In this section, we will study some basic elements of computer security. These topics include authentication technologies and protocols, malicious software, and elements of wireless security.
Authentication technologies and protocols
Authentication is the process of verifying the identity of a person. It is considered the first point of controlling access to a system. In the context of computer security, authentication is the method of verifying that the identity of a person or an application seeking access to a system, object, or resource is genuine. For example, if a user wants to access a computer, the identity of the user is usually verified by having the user enter a valid username and password. If the username and password entered by the user match the ones stored in the security database of the computer, the user is allowed access. This process is known as the authentication process. Depending on the requirements of an organization, one or more authentication mechanisms can be implemented to ensure the security of an individual computer or of the entire network.
The following sections discuss a number of authentication technologies and protocols used in computer networks.
Username and password. Almost all operating systems implement some kind of authentication mechanism wherein users can simply use a locally created username and password to get access to the system. When the user enters his credentials (the combination of username and password), the local security database is checked to verify that the credentials match the ones stored in the local security database of the computer. If a match is found, the user is granted access; otherwise, the user is not allowed to log on to the system. This is the simplest form of authentication and can be implemented easily, but it also comes with its own limitations. Many organizations document and implement password policies that control how users can create and manage their passwords in order to secure network resources.
Biometrics. Biometrics refers to the authentication technology used to verify the identity of a user by measuring and analyzing human physical and behavioral characteristics. This is done with the help of advanced biometric authentication devices that can read or measure and analyze fingerprints, scan the retina of the eye and facial patterns, and/or measure body temperature. Handwriting and voice patterns are also commonly used as biometrics. Biometric authentication provides the highest level of authenticity about a person, which is much more reliable than a simple username and password combination. It is nearly impossible to impersonate a person when biometric authentication is used for authentication.
Smart cards. Smart cards store a small amount of data that is generally used to authenticate the holder or owner of the card. These cards typically come in the size of a standard credit/debit card. When used for authentication and identification purposes, they prevent modification of the data stored on them. Smart cards are designed to protect the data they hold against theft, are immune to electromagnetic interference (EMI) and radio frequency interference (RFI), and have built-in protection against physical damage.
A+ Essentials
Study Guide
Security tokens. A security token (also known as an authentication token or a hardware token) is considered to be the most trusted method for verifying the identity of a user or a system. Tokens provide a very high level of security for authenticating users because of the multiple factors employed to verify the identity. It is almost impossible to duplicate the information contained in a security token in order to gain unauthorized access to a secure network. In its simplest form, an authentication token or a security token consists of two parts: a hardware device that is coded to generate token values at predetermined intervals, and a software-based component that tracks and verifies that these codes are valid.
Security tokens are also known as key fobs because they are small enough to be carried on a key chain or in a wallet. Some security tokens may contain cryptographic keys while others may contain biometric data such as fingerprints of the user. Some tokens have a built-in keypad, and the user is required to key in a personal identification number (PIN).
Digital certificates. Certificates or digital certificates are widely used for Internet-based authentication, as well as for authentication of users and computers in network environments, to access network resources and services where directory services such as Microsoft's Active Directory service are implemented. Certificates are a part of public key infrastructure (PKI). In a PKI, certificate servers are used to create, store, distribute, validate, and expire digitally created signatures and other identity information about users and systems. Certificates are created by a trusted third party known as a Certification Authority or Certificate Authority (CA). Examples of commercially available CAs are VeriSign and Thawte. It is also a common practice to create a CA within an organization to manage certificates for users and systems inside the organization or with trusted business partners. In Windows 2000 and later server operating systems, certificates are used for authenticating users and granting access to Active Directory objects. A CA used within an organization is known as an enterprise CA or a standalone CA.
Another common use of certificates is for software signing. Software is digitally signed to assure the user that it has been developed by a trusted software vendor. It also ensures that the software has not been tampered with since it was developed and made available for download. Certificates are also implemented in Internet services to authenticate users and verify their identity.
Multifactor. In computer authentication using secure methods, a factor is a piece of information that is presented to prove the identity of a user. In a multifactor authentication mechanism, any of the following types of factors may be utilized:
• A something you know factor, such as your password or PIN.
• A something you have factor, such as your hardware token or a smart card.
• A something you are factor, such as your fingerprints, your eye retina, or other biometrics that can be used for identity.
• A something you do factor, such as your handwriting or your voice patterns.
Multifactor authentication is considered to be acceptably secure because it employs multiple factors to verify the identity of the user.
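The following Python program is an added example, not code from the study guide, that ties together the username/password check, the hardware token and the multifactor idea described above. The "local security database" is a constructed in-memory dictionary, the user name, password and token secret are made-up sample values, and the password policy is reduced to one rule (store only a salted PBKDF2 hash, never the password). The token side follows the standard HOTP/TOTP construction (an HMAC over a 30-second time counter, truncated to six digits), which is what most key-fob and app tokens compute; a login succeeds only when both the "something you know" and the "something you have" factors check out.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed local "security database": username -> salt, password hash and
# the secret programmed into the user's hardware token. Nothing here is real data.
USER_DB = {}

PBKDF2_ROUNDS = 200_000
TOKEN_STEP = 30  # seconds for which a token value stays the same


def enroll(username, password, token_secret):
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USER_DB[username] = {"salt": salt, "hash": pw_hash, "token_secret": token_secret}


def check_password(username, password):
    """Something you know: recompute the hash and compare it in constant time."""
    rec = USER_DB.get(username)
    if rec is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])


def token_code(secret, now):
    """Something you have: the value a time-based token displays at time `now`.

    HOTP/TOTP construction: HMAC-SHA1 over the time counter, then dynamic
    truncation to six decimal digits. The token and the server both run this.
    """
    counter = int(now) // TOKEN_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


def check_token(username, code, now, window=1):
    """Accept the current value or its neighbours to tolerate small clock drift."""
    rec = USER_DB.get(username)
    if rec is None:
        return False
    for step in range(-window, window + 1):
        expected = token_code(rec["token_secret"], now + step * TOKEN_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(username, password, code, now=None):
    """Multifactor login: both the password and the token value must be correct."""
    now = time.time() if now is None else now
    password_ok = check_password(username, password)
    token_ok = check_token(username, code, now)
    return password_ok and token_ok


if __name__ == "__main__":
    enroll("alice", "correct horse battery", b"constructed-token-secret")
    now = time.time()
    code = token_code(b"constructed-token-secret", now)  # what the key fob would show
    print("login with both factors:", authenticate("alice", "correct horse battery", code, now))
```

The `window` parameter is the server-side answer to the clock-drift problem every time-based token has: a code from the previous or next 30-second step is still accepted, but anything older is rejected even if the password is right.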
Challenge-Handshake Authentication Protocol (CHAP). This protocol is widely used for local and remote access authentication. CHAP is a modified form of the Password Authentication Protocol (PAP), a protocol that transmits user credentials in clear text. CHAP periodically verifies the authenticity of the remote user using a three-way handshake even after the communication channel has been established. CHAP authentication involves an authentication server and the client. The process is carried out as follows:
1. When the communication link has been established, the authentication server sends a "challenge" message to the peer.
2. The peer responds with a value calculated using a one-way hash function such as Message Digest 5 (MD5).
3. The authentication server checks the response to ensure that the value is equal to its own calculation of the hash value. If the two values match, the authentication server acknowledges the authentication; otherwise, the connection is terminated.
4. The authentication server sends the challenge message to the peer at random intervals and repeats steps 1 to 3.
One drawback of CHAP is that it cannot work with encrypted password databases and is considered to be a weak authentication protocol. Microsoft has implemented its own version of CHAP known as MS-CHAP, which is currently in version 2.
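The four-step exchange above, written out as an added Python example (not code from the study guide) with both sides of the handshake in one file. The response is computed as MD5 over the identifier, the shared secret and the challenge, as RFC 1994 specifies; the peer name and secret are constructed sample values. The authenticator's secret table holds the secret in the clear, which is exactly the limitation the text mentions: to recompute the hash, the server must have the plaintext secret, so CHAP cannot be backed by a database that stores only hashed passwords.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The authentication server side: issues challenges and checks responses."""

    def __init__(self, secrets):
        # Constructed name -> shared secret table. CHAP needs the secret itself to
        # recompute the hash, which is why it cannot use a hashed password database.
        self.secrets = secrets
        self.outstanding = {}  # identifier -> challenge still awaiting a response
        self.next_id = 0

    def send_challenge(self):
        """Step 1 (and step 4 when repeated): a fresh random challenge with a new identifier."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.outstanding[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, name, response):
        """Step 3: recompute the hash locally and compare; a challenge is single-use."""
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """The client side: never sends the secret, only the hash over the challenge."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret

    def respond(self, identifier, challenge):
        """Step 2: answer with the one-way hash value."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(authenticator, peer, rounds=3):
    """Run the handshake `rounds` times, as CHAP re-challenges at random intervals."""
    outcomes = []
    for _ in range(rounds):
        identifier, challenge = authenticator.send_challenge()
        name, response = peer.respond(identifier, challenge)
        outcomes.append(authenticator.verify(identifier, name, response))
    return outcomes


if __name__ == "__main__":
    server = Authenticator({"dialup-user": b"constructed-secret"})
    print("correct secret:", run_chap(server, Peer("dialup-user", b"constructed-secret")))
    print("wrong secret:  ", run_chap(server, Peer("dialup-user", b"wrong-secret")))
```

Because each challenge is removed from `outstanding` once it has been answered, a response observed on the wire is useless a second time; that, together with the random challenge, is what lets CHAP keep the secret off the link where PAP sends it in the clear.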
Kerberos. Kerberos is a cross-platform authentication protocol used for mutual authentication of users and services in a secure manner. Kerberos V5 is the current version of this protocol and is used on Windows servers as the default authentication protocol. The protocol ensures the integrity of authentication data (user credentials) as it is transmitted over the network. It is widely used in all other major operating systems, such as Unix and Cisco IOS.
Kerberos works with a Key Distribution Center (KDC), which is typically a network server used to issue secure encrypted keys and tokens (tickets) to authenticate a user or a service. The tickets carry a timestamp and expire as soon as the user or the service logs off. The following steps are carried out to complete the authentication process:
1. The client presents its credentials to the KDC for authentication by means of username/password, smart card, or biometrics.
2. The KDC issues a Ticket Granting Ticket (TGT) to the client. The TGT is associated with an access token that remains active until the time the client is logged on. This TGT is cached locally and is used later if the session remains active.
3. When the client needs to access the resource server, it presents the cached TGT to the KDC. The KDC grants a session ticket to the client.
4. The client presents the session ticket to the resource server, and the client is granted access to the resources on the resource server.
The TGT remains active for the entire session. Kerberos is heavily dependent on synchronization of clocks on the clients and servers. Session tickets granted by the KDC to the client must be presented to the server within the established time limits or else they may be discarded.
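The four Kerberos steps and the time-limit rule, as an added Python model that is not code from the study guide and simplifies the real protocol in one labelled way: where Kerberos encrypts tickets under the KDC's and each service's long-term keys, this model seals them with an HMAC tag under those keys, which is enough to show that a client cannot forge or alter a ticket. The user table, service key, lifetimes and skew limit are constructed values. The resource server accepts a ticket only if the tag verifies, the ticket has not expired, and the server's own clock is not more than the allowed skew behind the issue time, which is the clock-synchronization dependence the text describes.

```python
import hashlib
import hmac
import json
import os

TGT_LIFETIME = 8 * 3600     # a TGT lives for the logon session (constructed value)
TICKET_LIFETIME = 600       # a service ticket must be used within this window
MAX_CLOCK_SKEW = 300        # tickets whose timestamps are off by more are rejected


def _tag(key, fields):
    """Integrity tag over the ticket fields; stands in for Kerberos' encryption."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _seal(key, fields):
    return {"fields": fields, "tag": _tag(key, fields)}


def _valid(key, ticket, now):
    """Authentic under `key`, not expired, and not issued too far ahead of our clock."""
    if not hmac.compare_digest(_tag(key, ticket["fields"]), ticket["tag"]):
        return False
    issued, expires = ticket["fields"]["issued"], ticket["fields"]["expires"]
    return issued - MAX_CLOCK_SKEW <= now <= expires


class KDC:
    def __init__(self, users, service_keys):
        self.users = users                 # constructed name -> password table
        self.service_keys = service_keys   # long-term key shared with each resource server
        self.tgs_key = os.urandom(32)      # known only to the KDC; seals TGTs

    def login(self, user, password, now):
        """Steps 1-2: check the credentials and issue a Ticket Granting Ticket."""
        if self.users.get(user) != password:
            return None
        return _seal(self.tgs_key, {"user": user, "issued": now, "expires": now + TGT_LIFETIME})

    def service_ticket(self, tgt, service, now):
        """Step 3: the client presents its cached TGT and receives a session ticket."""
        if service not in self.service_keys or not _valid(self.tgs_key, tgt, now):
            return None
        fields = {"user": tgt["fields"]["user"], "service": service,
                  "issued": now, "expires": now + TICKET_LIFETIME}
        return _seal(self.service_keys[service], fields)


class ResourceServer:
    def __init__(self, name, key):
        self.name = name
        self.key = key

    def accept(self, ticket, now):
        """Step 4: grant access only for an authentic ticket inside its time limits."""
        return _valid(self.key, ticket, now) and ticket["fields"]["service"] == self.name


if __name__ == "__main__":
    key = os.urandom(32)
    kdc = KDC({"alice": "constructed-password"}, {"fileserver": key})
    fileserver = ResourceServer("fileserver", key)
    t = 1_700_000_000
    tgt = kdc.login("alice", "constructed-password", t)
    ticket = kdc.service_ticket(tgt, "fileserver", t + 60)
    print("access with a fresh ticket:", fileserver.accept(ticket, t + 70))
    print("same ticket after expiry:  ", fileserver.accept(ticket, t + 60 + TICKET_LIFETIME + 1))
```

Note that the client never sees `tgs_key` or the file server's key: it only caches and forwards sealed tickets, so the TGT it holds for the session is useful only to the KDC that issued it.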
Protection from malicious software
Malicious software, or malware, is software written specifically to launch attacks against individual computers or networks. The basic purpose of malicious software is to gain unauthorized access and cause damage to the system or steal confidential information. Examples of code attacks include viruses, Trojan horses, worms, logic bombs, spyware, and adware. These are discussed in the following paragraphs.
Virus. A virus is a self-replicating application that inserts itself into executable files on the computer and spreads itself using the executable. A computer virus is typically created for the sole purpose of destroying a user's data. In order for the virus to work or infect a computer, it must first load itself into system memory. When the hosting executable file is run, the virus code is also executed and destroys user data or critical system files.
A virus must first infect an executable file to run successfully. The infected file is known as the virus host. The infected program must be executed before the virus can spread to infect other parts of the system or data.
The following are different types of viruses:
Boot sector or bootstrap virus
Infects the first sector on the hard disk, which is used for booting or starting up the computer. The boot sector virus becomes active as soon as the computer is started.
Parasitic virus
Infects an executable file or an application on a computer. The infected file actually remains intact, but when the file is run, the virus runs first.
If the infected computer is connected to the network, the virus can travel from one computer to another and can infect every computer on its way. A virus can infect data stored on floppy disks, hard disks, and even on network storage devices.
Trojans. A Trojan horse (or simply a Trojan) is malicious code that is embedded inside a legitimate application. The application appears to be very useful or interesting and harmless to the user until it is executed. Trojans are different from other computer viruses in that they must be executed by the victim who falls for the "interesting software."
Most modern Trojans contain code that is basically used to gather information about the user. These Trojans fall into the category of spyware and appear as pop-up windows on a user's computer screen. The sole purpose of these Trojans is to somehow trick the user into executing the application so that the code can execute. Some Trojans are written very precisely to allow the user's computer to be controlled remotely by the attacker.
The main difference between a virus and a Trojan is that viruses are self-replicating programs while Trojans need some action taken on the part of the user. If the user does not fall into the trap of the Trojan, it does not execute.
Worms. A worm is a computer virus that does not infect any particular executable or application but resides in the active memory of computers. This virus usually keeps scanning the network for vulnerabilities and then replicates itself onto other computers using those security holes. The effects of worms are not easily noticeable until entire systems or network resources appear to have been consumed by the virus. The most common type of worm is the email virus that uses email addresses from the address book of a user to spread itself.
Spam. Spam, or email spam, refers to unsolicited junk mail that fills up your mailbox every day. These messages come from unknown persons and are rarely of any interest or use to the recipient. Spammers collect email addresses from user forums, newsgroups, and so on. They also use specially created applications known as spamware to collect email addresses and send messages to them. In most cases, the sending email address of spammers is not traceable by a normal computer user.
Spyware. Spyware software is used to collect personal information stored in the computer and send it to a third party without the permission or knowledge of the user. This process is carried out in the background, and the user does not even know that his personal information has been stolen. The personal information is usually stored in cookies. The information may include your name and password that you use on other web sites. The third parties who receive this information use it to send you unsolicited advertisements for selling their products.
Adware. The term adware is used for software that displays advertisements on your computer. Adware appears as unsolicited pop-up windows on the computer screen. These advertisements appear when the computer is connected to the Internet. Most of these advertisements offer free software, screen savers, or tickets.
Grayware. The term grayware is used for those software programs that work in an undesirable or annoying manner. These programs may also negatively affect the performance of the computer. Grayware includes software programs such as spyware, adware, and so on. Pop-up windows are also classified as grayware.
Software firewalls
A firewall is a hardware device or a software application that sits between the internal network of the organization and the external network to protect the internal network from communicating with outside networks. A properly configured firewall blocks all unauthorized access to the internal network. It also prevents internal users from accessing potentially harmful external networks.
Firewalls can be implemented in the form of dedicated hardware devices or through the use of special software applications. When a computer or a network is protected using software applications, the firewall implementation is known as a software firewall. Windows Firewall in Windows XP SP2 is a simple example of a software firewall, which can be implemented on personal computers.
The three common firewall technologies are:
Packet-filtering firewalls
Packet-filtering firewalls inspect the contents of each IP packet entering the firewall device and, based on predefined and configured rules, allow or block packets inside the network. These firewalls permit or block access to specific ports or IP addresses and work on two basic policies: Allow by Default and Deny by Default. Under the Allow by Default policy, all traffic is allowed to enter the network except the specifically denied traffic. Under the Deny by Default policy, all traffic entering the firewall is blocked except the traffic specifically allowed. Deny by Default is considered the best firewall policy, as only authorized traffic is allowed to enter the network using specified port numbers or IP addresses.
Application layer firewalls
Application layer firewalls are also known as application firewalls or application layer gateways. This technology is more advanced than packet filtering, as it examines the entire packet to allow or deny traffic. Proxy servers use this technology to provide application layer filtering to clients. Inspection of data packets at the application layer (of the OSI model) allows firewalls to examine the entire IP packet and, based on configured rules, allow only intended traffic through them. One of the major drawbacks of application layer firewalls is that they are much slower than packet-filtering firewalls because every IP packet is broken apart at the firewall, inspected against a complex set of rules, and reassembled before it is allowed to pass.
Stateful inspection firewalls
Stateful inspection firewalls work by actively monitoring and inspecting the state of the network traffic, and they keep track of all the traffic that passes through the network media. This technology overcomes the drawbacks of both packet filtering and application layer firewalls. It is programmed to distinguish between legitimate packets for different types of connections. Only those packets are allowed that match a known connection state. This technology does not break or reconstruct IP packets and hence is faster than application layer technology.
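The packet-filtering policies and the stateful connection table described in the three entries above, as an added Python example that is not code from the study guide. The rule set, the addresses and the packets are all constructed for the demonstration. `packet_filter` is the stateless model: the first matching rule decides, and the default policy (Allow by Default or Deny by Default) decides everything else. `StatefulFirewall` layers a connection table on top so that, under a Deny by Default policy, a reply to a session an inside host opened is still admitted without a rule for it, while a TCP segment that belongs to no known connection is dropped.

```python
import ipaddress
from collections import namedtuple

# A packet as the filter sees it; `syn` marks the first segment of a TCP connection.
Packet = namedtuple("Packet", "src sport dst dport proto syn")
# A rule: action is "allow" or "deny"; src is a CIDR string or "any"; dport and proto may be "any".
Rule = namedtuple("Rule", "action src dport proto")


def rule_matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and rule.dport != pkt.dport:
        return False
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    return True


def packet_filter(rules, default_policy, pkt):
    """Stateless packet filtering: the first matching rule wins, else the default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default_policy


class StatefulFirewall:
    """Adds a connection table so replies to known sessions pass without a matching rule."""

    def __init__(self, rules, default_policy="deny"):
        self.rules = rules
        self.default_policy = default_policy
        # Known sessions, always keyed as (inside ip, inside port, outside ip, outside port, proto).
        self.connections = set()

    def outbound(self, pkt):
        """An inside host opens a session: remember it so the reply can come back."""
        self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return "allow"

    def inbound(self, pkt):
        # Traffic belonging to a known session is allowed regardless of the rule set.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.connections:
            return "allow"
        # A TCP segment that is not a SYN and matches no known state is out of place.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        # A new inbound connection is judged by the rules and the default policy.
        verdict = packet_filter(self.rules, self.default_policy, pkt)
        if verdict == "allow":
            self.connections.add((pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto))
        return verdict


# Constructed rule set: public web server on port 80, SSH only from the 10.0.0.0/8 branch network.
RULES = [
    Rule("allow", "any", 80, "tcp"),
    Rule("allow", "10.0.0.0/8", 22, "tcp"),
]

if __name__ == "__main__":
    telnet = Packet("198.51.100.7", 51001, "192.168.1.20", 23, "tcp", True)
    print("allow by default:", packet_filter(RULES, "allow", telnet))
    print("deny by default: ", packet_filter(RULES, "deny", telnet))
    fw = StatefulFirewall(RULES, "deny")
    fw.outbound(Packet("192.168.1.10", 40000, "203.0.113.5", 443, "tcp", True))
    reply = Packet("203.0.113.5", 443, "192.168.1.10", 40000, "tcp", False)
    print("reply to inside-opened session:", fw.inbound(reply))
```

The stateless filter has no way to admit that HTTPS reply except by adding a rule that allows inbound traffic from port 443 to every high port, which is the kind of broad opening that the connection table makes unnecessary.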
Filesystem security. Windows operating systems provide file- and folder-level security using the NT File System (NTFS). Files can even be stored and transmitted over the network in secure encrypted form. To keep tight control of access permissions on shared resources, the Windows operating system allows you to configure two types of permissions: Share permissions and NTFS permissions. Share permissions provide an outer layer of control, while NTFS permissions provide more granular control of file and folder access. A list of standard NTFS permissions is shown next.
Full Control
Grants the user all rights on the resource.
Modify
The Modify permission allows a user to change the contents of the file.
Read and Execute
Allows a user to read the file and execute (run) it.
List Folder Contents
Allows the user to list the files and subfolders inside a folder.
Read
Allows a user to read a file.
Write
Allows a user to write files to a folder.
NTFS permissions are available only on those disk partitions that are formatted using NTFS. These permissions cannot be configured on disks formatted with the FAT filesystem. Moreover, Share permissions do not apply to a user who is logged on locally to the computer.
Wireless security
Wireless networks rely on radio frequencies to communicate instead of the network cabling used for normal computer networks. Radio frequencies create