In Table 4-9, file system checking is listed as detecting both web application and buffer overflow attacks (the two elements of the application manipulation subclass). How does it do this?

This is a case in which the categories don't fit quite perfectly. Remember from Chapter 3 that the attacks selected under application manipulation were just examples of a whole range of attacks. Because file system checking detects the modification of applications, it certainly can stop application manipulation in certain forms. Even though the two sample attacks listed can be stopped by file system checking (if the attack relies on first inserting the vulnerability into the application), file system checking is more geared toward detecting modified files and applications in general, which is not a listed attack element under application manipulation.

If you usually use OTP through TACACS+ when authenticating administrators to network devices, how would you deal with an automated script that checks configurations or upgraded software images?

Because OTP requires the operator to manually enter a password, it is unsuitable for automated scripting. Instead, a reusable password is required and is sent, hopefully, over a secure medium such as SSH. This should be an appropriately random and long password that is impossible to brute force in a short period of time. Although these passwords should be changed often, if an insecure medium is used for the scripts (such as Telnet), the passwords should be changed very frequently. Thankfully, when using TACACS+ or RADIUS, a password can be changed in a single location that affects the authentication method for hundreds of devices.

When might SSL be used instead of IPsec for a VPN deployment?

Using session layer crypto for a VPN has a few disadvantages, as discussed in this chapter. The biggest disadvantage is a lack of robust application support. If, however, your only goal is to provide internal web access and e-mail, SSL could be a fine alternative or addition to IPsec. IPsec could be used on company assets, providing robust application support. SSL could be used on employee home machines or public Internet terminals if limited access is all that is necessary.

If you don't need the level of user control that proxy servers offer for all your users, what kinds of users still might benefit from the technology?

You might consider this level of control for several locations in your network, even if most users don't need it. Here are two examples:

• Guest machines are often used in public areas of a company. Contractors, customers, and other guests all might need to access the Internet at some time. This could also occur over a wireless LAN. Providing these users access to a limited set of protocols by proxy servers could be a good solution.
• Lab or test networks within your organization can have nonstandard applications that might not always be patched. This makes them more vulnerable to automated attacks. To prevent these systems from attacking hosts outside your network, forcing deliberate configuration of a proxy server on the part of the lab user will stop most of these attacks. For example, nonstandard systems were a huge source of attacks when Code Red hit. If these nonstandard systems were blocked from accessing the Internet directly and were forced to go through a proxy, much of the propagation of Code Red could have been stopped.

Besides running AV software, what else is equally important in stopping the spread of viruses?

User education is very important in stopping the spread of viruses. Teach your users not to open attachments without carefully considering the likelihood of whether the file is a virus, Trojan horse, or worm. The configuration of mail clients matters as well. New attacks target popular e-mail clients and execute attacks without requiring the user to open an attachment.

Find at least three places in this chapter where you disagree with the rating values I've assigned to security technology. Consider building the included tables yourself and assigning your own values. Did the overall score of any technology significantly change? Did the top technology in any category change?