NET 102 - Networking Essentials II

Chapter 13, Network Security; Chapter 14, Network Hardening

Objectives:

This lesson discusses securing networks and making them harder to attack. Objectives important to this lesson:

  1. Physical security
  2. Social engineering
  3. Vulnerabilities and threats
  4. Authentication
  5. Secure protocols
  6. Remote access
  7. Troubleshooting security

Concepts:

Chapter 13, Network Security

Chapter 13 covers more material than most chapters. We will consider it by itself this week.

The idea of physical security may not seem to apply to networks, but it does. It applies to all our assets, all our hardware, and all our staff. Consider this list of ideas about physical security. It is a list of major physical controls, a bit longer than the one in our TestOut. It covers a few more ideas.

  • Walls, fences, and gates - obvious barriers make it clear to people that they are not allowed to walk beyond a certain point; gates are obvious points of access, but they are also filter points if you require staff to show permission to pass through them; these apply to external and internal environments
  • Guards - putting a guard on a gate, a door, or an asset allows you to set rules for passage and usage that can be interpreted by a human being or referred to an authorizing level of management
  • Dogs - guard dogs should probably appear as a subset of guards, whether they are working with handlers or left to patrol a sealed environment; a dog can sense things (noises, aromas) that a human guard cannot
  • ID cards (badges) - can be just a token or a photo ID, and may have a magnetic stripe, a computer chip, or an RFID; ID cards are both a proof of authorization and a problem: they need to be collected when an employee leaves their job, regardless of who decided they were leaving; the text describes tailgating, the practice of passing through a door that senses an authorization code by following someone who actually has authorization when you a) forgot yours, b) decided to be lazy, or c) are not authorized; it is the last variation we worry about, so some secure centers require that everyone passing a control point show their badge to the sensor to count heads; the text mentions the use of ID operated turnstiles, which are effective in metering traffic 
  • Locks - as indicated above, some locks are opened with credentials; some locks require a key, and others require the intervention of an operator (e.g. guard, receptionist); biometric locks may be the most sophisticated locks: that means that unless they are sophisticated they won't work well
    • A door that stays locked if the electronic lock fails has a fail-secure lock.
    • A door that becomes unlocked if the electronic lock fails has a fail-safe lock. Since safe and secure are usually synonyms, this makes no sense. You just have to know which is which.
  • Cable locks - Devices that are meant to be moved are often built with little slots that may be used with cables which attach to desks, tables, or other structural features in the workplace. The idea is that if something is locked down, it is less likely to be stolen. It can still be stolen if the thief has a tool to cut the cable, and if the cable is securing your docking station, that means the thief may steal it as well as your laptop.
  • Mantrap - a vestibule or airlock with two doors that both lock if someone tries to pass through the second door to a secure area and fails; the idea is to alert security to a possible intrusion while containing the intruder
  • Video monitoring - allows recording of events, also allows fewer guards to watch over more areas by watching several screens at once; this typically adds a delay to response time, and may only be useful for collecting data after an event
  • Alarm systems - commonly associated with the opening of a door, may be triggered by sensors (motion, infrared, touch plates)

I had the pleasure once of visiting a facility that took a different approach from most. There was no sign outside the building, no number on it, and few indications that it was a secure facility. The perimeter was fenced, and gated, and the gate was operated remotely by an unseen guard. The fence was surrounded by tall slender yews, which blocked the view of the perimeter from both sides. They were also frail enough that no one could climb them. Yes, they made it difficult for people inside to watch what was happening outside the building. However, the intention was to block the view of the building from outsiders, and to draw no attention. Huge trees with nasty thorns are unusual and they might draw the attention of someone with an eye for what looks odd. Yews are just nice landscaping. A good way to keep a secret is to never hint that the secret even exists. That perimeter followed that logic.

Visibility is what you think about when you plan lighting and surveillance cameras. Sometimes you need more lights because something you can't remove casts a shadow. Sometimes you need another camera, because you can't see through or around that thing the way it is. Your surveillance system needs to cover what your guards need to see even if they do walk around the interior or the grounds. They cannot be everywhere at once, unless you have lots of guards.

The text mentions that tracking who enters and who leaves a location are equally important. This is easier in a well run installation, where you use the same protocols to enter and to leave. In most locations, people are in more of a hurry to leave. The text suggests that keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes, the exit of a person is the more important event, such as the provided example of a day care center, as well as in some hospitals and most prisons. The text warns us that exit points must be watched carefully in such cases. It should observe that we should watch known exit points, and be watchful for exits that those seeking them may discover.

If you want to allow foot traffic, but restrict the approach of vehicles, you should consider a recommendation to use bollards. You may not know the word, but you have probably seen these posts in parking lots or outside buildings. Follow this link to a web page that defines them as being available in several types: visual guides, physical barriers, flexible, and decorative. We are most concerned with the physical barrier type, which may simply be a painted concrete and steel post, or it may have a decorative cover to make it look less like a barrier. Some locations that require frequent traffic with the need for restriction in emergencies may lead us to install bollards that are retractable.

We can also discuss physical access controls inside buildings. One of our security texts recommends that guards and cameras should be made visible in general work areas, to act as deterrents to unwanted behavior. Barriers between general work areas and sensitive areas should be clearly defined. The text mentions banks as a commonly available example of businesses with areas for the general public, and areas that are for staff only. Banks often have high counters, gates, security barriers, guards, and bullet resistant glass or plastic barriers between staff and customers. Data centers do not generally provide service to the public, but it is not uncommon to have a data center share a building with another service from your company that does invite customer traffic. When this is the case, there must be controls to prevent access by people who should not have access.

Social engineering is a label that is applied to any attempt to convince someone to do something that is to your benefit. In the context of IT security, a social engineer is often a con artist who is asking, fooling, convincing, or otherwise manipulating people into revealing secrets or granting access to systems. These are a few classic social engineering methods:

  • Make a friend - Friends tend to confide in friends, do favors for them, and show off what they know or can do. A hacker may try to become a friend to someone with the next level of access to harvest information from them.
  • Pretext - A pretext is a pretense, a lie of some sort. A pretexting attacker might pretend to be from the IT department, or he/she might instead pretend to be a new user, an assistant to a high level executive, or any other role that seems to fit the situation. Think of Leonardo DiCaprio in Catch Me If You Can, interviewing an airline official to get the information he needed to impersonate a pilot. He was pretexting with the airline official when he pretended to be a reporter for a student newspaper. He then pretended to be a pilot in order to pass bad checks at banks, hotels, and airline counters, which we could say was the real exploit that his initial pretexting led to.
  • Ask for information - The author describes a social engineer asking a user to log in to a "test page", which in reality has the purpose of collecting the user's ID and password. This is similar to phishing, sending email to users that asks them to do the same or similar things.
  • Impersonation - An attacker might impersonate anyone who might seem to belong in the environment being surveilled or attacked. It is common to impersonate a help desk employee when calling a victim. It is also common to impersonate an employee, a delivery person, or a repair person when the ploy calls for infiltrating a site.
  • Phishing - Phishing is the solicitation of personal or company information, typically through an official looking email. Some variations on phishing:
    • Spear phishing - sending the email to specific people, customizing it to look like a message sent to them by an entity with some of their personal information already
    • Whaling - This is spear phishing but it focuses on big (wealthy or data rich) targets.
    • Pharming - sending an email that takes the person directly to a web site (the phisher's site) instead of asking the reader to follow a link
    • Google phishing - the phisher sets up a fake search engine that will send people to the phishing web site on specific searches (presumably it returns real search results on searches that would not lead to a page the phisher has prepared)
  • Spam - The section on spam, unsolicited email, seems out of place in this discussion. Most spam may only be looking for a customer, but some spam is sent with the intent to steal, abuse, and sell the payment information that a person might volunteer to provide.
  • Hoaxes - In the larger sense, all social engineering involves a hoax of some kind. First the grifter finds a mark, then he tells the mark the tale, and offers the deal. In the sense that the text means here, a hoax is distraction from reality, such as when the attacker pretends that there is a virus outbreak that is affecting the potential victim. It sets the idea in the victim's mind that the attacker is trying to help and should be assisted in his/her efforts.
  • Typo squatting - Most people are not great typists. The text explains that this is why other people (the bad ones) register domain names that are similar but not identical to real domains. They are hoping that the bad typists among us will misspell a URL and find ourselves on their site instead of the one we wanted, where we might volunteer information by trying to log in with credentials that can then be abused, sold, or ransomed. This technique is also called URL hijacking by the text.
  • Watering hole attack - The attacker determines that targets in the company/agency often visit a particular web site, called the watering hole in this scenario. It may be easier to infect that site than to attack the individuals directly, and then to take advantage of the real target.

The author remarks that social engineering is often preferred to more difficult hacking, because it is usually easy, fast, and effective. That is true for someone with the right skill set. Many hackers are not accomplished actors, but social engineers need to be. Think about it the next time someone calls your home "from Microsoft" and tells you they have noticed problems on your computer. Then hang up the phone; there is no point in talking to them.

The following is a list of six attitudes/approaches a social engineer might take when making a request for a password change. 

  • Authority - pretend to be someone who has the right to make the request
  • Intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
  • Consensus/social proof - tell a believable lie that others have granted this request in the past
  • Scarcity - tell the victim that you are short on time, or you have to get this before it can't be done
  • Urgency - tell the victim that you need this right now, and that you will complete the red tape later
  • Familiarity/Liking - act like one of the family, especially one who appreciates the work the victim does for the company
  • Trust - use details about the organization to make it seem like you are a part of it

Someone who is practiced in manipulating people may be able to choose between these approaches easily, based on the attitude of the person on the other end of the phone, email, or messaging application. A skilled operator may be able to do much more if they can manipulate the person they are working on. Offering the person coffee, chocolate, or other simple gifts may make it easier to get them to do what you want.

The term malware means any software that does something harmful to a system. The CSS 211 text breaks malware into three types, based on which of three objectives the malware follows: infecting a system, concealing its actions, or bringing profit from its actions.

Infecting Malware

Infecting software is divided into viruses and worms. A virus typically requires a carrier to infect a system, like an email, an instant message, or a program that the user runs. A virus typically has two tasks: replicate and damage. Some viruses have historically been rather benign, just displaying a message to the user. The ones that cause damage to a system are categorized by the method they use or the damage they cause:

  • file infector - the virus attaches itself to an executable file; it is triggered when that file is run
  • resident (aka terminate and stay resident) virus - loads into RAM, then does its damage based on actions the user takes through the operating system
  • boot virus - infects the Master Boot Record of a hard disk, which means the virus will load and run the next time the hard drive is used to boot the computer; typically the virus will trash the hard drive
  • companion virus - found more on pre-Windows systems, loads a program with a name similar to that of a real program, but with a preferred extension so the companion (malware) program is run when the user tries to run the real program from a command line; this seems like it might have a resurgence in Windows Server 8 which has more command line features
  • macro virus - a script virus that is typically placed in a Microsoft Office file

Virus protection programs typically recognize viruses by signatures, the way they look. This recognition method is complicated by metamorphic viruses that change the way they look over time, and polymorphic viruses that change their signature and their encryption methods.

A major difference between worms and viruses: once it is started, a worm can replicate itself across connected computer systems by itself. It does not need a carrier. A worm can attack any running computer that is connected to a network that an infected computer is on: it does not require cooperation from the user. Worms are more dangerous due to their self driven nature. Once a worm is detected in a system, each device on the network must be scanned for it, cleaned if necessary, and prevented from accessing the network until this is done.

Concealing Malware

The text lists four types of malware that are first concerned with remaining hidden from the user and from security personnel: Trojan horses, rootkits, logic bombs (not a terribly accurate name), and privilege escalators.

Trojan horse programs are named for the myth of a wooden horse that was used to smuggle Greek soldiers inside the walls of Troy. A program of this sort has two aspects: what we are told it does, and what it actually does. In some cases, Trojans may do what they say, but they also have a hidden malicious purpose which is what puts them in this category. A classic ploy used by Trojans is to pretend not to be a program at all. The text gives an example of a file that has a .exe extension, but the characters .docx occur in the name immediately before it. If a Windows computer is using the default (idiotic!) configuration, the actual .exe extension will be hidden from the user, and the user may think it is only a Word document.

Students should become familiar with the methods to turn off "Hide extensions for known file types" in common versions of Windows.

The text continues to discuss rootkits. At first, the rootkit sounds like a resident virus that replaces operating system files with its own. There are similarities, but one difference is that a rootkit is much more extensive, and another is that the rootkit obtains elevated privileges to carry out its stealth actions. The resident virus may replace one program on the computer, which will then do some harm to the system. The rootkit opens a door for lots of malware. How?

Have you ever seen a movie about a robbery in which the robbers send false information to security staff (like a video loop) that shows all is well, while the robbers proceed to steal whatever they want? That's kind of what a rootkit does. The rootkit assumes the role of a trustworthy part of the operating system. It will stand between the user and security software on one side, and other malware doing whatever it wants on the other.

The intention of the rootkit programmer may not be malicious. The text discusses the example of Sony, who in 2005 installed a rootkit installer on their audio CDs which had the goal of preventing computer users from copying those CDs. Their intent was not malicious, but it changed a PC without the user's consent, and it made the PC vulnerable to security exploits. The first is just wrong, and the second is worse. As the saying goes, the road to hell is paved with good intentions.

Detection and removal of a rootkit can be difficult, but it is worth trying before following the text's scenario of formatting the hard drive and starting over. The Sophos company, for example, has a free download that is supposed to be good at finding and removing these problems. Here is another one from Kaspersky. Students should do an internet search for tools from the vendor of their choice.

A logic bomb is not a bomb. It is malware that waits for a logical condition to occur before it executes its mission. A classic case was the Michelangelo virus that only executed on the birthday of Michelangelo Buonarroti (which, as everyone knows, is March 6th). Other examples are given in the text. Some act like "dead man switches", where the malware engages if it is not regularly reset, or if a person's ID is removed from a network. A logic bomb can be hidden in a much larger program, making it difficult to find.

Privilege escalation is a technique, not a type. The technique is commonly used by system administrators. They log in to networks with an ID that has normal privileges on the system, but they execute administrative tasks with an ID that has elevated privileges. Of course, these are authorized users who are supposed to do such things. When malware does this, it may do it in one of two ways. It may use an exploit to escalate its own privileges, or it may access the privileges of another account which are greater than its own.

Malware for Profit

The first type in this category is spam. Spam that is sent for profit is sent to as many addresses as possible to maximize the potential of getting a sale. The cost to the spammer is minimal (until they are arrested) and the returns are very large.

Some techniques to make a spam email that will get by spam filters in many security products:

  • image spam - words that would trigger spam filters are presented in images (graphic art) instead of in text to avoid alerting the spam filter that the email is about a trigger subject
  • GIF layering - the graphics that present the message are placed in the message in layers, so a human reader will see the intended message, but a spam filter will not notice the subject matter
  • word splitting - trigger words are shown as graphics, and the graphics have white (or other color) bars running through them to avoid optical character recognition, but still allow a human being to recognize the message
  • geometric variance - the background, the font, and other characteristics are varied from one spam message to another so the messages from the spammer are not recognized as identical messages

Spyware is defined as software that violates a user's security. More informatively, spyware typically has one of three missions: advertising, collection of personal information, or changing configuration settings. If other software did what spyware does with the user's permission, that software would not be spyware. So the issue is not what it does, as much as the fact that it is done in secret.

Another type of malware is adware. As its name suggests, adware is concerned with presenting advertisements to the computer user.

The following selected notes are taken from CSS 211, Introduction to Network Security.

In case you have forgotten (or do not know) some of these terms:

  • packet - a generic term for message units on a network; all messages are broken into pieces (packets), numbered, and sent across the network to be reassembled into the original email, file, image, etc.
  • switch - a device that connects assets to a network, a switch is a device that several network assets (computers, printers, other connectivity devices) can be plugged into; a switch receives packets, notes their intended recipient, and sends them on a path that will lead to that recipient without sending the signal to uninterested devices
  • router - a device that connects networks together; the purpose of a router is to provide or deny access to other networks
  • NIC - Network Interface Card, the network connection interface (either installed or built in) on network devices; a wireless (radio frequency) NIC is still a NIC even if you don't plug in to connect to a network
  • Ethernet - the most commonly used network methodology; it is based on contention, which means that devices listen for a quiet line, then transmit their signals, which results in collision of signals at times, which slows the network throughput. Ethernets are typically limited to one transmission at a time across any single LAN segment, and one broadcast transmission at a time across a single network.
  • port - a port can be a physical connection point in a device (like a port in a switch) into which you plug connecting media (like an RJ-45 connector on a UTP cable); a port can also be a location in server memory where a program or service is running

Media vulnerabilities

The text tells us that we could configure a managed switch (one that can run administration software) to mirror all traffic for one or more ports. Port mirroring sends that traffic to another specific port as well, where we would connect a workstation to monitor the packets for signs of trouble. We would run a protocol analyzer program on that workstation (such as Wireshark) to determine what might be significant about traffic flowing through that switch.

Another method for monitoring traffic is using a network tap. Tap is an unusual acronym: by convention it is not capitalized. It stands for test access point which is what it is for: you install the tap between any two network devices to monitor the traffic that flows between them.

The author discusses attackers gaining access to a network's medium. He makes a point that an attacker could, for instance, get access to network cable through an acoustic tile ceiling. His point is that such tiles are not secure, and network cable may be run through that space. Another way would be to look for wire that is entering or leaving a building. In either of these cases, the attacker could wire their own connection jack. With standard Ethernet cable, however, this could be a problem for the attacker. A length of UTP cable is meant to run from one device directly to another. It is not like power cable, where you could break into the circuit and steal some electrons. If you break the cable, you make the connection to the switch, but you make the jack for the device unusable while you are tapped in. A better method would be the author's third idea: find an unused network jack. Actually use it, or wire your break in connection on that run of cable. (A wary administrator would make sure that the port that jack connects to is disabled while the jack is not assigned to a user. This is not always done.)

In an example, a network administrator was advised to set the managed switch to mirror traffic to a specific port. What will the attackers do, assuming they do not have access to manage the switch? Several methods could be used:

  • switch flooding - also called MAC flooding, the attacker feeds many MAC addresses (the unique hardware addresses of NICs) to the switch, which can result in the switch abandoning its programming and sending all received packets out every port
  • MAC address impersonation - the attacker spoofs his MAC address, pretends to have the address of a device whose traffic he wants to receive
  • fake network redirect - the attacker sends signals indicating that another device is on a separate network, and that his device is the gateway to it
  • router advertisements - the attacker sends router advertisements (announcements about services and connections available) to get traffic routed through him
  • fake device redirect - another method to impersonate a real device on the network

The text lists some methods to overcome the above exploits: set the switch to accept only one port assignment for each MAC address, set the switch to allow only one specific MAC address to use each port, set the switch to use configured lists (entered by the administrator, or provided by a server) instead of dynamically learning what MAC addresses are on each port.
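
A small model of the switch behavior discussed above, as an added example that is not part of the course text: it compares a switch that learns MAC addresses dynamically with one that uses an administrator-configured list of one MAC address per port. The class, the addresses, the port numbers, and the table size are constructed assumptions, not any vendor's implementation.

```python
"""Model of a learning switch, with and without configured port-to-MAC bindings."""

# Constructed addresses (locally administered range) and port numbers.
HOST_A, HOST_B, ATTACKER = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
PORT_A, PORT_B, PORT_ATTACKER = 1, 2, 3
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, table_size, static_bindings=None):
        self.ports = list(ports)
        self.table_size = table_size        # capacity of the MAC address table
        self.static = static_bindings       # {port: the one MAC allowed on it}, or None
        self.table = {}                     # MAC address -> port
        if static_bindings:
            self.table = {mac: port for port, mac in static_bindings.items()}
        self.violations = []                # (port, source MAC) of every dropped frame

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if self.static is not None:
            # Configured list: a port accepts only its assigned MAC address.
            # Ports with no binding (unused jacks) accept nothing.
            if self.static.get(in_port) != src:
                self.violations.append((in_port, src))
                return []
        elif src in self.table or len(self.table) < self.table_size:
            # Dynamic learning: remember (or move) the source while room remains.
            self.table[src] = in_port
        out_port = self.table.get(dst)
        if out_port is None:
            # Unknown destination: the frame goes out every other port.
            return [p for p in self.ports if p != in_port]
        return [out_port]


def make_switch(hardened):
    bindings = None
    if hardened:
        bindings = {PORT_A: HOST_A, PORT_B: HOST_B, PORT_ATTACKER: ATTACKER}
    return Switch(ports=[1, 2, 3, 4], table_size=8, static_bindings=bindings)


def flooding_scenario(switch, bogus_count=8):
    """Many made-up source addresses arrive on one port, then A sends to B.

    Returns the ports that receive A's frame to B.
    """
    for n in range(bogus_count):
        switch.receive(PORT_ATTACKER, f"02:00:00:00:ff:{n:02x}", BROADCAST)
    switch.receive(PORT_B, HOST_B, HOST_A)   # B talks, but a full table cannot learn it
    return switch.receive(PORT_A, HOST_A, HOST_B)


def impersonation_scenario(switch):
    """A frame claiming B's address arrives on another port, then A sends to B."""
    switch.receive(PORT_B, HOST_B, HOST_A)
    switch.receive(PORT_ATTACKER, HOST_B, BROADCAST)
    return switch.receive(PORT_A, HOST_A, HOST_B)


if __name__ == "__main__":
    for hardened in (False, True):
        label = "configured list" if hardened else "dynamic learning"
        flood, spoof = make_switch(hardened), make_switch(hardened)
        print(label, "| after flooding, A->B leaves ports", flooding_scenario(flood))
        print(label, "| after impersonation, A->B leaves ports", impersonation_scenario(spoof))
        print(label, "| violations logged:", len(flood.violations) + len(spoof.violations))
```

The violation log is the detection side of the same control: each dropped frame records the port it arrived on, which points an administrator at the jack to investigate.
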

Device vulnerabilities

Many devices are protected by a combination of user ID and password. The ID is generally less secure, often being a guessable combination of first and last name. The password presents an opportunity to set something hard to guess, but that also makes it hard to remember, which causes many users to write it down and leave it in an accessible location, such as on a Post-it note on their monitor.

The more passwords a person has, the less often each is used, the more likely it is that the password will be forgotten. Add the fact that many systems require changes in password on a regular schedule, and forbid the use of any of their last ten passwords as the next password. This leads to users trying to go through the entire list of ten to get back to their desired password on the change date. Administrators, in turn, can set a minimum age for password change, which prevents the user from running through a list in one day (or longer).
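
The interaction between password history and minimum age described above, as an added example that is not part of the course text: the same user behavior is run against a policy with history only, and against one that also sets a minimum age. The class name, the sample passwords, and the PBKDF2 iteration count (kept low so the demonstration runs quickly) are assumptions.

```python
"""Password history plus minimum age, modelled on the policy described above."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta


class PasswordPolicy:
    def __init__(self, history_size=10, min_age=timedelta(0)):
        self.history_size = history_size   # how many recent passwords are remembered
        self.min_age = min_age             # shortest allowed time between changes
        self.salt = os.urandom(16)         # per-account salt (assumption of this model)
        self.history = []                  # salted digests only, newest last
        self.last_change = None

    def _digest(self, password):
        # Demo iteration count; real deployments use a much higher work factor.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, 50_000)

    def change(self, new_password, now):
        """Attempt a password change at time `now`; return the outcome as text."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return "rejected: minimum age"
        digest = self._digest(new_password)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return "rejected: reused"
        # Remember the new password and forget anything older than the window.
        self.history = (self.history + [digest])[-self.history_size:]
        self.last_change = now
        return "ok"


def cycle_back_to_favorite(policy, favorite, start, step):
    """Simulate the user described above.

    The user sets a favorite password, burns through `history_size`
    throwaway passwords spaced `step` apart, then tries the favorite again.
    Returns the outcome of every attempt in order.
    """
    now = start
    results = [policy.change(favorite, now)]
    for n in range(policy.history_size):
        now += step
        results.append(policy.change(f"Throwaway-{n}!", now))
    now += step
    results.append(policy.change(favorite, now))
    return results


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 9, 0)     # constructed date
    minute, day = timedelta(minutes=1), timedelta(days=1)

    history_only = cycle_back_to_favorite(PasswordPolicy(), "Favorite#1", start, minute)
    print("history only, one change per minute:", history_only[-1])

    with_min_age = cycle_back_to_favorite(
        PasswordPolicy(min_age=day), "Favorite#1", start, minute)
    print("history + 1-day minimum age, one change per minute:", with_min_age[-1])

    patient = cycle_back_to_favorite(
        PasswordPolicy(min_age=day), "Favorite#1", start, day)
    print("history + 1-day minimum age, one change per day:", patient[-1])
```

The last run shows why the notes say "(or longer)": a minimum age does not make cycling impossible, it stretches it from minutes to at least eleven days.
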

The text presents a list of bad practices regarding passwords:

  • using a common word as a password - this makes the system vulnerable to a dictionary attack: the attacker simply uses a program that tries every word in a list (usually a dictionary file)
  • not changing passwords - if passwords are not changed regularly, an attacker need only find out the password once to continue to use the system
  • short passwords - even if they are not real words, short passwords are easier for a brute force attack to break than longer ones
  • personal information in passwords - attackers often use social engineering skills to learn about the person whose password they are trying to guess; names of family and pets, birth dates, and anniversaries are all bad choices since they are often easy to get
  • setting the same password on all accounts - this is easy for the user, but offers great returns to the attacker
  • writing down the password - this is generally against every security policy written, as is giving your password to anyone else, but people do it regularly

The text discusses default accounts. They exist on most systems, and most administrators have been told to rename them, but not all do. For example, how do you break into a router like the ones most people have at home? If you have access to it, first you check on the Internet to find the default administrator ID and password for that brand. Then you press the reset button. Then you simply take over the router. On a system where the administrator has never changed the default account, or changed the default password, you don't even need a reset button. (Do you suddenly want to make some changes to your wireless router?)

There is a common misunderstanding about the meanings of the words authentication and authorization. A network can be protected by both kinds of processes.

  • Authentication is the process of proving your stated identity to a system. This is commonly done by stating your identity (entering a user ID), then providing the associated proof (entering a password). This is the classic case of authentication by something you know. Authentication is also commonly done by producing a card with a computer chip or a magnetic stripe that has been properly coded (something you have). Less frequently, it is done by fingerprint, retinal scan, face or hand print scan (something you are) or by moving your finger over a scanner in a particular pattern (something you do).
  • Authorization - The process of granting or denying permissions to authenticated users. This is a step that happens in the background. Users are typically unaware of it until something doesn't work. The text reminds us that a common practice is to follow the principle of least privilege, granting only those permissions that permit a user to do an assigned job, and either denying or choosing not to grant other permissions. The text mentions that permissions are commonly assigned to groups, but does not mention that it is done to make authorizations uniform, consistent, and manageable for those groups.

Review the material in Chapter 13 about authentication protocols. Note that CHAP and MSCHAP are no longer considered secure. Note the uses of EAP, Kerberos, and 802.1x protocols.

Know some facts about PKI. Public Key Infrastructure is not the only code system used in business or government, but it is widely used by both, and by individuals to protect personal or sensitive information. The text points out that there is a difference between PKI and public key cryptography.

  • Public key cryptography is a system in which each entity has two cryptographic keys, each of which is the only means to decrypt what was encrypted by the other.
  • Public Key Infrastructure is a system of using public key cryptography, distributing keys through trusted sources, and revoking keys that have been compromised.

Public key cryptography is a system that uses two encryption/decryption keys. An entity, whether a person or company, must have two keys in this system: a public key and a private key. They are created so that whatever is encrypted with one must be decrypted with the other. The owner of the keys gives the public key to anyone who wants it, but keeps the private key safe from anyone else. This is how SSL encryption on a web site works. I connect to a vendor's web site. I obtain the vendor's public key by making the secure connection. My browser encrypts my credit card data with the vendor's public key and sends the ciphertext to the vendor. If the vendor's private key is secure, the vendor is the only one who can decrypt the data sent through the public key.

That's the way it is supposed to work in a perfect world. However, attackers have created a need for a security net around the process. In a way, PKI is the success story of businesses that have grown up around this technology. The text lists components of public key infrastructure on pages 289 and 290:

  • Certificate authority - An entity, typically a company, that creates digital certificates, which are verified statements of a public key and its owner. They may also create the key pair for the customer, and are responsible for storing and providing certificates as needed.
  • Registration authority - An entity that receives requests for certificates, verifies the requests are from recognized users (such as merchants processing credit cards), and forwards the requests to certificate authorities.
  • Certificate server - A service, or the device that runs the service, that responds to certificate requests.
  • Certificate repository - A database for storing digital certificates, sometimes including records of revoked certificates.
  • Certificate revocation list - A list of certificates that are no longer valid for various reasons.
  • Certificate validation - A process used to make sure that a request submitted for certificate creation actually came from the organization it appears to come from, and that the key submitted in the request is theirs.
  • Key Recovery Service - A service that stores and recovers encryption keys in case they should be lost, for example in a system crash or attack.
  • Time server - A service that provides a standard time reference, used to mark the time of requests and responses. Timestamps may be used to judge whether requests are being processed by the entity we expect to process it.
  • Signing server - In a system that is increasingly automated, this is a central control over related services.

Basic Encryption and PKI

Some encryption systems use one key for encryption and decryption, some use two. Single key systems are symmetric systems, and the whole system is worthless if the key is broken by a hacker. Two key systems are asymmetric systems.

Algorithms use a set of values or characters to create keys and to encrypt messages with those keys. The set of values is the keyspace. Larger keyspaces mean more possible keys from the algorithm. This is what makes it harder to guess the actual contents of a key. Think about that. We rely on secrecy about the algorithm and on the complexity of the keyspace to make security of this type possible. And unless we do something special with the algorithm, most are known, so we only have to know the key and the right algorithm to be able to decrypt a message sent in a symmetric key system. Are you worried now?

In its discussion of symmetric systems, one of our texts makes an interesting point. To address the problem of a symmetric key being exposed, we should consider how many different keys we can make with such a system. We need to switch keys from time to time for security, and we want to make sure we have a different key for every user on our system. That is only for communication between each user and the main system. The text explains that this sort of system would also require a different key for every conceivable pair of users on the system, assuming that they all need to communicate securely with each other. The text provides a formula for the number of keys we would need in a system like that: number of users times (number of users minus 1) divided by two. If we had a thousand users, how many keys does that system have to make, just to work for a while? Four hundred ninety nine thousand, five hundred keys. It should be obvious that we also want the system to store those keys and make sure none are repeats. Oh, my.

Moving on to asymmetric encryption, the text explains public key encryption, as noted above. It seems odd, at first, that a public key can be given to everyone. It takes a moment to get the concept the first time. The keys are created in pairs, and you give your public key to me (or everyone who needs a copy). You keep the private key secret. This enables me (your customers) to send encrypted traffic to you that only you can read. To turn that channel around, you need my public key, so you can send an encrypted message only I can read. It is possible for you to encrypt a message with your private key, and send it to me, but anyone intercepting that message would be able to decrypt it. A message sent to me that way proves you have the matching key, but it does not prove you are who you say you are, unless I trust the method by which I received the public key copy.
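The two directions described above, as an added example that is not from the course text: textbook RSA over small constructed primes, with no padding, for illustration only. The function names, the vendor key pair, and the sample message are assumptions made for the example.

```python
# Textbook RSA over two small Mersenne primes: illustration only, not secure.
def make_keypair(p, q, e=65537):
    """Return (public, private) keys as (exponent, modulus) pairs."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent; needs Python 3.8+
    return (e, n), (d, n)

def apply_key(key, data: bytes) -> bytes:
    """Transform data with either half of a key pair (data must fit the modulus)."""
    exp, n = key
    size = (n.bit_length() + 7) // 8
    value = pow(int.from_bytes(data, "big"), exp, n)
    return value.to_bytes(size, "big").lstrip(b"\x00")

# Constructed key pair for a hypothetical vendor.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)

def customer_to_vendor(message: bytes):
    """Confidentiality: the customer encrypts with the vendor's PUBLIC key."""
    ciphertext = apply_key(VENDOR_PUB, message)
    return {
        # Only the matching private key recovers the message.
        "vendor_reads": apply_key(VENDOR_PRIV, ciphertext),
        # An interceptor who holds only the public key gets garbage.
        "interceptor_reads": apply_key(VENDOR_PUB, ciphertext),
    }

def vendor_to_customer(message: bytes):
    """Proof of key possession: the vendor transforms with its PRIVATE key."""
    blob = apply_key(VENDOR_PRIV, message)
    # Every holder of the public key can read this, so it is not confidential.
    return {"anyone_reads": apply_key(VENDOR_PUB, blob)}

if __name__ == "__main__":
    print(customer_to_vendor(b"order #1042"))
    print(vendor_to_customer(b"order #1042"))
```

The second direction only shows that the sender holds the private key; tying that key to a named owner is the job of the certificate authority described in the PKI component list.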

The difference between the number of keys needed for secure transmission in symmetric versus asymmetric systems is shown in a table on page 294. Compare the example above (a thousand users) in the two systems. In an asymmetric system we only need two thousand keys. Using an asymmetric system with a large keyspace means we do not have to switch systems just because we increase our user population by a factor of ten, or because a particular key was exposed.

Digital Certificates

The following list is the standard contents of a digital certificate. The most critical factor is the public key, but the other factors are required by the X.509 standard. The link to Wikipedia tells us that X.509 is an international standard for PKI. Some of the elements included in that standard are:

  • Version Number
  • Serial Number
  • Signature Algorithm ID
  • Issuer Name
  • Validity period
    • Not Before
    • Not After
  • Subject name
  • Subject Public Key Info
    • Public Key Algorithm
    • Subject Public Key
  • Issuer Unique Identifier (optional)
  • Subject Unique Identifier (optional)
  • Extensions (optional)

Keys are destroyed when they are compromised and when they reach the end of their intended life. This is more about private keys than public keys. Note that lifetime should be related to the sensitivity of the use the key serves. More sensitive equals shorter life.
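How a relying party uses the certificate fields, the validity period, and the certificate revocation list together, as an added example that is not from the course text. The certificate is modeled as a dictionary rather than real X.509 encoding, the CA signs with textbook RSA over small constructed primes (not secure), and every name and value is an assumption.

```python
import hashlib
from datetime import datetime

# Toy CA key pair (textbook RSA over two Mersenne primes): constructed, not secure.
CA_E, CA_N = 65537, (2**107 - 1) * (2**127 - 1)
CA_D = pow(CA_E, -1, (2**107 - 2) * (2**127 - 2))  # CA private exponent

SIGNED_FIELDS = ("serial", "issuer", "not_before", "not_after",
                 "subject", "subject_public_key")

def digest(cert, n):
    """Hash the signed fields and reduce the hash to fit the toy modulus."""
    text = "|".join(str(cert[f]) for f in SIGNED_FIELDS)
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def issue(fields):
    """Certificate authority: sign the fields with the CA private key."""
    return {**fields, "signature": pow(digest(fields, CA_N), CA_D, CA_N)}

def validate(cert, now, trusted_cas, crl):
    """Relying party: return 'ok' or the first reason to reject the certificate."""
    ca_key = trusted_cas.get(cert["issuer"])
    if ca_key is None:
        return "untrusted issuer"
    e, n = ca_key
    if pow(cert["signature"], e, n) != digest(cert, n):
        return "bad signature"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    if cert["serial"] in crl:
        return "revoked"
    return "ok"

# Constructed sample data.
TRUSTED_CAS = {"Example Toy CA": (CA_E, CA_N)}
CRL = {1002}  # serial numbers the CA has revoked
CERT = issue({
    "serial": 1001, "issuer": "Example Toy CA", "subject": "shop.example.test",
    "not_before": datetime(2024, 1, 1), "not_after": datetime(2025, 1, 1),
    "subject_public_key": (65537, (2**61 - 1) * (2**89 - 1)),
})
```

Swapping the subject public key in a signed certificate fails the signature check, which is what lets a recipient trust a public key received over an untrusted channel.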

What PKI is and is not

PKI can provide security, integrity, and nonrepudiation. It is used for financial transactions and downloaded file integrity. PKI is meant to be one layer of security.

It does not include authorization functions. It does not prove the identity of someone who is only using the public key in a key pair.

  • Security Content Automation Protocol (SCAP) - A protocol developed by NIST that supports tools and methods for sharing common information.
  • Simple Network Management Protocol (SNMP) - This protocol has been used to manage network devices for many years. A security flaw in early versions was that commands sent to devices had to include a community string, a prefix that gave the command permission to manage the device. The problem was that the default strings were well known. (If the video below starts at the beginning, skip ahead to 6 minutes and 35 seconds.)



    Message integrity, authentication of senders, and encryption were added in version 3 of SNMP. Obviously, Star Fleet was using an earlier version at the time of this encounter.
  • Web-Based Enterprise Management (WBEM) - The text tells us that this is a set of standards for the operation of web based tools, developed by the Distributed Management Task Force. The link in this bullet point leads to their site. So, not exactly a tool as much as some standards for how tools should work.
  • Digital Signatures - A digital signature is something that can accompany a file (such as a download) that offers proof of the file's source and integrity.
  • Securing VPNs - The text recommends we use NAT, firewalls, strong authentication, and data encryption for these connections. The text says that encryption is often done with IP Security Protocol (IPsec). It is implemented at a lower layer in the ISO network model (Network layer) than PGP (Application layer), Kerberos, or SSL (both at the Session layer). As such, it is more transparent to processes that occur at higher layers, to users, and to software running on the workstation. It works well with several security protocols, so it allows you to customize the solution.
  • File Transfer Protocol (FTP) - FTP does what it sounds like: it moves or copies files in a TCP/IP environment. The text describes its problem: no encryption, which makes it vulnerable to man-in-the-middle attacks.
    The text recommends using a secure protocol instead when updating web sites or moving sensitive data. Secure FTP (SFTP) can use either of the next two protocols as a basis.
  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS) - You have probably used SSL every time you have made a purchase across the Internet. The vendor site sends a public key to your computer, your computer encrypts the transaction, and the resulting SFTP data stream can only be decrypted with the vendor's private key. (You should know this concept very well by now.)
    The text explains that TLS is an improvement over SSL. This link goes to a Wikipedia article that discusses the same point, as well as the uses of TLS which include email.
  • Secure Shell (SSH) - SSH is another method used to implement SFTP. This is a Unix-based protocol that can be used to replace Telnet, and it is used to provide secure login, file operations, and command line operations on the remote server. Management of switches, routers, and other networking devices should be done with nonstandard IDs and passwords, using a protocol that allows secure access such as Secure Shell (SSH).
  • Web protocols - such as HTTPS and SHTTP, provide SSL versions of HTTP. Note the discussion of ports: HTTP typically uses port 80, while HTTPS typically uses port 443.
  • IP Security (IPsec) - IPsec is described as a preferred protocol because it is implemented at a lower layer in the ISO network model (Network layer) than PGP (Application layer), Kerberos, or SSL (both at the Session layer). As such, it is more transparent to processes that occur at higher layers, to users, and to software running on the workstation. The text discusses the virtues of IPsec for several pages.
  • S/MIME - uses digital certificates to protect email. This protocol is built into most email applications.

Go over the troubleshooting material at the end of chapter 13 to get a feeling for applying some of these concepts.

Week 7 Assignment: Labs for Chapter 13 (and all the chapters after that)

  1. Complete as many labs as you can, as soon as you can. For this week, concentrate on doing the labs in Chapter 13 of the TestOut lessons. Repeat the labs until you score at least 80% on them.
  2. When you have done what you can for this week, capture a screen that shows your current progress, and submit it to me as this week's report of your progress.