Chapter 4: Security Baselines. Security+ Guide to Network Security Fundamentals, Second Edition
TRANSCRIPT
![Page 1: Chapter 4: Security Baselines Security+ Guide to Network Security Fundamentals Second Edition](https://reader031.vdocuments.net/reader031/viewer/2022013112/56649e115503460f94afd8a3/html5/thumbnails/1.jpg)
Chapter 4: Security Baselines
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
Disable nonessential systems
Harden operating systems
Harden applications
Harden networks
Disabling Nonessential Systems
The first step in establishing a defense against computer attacks is to turn off all nonessential services
Disabling services that are not necessary restricts what attackers can use:
Reducing the attack surface
Hardening the operating system
Disabling Nonessential Systems
Operating systems use programs that run in the background to manage different functions
In Microsoft Windows, such a background program is a process; Svchost.exe, for example, is a generic host process that loads one or more services implemented as DLLs
The process provides a service to the operating system, identified by a short service name such as AppMgmt
Viewing Services (screenshot of the Services console)
Disabling Nonessential Systems
Users can view the display name of a service, which gives a more descriptive name, such as “Application Management”
A single process can provide multiple services
To view these services:
Go to Computer Management
Double-click Services and Applications
Double-click Services
Disabling Nonessential Systems
Display Name (screenshot highlighting a service’s display name)
Disabling Nonessential Systems
A service’s startup type can be set to one of the following: Automatic, Manual, or Disabled
Manual means the service does not start at boot but can still be started on demand; only Disabled prevents it from being started at all until the startup type is changed again, which requires administrative rights
Besides preventing attackers from attaching malicious code to services, disabling nonessential services removes the listening ports and code paths they would otherwise offer as entry points into the system
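The procedure above tells you where to look; what a practitioner actually needs is a repeatable comparison of a host’s services against the baseline for its role. The following is an added example (it is not code from the textbook): it takes a constructed service inventory and a hypothetical baseline of essential services, reports what must be disabled and what must be stopped, and renders the findings as sc.exe commands. The service names follow Windows conventions but the inventory itself is made up; on a real host it would come from the Services console, `sc query`, or PowerShell `Get-Service`.

```python
"""Service baseline audit: compare a host's service inventory with the list of
services its role actually needs and report what to stop and disable.

Added example, not code from the textbook. The baseline and inventory are
constructed; on a real host the inventory would come from the Services
console or from `sc query` / PowerShell `Get-Service`.
"""
from dataclasses import dataclass

AUTOMATIC, MANUAL, DISABLED = "Automatic", "Manual", "Disabled"


@dataclass(frozen=True)
class Service:
    name: str          # short service name, e.g. "AppMgmt"
    display_name: str  # descriptive name, e.g. "Application Management"
    start_type: str    # one of AUTOMATIC, MANUAL, DISABLED
    running: bool      # is a process currently providing this service?


# Hypothetical baseline for a plain workstation: everything not listed here
# is nonessential for this role and should end up Disabled.
ESSENTIAL = {"EventLog", "Dhcp", "Dnscache", "LanmanWorkstation", "wuauserv"}

# Constructed inventory (names follow Windows conventions; the data is made up).
INVENTORY = [
    Service("EventLog", "Event Log", AUTOMATIC, True),
    Service("Dhcp", "DHCP Client", AUTOMATIC, True),
    Service("Dnscache", "DNS Client", AUTOMATIC, True),
    Service("LanmanWorkstation", "Workstation", AUTOMATIC, True),
    Service("wuauserv", "Automatic Updates", AUTOMATIC, True),
    Service("AppMgmt", "Application Management", MANUAL, False),
    Service("TlntSvr", "Telnet", AUTOMATIC, True),
    Service("MSFTPSVC", "FTP Publishing", MANUAL, True),
    Service("Messenger", "Messenger", DISABLED, False),
]


def audit(inventory, essential):
    """Classify services against the baseline.

    disable:            nonessential services whose start type is not yet
                        Disabled (Manual is not enough: anything with the
                        right privilege can still start them)
    stop:               nonessential services that are running right now;
                        changing the start type does not stop a running
                        instance, so they must be stopped as well
    essential_disabled: baseline services that have been turned off and
                        would break the role (or its logging/updates)
    """
    disable = sorted(s.name for s in inventory
                     if s.name not in essential and s.start_type != DISABLED)
    stop = sorted(s.name for s in inventory
                  if s.name not in essential and s.running)
    essential_disabled = sorted(s.name for s in inventory
                                if s.name in essential and s.start_type == DISABLED)
    return {"disable": disable, "stop": stop,
            "essential_disabled": essential_disabled}


def remediation(result):
    """Render the findings as sc.exe commands (stop first, then disable).

    `sc config <name> start= disabled` is the real sc.exe syntax; the space
    after `start=` is required.
    """
    cmds = [f"sc stop {n}" for n in result["stop"]]
    cmds += [f"sc config {n} start= disabled" for n in result["disable"]]
    return cmds


if __name__ == "__main__":
    findings = audit(INVENTORY, ESSENTIAL)
    for line in remediation(findings):
        print(line)
```

Two points the audit makes explicit: a service left on Manual is still startable, so the baseline target for anything nonessential is Disabled, and setting Disabled does not terminate an instance that is already running, which is why the stop list is produced separately.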
Hardening Operating Systems
Hardening: the process of reducing vulnerabilities
A hardened system is configured and updated to protect against attacks
Three broad categories of items should be hardened:
Operating systems
Applications that the operating system runs
Networks
Hardening Operating Systems
You can harden the operating system that runs on the local client or the network operating system (NOS) that manages and controls the network, such as Windows Server 2003 or Novell NetWare (both long out of support now; the same hardening steps apply to their successors)
http://searchwindowssecurity.techtarget.com/featuredTopic/0,290042,sid45_gci1069557,00.html?bucket=REF
http://www.microsoft.com/technet/security/prodtech/windowsxp.mspx
Applying Updates
Operating systems are intended to be dynamic
As users’ needs change, new hardware is introduced, and more sophisticated attacks are unleashed, operating systems must be updated on a regular basis
Vendors, however, release a new version of an operating system only every two to four years, so the fixes in between arrive as updates to the installed version
Vendors use certain terms to refer to the different types of updates
Applying Updates (continued)
A service pack (a cumulative set of updates, including fixes for problems that were never released as individual updates) provides the broadest and most complete update
A hotfix does not typically address a security issue; instead, it corrects a specific software problem, often for a specific customer scenario, and historically was released with less testing than a service pack, so it should be applied only to systems that have the problem it fixes
Applying Updates (continued)
A patch or software update fixes a security flaw or other problem
Patches may be released on a regular or irregular basis, depending on the vendor or support team
A good patch management system should:
Deploy patches to defined groups of computers (so a change can be tested on one group before it reaches the rest)
Include a reporting system showing which computers are missing which patches
Download patches from the Internet once, centrally
Distribute the patches to the other computers
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
http://www.microsoft.com/technet/security/topics/patchmanagement/secmod193.mspx
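The update terminology and the patch-management requirements above are easiest to see together in a small model. The following is an added example, not code from the textbook or from any vendor’s product: a constructed update catalog in which service packs supersede earlier patches and hotfixes, a constructed fleet divided into groups, and the reporting logic that works out what each computer still lacks. All identifiers (SP1, P102, H105, the host names) are made up. The one piece of reasoning worth noticing is that a computer can be “missing” a service pack without missing any security content, because it already has the superseded security patches individually.

```python
"""Patch-management model: which updates does each computer still need, once
service-pack supersedence is taken into account, and which of those are
security-relevant?

Added example, not code from the textbook; the update catalog, the
identifiers (SP1, P102, ...) and the fleet are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    uid: str                              # identifier, constructed
    kind: str                             # "service_pack", "patch" or "hotfix"
    security: bool = False                # does it fix a security flaw?
    supersedes: frozenset = frozenset()   # updates it contains


CATALOG = {u.uid: u for u in [
    Update("H101", "hotfix"),                     # specific non-security problem
    Update("P102", "patch", security=True),
    Update("P103", "patch", security=True),
    Update("SP1", "service_pack", supersedes=frozenset({"H101", "P102"})),
    Update("SP2", "service_pack", supersedes=frozenset({"SP1", "P103"})),
    Update("P104", "patch", security=True),      # released after SP2
    Update("H105", "hotfix"),
]}


def closure(ids, catalog):
    """Everything contained in `ids`, following supersedence transitively:
    a host with SP2 effectively has SP1, H101, P102 and P103 as well."""
    seen, stack = set(), list(ids)
    while stack:
        uid = stack.pop()
        if uid in seen or uid not in catalog:
            continue
        seen.add(uid)
        stack.extend(catalog[uid].supersedes)
    return seen


def current_baseline(catalog):
    """Updates not superseded by any other: the set a fully patched host needs."""
    superseded = set()
    for u in catalog.values():
        superseded |= closure(u.supersedes, catalog)
    return {uid for uid in catalog if uid not in superseded}


def missing_for(installed, catalog):
    """Return (missing, urgent): baseline updates the host lacks, and the
    subset that would bring in a security fix the host does not already
    have through something else it installed."""
    have = closure(installed, catalog)
    missing = sorted(current_baseline(catalog) - have)
    urgent = sorted(m for m in missing
                    if any(catalog[x].security and x not in have
                           for x in closure({m}, catalog)))
    return missing, urgent


def report(fleet, catalog):
    """fleet: {group: {computer: set(installed ids)}} -> per-group findings.
    Grouping is what lets one decision ("web servers get P104 tonight")
    be applied and tracked across many machines at once."""
    return {group: {host: dict(zip(("missing", "urgent"),
                                   missing_for(installed, catalog)))
                    for host, installed in hosts.items()}
            for group, hosts in fleet.items()}


# Constructed fleet: two web servers and one desktop.
FLEET = {
    "web": {"ws1": {"SP2", "P104", "H105"}, "ws2": {"SP1", "P103"}},
    "desktops": {"d1": set()},
}

if __name__ == "__main__":
    for group, hosts in report(FLEET, CATALOG).items():
        for host, r in hosts.items():
            print(group, host, "missing", r["missing"], "urgent", r["urgent"])
```

In this model ws2 is behind on SP2 but not exposed to anything SP2 fixes, while the unpatched desktop needs both SP2 and P104 urgently; a reporting system that only counts missing identifiers would rank those two machines the same.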
Securing the File System
Another means of hardening an operating system is to restrict user access
Generally, users can be assigned permissions to access folders (also called directories) and the files contained within them; grant only the permissions a user’s job requires, and assign them to groups rather than to individual users so that they can be reviewed and revoked consistently
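Folder and file permissions on Windows are evaluated from a discretionary access control list (DACL), and the result depends on the order of its entries. The following is an added example, not code from the textbook: it implements the access check as the OS performs it (entries evaluated in order, allow entries accumulate rights, a deny entry that hits a still-ungranted right ends the check) and the canonical ordering that makes an explicit deny beat an inherited allow. The folder, groups and entries are constructed.

```python
"""Effective-access check with Windows DACL semantics: ACEs are evaluated in
order, an allow ACE grants rights, and a deny ACE that hits a still-ungranted
requested right ends the check with access denied. In canonical order
(explicit deny, explicit allow, inherited deny, inherited allow) an explicit
deny therefore always beats an inherited allow.

Added example, not code from the textbook; the folder, groups and ACEs
are constructed.
"""
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Ace:
    allow: bool               # True = access-allowed ACE, False = access-denied ACE
    trustee: str              # user or group the ACE applies to
    mask: int                 # rights bit mask
    inherited: bool = False   # inherited from the parent folder?


def canonical(dacl):
    """Canonical ACE order, the order Explorer and icacls maintain."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl, principals, requested):
    """principals: the user's own name plus every group it belongs to.
    Returns True only if every requested right is granted before a deny ACE
    intercepts one of the rights still outstanding."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in principals:
            continue
        if ace.allow:
            granted |= ace.mask & requested
        elif ace.mask & requested & ~granted:
            return False                   # denied a right not yet granted
        if granted & requested == requested:
            return True
    return False                           # nothing granted everything: implicit deny


# Constructed DACL for a hypothetical folder D:\Finance, as stored (not yet in
# canonical order): read for Everyone inherited from D:\, read/write for the
# Finance group, and an explicit deny of write for Interns.
FINANCE_DACL = [
    Ace(True, "Everyone", READ, inherited=True),
    Ace(True, "Finance", READ | WRITE),
    Ace(False, "Interns", WRITE),
]

ALICE = {"alice", "Finance", "Everyone"}          # full-time analyst
BOB = {"bob", "Finance", "Interns", "Everyone"}   # intern placed in Finance
CAROL = {"carol", "Everyone"}                     # not in Finance


def effective(dacl, principals, requested):
    """The check as the OS performs it: on a canonically ordered DACL."""
    return access_check(canonical(dacl), principals, requested)


if __name__ == "__main__":
    for who, p in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        print(who, "read:", effective(FINANCE_DACL, p, READ),
              "write:", effective(FINANCE_DACL, p, WRITE))
```

The same DACL evaluated in its stored (non-canonical) order lets bob write, because the Finance allow entry is reached before the Interns deny; that is why tools that edit permissions keep entries canonical, and why a DACL written by a script should be checked for order.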
Securing the File System
Microsoft Windows provides a centralized method of defining security settings through the Microsoft Management Console (MMC), a Windows utility that accepts additional components (snap-ins)
A security template groups security settings (account policies, audit policies, registry and file-system permissions, service startup types) in a single file; once you have organized your settings in a template, you can import it into a Group Policy object (GPO) to apply the same settings to a group of computers
Securing the File System
Group Policy settings: the components of a user’s desktop environment (and of the computer’s configuration) that a network system administrator needs to manage
A local Group Policy setting cannot override a global setting applied to all computers (a domain-based setting): policy is applied in the order local, site, domain, organizational unit, and a setting applied later wins, so domain and OU settings take precedence over local ones
Windows stores settings for the computer’s hardware and software in a database (the registry); many Group Policy settings are ultimately registry values
Hardening Applications
Just as you must harden operating systems, you must also harden the applications that run on those systems
Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system (think of Microsoft Office)
Hardening Servers (continued)
A mail server is used to send and receive electronic messages
In a normal setting, a mail server serves one organization or set of users
Legitimate mail therefore flows in two directions only: outbound, sent through the server by a trusted (local) user, or inbound, received from an outsider and addressed to a trusted user
Hardening Servers (continued)
In an open mail relay, a mail server processes (relays) e-mail messages that were neither sent by a local user nor addressed to a local user; spammers use such servers to send bulk mail that appears to come from the relaying organization, and open relays quickly end up on blocklists that cause the organization’s own mail to be rejected. Relaying should be allowed only for authenticated users or for clients on the internal network, never on the strength of the sender address alone
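The relay decision is a small policy function, and the difference between a hardened server and an open relay is which session facts it consults. The following is an added example, not code from the textbook or from any mail server: it shows the hardened rule (accept inbound mail for local domains, accept outbound only from authenticated clients or trusted networks) beside the weak rule that trusts the MAIL FROM domain, which an attacker simply forges. Domains, networks and sessions are constructed; 192.0.2.0/24 and 203.0.113.0/24 are the documentation address ranges, and the reply text is modelled on typical server responses.

```python
"""Mail relay policy: accept a message only if it is inbound to a local
recipient or outbound from a client we can vouch for (authenticated or on a
trusted network). A server that instead trusts the MAIL FROM domain is an
open relay, because the sender address is trivially forged.

Added example, not code from the textbook; the domains, networks and
sessions are constructed (192.0.2.0/24 and 203.0.113.0/24 are the
documentation address ranges).
"""
import ipaddress

LOCAL_DOMAINS = {"example.com"}                        # domains we deliver for
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # the hypothetical LAN


def domain_of(address):
    return address.rpartition("@")[2].lower()


def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Return (accept, reason) for one RCPT TO, given the session state."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "inbound: recipient is local"
    if authenticated:
        return True, "outbound: sender authenticated (SMTP AUTH)"
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in TRUSTED_NETS):
        return True, "outbound: client on trusted network"
    # mail_from is deliberately never consulted for the relay decision.
    return False, "554 5.7.1 Relay access denied"


def open_relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """The weak rule many early mail servers used: relay if either side of
    the message 'looks local'. The sender side is attacker-controlled."""
    return (domain_of(rcpt_to) in LOCAL_DOMAINS
            or domain_of(mail_from) in LOCAL_DOMAINS)


# Constructed SMTP sessions: (client IP, authenticated?, MAIL FROM, RCPT TO)
SESSIONS = {
    "inbound":    ("203.0.113.9", False, "news@other.org", "bob@example.com"),
    "spoofed":    ("203.0.113.9", False, "alice@example.com", "victim@other.org"),
    "lan":        ("192.0.2.15", False, "alice@example.com", "victim@other.org"),
    "roaming":    ("203.0.113.9", True, "alice@example.com", "victim@other.org"),
    "thirdparty": ("203.0.113.9", False, "x@other.org", "y@another.net"),
}

if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"{name:10} hardened={relay_decision(*session)} "
              f"open_relay={open_relay_decision(*session)}")
```

The "spoofed" session is the one that separates the two policies: an outside client claiming a local sender is refused by the hardened rule and relayed by the weak one. Testing a server for this is a matter of connecting to port 25 from outside and issuing a MAIL FROM/RCPT TO pair in which neither address is local; the server should answer with a relay-denied reply.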
A File Transfer Protocol (FTP) server is used to store and access files through the Internet
Typically used to accommodate users who want to download or upload files
Hardening Servers
Harden servers to prevent attackers from breaking through the software
Web server delivers text, graphics, animation, audio, and video to Internet users around the world
Refer to the steps on page 115 to harden a Web server
Hardening Servers (continued)
FTP servers can be set to accept anonymous logons; disable anonymous access unless it is deliberately required and, where it is, confine it to a read-only directory. Note also that FTP sends user names and passwords in cleartext
A Domain Name Service (DNS) server resolves host names to IP addresses, which is what lets ordinary users reach Internet services by name
DNS servers keep each other current by transmitting a complete copy of a zone, all the host names and IP addresses it contains, from the primary server to its secondaries (a zone transfer); a server that answers zone-transfer requests from anyone hands an attacker a full map of the network, so restrict zone transfers to the addresses of authorized secondary servers
Hardening Networks
Two-fold process for keeping a network secure:
Secure the network devices with the necessary updates (firmware)
Properly configure the network devices
Security Configuration Wizard
Windows Server 2003 Security Guide
Firmware Updates
RAM is volatile: interrupting the power source causes RAM to lose its entire contents
Read-only memory (ROM) is different from RAM in two ways:
Contents of ROM are fixed
ROM is nonvolatile: removing the power source does not erase its contents
Firmware Updates (continued)
Firmware is software stored in nonvolatile memory: mask ROM, Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), or flash memory (a form of EEPROM)
EPROM is erased by exposing the chip to ultraviolet light; the contents of EEPROM and flash chips can be erased and rewritten using electrical signals applied to specific pins, which is why most devices today store their firmware in flash and can be updated in place (“flashed”)
Firmware Updates (continued)
To update a network device, copy a new version of the operating system image to the device’s flash memory
This can be done from a TFTP server or with a compact flash reader/writer; on a Cisco router, for example: Router# copy tftp flash:
Keeping the firmware current removes known, already-fixed bugs in the device OS that an attacker could otherwise exploit; it does not make the device immune to bugs not yet found. Obtain images only from the vendor and check the image’s published hash before booting from it (on Cisco IOS, verify /md5 flash:<image-file> computes the hash of the stored file for comparison with the vendor’s value)
Network Configuration
You must properly configure network equipment to resist attacks
The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network
In addition to making sure the perimeter is secure, make sure the device itself is secure: use strong passwords and encrypted management connections, that is, SSH instead of Telnet (which sends credentials in cleartext), and set passwords on the console and vty (virtual terminal) lines
Configuring Packet Filtering
The Transmission Control Protocol (TCP) provides connection-oriented transfer; the User Datagram Protocol (UDP) provides connectionless transfer within the TCP/IP suite
TCP and UDP both identify services by port number
Socket: combination of an IP address and a port number
The IP address is separated from the port number by a colon, as in 198.146.118.20:80
Network Configuration
Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
Rules are composed of several settings (listed on pages 122 and 123 of the text)
Observe the basic guidelines on page 124 of the text when creating rules
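A rule base is an ordered list with first-match semantics and an implicit deny at the end, so the guidelines about rule order matter more than any single rule. The following is an added example, not code from the textbook or from any firewall product: a small evaluator that parses sockets in the chapter’s IP:port notation, applies an ordered rule base to sample packets, and detects rules that an earlier, broader rule shadows (a rule that can never fire). The addresses, rules and packets are constructed; 198.146.118.0/24 follows the chapter’s socket example and 203.0.113.0/24 is a documentation range.

```python
"""Packet-filter rule base: ordered rules with first-match semantics and an
implicit deny at the end, plus a check for rules that an earlier, broader
rule shadows (a classic rule-ordering mistake).

Added example, not code from the textbook; the addresses, rules and sample
packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "any"
    src: str        # source network in CIDR notation, or "any"
    dst: str        # destination network in CIDR notation, or "any"
    dport: object   # destination port: int, (low, high) tuple, or "any"
    comment: str = ""


def parse_socket(sock):
    """'198.146.118.20:80' -> (IPv4Address('198.146.118.20'), 80)"""
    host, _, port = sock.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def _port_range(spec):
    return spec if isinstance(spec, tuple) else (spec, spec)


def _net_match(cidr, ip):
    return cidr == "any" or ip in ipaddress.ip_network(cidr)


def _port_match(spec, port):
    if spec == "any":
        return True
    low, high = _port_range(spec)
    return low <= port <= high


def evaluate(rules, proto, src_sock, dst_sock):
    """Return (action, index of the matching rule). First match wins; a
    packet no rule matches hits the implicit deny (index None)."""
    src_ip, _ = parse_socket(src_sock)
    dst_ip, dport = parse_socket(dst_sock)
    for i, r in enumerate(rules):
        if r.proto not in ("any", proto):
            continue
        if not (_net_match(r.src, src_ip) and _net_match(r.dst, dst_ip)):
            continue
        if not _port_match(r.dport, dport):
            continue
        return r.action, i
    return "deny", None


def _covers(a, b):
    """True if every packet rule b would match is already matched by rule a."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    for net_a, net_b in ((a.src, b.src), (a.dst, b.dst)):
        if net_a == "any":
            continue
        if net_b == "any" or not ipaddress.ip_network(net_b).subnet_of(
                ipaddress.ip_network(net_a)):
            return False
    if a.dport == "any":
        return True
    if b.dport == "any":
        return False
    (lo_a, hi_a), (lo_b, hi_b) = _port_range(a.dport), _port_range(b.dport)
    return lo_a <= lo_b and hi_b <= hi_a


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(_covers(rules[j], r) for j in range(i))]


# Constructed inbound perimeter rule base: inside network 198.146.118.0/24,
# web server .20, DNS server .10. Specific rules come before general ones,
# and packets from outside claiming an inside source are dropped first.
PERIMETER = [
    Rule("deny", "any", "198.146.118.0/24", "any", "any", "anti-spoofing"),
    Rule("permit", "tcp", "any", "198.146.118.20/32", 80, "HTTP to web server"),
    Rule("permit", "tcp", "any", "198.146.118.20/32", 443, "HTTPS to web server"),
    Rule("permit", "udp", "any", "198.146.118.10/32", 53, "DNS queries"),
    Rule("deny", "any", "any", "any", "any", "explicit final deny, logged"),
]

# Misordered rule base: the broad permit makes the telnet deny unreachable.
MISORDERED = [
    Rule("permit", "tcp", "any", "198.146.118.0/24", "any", "too broad"),
    Rule("deny", "tcp", "any", "198.146.118.20/32", 23, "never matches"),
]

if __name__ == "__main__":
    print(evaluate(PERIMETER, "tcp", "203.0.113.5:40000", "198.146.118.20:23"))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

The explicit final deny duplicates the implicit one on purpose: it gives the device a rule to log hits against, which the implicit deny on most platforms does not. Running `shadowed` over a rule base before deploying it catches the ordering mistake in MISORDERED, where the telnet deny is unreachable and telnet to the web server is in fact permitted.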
Summary
Establishing a security baseline creates a basis for information security
Hardening the operating system involves applying the necessary updates to the software
Securing the file system is another step in hardening a system
Summary (continued)
Applications and operating systems must be hardened by installing the latest patches and updates
Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks