Tuesday, April 21, 2009

Install DHCP Server

Installing the DHCP Service:

You can install DHCP either during or after the initial installation of Windows 2000 Server or Advanced Server, although there must be a working DNS in the environment. To validate your DNS server, click Start, click Run, type cmd, press ENTER, type ping <friendly name of an existing DNS server in your environment>, and then press ENTER. An unsuccessful reply generates an "Unknown Host <My DNS server name>" message.

To install the DHCP Service on an existing Windows 2003 Server:

1. Click Start, click Settings, and then click Control Panel.
2. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
3. In the Windows Components Wizard, click Networking Services in the Components box, and then click Details.
4. Click to select the Dynamic Host Configuration Protocol (DHCP) check box if it is not already selected, and then click OK.
5. In the Windows Components Wizard, click Next to start Windows 2003 Setup. Insert the Windows 2003 Server CD-ROM into the CD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer.
6. When Setup is complete, click Finish.

Configure DNS Server

Configure DNS Server:

The DNS server is installed automatically along with the domain controller (Active Directory), so now configure the DNS server.

To configure the server as a DNS server, from the Manage Your Server screen, click Manage this DNS server.
Right-click DC01, click Configure a DNS Server, and then click Next.
Select Create a Forward Lookup Zone.
Select This server maintains the zone. Type your domain name for the zone; for example, adatum.com.
Select Allow dynamic updates.
Select Yes, forward queries to DNS servers with the following IP addresses, and type the IP address of the NAT router.
Exit the Manage DNS Server snap-in.
Note: You will receive a message that the forward lookup zone cannot be added to the server because the zone already exists. This is because the zone was created when the DNS server role was initially configured. This message does not indicate an error condition.

Install and Configure Domain Controller

Domain Controller:
Active Directory is a huge topic in itself. While DCPROMO is easy to run, planning of both the physical and the logical structure is the key to a trouble-free Active Directory. Good news: in Server 2003 you can rename both the domain itself and the domain controller (renaming was greyed out in Windows 2000).
Domain controllers do not have to be your most powerful machines, however they must be reliable and always available to answer logon requests. Decide which DCs will hold which FSMO (Flexible Single Master Operations) role. By default, only the first server is a GC (Global Catalog). Having at least one GC on each site will improve any service that makes an LDAP request for Active Directory names.

To install and configure the domain controller, you will perform the following tasks:


1) Install the Windows Server 2003 operating system.
2) Install Active Directory on the domain controller, and configure the server role.
3) Configure DNS.
4) Install the Application Server role (Internet Information Services [IIS],
ASP.NET). This step is only necessary for servers hosting Software Update
Services (SUS) and is not a core requirement for a DC.

To install Windows Server 2003

1) Boot from your Windows Server 2003 operating system CD-ROM. Follow the
instructions in the documentation for Windows Server 2003 to install the
operating system on the computer that is to be your domain controller. Create
disk partitions with the following properties.


Note
If your LAN includes a second server, you can choose to create only one
partition on the domain controller’s hard drive, to store the operating system,
and use the other server for storing additional software and data.
2) During Windows Setup, enter the following values:
Computer Name: Enter DC01.

Administrator Password: Enter a strong password.
Important

Computer security requires the use of a strong password for your administrator
account. A strong password has from 7 through 14 characters, and contains
letters (both uppercase and lowercase), numerals, and symbols (all other
characters, such as $%*&). The password should contain at least one symbol
character in the second through sixth positions.
Network settings: Select typical settings.
When prompted about whether this computer is part of a Workgroup or Computer
Domain, select Workgroup and accept the default name of
Workgroup.
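The administrator-password rule quoted in the note above, written out as a checker (an added example, not part of the original notes or of Windows Setup). Following the note, a "symbol" is taken to be any character that is not a letter or numeral; the sample passwords are constructed.

```python
"""Checker for the administrator-password rule in the setup note: 7 through 14
characters; uppercase and lowercase letters, numerals and symbols; and at
least one symbol somewhere in positions 2 through 6. Added example, not from
the original notes or from Windows Setup.
"""


def is_symbol(ch: str) -> bool:
    # The note defines symbols as "all other characters, such as $%*&".
    return not ch.isalnum()


def password_problems(pw: str) -> list:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if not 7 <= len(pw) <= 14:
        problems.append("length must be 7 through 14 characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeral")
    if not any(is_symbol(c) for c in pw):
        problems.append("needs a symbol")
    # The note counts positions from 1; pw[1:6] is characters 2 through 6.
    if not any(is_symbol(c) for c in pw[1:6]):
        problems.append("needs a symbol in positions 2 through 6")
    return problems


def is_strong(pw: str) -> bool:
    """True when the password satisfies every rule in the note."""
    return not password_problems(pw)


if __name__ == "__main__":
    # Constructed sample passwords, not credentials from the original notes.
    for candidate in ["P@ssw0rd", "Password1!", "short", "p@ssword"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'OK'}")
```

Note that "P@ssw0rd" satisfies every rule, which is a reminder that a composition rule like this one is a floor, not a measure of how guessable a password is.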

After the computer restarts, log on as Administrator.
Click Start, point to All Programs, and click
Activate Windows. Follow the prompts to activate and register
your copy of Windows Server 2003 through the Internet.

If you cannot access the Internet, refer to your router and modem instructions
for troubleshooting assistance.

To configure the server as a domain controller:

Click Start, and click Manage Your Server.
Select Custom Configuration. Click Add or remove a role, and then click Next. Wait for the wizard to review the computer’s current configuration.
Select the Domain Controller (Active Directory) role. Proceed to run the Active Directory Installation Wizard. Use the following values as you are prompted for them:
Select Domain controller for a new domain.
Select Domain in a new forest.
Enter your domain name (in the sample configuration, this is adatum.com).
Accept the default values for Domain NetBIOS name, Database folder, Log folder, and SYSVOL folder location.
Because DNS has not yet been installed on this server, the DNS Registration Diagnostics will indicate that none of the DNS servers used by this computer responded within the timeout interval. Select Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server.
Select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems.
In the Directory Services Restore Mode Administrator Password field, enter a strong password.
The wizard will notify you that the computer has a dynamically assigned IP address. Typically you would not assign a dynamic IP address to a domain controller. However, this configuration is acceptable for this simple network in which the router is used as the DHCP server.
When the Local Area Connection Properties page displays, click Cancel.
When the wizard finishes configuring Active Directory, select Restart Now. After the computer has restarted, click Finish.

Server Roles

Windows 2003 - Server Roles
Microsoft's slogan of - 'Easy to deploy, use, and manage' - does have a ring of truth. However, it does rely on you having the knowledge and skill to make your Windows Server 2003 fulfil its potential. I must confess that even though I am familiar with the different types of server, every time I checked with the 'Configure Your Server Wizard', I found at least one feature that I would otherwise have missed, so my mantra became - 'Give the wizard a chance'.

Roles for your Windows 2003 Server
Domain Controller
DNS (WINS)
DHCP
File Server
Print Server
Application Server
Mail Server
Terminal Services
RAS - Dial-in or VPN
Streaming Media

Monday, April 20, 2009

Pwdump...Security Tools

Pwdump : A Windows password recovery tool
Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. It outputs the data in L0phtcrack-compatible form, and can write to an output file.

Metasploit Framework...Security Tools

Metasploit Framework : Hack the Planet

Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.

Netcat...Security Tools

Netcat : The network Swiss army knife
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its immense popularity. It can sometimes even be hard to find nc110.tgz. The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original. One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more. It even made this list on its own merits. There is also Chris Gibson's Ncat, which offers even more features while remaining portable and compact. Other takes on Netcat include OpenBSD's nc, Cryptcat, Netcat6, PNetcat, SBD, and so-called GNU Netcat.

Snort...Security Tools

Snort : Everyone's favorite open source IDS
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.
Wireshark : Sniffing the glue that holds the Internet together
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

Google...Security Tools

Google : Everyone's Favorite Search Engine
While it is far more than a security tool, Google's massive database is a gold mine for security researchers and penetration testers. You can use it to dig up information about a target company by using directives such as “site:target-domain.com” and find employee names, sensitive information that they wrongly thought was hidden, vulnerable software installations, and more. Similarly, when a bug is found in yet another popular webapp, Google can often provide a list of vulnerable servers worldwide within seconds. The master of Google hacking is Johnny Long. Check out his Google Hacking Database or his excellent book: Google Hacking for Penetration Testers.

VMware...Security Tools

VMware : Multi-platform Virtualization Software

VMware virtualization software lets you run one operating system within another. This is quite useful for security researchers who commonly need to test code, exploits, etc. on multiple platforms. It only runs on Windows and Linux as the host OS, but pretty much any x86 OS will run inside the virtualized environment. It is also useful for setting up sandboxes. You can browse from within a VMware window so that even if you are infected with malware, it cannot reach your host OS. And recovering the guest OS is as simple as loading a "snapshot" from prior to the infection. VMware Player (executes, but can't create OS images) and VMware Server (partitions a physical server machine into multiple virtual machines) were recently released for free. Another interesting virtualization system (Linux focused) is Xen.

MBSA...Security Tools

MBSA : Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Apparently MBSA on average scans over 3 million computers each week.

Types of Internet Connections

DSL Connection
DSL (Digital Subscriber Line) connections are provided by a variety of companies and use the vast existing telephone network to deliver high-speed internet access to almost any area with telephone service.
Cable Connection
Cable modem connections provide high-speed internet access in varying speeds through the same coaxial cable network that normally carries your cable tv signal.
Satellite Dish Connection
In areas where DSL or cable internet access is not available, satellite dish access can provide internet access at somewhat higher prices.
Power Line Connection
Although still developmental, power line modems promise to deliver high-speed internet access over the existing electrical wiring via the regional power grid.
Cellular Connection
A relative newcomer to the internet access lineup uses a cellular card to provide broadband speed over the cellular telephone network.

Types of Private Network

Wired Networks
The most common method of networking computers, the traditional wired network, involves using special cabling that is permanently installed throughout the site to connect the desired devices. Wired networks are the most reliable and the most secure, and are a leading candidate for best home network.
Wireless Networks
Wireless networks use radio waves to transmit signals through thin air, eliminating the need for network cabling. Isn't modern technology wonderful? When combined with a traditional wired network, the resulting hybrid is the "winner" for best home network.
Phone Line Networks
This type of network involves using the regular telephone lines that are already installed in your home to transmit data eliminating the need for any extra cabling.
Power Line Networks
Although still developmental, power line networks, which use the existing electrical wiring already present in your home to transmit computer data, may be the future of pain-free home networking.

Public Vs Private

It is important to make a distinction here regarding public networks versus private networks. When we use the term "public network" we are speaking of what most people know as "the internet". When we use the term "private network" we are referring to the much smaller networks found inside a business or residential home.
There are a variety of ways you can connect to the public internet and there are a variety of ways you can connect a group of computers together within a business or residential home.
Now we can explore the variety of ways you can connect both the computers inside your home and to the public internet as well as the pros and cons of each.

Network Types...Other

While LAN and WAN are by far the most popular network types mentioned, you may also commonly see references to these others:
Wireless Local Area Network - a LAN based on WiFi wireless network technology
Metropolitan Area Network - a network spanning a physical area larger than a LAN but smaller than a WAN, such as a city. A MAN is typically owned and operated by a single entity such as a government body or large corporation.
Campus Area Network - a network spanning multiple LANs but smaller than a MAN, such as on a university or local business campus.
Storage Area Network - connects servers to data storage devices through a technology like Fibre Channel.
System Area Network - links high-performance computers with high-speed connections in a cluster configuration. Also known as a Cluster Area Network.

LAN, WAN and Home Networking

Residences typically employ one LAN and connect to the Internet WAN via an Internet Service Provider (ISP) using a broadband modem. The ISP provides a WAN IP address to the modem, and all of the computers on the home network use LAN (so-called private) IP addresses. All computers on the home LAN can communicate directly with each other but must go through a central gateway, typically a broadband router, to reach the ISP.

Network Types...WAN

As the term implies, a WAN spans a large physical distance. The Internet is the largest WAN, spanning the Earth. A WAN is a geographically-dispersed collection of LANs. A network device called a router connects LANs to a WAN. In IP networking, the router maintains both a LAN address and a WAN address. A WAN differs from a LAN in several important ways. Most WANs (like the Internet) are not owned by any one organization but rather exist under collective or distributed ownership and management. WANs tend to use technology like ATM, Frame Relay and X.25 for connectivity over the longer distances.

Network Types...LAN

LAN - Local Area Network

A LAN connects network devices over a relatively short distance. A networked office building, school, or home usually contains a single LAN, though sometimes one building will contain a few small LANs (perhaps one per room), and occasionally a LAN will span a group of nearby buildings. In TCP/IP networking, a LAN is often but not always implemented as a single IP subnet. In addition to operating in a limited space, LANs are also typically owned, controlled, and managed by a single person or organization. They also tend to use certain connectivity technologies, primarily Ethernet and Token Ring.

Network Types

Types of Network

LAN - Local Area Network
WAN - Wide Area Network
MAN - Metropolitan Area Network
SAN - Storage Area Network, System Area Network, Server Area Network
CAN - Campus Area Network, Controller Area Network
PAN - Personal Area Network
DAN - Desk Area Network

Security Tips for Network Designing

1. Make sure you have a security policy in place - The security policy is the formal statement of rules on how security will be implemented in your organization. A security policy should define the level of security and the roles and responsibilities of users, administrators and managers.
2. Make sure all of your operating systems and applications are patched with the latest service packs and hotfixes - Keeping your systems patched will close vulnerabilities that can be exploited by hackers.
3. Keep an inventory of your network devices - Develop and maintain a list of all hardware/software components, and understand which default software installations provide weak security configurations.
4. Scan TCP/UDP services - Turn off or remove unnecessary services. Unneeded services can be the entry point attackers use to gain control of your system.
5. Establish a strong password policy - Weak passwords could mean a compromised user account.
6. Don't trust code from non-trusted sources.
7. Block certain e-mail attachment types - This list includes .bas, .bat, .exe and .vbs.
8. Don't provide more rights to system resources than necessary - Implement the concept of "least privilege".
9. Perform your own network security testing - Find the holes before the attackers do!
10. Implement "defense-in-depth" - Don't rely on just one control or system to provide all the security you need.
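Tip 7 as a working mail-gateway check (an added example, not part of the original list). It blocks the four extensions the tip names, looks at every extension in a filename rather than only the last one, and then applies that check to the attachments of a parsed e-mail; the message, filenames and addresses are constructed samples.

```python
"""Attachment-type filter for the .bas/.bat/.exe/.vbs blocklist in tip 7.
Added example, not from the original tips. Every extension in a filename is
checked case-insensitively, so "invoice.pdf.exe" and "Macro.VBS" are both
caught, and padding such as "notes.txt      .exe" does not hide the real
extension. The sample message below is constructed, not a real capture.
"""
import email
import email.policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".bas", ".bat", ".exe", ".vbs"}


def extensions(filename: str) -> list:
    """All extensions in a name, e.g. 'a.pdf.exe' -> ['.pdf', '.exe']."""
    pieces = filename.strip().split(".")
    return ["." + piece.strip().lower() for piece in pieces[1:] if piece.strip()]


def is_blocked(filename: str) -> bool:
    """True if any extension in the name is on the blocklist."""
    return any(ext in BLOCKED_EXTENSIONS for ext in extensions(filename))


def blocked_attachments(raw_message: str) -> list:
    """Filenames of the attachments in a raw RFC 822 message that the policy blocks."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    return [part.get_filename() for part in msg.iter_attachments()
            if is_blocked(part.get_filename() or "")]


def build_sample_message() -> str:
    """Constructed test message with one benign and two blocked attachments."""
    msg = EmailMessage(policy=email.policy.default)
    msg["From"] = "sender@example.com"
    msg["To"] = "admin@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for name in ["report.doc", "invoice.pdf.exe", "Macro.VBS"]:
        msg.add_attachment(b"\x00\x01 constructed payload bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_string()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```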

Virtual Private Networks ....Secure Network Devices

Given the ubiquity of the Internet, and the considerable expense in private leased lines, many organizations have been building VPNs (Virtual Private Networks). Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate.
The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to "internal" resources without providing those resources to everyone on the Internet. VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet, is private (because the link is encrypted), and the link is convenient, because each can see the other's internal resources without showing them off to the entire world.
A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product, or as an add-on. If you need to connect several offices together, this might very well be the best way to do it.

Crypto-Capable Routers....Secure Network Devices

A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes.

Dial-Back Systems....Secure Network Devices

It's important to remember that the firewall is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak around (rather than through) your front door (or firewall). Just as castles weren't built with moats only in the front, your network needs to be protected at all of its entry points.
If modem access is to be provided, this should be guarded carefully. The terminal server, or network device that provides dial-up access to your network, needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong -- not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network from remote: guard it carefully.
There are some remote access systems that have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system, and providing the correct userid and password. The system will then drop the connection, and call the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips.
Other possibilities include one-time password schemes, where the user enters his userid, and is presented with a "challenge," a string of between six and eight numbers. He types this challenge into a small device that he carries with him that looks like a calculator. He then presses enter, and a "response" is displayed on the LCD screen. The user types the response, and if all is correct, the login will proceed. These are useful devices for solving the problem of good passwords, without requiring dial-back access. However, these have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys.
No doubt many other schemes exist. Take a look at your options, and find out how what the vendors offer will help you enforce your security policy effectively.
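The challenge/response login described above, modelled end to end as an added example (not from the original text). The text does not say how the hand-held device computes its response, so HMAC-SHA256 truncated to eight digits stands in for the token's arithmetic; the user name and secrets are constructed.

```python
"""Model of the challenge/response token login: the dial-in server shows a
6 to 8 digit challenge, the user's device derives a response from it and a
secret shared with the server, and the server checks the answer. Added
example, not from the original text. HMAC-SHA256 is a stand-in for the
unnamed token algorithm; each challenge is single-use so that a response
observed on the line cannot be replayed.
"""
import hashlib
import hmac
import secrets

RESPONSE_DIGITS = 8


def token_response(secret: bytes, challenge: str) -> str:
    """What the calculator-like device displays for a given challenge."""
    digest = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") % 10 ** RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


class TokenDevice:
    """The device the user carries; it holds nothing but the shared secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return token_response(self._secret, challenge)


class DialInServer:
    """The terminal-server side: enrols tokens, issues challenges, verifies."""

    def __init__(self):
        self._secrets = {}    # userid -> shared secret recorded at enrolment
        self._pending = {}    # userid -> the one outstanding challenge

    def enroll(self, userid: str) -> TokenDevice:
        secret = secrets.token_bytes(20)
        self._secrets[userid] = secret
        return TokenDevice(secret)

    def challenge(self, userid: str) -> str:
        """Issue a fresh eight-digit challenge (the text allows six to eight)."""
        chal = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[userid] = chal
        return chal

    def verify(self, userid: str, response: str) -> bool:
        """Accept only the response to the outstanding challenge, once."""
        chal = self._pending.pop(userid, None)   # consumed whether it verifies or not
        secret = self._secrets.get(userid)
        if chal is None or secret is None:
            return False
        expected = token_response(secret, chal)
        return hmac.compare_digest(expected, response)


def demo_login() -> tuple:
    """Constructed walk-through: a good login, then a replay of the same response."""
    server = DialInServer()
    device = server.enroll("alice")          # constructed user
    chal = server.challenge("alice")
    response = device.respond(chal)
    first = server.verify("alice", response)
    replay = server.verify("alice", response)  # challenge already consumed
    return first, replay


if __name__ == "__main__":
    print(demo_login())
```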

Types of Firewalls... Network Security

There are three basic types of firewalls, and we'll consider each of them.
Application Gateways The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.
Packet Filtering Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa. There is less overhead in packet filtering than with an application gateway, because the feature of access control is performed at a lower ISO/OSI layer (typically, the transport or session layer). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins. Figure 6 shows a packet filtering gateway. Because we're working at a lower level, supporting new applications either comes automatically, or is a simple matter of allowing a specific packet type to pass through the gateway. (Not that the possibility of something automatically makes it a good idea; opening things up this way might very well compromise your level of security below what your policy allows.) There are problems with this method, though. Remember, TCP/IP has absolutely no means of guaranteeing that the source address is really what it claims to be. As a result, we have to use layers of packet filters in order to localize the traffic. We can't get all the way down to the actual host, but with two layers of packet filters, we can differentiate between a packet that came from the Internet and one that came from our internal network. We can identify which network the packet came from with certainty, but we can't get more specific than that.
Hybrid Systems In an attempt to marry the security of the application layer gateways with the flexibility and speed of packet filtering, some vendors have created systems that use the principles of both. In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed. Other possibilities include using both packet filtering and application layer proxies. The benefits here include providing a measure of protection against your machines that provide services to the Internet (such as a public web server), as well as provide the security of an application layer gateway to the internal network. Additionally, using this method, an attacker, in order to get to services on the internal network, will have to break through the access router, the bastion host, and the choke router.
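The packet-filtering argument above, as an added example (not from the original text): an ordered ACL with an implicit deny, evaluated on the access router, with the anti-spoofing rule that compensates for TCP/IP not vouching for source addresses. The interface names, address blocks and sample packets are all constructed.

```python
"""Ordered-ACL packet filter: first matching rule wins, anything unmatched is
denied, and a rule on the outside interface drops packets that claim an
internal source address, since nothing from the Internet can legitimately
carry one. Added example, not from the original text; interfaces, networks
and traffic below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")        # constructed internal address space
DMZ_WEB = ip_network("192.0.2.10/32")      # constructed public web server in the DMZ
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    iface: Optional[str] = None       # None matches any interface
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt: Packet) -> str:
    """Evaluate the ACL top to bottom; the first match decides, else deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# ACL for the access router, the outer of the two packet-filter layers.
ACCESS_ROUTER_ACL = [
    # Anti-spoofing: a packet arriving from the Internet can never
    # legitimately carry an internal source address, whatever it claims.
    Rule("deny", iface="outside", src=INTERNAL),
    # Outbound traffic must come from the inside with an internal source.
    Rule("permit", iface="inside", src=INTERNAL),
    # The one service the outside world may reach: the DMZ web server.
    Rule("permit", iface="outside", dst=DMZ_WEB, proto="tcp", dport=80),
    # Everything else falls through to the implicit deny.
]


def origin(pkt: Packet) -> str:
    """Which network the packet came from: known only after anti-spoofing."""
    if pkt.iface == "outside":
        return "spoofed" if ip_address(pkt.src) in INTERNAL else "Internet"
    return "internal"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("outside", "10.1.2.3", "10.0.0.5", "tcp", 445),       # claims an internal source
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 80),  # web request to the DMZ
    Packet("outside", "198.51.100.7", "10.0.0.5", "tcp", 445),   # aimed at an internal host
    Packet("inside", "10.0.0.5", "198.51.100.7", "tcp", 443),    # outbound from inside
]


def decisions(acl, packets) -> list:
    """(action, origin) for each packet, in order."""
    return [(filter_packet(acl, p), origin(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (action, where) in zip(SAMPLE_PACKETS, decisions(ACCESS_ROUTER_ACL, SAMPLE_PACKETS)):
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {action:6} ({where})")
```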

Firewalls.....Network Security

As we've seen in our discussion of the Internet and similar networks, connecting an organization to the Internet provides a two-way flow of traffic. This is clearly undesirable in many organizations, as proprietary information is often displayed freely within a corporate intranet (that is, a TCP/IP network, modeled after the Internet that only works within the organization).
In order to provide some level of separation between an organization's intranet and the Internet, firewalls have been employed. A firewall is simply a group of components that collectively form a barrier between two networks.
A number of terms specific to firewalls and networking are going to be used throughout this section, so let's introduce them all together.
Bastion host. A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network). Typically, these are hosts running a flavor of the Unix operating system that has been customized in order to reduce its functionality to only what is necessary in order to support its functions. Many of the general-purpose features have been turned off, and in many cases, completely removed, in order to improve the security of the machine.
Router. A special purpose computer for connecting networks together. Routers also handle certain functions, such as routing, or managing the traffic on the networks they connect.
Access Control List (ACL). Many routers now have the ability to selectively perform their duties, based on a number of facts about a packet that comes to it. This includes things like origination address, destination address, destination service port, and so on. These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.
Demilitarized Zone (DMZ). The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted network, nor part of the trusted network. But, this is a network that connects the untrusted to the trusted. The importance of a DMZ is tremendous: someone who breaks into your network from the Internet should have to get through several layers in order to successfully do so. Those layers are provided by various components within the DMZ.
Proxy. This is the process of having one host act on behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might be configured to be proxy clients. In this situation, when a host on the intranet wishes to fetch a web page, for example, the browser will make a connection to the proxy server, and request the given URL. The proxy server will fetch the document, and return the result to the client. In this way, all hosts on the intranet are able to access resources on the Internet without having the ability to talk directly to the Internet.

Risk Management.... Network Security

It's very important to understand that in security, one simply cannot say "what's the best firewall?" There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network, power supply, locked in a safe, and thrown at the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either: the Internet is a bad neighborhood now, and it isn't long before some bonehead will tell the computer to do something like self-destruct, after which, it isn't terribly useful to you.
This is no different from our daily lives. We constantly make decisions about what risks we're willing to accept. When we get in a car and drive to work, there's a certain risk that we're taking. It's possible that something completely out of control will cause us to become part of an accident on the highway. When we get on an airplane, we're accepting the level of risk involved as the price of convenience. However, most people have a mental picture of what an acceptable risk is, and won't go beyond that in most circumstances. If I happen to be upstairs at home, and want to leave for work, I'm not going to jump out the window. Yes, it would be more convenient, but the risk of injury outweighs the advantage of convenience. Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly.

TCP/IP...Network Security

TCP/IP (Transmission Control Protocol/Internet Protocol) is the "language" of the Internet. Anything that can learn to "speak TCP/IP" can play on the Internet. This functionality lives at the Network (IP) and Transport (TCP) layers of the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape's Navigator) that use the network.
One of the most important features of TCP/IP isn't a technological one: the protocol is an "open" protocol, and anyone who wishes to implement it may do so freely. Engineers and scientists from all over the world participate in the IETF (Internet Engineering Task Force) working groups that design the protocols that make the Internet work. Their time is typically donated by their companies, and the result is work that benefits everyone.
As noted, IP is a "network layer" protocol: the layer that allows hosts to actually "talk" to each other. It handles such things as carrying datagrams, mapping an Internet address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and routing, which makes sure that every device with Internet connectivity can find a way to every other.
IP has a number of very important features which make it an extremely robust and flexible protocol. For our purposes, though, we're going to focus on the security of IP, or more specifically, the lack thereof.
A number of attacks against IP are possible. Typically, they exploit the fact that IP provides no robust mechanism for authentication, that is, for proving that a packet came from where it claims it did. A packet simply claims to originate from a given address, and there is no way to be sure that the host that sent it is telling the truth. This is not necessarily a weakness per se, but it is an important point, because it means that host authentication has to be provided at a higher layer of the ISO/OSI Reference Model. Today, applications that require strong host authentication (such as cryptographic applications) do this at the application layer.
IP Spoofing
This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) decide which packets may and may not pass based on the sender's IP address, this is a useful technique for an attacker: he can send packets to a host, perhaps causing it to take some action. Additionally, some applications allow login based on the IP address of the host making the request (such as the Berkeley r-commands). Both are good examples of how trusting an untrustworthy layer provides security that is, at best, weak.
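The two paragraphs above (IP's lack of sender authentication, and IP spoofing against address-based trust) are easy to see in the bytes themselves. The following added example, not code from the original page, builds a minimal IPv4 header that names an arbitrary source address, shows that the header checksum, the only check IP performs on its own header, is still valid and is trivially recomputed after the source is changed, and shows an r-command-style trust check accepting the forged header. The addresses and the hosts.equiv-style trust list are invented for the example; sending such a packet on a real network would need raw-socket privileges, which the example deliberately does not use.

```python
"""Why a source IP address is not authentication.

Added illustration for this page, not code from the original text. It builds
a minimal IPv4 header that claims an arbitrary source address, shows that the
header checksum (the only check IP performs on its header) is still valid,
and shows an address-based trust check of the kind the Berkeley r-commands
relied on accepting it. Addresses and the trust list are invented.
"""
import struct

# Version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol,
# header checksum, source, destination: the 20-byte header with no options.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
PROTO_TCP = 6


def inet_aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def inet_ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(hdr: bytes) -> bytes:
    """Zero the checksum field, recompute it over the header, write it back."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, payload_len: int = 0, ttl: int = 64) -> bytes:
    """Build a header that names *src* as the sender. Nothing in IP ties this
    field to the host that actually puts the packet on the wire."""
    ver_ihl = (4 << 4) | 5                   # IPv4, 5 x 32-bit words
    hdr = IPV4_HEADER.pack(ver_ihl, 0, IPV4_HEADER.size + payload_len, 0, 0,
                           ttl, PROTO_TCP, 0, inet_aton(src), inet_aton(dst))
    return set_checksum(hdr)


def rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What a spoofing host does: swap the source field and refresh the
    checksum. The result is byte-for-byte what the real host would have sent."""
    return set_checksum(hdr[:12] + inet_aton(new_src) + hdr[16:])


def parse_ipv4_header(hdr: bytes) -> dict:
    f = IPV4_HEADER.unpack(hdr[:IPV4_HEADER.size])
    return {
        "checksum_ok": ip_checksum(hdr[:IPV4_HEADER.size]) == 0,  # a valid sum folds to 0
        "src": inet_ntoa(f[8]),
        "dst": inet_ntoa(f[9]),
        "ttl": f[5],
    }


TRUSTED_HOSTS = {"10.0.0.5"}   # constructed hosts.equiv-style trust list


def address_based_login(hdr: bytes) -> bool:
    """The r-command mistake: treat the packet as authenticated because its
    source address is on the trust list. A passing checksum says only that
    the header was not corrupted in transit, not who built it."""
    info = parse_ipv4_header(hdr)
    return info["checksum_ok"] and info["src"] in TRUSTED_HOSTS


def spoofing_demo() -> dict:
    attacker, victim, trusted = "198.51.100.7", "10.0.0.9", "10.0.0.5"
    honest = build_ipv4_header(attacker, victim)      # attacker's real address
    spoofed = rewrite_source(honest, trusted)         # attacker claims to be trusted
    corrupted = spoofed[:16] + inet_aton("10.0.0.11") + spoofed[20:]  # dst altered, no recompute
    return {
        "honest_accepted": address_based_login(honest),
        "spoofed_accepted": address_based_login(spoofed),
        "spoofed_src": parse_ipv4_header(spoofed)["src"],
        "spoofed_checksum_ok": parse_ipv4_header(spoofed)["checksum_ok"],
        "corrupted_checksum_ok": parse_ipv4_header(corrupted)["checksum_ok"],
        "spoofed_identical_to_genuine": spoofed == build_ipv4_header(trusted, victim),
    }


if __name__ == "__main__":
    for key, value in spoofing_demo().items():
        print(f"{key:>30}: {value}")
```

The forged header is identical to the one the trusted host would have produced, which is the whole point: the receiving host has nothing at the IP layer to distinguish them, so the trust decision has to be made with something the attacker cannot forge, at a higher layer.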
TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol and was designed to ride atop IP (just as IP was designed to carry, among other things, TCP packets). Because TCP and IP were designed together, and wherever you have one you typically have the other, the entire suite of Internet protocols is known collectively as "TCP/IP." TCP itself has a number of important features: it numbers the data it sends, acknowledges what it receives, and retransmits what goes missing, which is what makes it "reliable."
UDP (User Datagram Protocol) is a simpler transport-layer protocol. It does not provide the same features as TCP and is thus considered "unreliable." Although this makes it unsuitable for some applications, it makes UDP a better fit than the more robust TCP for others.
One of the things that makes UDP nice is its simplicity. Because it doesn't need to keep track of the sequence of packets, whether they ever reached their destination, and so on, it has lower overhead than TCP. This is another reason it's better suited to streaming-data applications: there's less work to be done making sure all the packets arrived, in the right order, and that sort of thing.

Network Security

Introduction to Network Security:
A basic understanding of computer networks is requisite in order to understand the principles of network security. In this section, we'll cover some of the foundations of computer networking, then move on to an overview of some popular networks. Following that, we'll take a more in-depth look at TCP/IP, the network protocol suite that is used to run the Internet and many intranets. Once we've covered this, we'll go back and discuss some of the threats that managers and administrators of computer networks need to confront, and then some tools that can be used to reduce the exposure to the risks of network computing.
What is a Network?
A "network" has been defined as "any set of interlinking lines resembling a net, a network of roads; an interconnected system, a network of alliances." This definition suits our purpose well: a computer network is simply a system of interconnected computers. How they're connected is irrelevant, and as we'll soon see, there are a number of ways to do this.
The ISO/OSI Reference Model:
The International Organization for Standardization (ISO) Open Systems Interconnection (OSI) Reference Model defines seven layers of communication and the interfaces among them. Each layer depends on the services provided by the layer below it, all the way down to the physical network hardware, such as the computer's network interface card and the wires that connect the cards together. An easy way to look at this is to compare the model with something we use daily: the telephone. In order for you and me to talk when we're out of earshot, we need a device like a telephone. (In the ISO/OSI model, this is at the application layer.) The telephones, of course, are useless unless they can translate sound into electronic pulses that can be transferred over a wire and back again. (These functions are provided in the layers below the application layer.) Finally, we get down to the physical connection: both must be plugged into an outlet that is connected to a switch that's part of the telephone system's network of switches. If I place a call to you, I pick up the receiver and dial your number. This number specifies which central office my request should be sent to, and then which phone at that central office to ring. Once you answer the phone, we begin talking, and our session has begun. Conceptually, computer networks function exactly the same way.

What is Network Design

Secure Network Design
Network Design services are for clients and organizations that are designing, upgrading, moving or redesigning their networks and Internet access points and want to incorporate layered security mechanisms and controls into the network. This is the optimal way to build a secure and productive network, since it is easier (and less costly) to build the security features into the network as it is being built, upgraded or remodeled. This way, the security features are part of the network from the beginning, reducing or even eliminating the need for future downtime and expensive installations. Having security mechanisms built into the network from the design stage allows potential compatibility problems, network hardware/software glitches and other issues to be isolated at the initial stages, rather than discovered later, when the consequences have to be dealt with. Building security into the design or revamping of a business network will not only provide a superior network design, but will also create a more secure and productive network environment for any business or organization.