✦Part IV:Communications
✦Part V:The Security Threat and Response
The flow of the material is designed to provide a smooth transition from fundamen-tal principles and basic knowledge to the practical details of network security.
In this manner, the text can serve as a learning mechanism for people new to the field as well as a valuable reference and guide for experienced professionals.
Part I: Security Principles and Practices
Part I provides a background in the fundamentals of information system security.
Specifically, it comprises chapters on information system security principles, infor-mation system security management, and access control.
✦Chapter 1: Information System Security Principles.It is important that the network security practitioner be intimately familiar with the fundamental tenets of information system security, particularly the concepts of confiden-tiality, integrity, and availability (CIA). These topics are explained in detail in this chapter and then related to threats, vulnerabilities, and possible impacts of threats realized. After covering these basic topics, the formal processes of systems engineering (SE), information systems security engineering (ISSE), the systems development life cycle (SDLC), and the relationship of network security to the SDLC are explained. These subject areas provide the reader with an excellent understanding of applying standard rules to incorporate information system security into system development activities. These skills are particularly valuable to individuals working in large companies that need the discipline provided by these methods and to government organizations required to apply formal information security approaches in their everyday operations.
✦Chapter 2: Information System Security Management.To continue to pro-vide a basis for delving into network security issues, this chapter discusses the important, but sometimes neglected, roles of management and administra-tion in implementing good network security. All personnel in an organizaadministra-tion should be aware of the information security policies, procedures, and guide-lines and practice them on an ongoing basis. The existence of these docu-ments and practices are of critical importance to an organization and should be incorporated into the organization’s routine operations. For example, the seemingly innocuous requirement of requiring critical personnel to take vaca-tion time in blocks of a week or more might reveal covert and illegal activities on the part of those individuals when they are replaced by new personnel during the vacation interval. Also, corporate officers will be exposed to legal liability if they do not have policies in place addressing the protection of the organization’s intellectual property and other critical information.
Chapter 2 also provides clear and concise guidelines on the best practices to ensure the continuity of an organization’s critical operations during and after a disaster. Business continuity planning (BCP) and disaster recover planning (DRP) approaches are explained and illustrated, providing for continuity of critical business functions and networked information systems, respectively.
✦Chapter 3: Access Control Considerations.Controlling access to critical net-work and computer resources is one of the most important requirements for any organization. Chapter 4 defines and illustrates the concepts of identifying a user or process to an information system, verifying the identity of that user or process (authentication), and granting access privileges to specific resources (authorization). In addition, this chapter covers the methods of implementing secure access to information systems from remote sites.
Part II: Operating Systems and Applications
In the second part of this book, the security issues and solutions associated with operating systems such as Windows, UNIX, and Linux are detailed. Following these topics, Web browser security, Web security, e-mail security, domain name systems, and server applications are addressed. The authors provide insights and directions to implementing operating system and Web security based on their extensive expe-rience in these areas.
✦Chapter 4: Windows Security.Because the many versions of the Windows operating system that are in widespread use, their security vulnerabilities pose serious threats to their host computers. Chapter 4 reviews these secu-rity problems and offers steps to be taken to securely install Windows, harden the operating system, operate securely, and maintain a safe system.
✦Chapter 5: UNIX and Linux Security.UNIX and the open source Linux operat-ing systems are becomoperat-ing increasoperat-ingly popular as counters to the reliability problems of the Windows operating systems. Thus, network security aspects
of UNIX and Linux are covered in Chapter 5, including kernel issues, extrane-ous services, and specific services such as NFS, Sendmail, BIND, and RIP.
✦Chapter 6: Web Browser and Client Security.Web browsers pose serious threats to the security of their host machines and this chapter explores the sources of those threats, focusing on the Netscape and Internet Explorer browsers. The authors provide their solutions to securing a Web browser and protecting corporate portals.
✦Chapter 7: Web Security.Building on the information and solutions presented for Web browsers, Chapter 7 continues by examining the Hypertext Transfer Protocol (HTTP); Common Gateway Interface (CGI) security issues; privacy concerns associated with cookies, hidden fields and URL tracking; auditing;
and the secure implementation of e-commerce applications.
✦Chapter 8: E-mail Security.Because we all use e-mail, the information security knowledge covered in this chapter is directly applicable to users, IT profes-sionals, and security personnel. Chapter 8 explains the different types of e-mail, including SMTP, POP3, and IMAP. The authors describe how to prop-erly configure e-mail systems, and how to handle security problems associ-ated with those types.
✦Chapter 9: Domain Name System.This chapter describes the concepts behind the Domain Name System (DNS), Master and Slave Name servers, and the design of Domain Name Systems, including split DNS and split-split DNS.
The authors then describe how to set up different types of DNS servers and discuss recursion and zone transfers.
✦Chapter 10: Server Security.Another key knowledge component of network security is understanding the different types of servers and their associated applications. Chapter 10 describes the general principles to be observed when putting a server on line and then specifically presents valuable com-mentary on FTP servers, instant messaging, NetBIOS file sharing, secure shell, Kazaa, and remote access of computer-based information.
Part III: Network Security Fundamentals
This part describes the various network protocols, particularly the specifics of the OSI and TCP models. The fundamental concepts of wireless communication and wireless security are explained, including coding schemes, the different wireless technology generations, and wireless vulnerabilities. The authors then provide detailed recommendations and guidance for securing networks along with descrip-tions of the components of network architectures.
✦Chapter 11: Network Protocols.This chapter explains in detail the OSI and TCP models and the IP, ICMP, TCP, and UDP protocols. It also reviews address resolution concepts and methods and relates them to the general goals of net-work security.
✦Chapter 12: Wireless Security.Wireless connections to the Internet are becoming extremely popular and this chapter covers topics including the wireless frequency spectrum, fundamentals of wireless transmission, the dif-ferent coding schemes and generations of wireless technology, and security issues associated with wireless applications.
✦Chapter 13: Network Architecture Fundamentals.The components of a net-work and their corresponding configurations for implementing security are critical factors in the protection information systems. Chapter 14 provides clear descriptions and explanations of network bridges, routers, switches, firewalls, gateways, guards, and other important network elements. Their functions and relationship to the overall security of a network are reviewed and guidelines for their application are provided.
Part IV: Communications
Part IV of this book reveals the best practices and approaches related to communi-cations security.
✦Chapter 14: Secret Communication.Secret communication involves the means to encrypt and decrypt messages as well as to authenticate the sender.
Chapter 14 provides a history of cryptography, reviews the fundamentals of symmetric and asymmetric encryption, explains digital signatures, and con-cludes with an overview of generally accepted cryptographic axioms.
✦Chapter 15: Covert Communication.Covert communication refers to commu-nication that conceals the fact that hidden information is being transmitted.
In secret communication, described in Chapter 14, an attacker is aware that sensitive information is being transmitted in scrambled form. The problem for the attacker is to retrieve the information by unscrambling or decrypting it. In covert communication, sensitive information might be hidden some-where in an image or in a microdot that appears as a period at the end of a sentence. Thus, an attacker does not know that information is hidden unless he or she checks everything that is being transmitted for concealed messages.
This type of covert communication is known as steganography. Chapter 15 describes the goals of steganography, its advantages and disadvantages, methods of embedding sensitive information in other components such as images, and tools for detecting hidden information.
✦Chapter 16: Applications of Secure/Covert Communication.Chapter 16 details the methods of achieving secure and covert communication. The top-ics addressed include e-mail security, implementing virtual private networks (VPNs), and applying different protocols to protect information transmitted over the Internet. The chapter also addresses digital certificates to “certify”
individuals’ public keys and methods of managing cryptographic keys in an organizational setting.
Part V: The Security Threat and Response
The chapters in this part primarily address the issues of detecting and responding to network intrusions and assuring the security controls that have been put in place actually do provide the expected results. This section and the text conclude with
“putting everything together” through detailed descriptions of the most common problems in network security, their solutions, and planning for future situations.
✦Chapter 17: Intrusion Detection and Response.The network security practi-tioner has to be familiar with and understand the various types and effects of malicious code. Chapter 17 explains these different kinds of malware, dis-cusses common types and sources of attacks, and shows how to detect and handle intrusions into a network and its resources.
✦Chapter 18: Security Assessments, Testing, and Evaluation.Private and gov-ernmental organizations, by necessity, have to ensure that their networks and information systems are secure from attacks. Both entities have critical and sensitive information that have to be protected from violations of confidential-ity, integrconfidential-ity, and availability. Therefore, these organizations have developed assessment and evaluation approaches that can be applied to determine whether a network is really secure, even after appropriate controls have been implemented. Chapter 18 discusses these methodologies, including the Systems Security Engineering Capability Maturity Model (SSE-CMM), the dif-ferent types of certification and accreditation approaches, the National Institute for Standards and Technology (NIST) information security publica-tions, and the various types of testing and auditing practices.
✦Chapter 19: Putting Everything Together.At this point in Network Security Bible, the elements that comprise a network, security architectures, security threats, countermeasures, incident handling, and assessment approaches have been covered in detail. Chapter 19 ties all these entities together by describing the top 10 problems of network security, the top 10 solutions to these problems, the top 10 mistakes information security and IT practitioners make, and how to develop a framework for future activities and challenges.
How to Use This Book
Network Security Bibleis designed for use as a comprehensive tutorial on the field of network security, as a “how to” manual for implementing network security, as a ref-erence document for the information and network security practitioner, and as a guide for planning future network security issues and projects.
Use as a comprehensive tutorial on the field of network security
Network Security Bibleis organized to provide the reader with an understanding of the fundamentals of information system security by covering their basic principles, standard processes, management issues, and access control concepts. With this foundation, the text expands into discussions of the popular operating systems, Internet security, and Web security. Following this material, a tutorial on networking protocols, wireless communications, and network architectures provides an under-standing of networking and communications. The book then explores the funda-mentals of intrusion detection and information security assessment methodologies.
All these topics comprise book parts so that the reader can focus on the areas of particular interest to him or her and scan or skip topics that are familiar. Thus, the book is designed to provide either a comprehensive or selective tutorial, based on the experience and training of the reader.
Use as a “how to” manual for implementing network security
The authors of this text have extensive experience in analyzing network security problems and implementing effective solutions. Based on this experience, the authors provide guidance and detail “secrets” used by real-world practitioners to solve real-world problems. These “secrets” apply to the following areas:
✦Risk management
✦Information security system life cycle processes
✦Training
✦Business continuity/disaster recovery
✦Back-ups
✦Remote authentication
✦Windows
✦UNIX
✦Linux
✦Attacks
✦Server security
✦Wireless security
✦Intrusion detection and handling
✦Assurance evaluation
Use as a reference document for the information and network security practitioner
The chapters of Network Security Biblecontain fundamental and advanced knowledge on network security and related topics. This content will serve as a useful reference source for the information security practitioner in conducting his or her everyday security-related activities. The chapters on operating systems, access control, wire-less security, Web security, intrusion detection and response, and assessment methodologies will be particularly useful in present and future applications.
Use as a guide for planning future network security issues and projects
The book emphasizes topics that are focused on planning for the future and antici-pating network security problems and issues. These topics address the following relevant and important areas:
✦How to apply good systems engineering principles to the development of information security systems
✦Recommendations concerning which standards and guidelines are most use-ful and that should be used in implementing and achieving required network security
✦How to implement organizational security policies and how to ensure that they are understood and institutionalized
✦How to make sure that the organization is prepared for a disaster
✦How to protect against possible future liability suits
✦How to plan for expanded, secure, remote access requirements
✦How to implement wireless security
✦How to protect against future attacks
✦How to handle future attacks
✦How to assess the effectiveness of proposed new security architectures These issues and approaches are then summarized in the last chapter.
Security
Principles
and Practices
✦ ✦ ✦ ✦
In This Part Chapter 1 Information System Security Principles Chapter 2 Information System Security Management Chapter 3
Access Control Considerations
✦ ✦ ✦ ✦
I I
Information
System Security Principles
A
number of organizations have defined terminology and methodologies for applying systems engineering (SE) principles to large tasks and undertakings. When information systems and networks are involved, companion Information System Security Engineering (ISSE) processes should be practiced concurrently with SE at project initiation.This chapter defines the fundamental principles of network security and explains the SE and ISSE processes. It also describes the steps in the systems development life cycle (SDLC) and reviews how network and information technology (IT) security practices can be incorporated into the SDLC activities.
The chapter concludes with coverage of risk management tech-niques and the application of risk management in the SDLC.
Key Principles of Network Security
Network security revolves around the three key principles of confidentiality, integrity, and availability (C-I-A). Depending upon the application and context, one of these principles might be more important than the others. For example, a gov-ernment agency would encrypt an electronically transmitted classified document to prevent an unauthorized person from reading its contents. Thus, confidentiality of the information is paramount. If an individual succeeds in breaking the encryp-tion cipher and, then, retransmits a modified encrypted ver-sion, the integrity of the message is compromised. On the
1 1
other hand, an organization such as Amazon.com would be severely damaged if its network were out of commission for an extended period of time. Thus, availability is a key concern of such e-commerce companies.
Confidentiality
Confidentiality is concerned with preventing the unauthorized disclosure of sensi-tive information. The disclosure could be intentional, such as breaking a cipher and reading the information, or it could be unintentional, due to carelessness or incom-petence of individuals handling the information.
Integrity
There are three goals of integrity:
✦Prevention of the modification of information by unauthorized users
✦Prevention of the unauthorized or unintentional modification of information by authorized users
✦Preservation of the internal and external consistency
• Internal consistency ensures that internal data is consistent. For exam-ple, in an organizational database, the total number of items owned by an organization must equal the sum of the same items shown in the database as being held by each element of the organization.
• External consistency ensures that the data stored in the database is consistent with the real world. Relative to the previous example, the total number of items physically sitting on the shelf must equal the total number of items indicated by the database.
Availability
Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system and to the network.
Other important terms
Also important to network security are the following four C-I-A–related terms:
✦Identification— The act of a user professing an identity to the system, such as a logon ID
✦Authentication— Verification that the user’s claimed identity is valid, such as through the use of a password
✦Accountability— Determination of the actions and behavior of a single indi-vidual within a system, and holding the indiindi-vidual responsible for his or her actions
✦Authorization— The privileges allocated to an individual (or process) that enable access to a computer resource
Formal Processes
The processes associated with specifying, designing, implementing, operating, and maintaining network-based systems are amenable to formal methods. These meth-ods provide a structured approach to achieving effective and maintainable net-works and systems. In particular, applying the disciplines of systems engineering and systems security engineering (SSE) in the systems development life cycle can yield functional, secure, robust, and cost-effective networks and systems. These processes are described in the following sections.
The systems engineering process
There are a myriad of definitions of systems engineering, ranging from the view of government and military establishments to commercial organizations. A sampling of these definitions follows:
✦“The function of systems engineering is to guide the engineering of complex systems. ... A system is a set of interrelated components working together toward some common objective.” (Kossiakoff and Sweet, Systems Engineering, Principles and Practices, John Wiley & Sons, 2003.)
✦The branch of engineering concerned with the development of large and com-plex systems, where a system is understood to be an assembly or combina-tion of interrelated elements or parts working together toward a common objective. (General, widely used definition)
✦The selective application of scientific and engineering efforts to:
• Transform an operational need into a description of the system configu-ration which best satisfies the opeconfigu-rational need according to the mea-sures of effectiveness
• Integrate related technical parameters and ensure compatibility of all physical, functional, and technical program interfaces in a manner that optimizes the total system definition and design
• Integrate the efforts of all engineering disciplines and specialties into the total engineering effort
• Integrate the efforts of all engineering disciplines and specialties into the total engineering effort