Introduction To Information Security by Hassen (4th Copy)
Security can be defined as a state of freedom from danger, risk or attack. Information security can be
defined as the task of guarding information which is processed by a server, stored on a storage device,
and transmitted over a network like a Local Area Network or the public Internet. Information security
means protecting information and information systems from unauthorized access, use, disclosure,
disruption, modification or destruction.
Introduction to AAA
AAA stands for Authentication, Authorization and Accounting. AAA is a set of primary concepts that aids
in understanding computer and network security as well as access control. These concepts are used daily
to protect property, data, and systems from intentional or even unintentional damage. AAA is used to
support the Confidentiality, Integrity, and Availability (CIA) security concept.
Confidentiality: The term confidentiality means that the data which is confidential should remain
confidential. In other words, confidentiality means a secret should stay secret.
Integrity: The term integrity means that the data being worked with is the correct data, which has not
been tampered with or altered.
Availability: The term availability means that the data you need should always be available to you.
Authentication provides a way of identifying a user, typically requiring a Userid/Password combo before
granting a session. The authentication process controls access by requiring valid user credentials. After the
Authentication process is completed successfully, a user must be given authorization (permission) for
carrying out tasks within the server. Authorization is the process that determines whether the user has
the authority to carry out a specific task. Authorization controls access to the resources after the user has
been authenticated. The last one is Accounting. Accounting keeps track of the activities the user has
performed in the server.
What is authentication? What is the need for authentication? Different protocols for authentication
Authentication is the process which allows a sender and receiver of information to validate each other. If
the sender and receiver of information cannot properly authenticate each other, there is no trust in the
activities or information provided by either party. Authentication can involve highly complex and secure
methods or can be very simple. The simplest form of authentication is the transmission of a shared
password between entities wishing to authenticate each other. Today’s authentication methods use
some of the factors below.
An example of this type of Authentication is a "Password". The simple logic here is that if you know the
secret password for an account, then you must be the owner of that account. The problems associated
with this type of Authentication are that the password can be stolen, or someone might read it if you wrote it
somewhere. If anyone comes to know your password, they might tell someone else. If you have a simple
dictionary password, it is easy to crack it by using password cracking software.
Examples of this type of Authentication are smart cards, tokens etc. The logic here is if you have the
smart card with you, you must be the owner of the account. The problems associated with this type of
authentication are that you might lose the smart card, it can be stolen, or someone can duplicate the smart
card etc.
Examples of this type of authentication are your fingerprint, handprint, retina pattern, voice, keystroke
pattern etc. Problems associated with this type of authentication are that there is a chance of false
positives and false negatives. Chances are there that a valid user is rejected and an invalid user is
accepted. Often people are not comfortable with this type of authentication.
Kerberos was originally developed by Massachusetts Institute of Technology (MIT) Project Athena. A
suite of free software that implements this protocol was published by Massachusetts Institute of
Technology (MIT). The name "Kerberos" is taken from the three-headed dog of Greek
mythology. Kerberos is designed to work across the Internet, an inherently insecure environment.
The Kerberos protocol is a secure protocol, and it provides mutual authentication between a client
and a server. In Kerberos protocol, the client authenticates against the server and also the server
authenticates itself against the client. With mutual authentication, each computer or a user and
computer can verify the identity of each other. Kerberos is extremely efficient for authenticating
clients in large enterprise network environments. Kerberos uses secret key encryption for
authentication traffic from the client.
The same secret key is also used by the Kerberos protocol on the server to decrypt the authentication
traffic.
The Kerberos protocol is built on top of a trusted third party, called the Key Distribution Center (KDC). The Key
Distribution Center (KDC) acts as both an Authentication Server and a Ticket Granting Server.
When a client needs to access a resource on the server, the user credentials (password, Smart Card,
biometrics) are presented to the Key Distribution Center (KDC) for authentication. If the user
credentials are successfully verified in the Key Distribution Center (KDC), the Key Distribution Center
(KDC) issues a Ticket Granting Ticket (TGT) to the client. The Ticket Granting Ticket (TGT) is cached in
the local machine for future use. The Ticket Granting Ticket (TGT) expires when the user disconnects
or logs off the network, or when its expiry time is reached. The default expiry time is one day (86400 seconds).
When the client wants to access a resource on a remote server, the client presents the previously
granted and cached Ticket Granting Ticket (TGT) to the authenticating KDC. The authenticating Key
Distribution Center (KDC) returns a session ticket to the client to access the resource. The client
presents the session ticket to the remote resource server. The remote server allows the session to be
established to the resource after accepting the session ticket.
Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol used in
conjunction with Point to Point Protocol (PPP) to provide security and authentication to users of remote
resources. CHAP is described in RFC 1994, which can be viewed from http://www.rfc-editor.org/.
Challenge Handshake Authentication Protocol (CHAP) uses a challenge method for authentication.
Challenge Handshake Authentication Protocol (CHAP) doesn’t use a user ID/password mechanism. In
Challenge Handshake Authentication Protocol (CHAP), the initiator sends a logon request to the server.
The server sends a challenge back to the client. The challenge is encrypted and then sent back to the
server. The server compares the value from the client and, if the information matches, grants the session.
If the response fails, the session is denied, and the request phase starts over.
Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of the peer using a
three-way handshake. The verification of the identity of the peer is done initially, and may be repeated
anytime after the link has been established.
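The three-way handshake described above, as an added example (not code from RFC 1994 or from this document). RFC 1994 computes the response value as an MD5 one-way hash over the identifier, the shared secret and the challenge; the class names, peer name and secrets below are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side of the handshake: issues challenges and checks responses."""

    def __init__(self, secrets_by_name):
        self.secrets_by_name = secrets_by_name  # peer name -> shared secret
        self.pending = {}                       # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Step 1: send a fresh, unpredictable challenge with a new identifier."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, name, identifier, response):
        """Step 3: recompute the expected value and report success or failure."""
        value = self.pending.pop(identifier, None)  # each challenge is single-use
        secret = self.secrets_by_name.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without transmitting it."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        """Step 2: answer the challenge."""
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


def run_demo():
    # Constructed sample data: one peer name and one shared secret.
    server = Authenticator({"branch-router": b"constructed-shared-secret"})
    good = Peer("branch-router", b"constructed-shared-secret")
    bad = Peer("branch-router", b"wrong-guess")
    results = {}

    ident, value = server.challenge()
    captured = good.respond(ident, value)  # what an eavesdropper on the link would see
    results["valid_peer"] = server.verify(*captured)

    ident, value = server.challenge()
    results["wrong_secret"] = server.verify(*bad.respond(ident, value))

    # A captured response is useless against a new challenge, because the
    # expected value depends on the new identifier and challenge value.
    ident, value = server.challenge()
    name, _old_ident, old_response = captured
    results["replayed_response"] = server.verify(name, ident, old_response)

    # The authenticator may repeat the check at any time after link setup.
    ident, value = server.challenge()
    results["periodic_recheck"] = server.verify(*good.respond(ident, value))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {'Success' if outcome else 'Failure'}")
```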
Biometric identification systems normally work by obtaining unique characteristics from you, like a
handprint, a retina pattern etc. The biometric system then compares that to the specimen data stored in
the system.
Biometric authentication is much better when compared with other types of authentication methods.
But users are reluctant to use biometric authentication. For example, many users feel that a retina
scanner biometric authentication system may cause loss of their vision. False positives and false negatives
are a serious problem with biometric authentication.
The theoretical working of the fingerprint scanner is as described below. The user’s finger is placed on the
scanner surface. Light flashes inside the machine, and the reflection is captured by a scanner, and it is
used for analysis and then verified against the original specimen stored in the system. The user is allowed
or denied based on the result of this verification.
There are different types of tokens. One type of token is a small device with a keypad to key in
values. The server issues a challenge with a number when the user tries to log in. The user keys this number
into the token card, and the card displays a response.
The user inputs this response and sends it to the server, which calculates the same result it expects to see
from the token. If the numbers match, the user is authenticated.
Another type of token is based on time. This type of token displays numbers at different intervals of time.
The user who needs the authentication must also key in this time-based value at the time of
authentication. If the value from the token matches a value the server has calculated, the account is
authenticated and the user is allowed access.
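A time-based token of the kind described above, as an added example rather than code from this document. It assumes the token implements the RFC 6238 TOTP algorithm (HMAC-SHA-1, 30-second steps), which the page does not name; the shared secret is the test key published in the RFC, and the drift window and replay check are design choices of this example.

```python
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"  # published RFC 4226 / RFC 6238 test secret


def hotp(secret, counter, digits=6):
    """RFC 4226 one-time value for a given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def token_display(secret, unix_time, step=30, digits=6):
    """What the token shows at unix_time: the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


class TokenServer:
    """Server side: calculates the value it expects and compares."""

    def __init__(self, secret, step=30, digits=6, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps  # tolerated clock difference, in steps
        self.last_used_step = -1        # highest time step already accepted

    def verify(self, code, unix_time):
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for step_no in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step_no <= self.last_used_step:
                continue  # a value from an already-used step is never accepted again
            if hmac.compare_digest(hotp(self.secret, step_no, self.digits), code):
                self.last_used_step = step_no
                return True
        return False


def run_demo():
    code = token_display(RFC_TEST_KEY, 59)  # value shown during time step 1
    server = TokenServer(RFC_TEST_KEY)
    return {
        "fresh_code": server.verify(code, 59),
        "replayed_code": server.verify(code, 61),                  # same value, seen again
        "clock_drift": TokenServer(RFC_TEST_KEY).verify(code, 65),    # one step late
        "expired_code": TokenServer(RFC_TEST_KEY).verify(code, 125),  # three steps late
        "malformed": TokenServer(RFC_TEST_KEY).verify("28708x", 59),
    }


if __name__ == "__main__":
    print("token shows:", token_display(RFC_TEST_KEY, 59))
    for check, outcome in run_demo().items():
        print(f"{check}: {'accepted' if outcome else 'rejected'}")
```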
For example, most single-factor authentication methods use a password. In multi-factor
authentication methods, we can tighten the authentication by also adding a fingerprint biometric scanner
system.
Multi-factor authentication is more secure than single-factor authentication, because it adds steps that
increase the layers of security.
Discretionary Access Control (DAC) is the setting of permissions on files, folders, and shared resources.
The owner of the object (normally the user who created the object) in most operating system (OS)
environments applies discretionary access controls. This ownership may be transferred or controlled by
root/administrator accounts. Discretionary Access Control (DAC) is controlled by the owner or
root/administrator of the Operating System, rather than being hard coded into the system.
The Discretionary Access Control (DAC) mechanisms have a basic weakness, and that is they fail to
recognize a fundamental difference between human users and computer programs.
Mandatory Access Control (MAC) mechanism constrains the ability of a subject (users or processes) to
access or perform some sort of operation on an object (files, directories, TCP/UDP ports etc). Subjects and
objects each have a set of security attributes. Whenever a subject attempts to access an object, an
authorization rule enforced by the operating system kernel examines these security attributes and
decides whether the access can take place.
Under Mandatory Access Control (MAC), the super user (root) controls all interactions of software on the
system.
In contrast to DAC or MAC systems, where users have access to objects based on their own and the
object's permissions, users in a Role-based Access Control (RBAC) system must be members of the
appropriate group, or Role, before they can interact with files, directories, devices, etc.
Auditing
Auditing is useful in tracking and logging the activities on computers and computer networks. By
auditing, we can track the activities in a computer or computer network and link these activities to
specific user accounts or sources of activity. By using auditing or audit logs, we can later collect
evidence for finding illegal activities.
All the latest Operating Systems include functions for auditing. In the next lesson we will learn how to
configure auditing in Windows Server 2003 for illegal access to open files.
Auditing waits for a specific event to occur, and then reports on it within the Event Viewer. Auditing
events in Windows 2003 can be divided into two types: success events and failure events.
Auditing can be used for user logon/logoff events and file access events. Auditing can be turned on
through an Audit Policy, which is a part of Group Policy.
There are nine auditing settings that can be configured on a Windows 2003 computer.
Audit Account Logon Events: Tracks user logon and logoff events.
Audit Directory Service Access: Reports access and changes to the directory service.
Audit Logon Events: Reports user logging in and logging off or making a network connection to the
computer configured to audit logon events.
Audit privilege use: Reports events that are related to a user performing a task that is controlled by a user
right.
Audit process tracking: Reports events that are related to processes running on the computer.
Audit System Events: Reports standard system events. Not security related.
Auditing can be configured on Audit Policy, which is a part of Group Policy as shown below. You should
select the corresponding GPO according to your requirement.
Networks are always susceptible to unauthorized monitoring and different types of network attacks. If
you have not implemented proper security measures and controls in your network, there is a chance of
network attacks from inside and outside your network. The following chapters explain different types of
network attacks, which are listed below.
• SYN attack
• Sniffer Attack
• Backdoor Attacks
• Attempts to disrupt connections between two machines, thereby preventing access to a service.
One simple DoS (Denial of Service) attack was called the "Ping of Death." The Ping of Death was able to
exploit the simple TCP/IP troubleshooting tool ping. Using the ping tool, hackers would flood a network with large
packet requests that may ultimately crash the target server.
• Monitor the server's system performance and tabulate normal operating activity for disk, CPU, and
network traffic. Keep monitoring the server's system performance to detect any deviation from these values.
• Monitor the amount and nature of the network packets that travel through your network or
gateways.
• Update your software with any available update and always watch reports from security
organizations about any new threat.
• Implement network security devices which can detect any Denial of Service (DoS) attack.
• Record the details of any Denial of Service (DoS) attack to prevent future attacks. Log and report
the following details.
• Report the details of attack to your Service Provider and seek their help.
Types of attacks - Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack. In a Distributed Denial
of Service (DDoS) attack, multiple systems flood the bandwidth or overload the resources of a
targeted server.
In Distributed Denial of Service (DDoS), an intruder compromises one computer and makes it the
Distributed Denial of Service (DDoS) master. Using this Distributed Denial of Service (DDoS) master,
the intruder identifies and communicates with other systems that can be compromised. Then the
intruder installs Distributed Denial of Service (DDoS) tools on all compromised systems. With a single
command, the intruder instructs the compromised computers to launch flood attacks against the
target server. Here thousands of compromised computers are flooding or overloading the resources
of the target server preventing the legitimate users from accessing the services offered by the
server.
The SYN flood attack is the most common type of flooding attack. The attack occurs when the attacker
sends a large number of SYN packets to the victim, forcing it to wait for replies that never come. The
third part of the TCP three-way handshake is not executed. Since the host is waiting for a large number of
replies, the real service requests are not processed, bringing down the service. The source address of
these SYN packets in a SYN flood attack is typically set to an unreachable host. As a result it is impossible
to find the attacking computer.
SYN cookies provide protection against the SYN flood. A SYN cookie is a specific choice of initial TCP
sequence number made by the TCP software and is used as a defense against SYN flood attacks. By using
stateful firewalls which reset the pending TCP connections after a specific timeout, we can also reduce the
effect of a SYN attack.
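How a SYN cookie lets the server answer a SYN without storing anything, as an added example (not code from this document or from any TCP stack). It uses a simplified form of a commonly described layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash); the secret, the MSS table, the choice of HMAC-SHA-256 and the addresses are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for the example.
SECRET = b"constructed-server-secret"
MSS_TABLE = (216, 536, 768, 996, 1220, 1340, 1440, 1460)  # selected by a 3-bit index
SLOT_SECONDS = 64                                         # time counter granularity


def _mac24(secret, src, sport, dst, dport, slot, mss_index):
    """24-bit keyed hash over the connection 4-tuple, time slot and MSS index."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack(">HHQB", sport, dport, slot, mss_index))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, sport, dst, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK. The server stores no state."""
    slot = now // SLOT_SECONDS
    # Largest table entry that does not exceed the MSS the client offered.
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(secret, src, sport, dst, dport, slot, mss_index)
    return ((slot % 32) << 27) | (mss_index << 24) | mac


def check_ack(secret, src, sport, dst, dport, ack_number, now):
    """Validate the third handshake packet. Returns the negotiated MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client acknowledges cookie + 1
    slot_bits = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    current = now // SLOT_SECONDS
    for slot in (current, current - 1):     # accept the current and previous slot only
        if slot >= 0 and slot % 32 == slot_bits:
            expected = _mac24(secret, src, sport, dst, dport, slot, mss_index)
            if hmac.compare_digest(expected.to_bytes(3, "big"),
                                   (cookie & 0xFFFFFF).to_bytes(3, "big")):
                return MSS_TABLE[mss_index]  # only now is connection state allocated
    return None


def run_demo():
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)  # documentation addresses
    cookie = make_syn_cookie(SECRET, *conn, client_mss=1400, now=1000)
    ack = (cookie + 1) & 0xFFFFFFFF
    tampered = ((cookie ^ 1) + 1) & 0xFFFFFFFF
    return {
        "completed_handshake": check_ack(SECRET, *conn, ack_number=ack, now=1010),
        "different_source": check_ack(SECRET, "203.0.113.9", 40000, "192.0.2.10", 443,
                                      ack_number=ack, now=1010),
        "tampered_ack": check_ack(SECRET, *conn, ack_number=tampered, now=1010),
        "stale_ack": check_ack(SECRET, *conn, ack_number=ack, now=1000 + 3 * SLOT_SECONDS),
    }


if __name__ == "__main__":
    for case, mss in run_demo().items():
        print(f"{case}: {'accepted, MSS ' + str(mss) if mss else 'rejected'}")
```

A SYN whose final ACK never arrives costs the server one computed packet and no memory, which is why a flood of SYNs from unreachable sources no longer fills a queue of half-open connections.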
Many sniffers are available for free download. Leading packet sniffers are Wireshark, Dsniff, Etherpeek,
sniffit etc.
Types of attacks - Man-In-The-Middle (MITM) attack
Man-In-The-Middle (MITM) attack is the type of attack where attackers intrude into an existing
communication between two computers and then monitor, capture, and control the communication. In
Man-in-the-middle attack, an intruder assumes a legitimate user's identity to gain control of the network
communication. The other end of the communication path might believe it is you and keep on exchanging
the data.
Man-in-the-Middle (MITM) attacks are also known as "session hijacking attacks", which means that the
attacker hijacks a legitimate user's session to control the communication.
Many preventive methods are available for Man-In-The-Middle (MITM) attack and some are listed below.
To explain this clearly, in IP address spoofing, the IP address information placed on the source field of the
IP header is not the real IP address of the source computer, where the packet was originated. By changing
the source IP address, the actual sender can make it look like the packet was sent by another computer
and therefore the response from the target computer will be sent to the fake address specified in the
packet and the identity of the attacker is also protected.
Packet filtering is a method to prevent IP spoofing attacks. Blocking of packets from outside the network
with a source address inside the network (ingress filtering) and blocking of packets from inside the
network with a source address outside the network (egress filtering) can help prevent IP spoofing
attacks.
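The ingress and egress rules described above, as an added example (not code from this document). The internal prefixes, interface names and sample packets are constructed; the point it shows is that the same source address is legitimate on one interface and spoofed on the other.

```python
import ipaddress

# Constructed example: prefixes that belong to the inside of the network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:10::/48")]


def is_internal(address):
    """True if the address falls inside one of the internal prefixes."""
    return any(address.version == net.version and address in net
               for net in INTERNAL_NETS)


def filter_packet(arrived_on, src):
    """Decide on a packet by its source address and the interface it arrived on.

    arrived_on is "outside" (facing the Internet) or "inside" (facing the LAN).
    Returns (action, reason).
    """
    if arrived_on not in ("inside", "outside"):
        raise ValueError(f"unknown interface: {arrived_on!r}")
    try:
        address = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source address"
    if arrived_on == "outside" and is_internal(address):
        return "drop", "ingress filter: internal source arriving from outside"
    if arrived_on == "inside" and not is_internal(address):
        return "drop", "egress filter: external source leaving from inside"
    return "forward", "source address consistent with interface"


# Constructed sample traffic: (interface the packet arrived on, claimed source).
SAMPLE_PACKETS = [
    ("inside", "192.0.2.55"),       # LAN host sending out
    ("outside", "198.51.100.20"),   # Internet host sending in
    ("outside", "192.0.2.55"),      # claims to be a LAN host, but came from outside
    ("inside", "198.51.100.20"),    # LAN host using a source address it does not own
    ("outside", "2001:db8:10::1"),  # same ingress rule for IPv6
    ("inside", "not-an-ip"),        # malformed input is dropped, not forwarded
]


def run_demo():
    return [(iface, src) + filter_packet(iface, src) for iface, src in SAMPLE_PACKETS]


if __name__ == "__main__":
    for iface, src, action, reason in run_demo():
        print(f"{iface:8} {src:16} {action:8} {reason}")
```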
Backdoor Attacks
A backdoor in an Operating System or a complex application is a method of bypassing normal
authentication and gaining access. During the development of an Operating System or application,
programmers add back doors for different purposes. The backdoors are removed when the product is
ready for shipping or production. When a backdoor that was not removed is detected, the vendor
releases a maintenance upgrade or patch to close the back door.
Another type of back door can be an installed program or could be a modification to an existing program.
The installed program may allow a user to log on to the computer without a password with administrative
privileges. Many programs are available on the Internet to create back door attacks on systems. One of the
more popular tools is Back Orifice, which is also available for free download on the Internet.
Password Guessing Attacks, Brute Force Attack, Dictionary Attack
Another type of network attack is the Password Guessing attack. Here a legitimate user's access rights to
a computer and network resources are compromised by identifying the user id/password
combination of the legitimate user.
Brute Force Attack: A Brute Force attack is a type of password guessing attack and it consists of trying
every possible code, combination, or password until you find the correct one. This type of attack may
take a long time to complete. A complex password can make the time for identifying the password by
brute force long.
Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a
dictionary of common words to identify the user’s password.
Configuration Management
The main weapon in network attack defence is tight configuration management. The following measures
should be strictly implemented as part of configuration management.
• The machines in your network should be running up-to-date copies of the operating system and should
be updated immediately whenever a new service pack or patch is released.
• All the configuration files in your Operating Systems or Applications should be adequately secured.
• All the default passwords in your Operating Systems or Applications should be changed after the
installation.
Firewalls
Another weapon for defense against network attack is the firewall. A firewall is a device and/or software that
stands between a local network and the Internet, and filters traffic that might be harmful. Firewalls can be
classified into four types based on whether they filter at the IP packet level, at the TCP session level, at the
application level or hybrid.
1. Packet Filtering: Packet filtering firewalls function at the IP packet level. Packet filtering firewalls
filter packets based on addresses and port number. Packet filtering firewalls can be used as a weapon in
network attack defense against Denial of Service (DoS) attacks and IP Spoofing attacks.
2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that they can
reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway firewalls can
also provide a Virtual Private Network (VPN) over the Internet by doing encryption from firewall to firewall.
3. Application Proxies: Application proxy-based firewalls function at the application level. At this level, you
can block or control traffic generated by applications. Application Proxies can provide very comprehensive
protection against a wide range of threats.
4. Hybrid: A hybrid firewall may consist of a packet filtering firewall combined with an application proxy firewall,
or a circuit gateway combined with an application proxy firewall.
Encryption
Encryption is another great weapon used in defense against network attacks.
Encryption can provide protection against eavesdropping and sniffer attacks. Public Key Infrastructure
(PKI) technologies, Internet Protocol Security (IPSec), and Virtual Private Networks (VPN), when
implemented properly, can secure your network against network attacks.
The following lessons give you a basic knowledge of different types of malware, such as:
• Keyloggers
• Computer Viruses
• Worms
• Logic Bombs
• Trojan Horses
• Rootkits
Toolbars
Toolbars are available as plug-ins to browsers which provide additional functionality such as search forms
or pop-up blockers. Examples of useful toolbars are Google Toolbar, Yahoo toolbar, Ask toolbar etc. There
are malware toolbar plug-ins which are installed without the user's consent and display advertisements
and perform other nuisance activities.
Hijackers
Hijackers are another type of malware that take control of the behavior of your web browser like the
home page, default search pages, toolbar etc. Hijackers redirect your browser to another URL if you
mistype the URL of the website you want to visit. Hijackers can also prevent you from opening a particular
web site. Hijackers are an annoyance to users who use the browser often.
A hardware keylogger is a small hardware device which is normally installed between the keyboard
port and the keyboard. The hardware keylogger then tracks all user keystrokes and saves the
keystrokes to its internal memory. Hardware keyloggers are available in different memory capacities.
A software keylogger is a program which can track and save all the keystrokes of the user on the
computer. Software keyloggers are normally cheaper than hardware keyloggers. Software
keyloggers run invisibly to the user being monitored and hide themselves from the Task Manager and from
Add/Remove Programs. Many software keyloggers also support remote installation.
Computer Viruses
A Computer Virus is another type of malware which, when executed, tries to replicate itself into other
executable code which is available in the infected computer. If the virus is able to replicate itself into
other executable code, that code is then infected with the computer virus. When the infected executable
code is executed, it can in turn infect other executable code. The key difference between a virus and other
malware is this self-replication capability.
Normally, viruses propagate within a single computer, or may travel from one computer to another
using storage media like CD-ROM, DVD-ROM, USB flash drive etc.
• A replication mechanism that allows the virus to attach itself to another executable program.
• A trigger mechanism that is designed to execute the replication mechanism of the virus.
• Boot Sector Virus: A Boot Sector Virus infects the first sector of the hard drive, where the Master Boot
Record (MBR) is stored. The Master Boot Record (MBR) stores the disk's primary partition table and the
bootstrapping instructions which are executed after the computer's BIOS passes execution to
machine code. If a computer is infected with a Boot Sector Virus, when the computer is turned on, the virus
launches immediately and is loaded into memory, enabling it to control the computer.
• File Deleting Viruses: A File Deleting Virus is designed to delete critical files which are part of the
Operating System or data files.
• Mass Mailer Viruses: Mass Mailer Viruses search e-mail programs like MS Outlook for e-mail addresses
which are stored in the address book and replicate by e-mailing themselves to the addresses stored in the
address book of the e-mail program.
• Macro viruses: Macro viruses are written by using macro programming languages like VBA, which is
a feature of the MS Office package. A macro is a way to automate and simplify a task that you perform
repeatedly in the MS Office suite (MS Excel, MS Word etc). These macros are usually stored as part of the
document or spreadsheet and can travel to other systems when these files are transferred to other
computers.
• Polymorphic Viruses: Polymorphic Viruses have the capability to change their appearance and change
their code every time they infect a different system. This helps the Polymorphic Viruses to hide from anti-
virus software.
• Armored Viruses: Armored Viruses are a type of virus designed and written to make themselves
difficult to detect or analyze. An Armored Virus may also have the ability to protect itself from antivirus
programs, making it more difficult to disinfect.
• Stealth viruses: Stealth viruses have the capability to hide from the operating system or anti-virus software
by making changes to file sizes or directory structure. Stealth viruses are anti-heuristic in nature, which helps
them to hide from heuristic detection.
• Polymorphic Viruses: Polymorphic viruses change their form in order to avoid detection and
disinfection by anti-virus applications. After the work, these types of viruses try to hide from the anti-virus
application by encrypting parts of the virus itself. This is known as mutation.
• Retrovirus: A Retrovirus is another type of virus which tries to attack and disable the anti-virus application
running on the computer. A retrovirus can be considered anti-antivirus. Some Retroviruses attack the anti-
virus application and stop it from running, while others destroy the virus definition database.
• Multiple Characteristic viruses: Multiple Characteristic viruses have different characteristics of viruses
and have different capabilities.
Due to the nature of replication through the network, a worm normally consumes a lot of system resources,
including network bandwidth, causing network servers to stop responding.
• Email Worms: Email Worms spread through infected email messages as an attachment or a link of an
infected website.
• Instant Messaging Worms: Instant Messaging Worms spread by sending links to the contact list of
instant messaging applications.
• Internet Worms: An Internet worm will scan all available network resources using local operating system
services and/or scan the Internet for vulnerable machines. If a computer is found vulnerable, the worm will
attempt to connect and gain access to it.
• IRC Worms: IRC Worms spread through IRC chat channels, sending infected files or links to infected
websites.
• File-sharing Networks Worms: File-sharing Networks Worms place a copy of themselves in a shared folder
and spread via a P2P network.
• A payload, which is an action to perform and which normally has a malicious effect.
• A trigger, a Boolean condition that is evaluated and controls when the payload is executed. The trigger
can be a date, the logged-in user, network conditions etc.
Trojan Horses can alter or delete files from the infected computer, download files to the infected
computer, modify registry settings, steal passwords, log keystrokes, disable anti-virus applications etc.
Rootkits are installed by an attacker for a variety of purposes. Rootkits can provide the attacker root
level access to the computer via a back door, can conceal other malware which is installed
on the target computer, can turn the computer they are installed on into a zombie computer for network
attacks, and can be used to hack encryption keys and passwords. Rootkits are more
dangerous than other types of malware because they are difficult to detect and cure.
Application Level Rootkits: Application level rootkits operate inside the victim computer by changing
standard application files with rootkit files, or changing the behavior of present applications with
patches, injected code etc.
Kernel Level Rootkits: Kernel is the core of the Operating System and Kernel Level Rootkits are
created by adding additional code or replacing portions of the core operating system, with modified
code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel Level Rootkits can
have a serious effect on the stability of the system if the kit’s code contains bugs. Kernel rootkits are
difficult to detect because they have the same privileges as the Operating System, and therefore they
can intercept or subvert operating system operations.
Boot loader Level (Bootkit) Rootkits: Boot loader Level (Bootkit) Rootkits replace or modify the
legitimate boot loader with another one, thus enabling the Boot loader Level (Bootkit) Rootkit to be activated
even before the operating system is started. Boot loader Level (Bootkit) Rootkits are a serious threat to
security because they can be used to hack the encryption keys and passwords.
• Firewall
• Routers
• Hubs
• Modems
Hardware firewalls are separate devices which function as dedicated firewalls (they also contain
software, but it is normally stored in ROM to prevent tampering). Cisco and Checkpoint are the two
leading companies which make hardware firewalls.
Software firewalls can be installed on servers or workstations and they help to prevent unwanted
inbound and outbound traffic. Microsoft ISA Server, Zone Alarm, Comodo etc are some leading
software based firewalls. The Linux Operating System includes an Open Source firewall called iptables.
Firewalls can be classified into four types based on whether they filter at the IP packet level, at the TCP
session level, at the application level or hybrid.
1. Packet Filtering Firewalls: Packet filtering firewalls function at the IP packet level. Packet
filtering firewalls filter packets based on addresses and port number. Packet filtering firewalls can
be used as a weapon in network attack defense against Denial of Service (DoS) attacks and IP
Spoofing attacks.
2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that
they can reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway
firewalls can also provide a Virtual Private Network (VPN) over the Internet by doing encryption from
firewall to firewall.
3. Application Level Firewalls (Proxies): Application proxies are configured on a multi-homed server
and they are often used instead of router-based traffic controls, to prevent traffic from passing
directly between networks. Application proxy-based firewalls function at the application level. At
this level, you can block or control traffic generated by applications. Application-Level Firewalls can
enforce correct application behavior, and can help to block malicious. Application-Level Firewalls
can log user activity also. Application-level firewalls may also include protection against spam and
viruses. Application-Level Firewalls can block Web sites based on its content rather than just IP
address. Application Proxies can provide very comprehensive protection against a wide range of
threats.
4. Hybrid Firewalls: A hybrid firewall may consist of a packet filtering firewall combined with an application
proxy firewall, or a circuit gateway combined with an application proxy firewall.
Routers segment large networks into logical segments called subnets. The division of the network is
based on the Layer 3 addressing system, like IP addresses. If the Network Layer (Layer 3) Data
packet (IP Datagram) is addressed to another device on the local subnet, the packet does not cross
the router and create a traffic congestion problem in another network. If data is addressed to a
computer outside the subnet, the router forwards the data to the addressed network. Thus routing
of network data helps conserve network bandwidth.
Routers are the first line of defense for your network and they must be configured to pass only
traffic that is authorized by the network administrators. Thus a router can function as a firewall if
it’s configured properly.
Hubs were the common network infrastructure devices used for LAN connectivity but switches are
rapidly replacing hubs. Hubs function as the central connection point for LANs. Hubs are designed to
work with Twisted pair cabling and normally use RJ45 jack to connect the devices. Network devices
(Servers, Workstations, Printers, Scanners etc) are attached to the hub by individual network cables.
Hubs usually come in different shapes and different numbers of ports.
When a hub receives a packet of data (an Ethernet frame) at one of its ports from a network device, it
transmits (repeats) the packet to all of its ports to all of the other network devices. If two network
devices on the same network try to send packets at the same time a collision is said to occur.
Hubs operate in such a way that all data received through one port is sent to all other ports. This type
of operation creates an extremely unsecure environment: anyone can sniff the network using a
sniffer, so any unencrypted traffic over the network is not secure. Hubs are unsecure LAN devices
that should be replaced with switches for security and increased bandwidth.
Hubs are considered to operate at Physical Layer (Layer 1) of OSI model. An 8 port hub is shown
below.
What are bridges and switches
A bridge is a network device that operates at the Data Link layer (Layer 2) of the OSI model. There are
many different types of bridges, including Transparent bridges, Encapsulation bridges and
Source-route bridges. Source-route bridges are for Token Ring networks. Bridges allow segmenting a Local
Network into multiple segments, thus reducing the network traffic. A bridge performs the
segmenting function by examining the Data Link Layer (Layer 2) data packet (Ethernet Frame) and
forwarding the packet to other physical segments only if necessary. Both switches and bridges
function using Data Link Layer (Layer 2) addressing system, also known as MAC addresses.
A bridge can connect only two networks, LANs or hosts, which means that a bridge has only two ports,
while a switch can connect more than two networks, LANs or hosts because a switch normally has
more than two ports (usually 24 ports or 48 ports). Simply put, a bridge with more than
two ports is known as a switch. Bridges and switches are considered to operate at the Data Link Layer
(Layer 2) of the OSI model.
The following picture shows a 24 port, 10/100, Cisco 2500 Catalyst Switch.
• 56 Kbps - 1998
Modems normally respond to any call made to them when connected to an outside line and allow a
connection. This may allow instant unsecured access to the network or the computers. If the modem
is not really required, it should be disabled or removed from network work stations. If disabling the
modem is not possible, it should be configured to prevent auto-answer.
Corporate users can connect to the corporate network using a direct Dial-up network or
through a Virtual Private Network (VPN), where a low cost intermediate network (such as the Internet)
is used to connect to the corporate network. Microsoft Routing and Remote Access Services is an example
of Remote Access Services (RAS).
Dial-up networking is a Remote Access connection in which a remote access client makes a
nonpermanent, dial-up connection to a physical port on a Remote Access server by using the service
of a third party telecom service provider over an analog phone or ISDN connection.
Virtual Private Networking (VPN) is a logical, indirect connection between the Virtual Private
Networking (VPN) client and the Virtual Private Networking (VPN) server over a low cost public
network such as the Internet. A Virtual Private Networking (VPN) client uses Virtual Private
Networking (VPN) protocols called tunneling protocols to make a virtual call to a virtual port on a
Virtual Private Networking (VPN) server.
Virtual Private Network (VPN) connections use either Point-to-Point Tunneling Protocol (PPTP) or
Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over the Internet. Internet
connections are usually cheaper than leased line, Dial-up, ISDN or similar types of connections. Since
the Internet is the connection medium, a Virtual Private Network (VPN) can save huge telecom costs.
Point-to-Point Tunneling Protocol (PPTP)
PPTP was created by Microsoft and has been available since Windows NT 4.0 Routing and Remote Access
Services. Point-to-Point Tunneling Protocol (PPTP) encrypts the data it encapsulates, but the header
is not encrypted. Since the VPN header is not encrypted, an eavesdropper can read the VPN header
but the data is somewhat secure since the contents are encrypted.
Intrusion Detection Systems (IDS), Network Intrusion Detection System (NIDS), Host Intrusion
Detection System (HIDS), Signatures, Alerts, Logs, False Alarms. Sensor
Intrusion detection is a set of techniques and methods that are used to detect suspicious activity
both at the network and host level. Intrusion detection is the act of detecting a hostile user or
intruder who is attempting to gain unauthorized access or trying to disturb the services or deny the
services to legitimate users. An Intrusion Detection System (IDS) is software or a device or a
combination of both that monitors and tracks network intrusion attempts, malicious activities or
policy violations and produces reports for the security administrators.
Basically an Intrusion Detection System (IDS) is also a sniffer. An Intrusion Detection System (IDS)
detects an intrusion by sniffing and analysing the network packets.
The most popular Open Source Intrusion Detection System (IDS) is Snort, developed
by SourceFire. Snort can detect thousands of worms, vulnerability exploit attempts, port scans, and
other suspicious activities. Snort is available for both Linux and Windows platforms as source files
and binaries.
Following are some definitions which are related to Intrusion Detection Systems (IDS).
Signatures
Signature is the pattern that you look for inside a data packet. Each attack has its own specific
signatures and a signature is used to detect one or multiple types of attacks. Signatures can be
identified from IP header, transport layer protocol header (TCP or UDP header) or from data.
Alerts
Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it
has to inform security administrator about this using alerts.
Logs
The log messages are usually saved in file for future analysis.
False Alarms
False alarms are alerts generated due to an indication that is not an intruder activity.
Sensor
The machine on which an intrusion detection system is running is also called the sensor in the
literature because it is used to "sense" the network.
An Intrusion Detection System (IDS) is a software or hardware device installed on the network
(NIDS) or host (HIDS) to detect and report intrusion attempts to the network.
We can think of a firewall as security personnel at the gate and an IDS device as a security camera
after the gate. A firewall can block a connection, while an Intrusion Detection System (IDS) cannot
block a connection. An Intrusion Detection System (IDS) alerts the security administrator to any
intrusion attempts.
However, an Intrusion Detection and Prevention System (IDPS) can block connections if it finds that a
connection is an intrusion attempt.
A passive IDS is a system that’s configured to only monitor and analyze network traffic activity and
alert an operator to potential vulnerabilities and attacks. A passive IDS is not capable of performing
any protective or corrective functions on its own.
Host Intrusion Detection Systems (HIDS) are software applications (agents) installed on
workstations which are to be monitored. The agents monitor the operating system and write data
to log files and/or trigger alarms. A Host Intrusion Detection System (HIDS) can only monitor the
individual workstations on which the agents are installed and it cannot monitor the entire network.
Host-based IDS systems are used to monitor any intrusion attempts on critical servers.
• Host Intrusion Detection Systems (HIDS) can be very difficult to maintain in large networks with
different operating systems and configurations
• Host Intrusion Detection Systems (HIDS) can be disabled by attackers after the system is
compromised.
The disadvantages of Signature-based Intrusion Detection Systems (IDS) are that the signature database
must be continually updated and maintained and that Signature-based Intrusion Detection Systems
(IDS) may fail to identify unique attacks.
Higher false alarm rates are often associated with Behavior-based Intrusion Detection Systems (IDS).
• Snort
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed
by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is
the most widely deployed IDS/IPS technology worldwide. With millions of downloads and
approximately 300,000 registered users, Snort has become the de facto standard for IPS.
• CounterAct
CounterACT Edge security appliance delivers an entirely unique approach to preventing network
intrusions: Stop attackers based on their "proven intent" to attack without using signatures,
anomaly detection or pattern matching of any kind.
Attackers follow a consistent pattern. To launch an attack, they need knowledge about a network's
resources. Potential intruders, whether humans or self-propagating threats, compile vulnerability
and configuration information through scanning and probing prior to an attack. The information
received is then used to launch attacks based on the unique structure and characteristics of the
targeted network.
• AirMagnet
AirMagnet Enterprise provides a simple, scalable WLAN monitoring solution that enables any
organization to proactively mitigate all types of wireless threats, enforce enterprise policies,
prevent performance problems and audit the regulatory compliance of all their WiFi assets and
users worldwide.
Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively
monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing
network traffic to extract its application-level semantics and then executing event-oriented
analyzers that compare the activity with patterns deemed troublesome. Its analysis includes
detection of specific attacks (including those defined by signatures, but also those defined in terms
of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of
failed connection attempts).
Cisco IPS is one of the most widely deployed intrusion prevention systems, providing:
Protection against more than 30,000 known threats, Timely signature updates and Cisco Global
Correlation to dynamically recognize, evaluate, and stop emerging Internet threats
Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence
Operations.
Cisco IPS protects against increasingly sophisticated attacks, including Directed attacks, Worms,
Botnets, Malware, Application abuse.
Cisco IPS also helps your organization comply with government regulations and consumer privacy
laws. It provides intrusion prevention that Stops outbreaks at the network level, before they reach
the desktop, Prevents losses from disruptions, theft, or defacement, Collaborates with other
network components, for end-to-end, networkwide intrusion prevention, Supports a wide range of
deployment options, with near-real-time updates for the most recent threat, Decreases legal
liability, protects brand reputation, and safeguards intellectual property.
Juniper Networks IDP Series Intrusion Detection and Prevention Appliances with Multi-Method
Detection (MMD), offers comprehensive coverage by leveraging multiple detection mechanisms.
For example, by utilizing signatures, as well as other detection methods including protocol anomaly
and traffic anomaly detection, the Juniper Networks IDP Series appliances can thwart known attacks as
well as possible future variations of the attack. Backed by Juniper Networks Security Lab, signatures
for detection of new attacks are generated on a daily basis. Working very closely with many
software vendors to assess new vulnerabilities, it’s not uncommon for IDP Series to be equipped to
thwart attacks which have not yet occurred. Such day-zero coverage ensures that you’re not
merely reacting to new attacks, but proactively securing your network from future attacks.
Defend your servers from known and new zero-day attacks with McAfee Host Intrusion Prevention.
Boost security, lower costs by reducing the frequency and urgency of patching, and simplify
compliance.
Built on the foundation of the award-winning Snort® rules-based detection engine, Sourcefire IPS™
(Intrusion Prevention System) uses a powerful combination of vulnerability- and anomaly-based
inspection methods—at throughputs up to 10 Gbps—to analyze network traffic and prevent critical
threats from damaging your network. Whether deployed at the perimeter, in the DMZ, in the core,
or at critical network segments, and whether placed in inline or passive mode, Sourcefire’s easy-to-
use IPS appliances provide comprehensive threat protection.
The award-winning Strata Guard® high-speed intrusion detection/prevention system (IDS/IPS) gives
you real-time, zero-day protection from network attacks and malicious traffic, preventing Malware,
spyware, port scans, viruses, and DoS and DDoS from compromising hosts, Device and network
outages, Data leakage, High-risk protocols, such as BitTorrent™, Kazaa™, and TelNet, from running
on your network, Unauthorized access to sensitive data.
Introduction to Honeypots
A honeypot is a closely monitored computing resource that we want to be probed, intruded,
attacked, or compromised. A honeypot is defined as "an information system resource whose value
lies in unauthorized or illicit use of that resource". A honeypot can capture every action an intruder
or attacker makes inside the honeypot. A honeypot can log access attempts, can capture
keystrokes, can identify the files accessed and modified, can identify the programs executed within
honeypot. If an attacker is unaware that he’s inside a honeypot, we can even identify his ultimate
intentions.
Honeypots can be placed inside the network, outside the network or inside DMZ (Demilitarized
Zone). They can even be placed in all of the above locations.
Honeypots are necessary to learn how intruders and attackers probe and attempt to gain access to
your systems. By learning and recording how intruders and attackers probe and attempt to gain
access to the systems, we can gain insight into attack methodologies to protect our real production
systems.
Honeypots are also necessary to record and provide forensic information of an attack to
government law enforcement agencies. These records generated by the honeypots are required to
prosecute the intruders and attackers.
• Honeyd
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run
arbitrary services, and their personality can be adapted so that they appear to be running certain
operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to
65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms
for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of
virtual systems. Honeyd is created for Unix Operating Systems and Honeyd is open source software
released under GNU General Public License.
• HoneyBOT
HoneyBOT is a windows based low interaction honeypot solution. HoneyBOT works by opening a
large range of listening sockets on your computer from which a selection of these sockets are
designed to mimic vulnerable services. When an attacker connects to these services they are fooled
into thinking they are attacking a real server. The honeypot safely captures all communications with
the attacker and logs these results for future analysis. Should an attacker attempt an exploit or
upload a rootkit or trojan to the server the honeypot environment can safely store these files on your
computer for malware collection and analysis purposes.
• MultiPot
Multipot is an emulation based honeypot designed to capture malicious code which spreads through
various exploits across the net. Design specifications for this project mandated that the captures be
done in such a way so that the host machine would require only minimal supervision and would not
itself risk getting infected. Multipot was designed to emulate exploitable services to safely collect
malicious code.
• Glastopf Project
Many of today's most advanced attacks now happen at the web application layer. This solution is
designed to capture information on the latest web application attacks using scalable and easy to
deploy low-interaction server honeypots. Glastopf is a minimalistic web server emulator written in
Python. The honeypot tool collects information about web application-based attacks like for example
remote file inclusion, SQL injection, and local file inclusion attacks. Glastopf scans the incoming
request for strings like "=http://" or "=ftp://". If this matches, we try to download and analyze the file
and respond as close as possible to the attacker's expectations. If we fulfill them, the attacker sends
us for example a bot, shell or spreader. Those files could for example be analyzed for IRC information
to infiltrate the botnet behind this kind of attacks. The collected data is stored in a MySQL database
that can be browsed via a web interface.
• Argos
Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an
open source emulator that uses dynamic translation to achieve a fairly good emulation speed.
Argos extends Qemu to enable it to detect remote attempts to compromise the emulated guest
operating system. Using dynamic taint analysis it tracks network data throughout execution and
detects any attempts to use them in an illegal way. When an attack is detected the memory footprint
of the attack is logged.
• KFSensor
It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system
services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of
information than can be achieved by using firewalls and NIDS alone.
• NetBait
NetBait is a proprietary technology developed by NetBait, Inc. to prevent, detect and analyze
intruders' attacks on companies' networks. NetBait is based on the concept of a "Honeypot," which
means that it is a decoy which lures intruders away from actual network data and instead gives them
"bait" with false information.
Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers.
GHH is a “Google Hack” honeypot. It is designed to provide reconnaissance against attackers that use
search engines as a hacking tool against your resources. GHH implements honeypot theory to provide
additional security to your web presence.
• HoneyC
HoneyC is a low interaction client honeypot / honeyclient that makes it possible to identify malicious
servers on the web. Instead of using a fully functional operating system and client to perform
this task (which is done by high interaction client honeypots, such as Honeymonkey or
Honeyclient), HoneyC uses emulated clients that are able to solicit as much of a response from a
server that is necessary for analysis of malicious content. HoneyC is expandable in a variety of
ways: it can use different visitor clients, search schemes, and analysis algorithms.
• Shelia
Shelia is an intrusion detection system for the client side. It comes with a client emulator that
scans through a mail folder specified on the command line. Typically, this would be the spam
folder. In this folder the client emulator is capable of following every url and opening every
attachment.
Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting
malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched
browser vulnerabilities and install malware on the computers of unsuspecting users.
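The Glastopf entry above describes matching incoming requests for strings like "=http://" or "=ftp://". The same matching idea applied as a detection over web server access logs is sketched below as an added example (it is not Glastopf's code); the log lines are constructed, the function names are hypothetical, and matching https and repeatedly URL-encoded values goes beyond the two strings the text names.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A parameter value that is itself a remote URL ("=http://", "=ftp://").
REMOTE_VALUE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries (documentation addresses and a reserved .test domain).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://files.example.test/a.txt HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /view.php?lang=en&tpl=ftp%3A%2F%2Ffiles.example.test%2Fb.txt HTTP/1.1" 200 87',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /go?ref=HTTP%253A%252F%252Ffiles.example.test%252Fc HTTP/1.1" 404 0',
    '192.0.2.14 - - [01/Jan/2024:10:00:20 +0000] "GET /search?q=what+is+http HTTP/1.1" 200 900',
]


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so an encoded URL still matches."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_includes(log_lines):
    """Return (client, parameter, value) for every parameter holding a remote URL."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group("target")).query
        # parse_qsl already decodes one level of percent-encoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(value).strip()
            if REMOTE_VALUE.match(value):
                hits.append((line.split()[0], name, value))
    return hits


if __name__ == "__main__":
    for client, name, value in find_remote_includes(SAMPLE_LOG):
        print(f"{client} parameter {name!r} carries remote URL {value}")
```

Parameters that legitimately carry URLs, such as a redirect target, will also match, so hits from a production log need review against the application's expected parameters.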
The network protocol analyzer (Sniffer) can analyze a large number of network protocols including
ARP, IP, ICMP, TCP, UDP, DCCP, HTTP, FTP, DNS, and DHCP.
Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure)
standard across many industries and educational institutions.
• tcpdump
tcpdump is a common packet analyzer that runs under the command line. It allows the user to
intercept and display TCP/IP and other packets being transmitted or received over a network to
which the computer is attached. Distributed under the BSD license,[1] tcpdump is free software.
WinDump is the Windows version of tcpdump, the command line network analyzer for UNIX.
WinDump is fully compatible with tcpdump and can be used to watch, diagnose and save to disk
network traffic according to various complex rules.
OmniPeek is a commercial Network Protocol Analyzer (Sniffer). OmniPeek gives network engineers
real-time visibility and Expert Analysis into every part of the network from a single interface,
including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.
Using OmniPeek’s intuitive user interface and "top-down" approach to visualizing network
conditions, network engineers—even junior staff—can quickly analyze, drill down and fix
performance bottlenecks across multiple network segments, maximizing uptime and user
satisfaction.
Windows Network Monitor is a built-in Network Protocol Analyzer (Sniffer) product for Windows
Server Operating Systems.
• dsniff
dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail,
files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally
unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings
in ad-hoc PKI.
• Ettercap
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections,
content filtering on the fly and many other interesting tricks. It supports active and passive dissection
of many protocols (even ciphered ones) and includes many features for network and host analysis.
• ntop
ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix
command does. ntop is based on libpcap and it has been written in a portable way in order to
virtually run on every Unix platform and on Win32 as well. ntop users can use a web browser (e.g.
netscape) to navigate through ntop (that acts as a web server) traffic information and get a dump of
the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an
embedded web interface.
• EtherApe
EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip
and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic.
Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It
can filter traffic to be shown, and can read traffic from a file as well as live from the network.
• Kismet
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet
will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate
hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins
which allow sniffing other media such as DECT. Kismet identifies networks by passively collecting
packets and detecting standard named networks, detecting (and given time, decloaking) hidden
networks, and inferring the presence of nonbeaconing networks via data traffic.
Another command which can be used to detect promiscuous mode in UNIX-type operating systems is "ip
link".
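A sketch of that check on Linux, as an added example that is not part of the original document: it parses `ip -d link show` output and reports interfaces that carry the PROMISC flag or a non-zero promiscuity counter, because a capture opened through a packet socket can raise the counter without the flag appearing in the plain `ip link` listing. The sample output is constructed and the function name is hypothetical.

```python
import re

# Constructed sample of `ip -d link show` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:aa:bb:03 brd ff:ff:ff:ff:ff:ff
"""

# "2: eth0: <FLAGS> ..." or "5: veth0@if4: <FLAGS> ..." starts a new interface.
HEADER = re.compile(r"^(\d+):\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
# Detail lines printed with -d carry "promiscuity N".
COUNTER = re.compile(r"\bpromiscuity\s+(\d+)")


def promiscuous_interfaces(ip_link_output):
    """Map interface name -> {"flag": bool, "count": int} for promiscuous ones."""
    seen = {}
    current = None
    for line in ip_link_output.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(2)
            flags = header.group(3).split(",")
            seen[current] = {"flag": "PROMISC" in flags, "count": 0}
            continue
        if current is None:
            continue  # detail line before any interface header
        counter = COUNTER.search(line)
        if counter:
            seen[current]["count"] = int(counter.group(1))
    return {
        name: info
        for name, info in seen.items()
        if info["flag"] or info["count"] > 0
    }


if __name__ == "__main__":
    for name, info in promiscuous_interfaces(SAMPLE_IP_LINK).items():
        print(f"{name}: PROMISC flag={info['flag']} promiscuity={info['count']}")
```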
Latency Method
In the Latency Method, a huge amount of data is sent on the network and the suspect machine is pinged before
and after flooding. If a sniffer is running on the machine, it will be in promiscuous mode and it may need to
parse the data, thus increasing the load on it. Because of the load, it will take extra time to respond to the
ping request. This latency may indicate a sniffer running on the target machine.
Networks contain many networking devices like hubs, switches, routers, firewalls, wireless access
points, cabling systems, workstations, servers, different software applications etc. Maintaining
security with multiple devices and many different software applications is a serious issue. Every new
device added or software installed may create a security hole. Network Access Control (NAC) can be
defined as a method of enforcing endpoint security (Anti-virus, Anti-virus status, Host Intrusion
Detection System, vulnerability assessment), user security, system authentication and network
security. Two major Network Access Control (NAC) implementations are Network Access Protection
(NAP), which is a Microsoft technology for controlling network access of a computer host, and
Network Admission Control (NAC), which is Cisco’s technology for controlling network admission.
Microsoft’s Network Access Protection (NAP) measures the connecting system’s health, such as anti-virus
protection, anti-virus status, OS patches and updates, and system policies.
DMZ (Demilitarized Zone) is also known as Perimeter Network. A DMZ (Demilitarized Zone) adds an
additional layer of security to an organization's internal network, and an external attacker
has access only to network devices and servers in the DMZ (Demilitarized Zone). By creating a DMZ
(Demilitarized Zone), an outside user needs to make at least one hop in the DMZ (Demilitarized Zone)
before he can access sensitive information inside the trusted network.
A DMZ (Demilitarized Zone) normally holds Web servers, FTP servers, Name servers (DNS), E-mail
Servers, Honeypots.
How to secure Workstations and Servers
Workstations are normally operated by end users with limited computer knowledge and hence
they require much attention. Workstations communicate with other workstations and servers
using services such as file sharing, network services, and other applications programs.
• Select an operating system which is more secure and has fewer vulnerabilities. Download and
install hot fixes, Service Packs and updates without delay.
• Install Host Intrusion Detection System (HIDS) software such as ossec, tripwire or rkhunter.
• Install a good firewall and configure it properly for workstations and servers. Close all ports
which are not required.
• Enforce a strong password policy for users, which may protect against brute force and dictionary
attacks.
• Select a web browser which is more stable and secure, because attacks can be launched using
browsers. If possible, disable script execution.
• Download and install software from trusted sites only. Try to install digitally signed software
and view the digital certificate to check whether the certificate is OK.
• Close all services and protocols and run only the services and protocols which are necessary.
Many services have known vulnerabilities and the attacker may exploit these vulnerabilities to
gain access to your workstation or server.
• Attackers can launch attacks targeted at specific Operating System and services once the
Operating System and server application is identified. Example: By default, many web server
applications show information regarding the web server application name, web server
application version, Operating System and Operating System version in error messages. This may
help an attacker to exploit vulnerabilities of the web server application and Operating System.
Web server application should be configured to hide this information.
• If possible, try to change default administrative account names and passwords for Operating
Systems, Databases and other sensitive applications and services.
• Physical security is an important factor and if there is no physical security all the above tips are
of NO use.
The advantages of wireless networks over wired networks are that they are easy to troubleshoot and need less
cabling. The main disadvantage of wireless networks is that they can be extremely unsecure if not
configured properly. Other disadvantages are a greater chance of signal interference, blockage, and
interception.
Institute of Electrical and Electronics Engineers (IEEE) 802.11
Wireless Standards
Wireless LANs are specified by the Institute of Electrical and Electronics Engineers (IEEE) 802.11 series
standard. IEEE 802.11 series standard defines technologies and protocols for wireless LANs operating
from 2 Mbps to 248 Mbps.
The Institute of Electrical and Electronics Engineers (IEEE) started development of a standard for
WLANs that operate at a speed of 1 and 2 Mbps in 1990. The Institute of Electrical and Electronics
Engineers (IEEE) 802.11 WLAN standard was approved in 1997. Since the bandwidth of 2 Mbps was
not sufficient for new networks, a new IEEE 802.11b amendment was created in 1999, adding 5.5 Mbps
and 11 Mbps with support for wireless devices that are up to 115 meters away at the 2.4 GHz
frequency.
Institute of Electrical and Electronics Engineers (IEEE) proposed another standard 802.11a which
specifies a maximum speed of 54 Mbps using the 5 GHz spectrum. The IEEE 802.11g standard was
ratified in 2003 and can support devices transmitting at 54 Mbps.
802.11n is another amendment which improves the previous standards by adding multiple-input
multiple-output antennas (MIMO) and other newer features. The IEEE has approved the 802.11n
amendment and it was published in October 2009.
Because of the nature of operation, the original IEEE 802.11 committee identified the possible threats
of wireless networks and the members implemented several wireless security protections in the
original 802.11 standard. These can be divided into three categories: controlling access, Wired
Equivalent Privacy (WEP) encryption, and device authentication.
Wireless Application Protocol (WAP) is an open international standard designed for use with wireless
devices. The Wireless Application Protocol (WAP) protocol was designed to show internet contents on
wireless clients, like mobile phones. The idea behind Wireless Application Protocol (WAP) was to show
internet contents on wireless clients. Wireless Application Protocol (WAP) is an application
communication protocol and Wireless Application Protocol (WAP) is used to access services and
information
Wireless Application Protocol (WAP) has become a standard adopted by many wireless equipment
manufacturers, including Motorola and Nokia. Wireless Application Protocol (WAP) functions are
equivalent to TCP/IP functions in the wired network. The Wireless Application Protocol (WAP) standard is
based on other leading internet standards like HTML and XML. It consists of a WML language specification, a
WMLScript specification, and a Wireless Telephony Application Interface (WTAI) specification.
Wireless Application Protocol (WAP) uses a markup language called Wireless Markup Language (WML) to
display internet content, which is a tag based language, similar to HTML. Wireless Markup Language
(WML) uses WMLScript to run simple code on the client. WMLScript is similar to JavaScript, which is used
along with HTML to generate dynamic content at browser side.
Wired Equivalent Privacy (WEP) uses the RC4 encryption algorithm for encryption.
The plaintext message is run through an integrity check algorithm and the Integrity Check Value (ICV)
is appended to the end of the original plaintext message. A 24-bit initialization vector (IV) is
generated and added to the beginning of the secret key that is then input to the RC4 Key Scheduling
Algorithm (KSA) to generate a seed value for the Wired Equivalent Privacy (WEP) Pseudo-Random
Number Generator (PRNG). The Wired Equivalent Privacy (WEP) Pseudo-Random Number Generator
(PRNG) then generates the encrypting cipher-stream. The above generated cipher-stream is then
XOR’d with the plaintext/ICV message to create the Wired Equivalent Privacy (WEP) cipher text. Finally,
the IV is added (in plaintext) to the cipher text and the result is transmitted.
The decryption process is the reverse of the encryption process. First, the Initialization Vector (IV) is
removed from the data packet and merged with the shared password. This value is then used with
KSA, and subsequently used to recreate the key stream. The stream and encrypted data packet are
XORed together, which results in the plaintext output. The Integrity Check Value (ICV) is then
removed from the plaintext and compared against a recalculated Integrity Check Value (ICV) and the
packet is then either accepted or rejected according to the results of calculation.
The weakness of Wired Equivalent Privacy (WEP) comes from the small size of the IV. Within a short
period of time all keys are reused. This weakness of Wired Equivalent Privacy (WEP) is the same for
different encryption levels, because all use the 24-bit IV.
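The WEP encryption and decryption steps described above, and the effect of a repeated IV, as an added Python example that is not part of the original document. The key, IVs and messages are constructed sample values, the key ID byte of a real WEP frame is left out, and the birthday estimate assumes IVs are picked at random.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: Key Scheduling Algorithm (KSA) followed by the keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's Integrity Check Value is a CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits (3 bytes)")
    # The IV is placed in front of the secret key to form the RC4 key.
    keystream = rc4_keystream(iv + secret_key, len(plaintext) + 4)
    # The IV is sent in the clear in front of the encrypted plaintext + ICV.
    return iv + xor(plaintext + icv(plaintext), keystream)


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + secret_key, len(body)))
    plaintext, received_icv = data[:-4], data[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame rejected")
    return plaintext


def ciphertext_xor(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two encrypted bodies. With equal IVs the keystream cancels out,
    leaving the XOR of the two plaintexts without any knowledge of the key."""
    return xor(frame_a[3:], frame_b[3:])


def frames_for_even_chance_of_iv_repeat(iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before a repeated IV is more likely than not,
    assuming IVs are picked at random (an assumption of this example)."""
    return int(math.sqrt(2 * math.log(2) * 2 ** iv_bits))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")          # constructed 40-bit secret key
    iv = bytes.fromhex("a1b2c3")               # constructed IV, used twice
    p1, p2 = b"GET /payroll HTTP/1.0", b"hello from station 2!"
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("round trip:", wep_decrypt(key, f1))
    print("keystream cancels:", ciphertext_xor(f1, f2)[:len(p1)] == xor(p1, p2))
    print("frames until IV repeat is likely:", frames_for_even_chance_of_iv_repeat())
```

The same result holds for 40-bit and 104-bit secret keys, because only the 24-bit IV varies from frame to frame.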
The original Wi-Fi Protected Access (WPA) was implemented in such a way that it can communicate
with older wireless hardware. The WPA2 implements the full standard and is not compatible with
older hardware.
WPA uses Temporal Key Integrity Protocol (TKIP) based on the RC4 cipher, which dynamically
changes keys. Temporal Key Integrity Protocol (TKIP) was designed by the IEEE 802.11i task group
and the Wi-Fi Alliance as a solution to replace WEP without requiring the replacement of legacy
hardware. WPA also supports Extensible Authentication Protocol (EAP), Extensible Authentication
Protocol Transport Layer Security (EAP-TLS), Extensible Authentication Protocol-Tunneled Transport
Layer Security (EAP-TTLS), or Protected Extensible Authentication Protocol (PEAP).
War Driving
War Driving is defined as the act of searching for Wi-Fi wireless networks by a person in a moving
vehicle, using a portable computer or PDA. The term War Driving is derived from the 1980s phone
hacking method known as war dialing. War dialing involves dialing all the phone numbers in a given
sequence to search for modems. War Driving gained popularity in 2001, because at that time
wireless network scanning tools became widely available.
Some people do War Driving as a hobby and map out different wireless networks. But hackers will
look for wireless networks and then break into the networks to steal data or to perform malicious
activities.
The initial war driving tools included simple software coupled with the WNIC (Wide-area Network
Interface Coprocessor). Many organizations are not worried about their wireless networks because
they could spot the war drive attacker inside their parking space and have onsite security pick them up and
throw them out. But recent wireless technology developments enable a network to extend far
beyond the parking space of an office building. In some cases, a wireless network has the ability to
span several miles. Now an attacker can stay far away from the building and still catch a strong signal
The rogue access points are normally installed by employees who need additional freedom to move
about at work. These types of rogue access points can be very dangerous since most users are not
aware of all the security issues associated with wireless devices.
An E-Mail server is an application that receives incoming e-mail from local users and
remote senders and forwards outgoing e-mail for delivery. Example: MS Exchange
Server, SendMail, QMail etc. All recent E-mail servers work on Simple Mail Transfer
Protocol (SMTP).
E-Mail clients are programs which are used to create, send, receive, and view e-mails.
Example: Mozilla Thunderbird, MS Outlook etc. All recent versions of E-mail clients allow
messages to be formatted in plain text or HTML (Hypertext Markup Language).
E-mails and mail systems are also targets of attackers. Some common E-Mail threats are
explained below.
Eavesdropping
Normally all E-mail messages (including userids and passwords) are transmitted between
computer and E-mail servers as plain text. This is not secure and anyone who can
intercept this can read your email and obtain your userids, passwords and sensitive E-
mail content.
Spam E-mails
Spam is flooding the internet with many copies of unsolicited bulk E-mail messages.
Spam E-mails are usually commercial advertisements like replica watches, cheap drugs,
get rich quick and other dubious products. Spam E-mails decrease productivity and
increase the cost of email use. Many legitimate E-mails are also filtered by spam filters.
Many viruses and worms are spread as attachments to emails. Once your computer is
infected, the viruses and worms may spread to the other computers on your network also. This
malware can send your private information to attackers, destroy your precious data or
disrupt productivity.
Your E-mail server should be equipped with strong anti-virus application and spam filters
to stop spam, viruses, and other unwanted content before they reach your
infrastructure and users. Anti-virus application and spam filters should actively protect
you against email bombs and other attacks, and greatly reduce the impact of spam and
viruses.
E-mail Bombs
Email Bombs are a type of Denial of Service (DoS) attack which target mail servers.
“Email bombs” occur when you receive a large number of E-mail messages in a very
short time to overflow the mailbox or overload the server. Different types of E-mail
bombs are Mass mailing (sending mass emails to the victim's E-mail inbox), link listing
(linking the victim's E-mail address to different E-mail lists, so that the inbox is flooded
with unwanted e-mails) and Zip bombing (a type of attack targeted at servers where a large
number of compressed files are sent to servers).
Your E-mail server should be equipped with a trusted and updated anti-virus application
and spam filters to stop spam, viruses, and other unwanted content before they reach
your infrastructure and users. Anti-virus application and spam filters should actively
protect you against email bombs and other attacks, and greatly reduce the impact of
spam and viruses.
PGP (Pretty Good Privacy): PGP (Pretty Good Privacy) is another encryption method
for E-mails. PGP (Pretty Good Privacy) uses both symmetric encryption and asymmetric
encryption. PGP uses symmetric encryption algorithm to encrypt the E-mail message to
be sent. After encrypting the E-mail message PGP (Pretty Good Privacy) encrypts the
symmetric key used to encrypt the E-mail message with the public key of the intended
recipient. The encrypted key and E-mail message are then sent to the intended recipient.
At the receiving side, PGP (Pretty Good Privacy) will first decrypt the symmetric key with
the private key supplied by the recipient and will then use the decrypted symmetric key
to decrypt the E-mail message.
Note: Visit Public Key Infrastructure section to learn more about the terms encryption,
symmetric encryption, asymmetric encryption, public key, private key and other related
terms.
Web Servers usually store content which is available to the public, like product information, pricing,
technical support, contact information etc. The contents of the websites are normally stored as
Hypertext Markup Language (HTML) files, Dynamic Hypertext Markup Language (DHTML) files, Active
Server Pages (ASP) files, Extensible Markup Language (XML) files, Cascading Style Sheets (CSS) files,
JavaScript files, graphics, sounds etc.
Web Servers may also contain other business data that may be confidential. Since the Web Servers are
accessible for the public, there is a chance for it to get compromised by the malicious users. Small
businesses often have a single physical server that performs many server functions for the organization,
like a Web Server, Database Server, E-mail Server etc. Here compromising a single server can expose the
entire business data of the organization to a malicious user. A dedicated Web Server may also pose a
threat to security, since it is publicly available and compromising the mail server may help the malicious
user to compromise other servers also. So securing Web Servers is very important and vital to
securing the IT infrastructure.
How a Web Server Serves Clients
The Web Servers serve the contents to the clients using Hyper Text Transfer Protocol. The process is
explained as below.
1. The end user opens the browser in client machine and enters the desired URL (normally a Fully
Qualified Domain Name (FQDN)).
2. The client computer sends the request to the Domain Name Server (DNS server) to resolve the Fully
Qualified Domain Name (FQDN) to an IP address. Domain names are created for humans to remember
the names easily. Computers communicate with each other using IP Addresses. To start communicating
with the Web Server, the Fully Qualified Domain Name (FQDN) of the web server must be resolved to an
IP address.
3. The DNS server checks its own records to find a mapping for the Fully Qualified Domain Name (FQDN)
to an IP address. If it is unable to resolve itself, it will query another DNS server until it finds a record for
the requested Fully Qualified Domain Name (FQDN).
4. The DNS server responds to the original Fully Qualified Domain Name (FQDN) resolution request with
the IP address of the web site.
5. The client checks whether the IP address of the web site is in local network. If it cannot find the web
site in local network, it uses Address Resolution Protocol (ARP) to locate the hardware address of the
router (gateway) that forwards the network traffic to reach the remote network.
6. The client then sends an HTTP GET request to the Web site.
7. After receiving the HTTP request, the web server checks to see if the requesting user has the proper
permissions to access the file. If so, the server sends back the requested document.
Leading Web Server Software products are Apache Web Server, Internet Information Services (IIS), Zeus
Web Server, AOL Server, Oracle iPlanet Web Server (Formerly Sun Java System Web Server) etc.
Internet Information Services (IIS) is a Microsoft product and it is designed for use with Windows Server
products. Internet Information Services (IIS) was initially available with Windows NT 3.51. Internet
Information Services (IIS) 2.0 was available with Windows NT 4.0. The support for server side scripting
Active Server Pages (ASP) for dynamic content was included in IIS 3.0.
Internet Information Services (IIS) 7 is a major upgrade of IIS, and it is available with Windows Vista and
Windows 2008 Server. It includes several new functionalities and some of them are listed below.
• The ability to have HttpModules and HttpHandlers participate in all requests to a server. No need to
map requests to the ASP.NET ISAPI in order to write managed modules that participate in requests.
• Integration of the ASP.NET configuration system with IIS. IIS now uses the same web.config
configuration model as ASP.NET, which means you can have both ASP.NET and IIS configuration settings in
the same file together.
• An integrated management tool that manages both IIS and ASP.NET settings together.
1) To install Internet Information Services (IIS) 7 on Windows 2008 Server, open the Server Manager by
clicking Start > Administrative Tools > Server Manager. Right Click the Roles node and select "Add Roles"
from the context menu.
4) Click Next in the Introduction to Web Server (IIS) screen.
5) Select any additional Role Services you need in the next screen and click "Next" to continue.
6) Confirm the installation in next screen and click "Install" to install Internet Information Services (IIS) 7
Web Server. The wizard will now display the progress of installation.
Securing Access Control in Internet Information Services (IIS) 7, Anonymous Web Server Access,
IUSER account
Internet Information Services (IIS) 7 uses a named user account to authenticate anonymous web site
visitors. This account on Internet Information Services (IIS) 7 server is created when you install
Internet Information Services (IIS) 7 on Windows Operating System. The account which is used
to authenticate anonymous web site visitors to an Internet Information Services (IIS) 7 web site is called
IUSER_<computer_name>. This user account is visible when you open Local Users and Groups node
in Server Manager, as shown below.
When a Web visitor accesses a Web site, Internet Information Services (IIS) 7 automatically
logs that user on using the IUSER_<computer_name> account. This method of authenticating
anonymous web site visitors using the IUSER_<computer_name> account gives system
administrators granular access control on a Web server, so that all anonymous users have the same
level of access. It also allows users who access the web site through their own user accounts
to have another level of access.
The access permissions of the web user accounts for anonymous logins should be restricted to the
lowest level, so they cannot log on locally to the server nor access any resource outside the root of
the web site.
IUSER_<computer_name> account ideally should not have the permission to write to the server hard disk or
execute programs on server. If there is a need for other user accounts to grant certain users a higher
level of access permission than the anonymous IUSER_<computer_name> account, administrator
should create user accounts in server only to access the web site. Internal user accounts should not
be used to login to the web server. It is a great threat to security if internal users, who can logon
locally to internal machines, are exposed outside.
Another important feature available with latest Web Servers including Internet Information Services
(IIS) 7 is Virtual Directories. Virtual directories are folders that are not contained within the Web server
file system hierarchy (they can even be on a file system on a different computer), but appear to the
user to be part of file system hierarchy of the web site. This is a great feature which helps to conceal
the real file system structure of the web site. It is always ideal to configure the Virtual Directories
within DMZ itself and not to configure Virtual Directories in an internal computer. If the Web Server
is compromised by an intruder, he may then gain access to internal computer.
If the web users need access to data within a database, it is ideal to configure a database for the web
server, which is only read only to the web user or web server process. Any write to the database for
the web server should be only from the protected internal database server. If the user input from the
web pages needs to be stored inside the database server, all the server-side scripts and the SQL
queries should be tested and verified thoroughly for any vulnerability and all the inputs should be
validated at client-side and also at server-side to prevent attacks like SQL Injection.
1) To create a Virtual Directory, open the Internet Information Services (IIS) Manager by clicking Start >
Administrative Tools > Internet Information Services (IIS) Manager.
2) Right click the site in which you want to create the Virtual Directory and select "Add Virtual Directory" from
the context menu.
3) Enter the alias and the real Physical Path to the directory in "Add Virtual Directory" dialog box. Click
"OK" to create new Virtual Directory.
4) New Virtual directory is created and is listed as shown below. Now the new Virtual Directory is
accessible using the URL http://www.omnisecu.com/engineering and the real Physical Path is
concealed.
Configuring IP address and domain name restrictions in Internet Information Services (IIS)
allows you to permit or deny access to the web server, web sites, folders, or files. Rules can be
configured for remote IP addresses or based on the Domain name.
When a remote client that is not permitted access requests a resource, a 403.6 (“Forbidden: IP
address of the client has been rejected”) or 403.8 (“DNS name of the client is rejected”) HTTP
status will be logged by Internet Information Services (IIS).
IP and Domain Restrictions option is not enabled by default when you install Internet
Information Services (IIS). You can enable IP and Domain Restrictions option by adding the
above Role Service as shown below.
1) Open the Server Manager by selecting the path Start > Administrative Tools > Server
Manager.
2) Click "Add Role Services" link to add the required Role. Check the "IP and Domain
Restrictions" check box in "Select Role Services" screen and click "Next" to continue.
3) Click "Install" in the "Confirm Installation Selections" screen, to add the "IP and Domain
Restrictions" Role Service.
4) Click Close in the installation results to close the "Add Role Services" wizard.
5) After adding the "IP and Domain Restrictions" Role Service, you can configure IP and
Domain Restrictions by opening the Internet Information Services (IIS) Manager and selecting
IPv4 Address and Domain Restrictions, as shown below.
6) Inside IPv4 Addresses and Domain Restrictions, select "Add Allow Entry" or "Add Deny
Entry" to add Allow or Deny entries.
7) The "Add Allow Entry" and "Add Deny Entry" dialog box is shown below.
You can specify an IP address, an IP address range or a Domain Name in above dialog boxes.
Please note that configuring Allow or Deny restrictions using a Domain name requires a reverse
DNS lookup every time a request arrives at the server. Performing reverse DNS lookups is a
potentially expensive operation that can severely degrade the performance of your IIS server.
Configuring MIME (Multipurpose Internet Mail Extensions) Types in
Internet Information Services (IIS) 7
MIME (Multipurpose Internet Mail Extensions) restrictions prevent undefined file types from being served
by Internet Information Services (IIS). MIME (Multipurpose Internet Mail Extensions) Types help protect
the Internet Information Services (IIS) server by preventing malicious attackers from downloading
sensitive files. When a client attempts to download a file that does not have MIME type defined on the
server, a 404.3 HTTP status is logged in the IIS log files.
1) Open the IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS)
Manager. Select MIME Types on the site you want to configure as shown below.
3) Enter the file extension and an appropriate MIME type in the "Add MIME Type" dialog box shown
below.
If you want to remove any existing MIME Type you no longer wish to serve, select the MIME type and
then click the Remove link from the Actions pane.
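The 403.6, 403.8 and 404.3 statuses mentioned in the IP and Domain Restrictions and MIME Types sections can be pulled out of the IIS logs for review. The following is an added Python example, not part of the original document; it assumes W3C extended log format with the sc-substatus field enabled, and the log lines and addresses are constructed sample data.

```python
from collections import Counter

# Status / substatus pairs the text says IIS logs for these two features.
WATCHED = {
    ("403", "6"): "client IP address rejected",
    ("403", "8"): "client DNS name rejected",
    ("404", "3"): "no MIME type defined for the file",
}

# Constructed sample in W3C extended log format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2024-01-01 10:00:01 GET /index.htm 198.51.100.7 200 0
2024-01-01 10:00:05 GET /admin/ 203.0.113.9 403 6
2024-01-01 10:00:06 GET /admin/ 203.0.113.9 403 6
2024-01-01 10:00:09 GET /backup/site.bak 203.0.113.9 404 3
2024-01-01 10:00:12 GET /engineering/ 198.51.100.20 403 8
2024-01-01 10:00:15 GET /missing.htm 198.51.100.7 404 0
"""


def parse_w3c_log(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed rows
                yield dict(zip(fields, values))


def restriction_hits(text):
    """Count requests rejected by IP/domain restrictions or MIME type rules."""
    hits = Counter()
    for row in parse_w3c_log(text):
        code = (row.get("sc-status"), row.get("sc-substatus"))
        if code in WATCHED:
            hits[(row["c-ip"], ".".join(code), row["cs-uri-stem"])] += 1
    return hits


def clients_over_threshold(text, threshold=2):
    """Client addresses with at least `threshold` rejected requests in total."""
    per_client = Counter()
    for (client, _code, _uri), count in restriction_hits(text).items():
        per_client[client] += count
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    for (client, code, uri), count in sorted(restriction_hits(SAMPLE_LOG).items()):
        reason = WATCHED[tuple(code.split("."))]
        print(f"{client} {code} ({reason}) {uri} x{count}")
    print("repeat offenders:", clients_over_threshold(SAMPLE_LOG))
```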
Authentication is the process of determining whether an entity (normally a remote user or computer)
is in fact what it claims to be.
Normally authentication requires an entity (user in this case) to provide an identifier (username) and
then prove the identity by providing something you know (a password), something you have (security
token), or something you are (biometric identification).
Multifactor authentication combines multiple factors of authentication information to improve
security. Multifactor authentication normally combines something you know (a password) with
something you are (biometric identification).
The process of Authorization occurs once the user is authenticated. Authorization is the process
which the system uses to determine what a user is allowed to do once he/she is authenticated.
Whenever the authenticated user needs to access some file or resource, the system verifies that
operation against an Access Control List (ACL) maintained for the file or resource. The ACL consists of
a set of Access Control Entries (ACEs) that define which users can or cannot perform certain
operations. These operations include read a file, modify a file’s contents, update a file’s properties,
perform a backup, shut down a system etc.
Basic Authentication: In Basic Authentication the end-user is prompted to supply credentials, which
are then transmitted unencrypted across the network.
Digest Authentication: In Digest Authentication the user’s password is not passed in clear text across
the network. Digest authentication hashes the user’s password using MD5 and sends the hash across the
network. Windows is unable to store MD5 hashes of passwords for local accounts, thus Digest
authentication is only available for Active Directory accounts.
Client Certificate Authentication: In Client Certificate Authentication the client presents a certificate
to the server. The server is configured to map certificates to one or more Windows user accounts.
SSL/TLS must be enabled for this authentication.
2) On the Authentication page, select Basic Authentication. In the Actions pane, click Enable to use
Basic authentication with the default settings. Click Edit to type the default domain and realm.
3) In the Edit Basic Authentication Settings dialog box, in the Default domain text box, type a default
domain or leave it blank. Users who do not provide a domain when they log on to your site are
authenticated against this domain.
In the Realm text box, type a realm or leave it blank. In general, you can use the same value for the
realm name as you used for the default domain. If you enter the default domain name in the Realm
text box, your internal Microsoft Windows domain name may be exposed to external users during
the user name and password challenge.
Windows Authentication in IIS 7.0 supports two protocols: one is NTLM (NT LAN Manager) and the other
is Kerberos. NTLM (NT LAN Manager) is a Microsoft protocol suite that can be used both for HTTP-
based authentication and non-HTTP-based authentication.
Windows authentication is best suited for an intranet environment for the following reasons:
• HTTP proxy connections are not required (NTLM doesn’t support HTTP Proxy).
To configure Windows Authentication, open the Internet Information Services (IIS) 7 Manager and
open the site you want to configure Windows authentication. In Features View, double-click
Authentication.
2) On the Authentication page, select Windows Authentication. In the Actions pane, click Enable to
enable Windows authentication.
Internet Protocol Security IPSec Tutorial
Internet Protocol has many weaknesses. The following points describe some of the weaknesses of
Internet Protocol.
• IP data packet (Internet Protocol Datagram) contains the logical addressing information (IP
addresses). It is easy to forge the logical addresses of IP datagram.
• It is possible to view the contents of an IP datagram, since there is no inbuilt encryption for IP
datagram.
• Replay attack is a type of network attack in which attackers capture packets whenever packets pass
between two hosts on a network. The packets are then analyzed and passwords, encryption keys, or
digital signatures are extracted from the captured packets. Later the attacker can send the captured
password to the host and gain authentication.
Hence we cannot make sure that the IP datagrams received by a computer are from the claimed
sender, that the data received is not tampered with by an attacker, and that the datagram was not
inspected by the attacker while the packet was travelling the network.
The purpose of Internet Protocol Security or IPsec is to protect communications over Internet
Protocol (IP) using cryptographic security services. IPsec is a security tunneling
protocol, defining a mechanism that allows a device to encrypt and/or authenticate data packets and
encapsulate the data packets. Internet Protocol Security (IPsec) enhances your network security to a
very high level.
3) Confidentiality – The confidential data cannot be inspected by others. The term confidentiality
means the data expected to remain private should be seen only by those who should see it.
• IPsec can be implemented as a stand-alone device, and can be implemented as a part of the router
or firewall.
Authentication Header (AH): AH is a protocol that provides data origin authentication, data integrity,
and anti-replay protection.
Encapsulating Security Payload (ESP): ESP is a protocol that provides data origin authentication, data
integrity, and anti-replay protection and it provides confidentiality by encrypting the traffic.
Internet Key Exchange (IKE): IKE is a protocol that provides the key-management function. IKE helps
in setting up Security Associations.
In this lesson you have learned what Internet Protocol Security (IPsec) is, why we need Internet
Protocol Security (IPsec), the goals of Internet Protocol Security (IPsec) and the ways Internet
Protocol Security (IPsec) can be implemented. Authentication Header (AH), Encapsulating Security
Payload (ESP) and Internet Key Exchange (IKE) are the key protocols associated with Internet Protocol
Security (IPSec).
A Security Association (SA) is a simplex (one-way channel) and logical connection that provides
relationship between two or more systems to build a unique secure connection. A Security
Association (SA) can be viewed as an agreement between two devices about how to protect
information during transit.
Security Associations (SAs) are one way (simplex). If two devices, Dev-A and Dev-B, are
communicating using IPSec, then Dev-A will have two Security Associations. One Security
Association is used for processing out-bound packets and other Security Association is used for
processing inbound packets.
2) An IP destination address
3) An IPSec Protocol Identifier. IPSec protocols are Authentication Header (AH) and Encapsulating
Security Payload (ESP).
The protocol Internet Key Exchange (IKE or IKEv2) is used to set up Security Associations (SAs)
between two devices. IKE uses a Diffie-Hellman key exchange to set up a shared secret key, from
which cryptographic keys are derived. Diffie-Hellman (developed by Whitfield Diffie and Martin
Hellman) algorithm is a method for securely exchanging a shared secret (key) between two devices
over an untrusted network. The secret key is generated at two devices and it is never transmitted
over the network.
Internet Key Exchange (IKE) protocol used for generating Security Association is a two-phase process.
The first phase (also known as Main Mode negotiation) is a policy negotiation phase in which four
parameters are negotiated.
• The hash algorithm (MD5 (Message Digest 5) or SHA (Secure Hash Algorithm)).
In the second phase (also known as Quick Mode negotiation), the following parameters are
negotiated.
After Main Mode and Quick Mode negotiations, common agreement is reached, and two Security
Associations (SAs) are established. One Security Association (SA) is for inbound communication and
the other Security Association (SA) is for outbound communication. As part of the second phase
(Quick Mode), session key material is refreshed, and a new pair of keys is generated. This can prevent
the cracking of session key by an attacker.
Security Parameter Index SPI, Security Policy Database SPD, Security Association Database SAD
The Security Parameter Index (SPI) is a very important element in the SA. An SPI is a 32-bit number
that is used to uniquely identify a particular SA for any connected device.
A Security Association (SA) is an agreement between two devices about how to protect information
during communication. It also indicates the parameters, such as keys and algorithms. SPI provides a
mechanism for the destination to identify which SA to use to check the security of the received
packet. The SPI is provided to map the incoming packet to an SA at the destination.
The SPI is a 32-bit random number generated by the sender to identify the SA to the recipient.
IPsec Transport mode protects upper-layer protocols (Ex: TCP or UDP) and Transport mode is used to
secure end-to-end (device to device) communications.
When IPSec is enabled, the transport layer packets (TCP Segments and UDP Datagrams) reach the IPSec
module. When IPSec is implemented as a part of the TCP/IP protocol suite, the IPSec module is a part of the
network layer (OSI Layer 3). The IPSec then adds the Authentication Header (AH), Encapsulating Security
Payload (ESP), or both headers, and then IP header is added.
When IPSec is operating at Transport mode, IPSec header is inserted between the IP header and the
Transport Layer protocol header (TCP or UDP).
Figure 2: In Transport mode, IPSec Header is inserted between IP header and TCP Header
In Transport Mode, if the packet needs to be secured using both Authentication Header (AH) and
Encapsulating Security Payload (ESP), the packet is first protected using Encapsulating Security Payload
(ESP) and then it is secured using Authentication Header. This helps to bring the data integrity to the
Encapsulating Security Payload (ESP) payload also.
You have learned what IPSec Transport mode is and that IPSec Transport mode can protect end-to-end data
transmission.
When we use IPSec Tunnel mode, the IP datagram is encapsulated in another IP datagram and an
IPSec header is inserted between two IP headers.
An IPSec tunneled mode packet has outer IP header and inner IP header. The inner header is the host
IP header itself and the outer header is added by the security gateway.
Authentication Header (AH) is an IP protocol and has been assigned the protocol number 51 by IANA. In
the IP header of Authentication Header (AH) protected datagram, the 8-bit protocol field will be 51,
indicating that following the IP header is an Authentication Header (AH) header.
Figure 6: Authentication Header (AH) - Header
Next Header: Next header field points to next protocol header that follows the AH header. It can be an
Encapsulating Security Payload (ESP) header, a TCP header or a UDP header (depending on the network
application).
Payload Length: specifies the length of AH in 32-bit words (4-byte units), minus 2.
Security Parameter Index (SPI): The Security Parameter Index (SPI) field contains the Security Parameter
Index, which is used to identify the security association used to authenticate this packet.
Sequence Number: Sequence Number field is the number of messages sent from the sender to the
receiver using the current SA. The initial value of the counter is 1. The function of this field is to enable
replay protection, if required.
Authentication Data: The Authentication Data field contains the result of the Integrity Check Value
calculation, that can be used by the receiver to check the authentication and integrity of the packet. This
field is padded to make total length of the AH is an exact number of 32-bit words. RFC 2402 requires that
all AH implementations support at least HMAC-MD5-96 and HMAC-SHA1-96.
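The AH fields described above can be parsed and checked in a few lines. The following is an added example, not part of the original course text: it builds a constructed AH header, parses it, and verifies an HMAC-SHA1-96 value. The key, SPI and payload are constructed sample values, the replay check is a simple "higher than the last sequence number" test, and the ICV here covers only the AH header and payload, whereas real AH also covers the immutable IP header fields.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header (1) + Payload Length (1) + Reserved (2) + SPI (4) + Sequence Number (4)
ICV_LEN = 12        # HMAC-SHA1-96 keeps the first 96 bits of the HMAC-SHA1 output
NEXT_HEADER = {6: "TCP", 17: "UDP", 50: "ESP"}   # IANA protocol numbers


def compute_icv(key, fixed_part, payload):
    """HMAC-SHA1-96 over the AH header (ICV field zeroed) and the payload.

    Simplification (assumption of this example): the IP header is left out.
    """
    mac = hmac.new(key, fixed_part + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(next_header, spi, seq, payload, key):
    """Build a constructed AH header followed by its payload."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # length in 32-bit words, minus 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + compute_icv(key, fixed, payload) + payload


def parse_ah(data):
    """Split raw bytes into the AH fields; reject inconsistent lengths."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, _reserved, spi, seq = struct.unpack(
        "!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4                    # undo the "minus 2"
    if ah_len < AH_FIXED_LEN or ah_len > len(data):
        raise ValueError("Payload Length does not fit the packet")
    return {
        "next_header": NEXT_HEADER.get(next_header, str(next_header)),
        "payload_len": payload_len,
        "ah_len": ah_len,
        "spi": spi,
        "seq": seq,
        "icv": data[AH_FIXED_LEN:ah_len],
        "payload": data[ah_len:],
    }


def verify_ah(data, key, highest_seq_seen):
    """Return "ok", "replay" or "bad ICV" for a received AH packet."""
    ah = parse_ah(data)
    if ah["seq"] <= highest_seq_seen:                 # simplified anti-replay check
        return "replay"
    if len(ah["icv"]) != ICV_LEN:
        return "bad ICV"
    expected = compute_icv(key, data[:AH_FIXED_LEN], ah["payload"])
    if not hmac.compare_digest(expected, ah["icv"]):  # constant-time comparison
        return "bad ICV"
    return "ok"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"                # constructed sample key
    packet = build_ah(6, 0x1000, 1, b"telnet payload", demo_key)
    print(parse_ah(packet))
    print(verify_ah(packet, demo_key, highest_seq_seen=0))
```

With a 96-bit ICV the header is 24 bytes long, so the Payload Length field carries the value 4.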
The Encapsulating Security Payload (ESP) protocol provides all the functions of Authentication
Header (Authentication, Data Integrity, and anti-replay protection). The difference here is that the
Encapsulating Security Payload (ESP) provides the most critical security function, data confidentiality. The
benefits of using Encapsulating Security Payload (ESP) are listed below.
Security Parameter Index (SPI): Security Parameter Index (SPI) field in the Encapsulating Security Payload
(ESP) header along with the destination address, and the IPsec protocol are used to uniquely identify the
SA that applies to this packet.
Sequence Number: The sequence number in the Encapsulating Security Payload (ESP) header provides
antireplay services to Encapsulating Security Payload (ESP).
Protected Data: The Protected Data field in the Encapsulating Security Payload (ESP) header is the actual data
being protected by Encapsulating Security Payload (ESP). The length of this field is variable and depends
on the size of the data. The protected data field also contains any initialization vector for the encryption
algorithm.
Padding: Block ciphers require that plaintext be padded to a multiple of the block size. If any padding is
needed, it follows immediately after the payload data in the padding field.
Next Header: The next header field indicates what type of data is in the payload data field.
Authentication Data: The authentication data field contains an integrity check value for the Encapsulating
Security Payload (ESP) packet.
This lesson explains Encapsulating Security Payload (ESP) and describes the fields of the Encapsulating
Security Payload (ESP) header and trailer.
Windows 2003 IPSec implementation is policy based. Administrators need to work in Group Policy to
configure IPSec in Windows 2003.
Windows 2003 IPSec implementation can use Kerberos v5, a digital certificate, or a shared secret
(string) for user authentication.
Windows 2003 IPSec implementation uses Data Encryption Standard (DES) or Triple DES (3DES) for
encryption.
Windows 2003 IPSec implementation uses the MD5 (Message Digest) or SHA1 (Secure Hash Algorithm)
algorithm for data hashing.
IPSec is transparent to users. IPSec operates at OSI Layer 3 and there is no need for users and
applications to directly interact with IPSec.
Windows 2003 IPSec implementation supports 2048 bit Diffie-Hellman key exchange, generating more
secure keys.
There are three default IPSec policies in Windows Server 2003. We can assign only one policy at a
time.
Client (Respond Only): Client (Respond Only) IPSec policy allows the computer to attempt unsecured
communications first and switch to secured communications if requested. This policy contains the
default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on
the requested protocol and port traffic for the communication the system is securing.
Server (Request Security): Server (Request Security) IPSec policy configured systems can request
secure IP communications whenever possible but will fall back to clear-text IP communication if non
IPSec-aware computers or systems not configured using a Client (Respond Only) policy request
communication.
Secure Server (Require Security): Systems configured with a Secure Server (Require Security) IPSec
policy require secure communications. The filters for this policy require all communication from the
given system to be secure, with the exception of the initial inbound communication request. Non
IPSec aware devices and the devices which are not configured with Client (Respond Only) IPSec policy
will not be able to communicate with a device configured with Server (Request Security) IPSec policy.
The default policies can be viewed in the Group Policy editor. If you are working on a Windows 2003
Domain Controller, select Start > Programs > Administrative Tools > Domain Controller Security
Policy.
You have learned the three default policies with Windows Server 2003 and their functions.
Telnet is a network protocol and is commonly used to refer to an application that uses that protocol.
The application is used to connect to remote computers. Telnet listens at TCP well known port 23.
Telnet is a terminal emulator software and is used to gain access to a command-line interface on a
remote machine.
Figure 10: Scenario - Configure Internet Protocol Security in a Windows 2003 network.
You want to allow Internet Protocol Security (IPSec) secured Telnet traffic to your Windows 2003
domain controller SERV03.omnisecu.com from SERV04.omnisecu.com, which is a Windows 2003
member server, and to block Telnet access from all other servers to the Windows 2003 domain controller
SERV03.omnisecu.com.
You cannot use the default IPSec policies, because there is no default Internet Protocol Security
(IPSec) policy to block Telnet traffic specifically.
Here we need to create a new Internet Protocol Security (IPSec) policy to permit secure Telnet access
to the domain controller SERV03.omnisecu.com only from SERV04.omnisecu.com, and block Telnet
traffic from all other servers.
In this lesson, you have learned an overview of Telnet. You have four Windows 2003 servers. One
is a Windows 2003 domain controller and the other three are member servers. You want to allow only
secure Telnet traffic to the Windows 2003 domain controller from the member server
SERV04.omnisecu.com.
Enter a meaningful name and description for the IPSec policy here and click "Next" in the IP Security Policy
Wizard to continue.
In "Requests for Secure Communications" screen of IP Security Policy Wizard, uncheck the "Activate
the default response rule" checkbox.
"Default Response rule" is an IPSec rule that is used to ensure that the computer responds to
requests for secure communication. If the active IPSec policy does not have a rule defined for a
computer that is requesting secure communication, the default response rule is applied for secure
IPSec communication.
You can now see the new "Secure Telnet" Internet Protocol Security (IPSec) policy you have just
created in the MMC snap-in.
You have learned how to create an Internet Protocol Security (IPSec) policy on a Windows 2003
domain controller. You will learn how to create an Internet Protocol Security (IPSec) policy rule in the
next lesson.
How to create IPSec Rule in Windows 2003 Server
In this lesson, you will learn how to create an Internet Protocol Security (IPSec) rule in a Windows 2003
Server.
An Internet Protocol Security (IPSec) rule consists of an IP filter list, a filter action, Authentication
methods, a Tunnel endpoint and a Connection type. Internet Protocol Security (IPSec) rules specify
when and how the computer should use IPSec. We can assign only one Internet Protocol Security
(IPSec) policy at a time, but an Internet Protocol Security (IPSec) policy can contain more than one
Internet Protocol Security (IPSec) rule.
Here we will create two rules, one rule will block all the Telnet Traffic from all the computers to the
domain controller SERV03.omnisecu.com, and other will allow secure traffic from member server
SERV04.omnisecu.com.
To create a new Internet Protocol Security (IPSec) rule, right click the new Internet Protocol Security
(IPSec) policy you have created and select "Properties" from the context menu.
The Properties box of the "Secure Telnet" Internet Protocol Security (IPSec) policy will open, as shown
below. Remember to uncheck the "Use Add Wizard" checkbox.
Click "Add" button to create a new Internet Protocol Security (IPSec) rule. Once again, Internet
Protocol Security (IPSec) rule consists of IP Filter List, Filter Action, Authentication methods, Tunnel
endpoint and Connection type.
1) IP Filter Lists
2) Filter Action
3) Authentication Methods
4) Tunnel Setting
5) Connection Type
In this lesson you have started learning how to create an Internet Protocol Security (IPSec) rule.
An Internet Protocol Security (IPSec) rule contains IP filter lists and filter actions. In the next lesson you will
learn how to create an IP filter list.
IP Filter list specifies what traffic the system should secure using IPSec. IP filter lists can be specified
based on IP addresses, protocols, and port numbers. An IP filter list is configured on the IP Filter List
tab in the Properties dialog box of an IPSec rule of an IPSec policy.
In Source address combo box, select "Any IP Address" and in Destination address combo box, select
"My IP Address". To automatically create two filters based on configured filter settings going to and
coming from the specific Destination address, select the Mirrored check box. Now click the "Protocol"
tab.
Select TCP as the protocol and "To this port" as 23. Remember, Telnet is listening at TCP port number
23. Click "OK" to create a new IP filter list.
Click "OK" to finish. The new filter list "Block All Telnet" will be listed in the IP filter lists tab.
You have created a new IPSec IP filter list (Block All Telnet) to filter Telnet traffic from all computers
to the domain controller SERV03.omnisecu.com. Now you have to specify a filter action for this filter
list. Click the filter action tab of the "New Rule properties" dialog box.
We have created an IPSec filter list "Block All Telnet" which filters all Telnet traffic originating from any IP
address to the domain controller SERV03.omnisecu.com. We need to associate a filter action "Block" with
this filter list. When any traffic that matches the "Block All Telnet" filter list arrives at the domain controller, it will
be blocked.
Select the new filter list "Block All Telnet" you created in the last lesson by selecting the radio button.
Now click the filter action tab to associate a filter action with this filter list.
To add IPSec block filter action, Uncheck the "Use Add Wizard" and Click "Add". Select "Block" radio
button inside "New Filter Action Properties".
Click the "General" tab, and enter a meaningful name and a description for the filter action.
Click "OK".
New filter action "Block Telnet" will be listed, select it by clicking the radio button. Click "Apply" and
"Close". You can see the new "Block All Telnet" rule listed in the Rules tab of the IPSec policies.
New IPSec rule is created. There are three more tabs in the rule properties dialog box.
1) Authentication Methods - Lists the IPSec authentication methods. Three possible authentication
methods are
Kerberos: Kerberos 5 is the default authentication method in a Windows Server 2003 domain. Users
running the Kerberos protocol within a trusted domain can authenticate using this method.
Certificates: Digital certificates can be used for authentication, if a trusted certificate authority is available.
Shared Key: A pre-shared key can be used for authentication when Kerberos is not available. A pre-shared
key is a string value which is configured on each computer and must be the same on both computers.
2) Tunnel Setting - Specifies whether this is in Tunnel mode or Transport mode. You need to specify the
end-point of the tunnel also. "This rule does not specify an IPSec tunnel" option is the Transport mode.
3) Connection Type - Determines for which types of connections the rule will be applied: LAN, Remote
Access, or All Network Connections.
You have created an IPSec rule to block all Telnet traffic to the domain controller. Now you need to create an
IPSec rule allowing SERV04.omnisecu.com secure Telnet access. Follow the steps we did before,
with a few changes.
Click the "Add" tab in the Secure Telnet IPSec policy to add a new rule.
Click "Add" button in the "New Rule Properties" dialog box, to add an IPSec IP filter list.
Type a meaningful name and description for the IPSec IP filter list.
Click "Add" button to add an IPSec IP filter.
Select "A specific IP Address" from the combo box of Source address and enter the IP address of
SERV04.omnisecu.com (192.168.1.12), to which we need to enable secure Telnet communication using
IPSec. Enter Destination address as "My IP address". Click the Protocol tab.
Click "OK".
Select the new filter list "Allow SERV04" and click filter action tab.
Select the "Require Security" filter action to enable secure IPSec communication between
SERV03.omnisecu.com and SERV04.omnisecu.com. Click "Apply" and "Close". Refer to the next lesson for how to
configure the IPSec encryption algorithm, hashing algorithm and other settings.
The two rules you have created are listed in the "Secure Telnet" policy properties.
At this point you may be wondering about these two conflicting rules. The "Block All Telnet" rule is defined to
block all Telnet traffic to the domain controller SERV03.omnisecu.com and "Allow SERV04" is defined to
allow secure Telnet traffic from SERV04.omnisecu.com. The IPSec rules are automatically ordered from the
most specific to the least specific. Here the "Allow SERV04" IPSec rule is the most specific, because we have
specified the IP address of SERV04.omnisecu.com (192.168.1.12).
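The effect of ordering rules from most specific to least specific can be seen in a small model. This is an added example, not part of the original course text and not Windows code: it represents the two rules as source-address filters, uses the prefix length of the source filter as an assumed measure of specificity, and treats traffic that matches no rule as permitted without IPSec. The address 192.168.1.13 is a constructed stand-in for "any other server".

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"   # models "Any IP Address" in the Source address combo box


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # source address filter in CIDR form
    protocol: str
    dst_port: int    # "To this port" on the Protocol tab
    action: str      # the filter action associated with the filter list

    def specificity(self):
        # Assumption of this model: a longer source prefix is more specific.
        return ipaddress.ip_network(self.source).prefixlen

    def matches(self, src_ip, protocol, dst_port):
        in_source = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
        return in_source and protocol == self.protocol and dst_port == self.dst_port


# The two rules of the "Secure Telnet" policy, in the order they were created.
RULES = [
    Rule("Block All Telnet", ANY, "TCP", 23, "Block"),
    Rule("Allow SERV04", "192.168.1.12/32", "TCP", 23, "Require Security"),
]


def first_match(rules, src_ip, protocol, dst_port):
    """Apply rules in the order given; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, protocol, dst_port):
            return rule.name, rule.action
    return None, "Permit"   # model assumption: unmatched traffic is not touched


def decide(rules, src_ip, protocol, dst_port):
    """Order rules from most specific to least specific, then match."""
    ordered = sorted(rules, key=Rule.specificity, reverse=True)
    return first_match(ordered, src_ip, protocol, dst_port)


if __name__ == "__main__":
    for src in ("192.168.1.12", "192.168.1.13"):
        print(src, "creation order ->", first_match(RULES, src, "TCP", 23))
        print(src, "by specificity ->", decide(RULES, src, "TCP", 23))
```

If the rules were applied in creation order, SERV04 would hit "Block All Telnet" first and never reach its own rule; ordering by specificity is what lets the two rules coexist.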
You have learned how to associate an IPSec IP filter list with a filter action. You have created two rules,
one rule will block all IP traffic and the other rule enables secure Telnet traffic between SERV03.omnisecu.com
and SERV04.omnisecu.com.
You will learn how to assign the IPSec policy you created in the last lesson to the domain controller.
To assign an IPSec policy, right click the policy and select "Assign" from the context menu. This action will
assign "Secure Telnet" IPSec policy you have created and make it active.
Once the policy is assigned, you can see a green dot at the policy icon and "Policy Assigned" status will be
"Yes".
Remember to assign the Client (Respond Only) IPSec policy on
SERV04.omnisecu.com, to allow it to communicate using IPSec.
Once the policy is active, Telnet traffic from all other servers will be blocked and only secure communication
using IPSec will be allowed between SERV03.omnisecu.com and SERV04.omnisecu.com. Remember to
update group policy using the gpupdate command.
In this lesson you have learned how to assign an Internet Protocol Security (IPSec) policy.
This lesson explains how to configure Internet Protocol Security (IPSec) Integrity and Encryption algorithms
in Windows 2003.
If you select "Negotiate Security", you can specify whether you require Authentication Header (AH), Encapsulating
Security Payload (ESP) or both. You can also specify the encryption algorithm (DES or 3DES) and the
integrity algorithm (MD5 or SHA1).
Select "Negotiate Security" in the "New Filter Action" dialog box and click "Add".
You can select either Authentication Header (AH), Encapsulating Security Payload (ESP) or both here.
"Integrity and encryption" will enable ESP with data integrity and confidentiality. "Integrity only" will
enable ESP with only data integrity. You can select "Custom" to customize your IPSec protocols and
algorithms. Select "Custom" radio button and click "Settings".
You can select the IPSec protocols Authentication Header (AH), Encapsulating Security Payload (ESP) or both
in this dialog box. If you select Authentication Header, you need to select an Integrity Algorithm also (MD5
or SHA1). If you select Encapsulating Security Payload, you need to select both an Integrity Algorithm (MD5 or
SHA1) and an encryption algorithm (DES or 3DES).
In the "Session key settings", you can specify an interval to generate a new session key. Reducing this
value will increase your security, but decrease the performance. The interval can be specified in data size
(Kilobytes) or seconds. The session key generation process will be started by whichever comes first.
In this lesson, you have learned how to configure Internet Protocol Security (IPSec) Integrity and
Encryption algorithms in Windows 2003.
Cryptography is the art and science of making data impossible to read. Cryptographic algorithms start
with plain, readable data (plaintext) and scramble it so it becomes an unreadable ciphertext. Each
encryption algorithm must also specify how the ciphertext can be decrypted back into the plaintext it
came from, so that the intended recipient can read it.
Encrypting the plaintext to ciphertext will give high security to your confidential data and only the
authorized person who is supposed to read this document, can read it.
Encryption Terms
Following are some important terms related with encryption. Before continuing, you should know
what these terms are.
Encryption Algorithm: An algorithm defines how data is transformed when the original plaintext data is
scrambled to ciphertext. Both the data sender and the recipient must know the algorithm used for
data transformation. The recipient should use the same algorithm to decrypt the ciphertext back into
the original plaintext data.
Encryption Key: A key is a secret value, which is used as an input to the algorithm along with the
plaintext data when plaintext is converted to ciphertext. The same secret key should be used to
decrypt the ciphertext back into plaintext data.
Data Encryption Standard XORed (DESX): DESX is a stronger variation of the DES encryption algorithm. In
DESX, the input plaintext is bitwise XORed with 64 bits of additional key material before encryption with
DES and the output is also bitwise XORed with another 64 bits of key material.
Triple DES (3DES): Triple DES was developed from DES, uses a 64-bit key consisting of 56 effective key bits
and 8 parity bits. In 3DES, DES encryption is applied three times to the plaintext. The plaintext is
encrypted with key A, decrypted with key B, and encrypted again with key C. 3DES is a block encryption
algorithm.
RC2 and RC5: Ronald Rivest (RSA Labs), developed these algorithms. They are block encryption algorithms
with variable block and key sizes. It is difficult to break if the attacker does not know the original sizes
when attempting to decrypt captured data.
RC4: A variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of
a random permutation and is commonly used for the encryption of traffic to and from secure Web sites
using the SSL protocol.
Advanced Encryption Standard (AES): Advanced Encryption Standard (AES) is a newer and stronger
encryption standard, which uses the Rijndael (pronounced Rhine-doll) algorithm. This algorithm was
developed by Joan Daemen and Vincent Rijmen of Belgium. AES will eventually displace DESX and 3DES.
AES can use 128-bit, 192-bit, and 256-bit keys.
International Data Encryption Algorithm (IDEA): IDEA encryption algorithm is the European counterpart to
the DES encryption algorithm. IDEA is a block cipher, designed by Dr. X. Lai and Professor J. Massey. It
operates on a 64-bit plaintext block and uses a 128-bit key. IDEA uses a total of eight rounds in which it
XORs, adds and multiplies four sub-blocks with each other, as well as six 16-bit sub-blocks of key material.
Blowfish: Blowfish is a symmetric block cipher, designed by Bruce Schneier. Blowfish has a 64-bit block
size and a variable key length from 32 up to 448 bits. Bruce Schneier later created Twofish, which
performs a similar function on 128-bit blocks.
CAST: CAST is an algorithm developed by Carlisle Adams and Stafford Tavares. It’s used in some products
offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it’s very fast and efficient.
Note:
Block Cipher: A block cipher divides data into chunks, pads the last chunk if necessary, and then encrypts
each chunk in its turn.
Streaming Cipher: A streaming cipher uses a series of random numbers seeded with a cipher key to encrypt
a stream of bits.
The private key is possessed only by the user or computer that generates the key pair. The public key
can be distributed to any person who wishes to send encrypted data to the private key holder. It is
impossible to compute the private key if you know the public key. Hence it is safe to publish the
public key.
If the public key is used for encryption, the associated private key is used for decryption.
If the private key is used for encryption, the associated public key is used for decryption.
First, the data sender obtains the recipient’s public key. The plaintext is encrypted with an asymmetric
encryption algorithm, using the recipient’s public key, and the ciphertext is created. After the
encryption process, the ciphertext is sent to the recipient through the unsecure network. The
recipient decrypts the ciphertext with his private key and now he can access the plaintext from the
sender.
Diffie-Hellman key agreement: The Diffie-Hellman key agreement algorithm was developed by Dr. Whitfield
Diffie and Dr. Martin Hellman in 1976. The Diffie-Hellman algorithm is not for encryption or decryption, but it
enables two parties who are involved in communication to generate a shared secret key for exchanging
information confidentially. The working of Diffie-Hellman key agreement can be explained as below.
1) P1 and P2 agree on two large integers a and b such that 1 < a < b.
2) P1 then chooses a random number i and computes I = a^i mod b. P1 sends I to P2.
3) P2 then chooses a random number j and computes J = a^j mod b. P2 sends J to P1.
6) We have k1 = k2 = a^(ij) mod b and thus k1 and k2 are the secret keys for secure transmission.
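The exchange can be carried through in code with the same symbols. This is an added example, not part of the original course text: each side raises the value it received to its own private number (k1 = J^i mod b for P1, k2 = I^j mod b for P2), which is what makes k1 and k2 equal. The modulus b = 2^127 - 1 and base a = 3 are toy parameters chosen for readability; the range check on received values and the SHA-256 step that turns the shared number into key bytes are additions of this example.

```python
import hashlib
import secrets

MODULUS_B = 2**127 - 1   # toy prime modulus (assumption); real groups are 2048 bits or more
BASE_A = 3               # toy base (assumption), with 1 < a < b


def private_value(b):
    """Pick a random private number in the range [2, b - 2]."""
    return secrets.randbelow(b - 3) + 2


def public_value(a, private, b):
    """I = a^i mod b (or J = a^j mod b): the value sent over the network."""
    return pow(a, private, b)


def check_public(value, b):
    """Reject degenerate values (0, 1, b - 1, or out of range) before using them."""
    if not 2 <= value <= b - 2:
        raise ValueError("rejected public value")


def shared_key(peer_public, private, b):
    """k = peer_public^private mod b, hashed into 32 bytes of key material."""
    check_public(peer_public, b)
    secret = pow(peer_public, private, b)
    width = (b.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def exchange(a, b, i=None, j=None):
    """Run both sides of the exchange; i and j can be fixed for testing."""
    i = private_value(b) if i is None else i      # P1's secret
    j = private_value(b) if j is None else j      # P2's secret
    I = public_value(a, i, b)                     # P1 -> P2
    J = public_value(a, j, b)                     # P2 -> P1
    k1 = shared_key(J, i, b)                      # P1: J^i mod b
    k2 = shared_key(I, j, b)                      # P2: I^j mod b
    return {"I": I, "J": J, "k1": k1, "k2": k2}


if __name__ == "__main__":
    result = exchange(BASE_A, MODULUS_B)
    print("sent in the clear:", result["I"], result["J"])
    print("keys match:", result["k1"] == result["k2"])
```

Only a, b, I and J cross the network; i, j and the derived key never do.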
Rivest Shamir Adleman (RSA): Ron Rivest, Adi Shamir, and Len Adleman released the Rivest-Shamir-
Adleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data.
The encryption and signing processes are performed through a series of modular multiplications.
Elliptic Curve Cryptography (ECC): Elliptic Curve Cryptography (ECC) provides similar functionality to RSA.
Elliptic Curve Cryptography (ECC) is being implemented in smaller devices like cell phones. It requires less
computing power compared with RSA. ECC encryption systems are based on the idea of using points on a
curve to define the public/private key pair.
El Gamal: El Gamal is an algorithm used for transmitting digital signatures and key exchanges. The method
is based on calculating logarithms. El Gamal algorithm is based on the characteristics of logarithmic
numbers and calculations. The Digital Signature Algorithm (DSA) is based on El Gamal algorithm.
Digital Signature Algorithm (DSA): The Digital Signature Algorithm (DSA) was developed by the United
States government for digital signatures. Digital Signature Algorithm can be used only for signing data and
it cannot be used for encryption. The DSA signing process is performed through a series of calculations
based on a selected prime number. Although intended to have a maximum key size of 1,024 bits, longer
key sizes are now supported.
When DSA is used, the process of creating the digital signature is faster than validating it.
When RSA is used, the process of validating the digital signature is faster than creating it.
Public Key cryptography is based on asymmetric encryption. Asymmetric encryption makes use of a
mathematically linked pair of keys, one known as the public key and the other known as the private key.
The plaintext encrypted using one of the keys can only be decrypted using the other key, and it is
impossible to compute the private key even if the public key is published. A user has his own pair of keys, keeping the
private key absolutely private and the public key as public as possible.
The following text explains the concept more clearly. If Alice has in hand her own public key (PubA), her
own private key (PrivA), and Bob's public key (PubB), she can do the following:
• Calculate the hash sum of the plaintext and encrypt it with her own private key (PrivA)
• Combine the ciphertext and the encrypted hash sum in a message and send it to Bob.
Upon receiving this message, Bob, who should have in his possession his own public key (PubB), his own
private key (PrivB), and Alice's public key (PubA), can do the following:
Bob can now decrypt the ciphertext to plaintext and, if the hash sums are the same, he can be sure that
it hasn't been altered in the network.
The data structure used to transport and validate keys is called a digital certificate. A certificate protects
the key by guaranteeing the identity of the issuer, the identity of the owner, and the purposes for which
the key can be used. A certificate cannot be forged because the issuing authority digitally signs it. The
signature is applied to a hash of the certificate. This enables clients to validate the issuer's identity and
find any alteration. The client decrypts the hash using the issuer's public key and then compares the result
to a separate hash it performs on the certificate. If the results match, the certificate is valid.
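The Alice and Bob exchange and the certificate check both rest on the same operation: hash the data, apply the signer's private key to the hash, and let the receiver undo that with the signer's public key and compare. The following is an added example, not part of the original course text. It uses textbook RSA without padding and fixed key pairs built from known Mersenne primes, which is an assumption made so the arithmetic stays visible; real systems use padded signature schemes and randomly generated keys.

```python
import hashlib

E = 65537   # common RSA public exponent


def make_keypair(p, q):
    """Return (public, private) keys as (n, exponent) pairs."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)


def rsa_apply(key, value):
    """Textbook RSA: value^exponent mod n, for either key of a pair."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit the modulus")
    return pow(value, exponent, n)


def hash_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Encrypt the hash of the data with the signer's private key."""
    return rsa_apply(private_key, hash_int(data))


def verify(data, signature, public_key):
    """Decrypt the signed hash with the public key and compare with a fresh hash."""
    return rsa_apply(public_key, signature) == hash_int(data)


def alice_send(plaintext, priv_a, pub_b):
    """Ciphertext under Bob's public key plus the hash signed with Alice's private key."""
    ciphertext = rsa_apply(pub_b, int.from_bytes(plaintext, "big"))
    return ciphertext, sign(plaintext, priv_a)


def bob_receive(message, priv_b, pub_a):
    """Decrypt with Bob's private key, then check the hash with Alice's public key."""
    ciphertext, encrypted_hash = message
    number = rsa_apply(priv_b, ciphertext)
    plaintext = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return plaintext, verify(plaintext, encrypted_hash, pub_a)


# Constructed demo keys (PubA/PrivA and PubB/PrivB) from known Mersenne primes.
PUB_A, PRIV_A = make_keypair(2**127 - 1, 2**521 - 1)
PUB_B, PRIV_B = make_keypair(2**107 - 1, 2**607 - 1)

if __name__ == "__main__":
    message = alice_send(b"transfer approved", PRIV_A, PUB_B)
    print(bob_receive(message, PRIV_B, PUB_A))
    ciphertext, encrypted_hash = message
    print(bob_receive((ciphertext + 1, encrypted_hash), PRIV_B, PUB_A)[1])
```

A certificate check is the `verify` call with the certificate bytes as the data and the issuing CA's public key as the key.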
Issued By: The Certification Authority (CA) that issued the digital certificate.
Issued To: The recipient that obtained the digital certificate. If the recipient is a user, the name can be the
user's logon ID, User Principal Name (UPN), or Distinguished Name (DN).
Intended Uses (OID): A certificate has one or more uses. This shows the intended uses of the certificate.
Version: The certificate version. Windows Certification Authority (CA) servers issue X.509 Version 3
certificates.
Serial Number: This is a sequential number assigned by the CA to the certificate. The number is unique
and acts as a validity check.
Signature Algorithm: The hashing algorithm used to do the digital signature for the certificate. This is
typically either SHA-1 or MD5.
Valid To: This important field defines the expiry date of the certificate.
CA Version: This field contains the version number (number of times the authorization certificate for a
particular Certification Authority (CA) has been renewed).
Subject Key Identifier: This field contains an SHA-1 hash of the Public Key field used to uniquely identify
the contents. This prevents alteration of the public key.
Certificate Template: This field is a Microsoft extension that contains name of the template used by the
CA to generate this certificate.
Key Usage: This field contains the OIDs of the purposes for the certificate.
Authority Key Identifier: Contains an SHA-1 hash of the public key of the issuing CA along with the
distinguished name of the CA.
CRL Distribution Points (CDPs): CRL (Certificate Revocation List) information listed by LDAP path, URL, and
file share name.
Authority Information Access: Information for a client to find the certificate of the issuing CA.
The following are the major functions of Public Key Infrastructure (PKI).
Confidentiality: The privacy of user transactions is protected by encrypting data streams and messages.
The confidentiality function may be intended to prevent the unauthorized disclosure of information
locally or across a network. By using Public Key Infrastructure (PKI), users are able to ensure that only an
intended recipient can “unlock” (decrypt) an encrypted message.
Authentication: Authentication is the process of verifying that the user is who they say they are. PKI
provides a means for senders and recipients to validate each other's identities.
Integrity: Guaranteeing message integrity is another important function of Public Key Infrastructure (PKI).
Public Key Infrastructure (PKI) has built-in ways to validate that all the outputs are equivalent to the
inputs. Any alteration of the data can be immediately detected and prevented.
Non-Repudiation: Public Key Infrastructure (PKI) ensures that an author cannot refute that they signed or
encrypted a particular message once it has been sent, assuming the private key is secured. Here Digital
signatures link senders to their messages. Only the sender of the message could sign messages with their
private key and therefore, all messages signed with the sender's private key originated with that specific
individual.
The Certificate Authority (CA) verifies that the owner of the certificate is who he says he is. A
Certificate Authority (CA) can be a trusted third party which is responsible for physically verifying the
legitimacy of the identity of an individual or organization before issuing a digital certificate.
A Certificate Authority (CA) can be an external (public) Certificate Authority (CA) like VeriSign, Thawte
or Comodo, or an internal (private) Certificate Authority (CA) configured inside our network.
Certificate Authority (CA) is a critical security service in a network. A Certificate Authority (CA)
performs the following functions.
Certificate Authority (CA) verifies the identity: The Certificate Authority (CA) must validate the
identity of the entity who requested a digital certificate before issuing it.
Certificate Authority (CA) issues digital certificates: Once the validation process is over, the Certificate
Authority (CA) issues the digital certificate to the entity who requested it. Digital certificates can be
used for encryption (Example: Encrypting web traffic), code signing, authentication etc.
Certificate Authority (CA) maintains Certificate Revocation List (CRL): The Certificate Authority (CA)
maintains the Certificate Revocation List (CRL). A certificate revocation list (CRL) is a list of digital
certificates which are no longer valid and have been revoked and therefore should not be relied upon by
anyone.
Comparison between Internal and External Certificate Authorities (CAs), Internal CA Vs External CA
• In a Microsoft Windows environment, internal Certificate Authority (CA) can be integrated in Active
Directory. This further simplifies the management of the CA structure.
• There is no cost per certificate when you are using an internal Certificate Authority (CA).
• Internal Certificate Authorities (CAs) are cheaper to configure, and expand the Public Key Infrastructure
(PKI).
• The auto-enrollment feature of Windows Server 2003 further simplifies the certificate issuing process.
• The security and accountability of Public Key Infrastructure (PKI) is completely on the organization's
shoulder.
• External parties normally will not trust a digital certificate signed by an internal Certification Authority
(CA).
• The certificate management overhead of internal Certification Authority (CA) is higher than that of
external Certification Authority (CA).
• External parties normally trust a digital certificate signed by a trusted external CA, such as VeriSign,
Thawte, Comodo, SecureNet etc.
• The certificate management overhead of external Certification Authority (CA) is lower than that of
internal Certification Authority (CA).
• Your organization needs to pay per certificate when you are using the services of an external Certification
Authority (CA).
Root CA: A Root CA is the topmost Certificate Authority (CA) in a Certificate Authority (CA) hierarchy. Each
Certificate Authority (CA) hierarchy begins with the Root CA, and multiple CAs branch from this Root CA in
a parent-child relationship. All child CAs must be certified by the corresponding parent CA back to the
Root CA. The Root CA is kept in a secure area and it is usually a stand-alone offline CA (to make it the most
secure Certificate Authority (CA)). The root CA provides certificates for intermediate CAs. The certificates
can be revoked if they are compromised.
Issuing CAs: Issuing CAs are used to provide certificates to users, computers, and other services. There can
be multiple issuing CAs, and one issuing CA can be used for generating computer certificates and another
can be used for generating user certificates.
The Enterprise Root CA is usually responsible for issuing certificates to subordinate CAs, which then
issue the certificates to users and computers on the network. However, the Enterprise Root CA can
also issue certificates to users and computers, if required. Following are the features of Enterprise
CAs.
• If you require smart cards for your employees, you should use Enterprise CAs.
• Auto enrollment feature is not available. All requests for certificates are pending until an
administrator approves them.
The Microsoft Windows 2003 Certificate Server engine is certsrv.exe. The engine communicates with three
important modules. They are 1) Entry Module 2) Policy Module and 3)
Exit Module.
Entry Module: The entry module accepts PKCS10 and CMC formatted certificate requests. The Entry
Module places the certificate requests in a queue for the policy module.
Policy Module: A policy module is a set of instructions that tells the CA what to do with incoming
certificate requests. A policy module can automatically approve a request, reject a request, or mark a
request as pending for an administrator to manually approve it based on any criteria coded into the
module.
Exit Module: An exit module allows the CA to take some action after a certificate is generated. For
example, an exit module might publish new certificates in the Active Directory or export them to the file
system.
The exit and policy modules are both customizable and replaceable. If the policy module or the exit
module does not match the needs of an organization, the organization can develop its own modules in
C++ or Visual Basic (VB) and plug them into the CA architecture.
The Certificate Server has a database which is used to store certificate transactions and status
information, certificates, and optionally archived private keys. The database (<CAName>.edb) is by default
located in the system32\certlog folder. The Certificate Server engine communicates with its database
through the certdb.dll.
The GUI administrative tool used for managing the certificate server is the "Certification Authority" MMC
snap-in. It can be located inside Administrative Tools. Windows 2003 also has a command line tool to manage
the certificate server and this tool is certutil.exe.
Intermediaries, or Registration Authorities (RAs), are applications that help the client generate
correctly formatted PKCS10 or CMC certificate request files. Examples of Windows Server 2003
intermediaries are the Web enrollment pages (which work using HTTP) and the MMC Certificates snap-in
(which works using RPC).
The root Certificate Authority (CA) is the most important Certificate Authority (CA) and it is the first
Certificate Authority (CA) in a Public Key Infrastructure (PKI).
Only one Certificate Authority (CA) can authorize itself, and it is the Root Certificate Authority (CA). The
importance of the Root Certificate Authority (CA) is that only the Root Certificate Authority (CA) can issue
a certificate to itself.
The subordinate Certificate Authorities (CAs) should be authorized by the Root Certificate Authority (CA).
The Root Certificate Authority (CA) can issue certificates to Subordinate Certificate Authorities (CAs) and
Subordinate Certificate Authorities (CAs) are then used to issue certificates to users, computers etc.
In a secure Certificate Authority (CA) hierarchy, the Root Certificate Authority (CA) should be an offline
(out of the network) stand-alone Root Certificate Authority (CA). The possibility of compromising the
Public Key Infrastructure (PKI) by hacking the private key of the Root Certificate Authority (CA) can be
avoided to a great extent when the Root Certificate Authority (CA) is kept offline (out of the network). The
offline root can be used only to issue CA certificates to its subordinate CAs.
We need to install the Root Certificate Authority (CA) as Standalone Certificate Authority (CA), because we
need to make sure the Root Certificate Authority (CA) is offline and secured. The Root Certificate
Authority (CA) cannot have network connections and cannot be linked to any domain. If the Root
Certificate Authority (CA) is a member server in a domain, it may lose its trust relationship with the
domain. The offline Root Certificate Authority (CA) also cannot be a domain controller, because domain
controllers cannot be taken off the network indefinitely.
• The stand-alone offline Root Certificate Authority (CA) should not be a member of any domain or a
domain controller.
• The computer name for the stand-alone offline Root Certificate Authority (CA) must be unique for the
entire forest.
• A certificate revocation list (CRL) must be published. The CRL distribution point (CDP) must be accessible
to users on the network and it should be included in the certificate.
• The Authority Information Access (AIA) distribution point needs to be configured for other CAs to verify
the Certificate Authority (CA) chain.
• IIS (Internet Information Services) should be configured on the Certificate Authority (CA) server.
Internet Information Service (IIS) is not required for the installation of a stand-alone offline Root CA
because the only certificate requests submitted to the Root CA are for subordinate CA certificates.
This is normally submitted by using the Certification Authority MMC console.
Before installing the Stand-alone offline Root CA, make sure that the server date and time are
correct. The name of the server cannot be changed once you configure the Certificate Authority (CA)
on this server.
Open "Add or Remove Programs" applet from the Control Panel (Start > Control Panel > Add.
A dialog box will be displayed stating that once you have installed the certificate services in this
server, you cannot change the name of the server. Click "Yes" to accept it and continue or "No" to
exit from the wizard.
Select the Certificate Authority Type from the CA type screen. In this case, select "Stand-alone root
CA". Check the "Use custom settings to generate the key pair and CA certificate" check box. Checking
the above check box is only required if you want to change the default settings.
In the "Public and Private Key Pair" screen, you can select the CSP (Cryptographic Service Provider),
Hash Algorithm, and the other settings like Key length. For a Root CA, you must select a high key
length value. Some CSPs might not be supported for generating certificates from some templates.
The Microsoft Strong Cryptographic Provider CSP is the default choice. Other CSPs can be used if you
have the software installed or you have the related hardware.
You can also select the Hash Algorithm here and it allows you to select the required Hash Algorithm
for signatures. MD4 is the weakest and SHA1 is the strongest Hash Algorithm from the available
choices.
The "Use An Existing Key" check box allows you to use an existing key pair, if it was generated with
algorithms compatible with the selected CSP and the Import button lets you import certificates from
a file.
In the "CA Identifying Information" screen, enter the common name of the CA.
It will take a few seconds to generate the keys and a progress bar will be displayed.
In the "Certificate Database Settings" screen, select where the CA's certificate database and log files
will be stored. The CA's own certificates are stored in this location, and it should be backed up regularly.
The wizard now needs to copy some setup files, so insert your Windows 2003 Operating System
installation CD in the CD drive. After inserting the CD, click the "Browse" button in the "Copy Error"
dialog box and point it to the "i386" folder on the Windows 2003 Operating System installation CD.
Click the "Open" button in the "Locate File" dialog box and then click the "Retry" button in the "Copy Error"
dialog box.
"Configuring Components" screen with a progress bar will be displayed. If Internet Information
Services (IIS) is not installed on your computer, a dialog box will be displayed stating that.
"Completing Windows Components Wizard" will be displayed. Click "Finish" to complete the
installation. Once the installation is over, you can open the "Certification Authority" Console from
Administrative tools.
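The key length and hash algorithm chosen in the "Public and Private Key Pair" screen can be checked on the resulting certificate once it is exported to a file. The PowerShell function below is an added example, not part of the original walkthrough; it reports both values and, for a certificate that is not self-issued (a subordinate CA), whether the CDP and AIA extensions are present. The function name, the 2048-bit threshold, the file name in the usage line and the treatment of SHA1 as weak (current practice, although it is the strongest choice offered by this wizard) are assumptions of the example.

```powershell
# Added example (not from the original page). Function name and thresholds are assumptions.
function Test-CaCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$MinKeyBits = 2048            # assumed policy threshold for an RSA CA key
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $findings = @()

    # Signature hash chosen when the certificate was generated (for example sha1RSA, sha256RSA).
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match '^(md2|md4|md5|sha1)') { $findings += "weak signature hash: $sigAlg" }

    # Key length. PublicKey.Key covers RSA/DSA keys (assumption: the CA key is RSA).
    $keyBits = $cert.PublicKey.Key.KeySize
    if ($keyBits -lt $MinKeyBits) { $findings += "key length $keyBits is below $MinKeyBits bits" }

    # A CA certificate must carry basicConstraints with CA = true.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        $findings += 'basicConstraints does not mark this as a CA'
    }

    # A root is self-issued; any other CA certificate should say where the issuer's
    # CRL (CDP, OID 2.5.29.31) and certificate (AIA, OID 1.3.6.1.5.5.7.1.1) can be fetched.
    $isRoot = ($cert.Subject -eq $cert.Issuer)
    $oids = @($cert.Extensions | ForEach-Object { $_.Oid.Value })
    if (-not $isRoot) {
        if ($oids -notcontains '2.5.29.31')         { $findings += 'no CRL distribution point (CDP)' }
        if ($oids -notcontains '1.3.6.1.5.5.7.1.1') { $findings += 'no Authority Information Access (AIA)' }
    }

    New-Object PSObject -Property @{
        Subject = $cert.Subject; Issuer = $cert.Issuer; IsRoot = $isRoot
        SignatureAlgorithm = $sigAlg; KeyBits = $keyBits
        NotAfter = $cert.NotAfter; Findings = $findings
    }
}

# Usage (RootCA.cer is a placeholder file name):
# Test-CaCertificate -Path .\RootCA.cer | Format-List
```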
How to install Enterprise Subordinate (intermediate) Certificate Authority (CA)
Enterprise Certificate Authorities require Active Directory. Make sure the server you are planning to
make an Enterprise Subordinate Certificate Authority is a member of an Active Directory Domain.
In the "CA Type" Screen, select "Enterprise Subordinate CA" radio button. Click "Next".
In "CA Identifying Information" screen, enter Common Name and Distinguished Name suffix (DN field
will be filled automatically). Click "Next"
In "Certificate Database Settings" screen, keep default paths and click "Next".
In the "CA Certificate Request" screen, specify the path where the certificate request will be saved. To get
a Certificate Authority certificate from the Root Certificate Authority, we need this request file. Click
"Next".
The installation of the Enterprise subordinate Certificate Authority is not complete. To complete the
installation, we need to get the CA certificate from the Root CA. Copy the request file in a floppy drive
or a pendrive to the Root CA and submit the request to the Root CA.
Open the "Certification Authority" Console in Root CA. (Start > Programs > Administrative Tools >
Certification Authority).
Right click Server icon and select "All Tasks > Submit New Request" from the context menu.
Select the copied request file created from Enterprise subordinate CA.
Go to "Pending Requests", right click the "Pending Requests" now created, select "Issue" from the
context menu.
Click "Copy to File". Certificate export wizard will launch. Click "Next".
Select the format of the certificate.
Click "Finish" to complete it. A dialog box will be displayed showing the export was successful.
Once the Certificate for the Enterprise Subordinate CA is issued from the Root CA, copy that file to
a floppy disk or any removable drive and bring the certificate to the Enterprise Subordinate CA. In
this case, the name of the CA certificate is Cert_SubCA.cer.
How to import Root CA Certificate inside Trusted Root Certification Authorities Store
To import our Standalone offline Root CA certificate to the Enterprise Subordinate CA's Trusted Root
Certification Authorities store, follow these steps.
Copy the Root CA certificate from the Standalone Root CA we have created before.
Open the "Certification Authority" MMC console from Administrative Tools. (Start > Programs >
Administrative Tools > Certification Authority). Select Properties from Context menu.
Click the "Details" tab and click "Copy to file" to export the Root CA certificate to a file. After exporting the
Root CA certificate, bring it to the Enterprise subordinate CA. Open the certificates MMC console (Start >
Run > mmc). Open menu path File > Add/Remove Snap-in.
In "Add/Remove Snap-in" dialog box, click Add.
Select "Local computer", and click Finish to open Certificates MMC console Snap-in.
Right click Certificates folder inside "Trusted Root Certification Authorities", and select "All Tasks >
Import" from the context menu.
This action will start the "Certificate Import Wizard". Click "Next" in the Welcome screen.
Select the physical location of the Root CA certificate to import. Locate the file in Open dialog box and
click "Open".
In "Certificate Store" screen, select the default selection and click "Next".
In "Completing the Certificate Import Wizard" screen, click "Finish" to finish the import.
You have imported the Root CA certificate inside "Trusted Root Certification Authorities" store.
After importing the Root CA certificate in "Trusted Root Certification Authorities", open the "Certification
Authority" Console (Start > Programs > Administrative Tools > Certification Authority). The red square
on the server icon denotes that the Certificate Services are not running on this server.
Right click the server and select "All Tasks > Start Service" from the context menu.
Click "Yes" on the dialog box, which reports that the CA certificate is missing and asks whether you want
to install a new certificate.
In the "Select file to complete CA installation" dialog box, specify the physical path where the certificate
for the Enterprise Subordinate CA is kept (the certificate file which is generated from the Root CA for the
enterprise subordinate CA).
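The request, issue and install steps above can also be carried out from the command line with certreq.exe and certutil.exe. The sequence below is an added example, not part of the original walkthrough; the E:\ removable drive, the SubCA.req and RootCA.cer file names, the CA configuration string and the request ID are placeholders, while Cert_SubCA.cer is the file name used above.

```powershell
# Added example (not from the original page): command-line equivalent of the GUI steps.
# Placeholders (assumptions): E:\ removable drive, SubCA.req, RootCA.cer,
# the CA configuration string and the request ID.

# ----- On the stand-alone offline Root CA -----
$rootConfig = 'ROOTCA01\Example Root CA'   # ComputerName\CA common name (placeholder)

# Submit the subordinate CA's request file. A stand-alone CA holds the request
# as pending and prints its RequestId.
certreq -submit -config $rootConfig E:\SubCA.req

$requestId = 2                             # placeholder: the RequestId printed above

# Equivalent of "Issue" on the entry under "Pending Requests".
certutil -config $rootConfig -resubmit $requestId

# Write the issued subordinate CA certificate to the removable drive.
certreq -retrieve -config $rootConfig $requestId E:\Cert_SubCA.cer

# Export the Root CA's own certificate. The verb is quoted because PowerShell
# would otherwise split "-ca.cert" at the dot before passing it to certutil.
certutil -config $rootConfig '-ca.cert' E:\RootCA.cer

# ----- On the Enterprise Subordinate CA -----
# Import the root certificate into the Trusted Root Certification Authorities store.
certutil -addstore Root E:\RootCA.cer

# Complete the CA installation with the certificate issued by the root.
certutil -installcert E:\Cert_SubCA.cer

# Start Certificate Services, then confirm the chain builds to the imported root.
net start certsvc
certutil -verify E:\Cert_SubCA.cer
```

certutil -verify also checks revocation, so it reports an error if the CRL distribution point named in the certificate cannot be reached from the subordinate CA.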