Information Resource Guide: Computer, Internet and Network Systems Security
Compiled By:
S.K.PARMAR, Cst
N.Cowichan Duncan RCMP Det
6060 Canada Ave., Duncan, BC
250-748-5522
This publication is for informational purposes only. In no way should this publication be interpreted as offering legal or accounting advice. If legal or other professional advice is needed, you are encouraged to seek it from the appropriate source. All product and company names mentioned in this manual are the [registered] trademarks of their respective owners. The mention of a product or company does not in itself constitute an endorsement.
The articles, documents, publications, presentations, and white papers referenced and used to compile this manual are copyright protected by their original authors. Please give credit where it is due and obtain permission before using them. All material contained herein has been used with permission from the original author(s) or their representing agent/organization.
Table of Contents
1.1 Basic Internet Technical Details
1.1.2 UDP: User Datagram Protocol
1.1.3 Internet Addressing
1.1.4 Types of Connections and Connectors
1.1.5 Routing
1.2 Internet Applications and Protocols
1.2.1 ARCHIE
1.2.2 DNS Domain Name System
1.2.3 E-mail Electronic Mail
1.2.4 SMTP Simple Mail Transport Protocol
1.2.5 PEM Privacy Enhanced Mail
1.2.6 Entrust and Entrust-Lite
1.2.7 PGP Pretty Good Privacy
1.2.8 RIPEM Riordan's Internet Privacy-Enhanced Mail
1.2.9 MIME Multipurpose Internet Mail Extensions
1.3 File Systems
1.3.1 AFS Andrew File System
1.3.2 NFS Network File System
1.3.3 FTP File Transfer Protocol
1.3.4 GOPHER
1.3.5 ICMP Internet Control Message Protocol
1.3.6 LPD Line Printer Daemon
1.3.7 NNTP Network News Transfer Protocol
1.3.8 News Readers
1.3.9 NIS Network Information Services
1.3.10 RPC Remote Procedure Call
1.3.11 R-utils (rlogin, rcp, rsh)
1.3.12 SNMP Simple Network Management Protocol
1.3.13 TELNET
1.3.14 TFTP Trivial File Transfer Protocol
1.3.15 Motif
1.3.16 Openwindows
1.3.17 Winsock
1.3.18 Windows X11
1.3.19 WAIS Wide Area Information Servers
1.3.20 WWW World Wide Web
1.3.21 HTTP HyperText Transfer Protocol
2.1 Security Policy
2.1.1 Definition of a Security Policy
2.1.2 Purposes of a Security Policy
2.1.3 Who Should be Involved When Forming Policy?
2.1.4 What Makes a Good Security Policy?
2.1.5 Keeping the Policy Flexible
2.2.1 Inappropriate Access to LAN Resources
2.2.2 Spoofing of LAN Traffic
2.2.3 Disruption of LAN Functions
2.2.4 Common Threats
2.2.4.0 Errors and Omissions
2.2.4.1 Fraud and Theft
2.2.4.2 Disgruntled Employees
2.2.4.3 Physical and Infrastructure
2.2.4.4 Malicious Hackers
2.2.4.5 Industrial Espionage
2.2.4.6 Malicious Code
2.2.4.7 Malicious Software: Terms
2.2.4.8 Foreign Government Espionage
2.3.1 Access Control
2.3.2 Data and Message Confidentiality
2.3.3 Data and Message Integrity
2.3.4 Non-repudiation
2.3.5 Logging and Monitoring
2.4.0.1 Deny all/ Allow all
2.4.1 Protecting Services
2.4.1.0 Name Servers (DNS and NIS(+))
2.4.1.1 Password/Key Servers (NIS(+) and KDC)
2.4.1.2 Authentication/Proxy Servers (SOCKS, FWTK)
2.4.1.3 Electronic Mail
2.4.1.4 World Wide Web (WWW)
2.4.1.5 File Transfer (FTP, TFTP)
2.4.1.6 NFS
2.4.2 Protecting the Protection
2.5.2 Collection Process
2.5.3 Collection Load
2.5.4 Handling and Preserving Audit Data
2.5.5 Legal Considerations
2.5.6 Securing Backups
2.6.1 Notification and Points of Contact
2.6.2 Law Enforcement and Investigative Agencies
2.6.3 Internal Communications
2.6.4 Public Relations - Press Releases
2.6.5 Identifying an Incident
2.6.5.1 Is it real?
2.6.6 Types and Scope of Incidents
2.6.7 Assessing the Damage and Extent
2.6.8 Handling an Incident
2.6.9 Protecting Evidence and Activity Logs
2.6.10 Containment
2.6.11 Eradication
2.6.12 Recovery
2.6.13 Follow-Up
2.6.14 Aftermath of an Incident
2.7.1 Assurance
2.7.2 Detection
2.7.3 Investigation
2.8.1 Dial-in Users Must Be Authenticated
2.8.2 Call-back Capability
2.8.3 All Logins Should Be Logged
2.8.4 Choose Your Opening Banner Carefully
2.8.5 Dial-out Authentication
2.8.6 Make Your Modem Programming as "Bullet-proof" as Possible
2.9.1 Tactical and Strategic Issues in Selecting a MODEM Connection Solution
2.9.2 Background on User Access Methods and Security
2.9.3 Session Tracking and User Accounting Issues
2.9.4 Description of Proposed Solution to Dial-Up Problem
2.9.5 Dissimilar Connection Protocols Support
2.9.6 Encryption/Decryption Facilities
2.9.7 Asynchronous Protocol Facilities
2.9.8 Report Item Prioritization
2.9.9 User Profile "Learning" Facility
2.10.0.0 Basic levels of network access:
2.10.1 Auditing the Process
2.10.2 Evaluating your security policy
2.12 Access
2.12.1 Walk-up Network Connections
2.13.1 Areas of Vulnerability and Safeguards
2.13.1.0 PERIMETER SECURITY
2.13.1.1 SECURITY INSIDE THE FACILITY
2.13.2 Physical Security Devices
2.13.2.0 Examples of Safeguards
2.13.3 Strategies to Minimize Computer Theft
2.13.3.0 APPOINTMENT OF SECURITY PERSONNEL
2.13.3.1 MASTER KEY SYSTEM
2.13.3.2 TARGET HARDENING
2.13.4 PERSONNEL RECOGNITION SYSTEM
2.13.4.0 Minimizing Vulnerabilities Through Personnel Recognition
2.13.5 SECURITY AWARENESS PROGRAM
2.13.5.0 Policy Requirements
2.13.5.1 Security Awareness Safeguards
2.13.6 Conclusion
2.14.1 Fire Safety Factors
2.14.2 Failure of Supporting Utilities
2.14.3 Structural Collapse
2.14.4 Plumbing Leaks
2.14.5 Interception of Data
2.14.6 Mobile and Portable Systems
2.14.7 Approach to Implementation
2.14.8 Interdependencies
2.14.9 Cost Considerations
2.15.1 The Red Book
2.15.2 Summary
3.1 Introduction
3.1.0.1 Passwords
3.1.0.2 Cryptographic Keys
3.1.1 I&A Based on Something the User Possesses
3.1.1.0 Memory Tokens
3.1.1.1 Smart Tokens
3.1.2 I&A Based on Something the User Is
3.1.3 Implementing I&A Systems
3.1.3.0 Administration
3.1.3.1 Maintaining Authentication
3.1.3.2 Single Log-in
3.1.3.3 Interdependencies
3.1.3.4 Cost Considerations
3.1.4 Authentication
3.1.4.0 One-Time Passwords
3.1.4.1 Kerberos
3.1.4.2 Choosing and Protecting Secret Tokens and PINs
3.1.4.3 Password Assurance
3.1.4.4 Confidentiality
3.1.4.5 Integrity
3.1.4.6 Authorization
4.1 The 7 Processes
4.1.0.1 Process 2 - Identify and Value Assets
4.1.0.2 Process 3 - Identify Threats and Determine Likelihood
4.1.0.3 Process 4 - Measure Risk
4.1.0.4 Process 5 - Select Appropriate Safeguards
4.1.0.5 Process 6 - Implement And Test Safeguards
4.1.0.6 Process 7 - Accept Residual Risk
4.2.2 Process
4.2.2.0 Preparation
4.2.2.1 Threat Assessment
4.2.2.2 Risk Assessment
4.2.2.3 Recommendations
4.2.3 Updates
4.2.4 Advice and Guidance
4.2.5 Glossary of Terms
5.1 Introduction
5.2 Firewall Security and Concepts
5.2.0.0 Network Policy
5.2.0.1 Service Access Policy
5.2.0.2 Firewall Design Policy
5.2.1 Advanced Authentication
5.3.1 Problems with Packet Filtering Routers
5.3.1.0 Application Gateways
5.3.1.1 Circuit-Level Gateways
5.4.2 Screened Host
5.4.3 Screened Subnet
5.5.1 Application Gateways
5.5.2 Hybrid or Complex Gateways
5.5.3 Firewall Issues
5.5.3.0 Authentication
5.5.3.1 Routing Versus Forwarding
5.5.3.2 Source Routing
5.5.3.3 IP Spoofing
5.5.3.4 Password Sniffing
5.5.3.5 DNS and Mail Resolution
5.5.4.1 Remote Firewall Administration
5.5.4.2 User Accounts
5.5.4.3 Firewall Backup
5.5.4.4 System Integrity
5.5.4.5 Documentation
5.5.4.6 Physical Firewall Security
5.5.4.7 Firewall Incident Handling
5.5.4.8 Restoration of Services
5.5.4.9 Upgrading the Firewall
5.5.4.10 Logs and Audit Trails
5.5.4.11 Revision/Update of Firewall Policy
5.5.4.12 Example General Policies
5.5.4.12.0 Low-Risk Environment Policies
5.5.4.12.1 Medium-Risk Environment Policies
5.5.4.12.2 High-Risk Environment Policies
5.5.4.13 Firewall Concerns: Management
5.5.4.14 Service Policies Examples
5.5.5.1 Advantages and Disadvantages of Dedicated Firewall Systems
5.5.5.2 Are Dedicated Firewalls A Good Idea?
5.5.5.3 Layered Approach to Network Security - How To Do It
5.5.5.4 Improving Network Security in Layers - From Inside to Outside
5.5.5.5 Operating Systems and Network Software - Implementing Client and Server Security
5.5.5.6 Operating System Attacks From the Network Resource(s) - More Protocols Are The Norm - and They Are Not Just IP
5.5.5.7 Client Attacks - A New Threat
5.5.5.8 Telecommuting Client Security Problems - Coming to Your Company Soon
5.5.5.9 Compromising Network Traffic - On LANs and Cable Television It's Easy
5.5.5.10 Encryption is Not Enough - Firewall Services Are Needed As Well
5.5.5.11 Multiprotocol Security Requirements are the Norm - Not the Exception. Even for Singular Protocol Suites...
5.5.5.12 Protecting Clients and Servers on Multiprotocol Networks - How to Do It
5.5.5.13 New Firewall Concepts - Firewalls with One Network Connection
6.1 Cryptosystems
6.1.1 Symmetric (Private) Methodology
6.1.2 Asymmetric (Public) Methodology
6.1.3 Key Distribution
6.1.4 Encryption Ciphers or Algorithms
6.1.5 Symmetric Algorithms
6.1.6 Asymmetric Algorithms
6.1.7 Hash Functions
6.1.8 Authentication Mechanisms
6.1.9 Digital Signatures and Time Stamps
7.1 What Is a Virus?
7.1.1 Additional Virus Classifications
7.2.1 Macro Viruses: How They Work
7.2.2 Detecting Macro Viruses
7.3.1 Trojan Horses
7.3.2 Logic Bombs
7.3.3 Computer Viruses
7.3.4 Anti-Virus Technologies
7.4.1 Anti-Virus Implementation Questions
7.4.2 More Virus Prevention Tips
7.4.3 Evaluating Anti-Virus Vendors
7.4.4 Primary Vendor Criteria
8.1 Making Sense of Virtual Private Networks
8.2 Defining the Different Aspects of Virtual Private Networking
8.2.1 Remote Access VPNs
8.2.2 Extranet VPNs
8.4 Understanding VPN Protocols
8.4.1 PPTP/L2TP
8.4.2 IPSec
9.0 Windows NT Network Security
9.1 NT Security Mechanisms
9.2 NT Terminology
9.2.1 NT Server vs NT Workstation
9.2.2 Workgroups
9.2.3 Domains
9.2.4 NT Registry
9.2.5 C2 Security
9.3.1 SAM: Security Account Manager
9.3.2 SRM: Security Reference Monitor
9.7 Access Control
9.8 Managing NT File Systems
9.8.1 NTFS File System
9.10 Monitoring System Activities
10.1 Displaying the Users Logged in to Your System
10.1.1 The "finger" Command
10.1.2 The "who" Command
10.2.1 The "crash" Command
10.3.1 The "lastcomm" Command
10.3.2 The /var/log/syslog File
10.3.3 The /var/adm/messages File
10.3.4 The "netstat" Command
10.6 Examining System Logs
10.7 Inspecting Log Files
Appendix A: How Most Firewalls are Configured
Appendix B: Basic Cost Factors of Firewall Ownership
Appendix C: Glossary of Firewall Related Terms
Appendix D: Top 10 Security Threats
Appendix E: Types of Attacks
Appendix F: Top 10 Security Precautions
Appendix G: Virus Glossary
Appendix H: Network Terms Glossary
Foreword
This manual is an effort to assist law enforcement agencies and other computer crime investigators by providing a resource guide compiled from the vast pool of information on the Internet. It is not intended to replace any formal training or education; it should be used as a supplemental reference guide. It was not my intention to compile this manual to provide a specific solution for investigators. It is intended to give a general overview that will assist in developing a solution. That solution does not have to be hardware- or software-based; today, policy-based protection can also be incorporated into hardware and software systems.
I would like to thank all the authors and organizations that have provided me with materials to compile this manual. Some of the material contained in this manual was part of a larger document. It is strongly recommended that anyone interested in learning more about a particular topic find those documents on the Internet and read them.
A very special thanks to:
Dr. Bill Hancock, Network-1 Security Solutions, Inc. (hancock@network-1.com),
who played an active role in the modeling of this manual.
Finally, please respect the copyrights of the original authors and organizations and give them credit for their work.
Any questions or concerns can be directed to me c/o
RCMP Duncan Detachment
6060 Canada Ave., Duncan, BC
CANADA V9L 1V3
ATTN: Cst. S.K. PARMAR
Telephone number 250-748-5522
Email: sunny@seaside.net
SUNNY