46 Pages

1418836796_ch01

Course: ITSY 2430, Fall 2008
School: Del Mar College
Word Count: 17957

9/13/2005 36694_01 8:15:59 Page 1

CHAPTER 1
NETWORK DEFENSE FUNDAMENTALS

After reading this chapter and completing the exercises, you will be able to:
- Explain the fundamentals of TCP/IP networking
- Describe the threats to network security
- Explain the goals of network security
- Describe a layered approach to network defense
- Explain how network security defenses affect your organization

This chapter introduces you to the fundamental network security concepts you need to know. Some material might be a review for you, but it will serve to get you warmed up. To secure a network, understanding the TCP/IP protocol suite is vital. You review IP addressing briefly, and then move on to examining the guts of packets and seeing how attackers can use them to breach your network defenses. You also see how your knowledge of protocols can be used to block harmful communications.

Next, you learn about different kinds of intruders and threats to network security, such as malicious code and natural disasters. Attackers have many motivations for hacking into networks, and your job is to figure out what they're doing (before they do it, if possible) and to prevent them from carrying out their plans.

When you're warmed up, you'll dive in to the goals of network security. You learn about the challenges of ensuring privacy, confidentiality, integrity, and availability for your network resources. Your organization's security policy (covered in Chapters 2 and 3) is the first step toward defining specific security goals.

After reviewing the basics, you'll dig in to the real meat of network defense technologies. You discover how layering technologies can ensure better protection than any single technology used alone. The method of layering defenses is called defense in depth (DiD). Although you'll probably encounter some concepts that seem overwhelming, don't worry about that now. Ancient Techno-ese secrets will be shared, and you will soon know all.

Copyright 2005 by Thomson Course Technology. All rights reserved. This publication is protected by federal copyright law. No part of this publication may be reproduced without prior permission in writing from Course Technology. Some of the product names and company names have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.

TCP/IP NETWORKING REVIEW

Transmission Control Protocol/Internet Protocol (TCP/IP) is actually a suite of many protocols that allow information to be transmitted from point to point on a network. This section gives you a refresher on networking basics, such as IP addressing, packet structures, and header information. You also review how to determine a local computer's IP address.

The Open Systems Interconnect (OSI) Model

You're probably familiar with the Open Systems Interconnection (OSI) model of network communications, which divides communications into seven separate layers. TCP/IP has its own stack of protocols that roughly correspond to these layers. The two models are shown in Figure 1-1.

[Figure 1-1 The OSI model and the TCP/IP stack. The figure places the seven OSI layers (Application, Presentation, Session, Transport, Network, Data link, Physical) beside the four TCP/IP layers (Application layer, Transport layer, Internet layer, Network interface layer) and lists example protocols: FTP, SMTP, DHCP, DNS, TFTP, SNMP, Telnet, and HTTP at the Application layer; TCP and UDP at the Transport layer; IP, ICMP, ARP, and RARP at the Internet layer.]

You should be familiar with most of these protocols and their functions.
If you need a quick refresher on the TCP/IP stack, the OSI model, and the major protocols operating at different layers, simply run an Internet search on "TCP/IP and the OSI Model." Dozens of helpful sites are available for every level of knowledge, such as www.tcpipguide.com/free/index.htm.

IP Addressing

One way attackers can gain access to your network is by determining the IP addresses of computers. After they have an address, they can attempt to take over the computer and use it to launch attacks on other computers in the network or access resources on the network. Therefore, one of the fundamental requirements of network security is to understand IP addresses and other network addresses so that you can conceal or change them to deter attackers.

IP addresses currently in use on the Internet conform to Internet Protocol version 4 (IPv4), which calls for addresses with 32 bits or 4 bytes of data. Each of the 4 bytes (which is also called an octet) in an IP address has a value between 0 and 255, and each octet is separated by dots, as in 192.168.10.1. An IP address consists of two main parts:
- The network address, the part of the address shared among computers in a network
- The host address, which is unique to a computer in its subnet

These two parts are combined with a third value, the subnet mask, which tells another computer which part of the IP address is the network address and which part is the host address.

IP addresses are valuable commodities. If attackers can find a computer's IP address, they can run a port scan to look for open ports that can be exploited. If you can hide IP addresses, you can prevent certain attacks. To hide the addresses of computers on your network, you can use Network Address Translation (NAT) to translate your private network's nonroutable internal addresses into the address of the NAT server's external interface connected to the Internet, thereby hiding the internal addresses.

Security is not the only reason for using NAT. The Internet has grown at a rate not expected by those who created the IPv4 32-bit addressing scheme. Today, IP addresses are in short supply, so Internet Protocol version 6 (IPv6) is under development. By sharing one or more of the NAT server's IP addresses with internal hosts, NAT has allowed more time to work out the details of IPv6. You can also use a proxy server to effectively conceal IP addresses of internal machines (see Figure 1-2).

Technology standards are explained in documents called Requests for Comments (RFCs). You can look up RFCs at www.rfc-editor.org.

IPv6, specified in RFC 2460, has several improvements over IPv4. IPv6 is autoconfiguring and incorporates Internet Protocol Security (IPSec, explained in Chapter 5) for authentication and encryption. IPv6 addresses are 128 bits, increasing the number of possible addresses from about 4 billion to 3.4 × 10^38. That's 34 with 37 zeros. How would you like that number for a bank balance?

[Figure 1-2 Proxy servers concealing IP addresses on the internal network. Labels in the figure: Internet; proxy server presents this IP address: 156.23.56.7; dual-homed host with proxy server, IP address 10.1.1.1/24; LAN gateway; proxy server's internal interface IP address: 192.168.23.1; router; Web server 10.1.1.26; E-mail server 10.1.1.29; FTP server 10.1.1.33.]

In IPv4, addresses are separated into address categories called classes. An IP address class is determined by the number of its networks compared to the number of its hosts.
For example, a Class A address uses 8 bits for the network portion of the address and 24 bits for the host portion. The classes have been divided as shown in Table 1-1. Remember that private network addresses can never be used on the public Internet.

Table 1-1 IP address classes

Class   | First Octet Decimal Range | Default Subnet Mask | Reserved Private Address Range                                                        | Purpose
Class A | 1-127                     | 255.0.0.0           | 10.0.0.1 to 10.255.255.254 (127.0.0.1 reserved for TCP/IP local interface testing) | Large corporations and governments
Class B | 128-191                   | 255.255.0.0         | 172.16.0.1 to 172.16.255.254                                                       | Medium networks
Class C | 192-223                   | 255.255.255.0       | 192.168.0.1 to 192.168.255.254                                                     | Small networks
Class D | 224-239                   | N/A                 | N/A                                                                                | Multicasting
Class E | 240-254                   | N/A                 | N/A                                                                                | Experimentation

You can find a number of IP address calculators on the Web; an excellent one is at www.subnetmask.info/. For more on IP addresses and subnets, refer to Guide to TCP/IP, Second Edition, by Ed Tittel and Laura Chappell (Thomson Course Technology, 2004, ISBN 0-619-21242-X).

Activity 1-1: Determining Your Computer's IP Address

Time Required: 10 minutes

Objective: Determine the IP address of your computer.

Description: Every computer connected to the Internet is assigned an IP address. Often the address is dynamically generated and changes from session to session. With some DSL connections and many T-1 or other connections, a static IP address is used. ISDN connections also use a static IP address; however, for dial-up users, the Internet service provider (ISP) assigns an address dynamically at the time of the connection. In this activity, you use the Ipconfig command to determine your computer's IP address.

1. Power on your computer, if necessary.
2. Click Start, point to All Programs, point to Accessories, and then click Command Prompt to open a command prompt window. (You can also click Start, Run, type cmd, and click OK.)
3. At the command prompt, type ipconfig /all. (Be sure to leave a single blank space between ipconfig and the forward slash.)
4. Press Enter. The screen displays your IP address as well as other information. Your IP address is four numbers separated by periods. In some cases, you might have several addresses. The IP address assigned to your Ethernet adapter is the external address.
5. Write down your IP address, subnet mask, and default gateway address on the following lines. In addition, write down the address assigned to your Ethernet adapter, if applicable.
6. Type exit and press Enter to close the command prompt window. Leave your system running for the next activity.

For a complete listing of Ipconfig commands, type ipconfig /? at the command prompt.

Exploring IP Packet Structure

TCP/IP is packet-based; it gives computers a fairly simple framework for transmitting information in small packages called packets. Unfortunately, TCP/IP packets give attackers another way to gain entry into a network.
They can intercept packets and falsify the information in them or manipulate the packets in a way that makes it impossible for receiving servers to respond, which then disables those servers and opens the network to attack.

IP Datagrams

TCP/IP is transmitted along networks as discrete chunks called packets or datagrams. Each complete message is usually separated into multiple datagrams. In addition, each datagram contains information about the source and destination IP addresses, a variety of control settings, and the actual data exchanged by the client and host.

Each IP datagram is divided into different sections. The primary subdivisions are the header and the data, described in the following sections. Besides the header and data sections, some packets have an additional segmented section at the end called a footer (or sometimes trailer) containing data that indicates it's the end of the packet. An error-checking algorithm, called a Cyclic Redundancy Check (CRC), might also be added.

IP Header Structure

The data in an IP packet is the part that end users see, but the header is the part that computers use to communicate, and it plays an important role in terms of network security and intrusion detection. An IP header (similar to a TCP header, described in "TCP Headers" later in this chapter) contains a number of components. Figure 1-3 shows a common way of depicting the information in an IP header, which is divided into different sections of 32-bit layers.

[Figure 1-3 IP header structure. The figure shows the header as 32-bit rows: Header version (4 bits), Header length (4 bits), Type of service (8 bits), Total length (16 bits); Identification (16 bits), Flags (3 bits), Fragment offset (13 bits); Time to live (8 bits), Protocol (8 bits), Header checksum (16 bits); Source IP address (32 bits); Destination IP address (32 bits); Options; Data.]

It's helpful to divide the IP header sections into components because they have varying degrees of value for configuring packet filters. Each section has varying importance to attackers, too, so it's vital to know what each one does to protect against different types of attacks. These are the components in the IP header structure:

- Header version: This component identifies the IP version used to generate the packet.
- Header length: This component describes the length of the header in 32-bit words and is a 4-bit value. The default value is 20.
- Type of service: This component expresses the quality of service in the transmission of the packet through the network. Four options are available: minimize delay, maximize throughput, maximize reliability, and minimize cost. Most IP network setups don't enable an application to set this value.
- Total length: This 16-bit field specifies the packet's total length to a maximum of 65,535 bytes.
- Identification: This 16-bit value helps divide the data stream into packets of information. The receiving computer (possibly a firewall) uses each packet's identification number to reassemble the packets that make up the data stream in the correct order.
- Flags: This 3-bit value indicates whether the packet is a fragment (one packet within a sequence of packets that make up an entire communication) and whether it's the last fragment or more are to follow.
- Fragment offset: If the data received is a fragment, this value indicates where it belongs in the sequence of fragments so that a packet can be reassembled.
- Time to live (TTL): This 8-bit value identifies the maximum time the packet can remain in the system before it's dropped. Each router or device the packet passes through reduces the TTL by a value of one.
- Protocol: This component identifies the type of transport packet being carried (for example, 1 = ICMP, 2 = IGMP, 6 = TCP, and 17 = UDP).
- Header checksum: This component is the sum of the 16-bit values in the packet header expressed as a single value.
- Source IP address: This component is the address of the computer or device that sent the IP packet.
- Destination IP address: This component is the address of the computer or device receiving the IP packet.
- Options: This component can include items such as a security field and several source routing fields that the packet sender uses to supply routing information. Gateways can then use this routing information to send the packet to its destination.

Programs that capture packets as they pass through a network interface give you another way to view packet header information. Most network operating systems (OSs) have some type of built-in or add-on program to monitor network activity, such as Windows Network Monitor. Many security administrators, however, prefer third-party applications for their versatility and extra features. One such program called Ethereal tracks packets and supplies detailed information on them (see Figure 1-4).
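To make the header fields above and the address classes of Table 1-1 concrete, the following Python script is an added example for this page; it is not code from the textbook. It assembles a constructed 20-byte IPv4 header with the struct module, parses it back into the fields just listed (version, header length, identification, flags, fragment offset, TTL, protocol, checksum, source and destination addresses), verifies the header checksum, and splits an address into network and host parts under a subnet mask. The addresses are taken from Figure 1-2; the class ranges follow Table 1-1, while the private-address test relies on Python's ipaddress module (RFC 1918 ranges) rather than the table's own ranges.

```python
import ipaddress
import struct

# Protocol numbers named in the chapter's description of the Protocol field.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# First-octet ranges from Table 1-1.
CLASS_RANGES = (("A", 1, 127), ("B", 128, 191), ("C", 192, 223),
                ("D", 224, 239), ("E", 240, 254))

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def header_checksum(hdr):
    """IP header checksum: one's complement of the one's-complement sum of the
    header's 16-bit words. Run over a header whose checksum field is already
    filled in, a correct header yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, ttl=64, total_len=40, ident=0x1234,
                      dont_fragment=True, more_fragments=False, frag_offset=0):
    """Assemble a constructed IPv4 header (no options) for the example."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 words = 20 bytes
    flags = (int(dont_fragment) << 1) | int(more_fragments)
    flags_frag = (flags << 13) | frag_offset
    fields = [ver_ihl, 0, total_len, ident, flags_frag, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = header_checksum(struct.pack(IPV4_FMT, *fields))  # checksum over zeroed field
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(raw):
    """Split the fixed part of an IPv4 header into the fields listed in the chapter."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, raw[:20])
    header_len = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,   # position in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": header_checksum(raw[:header_len]) == 0,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


def address_class(addr):
    """Classful category of an IPv4 address by its first octet (Table 1-1)."""
    first = int(ipaddress.ip_address(addr)) >> 24
    for name, low, high in CLASS_RANGES:
        if low <= first <= high:
            return name
    return None


def describe_address(addr, mask):
    """Network and host parts under a subnet mask, plus class and whether the
    address is private (non-routable) according to the ipaddress module."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    return {
        "network": str(iface.network.network_address),
        "prefix": iface.network.prefixlen,
        "host": int(iface.ip) & int(iface.network.hostmask),
        "class": address_class(addr),
        "private": iface.ip.is_private,
    }


if __name__ == "__main__":
    # Constructed packet: TCP from the Web server to the proxy's internal interface (Figure 1-2).
    hdr = build_ipv4_header("10.1.1.26", "192.168.23.1", 6)
    for key, value in parse_ipv4_header(hdr).items():
        print(f"{key:16} {value}")
    damaged = bytearray(hdr)
    damaged[8] ^= 0x01                      # flip one bit of the TTL in transit
    print("damaged checksum_ok:", parse_ipv4_header(bytes(damaged))["checksum_ok"])
    print(describe_address("10.1.1.26", "255.255.255.0"))
    print(describe_address("156.23.56.7", "255.255.0.0"))
```

A filter that does not verify the checksum before reading the other fields can be steered by a corrupted header, which is why the parser reports checksum_ok alongside the decoded values rather than silently trusting them.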
IP Data

Firewalls, covered in Chapters 9 through 11, and virtual private networks (VPNs, covered in Chapters 5 and 6) can protect data in a packet in a number of ways. Firewalls inspect inbound and outbound traffic and compare it to a set of rules to decide whether the packet can pass. VPNs use the public Internet to send and receive, but they create a secure private tunnel for the transmission. A proxy server is another method of securing data. Proxies receive a packet from a host on the internal local area network (LAN) that they're protecting and completely rebuild the packet from scratch before sending it to its destination. The receiving computer then thinks the packet has come from the proxy server rather than the originating host.

[Figure 1-4 TCP/IP header information displayed by Ethereal]

IP Fragmentation

Fragmentation of IP packets was originally developed as a means of allowing large packets to pass through routers that couldn't handle them because of frame-size limitations. Routers were then able to divide packets into multiple fragments and send them along the network, where receiving routers reassembled them in the correct order and passed them along to their destination.

Fragmentation creates a number of security problems, however. Because the TCP or User Datagram Protocol (UDP) port number is supplied only at the beginning of a packet, it appears only in fragment number 0. Fragments numbered 1 or higher are passed through the filter without being scrutinized because they don't contain any port information. An attacker simply has to modify the IP header to make all fragment numbers of a packet start at 1 or higher. All fragments then go through the filter and can access internal resources.

To be safe, you should configure the firewall/packet filter to drop all fragmented packets, especially because fragmentation is seldom used now because of improvements in routers. You could also have the firewall reassemble fragmented packets and allow only complete packets to pass through.

ICMP Messages

Internet Control Message Protocol (ICMP) is a protocol designed to assist TCP/IP networks with troubleshooting communication problems. When used correctly, ICMP produces messages that tell a host whether another host can be reached through a ping signal. A firewall or packet filter must be able to determine, based on a packet's message type, whether an ICMP packet should be allowed to pass. Table 1-2 lists some common ICMP type codes.
Table 1-2 ICMP type codes

ICMP Type | Name                        | Possible Cause
0         | Echo Reply                  | Normal response to a ping
3         | Destination Unreachable     | Host is listed on the network but cannot be contacted
4         | Source Quench               | Router receiving too much traffic
5         | Redirect                    | Faster route located
6         | Destination Network Unknown | Network cannot be found
7         | Destination Host Unknown    | Host cannot be found on the network
8         | Echo Request                | Normal ping request
11        | Time Exceeded               | Too many hops to a destination
12        | Parameter Problem           | There is a problem with the IP header and the packet cannot be processed

You'll find a complete list of ICMP message types at www.iana.org/assignments/icmp-parameters.

TCP Headers

TCP/IP packets don't contain just IP header information. They also contain TCP headers (shown in Figure 1-5) that provide hosts with a different set of flags, and give attackers a different set of components they can misuse in an attempt to attack networks. From a security standpoint, the Flags section (labeled as "Offset reserved" in Figure 1-5) of a TCP header is important because it's the one you can filter for when you create packet-filtering rules. For example, the TCP header portion of a TCP packet that has an acknowledgement (ACK) flag set to 1 rather than 0 indicates that the destination computer has received the packets that were sent previously. RFC 793 includes specifications for these six control flags in a TCP header:
- URG (urgent)
- ACK (acknowledgment)
- PSH (push function, which forces TCP to forward and deliver data)
- RST (reset the connection)
- SYN (synchronize sequence numbers)
- FIN (finished: no more data from the sender)
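The following Python script is an added example, not code from the textbook, showing how a simple inbound packet filter would act on the points made in the last three sections: it drops fragments because port numbers are visible only in fragment 0, judges ICMP packets by the type codes of Table 1-2, and judges TCP packets by the RFC 793 control flags above (a set ACK flag marks traffic belonging to an already established connection). The policy values (which ICMP types to admit, which TCP and UDP ports are published) are assumptions chosen for the illustration, the rule rejecting SYN and FIN set together is a general filtering practice rather than something the chapter states, and all sample packets are constructed inline.

```python
import struct

# RFC 793 control flags, as listed in the chapter; values are the bit positions
# in the low 6 bits of the TCP "offset / reserved / flags" word.
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
TCP_FMT = "!HHIIHHHH"    # fixed 20-byte TCP header of Figure 1-5

# Assumed inbound policy for the example (not from the textbook): the Web server
# is published on TCP 80, DNS must pass on UDP 53, and only three ICMP types
# from Table 1-2 are admitted (Echo Reply, Destination Unreachable, Time Exceeded).
POLICY = {
    "tcp_ports_open": {80},
    "udp_ports_open": {53},
    "icmp_types_allowed": {0, 3, 11},
}


def parse_tcp_header(raw):
    """Decode ports, sequence numbers, data offset and the six control flags."""
    src_port, dst_port, seq, ack, off_flags, window, _checksum, _urgent = \
        struct.unpack(TCP_FMT, raw[:20])
    bits = off_flags & 0x3F
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,    # header length in bytes
        "flags": {name: bool(bits & bit) for name, bit in TCP_FLAGS.items()},
        "window": window,
    }


def tcp_header(src_port, dst_port, *flag_names):
    """Build a constructed TCP header with the named flags set (sample input only)."""
    bits = sum(TCP_FLAGS[name] for name in flag_names)
    off_flags = (5 << 12) | bits              # 5 words = 20-byte header, no options
    return struct.pack(TCP_FMT, src_port, dst_port, 1000, 0, off_flags, 8192, 0, 0)


def make_packet(protocol, payload, more_fragments=False, fragment_offset=0):
    """The IP-level facts the filter needs, as decoded from the IP header."""
    return {"protocol": protocol, "payload": payload,
            "more_fragments": more_fragments, "fragment_offset": fragment_offset}


def filter_packet(pkt, policy=POLICY):
    """Return ("accept" | "drop", reason) for one inbound packet."""
    # Chapter's fragment rule: ports exist only in fragment 0, so a filter that
    # does not reassemble drops every fragment rather than trusting later pieces.
    if pkt["fragment_offset"] > 0 or pkt["more_fragments"]:
        return "drop", "fragmented packet: transport ports not visible"
    proto, payload = pkt["protocol"], pkt["payload"]
    if proto == "ICMP":
        icmp_type = payload[0]                # ICMP type is the first byte of the message
        if icmp_type in policy["icmp_types_allowed"]:
            return "accept", f"ICMP type {icmp_type} permitted inbound"
        return "drop", f"ICMP type {icmp_type} not permitted inbound"
    if proto == "TCP":
        tcp = parse_tcp_header(payload)
        f = tcp["flags"]
        if f["SYN"] and f["FIN"]:
            return "drop", "SYN and FIN set together is not a legitimate segment"
        if f["ACK"]:
            return "accept", "ACK set: segment within an established connection"
        if tcp["dst_port"] in policy["tcp_ports_open"]:
            return "accept", f"new connection to published TCP port {tcp['dst_port']}"
        return "drop", f"new connection to unpublished TCP port {tcp['dst_port']}"
    if proto == "UDP":
        _src, dst_port, _length, _checksum = struct.unpack("!HHHH", payload[:8])
        if dst_port in policy["udp_ports_open"]:
            return "accept", f"UDP port {dst_port} permitted"
        return "drop", f"UDP port {dst_port} not permitted"
    return "drop", f"protocol {proto} not permitted"


# Constructed sample traffic for the example.
SAMPLES = {
    "syn_to_web":      make_packet("TCP", tcp_header(40000, 80, "SYN")),
    "syn_to_telnet":   make_packet("TCP", tcp_header(40001, 23, "SYN")),
    "reply_to_client": make_packet("TCP", tcp_header(443, 50000, "ACK", "PSH")),
    "syn_fin_segment": make_packet("TCP", tcp_header(40002, 80, "SYN", "FIN")),
    "late_fragment":   make_packet("TCP", b"\x00" * 8, fragment_offset=1),
    "first_fragment":  make_packet("TCP", tcp_header(40003, 80, "SYN"), more_fragments=True),
    "ping_reply":      make_packet("ICMP", bytes([0, 0, 0, 0])),
    "ping_request":    make_packet("ICMP", bytes([8, 0, 0, 0])),
    "dns_query":       make_packet("UDP", struct.pack("!HHHH", 53000, 53, 8, 0)),
    "snmp_query":      make_packet("UDP", struct.pack("!HHHH", 53001, 161, 8, 0)),
}


def run_samples():
    """Verdict for every sample packet, keyed by sample name."""
    return {name: filter_packet(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:16} {verdict:6} {reason}")
```

The ACK rule is the classic stateless approximation of "established": it admits anything claiming to be part of an existing conversation, which is exactly why later chapters move to stateful inspection. Dropping all fragments is the chapter's recommended setting; the alternative it mentions, reassembling before filtering, needs the Identification and Fragment offset fields of the IP header.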
[Figure 1-5 A TCP header. Fields shown: 16-bit Source port and Destination port; 32-bit Sequence number; Acknowledgement number (ACK); Offset, reserved, and Flags (U A P R S F); Window; Checksum; Urgent pointer; Options and padding.]

UDP Headers

UDP provides a datagram transport service for IP, but this protocol is considered unreliable because it's connectionless. In other words, a UDP packet doesn't depend on an actual connection being established from host to client. This makes it easier for an attacker to send a malformed or dangerous UDP packet to a client. UDP is used for broadcasting messages or for protocols that don't require the same level of service as TCP. For example, Simple Network Management Protocol (SNMP) and Trivial File Transfer Protocol (TFTP) are normally used on LANs, where packet loss is less of a problem.

Attackers can scan for open UDP services to exploit by sending empty UDP datagrams to a suspected open port. If the port is closed, the system sends back an ICMP Destination Unreachable message (type 3). UDP packets have their own headers, as shown in Figure 1-6, in addition to the data part of the packet. UDP is described in detail in RFC 768.

[Figure 1-6 A UDP packet header and data. Fields shown: Source port, Destination port, Length, Checksum, Data.]

Activity 1-2: Downloading and Installing a Network Traffic Analyzer

Time Required: 45 minutes

Objective: Monitor and analyze network traffic.

Description: To get a better idea of what TCP/IP packet headers look like, using a network traffic analyzer to capture packets as they enter or leave your network can be helpful. In this activity, you download and use Ethereal to observe packets. You also need to download and install a packet capture utility called WinPcap for running Ethereal. To do this activity, you must stop any firewall programs you're running currently.

1. Start your Web browser, enter the URL for the WinPcap Web site (http://winpcap.org), and then press Enter.
2. Click Downloads on the left side of the page.
3. Start to download WinPcap by clicking the WinPcap auto-installer (driver + DLLs) link for the latest version of the software.
4. When the File Download dialog box opens, click Run. If you see a security warning about an unknown publisher, click Run again. The file is downloaded to a temporary directory on your computer, and the WinPcap setup utility opens automatically.
5. Click Next in the first setup window.
6. Click the I Agree button. In the Completing the WinPcap 3.1 Setup Wizard window, click Finish. Restart your computer to complete the installation.
7. Start your Web browser, enter the URL for the Ethereal Web site (http://www.ethereal.com), and then press Enter.
8. Click Download to go to the Ethereal: Download page.
9. Under Official Releases, click the Main Site link next to Windows.
10. Scroll down the Ethereal for Windows page and click the latest ethereal-setup[version number].exe file.
11. When the File Download dialog box opens, click Run. If you see a security warning about an unknown publisher, click Run again. Then click Next to continue the setup.
12. In the Ethereal Setup: License Agreement window, click I Agree.
13. In the Choose Components window, accept all defaults, and then click Next.
14. If the Select Additional Tasks window is displayed, accept all defaults and click Next.
15. In the Choose Install Location dialog box, select the directory where you want to install the software, and click Next.
16. If necessary, in the Install WinPcap? window, click to clear the Install WinPcap 3.1 beta 4 check box to keep your current version of WinPcap, and then click Install. The Installing dialog box opens, displaying a series of messages about the installation progress. When you see the message Installation Complete, click Next and then click Finish.
17. Click Start, point to All Programs, point to Ethereal, and click Ethereal. The Ethereal Network Analyzer window opens.
18. Click Capture, Options from the Ethereal menu. If you see a warning, click OK, and then click Capture, Options from the Ethereal menu again.
19. Click the Interface list arrow, and select your network interface device in the drop-down list. Click the Start button at the bottom of the Options dialog box. The Ethereal: Capture dialog box opens with a series of 0% readings, reporting that no data has been captured yet.
20. Click Start, point to All Programs, point to Accessories, and click Command Prompt to open a command prompt window.
21. At the command prompt, type ping IPaddress (substituting the IP address you found in Activity 1-1 for IPaddress).
22. Click Stop at the bottom of the Ethereal: Capture dialog box. A wealth of information about the packets that have passed through your network gateway should appear in the main Ethereal window. The first line should contain information about your ping request. Write down what protocol is listed, and explain what the abbreviations mean. (Hint: Look at the middle section of the Ethereal window, where detailed information about the packet is displayed.)
23. Type exit and press Enter to close the command prompt window.
24. Click File, Quit from the Ethereal menu, and then click Continue without saving to close the Ethereal window and return to the Windows desktop. Leave your system running for the next activity.

Domain Name Service (DNS)

Domain Name Service (DNS) is a general-purpose service used mainly on the Internet. DNS servers translate host names to IP addresses used to identify the host computer. To connect to Web sites, users need a DNS server that can translate the fully qualified domain names (FQDNs) they enter, such as www.course.com, to the corresponding IP addresses so that the appropriate computers can connect to one another. In terms of network security, DNS is important because it gives network administrators another tool for blocking unwanted communication.
With firewalls, Web browsers, and proxy servers, administrators can enter DNS names to block Web sites containing content thats considered offensive or unsuitable. In addition, networks that use DNS servers need to enable traffic through the DNS servers when packet filtering is set up. DNS can be exploited in many ways. Attackers often attempt buffer overflow, zone transfer, or cache poisoning attacks. In a DNS buffer overflow attack, an overly long DNS name is sent to the server. When the server is unable to process or interpret the DNS name, it cant process other requests. A DNS cache poisoning attack exploits the fact that every DNS packet contains a Question section and an Answer section. An older, more vulnerable server has stored answers that are sent in response to requests to connect to DNS addresses. Attackers can break into the cache to discover the DNS addresses of computers on the network. Most (but not all) DNS servers, however, have since been patched to eliminate this vulnerability. DNS zone files contain a list of every DNS-configured host on a network as well as their IP address. Microsoft DNS-enabled networks also list all services running on DNS-configured hosts. When an attacker attempts to penetrate the network, the DNS zone file can provide a list of exploitable targets on the internal network. When configuring DNS servers connected to the Internet, you should disable zone transfers to all hosts except those internal to the network. Internal hosts must be able to transfer zone information to update their records. Encryption Packet filters, firewalls, and proxy servers provide protection for packets of information that pass through a gateway at the perimeter of a network or subnet. However, corruption can also occur between the sending gateway and the gateway of the destination network. 
To protect a packet's contents from being intercepted, firewalls and other security components often encrypt the contents of packets leaving the network and are prepared to decrypt incoming packets. Encryption is the process of concealing information to render it unreadable to all but the intended recipients. Encryption turns ordinary (plaintext) information into encoded ciphertext.

Much of the encryption on the Internet makes use of digital certificates, electronic documents containing an encrypted series of numerals and characters called a digital signature, which authenticates the identity of the person sending the certificate. Certificates make use of keys, which are long blocks of encoded text generated by algorithms. The sending host uses a key to encrypt data before transmission, and the receiving host uses the key to decrypt data back into readable form. The encryption key can be any length, but most current encryption methods use key lengths from 40 to 256 bits. Longer keys are more secure but at the cost of performance.

An organization that wants to encrypt data often needs to set up Public Key Infrastructure (PKI), which is needed to make digital certificates and public and private key distribution possible for users. The PKI framework is the foundation of some popular and highly trusted security schemes, including Pretty Good Privacy (PGP) and Secure Sockets Layer (SSL). Digital signatures and PKI are important concepts to understand and are crucial to security on the Internet.
For more information on these topics, run an Internet search, or consult the relevant RFCs. (Try www.rfc-editor.org.rfcxx00.html for the current Internet standards.)

Activity 1-3: Examining a Digital Certificate

Time Required: 20 minutes

Objective: Examine a default digital certificate on a Windows XP computer.

Description: A digital certificate, an electronic document that encrypts communication between networked computers, can be difficult to conceptualize. However, your Windows XP computer already has a number of digital certificates that have been issued by organizations called certification authorities (CAs). You can view these certificates to get a better idea of the information they contain. In this activity, you open the Microsoft Management Console, add the Certificates snap-in, and then view the components of a certificate.

1. Click Start, Run, type mmc, and then click OK. The Microsoft Management Console window (labeled Console1) opens.

2. Click File, Add/Remove Snap-in from the menu.

3. In the Add/Remove Snap-in dialog box, click Add. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.

4. In the Certificates snap-in dialog box, verify that My user account is selected, and then click Finish.

5. In the Add Standalone Snap-in dialog box, click Close. Click OK to close Add/Remove Snap-in and return to Console1.

6. Click to expand Certificates - Current User and Trusted Root Certification Authorities.

7. Under Trusted Root Certification Authorities, click Certificates, and scroll down the list of certificates in the pane on the right. Double-click the first certificate labeled VeriSign Trust Network.

8. In the Certificate dialog box (which lists the certificate's components), click Details.

9. Click Public key to see the public key associated with the digital signature. Click Enhanced key usage (property) to see the ways in which the digital certificate can be used. Click OK to close the Certificate dialog box.

10. Click File, Exit to close the MMC window. When prompted to save the settings, click No. Leave your system running for the next activity.

OVERVIEW OF THREATS TO NETWORK SECURITY

A variety of attackers might attempt network intrusions, causing loss of data, loss of privacy, and other consequences. The threat is one that concerns a growing number of corporate managers. More businesses are actively addressing this problem, but many others have not taken steps to secure their systems from attack.

This section gives you a general overview of who might want to attack your systems and other threats you might encounter. The first step in defeating the enemy is to know the enemy! Next, you learn about major security concerns on the Internet and see how network security and defensive technologies are used to combat threats. Finally, you learn about access controls and auditing and see how defense measures affect your network and organization.

Types of Attackers

When planning network security measures, knowing the types of attackers (discussed in the following sections) likely to attempt breaking in to your network is important. This knowledge can help you anticipate and set up detection systems, firewalls, and other defenses to block them as effectively as possible.
Before getting into the types of attackers, an overview of motivations for attempting to break into systems can be helpful:

- Status: Some attackers attempt to take over computer systems just for the thrill of it. They like to keep count of how many systems they have access to as a sort of notch on their belt.

- Revenge: Disgruntled current or former employees might want to retaliate against an organization for policies or actions they consider wrong. They can sometimes gain entry through an undocumented account (back door) on the system.

- Financial gain: Other attackers have financial profit as their goal. Obviously, attackers who break into a network can gain access to financial accounts. They can steal individual or corporate credit card numbers and make unauthorized purchases. Just as often, attackers defraud people out of money with scams carried out via e-mail or other means.

- Industrial espionage: Proprietary information is often valuable enough that it can be sold to competing companies or other parties who want to upgrade their technological capabilities in some way.

Crackers

A cracker is anyone who attempts to gain access to unauthorized resources on a network, usually by finding a way to circumvent passwords, firewalls, or other protective measures. They seek to break into computers for different reasons: Old school hackers consider themselves seekers of knowledge; they operate on the theory that knowledge is power, regardless of how they come by that knowledge.
They are not out to destroy or harm; they want to discover how things work and open any sources of knowledge they can find. They believe the Internet was intended to be an open environment and anything online can and should be available to anyone. Other less ethical crackers pursue destructive aims, such as the proliferation of viruses and e-mail bombs, much like vandals and graffiti artists. Some bored young people who are highly adept with computers try to gain control of as many systems as possible for the thrill of it. They enjoy disrupting systems and keeping them from working, and they tend to boast about their exploits online.

A good overview of crackers' motivations is available at The Learning Channel's Web site, http://tlc.discovery.com/convergence/hackers/articles/psych.html.

Disgruntled Employees

Who would try to access customer information, financial files, job records, or other sensitive information from inside an organization? Disgruntled employees. These employees are usually unhappy over perceived injustices and want to exact revenge by stealing information. Often they give confidential information to new employers. When an employee is terminated, security measures should be taken immediately to ensure that the employee can no longer access the company network. Sometimes the most serious vulnerabilities facing a company are those inside the firewall, not outside it. For example, in November 2002, the FBI broke up the largest identity theft ring in U.S. history. A help desk worker at a computer software company allegedly agreed to give passwords and access codes for consumer credit reports to another person, who was then able to make unauthorized purchases using the stolen information (the credit card numbers and other personal information of more than 30,000 people).

The 2004 CSI/FBI Computer Crime and Security Survey is available at www.gocsi.com. Click the Download Survey PDF link on the right, and follow the instructions to download the survey. You need to register, but registration is free.

Criminals and Industrial Spies

No matter how ethical old school hackers consider themselves to be, many other crackers are out to steal anything they can get their hands on. They might be interested in selling information to the top bidder or using it to influence potential victims. Many companies would certainly be interested in getting the plans for a new product from their competitors.

Script Kiddies and Packet Monkeys

The term script kiddie is often used to describe young, immature computer programmers who spread viruses and other malicious scripts and use techniques to exploit weaknesses in computer systems. They lack the experience to create viruses or Trojan programs on their own, but they can usually find these programs online and spread them for their own aims. The assumption among supposedly more sophisticated crackers is that script kiddies seek only to break in to as many computers as possible to gain attention and notoriety.

Another type of mischievous attacker is a packet monkey, who's primarily interested in blocking Web site activities through a distributed denial of service (DDoS) attack. In a DDoS attack, the attacker hijacks many computers and uses them to flood the target with so many false requests that the server can't process them all, and normal traffic is blocked. Packet monkeys might also want to deface Web sites by leaving messages that their friends can read.
Packet monkeys, script kiddies, and their exploits are explained in the Jargon File, an online version of the Hacker's Dictionary that you can research at www.eps.mcgill.ca/jargon/jargon.html.

Terrorists

Until September 11, 2001, most people didn't consider a terrorist attack on an information infrastructure a likely threat. Since that awful day, however, the threat posed by terrorists has been taken more seriously. A terrorist group might want to attack computer systems for several reasons: making a political statement or accomplishing a political goal, such as the release of a jailed comrade; causing damage to critical systems; or disrupting the target's financial stability. Attacking the World Trade Center certainly accomplished the latter goal, given the nature and location of the structures. Terrorists might also want to simply cause fear.

It might be hard to understand why a terrorist attack on computers would be considered a serious threat, until you think about how many critical systems are controlled by computers. Consider the chaos a successful attack on a computer system controlling a nuclear power plant's reactors would cause. The overall psychological effect would be just as detrimental as the damage to the infrastructure and even the loss of life.

Malicious Code

In 2001, the Code Red worm infected millions of computers, costing around $2.4 billion in cleanup, lost productivity, and so on.
(For more information, see the story "Code Blue Worm Strikes in China, May Migrate" at www.newsfactor.com/perl/story/13405.html.) This self-propagating malicious code (malware) exploited systems using Internet Information Services (IIS, Windows Web server software) that were susceptible to a buffer overflow vulnerability in the Indexing Service. When the worm appeared, Microsoft had already released a patch. The vulnerability was well known, and instructions were freely available explaining how to exploit it, yet many administrators hadn't taken steps to protect their systems. Information security has come a long way since the Code Red worm, but there will always be a new vulnerability right around the corner, and security professionals must stay one step ahead of attackers. The following sections review types of malware you might encounter.

Viruses, Worms, and Trojan Programs

Although most users think of any type of virus, worm, or Trojan program as a virus, they are completely different types of attacks. A virus is computer code that copies itself from one place to another surreptitiously and performs actions that range from benign to harmful. Viruses are spread by several methods: running executable code, sharing disks or memory sticks, opening e-mail attachments, or viewing Web pages that use malicious ActiveX objects.

A worm creates files that copy themselves repeatedly and consume disk space. Worms don't require user intervention to be launched; they are self-propagating. Some worms can install back doors, a way of gaining unauthorized access to a computer or other resource, such as an unused port or terminal service, that makes it possible for attackers to access and gain control over a computer. Others can destroy data on a hard disk.
At this writing, for instance, one antivirus software company reports the top virus threat to be another Mydoom variant called W32.Mydoom.BU@mm (see the Symantec Security Response Web site at http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.bu@mm.html). Just like a cold or flu virus, computer viruses and worms can mutate or be altered to defeat antivirus software.

A Trojan program is also a harmful computer program but one that appears to be something useful, a deception much like the Trojan horse described in Greek legends. The difference between a virus and a Trojan program is in how the malicious code is used. Viruses replicate themselves and can potentially cause damage when they run on a user's computer. Trojan programs can also create a back door. In addition, the often hidden or obscure nature of a back door makes the attacker's activities difficult to detect.

Viruses, worms, and Trojan programs are a major security threat. They can damage files, enable attackers to control computers, and cause applications to stop functioning correctly. In creating a network defense perimeter, you need to consider guarding against them. Firewalls and intrusion detection systems don't block malicious code on their own, however; you need to install antivirus software or proxy servers that can be configured to filter them out and delete them before they cause harm.

Macro Viruses

A macro is a type of script that automates repetitive tasks in Microsoft Word or similar applications.
When you run a macro, a series of actions is carried out automatically. Macros are a useful way to make performing some tasks more efficient. Unfortunately, macro viruses perform the same functions, but they tend to be harmful. For example, in March 1999, the Melissa macro virus caused Microsoft to shut down incoming e-mail. Melissa spread rapidly and arrived as an attachment with the subject line "Important message from [name of someone]." The body text read, "Here is that document you asked for . . . don't show anyone else." If the recipient opened the attachment, the macro virus infected the computer and carried out a series of commands. Melissa was a fast-spreading virus, infecting more than 100,000 computers in the first few days. Macro viruses remain a threat today, but the good news is that the user must perform some action for the virus to be activated; therefore, educating users not to open these attachments is essential.

Other Threats to Network Security

It isn't possible to prepare for every possible risk to your systems. At best, you can maintain a secure environment for today's threat and have a comprehensive plan for integrating safeguards against tomorrow's threat into your defenses. The next threat might be infection by a new virus or the exploit of a recently discovered vulnerability, or it might be an earthquake that destroys your facility. There are many threats you can't mitigate entirely, such as a natural disaster. Although you might have prepared for natural disasters by maintaining an alternate site complete with all necessary equipment, the fact remains that your primary site's network and equipment suffered total or near total loss.

Social Engineering: The People Factor

Another common way in which attackers gain access to an organization's resources is one that can't be defended against with hardware or software. The vulnerability, in this case, is gullible employees who are fooled by attackers into giving out passwords or other access codes.
Attacks that involve personnel who don't observe accepted security practices (or who willfully abuse them) can best be addressed with a strong and enforced security policy. Chapters 2 and 3 cover security policies in depth.

Common Attacks and Defenses

Table 1-3 describes some of the common attacks you need to guard against and the defensive strategies you can use to defeat them. These concepts are discussed in more depth throughout the remainder of the book.

Table 1-3 Attacks and defenses

Attack: Denial of service (DoS) attack
Description: The traffic into and out of a network is blocked when servers are flooded with malformed packets (bits of digital information) that have false IP addresses or other data inserted into them or contain other fake communications.
Defense: Keep your server OS up to date; log instances of frequent connection attempts against one service.

Attack: SYN flood
Description: A network is overloaded with packets that have the SYN flag set.
Defense: Keep your firewall and OS up to date so that these attacks are blocked by means of software patches and updates, and review your log files of access attempts to see whether intrusion attempts have been made.

Attack: Virus
Description: Network computers are infected by viruses.
Defense: Install antivirus software and keep virus definitions up to date.

Attack: Trojan program
Description: An attacker delivers a malicious Trojan program through a back door.
Defense: Install antivirus software and keep virus definitions up to date.

Attack: Social engineering
Description: An employee is misled into giving out passwords or other sensitive information.
Defense: Educate employees about your security policy, which is a set of goals and procedures for making an organization's network secure.

Attack: Malicious port scanning
Description: An attacker looks for open ports to infiltrate a network.
Defense: Install and configure a firewall, which is hardware and/or software designed to filter out unwanted network traffic and protect authorized traffic.

Attack: Internet Control Message Protocol (ICMP) message abuse
Description: A network is flooded with a stream of ICMP echo requests to a target computer.
Defense: Set up packet filtering.

Attack: Finding vulnerable hosts on the internal network to attack
Description: An attacker who gains access to one computer on a network can get IP addresses, host names, and passwords, which are then used to find other hosts to attack.
Defense: Use proxy servers.

Attack: Man-in-the-middle
Description: An attacker operates between two computers in a network and impersonates one computer to intercept communications.
Defense: Use VPN encryption.

Attack: New files being placed on the system
Description: A virus or other program causes new files to proliferate on infected computers, using up system resources.
Defense: Install system-auditing software, such as Tripwire.

Attack: Remote Procedure Calls (RPC) attacks
Description: The operating systems crash because they are unable to handle arbitrary data sent to an RPC port.
Defense: Set up an IDS.
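As an added example (not from the textbook), the following Python applies the logging advice in Table 1-3 (frequent connection attempts against one service, port scanning, and ICMP echo floods) to firewall log lines, keeping a sliding time window per target so that a burst is flagged once rather than on every packet. The log format, the thresholds, and all addresses are constructed.

```python
"""Spot the flooding and scanning patterns from Table 1-3 in firewall logs.

Added example, not from the textbook.  The log format is constructed: one
line per packet, an ISO timestamp followed by key=value fields.  Each
detector keeps a sliding time window per key and raises one alert per key.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)


def parse_line(line):
    """'2005-09-13T08:15:00 src=a dst=b proto=tcp ...' -> dict with a datetime."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines, syn_thresh=20, scan_thresh=10, icmp_thresh=20, window=WINDOW):
    """Return alerts as (kind, key) tuples in the order they first fire.

    syn_flood:  >= syn_thresh SYNs to one dst:dport inside the window
                (Table 1-3: frequent connection attempts against one service)
    port_scan:  one src touching >= scan_thresh distinct ports inside the window
    icmp_flood: >= icmp_thresh echo requests from one src to one dst
    """
    syn_hits = defaultdict(deque)      # (dst, dport) -> recent SYN timestamps
    scan_ports = defaultdict(dict)     # src -> {dport: last seen}
    icmp_hits = defaultdict(deque)     # (src, dst) -> recent echo timestamps
    alerts, seen = [], set()

    def raise_alert(kind, key):
        if (kind, key) not in seen:    # report each key once, not per packet
            seen.add((kind, key))
            alerts.append((kind, key))

    def count_recent(q, ts):
        q.append(ts)
        while ts - q[0] > window:      # drop events older than the window
            q.popleft()
        return len(q)

    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        ts = rec["ts"]
        if rec.get("proto") == "tcp" and rec.get("flags") == "S":
            service = (rec["dst"], rec["dport"])
            if count_recent(syn_hits[service], ts) >= syn_thresh:
                raise_alert("syn_flood", service)
            ports = scan_ports[rec["src"]]
            ports[rec["dport"]] = ts
            if sum(1 for t in ports.values() if ts - t <= window) >= scan_thresh:
                raise_alert("port_scan", rec["src"])
        elif rec.get("proto") == "icmp" and rec.get("type") == "8":   # echo request
            pair = (rec["src"], rec["dst"])
            if count_recent(icmp_hits[pair], ts) >= icmp_thresh:
                raise_alert("icmp_flood", pair)
    return alerts


def make_sample_log():
    """Constructed log: a little normal traffic plus one instance of each pattern."""
    t0 = datetime(2005, 9, 13, 8, 15, 0)
    lines = []

    def add(sec, **fields):
        stamp = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(stamp + " " + " ".join(f"{k}={v}" for k, v in fields.items()))

    for i in range(5):                 # ordinary web clients, spread out in time
        add(i * 7, src=f"198.51.100.{i + 1}", dst="192.0.2.10", proto="tcp", dport=80, flags="S")
    for i in range(25):                # SYN flood: 25 SYNs in 5 s from spoofed sources
        add(30 + i // 5, src=f"203.0.113.{i + 1}", dst="192.0.2.10", proto="tcp", dport=80, flags="S")
    for i in range(15):                # port scan: one host walks ports 21-35 of one server
        add(60 + i, src="198.51.100.4", dst="192.0.2.20", proto="tcp", dport=21 + i, flags="S")
    for i in range(30):                # ICMP echo flood: 30 pings in 3 s at one target
        add(120 + i // 10, src="203.0.113.77", dst="192.0.2.30", proto="icmp", type=8)
    return lines


if __name__ == "__main__":
    for kind, key in detect(make_sample_log()):
        print(f"{kind}: {key}")
```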
Internet Security Concerns

As you probably know from your study of basic networking concepts and TCP/IP, a port number combined with a computer's IP address constitutes a network connection called a socket. Software commonly used by attackers attempts to identify sockets that respond to connection requests. The sockets that respond can be targeted to see whether they have been left open or have security vulnerabilities that can be exploited. Hypertext Transport Protocol (HTTP) Web services use port 80. HTTP is among the most commonly exploited services.

The following sections briefly cover some aspects of using the Internet that you need to be aware of from a security standpoint. These sections cover e-mail vulnerabilities such as viruses, scripts that enter the network through e-mail or downloaded files, and broadband connections that enable computers to connect to the Internet with IP addresses that never change and can easily be attacked.

E-Mail and Communications

For a home user who regularly surfs the Web, uses e-mail, and engages in instant messaging, a firewall's primary job is to keep viruses from infecting files and to prevent Trojan programs from entering the system through hidden back door openings. Personal firewall programs, such as Norton Internet Security, come with an antivirus program that alerts users when an e-mail attachment or a file containing a known virus is found.
Scripting

A widespread network intrusion that's increasing in frequency and severity is the use of scripts, executable code attached to e-mail messages or downloaded files that infiltrates a system. It can be difficult for a firewall or intrusion detection system (IDS) to block all such files; specialty firewalls and other programs should be integrated with existing security systems to keep scripts from infecting a network. A specialty e-mail firewall can monitor and control certain types of content that pass into and out of a network. These firewalls can be configured to filter out pornographic content, junk e-mail, and malicious code. MailMarshal by NWTECH (www.nwtechusa.com/mailmarshal.html), for instance, unpacks and scans the content of each e-mail message before it reaches the recipient. E-mail filtering programs, however, introduce privacy issues that need to be balanced against an organization's need for protection, a trade-off that applies to almost all aspects of network security, not just e-mail messages.

Always-on Connectivity

The proliferation of affordable high-speed connections, such as cable modems and DSL lines, brings up special security concerns for network administrators. Computers using always-on connections are easier to locate and attack because their IP addresses remain the same as long as they're connected to the Internet, which might be days at a time if computers are left on overnight or over a weekend. Some users pay extra for static IP addresses that never change and that enable them to run Web servers or other services. Static IP addresses, however, make it easier for attackers to locate a computer and scan it for open ports.

Another problem happens when remote users (employees who are on the road, contractors who work at home, or business partners) want to connect to your organization's internal network.
With the popularity of the Internet, more home computers started using modems. These connections were usually made through temporary dial-up connections that used protocols such as Point-to-Point Protocol (PPP). Now it's increasingly likely that remote users connect to a network through an always-on DSL or cable modem connection, which means they might be connected to your network for hours at a time. Always-on connections effectively extend the boundaries of your corporate network, and you should secure them as you would any part of your network perimeter. At the very least, your network security policy should specify that remote users have their computers equipped with firewall and antivirus protection software. After all, if attackers can break in to a remote user's computer while that user is connected to your network through a VPN or other connection, your network becomes vulnerable as well.

Activity 1-4: Identifying Open Ports

Time Required: 15 minutes

Objective: Use the Netstat command to look for open ports on your computer.

Description: A computer you're securing, particularly one that's hosting firewall or IDS software, should have a minimal set of resources and open ports on it. How do you determine which ports are open on your computer? You can do so with the Netstat utility, which is built in to both UNIX and Windows systems. The following steps apply to a Windows XP computer, but you can also run the Netstat -a command on a UNIX system to get the same information.

1. Click Start, point to All Programs, point to Accessories, and click Command Prompt.

2. At the command prompt, type netstat -a (leave a blank space between netstat and the hyphen). Press Enter.

3. Netstat presents information in columns. The first column, Proto, indicates the protocol being used. The last column, State, tells you whether a connection has been established (ESTABLISHED) or the computer is listening for connections (LISTENING). How many TCP ports did you find that were reported in the State column as LISTENING? How many UDP ports? Write your findings here:

4. Type exit and press Enter to close the command prompt window.

GOALS OF NETWORK SECURITY

So far, you have reviewed basic TCP/IP knowledge and an overview of the threats networks face. In the following sections, you learn what's needed to begin building secure systems. You need to enable business partners, mobile workers, and contractors to connect securely to the main network, and you need a way to authenticate authorized users reliably. You must also have a clear picture of the overriding goals of a network security effort, including privacy and data integrity.

Providing Secure Connectivity

In the early days of the Internet, network security primarily emphasized blocking attackers and other unauthorized users from accessing the corporate network. Now secure connectivity with trusted users and networks is the priority.
When people go online to conduct business, they often engage in the following activities that could make them vulnerable:

- Placing orders for merchandise online, revealing both personal and financial information during payment
- Paying bills by transferring funds online
- Accessing account information
- Looking up personnel records
- Creating authentication information, such as user names and passwords

The growth of the Internet and e-commerce isn't likely to slow down, so methods to secure these transactions must be set up and maintained. Several methods can be combined in a layered security scheme, as you see later in "Using Network Defense Technologies in Layers."

Secure Remote Access

One of the biggest security challenges facing organizations that communicate via the Internet is the need to provide secure remote access for contractors and employees who are traveling. A VPN, with its combination of encryption and authentication, is an ideal and cost-effective solution (see Figure 1-7). (VPNs are explained in more detail in Chapters 5 and 6.)

Ensuring Privacy

Corporations, hospitals, and other organizations with databases full of personal and financial information need to maintain privacy not only to protect their customers but also to maintain the integrity and credibility of their own companies. In addition, legislation exists that protects private information and mandates severe penalties for failure to adequately protect private information. Examples of these laws include Sarbanes-Oxley, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act. You probably won't need to know much about these laws for the SCNP certification exam, but if you work in an industry affected by these or other laws governing privacy protection, you definitely want to keep up on the legalities.
One of the most important and effective ways to maintain the privacy of information on an organization's network is to educate all employees about security dangers and to explain security policies. Employees are the ones most likely to detect security breaches, and also the most likely to cause them accidentally through their own behavior. They can also monitor the activities of their fellow employees and stay aware of suspicious activity that could indicate a security problem.

Figure 1-7 Providing secure connectivity with VPNs (two LANs, each behind a router and firewall at its LAN gateway, joined by an IPSec VPN virtual tunnel between routers with IPSec)

Providing Nonrepudiation

Nonrepudiation is an important aspect of establishing trusted communication between organizations that do business across a network rather than face-to-face. Encryption protects the integrity, confidentiality, and authenticity of digital information. Encryption can also provide nonrepudiation, which is the capability to prevent one participant in an electronic transaction from denying that it performed an action. Nonrepudiation simply means ensuring that the sender can't deny sending a message and the receiver can't deny receiving it.

Confidentiality, Integrity, and Availability: The CIA Triad

Security professionals use the term CIA triad (not to be confused with our friends in Langley, Virginia) to refer to the goals of ensuring confidentiality, integrity, and availability, the tenets of information security.
- Confidentiality refers to preventing intentional or unintentional disclosure of communications between a sender and recipient.
- Integrity ensures the accuracy and consistency of information during all processing (storage, transmission, and so forth).
- Availability is making sure those who are authorized to access resources can do so in a reliable and timely manner.

The CIA triad is often represented as a triangle, as shown in Figure 1-8.

Figure 1-8 The CIA triad (Confidentiality, Integrity, Availability)

USING NETWORK DEFENSE TECHNOLOGIES IN LAYERS

No single security component or method by itself can be expected to ensure complete protection for a network, or even for an individual host computer. Instead, you need to assemble a group of methods that work in a coordinated fashion to provide protection against a variety of threats. The components and approaches described throughout the rest of this book should be arranged to provide layers of network defense. This layering approach to network security is often called defense in depth (DiD). The National Security Agency (NSA) originally designed DiD as a best practices strategy for achieving information assurance.
In general, the layers are as follows (each layer is discussed in the following sections):

- Physical security
- Authentication and password security
- Operating system security
- Antivirus protection
- Packet filtering
- Firewalls
- Demilitarized zone (DMZ)
- Intrusion detection system (IDS)
- Virtual private network (VPN)
- Auditing and log files
- Routers and access control

For more information on DiD, visit www.nsa.gov/snac/support/defenseindepth.pdf.

Physical Security

The term physical security refers to measures taken to physically protect a computer or other network device from theft, fire, or environmental disaster. Along with installing computer locks that attach the device to a piece of furniture in your office, critical servers should be in a room protected by a lock and/or burglar alarm. It's been said many times but is worth repeating: "If the bad guys can touch it, they own it." This statement means it takes only seconds for a computer to be compromised. Within minutes, an attacker can defeat most common locks and steal anything from a password file to the whole server.

In addition, uninterruptible power supply (UPS) devices help maintain a steady level of electrical power, thus avoiding possible damage from voltage spikes, sudden and dramatic increases in power that can damage hardware. Use an engraving tool to mark serial numbers, phone numbers, or other identifiers on portable devices, such as laptops, that can be lost or stolen easily.
Specialized locks are available for PCs and laptops; many have alarms that go off if someone tries to take the device. You can also store portable computers in locked cabinets, such as the ones sold by Datamation Systems (http://pc-security.com).

Authentication and Password Security

After you have physically secured your computers, you can begin to protect them from the inside as well. One simple but effective strategy is password security: having your employees select good passwords, keep them secure, and change them as needed. Using multiple passwords, including screen-saver passwords and passwords for protecting critical applications, is also a good idea to guard against unauthorized employees gaining control of unattended computers.

Authentication uses one of three methods: something the user knows, something the user possesses, and something the user is. In the field of network computing, authentication is performed in one of several ways. Basic authentication makes use of something the user knows, such as a user name/password pair. In challenge/response authentication, the authenticating device generates a random code or number (the challenge) and sends it to the user who wants to be authenticated. The user resubmits the number or code and adds his or her secret PIN or password (the response) or uses something the user possesses, such as a smart card swiped through a card reader. In large organizations, a centralized server typically handles authentication. The use of something the user is, biometrics (retinal scans, voiceprints, fingerprints, and so on), is also growing in popularity because of increasing concerns over terrorist attacks and other criminal activities.

You can provide an extra layer of protection for a laptop by setting the Basic Input Output System (BIOS) password, which keeps intruders from starting the computer. However, this protection can be circumvented easily if the computer is booted from a floppy disk.

Operating System Security

Another way to secure computers and their data from the inside is by installing OS patches that have been issued to address security flaws. It's your responsibility to keep up with patches, hot fixes, and service packs and install them when they become available. In addition, stopping any unneeded services and disabling Guest accounts help make an OS more secure.

Antivirus Protection

Virus scanning refers to the process of examining files or e-mail messages for file names, file extensions such as .exe (for executable code) or .zip (for zipped files), or other indications that viruses are present. Many viruses have suspicious file extensions, but some seem innocuous. Antivirus software uses several methods to look for malware, including comparisons to the software's current signature files, which contain patterns of known viruses. Signature files are the primary reason for keeping your antivirus software updated; antivirus software vendors frequently create updates and make them available for customers to download. When antivirus software recognizes the presence of viruses, it deletes them from the file system or places them in a storage area called a quarantine, where they can't replicate themselves or do harm to other files. Firewalls and IDSs, by themselves, aren't equipped to scan for viruses and eliminate them.
However, many enterprise-level firewalls come with integrated antivirus protection. Antivirus software is a must-have for every computer in a network; if your firewall doesn't provide antivirus software, you need to install it on the computer that hosts the firewall and on all network computers.

Packet Filtering

Packet filters block or allow the transmission of packets of information based on port, IP address, protocol, or other criteria. Like firewalls and IDSs, they come in many varieties. Some are hardware devices, such as routers placed at a network gateway. Others are software programs that can be installed on a gateway or a computer. Here are a few examples:

- Routers: These devices are probably the most common packet filters. Routers process packets according to an access control list (ACL) the administrator defines.
- Operating systems: Some systems, such as Windows and Linux, have built-in utilities for packet filtering on the TCP/IP stack of the server software. Linux has a kernel-level packet filter called Ipchains; Windows has a feature called TCP/IP Filtering. Ipchains is covered in detail in Chapter 11, which also covers Iptables, the replacement for Ipchains in Linux kernel versions 2.4 and later.
- Software firewalls: Most enterprise-level programs, such as Check Point NG, perform packet filtering; Check Point's product specializes in stateful filtering.
Personal firewalls, such as ZoneAlarm and Sygate Personal Firewall, have a less sophisticated version called stateless packet filtering.

Whatever type is used, the packet-filtering device evaluates information in the header and compares it to the established rules. If the information corresponds to one of the allow rules, the packet is allowed to pass; if the information matches one of the deny rules, the packet is dropped.

Firewalls

The foundation for installing a firewall is your organization's overall security policy. After you have a solid security policy as your guide, you can design security configurations to support your organization's goals. Specifically, you can create a packet-filtering rule base for your firewall that reflects your overall approach to network security. (Don't worry if this information seems a bit overwhelming now; you learn all about security policies in Chapters 2 and 3 and firewalls in more detail in Chapters 9 to 11.) The following sections describe two ways in which a firewall can control the amount of protection a network receives: permissive versus restrictive policies.

Permissive Versus Restrictive Policies

A firewall, following the direction given in a security policy, typically adopts one of these general approaches to security (see Figure 1-9):

- Permissive: Calls for a firewall and associated security components to allow all traffic through the network gateway by default, and then block services on a case-by-case basis.
- Restrictive: Calls for a firewall and associated network security components to deny all traffic by default. The first rule denies all traffic on any service and using any port. To allow a specific type of traffic, a new rule must be placed ahead of the "deny all" rule.

Figure 1-9 Permissive versus restrictive policies (restrictive: all traffic from the Internet blocked by default at the firewall, with Web traffic allowed on port 80 toward the DMZ and LAN gateway; permissive: all traffic allowed by default, with selected packets blocked and the partner network allowed to access the LAN)

A firewall should enforce the overall policy established by the network administrator. Enforcement is handled primarily through setting up packet-filtering rules, and a rule base contains a set of these rules. The order of rules in the rule base is important to how the firewall processes traffic.

Demilitarized Zone (DMZ)

A subnet called a demilitarized zone (DMZ), which is a network that sits outside the internal network but is connected to the firewall, makes services publicly available yet protects the internal LAN. A DMZ might also contain a DNS server, which resolves domain names to IP addresses. The subnet attached to the firewall and contained in the DMZ is sometimes called a service network or perimeter network.
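The point about rule order can be made concrete with a small first-match rule base. The following Python code is an added example for this section, not code from the textbook or from any firewall product. The addresses, rules, and packets are constructed; the "fail closed if nothing matched" fallback and the shadowed-rule check are assumptions chosen for the illustration.

```python
"""First-match packet-filter rule base: restrictive vs. permissive policies.

Added example for this chapter, not code from the textbook. The rules,
addresses and packets below are constructed to show that the ORDER of
rules in a rule base decides what the firewall does with a packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: Optional[str] = None       # CIDR; None matches any source
    dst: Optional[str] = None       # CIDR; None matches any destination
    dport: Optional[int] = None     # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def is_catch_all(self) -> bool:
        return (self.proto, self.src, self.dst, self.dport) == (None, None, None, None)


def evaluate(rule_base: list[Rule], pkt: Packet) -> str:
    """Return the action of the FIRST rule that matches the packet.

    A well-formed rule base ends with a catch-all rule, so every packet
    matches something; the final fallback is only a safety net (assumption:
    fail closed).
    """
    for rule in rule_base:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rule_base: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because an earlier catch-all
    rule already matches every packet. Only that simple case is detected,
    which is exactly the misordering the chapter warns about."""
    return [i for i, _ in enumerate(rule_base)
            if any(earlier.is_catch_all() for earlier in rule_base[:i])]


# Constructed addresses: LAN 10.0.0.0/24, a DMZ Web server at 192.0.2.10,
# and a business partner's network 198.51.100.0/24.
LAN = "10.0.0.0/24"
DMZ_WEB = "192.0.2.10/32"
PARTNER = "198.51.100.0/24"

# Restrictive policy: "deny all" is LAST; every allow rule sits ahead of it.
RESTRICTIVE = [
    Rule("allow", proto="tcp", dst=DMZ_WEB, dport=80),   # Web traffic to the DMZ server
    Rule("allow", proto="tcp", src=PARTNER, dst=LAN),    # partner network into the LAN
    Rule("deny"),                                        # deny everything else
]

# Permissive policy: everything allowed by default, selected services blocked.
PERMISSIVE = [
    Rule("deny", proto="tcp", dst=LAN, dport=23),   # no Telnet into the LAN
    Rule("deny", proto="udp", dst=LAN, dport=69),   # no TFTP into the LAN
    Rule("allow"),                                  # allow everything else
]

# Misordered restrictive rule base: "deny all" placed FIRST shadows every
# later rule, so the intended allow rules never fire.
MISORDERED = [Rule("deny")] + RESTRICTIVE[:2]


if __name__ == "__main__":
    web = Packet("tcp", "203.0.113.5", "192.0.2.10", 80)
    telnet = Packet("tcp", "203.0.113.5", "10.0.0.7", 23)
    partner = Packet("tcp", "198.51.100.20", "10.0.0.7", 445)
    for name, rb in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE), ("misordered", MISORDERED)):
        print(name, [evaluate(rb, p) for p in (web, telnet, partner)], "shadowed:", shadowed_rules(rb))
```

The same three packets produce different decisions under the two policies, and the misordered rule base denies all of them: a catch-all rule placed first is the most common way a restrictive rule base silently stops working as intended.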
Intrusion Detection System (IDS)

Firewalls and proxy servers ideally block intruders or malicious code from entering a network. However, an IDS used with these tools offers an additional layer of protection for a network. An IDS works by recognizing the signs of a possible attack and sending a notification to an administrator that an attack is underway. The signs of possible attacks are commonly called signatures: combinations of IP address, port number, and the frequency of access attempts. You learn the details of IDS concepts and implementation in Chapters 7 and 8.

Virtual Private Networks (VPNs)

When companies need to share files or exchange confidential financial information, traditionally they turn to expensive leased lines provided by telecommunications companies. Although these lines create a point-to-point connection between company networks and, therefore, ensure a high level of security, the monthly costs are excessively high for many budget-conscious companies. A growing number of organizations are turning to VPNs to provide a low-cost and secure connection that uses the public Internet.

Network Auditing and Log Files

Auditing is the process of recording which computers are accessing a network and what resources are being accessed, and then recording the information in a log file. IT managers often overlook detailed and periodic review of log files generated by firewalls and IDSs. By reviewing and maintaining log files, you can detect suspicious patterns of activity, such as regular and unsuccessful connection attempts that occur at the same time each day. You can identify, or at least gather enough information to begin to identify, those who have attacked your network. You can set up rules to block attacks and keep your network defense systems up to date by examining attack attempts that have penetrated firewalls and other protective devices.
Effective management of log files is an essential activity that goes hand-in-hand with any perimeter security configuration.

Log File Analysis

Compiling, reviewing, and analyzing log files are among the most tedious and time-consuming tasks associated with network security. Network administrators read and analyze log files to see who is accessing their networks from the Internet. All connection attempts that were rejected should be recorded in the hope of identifying possible intruders or pinpointing vulnerable points in the system. When you first install intrusion detection or firewall hardware or software on your network, you'll probably be asked to prepare reports stating how the network is being used and what kinds of filtering activities the device is performing. It's a good idea to sort logs by time of day and per hour. (Sorting log files produces more organized material that's easier to review than the log files produced by the server, firewall, or other device.)

Be sure to check logs to learn when the peak traffic times are on your network, and try to identify the services that consume the largest part of your available bandwidth. If your firewall or IDS can display log file entries graphically (as shown in Figure 1-10), showing these graphs to management is always a good idea because they illustrate trends with more impact than lists of raw data.
Figure 1-10 A graphical representation of log file traffic

Configuring Log Files

Typically, the log files compiled by firewalls or IDSs give you different options. You can view active data (data compiled by the firewall as traffic moves through the gateway in real time) or data that the device has recently recorded. You can also view the information in these ways:

- System events: These events usually track the operations of the firewall or IDS, making a log entry whenever it starts or shuts down.
- Security events: These events are records of any alerts the firewall or IDS has issued.
- Traffic: This is a record of the traffic that passes through the firewall.
- Packets: Some programs enable you to view information about packets that pass through them.

With more elaborate programs, you can customize what you see in log files and search for specific items or events.

GUI Log Viewers

You can always view log files with a text editor, but if you have ever used this method, you know how tedious it can be. A graphical tool organizes logged information into easy-to-read columns and lets you sort them by date, IP address, or other criteria. One GUI product is Sygate Personal Firewall's log viewer, shown in Figure 1-11.
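The log analysis tasks described in the preceding sections (recording rejected connection attempts, sorting them per hour, spotting unsuccessful attempts that recur at the same time each day, and finding peak traffic hours and the busiest services) are shown below in Python over a few constructed firewall log lines. This is an added example, not code from the textbook or from any firewall vendor. The log format, the addresses, and the recurrence threshold of three days are assumptions made for the example.

```python
"""Log file analysis over constructed firewall log lines.

Added example for this chapter, not code from the textbook or from any
firewall vendor. The log format is made up for the example: one record
per line with date, time, action, protocol, source and destination.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Constructed format (assumption):
#   "<date> <time> <ALLOW|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one source is rejected around 02:15 on three days in a
# row, which is the "same time each day" pattern the chapter says to look for.
SAMPLE_LOG = """\
2005-09-11 02:15:07 DROP TCP 203.0.113.45:51234 -> 192.0.2.10:22
2005-09-11 02:15:09 DROP TCP 203.0.113.45:51235 -> 192.0.2.10:23
2005-09-11 09:02:11 ALLOW TCP 198.51.100.7:40001 -> 192.0.2.10:80
2005-09-11 09:02:15 ALLOW TCP 198.51.100.8:40002 -> 192.0.2.10:80
2005-09-11 14:30:00 DROP UDP 198.51.100.99:5000 -> 192.0.2.10:161
2005-09-12 02:14:58 DROP TCP 203.0.113.45:51300 -> 192.0.2.10:22
2005-09-12 09:10:42 ALLOW TCP 198.51.100.7:40010 -> 192.0.2.10:80
2005-09-12 09:11:03 ALLOW TCP 198.51.100.9:40011 -> 192.0.2.10:443
2005-09-13 02:15:12 DROP TCP 203.0.113.45:51400 -> 192.0.2.10:22
2005-09-13 09:00:30 ALLOW TCP 198.51.100.7:40020 -> 192.0.2.10:80
this line is not a valid record
"""


def parse(lines):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        yield rec


def rejected_by_hour(records):
    """Sort rejected (DROP) attempts by hour of day: {hour: count}."""
    counts = Counter(r["ts"].hour for r in records if r["action"] == "DROP")
    return dict(counts)


def recurring_sources(records, min_days=3):
    """Sources whose rejected attempts recur in the same hour of day on at
    least `min_days` distinct days. Returns {(src, hour): [dates...]}."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            seen[(r["src"], r["ts"].hour)].add(r["ts"].date())
    return {key: sorted(d.isoformat() for d in days)
            for key, days in seen.items() if len(days) >= min_days}


def peak_hour(records):
    """Hour of day carrying the most allowed traffic (peak usage), or None."""
    counts = Counter(r["ts"].hour for r in records if r["action"] == "ALLOW")
    return counts.most_common(1)[0][0] if counts else None


def top_services(records, n=3):
    """Destination ports with the most allowed connections: [(port, count), ...]."""
    counts = Counter(r["dport"] for r in records if r["action"] == "ALLOW")
    return counts.most_common(n)


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG.splitlines()))
    print("rejected per hour:", rejected_by_hour(recs))
    print("recurring rejected sources:", recurring_sources(recs))
    print("peak hour:", peak_hour(recs), "top services:", top_services(recs))
```

Grouping by (source, hour of day) rather than by exact timestamp is what makes the daily pattern visible: the three rejected attempts from 203.0.113.45 land at 02:14 and 02:15 on different days, so a per-minute or per-timestamp sort would scatter them.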
Figure 1-11 Sygate Personal Firewall's log viewer

Routing and Access Control Methods

Routing and access control are important network concepts because routers at the perimeter of a network are critical to the movement of all network traffic, regardless of whether the traffic is legitimate or harmful. Because of routers' positions on the perimeter of networks, they can be equipped with their own firewall software so that they can perform packet filtering and other functions.

To set up a defense, you need to know what kinds of attacks to expect and what services and computers might present openings that could be exploited. As a security professional, it's your job to ensure that no unauthorized access occurs. You must find points of access that would allow attackers to gain access to your network. An attacker might attempt to access open points of entry, such as:

- Vulnerable services: The attacker might be able to exploit known vulnerabilities in a server program.
- E-mail gateways: The attacker might be able to attach a virus payload to an e-mail message. If a recipient clicks the attachment to open it, the program runs and the virus installs itself on the user's system.
- Porous borders: Computers on the network might be listening (that is, waiting for connections) on a virtual channel called a port that's not being used. If an attacker discovers a port that the computer has left open and that isn't being used, this open port can give the attacker access to that computer's contents.
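This section goes on to name three access control methods: Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Role Based Access Control (RBAC). The following Python code is an added example that models all three side by side; it is not code from the textbook. The users, resources, labels, and roles are constructed, and the MAC model's ordered sensitivity levels (a user may read only at or below their clearance and write only at or above it) are an assumption added for the example, since the chapter says only that MAC access capabilities are defined in advance by administrators.

```python
"""Three access control methods (MAC, DAC, RBAC) as small Python models.

Added example for this chapter, not code from the textbook. Users, labels,
roles and resources are constructed. The MAC model uses ordered sensitivity
levels as an assumption; the chapter only says that under MAC all access
capabilities are defined in advance by system administrators.
"""
from dataclasses import dataclass, field

# Mandatory Access Control: administrators assign each user a clearance and
# each resource a label; users cannot change either. Assumption: a user may
# read a resource only if their clearance is at or above its label, and may
# write only at or above their own level (so confidential data cannot be
# copied into a lower-labelled file).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class MACPolicy:
    clearance: dict      # user -> level name
    labels: dict         # resource -> level name

    def can_read(self, user, resource):
        return LEVELS[self.clearance[user]] >= LEVELS[self.labels[resource]]

    def can_write(self, user, resource):
        return LEVELS[self.clearance[user]] <= LEVELS[self.labels[resource]]


# Discretionary Access Control: the owner of a resource decides who may use
# it and can grant access to other users at will (hence the higher risk of
# unauthorized disclosure the chapter mentions).
@dataclass
class DACPolicy:
    owner: dict                              # resource -> owning user
    acl: dict = field(default_factory=dict)  # resource -> {user: set(perms)}

    def grant(self, granter, resource, grantee, perm):
        if self.owner.get(resource) != granter:
            raise PermissionError(f"{granter} does not own {resource}")
        self.acl.setdefault(resource, {}).setdefault(grantee, set()).add(perm)

    def allowed(self, user, resource, perm):
        if self.owner.get(resource) == user:
            return True
        return perm in self.acl.get(resource, {}).get(user, set())


# Role Based Access Control: permissions attach to organizational roles,
# users hold one or more roles, and access follows job function.
@dataclass
class RBACPolicy:
    role_perms: dict    # role -> set of (resource, perm)
    user_roles: dict    # user -> set of roles

    def allowed(self, user, resource, perm):
        return any((resource, perm) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo():
    """Constructed scenario; returns the decision each model makes."""
    mac = MACPolicy(clearance={"alice": "confidential", "bob": "internal"},
                    labels={"payroll.xls": "confidential", "memo.txt": "internal"})
    dac = DACPolicy(owner={"report.doc": "alice"})
    dac.grant("alice", "report.doc", "bob", "read")   # owner shares read access
    rbac = RBACPolicy(role_perms={"hr": {("personnel_db", "read"), ("personnel_db", "write")},
                                  "staff": {("intranet", "read")}},
                      user_roles={"alice": {"hr", "staff"}, "bob": {"staff"}})
    return {
        "mac_bob_reads_payroll": mac.can_read("bob", "payroll.xls"),        # no read up
        "mac_alice_reads_memo": mac.can_read("alice", "memo.txt"),
        "mac_alice_writes_memo": mac.can_write("alice", "memo.txt"),        # no write down
        "dac_bob_reads_report": dac.allowed("bob", "report.doc", "read"),
        "dac_bob_writes_report": dac.allowed("bob", "report.doc", "write"),
        "rbac_bob_reads_personnel": rbac.allowed("bob", "personnel_db", "read"),
        "rbac_alice_writes_personnel": rbac.allowed("alice", "personnel_db", "write"),
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(decision, result)
```

The contrast worth noticing is who makes the decision: under MAC only the administrator's labels matter, under DAC the owner can extend access to anyone, and under RBAC access changes when a person's role changes rather than when a resource is touched.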
Users must have access to the resources necessary to do their jobs, but unauthorized people must not be able to gain access to exploit those resources. Access control is a vital facet of network security and encompasses everything from complex permission configurations on domain controllers to a locked door. There are three main methods of access control you should be familiar with:

- Mandatory Access Control (MAC): This method defines an uncompromising manner of how information can be accessed. With the MAC method, all access capabilities are defined in advance. System administrators establish what information users can and cannot share.
- Discretionary Access Control (DAC): With this method, network users are given more flexibility in accessing information. This method allows users to share information with other users; however, the risk of unauthorized disclosure is higher than with the MAC method.
- Role Based Access Control (RBAC): This method establishes organizational roles to control access to information. The RBAC method limits access by job function or job responsibility. An employee could have one or more roles that allow access to specific information.

THE IMPACT OF DEFENSE

Although the cost of securing systems, and the data they contain, might seem high, in terms of return on investment (ROI), the cost of a security breach can be much higher. As mentioned, several laws exist to protect privacy, and those laws can carry severe monetary penalties. When added to the direct and indirect costs of a security breach, implementing a sound security scheme can seem inexpensive by comparison.

A key factor in successfully securing systems is the support you gain from upper management. Before security efforts ever start, executives and managers have to be sold on the idea. This serves several key purposes:

- First, the project is going to cost money, and you need to have funding for the project approved beforehand.
- Second, the project will require IT staff time, and managers, supervisors, and employees from all departments must participate to paint a clear picture of priorities and carry out the security plan.
- Next, the process of actually implementing security systems might require downtime for the network, which translates into lost productivity and inconvenience to everyone.
- Last, and most important for the long-term success of security efforts, executives and management need to fully support the project from start to finish. If they don't, development, testing, implementation, and maintenance are nearly impossible to complete. The necessary resources and enforcement won't be available. Besides, if management doesn't seem to care and doesn't support the new order, why would anyone else?

In addition, remember that it isn't enough to simply plan and implement security systems. Probably the most challenging facet of information security is keeping up-to-date on new threats and other developments in the industry. Security systems must be maintained continuously and updated to provide protection against new threats.

This chapter has given you a rundown of network security fundamentals. You should already be familiar with most of the material. If you find you aren't familiar with a concept discussed here, you might want to pick up a copy of Guide to Networking Essentials, Fourth Edition, by Greg Tomsho, Ed Tittel, and David Johnson (Thomson Course Technology, 2004, ISBN 0-619-21532-1).
Most network professionals keep a library of reference materials, so there's no shame in needing a quick refresher. After all, the security field is constantly changing, and many employers consider the ability to adapt and learn new concepts a prized soft skill. Besides, who can remember the exact details of a TCP/IP packet if the information isn't used daily?

CHAPTER SUMMARY

- Some basic knowledge of TCP/IP networking is important not only to configure the equipment that helps form a defensive configuration but also to be aware of vulnerabilities related to IP addresses. Proxy servers or Network Address Translation can be used to shield the IP addresses of internal hosts from external users.
- The IP and TCP (or UDP) header sections of IP packets contain a variety of settings that attackers can exploit. These settings include header information, such as the source or destination IP address. Attackers can misuse ICMP messages to intercept traffic and direct it to a server they control or to flood a server with so many requests that it can no longer handle other traffic.
- Domain Name Service (DNS) is a general-purpose service that translates fully qualified domain names, such as www.course.com, into IP addresses. Computers use IP addresses to locate other computers. Attackers can exploit DNS, but administrators also use it to block unwanted traffic.
- Encryption protects data as it passes from one network to another, and authentication limits access to authorized users.
- Network intruders might simply be motivated by a desire to see what kind of data is available on a network and to gain control of computers. Revenge by disgruntled current or former employees might be the primary motivation, however. Some attackers break in to accounts and networks for financial gain. Others want to steal proprietary information for their own use or for resale to other parties.
- Because the Internet is playing an increasingly important role in the movement of business-related traffic from one corporate network to another, an understanding of network security concerns pertaining to online communication is essential. E-mail is one of the most important services to secure because of the possibility of malicious scripts being delivered in e-mail attachments. In addition, always-on connections present new security risks that need to be addressed with firewall and VPN solutions.
- Goals for a network security program originate with an analysis of the risks you face and an assessment of the resources you want to protect. One of the most important goals of any network security effort should be to maintain the privacy of customer and employee information. Other goals include preserving data integrity, authenticating approved users of network resources, and enabling remote users to connect securely to the internal network.
- An effective network security strategy involves many layers of defense working together to prevent many different kinds of threats.
- Auditing is the process of recording which computers access a network and what resources are being accessed, and then recording the information in a log file. Firewall, packet filtering, and IDS logs should be reviewed regularly as a way to detect vulnerable points that should be closed.
- Routing and access control are important network concepts because the routers at the perimeter of a network are critical to the movement of all traffic into and out of the network.
- Defense affects the entire organization. Before beginning a security project, a company's upper management must agree to and fully support the project. IT staff need input from managers, supervisors, and employees from all departments to create an effective policy and carry out security measures.

KEY TERMS

acknowledgement (ACK) flag: A TCP header field that contains the value of the next sequence number the sender is expecting to receive. After a connection is established (TCP three-way handshake), the ACK flag is significant and this value is always sent.

availability: Making sure those who are authorized to access resources can do so in a reliable and timely manner.

authentication: The process of determining the identity of an authorized user through matching a user name and password, a fingerprint or retinal scan, a smart card and PIN, and so on.

back doors: A way of gaining unauthorized access to a computer or other resource, usually through an opening in a program that's supposed to be known only to the program's author.

confidentiality: The goal of preventing intentional or unintentional disclosure of communication between a sender and recipient.

connectionless: A feature of the UDP protocol, which does not depend on a connection actually being established between a host and client for a UDP packet to be sent from host to client.
cracker: A person who attempts to gain access to unauthorized resources on a network, usually by finding a way to circumvent passwords, firewalls, or other protective measures.

Cyclic Redundancy Check (CRC): An error-checking algorithm sometimes added to the end of a TCP/IP packet.

data: The part of a packet that contains the actual data being sent from client to server.

datagrams: Discrete chunks of packets, each of which contains source and destination addresses, control settings, and data.

defense in depth (DiD): A layering approach to security that protects a network at many different levels by using a variety of strategies and methods.

demilitarized zone (DMZ): A subnetwork of publicly accessible Web, e-mail, and other servers that's outside the LAN but still protected by the firewall.

footer: Another section added to a TCP/IP packet that tells a computer it's the end of the packet.

fully qualified domain name (FQDN): The complete DNS name of a computer, including the computer name, domain name, and domain name extension, such as www.course.com.

header: The part of a packet that contains source and destination information and general information about the packet.

host address: The part of an IP address that's unique to a computer in its subnet.

Hypertext Transport Protocol (HTTP): A protocol used by Web services that communicates via TCP/IP port 80.

integrity: The goal of ensuring the accuracy and consistency of information during all processing (storage, transmission, and so forth).

Internet Control Message Protocol (ICMP): A protocol that reports network communication errors to support IP communications. The Ping command is a common troubleshooting utility based on ICMP.

Internet Protocol version 4 (IPv4): The IP addressing system currently in widespread use on the Internet, in which addresses are created with 32 bits (4 bytes) of data.

Internet Protocol version 6 (IPv6): A new version of IP that's gaining support among software and hardware manufacturers and that will eventually replace IPv4; this version calls for 128-bit IP addresses.

macro viruses: A type of malware that performs the same functions as a macro but tends to be harmful.

malware: Software, such as viruses, worms, and Trojans, designed to purposely cause harm, allow theft, or otherwise compromise a computer system.

network address: The part of an IP address that a computer has in common with other computers in its subnet.

Network Address Translation (NAT): NAT translates internal network addresses into an external interface address, which hides the internal LAN addressing scheme and decreases the need for Internet-usable addresses.

nonrepudiation: Ensuring that the sender can't deny sending a message and the receiver can't deny receiving it.

packet filters: Devices or software that block or allow the transmission of packets of information based on port, IP address, protocol, or other criteria.

packet monkey: An attacker who's primarily interested in blocking the activities of a Web site through a distributed denial-of-service attack.

password security: Selecting good passwords, keeping them secure, and changing them as needed contributes to password security. Using multiple passwords, including screen-saver passwords and passwords for protecting critical applications, also helps guard against unauthorized access.

physical security: A term that refers to measures taken to physically protect a computer or other network device from theft, fire, or environmental disaster.

proxy server: A program that provides Web browsing, e-mail, and other services for network users to conceal their identity from those outside the network.

return on investment (ROI): The total value gained after a solution has been deployed. A positive return on investment is desirable because it means the solution has solved more problems than it creates.

script kiddies: Attackers (often young people) who spread viruses and other malicious scripts and use techniques to exploit weaknesses in computer systems.

signatures: Combinations of flags, IP addresses, and other characteristics indicating an attack that are detected by a firewall or IDS.

socket: A network connection that uses a TCP/IP port number combined with a computer's IP address.

subnet mask: A value that tells another computer which part of a computer's IP address is its network address and which part is the host address.

Transmission Control Protocol/Internet Protocol (TCP/IP): This suite of protocols allows information to be transmitted from point to point on a network.

Trojan programs: A type of program that appears to be harmless but that actually introduces viruses or causes damage to a computer or system.

virus: Computer code that copies itself from one place to another surreptitiously and performs actions that range from benign to harmful.

worm: A type of malware that creates files that copy themselves repeatedly and consume disk space. Worms don't require user intervention to be launched; they are self-propagating.
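The header, data, and packet filter terms above, together with the fragmentation problem the review questions raise (a fragment with a nonzero offset carries no TCP header, so a port-only rule has nothing to inspect), as an added example that is not the textbook's code: a small IPv4 header parser with a weak port-only filter beside a fragment-aware one. ALLOWED_TCP_PORTS, the addresses, and every packet are constructed for the demonstration.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed policy for a hypothetical packet filter in front of a Web server.
ALLOWED_TCP_PORTS = {80, 443}
IPPROTO_TCP = 6


@dataclass
class IPv4Header:
    ihl: int               # header length in 32-bit words
    total_length: int
    identification: int
    more_fragments: bool   # MF flag: more fragments of this datagram follow
    fragment_offset: int   # position of this fragment in the datagram, in 8-byte units
    ttl: int
    protocol: int
    src: str
    dst: str


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte portion of an IPv4 header (RFC 791 layout)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return IPv4Header(
        ihl=ver_ihl & 0x0F,
        total_length=total_length,
        identification=ident,
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl,
        protocol=proto,
        src=socket.inet_ntoa(src),
        dst=socket.inet_ntoa(dst),
    )


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Assemble a constructed IPv4 datagram for testing (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_dest_port(packet, h):
    """TCP destination port, or None when no transport header is present."""
    start = h.ihl * 4
    if h.protocol != IPPROTO_TCP or len(packet) < start + 4:
        return None
    _sport, dport = struct.unpack("!HH", packet[start:start + 4])
    return dport


def naive_port_filter(packet):
    """Weak rule: decide by destination port only. A fragment with offset >= 1
    has no TCP header, so the rule cannot check it and simply lets it through."""
    h = parse_ipv4_header(packet)
    if h.fragment_offset != 0:
        return "ACCEPT"
    return "ACCEPT" if tcp_dest_port(packet, h) in ALLOWED_TCP_PORTS else "DROP"


def fragment_aware_filter(packet, policy="drop"):
    """Hardened rule: never decide on a partial datagram. 'drop' discards every
    fragment; 'reassemble' holds fragments until the datagram is complete, so the
    port check runs on the whole packet."""
    h = parse_ipv4_header(packet)
    if h.more_fragments or h.fragment_offset != 0:
        return "DROP" if policy == "drop" else "HOLD"
    return "ACCEPT" if tcp_dest_port(packet, h) in ALLOWED_TCP_PORTS else "DROP"


def sample_packets():
    """Constructed traffic: a TCP header starts with source port, then destination port."""
    tcp_to_80 = struct.pack("!HH", 40000, 80) + b"\x00" * 16
    tcp_to_23 = struct.pack("!HH", 40001, 23) + b"\x00" * 16
    return {
        "whole_http": build_ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, tcp_to_80),
        "whole_telnet": build_ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, tcp_to_23),
        # first fragment of a datagram to port 23: ports visible, MF set
        "frag_first": build_ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, tcp_to_23, ident=7, mf=True),
        # continuation fragment at offset 1 (8 bytes in): no transport header at all
        "frag_tail": build_ipv4("192.168.1.10", "10.0.0.5", IPPROTO_TCP, b"\xAA" * 8, ident=7, offset=1),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        h = parse_ipv4_header(pkt)
        print(f"{name:12s} {h.src} -> {h.dst} proto={h.protocol} MF={h.more_fragments} "
              f"off={h.fragment_offset} naive={naive_port_filter(pkt)} "
              f"hardened={fragment_aware_filter(pkt)}")
```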
REVIEW QUESTIONS

1. What advantages does IPv6 have over IPv4? (Choose all that apply.)
a. IPv6 uses DHCP for its configuration settings.
b. IPv6 uses a 128-bit address space.
c. IPv4 cannot support IPSec.
d. IPv6 incorporates IPSec.

2. Which of the following is a method of hiding internal host IP addresses? (Choose all that apply.)
a. Network Address Translation (NAT)
b. configuring a firewall to insert a fake source IP address into outgoing messages
c. proxy servers
d. setting up software firewalls on all internal hosts, thus hiding them

3. A Class C address has a first octet decimal range of ____ to ____.
a. 172, 191
b. 191, 224
c. 192, 239
d. 192, 223

4. Class D addresses are reserved for experimentation. True or False?

5. The reserved Class A address 127.0.0.1 is used for which of the following?
a. broadcasting to all hosts on a subnet
b. testing the TCP/IP local interface
c. experimentation
d. your firewall's internal interface address

6. What are the primary subdivisions of an IP datagram? (Choose all that apply.)
a. data
b. flags
c. body
d. header

7. Fragmentation of IP packets causes several security problems. How should you configure the firewall or packet filter to prevent harm from fragmented packets? (Choose all that apply.)
a. Reassemble the packets and allow only completed packets to pass.
b. Forward fragments to the destination address for reassembly.
c. Drop all fragmented packets.
d. Request authentication from the source.

8. Most network intrusions originate from what location?
a. inside the company
b. script kiddies
c. back doors
d. industrial spies

9. Why is UDP considered unreliable?
a. The header does not contain a checksum.
b. The data is transmitted in clear text.
c. It is connectionless.
d. Routers typically drop a large number of UDP packets.

10. A DNS server translates ____ to ____.
a. encrypted IP addresses, clear text
b. IP addresses, MAC addresses
c. FQDNs, IP addresses
d. static addresses, DHCP

11. How can DNS help network administrators?
a. Filtering devices (routers, firewalls, and so on) can use DNS names to block certain traffic, such as offensive Web site content.
b. DNS can automatically configure client protocol settings.
c. DNS can forward or drop requests based on the source address and protocol used.
d. DNS can translate all protocols to TCP/IP, enabling cross communication between different types of networks.

12. DNS is vulnerable to what types of attacks? (Choose all that apply.)
a. zone transfer attacks
b. cache poisoning attacks
c. targeted SYN flood attacks
d. buffer overflow attacks

13. What kind of network communication requires a third-party program rather than a firewall or an IDS to scan for viruses or harmful executables?
a. e-mail message content
b. e-mail message headers
c. Web pages
d. all of the above

14. What are some of the reasons for network attacks? (Choose all that apply.)
a. social engineering
b. revenge
c. financial gain
d. status

15. A port number combined with a computer's IP address constitutes a network connection called a(n) ____.
a. always-on connection
b. executable connection
c. socket
d. VPN tunnel

16. Why is fragmentation considered a security risk?
a. Fragments numbered 0 contain port information.
b. Fragments numbered 1 or higher are passed through filters.
c. Fragmented packets can't be assembled.
d. Fragmentation is frequently used.

17. The ability to prevent one participant in an electronic transaction from denying that it performed an action is called ____.
a. plausible deniability
b. integrity
c. nonrepudiation
d. undeniability

18. Firewall enforcement of policies is handled primarily through setting up packet-filtering rules, a set of which is contained in the ____.
a. routing table
b. rule base
c. access control list
d. packet filter

19. Servers with outside access to the public should never be located where?
a. on their own subnet
b. on a DMZ
c. on the internal LAN
d. on the network perimeter

20. The signs of possible attacks detected by an IDS are commonly called signatures. What information do signatures contain? (Choose all that apply.)
a. port number
b. open ports
c. time of access attempts
d. IP address

HANDS-ON PROJECTS

Hands-On Project 1-1: Assessing Your Network Interface

Time Required: 10 minutes

Objective: Examine active connections to computers with the Netstat utility.

Description: As you saw in Activity 1-4, the Netstat utility can provide a wealth of information. In this project, you use it to learn more about the active connections to your computer.

1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt to open a command prompt window.
2. Type netstat and press Enter to view the computer's current active connections.
3. Type netstat -a and press Enter to view the currently established connections and the ports on which your computer is listening for new connections.
4. Type netstat -p TCP and press Enter to view information about TCP connections.
5. Type netstat -p UDP and press Enter to view information about UDP connections.
6. Type netstat -n and press Enter to view the IP address of the remote computer connected to your computer. This information can be useful in tracking an attacker connected to your network.
7. To get a summary of Netstat's switches, type netstat /? and press Enter.
8. Type exit and press Enter to close the command prompt window. Leave your system running for the next project.

Hands-On Project 1-2: Determining Network Connectivity with Linux

Time Required: 15 minutes

Objective: Use a Linux terminal window to observe the output from the Ifconfig command.
Description: In this project, you view network connectivity in Fedora or Red Hat Enterprise Linux, which is already configured with the X Window GNOME interface. You need to log in with the root account or an account that has superuser (root) permissions. (Note: The steps are similar for other Linux versions and some UNIX versions.)

1. Right-click the GNOME desktop, and then click Open Terminal.
2. At the command line, type ifconfig, and then press Enter.
3. Notice the left side of the display. If you see an entry for eth0, that means the system is configured to access an Ethernet network, such as through a network interface card. If you see an entry for ppp, that means the system is configured for access to the Internet, such as through a dial-up modem. The lo connection is a local loopback connection used for diagnostic testing of the network connection. For detailed information on the Linux ifconfig command, type man ifconfig in a terminal window. Press the spacebar to scroll through the pages. Press q to return to the terminal.
4. Type exit, and then press Enter to close the terminal window.

CASE PROJECTS

Case Project 1-1: Defining and Designing a Network

The overview of this book's running case project is in the front matter. Please review this information carefully to guide you in completing each chapter's project as you work through the remaining chapters.

You have been hired as a consultant to design a network for LedGrafix, a video and PC game design company. LedGrafix's newest game has become a hot seller, and the company anticipates rapid growth. It's moving into a new facility and will be installing a new network. Because competition is fierce in the game industry, LedGrafix wants the network fully secured, documented, and maintained while providing high availability, scalability, and performance.
Based on your current network technology and information security knowledge, for this project you design a network to meet the specified requirements and create a network diagram detailing your design. After you have created the diagram, you create a hardware and software inventory for the network. In addition to designing the network, you must also provide full documentation. The network should meet the following requirements:

One location in Phoenix, AZ

Capable of supporting 62 users in these departments: Accounting and Payroll, 4; Research and Development, 12; Sales and Marketing, 10; Order Processing, Shipping, and Receiving, 14; secretarial and office management staff, 4; upper management (including the president, vice president, and general manager), 10; Customer Relations and Support, 6; Technology Support, 2.

Full T-1 Internet connection

1. Design a network that meets the preceding requirements.
2. Examine the facility diagram your instructor provides. Using whatever drawing application you have available (MS Paint will work, if you have no other options), create a diagram of your network, showing the physical layout of the system.
3. Create a hardware and software inventory. Your instructor has blank forms you can use, or you can create or find your own. Your inventory should include at least the following:
Operating systems
Server operating systems
Office applications
Antivirus software
Computers, servers, and peripherals
Network connectivity equipment, such as hubs, switches, or routers
Specialized imaging or multimedia devices or software
Developer tools (you can make up tool names, if necessary)
Other applications you think are necessary
4. After you have finished the diagram and inventory, turn them in to your instructor. Strive for a professional look in your work, and don't forget to proofread your work carefully before submitting it.
LSU - D - 51242
Department of DefenseDIRECTIVENUMBER 5124.2October 31, 1994DA&MSUBJECT: Under Secretary of Defense for Personnel and Readiness (USD(P&R) References: (a) Title 10, United States Code (b) DoD Directive 5124.2, "Under Secretary of Defense for Personnel
Villanova University - ECE - 4790
ECE 4970 Homework Solutions 2.23a ( We want to find out the pre-envelope of g(t ) = ) . There are many ways to do this. I chose to do the problem in the frequency domain. Remember, G+ ( ) is the positive side of G(f). G(f) 2 G+(f)-1/21/21/2Question is
UCSC - ENGR - 027
| 3W8 i R Q 5 38F HF 5 Q g 3 7 B @8 7 H F` 3 BW P 7B` QW 3 @ 3W8F i 8c H 3 @ o AhGFuFUSE$QhG663I$SIaFfhCA6BHSpacACCfhCYacC m ChAGYSaFY6c$A8 8P F 3` 3 F CSQIHIaFlBvAc6c8G$@tu p u 5p$A7vIFCq p u $hA$Scfw_u o hAlSp5 gf$AuC65!6eC6A8C"cfw_h!Sh$SpuhIbA8ChIF B @
Delaware - CMPE - 312
Chapter 5 Instructor: Prof. Jeffery Six TA : Tushar Chaubal ( tushar1@cs.umbc.edu) T/W 1100 1300hrs Q 5.2 Grading : 10 Construct a JK Flip Flop using a D Flip Flop , 2:1 MUX and an inverterThe Analysis of the circuit to show that the implementation will