port 111 (TCP and UDP), and NFSv2/v3 itself runs over UDP or TCP
Trust is based on the client's IP address and the user and group IDs the client presents, so a host that is allowed to mount an export can read any file on it that the IDs it chooses can read
For security, let only authorized computers use NFS on the host computer, export read-only where possible, and never use no_root_squash
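The "let only authorized computers use NFS" rule, as a check you can run rather than a sentence, in an added example that is not from the book: a parser for the /etc/exports syntax (path, then space-separated client(options) entries, with comments and backslash continuations) and an audit that flags world exports, overly broad networks, no_root_squash and insecure. The sample exports file is constructed, and the /24 "broad network" threshold is an assumption you would tune for your site.

```python
# Added example (not from the book): audit /etc/exports for the mistakes
# that turn an NFS server into a world-readable (or root-writable) file
# share.  The sample exports file is constructed; the threshold is an assumption.
import ipaddress
import re

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports, not from a real host
/home        192.0.2.0/24(rw,sync,root_squash)
/srv/public  *(ro,sync)
/srv/backup  (rw,no_root_squash)    # space before "(": exports to everyone
/opt/tools   10.0.0.0/8(rw,insecure)
"""

_CLIENT = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, [options]) per client of each export line.
    Handles comments and backslash line continuations."""
    text = text.replace("\\\n", " ")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or ["*"]:          # no client at all means everyone
            host, opts = _CLIENT.match(client).groups()
            yield path, host or "*", opts.split(",") if opts else []


def audit_exports(text):
    """Return human-readable findings for the risky entries in an exports file."""
    findings = []
    for path, host, opts in parse_exports(text):
        where = f"{path} -> {host}"
        if host == "*":
            mode = "read-write" if "rw" in opts else "read-only"
            findings.append(f"{where}: exported to any host ({mode})")
        elif "/" in host:
            net = ipaddress.ip_network(host, strict=False)
            if net.prefixlen < 24:                # assumed threshold
                findings.append(f"{where}: broad network /{net.prefixlen}")
        if "no_root_squash" in opts:
            findings.append(f"{where}: no_root_squash (remote root is local root)")
        if "insecure" in opts:
            findings.append(f"{where}: insecure (requests accepted from unprivileged ports)")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

The /srv/backup line is the classic mistake: a space between the path and the option list makes the options apply to a client of "*", so the directory is exported read-write to every host, with remote root mapped to local root. `exportfs -v` on the server shows the effective result and is the quickest way to confirm what the file actually granted.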

Samba and Server Message Block

Samba
  Available for UNIX and Linux computers
  Enables the exchange of files and printer sharing with Windows-based computers through the SMB protocol
Server Message Block
  Used by Windows-based systems
  Enables sharing files and printers
  Employed by Samba

Using Samba

Configuring Web Browsers for Security

Applying security measures to popular Web browsers
  Internet Explorer
  Mozilla
  Netscape Navigator

Configuring Internet Explorer Security

Used with Windows and Mac OS X
Configure the version of HTTP, the use of HTTPS, FTP, and download access
Configure security by zones
  Internet
  Local intranet
  Trusted sites
  Restricted sites

Internet Explorer Security Settings

Internet Explorer Enhanced Security Configuration (Windows Server 2003)
  Applies default security to protect the server
  Uses security zones and security parameters preconfigured for each zone

Installing IE Enhanced Security Configuration

Configuring Mozilla Security

Open-source Web browser
Can run on
  Linux (by default with the GNOME desktop)
  UNIX
  Mac OS X
  OS/2
  Windows-based systems
Security configuration is combined with the privacy configuration options

Mozilla Security Categories

Privacy & Security Option in Mozilla

Configuring Netscape Navigator Security

Nearly identical to Mozilla; the GUI offers:
  A buddy list
  Links to Netscape channels
  A different sidebar presentation

Netscape Navigator in Windows 2000 Server

Privacy & Security Options in Netscape

Configuring Remote Access Services for Security

Remote access
  Ability to access a workstation or server through a remote connection (e.g., a dial-up telephone line and modem)
  Commonly used by telecommuters

Microsoft Remote Access Services

Enables off-site workstations to access a server through telecommunications lines, the Internet, or intranets

Microsoft RAS

Microsoft RAS: Supported Clients

MS-DOS
Windows 3.1 and 3.11
Windows NT/95/98
Windows Millennium
Windows 2000
Windows Server 2003 and XP Professional

Microsoft RAS

Supports different types of modems and communications equipment
Compatible with many network transport and remote communications protocols

Microsoft RAS: Supported Connections

Asynchronous modems
Synchronous modems
Null modem communications
Regular dial-up telephone lines
Leased telecommunication lines (e.g., T-carrier)
ISDN lines (and digital modems)
X.25 lines
DSL lines
Cable modem lines
Frame relay lines

Microsoft RAS: Supported Protocols

NetBEUI
TCP/IP
NWLink
PPP
PPTP
L2TP

Understanding Remote Access Protocols

Transport protocols
  TCP/IP
  IPX
  NetBEUI
Remote access protocols
  Serial Line Internet Protocol (SLIP)
  CSLIP
  Point-to-Point Protocol (PPP)
  PPTP
  L2TP

Configuring a RAS Policy

Employ callback security options (No Callback, Set by Caller, Always Callback to a fixed number; only the last one ties the session to a known line)
Install Internet Authentication Service (IAS)
  Can be employed with Remote Authentication Dial-In User Service (RADIUS) and a RADIUS server
  Add participating RAS and VPN servers

Remote Access Policies Objects in the IAS Tree

Granting Remote Access Permission to RAS

Enabling Access for a User's Account via Remote Access Policy

Configuring a RAS Policy

Use Remote Access Policies to configure security types
  Authentication
  Encryption
  Dial-in constraints

RAS Authentication Types

Challenge Handshake Authentication Protocol (CHAP): challenge-response using an MD5 hash, so the password itself never crosses the link
Extensible Authentication Protocol (EAP): framework for stronger methods such as certificates and smart cards
MS-CHAP v1 (aka CHAP with Microsoft extensions): weak; its responses can be cracked offline from a captured exchange
MS-CHAP v2 (aka CHAP with Microsoft extensions version 2): adds mutual authentication and is the minimum worth allowing
Password Authentication Protocol (PAP): sends the password in cleartext
Shiva Password Authentication Protocol (SPAP): reversibly encoded password, little better than PAP
Unauthenticated
Allow only the strongest methods the clients support, and do not enable PAP, SPAP, or unauthenticated access
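The difference between PAP and CHAP on the wire, and the server side of a CHAP exchange including its replay check, as an added example that is not from the book. The PAP packet layout and the CHAP response formula (MD5 over identifier, secret and challenge) are the ones RFC 1334 and RFC 1994 specify; the user name, secret and `ChapAuthenticator` class are constructed for the illustration and are not part of any Windows RAS component.

```python
# Added example (not from the book): what a sniffer on the link sees with PAP
# versus CHAP, and the server side of CHAP with the replay check.  Names and
# secrets are constructed; the CHAP hash is the one RFC 1994 specifies.
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id, password):
    """PAP (RFC 1334) Authenticate-Request payload: both fields in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """RAS side: issues random challenges and verifies responses.
    The cost of CHAP is visible here: the server must hold the cleartext secret."""

    def __init__(self, secrets):
        self.secrets = secrets            # name -> cleartext secret
        self.outstanding = {}             # identifier -> challenge not yet used

    def challenge(self, identifier):
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier, name, response):
        challenge = self.outstanding.pop(identifier, None)   # one use only
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)      # constant-time compare


def password_on_the_wire(packets, password):
    """Simulated sniffer: does the password appear verbatim in any packet?"""
    return any(password in p for p in packets)


def run_chap(auth, identifier, name, secret):
    """Client and server turns of one CHAP exchange; returns (ok, packets_seen)."""
    challenge = auth.challenge(identifier)                    # server -> client
    response = chap_response(identifier, secret, challenge)   # client -> server
    return auth.verify(identifier, name, response), [challenge, response]
```

What CHAP does not protect against is also visible: an attacker who captures the challenge and response can test candidate passwords offline at the speed of MD5, which is why a weak dial-in password is still weak under CHAP, and why MS-CHAP v2 with a long secret, or EAP with certificates, is the better policy setting.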

RAS Encryption Options

RAS Dial-in Constraints Options

Idle and session timeouts
Day and time restrictions
Whether access is restricted to a single number
Whether access is restricted based on the media used

Security on a Virtual Private Network

VPN
  A private network carried over a shared or public network such as the Internet, with the traffic encrypted inside a tunnel (PPTP or L2TP on Windows) and access restricted to specific clients based on subnets, IP addresses, user accounts, or a combination
Apply the same remote access policies as to RAS servers: the VPN server is a remote access server whose "line" is the Internet

Summary

Protocols and services that enable Internet security
Configuring Web browsers for security
  Internet Explorer
  Mozilla
  Netscape Navigator
How to configure a server's remote access services to enforce security
Applying security options to a VPN

Guide to Operating System Security
Chapter 10: E-mail Security

Objectives

Understand the use of SMTP in e-mail and attacks on SMTP
Explain how e-mail can be secured through certificates and encryption
Discuss general techniques for securing e-mail
Configure security in popular e-mail tools

Overview of SMTP

Enables the exchange of e-mail across networks and the Internet
Provides reliable but not guaranteed message transport
No logon ID or password is required by the base protocol (authentication is an optional extension, SMTP AUTH), which is why relay controls and sender verification matter
A client and server process

Sending E-Mail by SMTP

Parts of SMTP Messages

Address header
  Envelope
  Message header
  Domain literal
  Multihomed host
  Host names
Message text

Overview of SMTP

Protocols used to store and retrieve e-mail
  Post Office Protocol (POP)
  Internet Message Access Protocol (IMAP)

Operating Systems That Use SMTP by Default

Microsoft Outlook Express on Windows 2000/XP/2003
Microsoft Outlook in Windows-based systems that have Microsoft Office
Ximian Evolution Mail in Red Hat Linux 9.x
Mail in Mac OS X

E-mail Server Software Systems That Use SMTP

Eudora
Lotus Domino Mail Server
Mailtraq
Merak Email
Microsoft Exchange
Sendmail
SuSE Linux Open Exchange Server

E-mail Attacks on SMTP

Surreptitious alteration of a DNS server (changing a domain's MX records redirects its mail to a host the attacker controls)
Direct use of command-line e-mail tools to attack SMTP communications (the envelope sender is never verified, so headers are trivially forged)
Spread of unsolicited commercial e-mail (spam)

DNS Server Directing E-mail

E-mail Attacks Through Altering DNS Server Information

Using Command-Line Tools for E-mail Attacks

Windows 2000/XP/2003
  An attacker can use maliciously constructed e-mail to attack an SMTP server
UNIX/Linux
  Easier; the attacker can use the built-in e-mail command-line options

Unsolicited Commercial E-mail (UCE)

Relatively inexpensive for the sender
Expensive for users whose resources are diminished by UCE traffic
Expensive in terms of wasted time (an estimated 25% of all Internet e-mail traffic was spam at the time of writing)

Ways to Control UCE (Spam)

Turn off open SMTP relay capability: an open relay accepts mail from any sender to any recipient, and will be found, abused by spammers, and blacklisted
Configure the SMTP server with restrictions on which networks and users may relay
Require a computer to authenticate to Microsoft Exchange before e-mail is relayed
Direct e-mail not addressed to internal recipients to a bogus IP address
Obtain tools to block e-mail
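How you verify that open relaying is actually off, as an added example that is not from the book: the three-command SMTP exchange (HELO, MAIL FROM, RCPT TO) a relay check performs, with both sides shown. An external sender and an external recipient are offered; a 250 reply to RCPT TO means the server would relay, and the probe issues RSET and QUIT instead of DATA so nothing is ever injected. `FakeSmtpServer`, its host name and the probe addresses are constructed for the example so that it runs offline.

```python
# Added example (not from the book): the SMTP exchange a relay test performs,
# run against an in-memory stand-in for a mail server so it works offline.
# FakeSmtpServer, its host name and the probe addresses are all constructed.
from collections import deque


class FakeSmtpServer:
    """Minimal SMTP responder.  open_relay=True accepts any recipient
    (an open relay); False accepts only recipients in its own domain."""

    def __init__(self, local_domain="example.test", open_relay=False):
        self.local_domain = local_domain
        self.open_relay = open_relay
        self.replies = deque(["220 mail.example.test ESMTP ready"])
        self.data_seen = False

    def send(self, line):                     # client -> server
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.replies.append("250 mail.example.test")
        elif verb == "MAIL":
            self.replies.append("250 OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain == self.local_domain or self.open_relay:
                self.replies.append("250 OK")
            else:
                self.replies.append("550 5.7.1 Relaying denied")
        elif verb in ("RSET", "NOOP"):
            self.replies.append("250 OK")
        elif verb == "DATA":
            self.data_seen = True
            self.replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            self.replies.append("221 Bye")
        else:
            self.replies.append("500 Command unrecognized")

    def recv(self):                           # server -> client
        return self.replies.popleft()


def relay_probe(send, recv, helo="probe.example.test",
                sender="probe@outside.example", rcpt="victim@elsewhere.example"):
    """Return (relays, transcript).  Sender and recipient are both outside the
    server's domain, so a 250 to RCPT TO means the server would relay.  DATA
    is never sent, so no message is actually injected."""
    transcript = [("", recv())]
    if not transcript[0][1].startswith("220"):
        return False, transcript
    for cmd in (f"HELO {helo}", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
        send(cmd)
        reply = recv()
        transcript.append((cmd, reply))
        if not reply.startswith("250"):
            send("QUIT"); recv()
            return False, transcript
    send("RSET"); recv()                       # abandon the envelope
    send("QUIT"); recv()
    return True, transcript
```

Against a real server you are responsible for, the standard library does the same exchange: `smtplib.SMTP(host).helo()`, `.mail(sender)` and `.rcpt(rcpt)`, where `.rcpt` returns the reply code, and 250 for an outside recipient from an outside, unauthenticated sender is the finding. Run the probe from outside your own network range as well, since relay restrictions are usually keyed to source address.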

Securing E-mail Through Certificates and Encryption

Ensures privacy
Reduces the chances of forgery or of someone other than the sender adding an attachment
Accepted methods
  Secure Multipurpose Internet Mail Extensions (S/MIME)
  Pretty Good Privacy (PGP)

Using S/MIME Encryption

Provides encryption and authentication for e-mail transmissions
An extension of MIME

MIME

Provides extensions to the original SMTP address header information
Different types of message content can be encoded for transport over the Internet
Additional header fields
  MIME-Version
  Content-Type
  Content-Transfer-Encoding
  Content-ID
  Content-Description
The Content-Type and the attachment file name are set by the sender and checked by nobody in transit, so a filter that trusts them instead of the decoded bytes is easy to evade

Using S/MIME Encryption

Uses digital certificates based on the X.509 standard
Has the flexibility to use 168-bit key Triple DES
Designed to follow the Public-Key Cryptography Standards (PKCS)

Using PGP Security

Provides encryption and authentication for e-mail transmissions
Sometimes preferred by users of open systems (UNIX/Linux); enables the use of X.509 or PGP digital certificates
Unique characteristic of a PGP certificate: the web of trust, in which users sign each other's keys instead of relying on a certificate authority

Contents of a PGP Digital Certificate

PGP version number
Public key
Information about the certificate holder
Digital signature of the certificate holder
Validity period of the certificate
Preferred algorithm for the key

Typical Encryption Methods Used by PGP

CAST
IDEA
Triple DES

Other Techniques for Securing E-mail

Train users
Scan e-mail
Control the use of attachments

Training Users for E-mail Security

Never send personal information or a password in response to an e-mail request
Delete e-mail from unrecognized sources
Use message filtering, if available

Scanning E-mail

Place virus scanning software on the e-mail gateway
Update virus definitions frequently
Quarantine specific kinds of attachments
Scan zipped files
Scanner code should be written to be relatively fast

Controlling the Use of Attachments

Delete attachments from unknown sources
Never configure software to automatically open attachments
Avoid using HTML format for opening e-mail
Use a virus scanner on e-mail before opening it
Place attachments in quarantine
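The MIME header fields from the earlier slide and the quarantine rules from the scanning and attachment slides, put together in an added example that is not from the book: a gateway-style triage that walks every MIME part of a message, decides by extension and by the decoded bytes (not by the sender-supplied Content-Type) what to quarantine, and flags HTML bodies and archives for further handling. The message, the extension lists and the `triage` function are constructed for the example; the standard library `email` package does the parsing.

```python
# Added example (not from the book): walk the MIME parts of a message the way
# a gateway scanner does and decide which attachments to quarantine.  The
# message and the extension lists are constructed for the example.
import os
from email import message_from_string, policy

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}

SAMPLE_MESSAGE = """\
MIME-Version: 1.0
From: "Payroll" <payroll@example.test>
To: user@example.test
Subject: Your statement
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html><body>Please open the attached statement.</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-ID: <part1@example.test>
Content-Description: statement

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

TVqQAAMAAAAEAAAA//8AAA==
--b1
Content-Type: application/zip; name="photos.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="photos.zip"

UEsDBBQAAAAIAA==
--b1--
"""


def triage(raw_message):
    """Return (name, reason) findings; anything whose reason starts with
    'quarantine' should be held rather than delivered."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            findings.append(("body", "HTML body: render as plain text, no scripts or remote images"))
        name = part.get_filename()
        if not name:
            continue
        root, ext = os.path.splitext(name.lower())
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"quarantine: executable type {ext}"))
        if os.path.splitext(root)[1]:
            findings.append((name, "double extension, disguised file type"))
        if ext in ARCHIVE_EXTENSIONS:
            findings.append((name, "archive: expand and scan contents"))
        # Trust the bytes, not the headers: a PE executable starts with "MZ".
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ" and ext not in BLOCKED_EXTENSIONS:
            findings.append((name, "quarantine: executable content behind a harmless name"))
    return findings
```

The report.pdf part is the case the headers-only approach misses: Content-Type says PDF, the name says PDF, and the decoded payload is a Windows executable. The check on the magic bytes is a stand-in for the full virus scanner the slides call for, and is the reason Content-Transfer-Encoding has to be decoded before any content rule runs.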

Backing Up E-mail

For storage
To ensure that unread e-mail is not lost if the server goes down

Configuring Security in Popular


E-mail Tools

Microsoft Outlook Express


Microsoft Outlook
Ximian Evolution Mail in Red Hat Linux 9.x
Mail in Mac OS X

Guide to Operating System Security

27

Microsoft Outlook Express

Included with Windows 2000/XP/2003


Can obtain messages from SMTP-based
servers running e-mail server software
Can be used to access newsgroups

Guide to Operating System Security

28

Microsoft Outlook Express

Guide to Operating System Security

29

Security Measures Supported


by Outlook Express

S/MIME (version 3)
40-bit and 128-bit RC2 encryption
64-bit RC2 encryption
56-bit DES encryption
168-bit Triple DES encryption
Digital signatures encrypted using SHA-1

Guide to Operating System Security

30

Configuration Options for


Outlook Express

Guide to Operating System Security

31

Microsoft Outlook Express

Enables you to export e-mail to Microsoft


Outlook or a Microsoft Exchange server
Can be used to back up messages from other
systems
Enables you to block or filter messages from
unwanted sources

Guide to Operating System Security

32

Microsoft Outlook

Included with Microsoft Office


Has multiple capabilities

E-mail communications
Calendar
Ability to track tasks, list contacts, and make notes

Guide to Operating System Security

33

Microsoft Outlook Security


Features

S/MIME (version 3)
40-bit and 128-bit RC2 encryption
64-bit RC2 encryption
56-bit DES encryption
168-bit Triple DES encryption
Digital signatures encrypted using SHA-1
V1 Exchange Server Security certificates

Guide to Operating System Security

34

Configuration Options for


Microsoft Outlook

Guide to Operating System Security

35

Microsoft Outlook

Ability to back up messages by exporting to a


file (many file types available)
Ability to add specific Web sites to junk e-mail
list

Guide to Operating System Security

36

Ximian Evolution Mail in


Red Hat Linux 9.x

Processes e-mail
Schedules activities on a calendar
Records tasks
Creates list of contacts
Summary function (weather, inbox/outbox
totals, appointments, updates and errata)

Guide to Operating System Security

37

Ximian Evolution Mail in Red Hat Linux 9.x

Ximian Evolution Mail in Red Hat Linux 9.x

Capability to configure more than one account with unique properties
Can be configured to use either PGP security or GnuPG

Configuration Options for Evolution Mail

Apple Mail

Comes with Mac OS X
Focuses on handling e-mail activities
Enables creation of filters to reject mail from unwanted or unknown sources
Capability to configure different accounts

Apple Mail (Continued)


Apple Mail (Continued)

Uses PGP for security
Can specify use of SSL for security over Internet links to e-mail
Provides different authentication methods for verifying access to an e-mail account:
Password authentication
Kerberos version 4 and version 5
MD5 challenge-response (CRAM-MD5)

Summary

How operating systems use SMTP for e-mail
Sources of e-mail attacks
Over 90% of malicious software strikes through e-mail
How certificates and encryption can protect e-mail
How to configure security in e-mail software typically used with operating systems

Guide to Operating
System Security
Chapter 11
Security through Disaster
Recovery

Objectives

Deploy UPS systems
Create hardware redundancy and apply fault-tolerance options
Deploy RAID
Back up data and operating system files

Uninterruptible Power Supply

Best fault-tolerance method to prevent power problems from causing data loss and component damage
Provides immediate battery power to equipment during unexpected power loss
Protects against lost data and downtime

Uninterruptible Power Supply


Selecting and Deploying a UPS (Continued)

Online (inline)
Equipment is powered continuously from the batteries (which are kept charged from the mains), so there is no switchover
More guaranteed protection
Offline (standby)
Switches to batteries when a reduction in city (utility) power is detected
Less expensive
Batteries can last longer, but the unit may not switch to battery in time for full protection

Selecting and Deploying a UPS (Continued)

Provides power for a limited time period
Usually guards against power surges
Can communicate information to the computers it supports
Requires periodic testing to ensure it is working

Configuring a UPS in
Windows 2000/XP/2003

All support serial and USB communications with a UPS

Configuring a UPS in
Red Hat Linux

Supported by Red Hat Linux 9.x
Obtain UPS serial or USB communications software from the manufacturer
Use the configuration software provided by the UPS manufacturer

Configuring a UPS in
NetWare 6.x

Communicates through a serial port connection and employment of the AIOCOMX and UPS_AIO NLMs

UPS_AIO Configuration Options (Continued)

Option               Description
msgdelay=seconds     Time, in seconds, to wait until a message is sent to all users that power is out (default 5 seconds)
msginterval=seconds  Interval, in seconds, between multiple warning messages sent to all users (default 30 seconds; minimum interval 20 seconds)
path                 Location of the UPS_AIO NLM if it is not in the SYS:SYSTEM directory
downtime=seconds     Time, in seconds, to wait on battery power (while main power is out) until automatically shutting down
port=portnumber      Number of the port to which the UPS is attached, such as serial port 1 (port=1)

UPS_AIO Configuration Options (Continued)

Option               Description
signal_high          Specifies that the signal sent from the UPS is a high signaling value (most UPSs employ a low signal; this option is not typically used; consult the UPS manual)
drivertype=value     Driver loaded to enable UPS communications (AIOCOMX is 1; check the documentation for the value associated with a specialized driver accompanying the UPS)
board=value          Value used with a specialized communications board provided with the UPS (consult the UPS documentation)
(option name not preserved in the source)  Displays a brief description of the options used with the UPS_AIO NLM (options are not displayed in graphical (GUI) mode; press Alt+Esc after entering the command to see the description; press Alt+Esc repeatedly, then click the forward arrow to return to graphical mode)

Configuring a UPS in
Mac OS X

Obtain UPS serial or USB communications software from the manufacturer

Creating Hardware Redundancy and Fault Tolerance

Hardware redundancy includes:
Using redundant components
Employing multiprocessor systems
Clustering services
Placing servers in different locations
Implementing data warehousing

Using Redundant Components

Network interface cards (NICs)
Power supplies

Using Redundant NICs

Designed to match particular network transport methods, computer bus types, and network media
Network connection requirements:
Appropriate connector for the network medium
Transceiver
MAC controller
Protocol control firmware

Considerations When Using Redundant NICs

Fast speed (up to 100 Mbps for a workstation)
Match the network transport method
Support both full-duplex and half-duplex transmissions
Brand-name, high-quality NICs
Latest driver and protocol control firmware

Using Redundant Power Supplies

Can take over if the main power supply fails
Consider for the following:
SMTP mail servers
Servers that authenticate users to a network
Web servers
Database servers

Employing Multiprocessor
Systems

Symmetric multiprocessor (SMP) computers
Two or more processors in one computer share the processing load
If one stops working, the remaining processors take over
Make sure you understand the specific requirements for adding CPUs to your OS

Clustering Servers

Links multiple computers and their resources
Two models:
Shared disk model
Shared nothing model

Clustering Servers


Shared Nothing Clustering Model

[Figure 11-3 Shared nothing clustering model: each server has its own main connection, with a backup connection in case of server failure]

Placing Servers in Different Locations

Microsoft distributed file system (DFS)
Available in Windows 2000 Server/Server 2003
Provides fault tolerance by placing copies of the same folders on computers in different locations
Folders appear to exist in one centralized hierarchy of folders
Has many advantages

Implementing Data
Warehousing

Duplicating a main database's data, typically on another computer
Often created for queries and reporting and to provide a backup of the main database

Fault-Tolerance Options

Disk mirroring
Disk duplexing
Redundant array of inexpensive (or
independent) disks (RAID)


Disk Mirroring


Disk Duplexing


Using RAID

Set of standards for lengthening disk life and preventing data loss
Goal: to spread disk activity equally across all volumes

Essential RAID levels

RAID level 0 (striping; no redundancy)
RAID level 1 (mirroring and duplexing)
RAID level 2
RAID level 3
RAID level 4
RAID level 5 (striping combined with distributed parity; the parity block in each stripe is used to verify data and to rebuild the contents of a failed disk)
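The parity mechanism behind RAID level 5, as an added example that is not code from the textbook or from any RAID controller: data is split into stripes, one block per disk, with the parity block (the XOR of the other blocks) rotating across disks. The block size, the parity rotation and the function names are assumptions chosen for illustration.

```python
"""RAID 5 striping with distributed (rotating) parity, modelled in pure Python.

Added example, not code from the textbook or from any vendor's RAID
implementation: block size, the parity rotation and the function names
below are illustrative assumptions.
"""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR any number of equal-length blocks; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        if len(blk) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe: int, n_disks: int) -> int:
    """Rotate the parity block across disks so no single disk is a hot spot."""
    return (n_disks - 1 - stripe) % n_disks


def write_stripes(data: bytes, n_disks: int, block_size: int) -> List[List[bytes]]:
    """Lay `data` out across `n_disks` disks, one block per disk per stripe.

    Returns disks[d][s]: the block stored on disk d in stripe s. Each stripe
    holds n_disks-1 data blocks and one parity block. Data is zero-padded to a
    whole number of stripes (a simplification for this example).
    """
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    data_per_stripe = (n_disks - 1) * block_size
    data += b"\x00" * ((-len(data)) % data_per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_disks - 1)]
        parity = xor_blocks(data_blocks)
        p = parity_disk_for(s, n_disks)
        data_iter = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_iter))
    return disks


def fail_disk(disks: List[List[Optional[bytes]]], d: int) -> List[List[Optional[bytes]]]:
    """Simulate a failed disk: every block on disk d becomes unreadable (None)."""
    return [[None] * len(blocks) if i == d else list(blocks)
            for i, blocks in enumerate(disks)]


def read_all(disks: List[List[Optional[bytes]]]) -> bytes:
    """Reassemble the data, rebuilding any block on one failed disk.

    Because parity = XOR of the data blocks, the XOR of all blocks in a
    stripe is zero, so a single missing block (data or parity) equals the XOR
    of the survivors. Two missing blocks in one stripe cannot be recovered.
    """
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        stripe = [disks[d][s] for d in range(n_disks)]
        missing = [d for d, blk in enumerate(stripe) if blk is None]
        if len(missing) > 1:
            raise RuntimeError("RAID 5 tolerates only one failed disk")
        if missing:
            stripe[missing[0]] = xor_blocks([b for b in stripe if b is not None])
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += stripe[d]
    return bytes(out)


if __name__ == "__main__":
    message = b"Payroll database, do not lose"        # constructed sample data
    array = write_stripes(message, n_disks=4, block_size=4)
    degraded = fail_disk(array, 2)
    print(read_all(degraded)[:len(message)])          # still readable after one failure
```

The same XOR step that rebuilds a failed disk is why every write to a RAID 5 volume costs a read-modify-write of the parity block, which is the reason the slides note that writes are slower than reads and that a second failure before the rebuild finishes loses the array.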


RAID Support in Windows 2000 Server/Server 2003

Support only RAID levels 0, 1, and 5; only levels 1 and 5 provide disk fault tolerance
Levels 1 and 5 recommended
Recognize two types of disks (software RAID requires dynamic disks):
Basic
Dynamic

RAID Support in Windows 2000 Server/Server 2003 (Continued)

Configuration considerations:
Boot and system files can be placed on RAID level 1, but not on RAID level 5
RAID level 1 uses two hard disks; RAID level 5 uses from 3 to 32
RAID level 1 is more expensive to implement than RAID level 5 (only half of the purchased disk space is usable)

RAID Support in Windows 2000 Server/Server 2003 (Continued)

Configuration considerations:
RAID level 5 requires more memory than RAID level 1
Disk read access is faster than write access in RAID level 1 and RAID level 5
RAID level 5 has much faster read access than RAID level 1

Creating a RAID Volume in Windows 2000 Server/Server 2003

RAID Support in
Red Hat Linux 9.x

Supports RAID levels 0, 1, and 5
Configured at installation when using GUI installation mode
First install all disks and associated hardware
Plan for the number of spare partitions
Choose Disk Druid from the Disk Partitioning Setup screen

RAID Support in NetWare 6.x

Supports RAID levels 0, 1, and 5
Can manage RAID using Novell Storage Services (NSS) tools from ConsoleOne
NetWare 6.5 offers iManager, a browser tool for managing objects

RAID Support in Mac OS X

Supports RAID levels 0 (striping) and 1 (mirroring)
Apple recommends not placing boot files on RAID disks

Software RAID versus Hardware RAID

Software RAID
Implements fault tolerance through the computer's operating system
Hardware RAID
Implemented through RAID hardware (e.g., an adapter)
Independent of the operating system
More expensive than software RAID

Advantages of Hardware RAID

Faster read and write response
Ability to place boot and system files on different RAID levels
Ability to hot swap a failed disk with one that works or is new
More setup options to retrieve damaged data and to combine different RAID levels within one array of disks

Backing Up Data

Binary backup
Full file-by-file backup
Partial backups

Differential
Incremental


Advantages of Local Backups over Remote Backups

No extra load on the network
Enable backups on a multiple-computer network
Provide more assurance that the Registry is backed up (Windows 2000/XP/2003)
An attacker using a sniffer cannot intercept backup traffic over the network

Tape Rotation

Ensures alternatives in case there is a bad or worn tape
Tower of Hanoi procedure

Tape Rotation


Windows 2000/XP/2003
Backups

Normal
Incremental
Differential
Copy
Daily
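The five Windows backup types above differ only in which files they select and whether they clear the archive attribute afterwards; the Tower of Hanoi rotation on the earlier slide is likewise a small rule. Both are worked through here as an added example, not code from the textbook or from Windows Backup; the file model, the day numbering and the function names are assumptions made for illustration, and only the archive-attribute rules follow the slide.

```python
"""Windows-style backup types modelled on the archive attribute, plus a Tower
of Hanoi tape-rotation schedule.

Added example, not code from the textbook or from Windows Backup: the
FileEntry model, day numbering and function names are illustrative
assumptions; only the archive-attribute rules follow what the slides describe.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileEntry:
    path: str
    modified_day: int       # day number of the last write (constructed, not a real timestamp)
    archive: bool = True    # Windows sets the archive attribute whenever a file changes


def run_backup(files: Dict[str, FileEntry], kind: str, today: int) -> List[str]:
    """Select files for one backup job and update archive attributes as
    Windows 2000/XP/2003 Backup does:

      normal        every file; clears the attribute (the reference point for the others)
      copy          every file; leaves attributes alone (safe to run mid-cycle)
      incremental   files with the attribute set; clears it, so each run holds only
                    changes since the previous normal or incremental backup
      differential  files with the attribute set; leaves it, so each run holds all
                    changes since the last normal backup (restore = normal + newest differential)
      daily         files modified today; leaves attributes alone

    Returns the sorted list of paths written to the backup medium.
    """
    if kind in ("normal", "copy"):
        chosen = list(files.values())
    elif kind in ("incremental", "differential"):
        chosen = [f for f in files.values() if f.archive]
    elif kind == "daily":
        chosen = [f for f in files.values() if f.modified_day == today]
    else:
        raise ValueError(f"unknown backup type: {kind!r}")
    if kind in ("normal", "incremental"):
        for f in chosen:
            f.archive = False
    return sorted(f.path for f in chosen)


def modify(files: Dict[str, FileEntry], path: str, day: int) -> None:
    """Simulate an application writing to `path`: Windows sets the archive attribute again."""
    files[path].modified_day = day
    files[path].archive = True


def sample_files() -> Dict[str, FileEntry]:
    """Constructed sample file set (not from the textbook)."""
    return {p: FileEntry(p, modified_day=1) for p in ("a.doc", "b.xls", "c.mdb")}


def hanoi_tape(day: int) -> int:
    """Tower of Hanoi rotation: on day n (1-based) use tape number
    (number of trailing zero bits in n) + 1. Tape 1 is written every second
    day, tape 2 every fourth, tape 3 every eighth, and so on, so the higher-
    numbered tapes hold progressively older restore points."""
    if day < 1:
        raise ValueError("day must be >= 1")
    return (day & -day).bit_length()


def hanoi_schedule(days: int) -> List[int]:
    """Tape number used on each of the first `days` days."""
    return [hanoi_tape(d) for d in range(1, days + 1)]
```

Running a normal backup on day 1 and differentials afterwards shows why a differential grows each day while an incremental does not, and why an incremental run inserted into a differential cycle silently shortens the next differential (it clears the attributes the differential relies on).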


Backup Options


UNIX and Red Hat Linux Backup Tools

volcopy (not available in Red Hat Linux)
Sometimes used with the labelit utility
tar utility (sometimes used)
dump
Commands used to restore:
restore (Red Hat Linux)
ufsrestore
restor

NetWare 6.x Backup Options

Uses Storage Management System (SMS)
NLMs are loaded at the Server Console prior to starting a backup
Target Service Agents (TSAs) are designed to read and back up specific types of data

Target Service Agents (TSAs)

TSA600 for NetWare 6.x
TSANDS to back up the NDS database and eDirectory
GWTSA for GroupWise information
Windows NT TSA to back up Windows NT, 2000, and XP data
W95TSA to back up Windows 95/98 data

Starting a Backup in NetWare 6.0

Choosing What to Back Up in NetWare 6.0

NetWare 6.x Backup Options


Mac OS X

Supports use of dump and tar
From the terminal window, or
Obtain a third-party utility that uses these utilities for backup
Can also use the Copy utility on the Edit menu

Summary

Using disaster recovery techniques to:
Secure operating systems
Prevent data loss
Reduce downtime
Selecting and deploying a UPS to prevent power interruptions

Summary (Continued)

Using redundant hardware components and implementing RAID for secure data storage
Backing up data and operating system files to minimize loss in the event of computer failure

Guide to Operating
System Security
Chapter 12
Security through Monitoring
and Auditing

Objectives

Understand the relationship between baselining and hardening
Explain intrusion-detection methods
Use audit trails and logs
Monitor logged-on users
Monitor a network

Baselining and Hardening

Baselines
Measurement standards for hardware, software, and network operations
Used to establish performance statistics under varying loads or circumstances

Overview of Intrusion Detection

Detects and reports possible network and computer system intrusions or attacks
Main approaches:
Passive
Active
Host-based
Network-based
Inspectors
Auditors
Decoys and honeypots

Passive Intrusion Detection

Detects and records intrusions; does not take action on findings
Effective as long as the administrator checks the logs
Can create filters or traps
Examples of monitored activities:
Login attempts
Changes to files
Port scans

Third-Party Passive
Intrusion-Detection Tools

Klaxon
Loginlog
Lsof
Network Flight Recorder
RealSecure
Dragon Squire
PreCis


Active Intrusion Detection

Detects an attack and sends an alert to the administrator or takes action to block the attack
May use logs, monitoring, and recording devices

Third-Party Active
Intrusion-Detection Tools

Entercept
AppShield
Snort
SecureHost
StormWatch


Active Intrusion Detection


Host-based Intrusion Detection

Software that monitors the computer on which it is loaded:
Logons
Files and folders
Applications
Network traffic
Changes to security
Host wrappers and host-based agents

Host-based Intrusion Detection


Network-based Intrusion
Detection

Monitors network traffic associated with a specific network segment
Typically places the NIC in promiscuous mode

Network-based Intrusion
Detection


Inspector

Examines captured data, logs, or other recorded information
Determines if an intrusion is occurring or has occurred
Administrator sets up inspection parameters, for example:
Files changed/created under suspicious circumstances
Permissions unexpectedly changed
Excessive use of a computer's resources

Auditor

Tracks a full range of data and events, both normal and suspicious, for example:
Every time services are started and stopped
Hardware events or problems
Every logon attempt
Every time permissions are changed
Network connection events
Records the information to a log

Decoys and Honeypots

Fully operational computers that contain no information of value
Draw attackers away from critical targets
Provide a means to identify and catch or block attackers before they harm other systems

Using Audit Trails and Logs

A form of passive intrusion detection used by most operating systems:
Windows 2000/XP/2003
Red Hat Linux 9.x
NetWare 6.x
Mac OS X

Viewing Logs in Windows 2000/XP/2003

Accessed through Event Viewer
Event logs can help identify a security problem
The Filter option can help quickly locate a problem

Viewing Logs in Windows 2000/XP/2003 (Continued)

Principal event logs:
System
Security
Application
Event logs for installed services:
Directory Service
DNS Service
File Replication

Event Viewer in Windows Server 2003

Viewing an Event in Windows Server 2003

Viewing Logs in Red Hat Linux 9.x

Offers a range of default logs
Log files are written by syslogd (configured in /etc/syslog.conf)
Rotation is handled by logrotate, run from cron; four rotation levels are kept by default

Viewing Logs in Red Hat Linux 9.x (Continued)

Two ways to view default logs:
Open LogViewer (Main Menu > System Tools > System Logs)
Enables creation of a filter on the basis of a keyword (e.g., failed, denied, rejected)
Use the Emacs or vi editors, or use the cat command in a terminal window

Red Hat Linux 9.x Default Logs

Log Name              Location and Filename     Description
Boot Log              /var/log/boot.log.x       Contains messages about processes and events that occur during bootup or shutdown
Cron Log              /var/log/cron.x           Provides information about jobs that are scheduled to run or that have already run
Kernel Startup Log    /var/log/dmesg.x          Shows startup messages sent from the kernel
Mail Log              /var/log/maillog.x        Contains messages about mail server activities
News Log              /var/log/spooler.x        Provides messages from the news server
RPM Packages Log      /var/log/rpmpkgs.x        Shows the list of software packages currently installed; updated each day through a job scheduled via cron
Security Log          /var/log/secure.x         Provides information about security events and processes
System Log            /var/log/messages.x       Contains messages related to system activities
Update Agent Log      /var/log/up2date.x        Shows updates that have been performed by the Update Agent
XFree86 Log           /var/log/xfree86.x.log    Contains information about what is installed from XFree86

(The .x in a filename is the rotation number added by logrotate; the current file has no suffix.)


Viewing Logs in Red Hat


Linux 9.x


Viewing Logs in NetWare 6.x

Log Name                  Location & Filename                                  Description
Access Log                SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ACCESS.TXT     Contains information about access to services on the NetWare server
Audit Log                 SYS:ETC\AUDIT.LOG                                    Contains an audit trail of user account activities
Console Log               SYS:ETC\CONSOLE.LOG                                  Traces activities performed at the server console
Error Log                 SYS:NOVONYX\SUITESPOT\ADMIN-SERV\LOGS\ERROR.TXT      Contains error information recorded for the NetWare server
Module Log                SYS:ETC\CWCONSOL.LOG                                 Contains a listing of modules that have been loaded
NFS Server Log            SYS:ETC\NFSSERV.LOG                                  Provides information about NFS server services, including changes to a service and communications through TCP and UDP
Schema Instructions Log   SYS:ETC\SCHINST.LOG                                  Tracks schema events, including changes to the schema

Viewing Logs in Red Hat


Linux 9.x


Viewing Logs in Mac OS X

Log Name                 Location and Filename   Description
FTP Service Log          /var/log/ftp.log        Contains information about FTP activity, including sessions, uploads, downloads, etc.
Last Login Log           /var/log/lastlog        Provides information about last login activities
Directory Service Log    /var/log/lookupd.log    Provides the log of the lookupd (directory lookup) daemon, including requests relating to user accounts, printers, and Internet resources
Mail Service Log         /var/log/mail.log       Stores messages about e-mail activities
Network Information Log  /var/log/netinfo.log    Tracks messages from the NetInfo directory service daemon
Print Service Log        /var/log/lpr.log        Contains information about printing activities
Security Log             /var/log/secure.log     Provides information about security events
System Log               /var/log/system.log     Contains information about system events, including processes that are started or stopped, buffering activities, console messages, etc.

Viewing Logs in Mac OS X


Reasons for Monitoring Logged-on Users

Assess how many users are typically logged on at given points in time
Baseline information
To determine when a shutdown would have the least impact
Be aware of security or misuse problems

Monitoring Users in Windows 2000/XP/2003

Use the Computer Management tool to access Shared Folders
Shared Folder options:
Shares
Sessions
Open Files
Use Task Manager (Windows XP and Windows Server 2003)

Monitoring Users in
Windows XP Professional


Monitoring Users in
Windows 2000 Server


Monitoring Users in
Windows XP Professional


Monitoring Users in Red Hat Linux 9.x

Use the who command

who Command Options

Option   Description
-a       Displays all users
-b       Shows the time when the system was last booted
-i       Shows the amount of time each user process has been idle
-q       Provides a quick list of logged-on users, and provides a user count
-r       Shows the run level
-s       Displays a short listing of usernames, line in use, and logon time
-u       Displays the long listing of usernames, line in use, logon time, and process number
--help   Displays help information about the who command
-H       Displays who information with column headers

Monitoring Users in Red Hat Linux 9.x

Monitoring Users in
NetWare 6.x

MONITOR
Connections
Loaded modules
File open/lock
Other server-monitoring functions
NetWare Remote Manager
View current connections
View files opened by particular users
Send messages to a particular user or all users
Clear connections

Monitoring Users in Mac OS X

Use the who command in a terminal window

Supports few options (primarily -H and -u)

Process Viewer


Monitoring a Network

Network Monitor
Network monitoring software with the most features
Comes with Windows 2000 Server and Windows Server 2003

Why Network Monitoring Is Important

Networks are dynamic
The administrator must distinguish an attack from an equipment malfunction
Establish and use benchmarks to help quickly identify and resolve problems

Using Microsoft Network Monitor

Uses the Network Monitor Driver to monitor the network from the server's NIC (promiscuous mode)
Sample activities that can be monitored:
Percent network utilization
Frames and bytes transported per second
Network station statistics
NIC statistics
Error data

Network Monitor Driver

Detects many forms of network traffic
Captures packets and frames for analysis and reporting by Network Monitor

Using Microsoft Network Monitor

Start from the Administrative Tools menu
Four panes of information:
Graph
Total Statistics
Session Statistics
Station Statistics
View captured information

Using Microsoft Network Monitor

Network Monitor Panes

Pane                 Information Provided in Pane
Graph                Provides bar graphs for %Network Utilization, Frames Per Second, Bytes Per Second, Broadcasts Per Second, and Multicasts Per Second
Total Statistics     Provides total statistics about network activity that originates from or is sent to the computer (station) using Network Monitor; includes statistics for Network Statistics, Captured Statistics, Per Second Statistics, Network Card (MAC) Statistics, and Network Card (MAC) Error Statistics
Session Statistics   Provides statistics about traffic from other computers on the network: MAC (device) address of each computer's NIC and data about the number of frames sent from and received by each computer
Station Statistics   Provides total statistics on all communicating network stations: Network (device) address of each communicating computer, Frames Sent, Frames Received, Bytes Sent, Bytes Received, Directed Frames Sent, Multicasts Sent, and Broadcasts Sent

Viewing Capture Summary Data


Creating a Filter in Network Monitor

Two property types:
Service Access Point (SAP)
Ethertype (ETYPE)
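What a SAP or ETYPE filter actually tests is the type/length field of the Ethernet header and, for 802.3 frames, the DSAP byte of the 802.2 LLC header that follows it. The parser below is an added example, not code from the textbook or from Microsoft Network Monitor: the frames are constructed here, and the builder and filter function names are assumptions made for illustration; the field layout follows Ethernet II and IEEE 802.3/802.2.

```python
"""Ethernet frame classification by EtherType (ETYPE) and 802.2 Service Access
Point (SAP), the two property types a Network Monitor capture filter can test.

Added example, not code from the textbook or from Microsoft Network Monitor:
the frames are constructed here, and the builder/parse function names are
illustrative assumptions. The field layout follows Ethernet II and IEEE 802.3/802.2.
"""
import struct
from typing import Iterable, List, NamedTuple, Optional

ETYPE_IPV4, ETYPE_ARP, ETYPE_APPLETALK = 0x0800, 0x0806, 0x809B
SAP_NETBIOS, SAP_IPX, SAP_SNAP = 0xF0, 0xE0, 0xAA


class Frame(NamedTuple):
    dst: str
    src: str
    encapsulation: str         # "Ethernet II", "802.3/LLC" or "802.3/SNAP"
    etype: Optional[int]       # EtherType, when the frame carries one
    sap: Optional[int]         # DSAP, for 802.3 frames with an LLC header
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ethernet_ii(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", etype) + payload


def build_802_3_llc(dst: bytes, src: bytes, dsap: int, ssap: int, payload: bytes) -> bytes:
    """802.3 length field, then an 802.2 LLC header (DSAP, SSAP, control=0x03 UI)."""
    body = bytes([dsap, ssap, 0x03]) + payload
    return dst + src + struct.pack("!H", len(body)) + body


def build_802_3_snap(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    """LLC with DSAP/SSAP 0xAA, then SNAP: 3-byte OUI (00:00:00) + EtherType."""
    body = bytes([SAP_SNAP, SAP_SNAP, 0x03]) + b"\x00\x00\x00" + struct.pack("!H", etype) + payload
    return dst + src + struct.pack("!H", len(body)) + body


def parse_frame(raw: bytes) -> Frame:
    """The type/length field decides the encapsulation: values >= 0x0600 are
    EtherTypes (Ethernet II); smaller values are 802.3 lengths, and an LLC
    header with SAPs follows. SAP 0xAA/0xAA means a SNAP header carries an
    EtherType after all."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(raw[:6]), _mac(raw[6:12])
    type_or_len = struct.unpack("!H", raw[12:14])[0]
    if type_or_len >= 0x0600:
        return Frame(dst, src, "Ethernet II", type_or_len, None, raw[14:])
    body = raw[14:14 + type_or_len]
    if len(body) < 3:
        raise ValueError("802.3 frame without an LLC header")
    dsap, ssap = body[0], body[1]
    if dsap == SAP_SNAP and ssap == SAP_SNAP and len(body) >= 8:
        etype = struct.unpack("!H", body[6:8])[0]
        return Frame(dst, src, "802.3/SNAP", etype, dsap, body[8:])
    return Frame(dst, src, "802.3/LLC", None, dsap, body[3:])


def capture_filter(frames: Iterable[bytes], etypes: Iterable[int] = (), saps: Iterable[int] = ()) -> List[Frame]:
    """Keep frames whose EtherType is in `etypes` or whose DSAP is in `saps`
    (OR semantics, as when both property types are enabled in a filter)."""
    etypes, saps = set(etypes), set(saps)
    return [f for f in map(parse_frame, frames) if f.etype in etypes or f.sap in saps]


SRV = bytes.fromhex("00c04f112233")      # constructed MAC addresses
WKS = bytes.fromhex("0050da445566")
SAMPLE_FRAMES = [                        # constructed traffic, not a real capture
    build_ethernet_ii(SRV, WKS, ETYPE_IPV4, b"\x45\x00" + b"\x00" * 18),
    build_ethernet_ii(b"\xff" * 6, WKS, ETYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    build_802_3_llc(SRV, WKS, SAP_NETBIOS, SAP_NETBIOS, b"NetBIOS name query"),
    build_802_3_llc(SRV, WKS, SAP_IPX, SAP_IPX, b"IPX SAP request"),
    build_802_3_snap(SRV, WKS, ETYPE_APPLETALK, b"DDP"),
]
```

A filter on ETYPE alone never sees raw 802.3 traffic such as NetBIOS or IPX over LLC, and a filter on SAP alone never sees IP or ARP; the sample above contains both kinds so the difference is visible when you run capture_filter with one property type or the other.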


Using Capture Trigger

Software performs a specific function when a predefined situation occurs

Using Network Monitor to Set Baselines

From the Graph pane:
% Network Utilization
Frames Per Second
Broadcasts Per Second
Multicasts Per Second

Summary

Creating baselines to help quickly identify when an attack is occurring
Intrusion-detection methods:
Employed through an operating system
Third-party software
Using auditing and logging tools to track intrusion events

Summary (Continued)

Monitoring user activities:
GUI-based Computer Management tool in Windows 2000/XP/2003
who command in Red Hat Linux and Mac OS X
Network monitoring with Microsoft Network Monitor

Operating System
Security

Lesson 1:
Security Principles

Objectives

Explain the need for security in Linux and Windows 2000 environments
Describe industry evaluation criteria used for security
Identify the guidelines for determining the three general security levels
Discuss the security mechanisms used to implement security systems

Objectives (cont'd)

Identify the different areas of security management
Describe Windows 2000 and Linux out-of-the-box security measures
Implement tools to evaluate key security parameters in Windows 2000 and Linux
Describe security components in the Windows 2000 security architecture

Security
Services

Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation

Evaluation
Criteria

European Information Technology Security Evaluation Criteria (ITSEC)
BS 7799 (British Standard code of practice for information security management)
Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book")
Common Criteria

Security Levels

Low
Medium
High

Security
Mechanisms

Specific
- Encipherment
- Digital signature
- Access control
- Data integrity
- Authentication
- Traffic padding

Wide (pervasive)
- Trusted functionality
- Security labels
- Audit trails
- Security recovery

Windows 2000
Security

Exploits
Windows 2000 registry

Windows 2000
Security Architecture

Windows 2000 security components
- C2 certification
Windows 2000 objects
Security components
- SIDs
- Access tokens
- Security descriptors
- Access control lists and access control entries (ACEs)
Security subsystem

Linux
Security

Configuration problems
- Misconfigured authentication settings
- Unnecessary services
- Default account policies
- Non-root user access to sensitive
commands

Pluggable
Authentication Modules

Editing PAM files


PAM directories
PAM entry format
Telnet access and the root account

Summary

Explain the need for security in Linux and Windows 2000 environments
Describe industry evaluation criteria used for security
Identify the guidelines for determining the three general security levels
Discuss the security mechanisms used to implement security systems

Summary (cont'd)

Identify the different areas of security management
Describe Windows 2000 and Linux out-of-the-box security measures
Implement tools to evaluate key security parameters in Windows 2000 and Linux
Describe security components in the Windows 2000 security architecture

Lesson 2:
Account Security

Objectives

Describe the relationship between account security and passwords
Explain techniques for securing accounts in Windows 2000 and Linux
Prune users, detect account changes, rename default accounts, and implement password policies in Windows 2000 and Linux

Objectives (cont'd)

Identify Linux commands for password aging and explain how to log unsuccessful logon attempts
Explain Linux security threats, restrict account access, and monitor accounts

Passwords

Windows 2000 and strong passwords
- Enforcing strong passwords
- Dictionary attacks
Linux and strong passwords
- Shadow passwords
- The root account

Verifying
System State

Cross-referencing information on non-domain controllers
Built-in and external tools
Renaming default accounts
Windows 2000 account policies
Password lockout

Password
Aging in Linux

Linux command options
Timing out users
Monitoring accounts
System-wide event logging facility

Summary

Describe the relationship between account security and passwords
Explain techniques for securing accounts in Windows 2000 and Linux
Prune users, detect account changes, rename default accounts, and implement password policies in Windows 2000 and Linux

Summary (cont'd)

Identify Linux commands for password aging and explain how to log unsuccessful logon attempts
Explain Linux security threats, restrict account access, and monitor accounts

Lesson 3:
File System
Security

Objectives

Identify the Windows 2000 file-level permissions
Assign NTFS permissions
Explain the importance of drive partitioning and how it relates to security
Describe how copying and moving a file affect file security
Identify remote file access control permissions

Objectives (cont'd)

Describe Linux file system security concepts
Explain the function of the umask command
Discuss the purpose of setuid, setgid, and sticky bits

Windows 2000
File System Security

File-level permissions
Standard Windows 2000 permissions
Drive partitioning
Copying and moving files

Remote File
Access Control

Remote access permissions
- Full Control
- Modify
- Read & Execute
- No Access
Share permissions

Linux
File System Security

Files
File information
Permissions
The umask command
The chmod command
UIDs and GIDs
The set bits: setuid, setgid and sticky
bits
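The umask, symbolic chmod, and the setuid, setgid and sticky bits are all arithmetic on the same 12 permission bits. The functions below work through that arithmetic and finish with the combinations a permissions audit looks for; this is an added example, not code from the course material or from coreutils, and the function names are assumptions made for illustration (the bit values come from <sys/stat.h> via Python's stat module).

```python
"""Linux file-mode arithmetic: the umask, symbolic chmod, and the setuid,
setgid and sticky bits, with a check for the combinations an auditor
looks for.

Added example, not code from the course material or from coreutils: the
function names are illustrative assumptions; the bit values are the standard
ones from <sys/stat.h> (via Python's stat module).
"""
import re
import stat
from typing import List

_SHIFT = {"u": 6, "g": 3, "o": 0}
_RWX = {"r": 4, "w": 2, "x": 1}
_SPECIAL = {("u", "s"): stat.S_ISUID, ("g", "s"): stat.S_ISGID}
_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxst]*)$")


def effective_mode(requested: int, umask: int) -> int:
    """What a new file or directory gets: the bits the program asked for
    (0o666 for files, 0o777 for directories) minus those the umask forbids."""
    return requested & ~umask & 0o7777


def symbolic(mode: int) -> str:
    """Render the permission bits the way ls -l does, e.g. 0o4755 -> rwsr-xr-x.
    A lowercase s/t means the special bit sits on an executable slot; uppercase
    (S/T) marks a special bit set without the matching execute bit."""
    out = []
    for who in "ugo":
        for perm, val in _RWX.items():
            out.append(perm if mode & (val << _SHIFT[who]) else "-")
    if mode & stat.S_ISUID:
        out[2] = "s" if out[2] == "x" else "S"
    if mode & stat.S_ISGID:
        out[5] = "s" if out[5] == "x" else "S"
    if mode & stat.S_ISVTX:
        out[8] = "t" if out[8] == "x" else "T"
    return "".join(out)


def apply_chmod(mode: int, spec: str) -> int:
    """Apply a symbolic chmod specification such as 'u+s', 'go-w', 'o=rx' or
    'a+x,o-w'. For '=' only the rwx bits of the named classes are replaced."""
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        who = "ugo" if who in ("", "a") else who
        bits = 0
        for w in who:
            for p in perms:
                if p in _RWX:
                    bits |= _RWX[p] << _SHIFT[w]
                elif p == "s" and (w, p) in _SPECIAL:
                    bits |= _SPECIAL[(w, p)]
                elif p == "t":
                    bits |= stat.S_ISVTX
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            clear = 0
            for w in who:
                clear |= 0o7 << _SHIFT[w]
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def audit(mode: int, is_dir: bool) -> List[str]:
    """Flag the settings a permissions audit looks for on a path."""
    findings = []
    if mode & 0o002 and not (is_dir and mode & stat.S_ISVTX):
        findings.append("world-writable")      # a sticky directory like /tmp is the accepted exception
    if mode & stat.S_ISUID:
        findings.append("setuid")              # runs with the owner's UID: audit who owns it and what it does
    if mode & stat.S_ISGID and not is_dir:
        findings.append("setgid")              # on directories setgid only controls group inheritance
    return findings
```

A umask of 0o022 turns a requested 0o666 into 0o644, which is why a newly created file is group- and world-readable but writable only by its owner; a stricter 0o077 yields 0o600. The audit function reflects the usual review rule: world-writable files, and setuid or setgid programs, each need a documented reason to exist.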

Summary

Identify the Windows 2000 file-level permissions
Assign NTFS permissions
Explain the importance of drive partitioning and how it relates to security
Describe how copying and moving a file affect file security
Identify remote file access control permissions

Summary (cont'd)

Describe Linux file system security concepts
Explain the function of the umask command
Discuss the purpose of setuid, setgid, and sticky bits

Lesson 4:
Assessing Risk

Objectives

Identify general and specific operating system attacks
Describe a keylogger program's function
Change Windows 2000 system defaults
Scan a system to determine security risks
Explain Linux security concerns

Security
Threats

Accidental threats
Intentional threats
- Passive threats
- Active threats

Types of
Attacks

Spoofing/masquerade
Replay
Denial of service
Insider
Trapdoor
Trojan horses

Windows 2000
Security Risks

Default directories
Default accounts
Default shares and services

General UNIX
Security Vulnerabilities

Viruses
Buffer overflows

Keyloggers

Invisible KeyLogger Stealth and Windows 2000
Keylogging and securing the Linux search path
Protecting yourself against keyloggers

System
Port Scanning

Advanced security scanners
- WebTrends Security Analyzer

UNIX
Security Risks

The rlogin command


- Interactive sessions: Telnet vs. rlogin
Network Information System (NIS)
Network File System (NFS)

NIS
Security Concerns

NIS security problems


- No authentication requirements
- Contacting server by broadcast
- Plain-text distribution
- Encryption and authentication
- Portmapper processes and
TCPWrappers
- The securenets file
NIS+

NFS
Security Concerns

Users, groups and NFS


Secure RPC
NFS security summary

Summary
Identify general and specific operating
system attacks

Describe a keylogger programs function


Change Windows 2000 system defaults
Scan a system to determine security risks
Explain Linux security concerns

Lesson 5: Reducing Risk

Objectives

Explain the purpose and importance of system patches and fixes, and apply system patches
Modify the Windows 2000 Registry for security
Lock down and remove services for effective security in Windows 2000 and Linux

Patches and Fixes

Microsoft service packs
Red Hat Linux errata

Windows 2000 Registry Security

Registry structure
- Subtrees and their uses
Auditing the registry
Setting registry permissions

Disabling and Removing Services in Windows 2000

Securing network connectivity
Server Message Block
Miscellaneous configuration changes

Disabling and Removing Services in UNIX

Bastille
- The tarball format
- Downloading and installing Bastille
- Running Bastille in text mode

Summary

Explain the purpose and importance of system patches and fixes, and apply system patches
Modify the Windows 2000 Registry for security
Lock down and remove services for effective security in Windows 2000 and Linux

Operating System Security

Security Principles
Account Security
File System Security
Assessing Risk
Reducing Risk
Operating System Security

Lesson 1: Security Principles

Objectives

Explain the need for security in Linux and Windows 2000 environments
Describe industry evaluation criteria used for security
Identify the guidelines for determining the three general security levels
Discuss the security mechanisms used to implement security systems

Objectives (cont'd)

Identify the different areas of security management
Describe Windows 2000 and Linux out-of-the-box security measures
Implement tools to evaluate key security parameters in Windows 2000 and Linux
Describe security components in the Windows 2000 security architecture

Security Services

Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation

Evaluation Criteria

European Information Technology Security Evaluation Criteria document BS 7799
Trusted Computer Systems Evaluation Criteria
Common Criteria

Security Levels

Low
Medium
High

Security Mechanisms

Specific
- Encipherment
- Digital signature
- Access control
- Data integrity
- Authentication
- Traffic padding

Wide
- Trusted functionality
- Security labels
- Audit trails
- Security recovery

Windows 2000 Security

Exploits
Windows 2000 registry

Windows 2000 Security Architecture

Windows 2000 security components
- C2 certification
Windows 2000 objects
Security components
- SIDs
- Access tokens
- Security descriptors
- Access control lists and entities
Security subsystem

Linux Security

Configuration problems
- Misconfigured authentication settings
- Unnecessary services
- Default account policies
- Non-root user access to sensitive commands

Pluggable Authentication Modules

Editing PAM files
PAM directories
PAM entry format
Telnet access and the root account

Summary

Explain the need for security in Linux and Windows 2000 environments
Describe industry evaluation criteria used for security
Identify the guidelines for determining the three general security levels
Discuss the security mechanisms used to implement security systems

Summary (cont'd)

Identify the different areas of security management
Describe Windows 2000 and Linux out-of-the-box security measures
Implement tools to evaluate key security parameters in Windows 2000 and Linux
Describe security components in the Windows 2000 security architecture

Lesson 2: Account Security

Objectives

Describe the relationship between account security and passwords
Explain techniques for securing accounts in Windows 2000 and Linux
Prune users, detect account changes, rename default accounts, and implement password policies in Windows 2000 and Linux

Objectives (cont'd)

Identify Linux commands for password aging and explain how to log unsuccessful logon attempts
Explain Linux security threats, restrict account access, and monitor accounts

Passwords

Windows 2000 and strong passwords
- Enforcing strong passwords
- Dictionary attacks
Linux and strong passwords
- Shadow passwords
- The root account

Verifying System State

Cross-referencing information on non-domain controllers
Built-in and external tools
Renaming default accounts
Windows 2000 account policies
Password lockout

Password Aging in Linux

Linux command options
Timing out users
Monitoring accounts
System-wide event logging facility

Summary

Describe the relationship between account security and passwords
Explain techniques for securing accounts in Windows 2000 and Linux
Prune users, detect account changes, rename default accounts, and implement password policies in Windows 2000 and Linux

Summary (cont'd)

Identify Linux commands for password aging and explain how to log unsuccessful logon attempts
Explain Linux security threats, restrict account access, and monitor accounts
01/08/13

An Illustrated Guide to IPsec

Steve Friedl's Unixwiz.net Tech Tips


An Illustrated Guide to IPsec
IPsec is a suite of protocols for securing network connections, but the
details and many variations quickly become overwhelming. This is
particularly the case when trying to interoperate between disparate
systems, causing more than one engineer to just mindlessly turn the knobs
when attempting to bring up a new connection.
Table of Contents
1. So many flavors...
2. The IP Datagram
3. AH: Authentication only
4. ESP: Encapsulating Security Payload
5. Building a real VPN
6. Other Matters

This Tech Tip means to give bottom-up coverage of the low-level protocols used in an IPv4 context (we provide no coverage of IPv6). This is not a deployment guide or best-practices document; we're looking at it strictly from the protocol level on up, rather than from the big picture on down.
NOTE: originally this was to be a pair of papers, with the second covering Key Exchange and the like, but it appears that this was not meant to be. Sorry.

So many flavors...
One of the first things that one notices when trying to set up IPsec is that there
are so many knobs and settings: even a pair of entirely standards-conforming
implementations sports a bewildering number of ways to impede a successful
connection. It's just an astonishingly-complex suite of protocols.
One cause of the complexity is that IPsec provides mechanism, not policy: rather
than define such-and-such encryption algorithm or a certain authentication
function, it provides a framework that allows an implementation to provide nearly
anything that both ends agree upon.
In this section, we'll touch on some of the items in the form of a glossary, with a
compare-and-contrast to show which terms relate to which other terms. This is
not even remotely complete.
AH versus ESP
"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP) are
the two main wire-level protocols used by IPsec, and they authenticate (AH)
and encrypt+authenticate (ESP) the data flowing over that connection. They
are typically used independently, though it's possible (but uncommon) to use
them both together.
Tunnel mode versus Transport mode
Transport Mode provides a secure connection between two endpoints as it encapsulates IP's
payload, while Tunnel Mode encapsulates the entire IP packet to provide a virtual "secure hop"
between two gateways. The latter is used to form a traditional VPN, where the tunnel generally
creates a secure tunnel across an untrusted Internet.
MD5 versus SHA-1 versus DES versus 3DES versus AES versus blah blah blah
Setting up an IPsec connection involves all kinds of crypto choices, but this is simplified
substantially by the fact that any given connection can use at most two or (rarely) three at a
time.
unixwiz.net/techtips/iguide-ipsec.html

1/18

Authentication calculates an Integrity Check Value (ICV) over the packet's contents, and it's
usually built on top of a cryptographic hash such as MD5 or SHA-1. It incorporates a secret key
known to both ends, and this allows the recipient to compute the ICV in the same way. If the
recipient gets the same value, the sender has effectively authenticated itself (relying on the
property that cryptographic hashes can't practically be reversed). AH always provides
authentication, and ESP does so optionally.
Encryption uses a secret key to encrypt the data before transmission, and this hides the actual
contents of the packet from eavesdroppers. There are quite a few choices for algorithms here,
with DES, 3DES, Blowfish and AES being common. Others are possible too.
IKE versus manual keys
Since both sides of the conversation need to know the secret values used in hashing or
encryption, there is the question of just how this data is exchanged. Manual keys require manual
entry of the secret values on both ends, presumably conveyed by some out-of-band mechanism,
and IKE (Internet Key Exchange) is a sophisticated mechanism for doing this online.
Main mode versus aggressive mode
These modes control an efficiency-versus-security tradeoff during initial IKE key exchange. "Main
mode" requires six packets back and forth, but affords complete security during the establishment
of an IPsec connection, while Aggressive mode uses half the exchanges providing a bit less
security because some information is transmitted in cleartext.
We'll certainly face more options as we unwrap IPsec.

The IP Datagram
Since we're looking at IPsec from the bottom up, we must first take a brief detour to revisit the IP Header itself, which carries all of the traffic we'll be considering. Note that we are not trying to provide comprehensive coverage of the IP header; there are other excellent resources for that (the best being TCP/IP Illustrated, vol 1).
ver
This is the version of the protocol, which is now 4 = IPv4.
hlen
IP Header length, as a four-bit number of 32-bit words ranging from 0..15. A standard IPv4 header is always 20 bytes long (5 words), and IP Options, if any, are indicated by a larger hlen field, up to at most 60 bytes. This header length never includes the size of the payload or other headers that follow.
TOS
Type of Service. This field is a bitmask that gives some clues as to the type of service this datagram should receive: optimize for bandwidth? Latency? Low cost? Reliability?
pkt len
Overall packet length in bytes, up to 65535. This count includes the bytes of the header, so the maximum size of any payload is at least 20 bytes less. The vast majority of IP datagrams are much, much smaller.
ID
The ID field is used to associate related packets that have been fragmented (large packets broken
up into smaller ones).
flgs
These are small flags that mainly control fragmentation: one marks the packet as ineligible for
fragmentation, and the other says that more fragments follow.
frag offset
When a packet is fragmented, this shows where in the overall "virtual" packet this fragment
belongs.
TTL
This is the Time to Live, and is decremented by each router that passes this packet. When the
value reaches zero, it suggests some kind of routing loop, so it's discarded to prevent it from
running around the Internet forever.
proto
This represents the protocol carried within this packet, and it's going to be central to most of our discussions. Though the datagram itself is IP, it always encapsulates a subsidiary protocol (TCP, UDP, ICMP, etc.; see the chart below) within. It can be thought of as giving the type of the header that follows.
header cksum
This holds a checksum of the entire IP header, and it's designed to detect errors in transit. This is not a cryptographic checksum, and it doesn't cover any part of the datagram that follows the IP header.
src IP address
The 32-bit source IP address, which the recipient uses to reply to this datagram. Generally
speaking, it's possible to spoof these addresses (i.e., lie about where the datagram is coming
from).
dst IP address
The 32-bit destination IP address, which is where the packet is intended to arrive.
IP Options
These are an optional part of the IP header that contains application-specific information, though
they are not commonly used for routine traffic. The presence of IP options is indicated by a hlen
greater than 5, and they (if present) are included in the header checksum.
Payload
Each protocol type implies its own format for what follows the IP header, and we've used TCP here
just to show an example.
These proto codes are defined by IANA (the Internet Assigned Numbers Authority), and there are many more than would ever be used by any single installation, but most will ring a bell with a network-savvy technician. These representative types are taken from the IANA website listing protocols:

Some IP protocol codes

  Protocol code   Protocol description
  1               ICMP  Internet Control Message Protocol
  2               IGMP  Internet Group Management Protocol
  4               IP within IP (a kind of encapsulation)
  6               TCP   Transmission Control Protocol
  17              UDP   User Datagram Protocol
  41              IPv6  next-generation TCP/IP
  47              GRE   Generic Router Encapsulation (used by PPTP)
  50              IPsec: ESP  Encapsulating Security Payload
  51              IPsec: AH   Authentication Header

We'll be studying the last two in detail.
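As an added example (my own code, not part of Friedl's article), here is a small Python parser and builder for the IPv4 header just described. It pulls out every field in the list above, verifies the header checksum (which covers the header only, never the payload), maps the proto code through the table, and includes a `forward_hop` function modelling what each router does to the TTL and checksum; that in-flight modification is what AH has to work around later. The sample packets and addresses are constructed inline.

```python
import struct
from ipaddress import IPv4Address

# Protocol codes from the IANA table above (the ones this article cares about).
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
               41: "IPv6", 47: "GRE", 50: "ESP", 51: "AH"}

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/hlen, TOS, pkt len, ID, flags+frag, TTL, proto, cksum, src, dst


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Running it over a header whose checksum field is already filled in yields 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 datagram into its header fields, options and payload."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_hlen, tos, pkt_len, ident, flags_frag,
     ttl, proto, _cksum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, hlen = ver_hlen >> 4, (ver_hlen & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if hlen < 20 or hlen > pkt_len or pkt_len > len(packet):
        raise ValueError("inconsistent hlen / pkt len")
    header = packet[:hlen]
    return {
        "version": version,
        "hlen": hlen,
        "tos": tos,
        "pkt_len": pkt_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "other"),
        "checksum_ok": ip_checksum(header) == 0,    # header only; payload is not covered
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": header[20:],                     # non-empty only when hlen > 20
        "payload": packet[hlen:pkt_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, options: bytes = b"", ident: int = 0x1234) -> bytes:
    """Assemble a datagram with a correct header checksum (DF set, not fragmented)."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to a 32-bit boundary")
    hlen = 20 + len(options)
    header = struct.pack(IPV4_FMT, (4 << 4) | (hlen // 4), 0, hlen + len(payload), ident,
                         0x4000, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed) + options
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def forward_hop(packet: bytes) -> bytes:
    """What every router does: decrement TTL and recompute the header checksum.
    Both fields therefore change legitimately in flight."""
    hlen = (packet[0] & 0x0F) * 4
    header = bytearray(packet[:hlen])
    if header[8] <= 1:
        raise ValueError("TTL would reach zero; a router discards the packet")
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    return bytes(header) + packet[hlen:]
```

`parse_ipv4` deliberately reports `checksum_ok` instead of raising, so a capture-analysis loop can count corrupted headers rather than stop at the first one.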

AH: Authentication Only

AH is used to authenticate but not encrypt IP traffic, and this serves the treble purpose of ensuring that we're really talking to who we think we are, detecting alteration of data while in transit, and (optionally) guarding against replay by attackers who capture data from the wire and attempt to re-inject that data back onto the wire at a later date.
Authentication is performed by computing a cryptographic hash-based message authentication code over nearly all the fields of the IP packet (excluding those which might be modified in transit, such as TTL or the header checksum); the result is stored in a newly added AH header and sent to the other end.
This AH header contains just five interesting fields, and it's
injected between the original IP header and the payload. We'll
touch on each of the fields here, though their utility may not be
fully apparent until we see how they're used in the larger picture.
next hdr
This identifies the protocol type of the following payload, and
it's the original packet type being encapsulated: this is how
the IPsec header(s) are linked together.
AH len
This defines the length, in 32-bit words, of the whole AH
header, minus two words (this "minus two words" proviso
springs from the format of IPv6's RFC 1883 Extension Headers, of which AH is one).
Reserved
This field is reserved for future use and must be zero.
Security Parameters Index
This is an opaque 32-bit identifier that helps the recipient select which of possibly many ongoing conversations this packet applies to. Each AH-protected connection implies a hash algorithm (MD5, SHA-1, etc.), some kind of secret data, and a host of other parameters. The SPI can be thought of as an index into a table of these settings, allowing for easy association of packet with parameters.
Sequence Number
This is a monotonically increasing identifier that's used to assist in anti-replay protection. This value is included in the authentication data, so modifications (intentional or otherwise) are detected.
Authentication Data
This is the Integrity Check Value calculated over the entire packet, including most of the headers. The recipient recomputes the same hash; mismatched values mark the packet as either damaged in transit or not having the proper secret key, and such packets are discarded.

Transport Mode
The easiest mode to understand is Transport Mode, which is used to protect an end-to-end
conversation between two hosts. This protection is either authentication or encryption (or both), but it
is not a tunneling protocol. It has nothing to do with a traditional VPN: it's simply a secured IP
connection.

In AH Transport Mode, the IP packet is modified only slightly to include the new AH header between the
IP header and the protocol payload (TCP, UDP, etc.), and there is a shuffling of the protocol code that
links the various headers together.
This protocol shuffling is required to allow the original IP packet to be reconstituted at the other end:
after the IPsec headers have been validated upon receipt, they're stripped off, and the original protocol
type (TCP, UDP, etc.) is stored back in the IP header. We'll see this chain of next header fields again
and again as we examine IPsec.
When the packet arrives at its destination and passes the authentication check, the AH header is
removed and the Proto=AH field in the IP header is replaced with the saved "Next Protocol". This puts
the IP datagram back to its original state, and it can be delivered to the waiting process.

Tunnel Mode
Tunnel Mode forms the more familiar VPN functionality, where entire IP packets are encapsulated inside
another and delivered to the destination.
Like Transport mode, the packet is sealed with an Integrity Check Value to authenticate the sender
and to prevent modification in transit. But unlike Transport mode, it encapsulates the full IP header as
well as the payload, and this allows the source and destination addresses to be different from those of
the encompassing packet: This allows formation of a tunnel.

When a Tunnel-mode packet arrives at its destination, it goes through the same authentication check
as any AH-type packet, and those passing the check have their entire IP and AH headers stripped off.
This effectively reconstitutes the original IP datagram, which is then injected into the usual routing
process.
Most implementations treat the Tunnel-mode endpoint as a virtual network interface (just like an Ethernet interface or localhost), and the traffic entering or leaving it is subject to all the ordinary routing decisions.
The reconstituted packet could be delivered to the local machine or routed elsewhere (according to the destination IP address found in the encapsulated packet), though in any case it is no longer subject to the protections of IPsec. At this point, it's just a regular IP datagram.
Though Transport mode is used strictly to secure an end-to-end connection between two computers,
Tunnel mode is more typically used between gateways (routers, firewalls, or standalone VPN devices)
to provide a Virtual Private Network (VPN).

Transport or Tunnel?
Curiously, there is no explicit "Mode" field in IPsec: what distinguishes Transport mode from Tunnel mode is the next header field in the AH header.
When the next-header value is IP, it means that this packet encapsulates an entire IP datagram (including the independent source and destination IP addresses that allow separate routing after de-encapsulation). This is Tunnel mode.
Any other value (TCP, UDP, ICMP, etc.) means that it's Transport mode and is securing an endpoint-to-endpoint connection.
The top level of the IP datagram is structured the same way regardless of mode, and intermediate routers treat all flavors of IPsec/AH traffic identically without deeper inspection.
We'll note that a host (as opposed to a gateway) is required to support both Transport and Tunnel modes, but when creating a host-to-host connection, it seems a little superfluous to use Tunnel mode. Furthermore, a gateway (router, firewall, etc.) is only required to support Tunnel mode, though supporting Transport mode is useful only when creating an endpoint to the gateway itself, as in the case of network management functions.

Authentication Algorithms
AH carries an Integrity Check Value in the Authentication Data portion of the header, and it's typically
(but not always) built on top of standard cryptographic hash algorithms such as MD5 or SHA-1.
Rather than use a straight checksum, which would provide no real security against intentional
tampering, it uses a Hashed Message Authentication Code (HMAC) which incorporates a secret value
while creating the ICV. Though an attacker can easily recompute a hash, without the secret value he
won't be able to recreate the proper ICV.
HMAC is described by RFC 2104, and this illustration shows how the message data and secret
contribute to the final Integrity Check Value:

We'll note that IPsec/AH doesn't define what the authentication function must be; it instead provides a framework that allows both ends to use any reasonable implementation they agree on. It's possible to use other authentication functions, such as a digital signature or an encryption function, as long as both sides provide for it.

AH and NAT: Not Gonna Happen

Though AH provides very strong protection of a packet's contents because it covers everything that can possibly be considered immutable, this protection comes at a cost: AH is incompatible with NAT (Network Address Translation).
NAT is used to map a range of private addresses (say, 192.168.1.X) to and from a (usually) smaller set of public addresses, thereby reducing the demand for routable, public IP space. In this process, the IP header is actually modified on the fly by the NAT device to change the source and/or destination IP address.
When the source or destination IP address is changed, it forces a recalculation of the header checksum. This has to be done anyway, because the NAT device typically serves as one "hop" in the path from source to destination, and this requires the decrement of the TTL (Time To Live) field.
Because the TTL and header checksum fields are always modified in flight, AH knows to exclude them from coverage, but this does not apply to the IP addresses. These are included in the Integrity Check Value, and any modification will cause the check to fail when verified by the recipient. Because the ICV incorporates a secret key which is unknown to intermediate parties, the NAT router is not able to recompute the ICV.
This same difficulty also applies to PAT (Port Address Translation), which maps multiple private IP addresses into a single external IP address. Not only are the IP addresses modified on the fly, but so are the UDP and TCP port numbers (and sometimes even the payload).
This requires much more intelligence on the part of the NAT device, and more extensive modifications to the whole IP datagram.
For this reason, AH, whether in Tunnel or Transport mode, is entirely incompatible with NAT, and it may only be employed when the source and destination networks are reachable without translation.
We'll note that this particular difficulty doesn't apply to ESP, as its authentication and encryption do not incorporate the IP header being modified by NAT. Nevertheless, NAT does impose some challenges even on ESP.
NAT translates IP addresses on the fly, but it has to keep track of which connections are flowing through it so that replies can be properly associated with sources. When using TCP or UDP, this is commonly done with port numbers (whether rewritten on the fly or not), but IPsec provides no hook to allow this.
At first one might suspect the SPI, which appears to be a useful identifier, but because the SPI is different in both directions, the NAT device has no way to associate the returning packet with the outgoing connection.
Addressing this requires special facilities for NAT traversal, something not covered in this paper.

ESP: Encapsulating Security Payload

Adding encryption makes ESP a bit more complicated, because the encapsulation surrounds the payload rather than preceding it as with AH: ESP includes header and trailer fields to support the encryption and optional authentication. It also provides Tunnel and Transport modes, which are used in by-now familiar ways.
The IPsec RFCs don't insist upon any particular encryption algorithms, but we find DES, triple-DES, AES, and Blowfish in common use to shield the payload from prying eyes. The algorithm used for a particular connection is specified by the Security Association (covered in a later section), and this SA includes not only the algorithm, but the key used.
Unlike AH, which provides a small header before the payload, ESP surrounds the payload it's protecting. The Security Parameters Index and Sequence Number serve the same purpose as in AH, but we find padding, the next header, and the optional Authentication Data at the end, in the ESP Trailer.
It's possible to use ESP without any actual encryption (to use a NULL algorithm), which nonetheless structures the packet the same way. This provides no confidentiality, and it only makes sense if combined with ESP authentication. It's pointless to use ESP without either encryption or authentication (unless one is simply doing protocol testing).
Padding is provided to allow block-oriented encryption algorithms room for multiples of their block size, and the length of that padding is provided in the pad len field. The next hdr field gives the type (IP, TCP, UDP, etc.) of the payload in the usual way, though it can be thought of as pointing "backwards" into the packet rather than forward as we've seen in AH.
In addition to encryption, ESP can also optionally provide authentication, with the same HMAC as found in AH. Unlike AH, however, this authentication is only for the ESP header and encrypted payload: it does not cover the full IP packet. Surprisingly, this does not substantially weaken the security of the authentication, but it does provide some important benefits.
When an outsider examines an IP packet containing ESP data, it's essentially impossible to make any real guesses about what's inside, save for the usual data found in the IP header (particularly the source and destination IP addresses). The attacker will certainly know that it's ESP data (that's also in the header), but the type of the payload is encrypted with the payload.
Even the presence or absence of Authentication Data can't be determined by looking at the packet itself (this determination is made by using the Security Parameters Index to reference the preshared set of parameters and algorithms for this connection).
However, it should be noted that sometimes the envelope provides hints that the payload does not. With more people sending VoIP inside ESP over the Internet, the QoS taggings are in the outside header, and it is fairly obvious what traffic is VoIP signaling (IP precedence 3) and what is RTP traffic (IP precedence 5). It's not a sure thing, but it might be enough of a clue to matter in some circumstances.

ESP in Transport Mode

As with AH, Transport Mode encapsulates just the datagram's payload and is designed strictly for host-to-host communications. The original IP header is left in place (except for the shuffled Protocol field), which means that, among other things, the source and destination IP addresses are unchanged.

ESP in Tunnel Mode

Our final look at standalone ESP is in Tunnel mode, which encapsulates an entire IP datagram inside the encrypted shell:


Providing an encrypted Tunnel Mode connection is getting very close to the traditional VPN that springs
to mind when most of us think about IPsec, but we have to add authentication of one type or another
to complete the picture: this is covered in the following section.
Unlike AH, where an onlooker can easily tell whether traffic is in Tunnel or Transport mode, this
information is unavailable here: the fact that this is Tunnel mode (via next=IP) is part of the
encrypted payload, and is simply not visible to one unable to decrypt the packet.

Putting it all together: Building a real VPN


With coverage of the Authenticating Header and Encapsulating Security Payload complete, we're ready
to enable both encryption and authentication to build a real VPN. The whole purpose of a Virtual Private
Network is to join two trusted networks across an untrusted intermediate network, as if by stringing a
very long Ethernet cable between the two. This is commonly used to connect branch offices with
company headquarters, allowing all users to share sensitive resources without fear of interception.


Clearly, a secure VPN requires both authentication and encryption. We know that ESP is the only way
to provide encryption, but ESP and AH both can provide authentication: which one do we use?
The obvious solution of wrapping ESP inside of AH is technically possible, but in practice is not
commonly used because of AH's limitations with respect to Network Address Translation. By using
AH+ESP, this tunnel could never successfully traverse a NAT'ed device.
Instead, ESP+Auth is used in Tunnel mode to fully encapsulate the traffic on its way across an
untrusted network, protected by both encryption and authentication in the same thing.
Traffic protected in this manner yields nearly no useful information to an interloper save for the fact
that the two sites are connected by a VPN. This information might help an attacker understand trust
relationships, but nothing about the actual traffic itself is revealed. Even the type of encapsulated
protocol (TCP, UDP, or ICMP) is hidden from outsiders.
What's particularly nice about this mode of operation is that the end-user hosts generally know nothing
about the VPN or other security measures in place. Since a VPN implemented by a gateway device
treats the VPN as yet another interface, traffic destined for the other end is routed normally.
This packet-in-a-packet can actually be nested yet more levels: Host A and Host B can establish their
own authenticated connection (via AH), and have this routed over the VPN. This would put an AH inner
packet inside an enclosing ESP+Auth packet.
Update - it's important to use authentication even if encryption is used, because encrypt-only
implementations are subject to effective attack as described in the paper Cryptography in Theory and
Practice: The Case of Encryption in IPsec; see the Resources section for more information.


Touching on Other Matters


IPsec is a very complex suite of protocols, and this Tech Tip cannot possibly do justice to more than a
small part of it. In this section we'll mention a few areas that beg for more coverage.

Security Associations and the SPI


It seems self-evident that if two endpoints or gateways are going to establish a secure connection,
some kind of shared secret is required to seed the authentication function and/or key the encryption
algorithm. The matter of just how these secrets are established is a substantial topic to be
addressed elsewhere, and for the purposes of this discussion we shall just assume that the keys have
magically landed where they belong.
When an IPsec datagram (either AH or ESP) arrives at an interface, just how does the interface
know which set of parameters (key, algorithm, and policies) to use? Any host could have many ongoing
conversations, each with a different set of keys and algorithms, and something must be able to direct
this processing.
This is specified by the Security Association (SA), a collection of connection-specific parameters, and
each partner can have one or more Security Associations. When a datagram arrives, three pieces of
data are used to locate the correct SA inside the Security Associations Database (SADB):

Partner IP address
IPsec Protocol (ESP or AH)
Security Parameters Index

In many ways this triple can be likened to an IP socket, which is uniquely denoted by the remote IP
address, protocol, and port number.

Unsure! It's been pointed out that the SADB only uses the protocol type and SPI to select an entry,
not the partner IP address; we simply don't know. This might depend on whether the association is
configured with main mode or aggressive mode, but we welcome clarifications.

Security Associations are one way, so a two-way connection (the typical case) requires at least two.
Furthermore, each protocol (ESP/AH) has its own SA in each direction, so a full AH+ESP VPN requires
four Security Associations. These are all kept in the Security Associations Database.
A tremendous amount of information is kept in the SADB, and we can only touch on a few of the items:
AH: authentication algorithm
AH: authentication secret
ESP: encryption algorithm
ESP: encryption secret key
ESP: authentication enabled yes/no
Many key-exchange parameters
Routing restrictions
IP filtering policy
Some implementations maintain the SPD (Security Policy Database) with command-line tools, others
with a GUI, while others provide a web-based interface over the network. The amount of detail
maintained by any particular implementation depends on the facilities offered, as well as whether it's
operating in Host or Gateway mode (or both).
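As an added example (not code from the original guide), here is a small Python model of the SADB lookup by the triple described above, and of what a receiver can tell from an ESP packet before and after consulting the SA: only the SPI and sequence number are readable on the wire, and whether Authentication Data is present at all is known only from the SA. The SA field names (enc, auth, icv_len), the addresses and the packet bytes are constructed for illustration.

```python
import struct
from ipaddress import ip_address

def make_esp(spi, seq, body):
    """Build the bytes that follow the IP header of an ESP packet (constructed test input)."""
    return struct.pack("!II", spi, seq) + body

def parse_esp(raw):
    """The only fields an onlooker can read: SPI and sequence number. The rest is opaque."""
    if len(raw) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", raw[:8])
    return spi, seq, raw[8:]

class SADB:
    """Security Associations Database keyed by (partner IP, protocol, SPI), as the text describes."""
    def __init__(self):
        self._entries = {}

    def add(self, partner_ip, proto, spi, **params):
        key = (ip_address(partner_ip), proto, spi)
        if key in self._entries:
            raise ValueError(f"duplicate SA {key}")
        self._entries[key] = params

    def lookup(self, partner_ip, proto, spi):
        return self._entries.get((ip_address(partner_ip), proto, spi))

def classify_inbound_esp(sadb, src_ip, raw):
    """What a receiver learns from the wire alone versus only after consulting the SA."""
    spi, seq, rest = parse_esp(raw)
    sa = sadb.lookup(src_ip, "ESP", spi)
    if sa is None:      # unknown SA: drop; we cannot even tell whether an ICV is present
        return {"spi": spi, "seq": seq, "sa": None}
    icv_len = sa["icv_len"] if sa["auth"] else 0
    if len(rest) < icv_len:
        raise ValueError("packet shorter than the SA's ICV length")
    cut = len(rest) - icv_len
    return {"spi": spi, "seq": seq, "sa": sa, "ciphertext": rest[:cut],
            "icv": rest[cut:], "auth_present": icv_len > 0, "cipher": sa["enc"]}

def demo():
    """Constructed sample: one ESP+Auth SA and one encrypt-only SA from the same partner.
    The same 44 wire bytes split differently depending solely on which SA the SPI selects."""
    sadb = SADB()
    sadb.add("203.0.113.5", "ESP", 0x1001, enc="aes-cbc", auth=True, icv_len=12)
    sadb.add("203.0.113.5", "ESP", 0x1002, enc="aes-cbc", auth=False, icv_len=0)
    body = b"\x00" * 32 + b"\xaa" * 12          # constructed ciphertext (+ ICV for SA 0x1001)
    with_auth = classify_inbound_esp(sadb, "203.0.113.5", make_esp(0x1001, 7, body))
    no_auth = classify_inbound_esp(sadb, "203.0.113.5", make_esp(0x1002, 7, body))
    return with_auth, no_auth
```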

Key Management
Finally, we briefly visit the very complex matter of key management. This area includes several
protocols and many options, and the bulk of this will be covered in a future paper. This section is
necessarily highly incomplete.
IPsec would be nearly useless without the cryptographic facilities of authentication and encryption, and
these require the use of secret keys known to the participants but not to anyone else.
The most obvious and straightforward way to establish these secrets is via manual configuration: one
party generates a set of secrets, and conveys them to all the partners. All parties install these secrets
in their appropriate Security Associations in the SPD.
But this process does not scale well, nor is it always terribly secure: the mere act of conveying the
secrets to another site's SPD may well expose them in transit. In a larger installation with many devices
using the same preshared key, compromise of that key makes for a very disruptive re-deployment of
new keys.

IKE (Internet Key Exchange) exists to allow two endpoints to properly set up their Security
Associations, including the secrets to be used. IKE uses ISAKMP (Internet Security Association and Key
Management Protocol) as a framework to support establishment of a security association compatible
with both ends.
Several key-exchange protocols are supported, with Oakley being the most widely used.
We'll note that IPsec key exchange typically takes place over port 500/udp.

Resources
The Internet has a great many resources surrounding IPsec, some better than others. The starting
point, of course, is always with the RFCs (Requests for Comment) that form the Internet standards
defining the protocols. These are the main reference works upon which all other documentation
including this one is based.
Update: In December 2005, a whole new set of RFCs was issued by IETF, and the 43xx series largely
obsoleted the 24xx series. We included references to all the RFCs (old and new) below, though this
document has not really been updated for the new ones.
RFC 2401: Security Architecture for IPsec (obsolete)
RFC 4301: Security Architecture for IPsec (new, Dec 2005)
This is the overview of the entire IPsec protocol suite from the point of view of the RFCs. This,
and the Documentation Roadmap (RFC 2411), are good places to start.

RFC 2402: AH: Authentication Header (obsolete)
RFC 4302: AH: Authentication Header (new, Dec 2005)
This defines the format of the IPsec Authentication Header, in both Tunnel and Transport modes.

RFC 2403: Use of HMAC-MD5-96 within ESP and AH
RFC 2404: Use of HMAC-SHA-1-96 within ESP and AH
These two RFCs define authentication algorithms used in AH and ESP: MD5 and SHA-1 are both
cryptographic hashes, and they are part of a Hashed Message Authentication Code. AH always
performs authentication, while ESP does so optionally.

RFC 2104: HMAC: Keyed-Hashing for Message Authentication
This RFC defines the authentication algorithm that uses a cryptographic hash along with a secret
to verify the integrity and authenticity of a message. It's not written to be part of IPsec, but it's
referenced in RFC 2403 and RFC 2404.

RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
This defines the use of DES (the Data Encryption Standard) as a confidentiality algorithm in the
context of ESP.

RFC 2406: ESP: Encapsulating Security Payload (obsolete)
RFC 4303: ESP: Encapsulating Security Payload (new, Dec 2005)
ESP is the encrypting companion to AH, and it affords confidentiality to the contents of its
payload. ESP by itself does not define any particular encryption algorithms but provides a
framework for them.

RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
This RFC describes the use of ISAKMP (Internet Security Association and Key Management
Protocol) in the context of IPsec. It's a framework for key exchange at the start of a
conversation, and its use obviates the poor practice of using manual keys.

RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
Hand in hand with RFC 2407, this RFC dives into much more detail on the ISAKMP protocol used to
support key exchange (though it doesn't define the key exchange protocols themselves).

RFC 2409: The Internet Key Exchange (IKE) Protocol (obsolete)
RFC 4306: The Internet Key Exchange (IKE) Protocol (new, Dec 2005)
Though ISAKMP provides a framework for key exchange, it doesn't define the protocols
themselves: this RFC does that. IKE includes initial authentication, as well as Oakley key
exchange.

RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
IPsec's ESP protocol performs encryption of the payload using one of several available algorithms, but
a NULL encryption algorithm is typically made available for testing. Of course, this provides no
confidentiality for the "protected" data, but it may be useful for developers or those attempting to
understand IPsec by sniffing the wire. This RFC is written humorously and could have been (but
was not) written on April 1.

RFC 2411: IP Security Document Roadmap
This RFC provides a layout of the various IPsec-related RFCs, as well as a framework for
new RFCs of particular types ("authentication algorithms", "encryption algorithms"). It's a good
starting point.

RFC 2412: The OAKLEY Key Determination Protocol
OAKLEY forms part of IKE (Internet Key Exchange), and it provides a service where two
authenticated parties can agree on the secrets required for IPsec communications.

An Illustrated Guide to Cryptographic Hashes (Unixwiz.net Tech Tip)
An introductory paper on the use of cryptographic hashes such as MD5 or SHA-1, which are used
in AH's HMAC for authentication.

IPsec Technical Reference, by Microsoft
This provides information on Microsoft's implementation of IPsec in the Windows Server 2003
product, including a great deal about the larger infrastructure required to support IPsec in the
enterprise.

TCP/IP Illustrated, Volume 1, by W. Richard Stevens
This is the classic textbook on the TCP/IP protocol, covering down to the packet header in
exquisite detail: it is an extraordinary resource.

A Cryptographic Evaluation of IPsec, by Bruce Schneier and Niels Ferguson
An interesting paper on the security of IPsec, whose main point is that IPsec is far too complex to
ever really be secure (something which has crossed our minds as well). Among their proposals is
to eliminate both Transport Mode and AH: ESP in Tunnel mode can provide all this same
functionality.

RFC 3884: Use of IPsec Transport Mode for Dynamic Routing
In contrast to the Schneier paper, it's also been suggested that Transport Mode is the only one
that's strictly required to accomplish everything, and RFC 3884 shows a way of providing tunnel
mode. It's been suggested to us that this makes some implementation issues much easier, though
we've not really investigated any of it.

Cryptography in Theory and Practice: The Case of Encryption in IPsec, by Paterson & Yau
This very interesting paper discusses some of the dangers of encrypted but not authenticated
IPsec connections, with effective attacks on real systems (including the Linux kernel's
implementation of IPsec). It's a very clever paper.

Protocolo IPsec, by Alexandru Ionut Grama
This paper was translated into Spanish!
N.B. We are not IPsec experts, and though we've spent a great deal of time researching these
matters, we may have some details wrong. Feedback and corrections are very much welcome. We're
particularly grateful for the extensive technical feedback provided by IPsec architects at Sun and
Microsoft.
These original figures were produced by the author using Adobe Illustrator.
First published: 2005-08-24
Stephen J. Friedl, Software Consultant, Orange County, CA USA

Chapter 4
Authentication
Applications
Henric Johnson
Blekinge Institute of Technology,Sweden
http://www.its.bth.se/staff/hjo/
henric.johnson@bth.se
Henric Johnson

Outline

Security Concerns
Kerberos
X.509 Authentication Service
Recommended reading and Web Sites


Security Concerns
The key concerns are confidentiality and timeliness.
To provide confidentiality, identification and session key information must be encrypted,
which requires the use of previously shared private or public keys.
Timeliness is needed to prevent replay attacks; it is provided by using sequence numbers,
timestamps, or challenge/response.

KERBEROS

In Greek mythology, a many-headed dog, the guardian of the entrance of Hades.

KERBEROS
Users wish to access services on servers.
Three threats exist:
A user pretends to be another user.
A user alters the network address of a workstation.
A user eavesdrops on exchanges and uses a replay attack.

KERBEROS
Provides a centralized authentication
server to authenticate users to
servers and servers to users.
Relies on conventional encryption,
making no use of public-key
encryption
Two versions: version 4 and 5
Version 4 makes use of DES

Kerberos Version 4
Terms:

C = Client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS and V
TS = timestamp
|| = concatenation

A Simple Authentication Dialogue

(1) C → AS: IDc || Pc || IDv
(2) AS → C: Ticket
(3) C → V: IDc || Ticket

Ticket = EKv[IDc || Pc || IDv]

Version 4 Authentication Dialogue
Problems:
A lifetime is associated with the ticket-granting ticket:
If too short, the user is repeatedly asked for the password.
If too long, there is a greater opportunity to replay.

The threat is that an opponent will steal the ticket and use it before it expires.

Version 4 Authentication Dialogue

Authentication Service Exchange: to obtain a Ticket-Granting Ticket
(1) C → AS: IDc || IDtgs || TS1
(2) AS → C: EKc[Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs]

Ticket-Granting Service Exchange: to obtain a Service-Granting Ticket
(3) C → TGS: IDv || Tickettgs || Authenticatorc
(4) TGS → C: EKc[Kc,v || IDv || TS4 || Ticketv]

Client/Server Authentication Exchange: to obtain service
(5) C → V: Ticketv || Authenticatorc
(6) V → C: EKc,v[TS5 + 1]
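The six-message dialogue above, worked through in Python as an added example (not from the slides): the AS, TGS and V sides plus a client driver, with a toy encrypt-then-MAC standing in for DES, and constructed keys, names and addresses. The ticket and authenticator contents (session key, IDc, ADc, server ID, timestamp, lifetime), the clock-skew window, and encrypting message (4) under Kc,tgs rather than Kc are assumptions following the usual Kerberos v4 description, since the TGS holds no copy of the user's key.

```python
import hashlib, hmac, json

# Toy encrypt-then-MAC over a SHA-256 keystream, constructed for this example only
# (Kerberos v4 really uses DES in PCBC mode). E/D model the slides' EK[...] notation.
def _ks(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, fields):
    pt = json.dumps(fields, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def D(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct)))))

def key_from(secret):                      # Kc is derived from the user's password Pc
    return hashlib.sha256(secret.encode()).digest()

# Constructed long-term keys and identifiers (not real deployment values).
Ktgs, Kv = key_from("tgs-secret"), key_from("v-secret")
USERS = {"alice": key_from("alice-pw")}    # the AS holds Kc for every IDc
ADc, IDtgs, IDv = "10.0.0.7", "tgs", "fileserver"
LIFETIME, SKEW = 3600, 300                 # ticket lifetime and accepted clock skew (seconds)

def verify(ticket_blob, auth_blob, Kserver, now):
    """Shared by TGS and V: open the ticket, check its lifetime, then check the authenticator."""
    t = D(Kserver, ticket_blob)
    if now > t["TS"] + t["Lifetime"]:
        raise ValueError("ticket expired")
    Ks = bytes.fromhex(t["Ksess"])
    a = D(Ks, auth_blob)                   # only the genuine client knows the session key Ks
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]):
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["TS"]) > SKEW:
        raise ValueError("stale authenticator (replay?)")
    return t, Ks

def as_exchange(IDc, TS1, now):            # (1) IDc||IDtgs||TS1 -> (2) EKc[Kc,tgs||IDtgs||TS2||Lifetime2||Tickettgs]
    Kc_tgs = hashlib.sha256(f"{IDc}|{TS1}|{now}".encode()).digest()   # fresh session key
    ticket = E(Ktgs, {"Ksess": Kc_tgs.hex(), "IDc": IDc, "ADc": ADc, "IDs": IDtgs, "TS": now, "Lifetime": LIFETIME})
    return E(USERS[IDc], {"Kc,tgs": Kc_tgs.hex(), "IDtgs": IDtgs, "TS2": now, "Lifetime2": LIFETIME, "Tickettgs": ticket.hex()})

def tgs_exchange(IDv, ticket_tgs, auth, now):   # (3) IDv||Tickettgs||Authc -> (4) [Kc,v||IDv||TS4||Ticketv]
    t, Kc_tgs = verify(ticket_tgs, auth, Ktgs, now)
    Kc_v = hashlib.sha256(f"{t['IDc']}|{IDv}|{now}".encode()).digest()
    ticket_v = E(Kv, {"Ksess": Kc_v.hex(), "IDc": t["IDc"], "ADc": t["ADc"], "IDs": IDv, "TS": now, "Lifetime": LIFETIME})
    return E(Kc_tgs, {"Kc,v": Kc_v.hex(), "IDv": IDv, "TS4": now, "Ticketv": ticket_v.hex()})

def server_exchange(ticket_v, auth, now):  # (5) Ticketv||Authc -> (6) EKc,v[TS5+1], proving V knows Kc,v
    t, Kc_v = verify(ticket_v, auth, Kv, now)
    return E(Kc_v, {"TS5+1": D(Kc_v, auth)["TS"] + 1})

def client_session(IDc, Pc, now):
    """Drive all six messages; return whether V authenticated itself, plus message (5) for replay tests."""
    Kc = key_from(Pc)
    r2 = D(Kc, as_exchange(IDc, now, now))                  # a wrong Pc fails here with a bad MAC
    Kc_tgs, Ttgs = bytes.fromhex(r2["Kc,tgs"]), bytes.fromhex(r2["Tickettgs"])
    auth3 = E(Kc_tgs, {"IDc": IDc, "ADc": ADc, "TS": now})
    r4 = D(Kc_tgs, tgs_exchange(IDv, Ttgs, auth3, now))
    Kc_v, Tv = bytes.fromhex(r4["Kc,v"]), bytes.fromhex(r4["Ticketv"])
    auth5 = E(Kc_v, {"IDc": IDc, "ADc": ADc, "TS": now})
    r6 = D(Kc_v, server_exchange(Tv, auth5, now))
    return r6["TS5+1"] == now + 1, Tv, auth5
```

A captured message (5) replayed inside the skew window is still accepted here, which is exactly the window the slide warns about; the timestamp only bounds it, and the lifetime bounds how long the stolen ticket itself stays usable.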

Overview of Kerberos

Request for Service in Another Realm

Difference Between Version 4 and 5

Encryption system dependence (V.4 uses DES)
Internet protocol dependence
Message byte ordering
Ticket lifetime
Authentication forwarding
Interrealm authentication

Kerberos Encryption Techniques

PCBC Mode

Kerberos - in practice

Currently there are two Kerberos versions:
4: restricted to a single realm
5: allows inter-realm authentication, in beta test
Kerberos v5 is an Internet standard, specified in RFC1510, and used by many utilities.
To use Kerberos:
you need to have a KDC on your network
you need to have Kerberised applications running on all participating systems
A major problem is US export restrictions: Kerberos cannot be directly distributed outside the
US in source format (and binary versions must obscure crypto routine entry points and have no
encryption), so crypto libraries must be reimplemented locally.

X.509 Authentication Service
A distributed set of servers that maintains a database about users.
Each certificate contains the public key of a user and is signed with the private key of a CA.
It is used in S/MIME, IP Security, SSL/TLS and SET.
RSA is the recommended algorithm.

X.509 Formats

Typical Digital Signature Approach

Obtaining a User's Certificate
Characteristics of certificates generated by a CA:
Any user with access to the public key of the CA can recover the user public key that was certified.
No party other than the CA can modify the certificate without this being detected.

X.509 CA Hierarchy

Revocation of Certificates
Reasons for revocation:
The user's secret key is assumed to be compromised.
The user is no longer certified by this CA.
The CA's certificate is assumed to be compromised.

Authentication Procedures

Recommended Reading and Web Sites
www.whatis.com (search for kerberos)
Bryant, W. Designing an Authentication System: A Dialogue in Four Scenes.
http://web.mit.edu/kerberos/www/dialogue.html
Kohl, J.; Neuman, B. The Evolution of the Kerberos Authentication Service.
http://web.mit.edu/kerberos/www/papers.html
http://www.isi.edu/gost/info/kerberos/