Strategic Security Intelligence


Information Resource Guide


Computer, Internet and Network Systems Security

An Introduction to Security
Security Manual

Compiled By:

S.K.PARMAR, Cst

N.Cowichan Duncan RCMP Det

6060 Canada Ave., Duncan, BC

250-748-5522

sunny@seaside.net



This publication is for informational purposes only. In no way should this publication be interpreted as offering legal or accounting advice. If legal or other professional advice is needed, you are encouraged to seek it from the appropriate source. All product and company names mentioned in this manual are the [registered] trademarks of their respective owners. The mention of a product or company does not in itself constitute an endorsement.

The articles, documents, publications, presentations, and white papers referenced and used to compile this manual are copyright protected by the original authors. Please give credit where it is due and obtain permission to use these. All material contained has been used with permission from the original author(s) or representing agent/organization.


Table of Contents

1.0 Introduction
1.1 Basic Internet Technical Details
1.1.1 TCP/IP — Transmission Control Protocol/Internet Protocol
1.1.2 UDP — User Datagram Protocol
1.1.3 Internet Addressing
1.1.4 Types of Connections and Connectors
1.1.5 Routing
1.2 Internet Applications and Protocols
1.2.1 ARCHIE
1.2.2 DNS — Domain Name System
1.2.3 E-mail — Electronic Mail
1.2.4 SMTP — Simple Mail Transport Protocol
1.2.5 PEM — Privacy Enhanced Mail
1.2.6 Entrust and Entrust-Lite
1.2.7 PGP — Pretty Good Privacy
1.2.8 RIPEM — Riordan's Internet Privacy-Enhanced Mail
1.2.9 MIME — Multipurpose Internet Mail Extensions
1.3 File Systems
1.3.1 AFS — Andrew File System
1.3.2 NFS — Network File System
1.3.3 FTP — File Transfer Protocol
1.3.4 GOPHER
1.3.5 ICMP — Internet Control Message Protocol
1.3.6 LPD — Line Printer Daemon
1.3.7 NNTP — Network News Transfer Protocol
1.3.8 News Readers
1.3.9 NIS — Network Information Services
1.3.10 RPC — Remote Procedure Call
1.3.11 R-utils (rlogin, rcp, rsh)
1.3.12 SNMP — Simple Network Management Protocol
1.3.13 TELNET
1.3.14 TFTP — Trivial File Transfer Protocol
1.3.15 Motif
1.3.16 OpenWindows
1.3.17 Winsock
1.3.18 Windows — X11
1.3.19 WAIS — Wide Area Information Servers
1.3.20 WWW — World Wide Web
1.3.21 HTTP — HyperText Transfer Protocol

2.0 Security
2.1 Security Policy
2.1.0 What is a Security Policy and Why Have One?
2.1.1 Definition of a Security Policy
2.1.2 Purposes of a Security Policy
2.1.3 Who Should be Involved When Forming Policy?
2.1.4 What Makes a Good Security Policy?
2.1.5 Keeping the Policy Flexible
2.2 Threats
2.2.0 Unauthorized LAN Access
2.2.1 Inappropriate Access to LAN Resources
2.2.2 Spoofing of LAN Traffic
2.2.3 Disruption of LAN Functions
2.2.4 Common Threats
2.2.4.0 Errors and Omissions
2.2.4.1 Fraud and Theft
2.2.4.2 Disgruntled Employees
2.2.4.3 Physical and Infrastructure
2.2.4.4 Malicious Hackers
2.2.4.5 Industrial Espionage
2.2.4.6 Malicious Code
2.2.4.7 Malicious Software: Terms
2.2.4.8 Foreign Government Espionage
2.3 Security Services and Mechanisms Introduction
2.3.0 Identification and Authentication
2.3.1 Access Control
2.3.2 Data and Message Confidentiality
2.3.3 Data and Message Integrity
2.3.4 Non-repudiation
2.3.5 Logging and Monitoring
2.4 Architecture Objectives
2.4.0 Separation of Services
2.4.0.1 Deny All / Allow All
2.4.1 Protecting Services
2.4.1.0 Name Servers (DNS and NIS(+))
2.4.1.1 Password/Key Servers (NIS(+) and KDC)
2.4.1.2 Authentication/Proxy Servers (SOCKS, FWTK)
2.4.1.3 Electronic Mail
2.4.1.4 World Wide Web (WWW)
2.4.1.5 File Transfer (FTP, TFTP)
2.4.1.6 NFS
2.4.2 Protecting the Protection
2.5 Auditing
2.5.1 What to Collect
2.5.2 Collection Process
2.5.3 Collection Load
2.5.4 Handling and Preserving Audit Data
2.5.5 Legal Considerations
2.5.6 Securing Backups
2.6 Incidents
2.6.0 Preparing and Planning for Incident Handling
2.6.1 Notification and Points of Contact
2.6.2 Law Enforcement and Investigative Agencies
2.6.3 Internal Communications
2.6.4 Public Relations - Press Releases
2.6.5 Identifying an Incident
2.6.5.1 Is it Real?
2.6.6 Types and Scope of Incidents
2.6.7 Assessing the Damage and Extent
2.6.8 Handling an Incident
2.6.9 Protecting Evidence and Activity Logs
2.6.10 Containment
2.6.11 Eradication
2.6.12 Recovery
2.6.13 Follow-Up
2.6.14 Aftermath of an Incident
2.7 Intrusion Management Summary
2.7.0 Avoidance
2.7.1 Assurance
2.7.2 Detection
2.7.3 Investigation
2.8 Modems
2.8.0 Modem Lines Must Be Managed
2.8.1 Dial-in Users Must Be Authenticated
2.8.2 Call-back Capability
2.8.3 All Logins Should Be Logged
2.8.4 Choose Your Opening Banner Carefully
2.8.5 Dial-out Authentication
2.8.6 Make Your Modem Programming as "Bullet-proof" as Possible
2.9 Dial-Up Security Issues
2.9.0 Classes of Security Access Packaged for MODEM Access
2.9.1 Tactical and Strategic Issues in Selecting a MODEM Connection Solution
2.9.2 Background on User Access Methods and Security
2.9.3 Session Tracking and User Accounting Issues
2.9.4 Description of Proposed Solution to Dial-Up Problem
2.9.5 Dissimilar Connection Protocols Support
2.9.6 Encryption/Decryption Facilities
2.9.7 Asynchronous Protocol Facilities
2.9.8 Report Item Prioritization
2.9.9 User Profile "Learning" Facility
2.10 Network Security
2.10.0 NIST Check List
2.10.0.0 Basic Levels of Network Access
2.10.1 Auditing the Process
2.10.2 Evaluating Your Security Policy
2.11 PC Security
2.12 Access
2.12.0 Physical Access
2.12.1 Walk-up Network Connections
2.13 RCMP Guide to Minimizing Computer Theft
2.13.0 Introduction
2.13.1 Areas of Vulnerability and Safeguards
2.13.1.0 Perimeter Security
2.13.1.1 Security Inside the Facility
2.13.2 Physical Security Devices
2.13.2.0 Examples of Safeguards
2.13.3 Strategies to Minimize Computer Theft
2.13.3.0 Appointment of Security Personnel
2.13.3.1 Master Key System
2.13.3.2 Target Hardening
2.13.4 Personnel Recognition System
2.13.4.0 Minimizing Vulnerabilities Through Personnel Recognition
2.13.5 Security Awareness Program
2.13.5.0 Policy Requirements
2.13.5.1 Security Awareness Safeguards
2.13.6 Conclusion
2.14 Physical and Environmental Security
2.14.0 Physical Access Controls
2.14.1 Fire Safety Factors
2.14.2 Failure of Supporting Utilities
2.14.3 Structural Collapse
2.14.4 Plumbing Leaks
2.14.5 Interception of Data
2.14.6 Mobile and Portable Systems
2.14.7 Approach to Implementation
2.14.8 Interdependencies
2.14.9 Cost Considerations
2.15 Class C2: Controlled Access Protection – An Introduction
2.15.0 C2 Criteria Simplified
2.15.1 The Red Book
2.15.2 Summary

3.0 Identification and Authentication
3.1 Introduction
3.1.0 I&A Based on Something the User Knows
3.1.0.1 Passwords
3.1.0.2 Cryptographic Keys
3.1.1 I&A Based on Something the User Possesses
3.1.1.0 Memory Tokens
3.1.1.1 Smart Tokens
3.1.2 I&A Based on Something the User Is
3.1.3 Implementing I&A Systems
3.1.3.0 Administration
3.1.3.1 Maintaining Authentication
3.1.3.2 Single Log-in
3.1.3.3 Interdependencies
3.1.3.4 Cost Considerations
3.1.4 Authentication
3.1.4.0 One-Time Passwords
3.1.4.1 Kerberos
3.1.4.2 Choosing and Protecting Secret Tokens and PINs
3.1.4.3 Password Assurance
3.1.4.4 Confidentiality
3.1.4.5 Integrity
3.1.4.6 Authorization

4.0 Risk Analysis
4.1 The 7 Processes
4.1.0 Process 1 - Define the Scope and Boundary, and Methodology
4.1.0.1 Process 2 - Identify and Value Assets
4.1.0.2 Process 3 - Identify Threats and Determine Likelihood
4.1.0.3 Process 4 - Measure Risk
4.1.0.4 Process 5 - Select Appropriate Safeguards
4.1.0.5 Process 6 - Implement and Test Safeguards
4.1.0.6 Process 7 - Accept Residual Risk
4.2 RCMP Guide to Threat and Risk Assessment for Information Technology
4.2.1 Introduction
4.2.2 Process
4.2.2.0 Preparation
4.2.2.1 Threat Assessment
4.2.2.2 Risk Assessment
4.2.2.3 Recommendations
4.2.3 Updates
4.2.4 Advice and Guidance
4.2.5 Glossary of Terms

5.0 Firewalls
5.1 Introduction
5.2 Firewall Security and Concepts
5.2.0 Firewall Components
5.2.0.0 Network Policy
5.2.0.1 Service Access Policy
5.2.0.2 Firewall Design Policy
5.2.1 Advanced Authentication
5.3 Packet Filtering
5.3.0 Which Protocols to Filter
5.3.1 Problems with Packet Filtering Routers
5.3.1.0 Application Gateways
5.3.1.1 Circuit-Level Gateways
5.4 Firewall Architectures
5.4.1 Multi-homed Host
5.4.2 Screened Host
5.4.3 Screened Subnet
5.5 Types of Firewalls
5.5.0 Packet Filtering Gateways
5.5.1 Application Gateways
5.5.2 Hybrid or Complex Gateways
5.5.3 Firewall Issues
5.5.3.0 Authentication
5.5.3.1 Routing Versus Forwarding
5.5.3.2 Source Routing
5.5.3.3 IP Spoofing
5.5.3.4 Password Sniffing
5.5.3.5 DNS and Mail Resolution
5.5.4 Firewall Administration
5.5.4.0 Qualification of the Firewall Administrator
5.5.4.1 Remote Firewall Administration
5.5.4.2 User Accounts
5.5.4.3 Firewall Backup
5.5.4.4 System Integrity
5.5.4.5 Documentation
5.5.4.6 Physical Firewall Security
5.5.4.7 Firewall Incident Handling
5.5.4.8 Restoration of Services
5.5.4.9 Upgrading the Firewall
5.5.4.10 Logs and Audit Trails
5.5.4.11 Revision/Update of Firewall Policy
5.5.4.12 Example General Policies
5.5.4.12.0 Low-Risk Environment Policies
5.5.4.12.1 Medium-Risk Environment Policies
5.5.4.12.2 High-Risk Environment Policies
5.5.4.13 Firewall Concerns: Management
5.5.4.14 Service Policies Examples
5.5.5 Client and Server Security in Enterprise Networks
5.5.5.0 Historical Configuration of Dedicated Firewall Products
5.5.5.1 Advantages and Disadvantages of Dedicated Firewall Systems
5.5.5.2 Are Dedicated Firewalls a Good Idea?
5.5.5.3 Layered Approach to Network Security - How to Do It
5.5.5.4 Improving Network Security in Layers - From Inside to Outside
5.5.5.5 Operating Systems and Network Software - Implementing Client and Server Security
5.5.5.6 Operating System Attacks from the Network Resource(s) - More Protocols Are the Norm - and They Are Not Just IP
5.5.5.7 Client Attacks - A New Threat
5.5.5.8 Telecommuting Client Security Problems - Coming to Your Company Soon
5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It's Easy
5.5.5.10 Encryption is Not Enough - Firewall Services Are Needed as Well
5.5.5.11 Multiprotocol Security Requirements Are the Norm - Not the Exception, Even for Singular Protocol Suites
5.5.5.12 Protecting Clients and Servers on Multiprotocol Networks - How to Do It
5.5.5.13 New Firewall Concepts - Firewalls with One Network Connection

6.0 Cryptography
6.1 Cryptosystems
6.1.0 Key-Based Methodology
6.1.1 Symmetric (Private) Methodology
6.1.2 Asymmetric (Public) Methodology
6.1.3 Key Distribution
6.1.4 Encryption Ciphers or Algorithms
6.1.5 Symmetric Algorithms
6.1.6 Asymmetric Algorithms
6.1.7 Hash Functions
6.1.8 Authentication Mechanisms
6.1.9 Digital Signatures and Time Stamps

7.0 Malicious Code
7.1 What Is a Virus?
7.1.0 Boot vs File Viruses
7.1.1 Additional Virus Classifications
7.2 The New Macro Virus Threat
7.2.0 Background
7.2.1 Macro Viruses: How They Work
7.2.2 Detecting Macro Viruses
7.3 Is It a Virus?
7.3.0 Worms
7.3.1 Trojan Horses
7.3.2 Logic Bombs
7.3.3 Computer Viruses
7.3.4 Anti-Virus Technologies
7.4 Anti-Virus Policies and Considerations
7.4.0 Basic "Safe Computing" Tips
7.4.1 Anti-Virus Implementation Questions
7.4.2 More Virus Prevention Tips
7.4.3 Evaluating Anti-Virus Vendors
7.4.4 Primary Vendor Criteria

8.0 Virtual Private Networks: Introduction
8.1 Making Sense of Virtual Private Networks
8.2 Defining the Different Aspects of Virtual Private Networking
8.2.0 Intranet VPNs
8.2.1 Remote Access VPNs
8.2.2 Extranet VPNs
8.3 VPN Architecture
8.4 Understanding VPN Protocols
8.4.0 SOCKS v5
8.4.1 PPTP/L2TP
8.4.2 IPSec
8.5 Matching the Right Technology to the Goal

9.0 Windows NT Network Security
9.1 NT Security Mechanisms
9.2 NT Terminology
9.2.0 Objects in NT
9.2.1 NT Server vs NT Workstation
9.2.2 Workgroups
9.2.3 Domains
9.2.4 NT Registry
9.2.5 C2 Security
9.3 NT Security Model
9.3.0 LSA: Local Security Authority
9.3.1 SAM: Security Account Manager
9.3.2 SRM: Security Reference Monitor
9.4 NT Logon
9.4.0 NT Logon Process
9.5 Designing the NT Environment
9.5.0 Trusts and Domains
9.6 Group Management
9.7 Access Control
9.8 Managing NT File Systems
9.8.0 FAT File System
9.8.1 NTFS File System
9.9 Object Permissions
9.10 Monitoring System Activities

10.0 Unix Incident Guide
10.1 Displaying the Users Logged in to Your System
10.1.0 The "w" Command
10.1.1 The "finger" Command
10.1.2 The "who" Command
10.2 Displaying Active Processes
10.2.0 The "ps" Command
10.2.1 The "crash" Command
10.3 Finding the Footprints Left by an Intruder
10.3.0 The "last" Command
10.3.1 The "lastcomm" Command
10.3.2 The /var/log/syslog File
10.3.3 The /var/adm/messages File
10.3.4 The "netstat" Command
10.4 Detecting a Sniffer
10.4.1 The "ifconfig" Command
10.5 Finding Files and Other Evidence Left by an Intruder
10.6 Examining System Logs
10.7 Inspecting Log Files

Appendix A: How Most Firewalls are Configured
Appendix B: Basic Cost Factors of Firewall Ownership
Appendix C: Glossary of Firewall Related Terms
Appendix D: Top 10 Security Threats
Appendix E: Types of Attacks
Appendix F: Top 10 Security Precautions
Appendix G: Virus Glossary
Appendix H: Network Terms Glossary

Foreword

This manual is an effort to assist law enforcement agencies and other computer crime investigators by providing a resource guide compiled from the vast pool of information on the Internet. This manual is not intended to replace any formal training or education. This manual should be used as a supplemental guide to reference. It was not my intention to compile this manual to provide a specific solution for investigators. This was intended to provide a general overview, which would assist in helping to develop a solution. This solution does not have to be hardware or software based. Today policy-based protection can also be incorporated into hardware and software systems.

I would like to thank all the authors and organizations that have provided me with materials to compile this manual. Some of the material contained in this manual was part of a larger document. It is strongly recommended that anyone with an interest in learning more about a particular topic find these documents on the Internet and read them.

A very special thanks to:

Dr. Bill Hancock Network-1 Security Solutions, Inc. (hancock@network-1.com )

who played an active role in the modeling of this manual.

Finally, please respect the copyrights of the original authors and organizations and give them credit for their work.

Any questions or concerns can be directed to me c/o

RCMP Duncan Detachment

6060 Canada Ave., Duncan, BC

CANADA V9L 1V3

ATTN: Cst. S.K. PARMAR

Telephone: 250-748-5522

Email: sunny@seaside.net


SUNNY