Chapter 11: Internet Security - PowerPoint PPT Presentation

Chapter 11: Internet Security i-Net+ Guide to the Internet Third Edition Objectives Learn how computers and networks can be attacked Study solutions used to protect ... – PowerPoint PPT presentation

1
Chapter 11 Internet Security
  • i-Net+ Guide to the Internet
  • Third Edition

2
Objectives
  • Learn how computers and networks can be attacked
  • Study solutions used to protect computers and
    networks
  • Investigate network protection strategies
  • Learn how virtual private networks ensure a
    secure data transmission over the Internet

3
Types of Attack
  • The reasons hackers attack a Web site, server, or
    computer vary. Hackers might want to
    • Seek a challenge or revenge against a business
    • Gain bragging rights among peers
    • Steal information, such as credit card numbers,
      that they can sell
    • Hijack storage space on a computer or use
      Internet bandwidth provided by a network
    • Gain remote control of a computer to use in an
      attack against other servers.

4
Flooding
  • A denial of service (DoS) attack is an attack
    designed to exhaust the resources (bandwidth,
    memory, connection state, or CPU) of a Web
    server or other Internet device so that it can no
    longer serve legitimate requests.
  • When the traffic comes from many sources at once,
    the attack is a distributed denial of service
    (DDoS).

5
Flooding (Continued)
  • In a DDoS attack, a hacker has remote control of
    hundreds or thousands of computers over a large
    geographical area and commands them to send false
    requests to a Web server or other Internet device.
  • Computers that are remotely controlled by hackers
    and used in a DDoS attack are called bots (or
    zombies); together they form a botnet.

6
SYN Flooding
  • SYN flooding is a type of attack that takes
    advantage of the three-way handshake that opens
    a TCP connection.
  • The attacker sends a stream of SYN packets, but
    instead of using its own IP address as the source
    address, each packet carries a spoofed source
    address that is unreachable or will never answer.
  • The server responds to each SYN with a SYN-ACK
    and holds a half-open connection (memory and a
    slot in its listen backlog) while it waits for
    the final ACK, which never arrives because the
    spoofed address never sent the SYN.
  • Once the backlog is full of half-open
    connections, SYNs from legitimate clients are
    dropped. The standard defense is SYN cookies:
    the server encodes the connection in its initial
    sequence number instead of storing state until
    the ACK arrives.
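
The backlog exhaustion described above, and the SYN-cookie defense, as an added example (this code is not from the i-Net+ Guide). It models a listener that allocates state per half-open connection and one that does not; the backlog size, addresses and cookie secret are made up for the demonstration, and the "cookie" is an HMAC of the client address rather than the exact Linux encoding.

```python
# Added example (not from the i-Net+ Guide): a toy model of a TCP listener's
# SYN backlog under a spoofed SYN flood, and the same listener with SYN cookies.
# All addresses, the backlog size and the cookie secret are made up for the demo.
import hashlib
import hmac
import random

BACKLOG_SIZE = 8                 # half-open connections the listener will hold (assumed)
COOKIE_SECRET = b"demo-secret"   # server-side secret for SYN cookies (assumed)
MASK32 = 0xFFFFFFFF


class Listener:
    """Listener that keeps one entry per half-open connection (no SYN cookies)."""

    def __init__(self, backlog=BACKLOG_SIZE):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> server ISN, waiting for the ACK
        self.established = set()

    def on_syn(self, src_ip, src_port):
        # Classic behaviour: allocate state at SYN time.  The SYN-ACK goes to the
        # claimed source address, so a spoofed SYN is never completed and the
        # entry sits in the backlog until it times out.
        if len(self.half_open) >= self.backlog:
            return None                            # backlog full: SYN silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn                                 # sent back in the SYN-ACK

    def on_ack(self, src_ip, src_port, ack_num):
        key = (src_ip, src_port)
        if key in self.half_open and (self.half_open[key] + 1) & MASK32 == ack_num:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


class CookieListener(Listener):
    """Same listener using SYN cookies: the ISN is derived from the connection
    instead of stored, so spoofed SYNs consume no memory at all."""

    def _cookie(self, src_ip, src_port):
        mac = hmac.new(COOKIE_SECRET, f"{src_ip}:{src_port}".encode(), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big")

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port)      # no state allocated

    def on_ack(self, src_ip, src_port, ack_num):
        # A correct ACK proves the client really received our SYN-ACK at that address.
        if ack_num == (self._cookie(src_ip, src_port) + 1) & MASK32:
            self.established.add((src_ip, src_port))
            return True
        return False


def flood(listener, n):
    """Send n SYNs from random spoofed sources that will never answer."""
    for _ in range(n):
        listener.on_syn(f"203.0.113.{random.randrange(256)}", random.randrange(1024, 65535))


def legit_connect(listener, src_ip="198.51.100.7", src_port=40000):
    """A real client completes the three-way handshake; returns True on success."""
    isn = listener.on_syn(src_ip, src_port)
    if isn is None:
        return False                               # SYN dropped: denial of service
    return listener.on_ack(src_ip, src_port, (isn + 1) & MASK32)


if __name__ == "__main__":
    plain, cookies = Listener(), CookieListener()
    flood(plain, 100)
    flood(cookies, 100)
    print("plain listener, legit client after flood:", legit_connect(plain))
    print("cookie listener, legit client after flood:", legit_connect(cookies))
```

Real stacks hold far more than eight half-open connections and time them out, so a flood has to keep sending; the point is that the attacker spends a 40-byte packet per entry while the server spends memory and a timer, which is why cookies (stateless until the ACK) win.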

7
SYN Flooding (Continued)
8
Teardrop
  • A Teardrop attack sends a series of IP fragments
    whose reassembly instructions (the fragment
    offsets and lengths) are inconsistent: a later
    fragment claims to overlap data that an earlier
    fragment already supplied.
  • The receiving device cannot reassemble the
    datagram correctly because the fragments are
    invalid or incomplete.
  • However, the device, often a computer or server,
    continues to allocate operating system resources
    to handle the invalid fragments, and a
    reassembly routine that trusted the offsets
    could compute a negative length and corrupt
    memory.
  • Eventually, system resources are exhausted,
    causing the device to crash, hang, or reboot.

9
Ping Flooding
  • The Ping program is very helpful for debugging
    network problems, but it can also be used by
    hackers to mount a Ping flood.
  • Ping flooding (also known as ICMP flooding) is
    when a host is flooded with ICMP echo (Ping)
    requests.
  • As the host tries to respond to the requests, it
    gets bogged down and cannot function, causing DoS.

10
Ping Flooding (Continued)
  • This type of flooding is fairly common because it
    does not require a lot of special knowledge.
  • A variation is the Ping of Death attack, in which
    a hacker sends an ICMP echo request whose
    fragments reassemble to more than the 65,535
    bytes that an IP datagram may hold (its length
    field is 16 bits). Older IP stacks overran their
    reassembly buffer and crashed.
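
Both the Teardrop attack (slide 8) and the Ping of Death come down to a fragment reassembler trusting what the fragments say about themselves. The following reassembler is an added example, not code from the i-Net+ Guide: it represents each fragment as an (offset, payload, more-fragments) triple with the IP headers left out, and rejects the two malformed cases instead of crashing on them. The fragment contents used in the usage block are constructed for the demonstration.

```python
# Added example (not from the i-Net+ Guide): a minimal IPv4 fragment reassembler
# that applies the two checks the Teardrop and Ping of Death attacks exploited.
# Fragments are (offset_in_bytes, payload, more_fragments) tuples; headers omitted.
MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field


class BadFragment(ValueError):
    """Raised for a fragment that cannot be part of any valid datagram."""


def reassemble(fragments):
    """Reassemble fragments (in any arrival order) into the original datagram.

    Returns the datagram bytes, or None while pieces are still missing (a real
    stack would keep waiting and eventually time out).  Raises BadFragment for
    a fragment that overlaps data already received (Teardrop) or that would push
    the datagram past MAX_DATAGRAM bytes (Ping of Death).
    """
    buf = bytearray()
    filled = bytearray()      # 1 where a byte has already been received
    total_len = None
    for offset, payload, more in fragments:
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            # Ping of Death: the fragments add up to more than IP allows.
            raise BadFragment(f"fragment ends at {end} > {MAX_DATAGRAM}")
        if len(buf) < end:
            buf.extend(b"\x00" * (end - len(buf)))
            filled.extend(b"\x00" * (end - len(filled)))
        if any(filled[offset:end]):
            # Teardrop: this fragment's offset lies inside data we already hold.
            raise BadFragment(f"fragment {offset}-{end} overlaps earlier data")
        buf[offset:end] = payload
        filled[offset:end] = b"\x01" * len(payload)
        if not more:
            total_len = end   # the last fragment tells us the full length
    if total_len is None or len(buf) != total_len or not all(filled[:total_len]):
        return None           # incomplete or inconsistent: keep waiting
    return bytes(buf)


if __name__ == "__main__":
    # Constructed fragments: a normal 20-byte datagram split in three.
    normal = [(0, b"A" * 8, True), (8, b"B" * 8, True), (16, b"C" * 4, False)]
    print(reassemble(normal))
    for name, bad in [("teardrop", [(0, b"A" * 16, True), (8, b"B" * 8, False)]),
                      ("ping of death", [(65528, b"X" * 16, False)])]:
        try:
            reassemble(bad)
        except BadFragment as e:
            print(name, "rejected:", e)
```

Dropping overlapping fragments outright is stricter than RFC 791 requires, but it is what hardened stacks do today, since no legitimate sender produces them and every known use of overlap is evasion or attack.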

11
Mail Flooding
  • Mail flooding is when hackers send numerous huge
    e-mail messages to an e-mail server.
  • Spam is a form of mail flooding.
  • Spam is unsolicited e-mail messages that usually
    are trying to sell a product, and are sent in
    bulk.

12
Data Theft
  • One type of intrusion involves the theft of
    network data.
  • If hackers find a working user ID and password,
    they can sign onto the network and appear as a
    legitimate user.
  • Hackers also try to intercept data as it is
    transmitted across the LAN. When the attacker
    places himself between the two communicating
    parties so that their traffic passes through him
    and can be read or altered, the attack is known
    as man in the middle; passive listening alone is
    sniffing.

13
Data Theft (Continued)
  • Man-in-the-middle attacks can include the
    interception of e-mail, files, chat dialogs, and
    data packets that are transmitted over the LAN.
  • A man-in-the-middle attack is most often
    perpetrated by hackers who have direct access to
    a LAN, because from there they can redirect
    traffic through their own machine.
  • Keystroke logging is accomplished by installing
    software (or a small hardware device between the
    keyboard and the computer) that records and
    transmits every character a user types.

14
Data Theft (Continued)
  • Phishing occurs when an individual pretending to
    be a legitimate business sends fraudulent e-mail
    messages in hopes of enticing users to reveal
    sensitive information, such as bank account
    information, Social Security numbers, or credit
    card numbers.
  • Phishing uses social engineering (it exploits
    social weaknesses in people, not software flaws)
    to steal personal data and sometimes commit
    identity theft.

15
Computer Infestations
  • A virus is a program that spreads by attaching to
    other programs or files.
  • Viruses usually spread through infected e-mail
    messages that arrive with a virus in an
    attachment.
  • A virus is called a virus because
    • It has an incubation period (it does not do
      damage immediately).
    • It is contagious.
    • It can be destructive.

16
Computer Infestations (Continued)
  • A virus is different from a worm, which is a
    program that spreads copies of itself throughout
    the Internet or LAN on its own, without needing a
    host program such as a Microsoft Word file or
    other application.
  • A Trojan horse is a third type of computer
    infestation. Like a worm, it does not need a host
    program, but unlike a virus or worm it does not
    replicate itself: it is a program that
    masquerades as something legitimate so that the
    user runs it willingly.

17
Computer Infestations (Continued)
  • Users of peer-to-peer file-sharing programs such
    as Kazaa Media Desktop can unknowingly download
    Trojan horses that masquerade as music files or
    software programs.
  • Spyware is software used to collect and relay
    information about a user or the Web sites a user
    visits to advertisers.
  • Spyware is often bundled with, and installed
    alongside, normal software that a user installs
    from the Web.

18
Cookies
  • Cookies are considered by many people to be
    another form of spyware, because third-party
    tracking cookies let advertisers follow a user
    from site to site.
  • A cookie is data (not a program) that a Web site
    stores on the client's system for later retrieval
    by that same site.
  • When a user accesses a Web page that uses
    cookies, the cookie is placed on the user's hard
    drive and is sent back with every later request
    to the site that set it.

19
Protection Solutions
  • Security experts agree that the best approach to
    protecting computers and other network resources
    is to apply security measures in layers.
  • For example, a home computer should run more than
    just antivirus software.
  • You should also install the latest security
    patches for the operating system and applications
    on your computer.

20
Firewalls
  • A firewall is hardware or software that can
    reside on the network's gateway.
  • Different types of firewalls can function in
    several ways. See the list on page 640.

21
Hardware Firewall
  • A good firewall solution is a hardware firewall
    that stands between a LAN and the Internet.
  • A hardware firewall is ideal for a home network
    consisting of two or more computers because it
    protects the entire network.
  • For most home and small-office LANs that connect
    to the Internet through a single cable modem or
    DSL modem, a broadband router is used as a
    hardware firewall.

22
Software Firewall
  • A software (host-based) firewall runs on the
    computer itself. Use one when the connection to
    the Internet is always on, such as a cable modem
    or DSL.
  • It complements rather than replaces a hardware
    firewall; layered security is the key to system
    protection.
  • A software firewall can also ask the user for
    permission before a program on the computer is
    allowed to accept connections or reach out to
    the network.

23
A Proxy Server Used as a Firewall
  • When a proxy server is acting as a firewall, it
    can filter traffic in both directions.
  • It can filter traffic that is coming into the
    network from outside computers, and it can filter
    traffic that is leaving the network.

24
Firewalls that Filter Ports and Packets
  • When a firewall filters ports, it prevents
    software on the outside from reaching certain
    ports on the network, even though those ports
    have services listening at them.
  • A stateful packet filter goes further: it admits
    inbound packets only when they belong to a TCP
    session that a host on the inside started.
  • A problem arises when you want to allow some
    ports to be reached from outside but filter
    others, or to admit packets that are not part of
    a current TCP session, such as the UDP media
    streams of a videoconference; those need
    explicit rules or an application-aware helper.
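
The port-filtering and session-tracking rules above, as an added example that is not from the i-Net+ Guide. It is a toy stateful filter: outbound TCP connections are remembered so their replies are let back in, unsolicited inbound TCP is allowed only to listed service ports, and UDP, which has no handshake to track, needs its own allow-list (the videoconference case). The network prefix, ports and packets are assumed for the demonstration.

```python
# Added example (not from the i-Net+ Guide): a toy stateful packet filter that
# shows why "only packets belonging to a current TCP session" is not enough on
# its own.  Addresses, ports and rules are made up for the demonstration.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags")
LAN = "192.0.2."                   # inside network prefix (assumed)


class StatefulFilter:
    def __init__(self, inbound_allow=(), udp_allow=()):
        self.inbound_allow = set(inbound_allow)   # TCP ports of services we expose
        self.udp_allow = set(udp_allow)           # UDP ports needed, e.g. conferencing media
        self.sessions = set()                     # (inside_ip, inside_port, outside_ip, outside_port)

    def _outbound(self, p):
        return p.src.startswith(LAN) and not p.dst.startswith(LAN)

    def decide(self, p):
        if p.proto == "tcp":
            if self._outbound(p):
                # Inside hosts may open connections; remember them so replies get back in.
                if "SYN" in p.flags:
                    self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return "allow"
            # Inbound: a reply to a tracked session, or a new SYN to an exposed service.
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return "allow"
            if "SYN" in p.flags and "ACK" not in p.flags and p.dport in self.inbound_allow:
                return "allow"
            return "deny"
        if p.proto == "udp":
            # No handshake to track: without an explicit rule the inbound media
            # stream of a videoconference would simply be dropped.
            if self._outbound(p) or p.dport in self.udp_allow:
                return "allow"
            return "deny"
        return "deny"                             # anything else is dropped by default


if __name__ == "__main__":
    fw = StatefulFilter(inbound_allow={80}, udp_allow={5004})
    for pkt in [Packet("tcp", "192.0.2.10", 51000, "198.51.100.1", 443, {"SYN"}),
                Packet("tcp", "198.51.100.1", 443, "192.0.2.10", 51000, {"SYN", "ACK"}),
                Packet("tcp", "198.51.100.9", 4000, "192.0.2.10", 22, {"SYN"}),
                Packet("udp", "198.51.100.9", 5005, "192.0.2.10", 5005, set())]:
        print(pkt.proto, pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
```

A real filter also tracks FIN/RST to drop finished sessions, ages out idle entries, and checks that an inbound packet's flags make sense for the session's state; this version keeps only the decision that the slide is about.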

25
DMZ Configurations
  • DMZ is an abbreviation for Demilitarized Zone.
  • Refers to an area that is between the private
    network and the Internet, but is not a direct
    part of either network.
  • It is often an additional network that is placed
    between the two networks to offer additional
    security, and is sometimes called a perimeter
    network.

26
Screened Host
  • With a screened host, a router is used to filter
    all traffic to the private intranet but allow
    full access to the computer in the DMZ.
  • The router is responsible for protecting the
    private network.

27
Bastion Host
  • Another DMZ configuration is the bastion host.
  • The word bastion means a protruding part of a
    fortified wall or rampart.
  • A bastion host is a hardened computer that stands
    outside the protected network and is exposed to
    attack. In the configuration shown in Figure
    11-22 on page 652 it has two network cards, one
    for the DMZ and one for the intranet, and
    everything passing between them goes through it.
  • Such bastion hosts also are known as dual-homed
    hosts or dual-homed firewalls.

28
Three-Homed Firewall
  • Suppose there are several computers in the DMZ, a
    Web server, a DNS server, and an FTP server.
  • With a large DMZ, a three-homed firewall can be
    used.
  • The entry point to the DMZ requires three network
    cards.
  • One network card is connected to the Internet,
    one to the DMZ network, and the final network
    card is connected to the intranet.

29
Three-Homed Firewall (Continued)
30
Back-to-Back Firewall
  • The back-to-back firewall configuration offers
    some of the best protection for networks.
  • In this design, the DMZ network is located
    between two firewalls, as shown in Figure 11-24.

31
Dead Zone
  • A dead zone is a network between two routers that
    uses a network protocol other than TCP/IP.
  • If the DMZ is using some other protocol, such as
    IPX/SPX, the network between the two routers is
    a dead zone: Internet (IP) packets cannot be
    routed across it directly.

32
Intrusion Detection Software
  • Intrusion detection software lets you know when
    someone has tried to break into your network.
  • Because the Internet makes it so easy for people
    to try to gain access to your resources, it is
    necessary to have software installed to let you
    know when an attack has been attempted.
  • Intrusion detection software (IDS) raises alarms
    when suspicious activity is spotted; an intrusion
    prevention system (IPS) sits inline and can also
    block the traffic it flags.
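
Two of the simplest detections such software performs, run over constructed firewall log lines, as an added example (not code from the i-Net+ Guide or any IDS product). The log format, the thresholds and the addresses are assumed for the demonstration; the sample log contains a port scan, a Ping flood of the kind described on slide 9, and ordinary traffic that must not trigger an alert.

```python
# Added example (not from the i-Net+ Guide): two simple intrusion-detection checks
# run over constructed firewall log lines.  The log format, thresholds and
# addresses are assumed for the demonstration; real IDS rules are far richer.
import re
from collections import defaultdict

# Assumed log format: "<epoch-seconds> <proto> <src> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(?P<t>\d+) (?P<proto>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log: a port scan, a Ping flood, and two normal HTTPS hits.
SAMPLE_LOG = "\n".join(
    [f"{100 + i} tcp 203.0.113.5 -> 192.0.2.10:{20 + i}" for i in range(25)]   # 25 ports, one source
    + [f"{200 + i // 10} icmp 203.0.113.9 -> 192.0.2.10:0" for i in range(60)]  # 60 echoes in 6 s
    + ["300 tcp 198.51.100.7 -> 192.0.2.10:443", "301 tcp 198.51.100.7 -> 192.0.2.10:443"]
)


def parse(log_text):
    """Yield (time, proto, src, dst, dport) for every well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m["t"]), m["proto"], m["src"], m["dst"], int(m["dport"])


def detect(log_text, scan_ports=20, icmp_rate=50, window=10):
    """Return a list of (alert_type, source_ip) tuples.

    port_scan : one source touches >= scan_ports distinct TCP ports on one host
    icmp_flood: one source sends >= icmp_rate ICMP packets within `window` seconds
    """
    ports = defaultdict(set)          # (src, dst) -> distinct destination ports
    icmp_times = defaultdict(list)    # src -> timestamps of ICMP packets
    alerts = []
    for t, proto, src, dst, dport in parse(log_text):
        if proto == "tcp":
            ports[(src, dst)].add(dport)
        elif proto == "icmp":
            icmp_times[src].append(t)
    for (src, dst), seen in ports.items():
        if len(seen) >= scan_ports:
            alerts.append(("port_scan", src))
    for src, times in icmp_times.items():
        times.sort()
        # Sliding window: alert if any icmp_rate consecutive packets fit in `window` seconds.
        for i in range(len(times) - icmp_rate + 1):
            if times[i + icmp_rate - 1] - times[i] <= window:
                alerts.append(("icmp_flood", src))
                break
    return alerts


if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {src}")
```

Thresholds like these are where false positives live: a vulnerability scanner you run yourself looks exactly like the port scan, so production rules whitelist known sources and tune rates per network rather than using fixed numbers.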

33
Secure Sockets Layer
  • The SSL (Secure Sockets Layer) protocol was
    developed by Netscape to provide security between
    application protocols (such as FTP, HTTP, or
    Telnet) and TCP/IP. Its standardized successor is
    TLS (Transport Layer Security).
  • SSL provides data encryption and server
    authentication, and can provide client
    authentication for a TCP/IP connection.
  • SSL uses public-key cryptography (the server's
    certificate and private key) to authenticate the
    server and agree on a session key, then encrypts
    the data with symmetric encryption.
  • Figure 11-25 on page 656 shows one of several
    ways that SSL can work.

34
Secure Electronic Transaction
  • SET (Secure Electronic Transaction) is a
    protocol that is designed to offer a secure
    medium for credit card transactions.
  • It uses digital signatures to verify that both
    parties involved in the transaction are who they
    say they are.
  • SET also protects the information in the
    transaction from being stolen or altered during
    the transaction, which protects all parties,
    including the consumer. In practice SET saw
    little deployment; card payments on the Web run
    over SSL/TLS instead.

35
Infection Methods
  • Like any program, a virus cannot do anything
    until it is executed.
  • Unlike a virus, a worm creates copies of itself,
    which then spread throughout the Internet or LAN
    without any user action.
  • In 2004, the Beagle (Bagle) worm arrived as a
    password-protected compressed file that appeared
    to be sent by a network administrator on the
    user's network.

36
Infection Methods (Continued)
  • The e-mail used spoofing to replace the true
    sender's e-mail address with a fake e-mail
    address.
  • Spoofing is the act of replacing the source of a
    data transmission with fake information so the
    true identity of the sender remains hidden.

37
Managing Antivirus Software
  • A real-time antivirus scanner is software that is
    designed to scan every file accessed on a
    computer so that it can catch viruses and worms
    before they can infect a computer.
  • This software loads each time a computer is
    turned on and keeps running in the background.
  • Using a real-time scanner helps antivirus
    software stop infections from different sources,
    including a Web browser, e-mail attachment,
    storage media, or local area network.

38
Managing Antivirus Software (Continued)
  • The process of calculating and recording
    checksums to protect against viruses and worms is
    called inoculation.
  • Antivirus software must be updated to stay ahead
    of new viruses and worms.

39
Eliminating Spam
  • To protect your privacy, limit how much
    information you volunteer to people.
  • Another option is to create a separate e-mail
    account just for junk mail.
  • Many ISPs offer spam rejection services.
  • Some spam rejection services allow a user to
    indicate that he does not want to receive any
    more messages from a sender by reporting the
    message to the ISP's e-mail system.

40
Stopping Pop-up Ads
  • Follow the steps on page 664 to stop pop-up ads.
  • Internet Explorer Pop-up Blocker offers three
    levels of protection.
  • The pop-up blocker is set to ON by default.

41
Removing Spyware
  • Spyware is often secretly installed in addition
    to normal software that a user installs from the
    Web.
  • Spyware consumes system resources and can cause
    your computer to become unresponsive, crash, or
    reboot.
  • The best recommendation is to minimize or refrain
    from installing free software from the Web or
    from peer-to-peer, file-sharing networks.

42
Controlling Cookies
  • One of the first steps in protecting your privacy
    is to limit cookies.
  • Internet Explorer users can control cookies
    through the Privacy tab of the Internet Options
    dialog box.

43
Controlling Cookies (Continued)
44
Protection Strategies
  • A security system should
    • Provide privacy (confidentiality)
    • Provide authentication
    • Protect data integrity
    • Provide nonrepudiation
    • Be easy to use

45
Authentication
  • Different levels of authentication on a network
    exist (these names match the authentication
    levels defined for DCE/Microsoft RPC, each
    protecting more than the one before it):
    • None
    • Connect
    • Call
    • Packet
    • Packet integrity
    • Packet privacy

46
Users IDs and Passwords
  • User IDs and passwords can be set at many levels,
    including
    • Individual computers can have a setup password
      stored in CMOS that is needed to access the
      hardware and is required when you first turn on
      the computer.
    • The operating system on the computer can require
      a user ID and password to use the system.
    • A network operating system can require a user ID
      and password to access the network.
  • The remainder of this list appears on pages 672
    and 673.

47
Choosing a Password
  • A good, effective password has a mixture of
    letters, numbers, and symbols, both uppercase and
    lowercase, is long, and does not have any logical
    meaning that a dictionary attack could guess.
  • To further secure passwords, system
    administrators often put an expiration date on
    passwords, meaning that the user periodically must
    change her password. Current guidance (NIST SP
    800-63B) favors long passwords checked against
    lists of breached ones over forced periodic
    changes, which tend to produce predictable
    variations of the old password.

48
Passwords on the Computer
  • Passwords on a computer can be setup passwords,
    operating system passwords, and passwords on
    files, folders, and applications.
  • Every computer has a microchip on the motherboard
    inside the computer that can hold some basic
    information about the setup of the system.
  • To set or change the startup password, you must
    access the setup information when the computer
    first starts up.

49
User IDs and Passwords Required by the Network
Operating System
  • The network operating system allows the system
    administrator to define what files or folders the
    user has access to and what type of access the
    user has, which is called the user permissions.
  • A user can have read, write, or no access
    permissions.
  • Read access means that the user is allowed to
    read the file, but cannot make changes to it.
  • Write access allows the user to read the file,
    make changes, save changes, and delete the file.
  • No access, of course, denies the user any access
    to the file.

50
Securing User IDs and Passwords
  • Several authentication protocols transmit, store,
    and handle passwords so that they are not exposed
    on the network.
  • These include TACACS (Terminal Access Controller
    Access-Control System), RADIUS (Remote
    Authentication Dial-In User Service), Kerberos,
    PAP (Password Authentication Protocol), SPAP
    (Shiva Password Authentication Protocol), CHAP
    (Challenge Handshake Authentication Protocol),
    and MS-CHAP (Microsoft CHAP).
  • They are not equal: PAP sends the password in
    the clear, CHAP sends only a hash of the password
    combined with a one-time challenge, and Kerberos
    issues tickets so the password is never sent at
    all. Of these, CHAP and Kerberos are the more
    popular protocols or methods.
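
The difference between PAP and CHAP shown as the messages each side sends, as an added example (not code from the i-Net+ Guide). The CHAP response is computed the way RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the user name, secret and challenge bytes are made up, and the "wire" is just Python dictionaries passed between the functions.

```python
# Added example (not from the i-Net+ Guide): PAP versus CHAP as the exchange of
# messages between client and server.  The CHAP response is MD5(id || secret ||
# challenge) per RFC 1994.  User names, secret and challenge are made up.
import hashlib
import hmac
import os

USER_DB = {"alice": b"correct horse battery staple"}   # server-side copy of the secret (assumed)


def pap_client(user, password):
    """PAP: the client simply sends the password.  Anyone on the path can read it."""
    return {"user": user, "password": password}


def pap_server(msg):
    return USER_DB.get(msg["user"]) == msg["password"]


def chap_challenge(identifier, challenge=None):
    """Server -> client: an identifier and a fresh random challenge.  Reusing a
    challenge would let an eavesdropper replay an old response, so it must be
    unpredictable every time."""
    return {"id": identifier & 0xFF, "challenge": challenge or os.urandom(16)}


def _chap_digest(identifier, secret, challenge):
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response(user, secret, chal):
    """Client -> server: the digest, never the secret itself."""
    return {"user": user, "id": chal["id"],
            "response": _chap_digest(chal["id"], secret, chal["challenge"])}


def chap_verify(chal, resp):
    """Server: recompute the digest from its own copy of the secret and compare."""
    secret = USER_DB.get(resp["user"])
    if secret is None or resp["id"] != chal["id"]:
        return False
    expected = _chap_digest(chal["id"], secret, chal["challenge"])
    return hmac.compare_digest(expected, resp["response"])


if __name__ == "__main__":
    print("PAP message on the wire:", pap_client("alice", USER_DB["alice"]))
    chal = chap_challenge(1)
    resp = chap_response("alice", USER_DB["alice"], chal)
    print("CHAP message on the wire:", resp)
    print("server accepts:", chap_verify(chal, resp))
```

CHAP keeps the secret off the wire, but note two things a practitioner cares about: the server must hold the secret in cleartext (it needs it to recompute the digest), and anyone who captures a challenge and response can run an offline dictionary attack against the secret, which is exactly how MS-CHAP deployments have been broken.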

51
Passing a User ID and Password in a URL
  • Subscription Web sites usually require users to
    enter a user ID and password to access the Web
    site content.
  • The user ID and password required to access a Web
    site can be passed to the Web site in the URL, in
    the form http://userid:password@www.example.com/.
  • Doing this saves the time of having to manually
    enter the user ID and password every time you
    visit a subscription Web site, but it is a poor
    practice: the credentials end up in browser
    history, bookmarks, proxy and server logs, and
    Referer headers, and modern browsers warn about,
    strip, or refuse such URLs. Let the browser's
    password manager fill in the login form instead.

52
Smart Cards
  • Smart cards are about the size of a credit card
    and contain an embedded microchip.
  • The chip enables the card to hold data or
    programming that can authenticate a user who is
    accessing a network.

53
Digital Certificates
  • A digital certificate, sometimes called a digital
    ID, binds a public key to the identity of its
    owner and is signed by a certification authority;
    it lets recipients verify the digital signatures
    the owner makes with the matching private key.
  • It is a binary file that is stored on your hard
    drive, usually in the Windows certificate store
    (backed by the registry for user certificates).
    The private key is stored separately and must be
    protected.
  • Another feature of digital certificates is to
    assist in nonrepudiation, a guarantee that
    provides proof of delivery to the data sender and
    assurance of the sender's identity to the
    recipient.
  • Nonrepudiation of origin prevents the person who
    sent the message from claiming not to be that
    person.

54
Digital Certificates (Continued)
  • Nonrepudiation of delivery is used so that the
    receiver of the message cannot deny getting the
    message.
  • A certificate that others will trust is obtained
    through a certification authority (CA), and it is
    the CA's job to verify that you are who you say
    you are before it signs your certificate. (You
    can sign your own certificate, but nobody else
    has a reason to trust it.)
  • Two of the largest certification authorities at
    the time of the book were VeriSign
    (www.verisign.com) and Thawte (www.thawte.com).
  • Digital certificates are sometimes used to help
    create a virtual private network (VPN), whereby
    hosts on the Internet can communicate with as
    much privacy as if they were on a private network.

55
Types of Digital Certificates
  • A client SSL certificate
  • A server SSL certificate
  • An S/MIME certificate
  • An object-signing certificate
  • A CA certificate

56
What Is in a Digital Certificate?
  • Most certificates today conform to the X.509
    certificate specification.
  • This specification is recommended by the
    International Telecommunication Union (ITU), and
    has been recommended since 1988.
  • An X.509 certificate carries a version, a serial
    number, the issuer's name, a validity period, the
    subject's name, the subject's public key,
    optional extensions (such as permitted key
    uses), and the issuer's signature over all of it.

57
How Digital Certificates Work
  • The process of getting a digital certificate and
    using the certificate involves three parties: the
    person needing the certificate, the authority
    issuing the certificate, and the company with
    whom the person wants to use the certificate.

58
How to Protect Your Digital Certificate
  • The part that needs protecting is the private
    key, since anyone who holds it can sign as you;
    the easiest way to protect it is to require a
    password to access it.
  • In addition, most software programs that use
    digital certificates allow you to require a
    password before the certificate (and its private
    key) is used.

59
Using Digital Certificates
  • Digital certificates are commonly used on Web
    sites, but digital certificates can also be used
    to secure e-mail.
  • One of the most popular certificate authorities
    used to secure Web sites and e-mail is VeriSign
    (www.verisign.com).

60
Encryption
  • To be certain that data cannot be read if
    intercepted, data can be coded in a way that
    allows only the intended receiver to understand
    it.
  • Encryption is the process of coding data to
    prevent unauthorized parties from being able to
    view it. Detecting that data was changed in
    transit takes a separate integrity check (a
    message authentication code or digital
    signature); encryption alone does not provide it.

61
Symmetric or Private Key Encryption
  • Symmetric encryption, also called private key (or
    secret key) encryption, is a simple and fast
    encryption method in which the same key is used
    to convert data into an unreadable form and to
    convert it back.
  • This unreadable data is called ciphertext.
  • The secret input to the algorithm is called the
    key, session key, or secret key; both parties
    must have it, so it has to be exchanged securely.

62
Length of Encryption Keys
  • The longer the session key, the more secure the
    data, which makes sense because there are more
    possible combinations as the key length grows:
    each extra bit doubles the work of a brute-force
    search.
  • It was demonstrated in the 1990s that a key that
    is 40 bits long can be cracked in a matter of
    hours by systematically trying every combination
    of 40 bits until the correct one is discovered,
    and 56-bit DES keys were being recovered in
    under three days by 1998. Today 128 bits is the
    accepted minimum for symmetric keys.

63
Algorithms Used for Encryption
  • DES (Data Encryption Standard) was one of the
    first widely used symmetric encryption
    algorithms.
  • It takes a 64-bit key, of which 56 bits are
    actually used (the other 8 are parity bits),
    encrypts data in 64-bit blocks, and runs its
    round function 16 times to produce the encrypted
    data.
  • DES can be used in one of four modes (ECB, CBC,
    CFB, and OFB), listed on page 688 of the text.
    The mode matters: ECB encrypts each block
    independently, so identical plaintext blocks
    produce identical ciphertext blocks.
  • Additional examples of symmetric encryption
    include Skipjack and Blowfish. DES itself is
    obsolete; AES replaced it as the U.S. standard in
    2001.

64
Algorithms Used for Encryption (Continued)
  • The U.S. National Security Agency (NSA) developed
    Skipjack.
  • The Skipjack algorithm uses 80-bit keys and
    64-bit blocks, is repeated for 32 rounds to
    produce ciphertext, and can run using all four
    modes that DES uses.
  • Blowfish is an encryption algorithm that accepts
    variable-length keys, from 32 bits to 448 bits.
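
The DES structure described on slide 63 (a 64-bit block, 16 rounds, a per-round subkey feeding a round function) and two of its modes, as an added example that is not code from the i-Net+ Guide. The cipher below is a toy Feistel network whose round function is built from SHA-256: it has DES's shape but is not DES and must not be used for real data. The key, plaintext and IV in the usage block are made up; the point of the example is that in ECB mode repeated plaintext blocks show through as repeated ciphertext blocks while CBC hides them.

```python
# Added example (not from the i-Net+ Guide): a toy 64-bit Feistel block cipher in
# the shape of DES (16 rounds, one subkey per round) used to demonstrate the ECB
# and CBC modes.  The round function is SHA-256 based purely for illustration;
# this is NOT DES and is not a secure cipher.
import hashlib

BLOCK = 8          # 64-bit block, as in DES
ROUNDS = 16        # as in DES


def _subkeys(key):
    # DES permutes the key into 48-bit subkeys; here we simply hash key || round number.
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]


def _f(half, subkey):
    # Round function: 32-bit half-block and subkey in, 32 bits out.
    return hashlib.sha256(subkey + half).digest()[:4]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block, subkeys):
    left, right = block[:4], block[4:]
    for k in subkeys:
        left, right = right, _xor(left, _f(right, k))
    return right + left          # final swap so decryption is the same network, keys reversed


def encrypt_block(key, block):
    return _feistel(block, _subkeys(key))


def decrypt_block(key, block):
    return _feistel(block, _subkeys(key)[::-1])


def _pad(data):                  # PKCS#7-style padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


def ecb_encrypt(key, data):
    data = _pad(data)
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return _unpad(b"".join(decrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)))


def cbc_encrypt(key, data, iv):
    # Each plaintext block is XORed with the previous ciphertext block (the IV first).
    data, prev, out = _pad(data), iv, []
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data, iv):
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Number of 8-byte ciphertext blocks that duplicate an earlier one (ECB leaks this)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key, iv = b"0123456789abcdef", b"\x00" * BLOCK            # made-up key and IV
    msg = b"ATTACK AT DAWN. " * 3                            # repeating plaintext
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, msg, iv)))
```

The Feistel structure is why DES decrypts with the same circuit run with the subkeys in reverse order; the mode layer on top is separate from the cipher, which is why the same four modes apply to Skipjack.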

65
Asymmetric or Public Key Encryption
  • (RC2, RC4, and RC5, described here, are actually
    symmetric ciphers from RSA Security; the
    asymmetric part of this topic is the digital
    envelope on the next slide.)
  • RC2 was designed to replace DES, and uses the
    same 64-bit block size as DES but it processes
    data much faster.
  • In the export-grade versions used in early SSL, a
    short (40-bit) secret key was combined with an
    additional block of non-secret data sent in the
    clear, called the salt, to fill out the key
    length. The salt does not add to the effective
    key strength; it only forces an attacker to
    search again for each salt value.
  • Because RC2 can be exchanged for DES without a
    lot of reprogramming, it is called a drop-in
    technology.

66
Asymmetric or Public Key Encryption (Continued)
  • RC4 is a stream cipher, not a block cipher: it
    takes a variable-size key and produces a
    keystream that is XORed with the data byte by
    byte. Its statistical biases are now well known
    and it is prohibited in TLS (RFC 7465).
  • RC5 is more advanced, using variable block and
    key sizes and varying the number of times the
    round function is applied.
  • When a session key has been encrypted using
    asymmetric encryption (with the recipient's
    public key), the session key is said to be
    enclosed and is called a digital envelope; the
    message itself is encrypted with the faster
    symmetric session key.
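
The digital envelope as a working exchange, as an added example that is not from the i-Net+ Guide: the sender picks a fresh session key, wraps it with the recipient's public key, and encrypts the body with the session key; the recipient unwraps the key with the private key and decrypts the body. RSA is done with small textbook parameters and the symmetric cipher is a SHA-256 keystream XOR, both chosen so the example runs with the standard library alone; the primes, keys and message are made up, and nothing here is padded or authenticated, so it is for illustration only.

```python
# Added example (not from the i-Net+ Guide): a digital envelope.  The session key
# is encrypted with the recipient's public key; the message is encrypted with the
# session key.  Textbook RSA with toy primes and a SHA-256 keystream stand in for
# real algorithms; no padding, no authentication.  Illustration only.
import hashlib
import os


def rsa_keypair(p=1000003, q=1000033, e=65537):
    """Toy RSA key pair from two small primes (assumed); real keys use primes of 1024+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # public key, private key


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def stream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (same call decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


KEY_BYTES = 4      # session key size chosen so its integer fits below the toy modulus


def seal(recipient_pub, message):
    """Sender: fresh session key, wrapped with RSA; body encrypted with the session key."""
    session_key = os.urandom(KEY_BYTES)
    wrapped = rsa_encrypt(recipient_pub, int.from_bytes(session_key, "big"))
    return {"wrapped_key": wrapped, "body": stream_xor(session_key, message)}


def open_envelope(recipient_priv, envelope):
    """Recipient: unwrap the session key with the private key, then decrypt the body."""
    session_key = rsa_decrypt(recipient_priv, envelope["wrapped_key"]).to_bytes(KEY_BYTES, "big")
    return stream_xor(session_key, envelope["body"])


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    env = seal(pub, b"meet at the usual place at nine")        # made-up message
    print("wrapped session key:", env["wrapped_key"])
    print("encrypted body:", env["body"].hex())
    print("opened:", open_envelope(priv, env))
```

The split is what makes public-key encryption practical: RSA is slow and can only encrypt something smaller than its modulus, so it is used once per message to protect a small key, and the bulk data goes through the fast symmetric cipher. In a real system the wrapping uses RSA-OAEP (or a key agreement such as ECDH) and the body an authenticated cipher such as AES-GCM.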

67
Pretty Good Privacy Encryption
  • Pretty Good Privacy (PGP) is another encryption
    program (its message format is standardized as
    OpenPGP).
  • It is used to
    • Encrypt and decrypt messages that are sent over
      the Internet.
    • Send digital signatures to ensure the identity of
      the sender.
    • Verify that the message was not altered during
      transmission.

68
Secure MIME
  • The secure version of MIME is S/MIME
    (Secure/Multipurpose Internet Mail Extensions).
  • S/MIME uses public key encryption with X.509
    certificates to sign and encrypt e-mail, and
    competes with PGP for the same job.

69
Hashing
  • With hashing, the data (whether or not it is also
    encrypted) is run through a series of
    calculations that produce a fixed-length output
    called a message digest, or hash.
  • Because the hash cannot be turned back into the
    data it was computed from, hashing is a one-way
    operation.
  • Therefore, hashing is sometimes called one-way
    encryption, although no key is involved.
  • Some common algorithms used for hashing are SHA-1
    (Secure Hash Algorithm 1), designed by the NSA
    and published by NIST, and MD5 (Message Digest
    5), designed by Ron Rivest of RSA. Both are now
    broken for collision resistance and should be
    replaced by SHA-2 or SHA-3 in new designs.
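
What a message digest gives you and what it does not, as an added example (not code from the i-Net+ Guide). A bare hash lets the receiver detect accidental corruption, but a man in the middle who changes the message can recompute the hash too; a keyed digest (HMAC) with a secret known only to the two ends is what actually checks that "the message was not altered during transmission". The shared secret and messages are made up.

```python
# Added example (not from the i-Net+ Guide): fixed-length digests, and why a bare
# hash is not an integrity check against an active attacker while a keyed one is.
# The shared secret and the messages are made up.
import hashlib
import hmac


def digest(data, algo="sha256"):
    """Hex digest of `data`; the length depends only on the algorithm, never on the input."""
    return hashlib.new(algo, data).hexdigest()


def send_plain(msg):
    return msg, digest(msg)


def check_plain(msg, tag):
    return digest(msg) == tag


def send_keyed(key, msg):
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_keyed(key, msg, tag):
    # Constant-time compare, so timing does not leak how many bytes matched.
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).hexdigest(), tag)


def tamper(msg, tag, keyed=False):
    """A man in the middle rewrites the amount.  Without the key he can only
    replay the old tag; with a bare hash he just recomputes it."""
    new_msg = msg.replace(b"100.00", b"999.00")
    return new_msg, (tag if keyed else digest(new_msg))


if __name__ == "__main__":
    msg = b"pay alice 100.00"
    m, t = send_plain(msg)
    print("plain hash, after tampering, still verifies:", check_plain(*tamper(m, t)))
    key = b"shared-secret"
    m, t = send_keyed(key, msg)
    print("HMAC, after tampering, verifies:", check_keyed(key, *tamper(m, t, keyed=True)))
```

A digital signature (slide 53) is the public-key counterpart: it protects integrity the same way but can be verified by anyone holding the public key, which an HMAC cannot.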

70
Virtual Private Networks
  • A virtual private network (VPN) uses a public
    network to provide a secure connection between
    two parts of a private network or between a
    remote user and the network.
  • VPNs are gaining popularity with businesses
    because they offer networking capabilities at
    reduced costs.

71
Tunneling
  • Tunneling is a process by which a packet is
    encapsulated in a secure protocol before it is
    sent over a public network.
  • In VPNs that deal with the Internet, the packets
    are encapsulated in one of several competing
    secure protocols before they are embedded in the
    IP protocol to travel the Internet.
  • Figure 11-51 shows an example of tunneling.

72
Tunneling (Continued)
73
Data Link Layer Protocols
  • Three tunneling protocols operate at the Data
    Link layer of the OSI model: L2F, PPTP, and L2TP.
  • PPTP (Point-to-Point Tunneling Protocol) was for
    years the most common tunneling protocol.
  • PPTP is based on Point-to-Point Protocol (PPP),
    the IETF remote-access standard (RFC 1661) that
    is used by both the Windows and Macintosh
    operating systems for dial-up connections; PPTP
    itself was developed by a vendor group led by
    Microsoft. Its MS-CHAP authentication and MPPE
    encryption are now considered broken, so it
    should not be relied on for confidentiality.

74
Data Link Layer Protocols (Continued)
  • L2F (Layer 2 Forwarding) is a tunneling protocol
    that was developed by Cisco and which works in a
    way that is very similar to PPTP.
  • It requires that the ISPs on both ends support
    the L2F protocol.
  • L2TP (Layer 2 Tunneling Protocol) is a
    combination of PPTP and L2F that enables ISPs to
    operate VPNs.
  • These Data Link layer protocols encapsulate PPP
    frames so that they can be carried across the
    Internet, but L2F and L2TP provide no encryption
    of their own; L2TP is therefore normally run
    inside IPsec (L2TP/IPsec) for privacy.

75
IPsec
  • IPsec (Internet Protocol Security) was developed
    by the Internet Engineering Task Force (IETF) to
    be used as a standard platform for creating
    secure networks and electronic tunnels.
  • IPsec is a suite of protocols that is used for
    secure private communications over the Internet:
    AH authenticates packets, ESP encrypts and
    authenticates them, and IKE negotiates the keys.
  • IPsec uses three kinds of keys: the public and
    private keys (or a pre-shared secret) with which
    the two gateways authenticate each other during
    IKE, and the session keys that IKE derives for
    AH and ESP. See Figure 11-53 on page 696.
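
Tunneling (slide 71) and IPsec ESP in tunnel mode, as an added example that is not code from the i-Net+ Guide: the whole inner packet is encrypted and authenticated with the session keys, an outer header carrying the two gateways' addresses, a security parameter index and a sequence number is put in front of it, and the receiving gateway rejects packets whose sequence number it has already accepted. The header layout, the keystream cipher and the addresses are simplified stand-ins for ESP's real transforms and are assumed for the demonstration.

```python
# Added example (not from the i-Net+ Guide): tunnel-mode encapsulation in the
# style of IPsec ESP, with integrity check and anti-replay on the receiving side.
# The header layout and the keystream cipher are simplified stand-ins (assumed);
# addresses, keys and SPI are made up.
import hashlib
import hmac
import struct


class Tunnel:
    HDR = struct.Struct("!4s4sII")   # outer src, outer dst, SPI, sequence number (assumed layout)
    TAG = 16                         # ICV = HMAC-SHA256 truncated to 128 bits, as ESP does

    def __init__(self, spi, enc_key, auth_key, local, remote):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.local, self.remote = local, remote
        self.seq_out = 0             # next sequence number to send
        self.highest_seen = 0        # anti-replay state on the receive side
        self.window = set()          # sequence numbers already accepted (pruned below)

    def _keystream(self, seq, n):
        # Toy cipher: SHA-256 counter keystream keyed by the session key and the
        # sequence number, so the same inner packet never encrypts the same way twice.
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.enc_key + struct.pack("!II", seq, counter)).digest()
            counter += 1
        return out[:n]

    def _icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:self.TAG]

    def encapsulate(self, inner_packet):
        """Gateway on the sending side: encrypt, prepend outer header, append ICV."""
        self.seq_out += 1
        body = bytes(a ^ b for a, b in zip(inner_packet, self._keystream(self.seq_out, len(inner_packet))))
        hdr = self.HDR.pack(self.local, self.remote, self.spi, self.seq_out)
        return hdr + body + self._icv(hdr + body)

    def decapsulate(self, packet, replay_window=64):
        """Gateway on the receiving side: verify, reject replays, decrypt.  Returns None on any failure."""
        hdr_len = self.HDR.size
        if len(packet) < hdr_len + self.TAG:
            return None
        hdr, body, icv = packet[:hdr_len], packet[hdr_len:-self.TAG], packet[-self.TAG:]
        _src, _dst, spi, seq = self.HDR.unpack(hdr)
        if spi != self.spi or not hmac.compare_digest(self._icv(hdr + body), icv):
            return None                                    # not our SA, or tampered with
        if seq in self.window or seq <= self.highest_seen - replay_window:
            return None                                    # replayed or far too old
        self.window.add(seq)
        self.highest_seen = max(self.highest_seen, seq)
        self.window = {s for s in self.window if s > self.highest_seen - replay_window}
        return bytes(a ^ b for a, b in zip(body, self._keystream(seq, len(body))))


if __name__ == "__main__":
    # Made-up gateways 198.51.100.1 and 198.51.100.2 sharing one SA.
    gw_a = Tunnel(0x1001, b"enc-key", b"auth-key", b"\xc6\x33\x64\x01", b"\xc6\x33\x64\x02")
    gw_b = Tunnel(0x1001, b"enc-key", b"auth-key", b"\xc6\x33\x64\x02", b"\xc6\x33\x64\x01")
    inner = b"\x45\x00\x00\x1c" + b"inner IP packet payload"     # constructed inner packet
    pkt = gw_a.encapsulate(inner)
    print("on the wire:", pkt.hex())
    print("decapsulated:", gw_b.decapsulate(pkt))
    print("replayed copy:", gw_b.decapsulate(pkt))
```

The ICV is computed over the header as well as the body so that an attacker cannot splice a valid body under a different SPI or sequence number, and the replay check runs only after the ICV passes, so garbage cannot poison the window. Real ESP additionally pads the body, carries a next-header field, and derives separate keys per direction.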

76
VPN Hardware and Software
  • A VPN needs three components for optimum
    performance, though not all parts are necessary
    if the network doesn't need a high degree of
    security:
    • A security gateway that controls access to the
      private network.
    • A certificate authority (either internal or
      external to the company) to issue and revoke
      the digital certificates that vouch for the
      gateways' and users' public keys.
    • A security policy server to authenticate users
      trying to access the network.

77
VPN Hardware and Software (Continued)
  • A security gateway is a firewall that stands
    between the Internet and private network.
  • The security policy server is responsible for
    authenticating those users who have access to the
    private network.
  • It can be as simple as a Windows NT server that
    is managing user IDs and passwords, or it can be
    more sophisticated.

78
Summary
  • In a DDoS attack, a hacker has remote control of
    hundreds of computers over a large geographical
    area and commands them to send false requests to
    a Web server or other Internet device.
  • The Ping of Death sends an echo request whose
    fragments reassemble to more than 65,535 bytes,
    the largest IP datagram allowed; older systems
    could not handle this and crashed.
  • Another form of mail flooding occurs when
    mailboxes are inundated with spam, or unsolicited
    e-mail messages.

79
Summary (Continued)
  • Phishing occurs when an individual sends
    fraudulent e-mail messages pretending to be a
    legitimate business in hopes of enticing users to
    reveal sensitive information, such as bank
    account information, Social Security numbers, or
    credit card numbers.
  • Worms are self-replicating and can infect
    computers attached to the Internet or a local
    area network.

80
Summary (Continued)
  • A DMZ can be created using a screened host, a
    bastion host, a three-homed firewall, or a
    back-to-back firewall.
  • Digital certificates bind a public key to an
    identity, so that a digital signature can be
    verified as coming from the sender it claims.
  • Four tunneling protocols are currently used for
    virtual private networks L2F (Layer 2
    Forwarding), PPTP (Point-to-Point Tunneling
    Protocol), L2TP (Layer 2 Tunneling Protocol), and
    IPsec (Internet Protocol Security)