
SYBEX Sample Chapter
Security+

Study Guide
Michael Pastore
Chapter 3: Infrastructure and Connectivity
Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this
publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to
photocopy, photograph, magnetic or other record, without the prior agreement and written permission of the publisher.
ISBN: 0-7821-4098-X
SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the USA and other
countries.
TRADEMARKS: Sybex has attempted throughout this book to distinguish proprietary trademarks from descriptive terms
by following the capitalization style used by the manufacturer. Copyrights and trademarks of all products and services
listed or described herein are property of their respective owners and companies. All rules and laws pertaining to said
copyrights and trademarks are inferred.
This document may contain images, text, trademarks, logos, and/or other material owned by third parties. All rights
reserved. Such material may not be copied, distributed, transmitted, or stored without the express, prior, written consent
of the owner.
The author and publisher have made their best efforts to prepare this book, and the content is based upon final release
software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software
manufacturers. The author and the publisher make no representation or warranties of any kind with regard to the
completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to
performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged
to be caused directly or indirectly from this book.
Sybex Inc.
1151 Marina Village Parkway
Alameda, CA 94501
U.S.A.
Phone: 510-523-8233
www.sybex.com



Chapter 3: Infrastructure and Connectivity

THE FOLLOWING COMPTIA SECURITY+ EXAM OBJECTIVES ARE COVERED IN THIS CHAPTER:

2.1 Remote Access
    2.1.1 802.1x
    2.1.2 VPN
    2.1.3 RADIUS
    2.1.4 TACACS/+
    2.1.5 L2TP/PPTP
    2.1.6 SSH
    2.1.7 IPSEC
    2.1.8 Vulnerabilities
2.2 Email
    2.2.3 Vulnerabilities
        2.2.3.1 Spam
        2.2.3.2 Hoaxes
2.3 Web
    2.3.1 SSL/TLS
    2.3.2 HTTP/S
    2.3.4 Vulnerabilities
        2.3.4.1 JavaScript
        2.3.4.2 ActiveX
        2.3.4.3 Buffer Overflows
        2.3.4.4 Cookies
        2.3.4.5 Signed Applets
        2.3.4.6 CGI
        2.3.4.7 SMTP Relay
2.5 File Transfer
    2.5.1 S/FTP
    2.5.2 Blind FTP/Anonymous
    2.5.3 File sharing
    2.5.4 Vulnerabilities
        2.5.4.1 Packet Sniffing
3.1 Devices
    3.1.1 Firewalls
    3.1.2 Routers
    3.1.3 Switches
    3.1.4 Wireless
    3.1.5 Modems
    3.1.6 RAS
    3.1.7 Telecomm/PBX
    3.1.8 VPN
    3.1.9 IDS
    3.1.10 Network Monitoring/Diagnostics
    3.1.11 Workstations
    3.1.12 Servers
    3.1.13 Mobile Devices
3.2 Media
    3.2.1 Coax
    3.2.2 UTP/STP
    3.2.3 Fiber
    3.2.4 Removable Media
        3.2.4.1 Tape
        3.2.4.2 CDR
        3.2.4.3 Hard Drives
        3.2.4.4 Diskettes
        3.2.4.5 Flashcards
        3.2.4.6 Smartcards

Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CDRs, disks, and tape) provide both internal archival storage and working storage for your systems. In order to provide reasonable security, you must know how these devices work and how they provide or fail to provide security. This chapter deals with issues of infrastructure and media. They are key components of the Security+ exam and necessary for you to understand in order to secure your network.

Infrastructure Security

Infrastructure security deals with the most basic aspects of how information flows and how work occurs in your network and systems. An infrastructure is simply the basis for all of the work occurring in your organization. When discussing infrastructures, bear in mind that this includes servers, networks, network devices, workstations, and the processes in place to facilitate work.

To evaluate the security of your infrastructure, you must examine the hardware and its characteristics, and also examine the software and its characteristics. Each time you add a device, change configurations, or switch technologies, you are potentially altering the fundamental security capabilities of your network.

Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to attack in any number of ways. The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to neutralize it before it happens.

The following sections deal with the hardware and software components
that make up a network.

Hardware Components

Hardware components include physical devices, such as routers, servers, and firewalls. Figure 3.1 depicts a typical network infrastructure and some of the common hardware components in the environment. From a security perspective, this infrastructure is more than the sum of all of its parts. You must evaluate your network from the perspective of each device in it. The complexity of most networks makes securing them extremely complicated. In order to provide reasonable security, every device must be evaluated to determine its strengths and weaknesses.

FIGURE 3.1 A typical network infrastructure

[Figure 3.1 shows the Internet connected through a router and a firewall to the internal network of clients, an Accounting server, and an Engineering server.]

Notice in this figure that the network we will be evaluating has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide. The network includes routers, firewalls, switches, servers, and workstations. Each of these devices has its own unique vulnerabilities and strengths. These devices are covered in more detail later in this chapter. As you can see from Figure 3.1, your infrastructure is complicated and dynamic.

Software Components

Hardware exists to run software. Most of the devices that we use today have a certain amount of built-in intelligence, in the form of embedded software. This intelligence makes them easy to configure, easy to support, and to a certain extent, easy to bypass. The network infrastructure illustrated in Figure 3.1 includes servers, workstations running operating systems, routers, firewalls (which may run as applications on servers), and dedicated devices that have their own communications and control programs.

This situation leaves networks open to attacks and security problems because many of these systems work independently. Many larger organizations have built a single area for network monitoring and administrative control of systems. This centralization allows a larger overall picture of the network to be seen, and it allows actions to be taken on multiple systems or network resources if an attack is underway. These centralized areas are called Network Operations Centers (NOCs). Using a NOC makes it easier to see how an attack develops and easier to provide countermeasures. Unfortunately, a NOC is beyond the means of most businesses. They are expensive and require a great deal of support.

AT&T Wireless NOCs

AT&T Wireless maintains a huge NOC for each of the cell centers they manage. These centers provide 24/7 real-time monitoring of all devices in the cellular and computer network that they support. The operators in the NOC have the ability to literally reach out and touch any device in the network to configure, repair, and troubleshoot. A single NOC has dozens of people working around the clock to keep on top of the network. When an AT&T Wireless center goes down, it effectively takes down the entire cell-phone service for an entire region. As you can imagine, this is horrendously expensive and they do not let it happen very often. There are several NOC facilities in the United States, and one region can support or take over operations for another region if that center becomes inoperable.

Supporting an infrastructure in a large corporation can be a horrendously expensive proposition, and it requires literally years of development to create an effective NOC.

Devices
Connecting all of these components requires physical devices. Large multinational corporations, as well as small and medium-sized corporations, are building networks of enormous complexity and sophistication. These networks work by utilizing miles and miles of both wiring and wireless technologies. Whether the network is totally wire and fiber-based, or totally wireless, the method of transmitting data from one place to another opens vulnerabilities and opportunities for exploitation. These vulnerabilities appear whenever an opportunity exists to intercept information from the media.

The devices briefly described here are the components that you will typically encounter in a network.

Firewalls
Firewalls are one of the first lines of defense in a network. There are different types of firewalls, and they can be either stand-alone systems or included in other devices such as routers or servers. Many firewalls are add-in software available for servers or workstations. The basic purpose of a firewall is to isolate one network from another. Firewalls are also available as appliances, meaning they are installed into the network between two networks. Appliances are freestanding devices that operate in a largely self-contained manner. They should require less maintenance and support than a server-based product.

Firewalls perform one or more of the following functions:

Packet filter
Proxy firewall
Stateful inspection

The proxy shown in Figure 3.2 effectively limits access from outside networks, while allowing inside network users to access outside resources. The proxy in this illustration is also performing firewall functions. The end user in this network uses the proxy server to manage traffic and receive returning information. This section discusses three of the most common functions that firewalls perform.

FIGURE 3.2 A proxy firewall blocking network access from external networks

Packet Filter
A firewall operating as a packet filter will pass or block traffic to specific addresses based on the port, which identifies the type of application. A packet filter may allow web traffic on port 80 and block Telnet traffic on port 23. This type of filtering is included in many routers. If a received packet asks for a port that is not authorized, the filter may reject it (returning an error to the sender) or simply drop it silently. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the security settings of the firewall. Packet filters are growing in sophistication and capability. A packet filter does not analyze the contents of a packet; it decides whether to pass it or not based solely on the addressing information in the packet headers (source and destination addresses, protocol, and ports).

Proxy Firewall
Think of a proxy firewall as an intermediary between your network and another. A proxy firewall receives requests from one network on behalf of the other and evaluates whether each request is forwarded or refused. The proxy intercepts the packets and reprocesses them before passing anything on; because the far side only ever talks to the proxy, this also hides the IP addresses of the hosts behind it. The proxy firewall examines the data and makes rules-based decisions about whether to forward the request or refuse it.

The proxy firewall provides better security than packet filtering because of the increased intelligence that a proxy firewall offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby effectively isolating the user from the external network.

A server-based proxy firewall will typically use two NICs. This type of firewall is referred to as a dual-homed firewall. One of the cards is connected to the outside network and one is connected to the internal network. The proxy software manages the connection between the two NICs. This effectively segregates the two networks from each other and offers increased security. Figure 3.3 illustrates a dual-homed firewall segregating two networks from each other.

FIGURE 3.3 A dual-homed firewall segregating two networks from each other

[Figure 3.3 shows Network A attached to NIC A and Network B attached to NIC B of the proxy server; callout: make sure routing or IP forwarding is disabled in the operating system.]

Dual-Homed Server-Based Proxy Firewall

You are the network administrator of a small network. You are installing a new firewall server using Windows 2000. After you complete the installation, you notice that the network does not appear to be routing traffic through the firewall and that inbound requests are not being blocked. This presents a security problem for the network because you have been getting unusual network traffic lately.

The proxy function can occur at either the application level or the circuit level. Application-level proxy functions will read the individual commands of the protocols that are being served. This type of server is very advanced and must know the rules and capabilities of the protocol used. This type of proxy would know the difference between a GET and a PUT operation, for example, and would have rules specifying how to execute them. A circuit-level proxy creates a circuit between the client and the server and does not deal with the contents of the packets that are being processed.
A unique application-level proxy server must exist for each protocol
supported. Many proxy servers also provide full auditing, accounting, and
other usage information that would not normally be kept by a circuit-level
proxy server.
Combining firewalls with other firewalls will provide a variety of configuration
and security options. See Chapter 6, “Working with a Secure Network,” for
further details.
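To make the application-level/circuit-level distinction concrete, here is an added example in Python (it is not from the Sybex chapter): a minimal HTTP application-level proxy decision that parses the request line and headers, enforces a method and published-host policy, records an audit entry, and repackages the request so the origin server sees a fresh request from the proxy, beside a circuit-level relay that decides only per client endpoint and never reads the bytes. The allowed methods, the published host name, the addresses and the sample requests are all assumed values constructed for the example.

```python
"""Application-level vs. circuit-level proxy decisions (added example).

The policy values, addresses and sample requests below are constructed for
illustration; none of them come from the Sybex chapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

ALLOWED_METHODS = {"GET", "HEAD"}       # assumed policy: read-only access only
PUBLISHED_HOSTS = {"www.example.com"}   # assumed name clients may ask for
INTERNAL_ADDRESS = "10.0.0.25"          # assumed real address of that server
PROXY_ADDRESS = "203.0.113.10"          # assumed address the outside sees
AUDIT_LOG: list[str] = []               # application-level proxies can keep this


@dataclass
class Decision:
    forward: bool
    reason: str
    rewritten: Optional[bytes] = None   # what actually goes to the server


def parse_request_line(raw: bytes) -> tuple[str, str, str]:
    """Split the first line of an HTTP/1.x request into (method, target, version)."""
    first_line = raw.partition(b"\r\n")[0]
    parts = first_line.decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def parse_headers(raw: bytes) -> dict[str, str]:
    """Return header names (lower-cased) and values up to the blank line."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.decode("ascii").strip().lower()] = value.decode("ascii").strip()
    return headers


def application_proxy(raw: bytes) -> Decision:
    """Understands HTTP: it can tell GET from PUT and apply per-command rules."""
    try:
        method, target, version = parse_request_line(raw)
        headers = parse_headers(raw)
    except ValueError as exc:              # UnicodeDecodeError is a ValueError too
        decision = Decision(False, f"rejected: {exc}")
    else:
        host = headers.get("host", "")
        if method not in ALLOWED_METHODS:
            decision = Decision(False, f"rejected: method {method} not permitted")
        elif host not in PUBLISHED_HOSTS:
            decision = Decision(False, f"rejected: host {host!r} not published")
        else:
            # Repackage rather than relay: only the headers we choose survive,
            # so client-supplied headers never reach the internal server and
            # the server's real address never appears to the client.
            body = raw.partition(b"\r\n\r\n")[2]
            rewritten = (
                f"{method} {target} {version}\r\n"
                f"Host: {host}\r\n"
                f"Via: 1.1 {PROXY_ADDRESS}\r\n"
                f"Connection: close\r\n\r\n"
            ).encode("ascii") + body
            decision = Decision(True, f"forwarded to {INTERNAL_ADDRESS}", rewritten)
    AUDIT_LOG.append(f"{raw[:40]!r} -> {decision.reason}")
    return decision


def circuit_proxy(raw: bytes, client_authorised: bool) -> Decision:
    """Knows only the endpoints of the circuit; the bytes are relayed unread,
    so a PUT passes here exactly as a GET would."""
    if not client_authorised:
        return Decision(False, "rejected: client may not open this circuit")
    return Decision(True, "relayed unchanged", raw)
```

The two functions are deliberately asymmetric: `application_proxy` has to carry a parser for every protocol it fronts (which is why one such proxy is needed per protocol), while `circuit_proxy` needs no parser at all and, for the same reason, cannot refuse a PUT or log what the client asked for.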
Dual-Homed Server-Based Proxy Firewall (continued)

The most likely cause is that Windows 2000 offers the ability to enable IP forwarding on a dual-homed server. With IP forwarding turned on, the server passes packets between its two NICs at the IP layer, acting as a router and bypassing the proxy entirely. The two networks are supposed to be isolated by the proxy, but the server is doing a router's job well and is routing IP traffic between them.

You will need to verify that IP forwarding and routing services are not running on this server.

Stateful Inspection

The last section on firewalls focuses on the concept of stateful inspection. Stateful inspection is also referred to as stateful packet filtering. Most of the devices we use in networks do not keep track of how information is routed or used: once a packet is passed, the packet and path are forgotten. In stateful inspection, records are kept in a state table that tracks every communications channel. Stateful inspection occurs at all levels of the network and provides additional security, especially for connectionless protocols such as User Datagram Protocol (UDP) and Internet Control
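The Packet Filter and Stateful Inspection sections above describe two different decision models; this added example (Python, not from the Sybex chapter) runs one constructed packet trace through both. The rules, the 5-tuple state table, the idle timeout and every address and port in the trace are assumptions made for the illustration. It goes a little beyond the text by showing the consequence the chapter implies: a stateless filter must open a standing inbound rule for every kind of reply it wants to let back in, and that rule admits anything matching the ports, whereas the stateful filter admits only replies to flows it has recorded and forgets them once they go idle.

```python
"""Stateless packet filter vs. stateful inspection (added example).

The rule set, the idle timeout and the packet trace are constructed for
illustration and are not from the Sybex chapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = inside -> outside, "in" = outside -> inside
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""   # never consulted by either filter below


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in", "out" or "any"
    proto: str                   # "tcp", "udp" or "any"
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def stateless_filter(rules: list[Rule], p: Packet) -> bool:
    """First matching rule decides; unmatched packets are dropped (default deny).
    Only addressing fields are consulted: p.payload is never examined."""
    for r in rules:
        if r.matches(p):
            return r.action == "allow"
    return False


class StatefulFilter:
    """Admits new flows by rule, then admits replies to those flows from a
    state table keyed on the 5-tuple. Idle entries age out."""

    def __init__(self, rules: list[Rule], idle_timeout: float = 30.0):
        self.rules = rules
        self.idle_timeout = idle_timeout   # assumed value, in seconds
        self.table: dict[tuple, float] = {}   # flow key -> time last seen

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Orient every packet inside->outside so a reply maps to the same key
        # as the request that caused it.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet, now: float) -> bool:
        self.table = {k: t for k, t in self.table.items()
                      if now - t <= self.idle_timeout}
        key = self._key(p)
        if key in self.table:                # reply to a known flow
            self.table[key] = now
            return True
        if stateless_filter(self.rules, p):  # new flow the rules permit
            self.table[key] = now
            return True
        return False                         # unsolicited, or not permitted


# Rules a stateless filter needs for web and DNS to work: the two "in" rules
# are the holes it must open for return traffic, and they admit any outside
# host that happens to send from source port 80 or 53.
STATELESS_RULES = [
    Rule("allow", "out", "tcp", dport=80),
    Rule("allow", "out", "udp", dport=53),
    Rule("allow", "in", "tcp", sport=80),
    Rule("allow", "in", "udp", sport=53),
]

# The stateful filter needs only the outbound rules; replies come from state.
STATEFUL_RULES = STATELESS_RULES[:2]

# Constructed packet trace (addresses taken from documentation ranges).
TRACE = [
    (0.0, Packet("out", "tcp", "10.0.0.5", 40000, "198.51.100.80", 80)),
    (0.1, Packet("out", "tcp", "10.0.0.5", 40001, "198.51.100.80", 23)),
    (0.2, Packet("out", "udp", "10.0.0.5", 51000, "192.0.2.53", 53)),
    (0.3, Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 51000)),     # real DNS reply
    (0.4, Packet("in", "udp", "203.0.113.9", 53, "10.0.0.5", 51000)),    # forged reply
    (0.5, Packet("in", "tcp", "198.51.100.80", 80, "10.0.0.5", 40000)),  # web reply
    (0.6, Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.5", 445)),      # probe from port 80
    (99.0, Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 51000)),    # reply after idle
]


def run_trace() -> list[tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet in TRACE."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return [(stateless_filter(STATELESS_RULES, p), stateful.decide(p, t))
            for t, p in TRACE]


if __name__ == "__main__":
    for (t, p), (a, b) in zip(TRACE, run_trace()):
        print(f"t={t:5.1f} {p.direction:3} {p.proto} {p.src}:{p.sport} -> "
              f"{p.dst}:{p.dport}  stateless={a!s:5}  stateful={b}")
```

Run the block directly to print the decisions side by side. Packets 5, 7 and 8 of the trace (a forged DNS reply from another host, a probe sent from source port 80 to port 445, and a genuine-looking reply arriving after the state entry has aged out) are the ones the stateless rule set passes and the stateful filter drops. Neither filter looks at the payload, which is the gap the application-level proxy described earlier closes.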