Network Security Foundations Network Security Foundations Matthew Strebe San Francisco ◆ London Associate Publisher: Neil Edde Acquisitions and Developmental Editor: Maureen Adams Production Editor: Elizabeth Campbell Technical Editor: Donald Fuller Copyeditor: Judy Flynn Compositor: Laurie Stewart, Happenstance Type-o-Rama Proofreaders: Laurie O’Connell, Nancy Riddiough Indexer: Nancy Guenther Book Designer: Judy Fung Cover Design: Ingalls + Associates Cover Photo: Jerry Driendl, Taxi Copyright © 2004 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501 World rights reserved No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher An earlier version of this book was published under the title Network Security Jumpstart © 2002 SYBEX Inc Library of Congress Card Number: 2004109315 ISBN: 0-7821-4374-1 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc in the United States and/or other countries Screen reproductions produced with FullShot 99 FullShot 99 © 1991-1999 Inbit Incorporated All rights reserved FullShot is a trademark of Inbit Incorporated TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s) The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book Manufactured in the United States of America 10 To Kira Rayleigh Strebe Kira Lyra Loo, I love you Acknowledgments My wife does an amazing job of handling our life, our house, and our kids so that I can run a business and write books Without her, none of my books would have been written I’d like to thank Seanna for prying off and losing the keycaps of the non-critical laptop, Nathan for only losing the ball out of the trackball twice during the production of this book, and Kira for not being able to walk yet and for not choking on the keycap she found under the couch I’d like to thank Maureen Adams, who is my friend more than my editor, for suggesting this title and steering it through the process Elizabeth Campbell did an expert job managing the flurry of e-mail that constitutes the modern writing process, and did so with an infectious enthusiasm that made the process easy Judy Flynn expanded the acronyms, excised the jargon (well, some of it, anyway), clarified the odd constructions, and corrected the capitalization (or standardized it, at least) Without her, this book would have been much harder to understand Thanks also to the CD team of Dan Mummert and Kevin Ly for their work on the companion CD Contents Introduction Chapter xv Security Principles Why Computers Aren’t Secure The History of Computer Security –1945 1945–1955 1955–1965 1965–1975 1975–1985 1985–1995 1995–2005 11 2005– 12 Security Concepts 13 Trust 13 Authentication 13 Chain of Authority 14 Accountability 15 Access Control 15 Terms to Know 17 Review Questions 18 Chapter Understanding Hacking 19 What Is Hacking? Types of Hackers Security Experts Script Kiddies Underemployed Adult Hackers Ideological Hackers Criminal Hackers Corporate Spies Disgruntled Employees Vectors That Hackers Exploit Direct Intrusion Dial-Up Internet Wireless 20 20 21 21 21 22 23 23 24 24 25 25 26 26 viii Contents Chapter Chapter Chapter Hacking Techniques Target Selection Information Gathering Attacks Terms to Know Review Questions 27 27 29 30 37 38 Encryption and Authentication 39 Encryption Secret Key Encryption One-Way Functions (Hashes) Public Key Encryption Hybrid Cryptosystems Authentication Password Authentication Session Authentication Public Key Authentication Certificate-Based Authentication Biometric Authentication Terms to Know Review Questions 40 41 41 43 44 44 45 47 48 49 50 51 52 Managing Security 53 Developing a Security Policy Creating a Policy Requirements Outline Security Policy Best Practices Implementing Security Policy Applying Automated Policy Human Security Updating the Security Policy The Security Cycle Terms to Know Review Questions 54 54 58 63 64 65 67 67 69 70 Border Security 71 Principles of Border Security Understanding Firewalls Fundamental Firewall Functions Firewall Privacy Services Virtual Private Networks Other Border Services 72 74 74 82 83 83 Contents Selecting a Firewall 84 Terms to Know 85 Review Questions 86 Chapter Virtual Private Networks 87 Virtual Private Networking Explained 88 IP Encapsulation 88 Cryptographic Authentication 89 Data Payload Encryption 90 Characteristics of VPNs 90 Common VPN Implementations 91 IPSec 92 L2TP 93 PPTP 94 PPP/SSL or PPP/SSH 95 VPN Best Practices 96 Terms to Know 99 Review Questions 100 Chapter Chapter Securing Remote and Home Users 101 The Remote Security Problem Virtual Private Security Holes Laptops Protecting Remote Machines VPN Connections Data Protection and Reliability Backups and Archiving Protecting against Remote Users Terms to Know Review Questions 102 102 102 103 104 106 106 107 108 109 Malware and Virus Protection 111 Understanding Malware Understanding Viruses Virus Protection Prevention Natural Immunity Active Protection Understanding Worms and Trojan Horses Protecting Against Worms Implementing Virus Protection 112 112 117 117 118 118 119 121 121 ix x Contents Chapter Chapter 10 Client Virus Protection Server-Based Virus Protection E-Mail Gateway Virus Protection Firewall-Based Virus Protection Enterprise Virus Protection Terms to Know Review Questions 122 123 124 124 125 125 126 Creating Fault Tolerance 127 Causes for Loss Human Error Routine Failure Events Crimes Environmental Events Fault Tolerance Measures Backups Uninterruptible Power Supplies (UPSs) and Power Generators Redundant Array of Independent Disks (RAID) Permissions Border Security Auditing Offsite Storage Archiving Deployment Testing Circuit Redundancy Physical Security Clustered Servers Terms to Know Review Questions 128 128 128 130 132 133 133 138 139 141 141 141 141 142 142 143 143 144 147 148 Windows Security 149 Windows Local Security Security Identifiers Logging In Resource Access Objects and Permissions NTFS File System Permissions Encrypting File System (EFS) Windows Network Security Active Directory Kerberos Authentication and Domain Security Group Policy 150 151 152 153 154 157 158 159 159 160 163 ... title Network Security Jumpstart © 2002 SYBEX Inc Library of Congress Card Number: 2004109315 ISBN: 0-7821-4374-1 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX. .. 174 177 177 180 184 186 186 189 190 Unix Network Security 191 Unix Network Security Basics Remote Logon Security Remote Access ... to a particular platform Who Should Read This Book? Network Security Foundations is designed to teach the fundamentals of computer and network security to people who are fairly new to the topic: