MISSION CRITICAL! INTERNET SECURITY

Bradley Dunsmore, A+, Network+, i-Net+, MCDBA, MCSE+I, CCNA
Jeffrey W. Brown, CISSP
Michael Cross, MCSE, MCPS, MCP+I, CNA
TECHNICAL EDITOR: Stace Cunningham, CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+

“Finally, a truly useful guide to Internet security. A must read for anyone responsible for protecting their network.”
—Mike Flannagan, Network Consulting Engineer, Cisco Systems, Inc.

Cover: FREE Monthly Technology Updates; One-year Vendor Product Upgrade Protection Plan (1 YEAR UPGRADE BUYER PROTECTION PLAN); FREE Membership to Access.Globalknowledge. “If it’s a high-risk, high-impact, must-not-fail situation, it’s MISSION CRITICAL!”

With over 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we have come to know many of you personally. By listening, we've learned what you like and dislike about typical computer books. The most requested item has been for a web-based service that keeps you current on the topic of the book and related technologies. In response, we have created solutions@syngress.com, a service that includes the following features:

■ A one-year warranty against content obsolescence that occurs as the result of vendor product upgrades. We will provide regular web updates for affected chapters.
■ Monthly mailings that respond to customer FAQs and provide detailed explanations of the most difficult topics, written by content experts exclusively for solutions@syngress.com.
■ Regularly updated links to sites that our editors have determined offer valuable additional information on key topics.
■ Access to “Ask the Author”™ customer query forms that allow readers to post questions to be addressed by our authors and editors.

Once you’ve purchased this book, browse to www.syngress.com/solutions. To register, you will need to have the book handy to verify your purchase. Thank you for giving us the opportunity to serve you.
solutions@syngress.com

115_MC_intsec_FM 12/13/00 1:12 PM Page i

MISSION CRITICAL! INTERNET SECURITY

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media® and Syngress® are registered trademarks of Syngress Media, Inc. “Career Advancement Through Skill Enhancement™,” “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 STP692AD43
002 JY536842C4
003 C392K28FA7
004 BG57C87BC2
005 22PCA94DZF
006 55ZP2ALT73
007 DUDR527749
008 XRDYEW42T3
009 MPE28494DS
010 SM359PS25L

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Mission Critical Internet Security
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-20-2

Copy edit by: Adrienne Rebello
Index by: Robert Saigh
Technical edit by: Stace Cunningham
Page Layout and Art by: Shannon Tozier
Project Editor: Kate Glennon
Co-Publisher: Richard Kristof
Distributed by Publishers Group West

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof, Duncan Anderson, Jennifer Gould, Robert Woodruff, Kevin Murray, Dale Leatherwood, Rhonda Harmon, and Robert Sanregret of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, John Hays, Bill Richter, Kevin Votel, Brittin Clark, and Sarah MacLachlan of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Annabel Dent, Anneka Baeten, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.

From Global Knowledge

At Global Knowledge we strive to support the multiplicity of learning styles required by our students to achieve success as technical professionals. As the world's largest IT training company, Global Knowledge is uniquely positioned to offer these books. The expertise gained each year from providing instructor-led training to hundreds of thousands of students worldwide has been captured in book form to enhance your learning experience. We hope that the quality of these books demonstrates our commitment to your lifelong learning success. Whether you choose to learn through the written word, computer based training, Web delivery, or instructor-led training, Global Knowledge is committed to providing you with the very best in each of these categories. For those of you who know Global Knowledge, or those of you who have just found us for the first time, our goal is to be your lifelong competency partner.

Thank you for the opportunity to serve you. We look forward to serving your needs again in the future.

Warmest regards,
Duncan Anderson
President and Chief Executive Officer, Global Knowledge

Contributors

Bradley Dunsmore (A+, Network+, i-Net+, MCDBA, MCSE+I, CCNA) is currently working for Cisco Systems in Raleigh, NC. He is a Technical Trainer in the Service Provider Division where he develops and issues training to the solution deployment engineers. He has eight years of computer experience, the last four in enterprise networking.
Bradley has worked with Bell Atlantic, Adtran Telecommunications, and Electronic Systems Inc., a Virginia-based systems integrator. He specializes in TCP/IP and LAN/WAN communications in both small and large business environments.

Joli Annette Ballew (MCSE, MCP, MCT, A+) is a technology trainer and network consultant. She has worked as a technical writer, educational content consultant, PC technician, and MCSE instructor. Joli attended the University of Texas at Arlington and graduated with a Bachelor’s degree in Mathematics. The following year, she earned her teaching certificate from the state of Texas. After teaching for ten years, she earned her MCSE, MCT, and A+ certifications and entered the field of computer training and consulting. Joli lives near Dallas, TX and has a beautiful daughter, Jennifer.

Jeffrey W. Brown (CISSP) is a Vice President of Enterprise Information Security at Merrill Lynch in New York City, where he is responsible for security analysis, design, and implementation of global computing infrastructures. Jeff has over eight years of information technology experience. He is co-author of the Web Publisher’s Design Guide for Windows (Coriolis) and is a member of the SANS Windows Security Digest editorial board. He has been a participant in several SANS efforts including “Windows NT Security Step-by-Step,” the Windows 2000 Security Improvement Project, and the Center for Internet Security. Jeff was recently a panelist for a discussion on virtual private networking (VPN) technology at Security Forum 2000, sponsored by the Technology Manager’s Forum. He has a BA in Journalism and an MS in Publishing from Pace University.

Michael Cross (MCSE, MCPS, MCP+I, CNA) is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service.
In addition to administering their network and providing support to a user base of over 800 civilian and uniform users, he is Webmaster of their Web site (www.nrps.com). Michael also owns KnightWare, a company that provides consulting, programming, networking, Web page design, and computer training. He has served as an instructor for private colleges and technical schools in London, Ontario in Canada. He is a freelance writer and has authored over two dozen articles and chapters. He currently resides in St. Catharines, Ontario, Canada.

Jason Harper (MCSE) is a published author and technology consultant who concentrates exclusively on network and systems security, policy and network architecture technologies. Thanks go to his family, Noah, Stacey, and Laurie for all their support.

Technical Editor and Contributor

Stace Cunningham (CMISS, CCNA, MCSE, CLSE, COS/2E, CLSI, COS/2I, CLSA, MCPS, A+) is a security consultant currently located in San Antonio, TX. He has assisted several clients, including a casino, in the development and implementation of network security plans for their organizations. He held the positions of Network Security Officer and Computer Systems Security Officer while serving in the United States Air Force. While in the Air Force, Stace was heavily involved in installing, troubleshooting, and protecting long-haul circuits, ensuring the appropriate level of cryptography necessary to protect the level of information traversing the circuit, as well as protecting the circuits from TEMPEST hazards. This included American equipment as well as equipment from Britain and Germany while he was assigned to Allied Forces Southern Europe (NATO). Stace has been an active contributor to The SANS Institute booklet “Windows NT Security Step by Step.” In addition, he has co-authored or served as the Technical Editor for over 30 books published by Osborne/McGraw-Hill, Syngress Publishing, and Microsoft Press.
He has also written articles for “Internet Security Advisor” magazine. His wife Martha and daughter Marissa have been very supportive of the time he spends with the computers, routers, and firewalls in the “lab” of their house.

115_MC_intsec_TOC 12/13/00 10:16 AM Page xi

Contents

Chapter 1 Securing Your Internetwork
  Introduction to Internetworking Security
  Why the Change of Heart Toward Network Security?
  Differentiating Security Models and Attacks
    Hackers and Attack Types
    What Do Hackers Do?
    Attack Types
  Types of Defenses
    Education
    Application Security
    Physical Security
    Firewalls, [...]
  [...]
  Host Security
  Characteristics of Network Security
    Availability
    Integrity
    Confidentiality
  Customizing Access Control
    Authentication
    Authorization
    Accounting
  Network Communication in TCP/IP
    Application Layer
    Transport Layer
      TCP
      TCP Connection
      UDP
    Internet Layer
      IP
      ICMP
      ARP
    Network Layer
  Security in TCP/IP
    Cryptography
      Symmetric Cryptography
  [...]

[...]
  [...] the Certificate?
  Summary
  FAQs

Chapter 4 Internet Security Applications
  Introduction
  Integration of Internet Security Applications
    Security Concerns
    Security Services
  Cryptography
    Keys
    Secret Key Cryptography
    [...]
    [...] Distribution Problem
    Hash Functions
    Key Length
  Using Digital Signatures
    How Does a Digital Signature Add Security?
    Potential Security Risks with Digital Signatures
    Acquiring Digital [...]
  [...]

[...]
  [...] of Attacks
  Poor Network Perimeter/Device Security
    Network Sniffers
    Scanner Programs
    Network Topology
    Unattended Modems
    Poor Physical Security
    Application and Operating Software [...]
  [...]
  [...] Security Suite
  Cisco Secure Intrusion Detection System (Secure IDS)
    The Sensor
    The Director
    The Post Office
    General Operation
  Cisco IOS Firewall Intrusion Detection System
    Cisco Secure Integrated Software (Firewall Feature Set)
    CBAC (Context-based Access Control)
  CyberCOP Intrusion Detection Package
  Summary
  FAQs

Chapter 6 Microsoft RAS and VPN for Windows 2000
  Introduction
  What’s New in Windows 2000
    Problems and Limitations
    What Is the Same?
  Windows 2000 Distributed Security Services
    Active Directory and Security
    Advantages of Active [...]
  [...]
  [...] the Internet
    Connecting Networks over the Internet
    Sharing a Remote Access VPN Connection
    Using a Router-to-Router Connection
    Connecting Computers over an Intranet
  Tunneling Protocols and the Basic Tunneling Requirements
    Windows 2000 Tunneling Protocols
      Point-to-Point Tunneling Protocol (PPTP)
      Layer 2 Tunneling Protocol (L2TP)
  [...]
  Using PPTP with Windows 2000
    How to Configure a PPTP Device
  Using L2TP with Windows 2000
    How to Configure L2TP
    How L2TP Security Differs from that of PPTP
  Interoperability with Non-Microsoft VPN Clients
  Possible Security Risks
  Summary
  [...]

[...]
  [...] Interface IP Configuration
    IP Address
  Configuring NAT and NAPT
  [...]
  Security Policy Configuration
    Security Strategies
      Deny Everything That Is Not Explicitly Permitted
      Allow [...]
  [...]
  [...] to Your Security Model
    Basic Deployment
    Deployment with a DMZ
    Deployment of Multiple Raptor Firewall Systems
  Avoiding Known Security Issues
    Connectivity
    Setting Up a DDoS Filter
  [...]