ii INFORMATION RESOURCE GUIDE Computer, Internet and Network Systems Security An Introduction to Security iiii Security Manual Compiled By: S.K.PARMAR, Cst N.Cowichan Duncan RCMP Det 6060 Canada Ave., Duncan, BC 250-748-5522 sunny@seaside.net This publication is for informational purposes only. In no way should this publication by interpreted as offering legal or accounting advice. If legal or other professional advice is needed it is encouraged that you seek it from the appropriate source. All product & company names mentioned in this manual are the [registered] trademarks of their respective owners. The mention of a product or company does not in itself constitute an endorsement. The articles, documents, publications, presentations, and white papers referenced and used to compile this manual are copyright protected by the original authors. Please give credit where it is due and obtain permission to use these. All material contained has been used with permission from the original author(s) or representing agent/organization. iiiiii Table of Content 1.0 INTRODUCTION 2 1.1 BASIC INTERNET TECHNICAL DETAILS 2 1.1.1 TCP/IP : Transmission Control Protocol/Internet Protocol 2 1.1.2 UDP:User Datagram Protocol 2 1.1.3 Internet Addressing 3 1.1.4 Types of Connections and Connectors 3 1.1.5 Routing 6 1.2 Internet Applications and Protocols 6 1.2.1 ARCHIE 6 1.2.2 DNS — Domain Name System 7 1.2.3 E-mail — Electronic Mail 7 1.2.4 SMTP — Simple Mail Transport Protocol 7 1.2.5 PEM — Privacy Enhanced Mail 8 1.2.6 Entrust and Entrust-Lite 8 1.2.7 PGP — Pretty Good Privacy 8 1.2.8 RIPEM — Riordan's Internet Privacy-Enhanced Mail 9 1.2.9 MIME — Multipurpose Internet Mail Extensions 9 1.3 File Systems 9 1.3.1 AFS — Andrew File system 9 1.3.2 NFS — Network File System 9 1.3.3 FTP — File Transfer Protocol 10 1.3.4 GOPHER 10 1.3.5 ICMP — Internet Control Message Protocol 10 1.3.6 LPD — Line Printer Daemon 11 1.3.7 NNTP — Network News Transfer Protocol 11 1.3.8 News Readers 11 1.3.9 NIS — Network Information Services 11 1.3.10 RPC — Remote Procedure Call 12 1.3.11 R-utils (rlogin, rcp, rsh) 12 1.3.12 SNMP — Simple Network Management Protocol 12 1.3.13 TELNET 12 1.3.14 TFTP ? Trivial File Transfer Protocol 12 1.3.15 Motif 13 1.3.16 Openwindows 13 1.3.17 Winsock 13 1.3.18 Windows — X11 13 1.3.19 WAIS — Wide Area Information Servers 13 1.3.20 WWW — World Wide Web 13 1.3.21 HTTP — HyperText Transfer Protocol 13 2.0 SECURITY 16 2.1 SECURITY POLICY 16 2.1.0 What is a Security Policy and Why Have One? 16 2.1.1 Definition of a Security Policy 17 2.1.2 Purposes of a Security Policy 17 2.1.3 Who Should be Involved When Forming Policy? 17 2.1.4 What Makes a Good Security Policy? 18 2.1.5 Keeping the Policy Flexible 19 2.2 THREATS 19 2.2.0 Unauthorized LAN Access 21 2.2.1 Inappropriate Access to LAN Resources 21 2.2.2 Spoofing of LAN Traffic 23 2.2.3 Disruption of LAN Functions 24 iviv 2.2.4 Common Threats 24 2.2.4.0 Errors and Omissions 24 2.2.4.1 Fraud and Theft 25 2.2.4.2 Disgruntled Employees 25 2.2.4.3 Physical and Infrastructure 25 2.2.4.4 Malicious Hackers 26 2.2.4.5 Industrial Espionage 26 2.2.4.6 Malicious Code 27 2.2.4.7 Malicious Software: Terms 27 2.2.4.8 Foreign Government Espionage 27 2.3 SECURITY SERVICES AND MECHANISMS INTRODUCTION 27 2.3.0 Identification and Authentication 28 2.3.1 Access Control 30 2.3.2 Data and Message Confidentiality 31 2.3.3 Data and Message Integrity 33 2.3.4 Non-repudiation 34 2.3.5 Logging and Monitoring 34 2.4 ARCHITECTURE OBJECTIVES 35 2.4.0 Separation of Services 35 2.4.0.1 Deny all/ Allow all 35 2.4.1 Protecting Services 36 2.4.1.0 Name Servers (DNS and NIS(+)) 36 2.4.1.1 Password/Key Servers (NIS(+) and KDC) 36 2.4.1.2 Authentication/Proxy Servers (SOCKS, FWTK) 36 2.4.1.3 Electronic Mail 37 2.4.1.4 World Wide Web (WWW) 37 2.4.1.5 File Transfer (FTP, TFTP) 37 2.4.1.6 NFS 38 2.4.2 Protecting the Protection 38 2.5 AUDITING 38 2.5.1 What to Collect 38 2.5.2 Collection Process 38 2.5.3 Collection Load 39 2.5.4 Handling and Preserving Audit Data 39 2.5.5 Legal Considerations 40 2.5.6 Securing Backups 40 2.6 INCIDENTS 40 2.6.0 Preparing and Planning for Incident Handling 40 2.6.1 Notification and Points of Contact 42 2.6.2 Law Enforcement and Investigative Agencies 42 2.6.3 Internal Communications 44 2.6.4 Public Relations - Press Releases 44 2.6.5 Identifying an Incident 45 2.6.5.1 Is it real? 45 2.6.6 Types and Scope of Incidents 46 2.6.7 Assessing the Damage and Extent 47 2.6.8 Handling an Incident 47 2.6.9 Protecting Evidence and Activity Logs 47 2.6.10 Containment 48 2.6.11 Eradication 49 2.6.12 Recovery 49 2.6.13 Follow-Up 49 2.6.14 Aftermath of an Incident 50 2.7 INTRUSION MANAGEMENT SUMMARY 50 2.7.0 Avoidance 51 2.7.1 Assurance 51 2.7.2 Detection 52 vv 2.7.3 Investigation 52 2.8 MODEMS 52 2.8.0 Modem Lines Must Be Managed 52 2.8.1 Dial-in Users Must Be Authenticated 53 2.8.2 Call-back Capability 53 2.8.3 All Logins Should Be Logged 54 2.8.4 Choose Your Opening Banner Carefully 54 2.8.5 Dial-out Authentication 54 2.8.6 Make Your Modem Programming as "Bullet-proof" as Possible 54 2.9 DIAL UP SECURITY ISSUES 55 2.9.0 Classes of Security Access Packaged for MODEM Access 55 2.9.1 Tactical and Strategic Issues in Selecting a MODEM Connection Solution 56 2.9.2 Background on User Access Methods and Security 57 2.9.3 Session Tracking and User Accounting Issues 60 2.9.4 Description of Proposed Solution to Dial-Up Problem 61 2.9.5 Dissimilar Connection Protocols Support 63 2.9.6 Encryption/Decryption Facilities 63 2.9.7 Asynchronous Protocol Facilities 63 2.9.8 Report Item Prioritization 64 2.9.9 User Profile “Learning” Facility 64 2.10 NETWORK SECURITY 64 2.10.0 NIST Check List 65 2.10.0.0 Basic levels of network access: 65 2.10.1 Auditing the Process 65 2.10.2 Evaluating your security policy 66 2.11 PC SECURITY 66 2.12 ACCESS 67 2.12.0 Physical Access 67 2.12.1 Walk-up Network Connections 68 2.13 RCMP GUIDE TO MINIMIZING COMPUTER THEFT 68 2.13.0 Introduction 68 2.13.1 Areas of Vulnerability and Safeguards 69 2.13.1.0 PERIMETER SECURITY 69 2.13.1.1 SECURITY INSIDE THE FACILITY 69 2.13.2 Physical Security Devices 70 2.13.2.0 Examples of Safeguards 70 2.13.3 Strategies to Minimize Computer Theft 73 2.13.3.0 APPOINTMENT OF SECURITY PERSONNEL 73 2.13.3.1 MASTER KEY SYSTEM 73 2.13.3.2 TARGET HARDENING 74 2.13.4 PERSONNEL RECOGNITION SYSTEM 74 2.13.4.0 Minimizing Vulnerabilities Through Personnel Recognition 74 2.13.5 SECURITY AWARENESS PROGRAM 75 2.13.5.0 Policy Requirements 75 2.13.5.1 Security Awareness Safeguards 76 2.13.6 Conclusion 76 2.14 PHYSICAL AND ENVIRONMENTAL SECURITY 76 2.14.0 Physical Access Controls 78 2.14.1 Fire Safety Factors 79 2.14.2 Failure of Supporting Utilities 80 2.14.3 Structural Collapse 81 2.14.4 Plumbing Leaks 81 2.14.5 Interception of Data 81 2.14.6 Mobile and Portable Systems 82 2.14.7 Approach to Implementation 82 2.14.8 Interdependencies 83 vivi 2.14.9 Cost Considerations 84 2.15 CLASS C2: CONTROLLED ACCESS PROTECTION –AN INTRODUCTION 84 2.15.0 C2 Criteria Simplified 84 2.15.1 The Red Book 85 2.15.2 Summary 87 3.0 IDENTIFICATION AND AUTHENTICATION 92 3.1 INTRODUCTION 92 3.1.0 I&A Based on Something the User Knows 93 3.1.0.1 Passwords 93 3.1.0.2 Cryptographic Keys 94 3.1.1 I&A Based on Something the User Possesses 94 3.1.1.0 Memory Tokens 94 3.1.1.1 Smart Tokens 95 3.1.2 I&A Based on Something the User Is 97 3.1.3 Implementing I&A Systems 98 3.1.3.0 Administration 98 3.1.3.1 Maintaining Authentication 98 3.1.3.2 Single Log-in 99 3.1.3.3 Interdependencies 99 3.1.3.4 Cost Considerations 99 3.1.4 Authentication 100 3.1.4.0 One-Time passwords 102 3.1.4.1 Kerberos 102 3.1.4.2 Choosing and Protecting Secret Tokens and PINs 102 3.1.4.3 Password Assurance 103 3.1.4.4 Confidentiality 104 3.1.4.5 Integrity 105 3.1.4.6 Authorization 105 4.0 RISK ANALYSIS 108 4.1 THE 7 PROCESSES 108 4.1.0 Process 1 - Define the Scope and Boundary, and Methodology 108 4.1.0.1 Process 2 - Identify and Value Assets 108 4.1.0.2 Process 3 - Identify Threats and Determine Likelihood 110 4.1.0.3 Process 4 - Measure Risk 111 4.1.0.4 Process 5 - Select Appropriate Safeguards 112 4.1.0.5 Process 6 - Implement And Test Safeguards 113 4.1.0.6 Process 7 - Accept Residual Risk 114 4.2 RCMP GUIDE TO THREAT AND RISK ASSESSMENT FOR INFORMATION TECHNOLOGY 114 4.2.1 Introduction 114 4.2.2 Process 114 4.2.2.0 Preparation 115 4.2.2.1 Threat Assessment 118 4.2.2.2 Risk Assessment 122 4.2.2.3 Recommendations 124 4.2.3 Updates 125 4.2.4 Advice and Guidance 126 4.2.5 Glossary of Terms 127 5.0 FIREWALLS 130 5.1 INTRODUCTION 130 5.2 FIREWALL SECURITY AND CONCEPTS 131 5.2.0 Firewall Components 131 5.2.0.0 Network Policy 131 5.2.0.1 Service Access Policy 131 5.2.0.2 Firewall Design Policy 132 viivii 5.2.1 Advanced Authentication 133 5.3 PACKET FILTERING 133 5.3.0 Which Protocols to Filter 134 5.3.1 Problems with Packet Filtering Routers 135 5.3.1.0 Application Gateways 136 5.3.1.1 Circuit-Level Gateways 138 5.4 FIREWALL ARCHITECTURES 138 5.4.1 Multi-homed host 138 5.4.2 Screened host 139 5.4.3 Screened subnet 139 5.5 TYPES OF FIREWALLS 139 5.5.0 Packet Filtering Gateways 139 5.5.1 Application Gateways 139 5.5.2 Hybrid or Complex Gateways 140 5.5.3 Firewall Issues 141 5.5.3.0 Authentication 141 5.5.3.1 Routing Versus Forwarding 141 5.5.3.2 Source Routing 141 5.5.3.3 IP Spoofing 142 5.5.3.4 Password Sniffing 142 5.5.3.5 DNS and Mail Resolution 143 5.5.4 FIREWALL ADMINISTRATION 143 5.5.4.0 Qualification of the Firewall Administrator 144 5.5.4.1 Remote Firewall Administration 144 5.5.4.2 User Accounts 145 5.5.4.3 Firewall Backup 145 5.5.4.4 System Integrity 145 5.5.4.5 Documentation 146 5.5.4.6 Physical Firewall Security 146 5.5.4.7 Firewall Incident Handling 146 5.5.4.8 Restoration of Services 146 5.5.4.9 Upgrading the firewall 147 5.5.4.10 Logs and Audit Trails 147 5.5.4.11 Revision/Update of Firewall Policy 147 5.5.4.12 Example General Policies 147 5.5.4.12.0 Low-Risk Environment Policies 147 5.5.4.12.1 Medium-Risk Environment Policies 148 5.5.4.12.2 High-Risk Environment Policies 149 5.5.4.13 Firewall Concerns: Management 150 5.5.4.14 Service Policies Examples 151 5.5.5 CLIENT AND SERVER SECURITY IN ENTERPRISE NETWORKS 153 5.5.5.0 Historical Configuration of Dedicated Firewall Products 153 5.5.5.1 Advantages and Disadvantages of Dedicated Firewall Systems 153 5.5.5.2 Are Dedicated Firewalls A Good Idea? 155 5.5.5.3 Layered Approach to Network Security - How To Do It 155 5.5.5.4 Improving Network Security in Layers - From Inside to Outside 157 5.5.5.5 Operating Systems and Network Software - Implementing Client and Server Security 158 5.5.5.6 Operating System Attacks From the Network Resource(s) - More Protocols Are The Norm - and They Are Not Just IP 159 5.5.5.7 Client Attacks - A New Threat 159 5.5.5.8 Telecommuting Client Security Problems - Coming to Your Company Soon 160 5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It’s Easy 162 5.5.5.10 Encryption is Not Enough - Firewall Services Are Needed As Well 163 5.5.5.11 Multiprotocol Security Requirements are the Norm - Not the Exception. Even for Singular Protocol Suites 163 5.5.5.12 Protecting Clients and Servers on Multiprotocol Networks - How to Do It 164 viiiviii 5.5.5.13 New Firewall Concepts - Firewalls with One Network Connection 164 6.0 CRYPTOGRAPHY 167 6.1 CRYPTOSYSTEMS 167 6.1.0 Key-Based Methodology 167 6.1.1 Symmetric (Private) Methodology 169 6.1.2 Asymmetric (Public) Methodology 170 6.1.3 Key Distribution 172 6.1.4 Encryption Ciphers or Algorithms 175 6.1.5 Symmetric Algorithms 175 6.1.6 Asymmetric Algorithms 178 6.1.7 Hash Functions 178 6.1.8 Authentication Mechanisms 179 6.1.9 Digital Signatures and Time Stamps 180 7.0 MALICIOUS CODE 182 7.1 WHAT IS A VIRUS? 182 7.1.0 Boot vs File Viruses 183 7.1.1 Additional Virus Classifications 183 7.2 THE NEW MACRO VIRUS THREAT 183 7.2.0 Background 184 7.2.1 Macro Viruses: How They Work 186 7.2.2 Detecting Macro Viruses 187 7.3 IS IT A VIRUS? 189 7.3.0 Worms 190 7.3.1 Trojan Horses 192 7.3.2 Logic Bombs 192 7.3.3 Computer Viruses 193 7.3.4 Anti-Virus Technologies 194 7.4 ANTI-VIRUS POLICIES AND CONSIDERATIONS 195 7.4.0 Basic "Safe Computing" Tips 196 7.4.1 Anti-Virus Implementation Questions 197 7.4.2 More Virus Prevention Tips 198 7.4.3 Evaluating Anti-Virus Vendors 198 7.4.4 Primary Vendor Criteria 199 8.0 VIRTUAL PRIVATE NETWORKS: INTRODUCTION 202 8.1 MAKING SENSE OF VIRTUAL PRIVATE NETWORKS 202 8.2 DEFINING THE DIFFERENT ASPECTS OF VIRTUAL PRIVATE NETWORKING 202 8.2.0 Intranet VPNs 204 8.2.1 Remote Access VPNs 205 8.2.2 Extranet VPNs 206 8.3 VPN ARCHITECTURE 207 8.4 UNDERSTANDING VPN PROTOCOLS 208 8.4.0 SOCKS v5 208 8.4.1 PPTP/L2TP 209 8.4.2 IPSec 211 8.5 MATCHING THE RIGHT TECHNOLOGY TO THE GOAL 212 9.0 WINDOWS NT NETWORK SECURITY 215 9.1 NT SECURITY MECHANISMS 215 9.2 NT TERMINOLOGY 215 9.2.0 Objects in NT 215 9.2.1 NT Server vs NT Workstation 216 9.2.2 Workgroups 216 ixix 9.2.3 Domains 217 9.2.4 NT Registry 217 9.2.5 C2 Security 218 9.3 NT SECURITY MODEL 219 9.3.0 LSA: Local Security Authority 219 9.3.1 SAM: Security Account Manager 220 9.3.2 SRM: Security Reference Monitor 220 9.4 NT LOGON 221 9.4.0 NT Logon Process 222 9.5 DESIGNING THE NT ENVIRONMENT 222 9.5.0 Trusts and Domains 223 9.6 GROUP MANAGEMENT 226 9.7 ACCESS CONTROL 228 9.8 MANAGING NT FILE SYSTEMS 229 9.8.0 FAT File System 229 9.8.1 NTFS File System 230 9.9 OBJECT PERMISSIONS 231 9.10 MONITORING SYSTEM ACTIVITIES 232 10.0 UNIX INCIDENT GUIDE 234 10.1 DISPLAYING THE USERS LOGGED IN TO YOUR SYSTEM 235 10.1.0 The “W” Command 235 10.1.1 The “finger” Command 236 10.1.2 The “who” Command 236 10.2 DISPLAYING ACTIVE PROCESSES 237 10.2.0 The “ps” Command 237 10.2.1 The “crash” Command 238 10.3 FINDING THE FOOTPRINTS LEFT BY AN INTRUDER 238 10.3.0 The “last” Command 239 10.3.1 The “lastcomm” Command 240 10.3.2 The /var/log/ syslog File 241 10.3.3 The /var/adm/ messages File 242 10.3.4 The “netstat” Command 243 10.4 DETECTING A SNIFFER 243 10.4.1 The “ifconfig” Command 244 10.5 FINDING FILES AND OTHER EVIDENCE LEFT BY AN INTRUDER 244 10.6 EXAMINING SYSTEM LOGS 246 10.7 INSPECTING LOG FILES 247 APPENDIX A : HOW MOST FIREWALLS ARE CONFIGURED 251 APPENDIX B: BASIC COST FACTORS OF FIREWALL OWNERSHIP 254 APPENDIX C: GLOSSARY OF FIREWALL RELATED TERMS 258 APPENDIX D: TOP 10 SECURITY THREATS 260 APPENDIX E: TYPES OF ATTACKS 262 APPENDIX F: TOP 10 SECURITY PRECAUTIONS 265 APPENDIX G: VIRUS GLOSSARY 266 APPENDIX H: NETWORK TERMS GLOSSARY 269 xx [...]... September 19 95 15 2.0 Security 2 .1 Security Policy 2 .1. 0 What is a Security Policy and Why Have One? The security- related decisions you make, or fail to make, as administrator largely determines how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use However, you cannot make good decisions about security without first determining what your security. .. dependent on varied communications surcharges Direct Internet Connections: A computer connected directly to the Internet via a network interface will allow the user the highest internetwork functionality Each computer connected in this manner must also have a unique Internet (IP) address This type of connection is also the most expensive Serial Internet Connections: Another type of connection offering... spoof another address Computers and routers connected to external networks should be configured to ignore source routed packets 1. 2 Internet Applications and Protocols The Internet is a global collection of networks all using the TCP/IP network protocol suite to communicate The TCP/IP protocols allow data packets to be transmitted, and routed from a source computer to a destination computer Above this... firewall to the Internet 1. 3 .12 SNMP — SIMPLE NETWORK MANAGEMENT PROTOCOL The SNMP protocol allows a network administrator to manage network resources from a remote node This protocol should never be allowed through a firewall connected to the Internet A hacker would have the ability to remotely manage and change the configuration of network systems It would also allow a hacker to rewrite the security policy... systems such as routers Compromise of TFTP host systems on a network can cause a great deal of security problems for a customer network 1. 3 .15 MOTIF Motif is a graphical environment developed by the Open Software Foundation (OSF) as a front end for the X 11 X-windows interface The vulnerabilities of the X-Windows system are described below 1. 3 .16 OPENWINDOWS Openwindows is a graphical environment developed... Duncan Detachment 6060 Canada Ave., Duncan, BC CANADA V9L 1V3 ATN: Cst S.K.PARMAR Telephone number 250-748-5522 Email: sunny@seaside.net SUNNY 1 1.0 Introduction 1. 1 Basic Internet Technical Details The Internet utilizes a set of networking protocols called TCP/IP The applications protocols that can be used with TCP/IP are described in a set of Internet Engineering Task Force (IETF) RFCs (Request For... access to the Internet implies that the Internet also has access to that user Therefore, these computers must be protected and secured to ensure the Internet has limited access A terminal user calling using an Internet host has fewer concerns since the host is where the Internet interface lies In this situation the host must take all necessary security precautions To connect the various sub-networks and... other using a hardware address (on LANs, this is called the Medium Access Control or MAC address) Computer users, however, deal with 2 higher levels of abstraction in order to help visualize and remember computers within the network The first level of abstraction is the IP address of the computer (e.g 13 1 .13 6 .19 6.2) and the second level is the human readable form of this address (e.g manitou.cse.dnd.ca)... the Xwindows system, however, it connects to port number 2000 1. 3 .17 WINSOCK Winsock is a Microsoft Windows dynamic link library providing TCP/IP port services to windows applications These services allow users to run many Internet tools, such as Archie, Cello, ftp, Gopher, Mosaic and telnet on an MS-DOS/MS-Windows computer 1. 3 .18 WINDOWS — X 11 X windows is a graphical environment for user application... standard provides a security layer between the TCP and application protocol layers SSL can be used to provide integrity (proof of sender) and confidentiality for any TCP data stream This security protocol can be used with all applications level protocols not just http 14 Section References 1 0 INFOSEC Services, Communications Security Establishment, An Introduction to the Internet and Internet Security Ottawa, . rsh) 12 1. 3 .12 SNMP — Simple Network Management Protocol 12 1. 3 .13 TELNET 12 1. 3 .14 TFTP ? Trivial File Transfer Protocol 12 1. 3 .15 Motif 13 1. 3 .16 Openwindows 13 1. 3 .17 Winsock 13 1. 3 .18 Windows. Daemon 11 1. 3.7 NNTP — Network News Transfer Protocol 11 1. 3.8 News Readers 11 1. 3.9 NIS — Network Information Services 11 1. 3 .10 RPC — Remote Procedure Call 12 1. 3 .11 R-utils (rlogin, rcp, rsh) 12 1. 3 .12 . — X 11 13 1. 3 .19 WAIS — Wide Area Information Servers 13 1. 3.20 WWW — World Wide Web 13 1. 3. 21 HTTP — HyperText Transfer Protocol 13 2.0 SECURITY 16 2 .1 SECURITY POLICY 16 2 .1. 0 What is a Security