Lesson 1: Network Device and Operating System Hardening

Network device and operating system exploits are common and numerous. From a security standpoint, maintaining secure configurations, updating devices and operating systems, and monitoring for alerts is a continuous process. Many security professionals say that there is no such thing as a device or operating system that is 100 percent secure. If you don't already agree with that statement, you probably will after reading this book. However, you do already know that there are many steps that you can take to increase the security of your network and the devices that are part of it. In this section, you learn steps you can take to secure and maintain the security of your network devices and operating systems.


After this lesson, you will be able to

  • Explain the importance of applying network device, operating system, and application updates

  • Verify the integrity of security updates

  • Locate and download security baseline information for various platforms

  • Locate sources for security vulnerability alerts

Estimated lesson time: 60 minutes


There are many specific recommendations and guidelines available for a variety of operating systems. You can review and download security baseline information and related software tools from the following sources:

  • Computer Emergency Response Team (CERT) Web site at http://www.cert.org/tech_tips

  • CIS Web site at http://www.cisecurity.com

  • United States National Security Agency (NSA) Web site at http://www.nsa.gov (see Security Recommendation Guides)

  • National Information Assurance Partnership (NIAP) Web site at http://niap.nist.gov

  • Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST) Web site at http://csrc.nist.gov

  • National Computer Security Center (NCSC) Trusted Product Evaluation Program (TPEP) at http://www.radium.ncsc.mil/tpep

  • Microsoft Web site at http://www.microsoft.com/technet/security/tools/Tools

Network Device Updates

The processing logic of network devices such as routers, switches, and firewalls is typically maintained through firmware updates, programs that update the current processing logic (or operating system) of the device. Manufacturers often produce firmware updates to correct security issues.

Basic input/output systems (BIOS) updates are also frequently available for a variety of computer hardware. Although many BIOS updates are aimed at increasing hardware support, some BIOS updates might be related to security issues.

To protect your network devices, be sure to monitor communications from the vendors of those devices for information on new security patches. You should also monitor security newsletters and alerts for information on new exploits. The CERT is probably the most well-known security alert system. In addition, CERT publishes a list of other information sources on its Web site at http://www.cert.org/other_sources.

Different vulnerability reporting services use different names and codes for the vulnerabilities they discover. For example, the CERT alert codes differ from the alert codes produced by the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC). To help coordinate the naming and coding of security alerts, NIST recommends the use of the Common Vulnerabilities and Exposures (CVE) naming format. You can learn more about CVE from http://cve.mitre.org or by reviewing NIST Special Publication 800-51. (NIST publications can be found at http://www.csrc.nist.gov/publications.)

Verifying Updates

Before you install a security update, you should verify that it is authentic and not corrupted. Verification usually involves checking a digital signature or checksum to confirm the authenticity of the patch. A checksum (or hash) is a computation applied to a file that results in a string that can be used to check the integrity of a downloaded file. Figure 8-1 illustrates an example of an MD5 (Message Digest 5) checksum. Three files, all named Code.txt, exist in three different directories, test1, test2, and test3, as shown in the directory listing. All the files have the same date, time, file size, and name. However, they do not all have the same MD5 hash value, because they are not all the same. The Code.txt file in the test2 directory differs from the other two, as the hash values printed by the MD5 command show.

Figure 8-1. MD5 signature verification

Pretty Good Privacy (PGP) can also be used to verify file downloads. Figure 8-2 illustrates signature verification with PGP. The first Code.txt file was modified after the signature file was created and therefore shows up as a bad signature. The second file in the list is intact and therefore shows up with a proper time and date.

Figure 8-2. PGP signature verification

If an attacker compromises a vendor Web site, the attacker could feasibly post a Trojan horse in place of a security patch. Many vendors now digitally sign or compute a hash value for security updates, so that you can ensure the update's integrity. Be sure to check that signature or security hash before you install security updates.

Maintaining an Archive of Updates

No matter how you receive updates for your applications, network devices, and operating systems, you should consider building an archive of update files. Maintain all of the updates that you must apply for each type of software and hardware your organization uses. This allows you to quickly reapply updates when new systems are brought in or existing systems require reinstallation.

Testing Updates

Always test updates on nonproduction systems, if possible. This allows you to determine if the update performs properly before you load it onto your production devices, because software vendors can rarely guarantee that updates won't break other applications that you might be using on a production computer. If you don't have a test system for trying out patches, make sure you have an action plan for restoring your production systems if the security patch causes a problem.

Applying Updates

After you verify and test updates, apply them as soon as possible. The actual process for applying firmware updates varies depending on the product and vendor, but typically it is not much more involved than downloading and running a file from the vendor's Web site.

If an exploit is discovered and an update is not available, you might have to follow a workaround. For example, if an exploit for Dynamic Host Configuration Protocol (DHCP) is discovered on a router that supports DHCP, you might consider disabling DHCP on the router and enabling it on a device that doesn't have the same vulnerability. Once the security patch is available, you can decide whether you want to return to the original configuration.

Operating System and Application Updates

The SANS Institute has created a list of the top 20 security exploits (http://www.sans.org/top20.htm). The list shows that buffer overflows are the most common security problem. As you read earlier in Chapter 6, buffer overflows are related to programming errors. Consequently, when they are discovered, software vendors usually fix them by issuing security updates. These updates might be called upgrades, patches, service packs, or hotfixes, depending on the product and the vendor. No matter what they are called, these updates fix programming errors that might be exploited by an attacker.

Software updates aren't always related to security updates. Sometimes they add new features or fix other programming issues that are related to ease of use or functionality and not necessarily a security exploit. Be sure you review what the update is fixing before installing it because you might decide that you don't need or want the update.

Checking for Updates

Almost every piece of software and hardware that your organization has is likely to be updated at some point. As with firmware updates, you must stay attuned to appropriate information sources (such as your software vendor's Web site or an alert list) so that you know about exploits when they are discovered and fixed.

The Computer Security Division of NIST maintains a searchable index of information on computer vulnerabilities called ICAT located at http://icat.nist.gov. (ICAT originally stood for Internet Categorization of Attacks Toolkit. However, it is not an acronym today because the focus of the toolset has changed.)

Operating systems in particular are likely to be updated routinely. Updates are so frequent that many software vendors have worked to simplify the process of finding and installing them. For example, CERT lists scanning tools on its Web site under the heading "Tools to Scan Hosts for Known Vulnerabilities," located at http://www.cert.org/tech_tips/security_tools.html#D. Two of those scanning tools are Internet Security Scanner (ISS) and Security Administrator Tool for Analyzing Networks (SATAN). Other examples of scanning tools include the Microsoft Baseline Security Analyzer (MBSA) and the Microsoft Network Security Hot Fix Checker (HFNetChk).

For more information concerning MBSA and HFNetChk, visit http://www.microsoft.com/technet/security/tools/Tools.

Automated Updates

Many software vendors are providing methods for receiving and applying updates automatically. Many virus scanner vendors offer automated programs for updating virus definition files. Microsoft offers an automatic updates program called Software Update Services for many of its operating systems. These automated updates can be configured to automatically download updates from the vendor's Web site on a regular schedule or whenever they are available.

For more information about Software Update Services visit http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp.

Securing Networking Components

As you have seen thus far, there are many potential avenues that an attacker can use to exploit your network. In this section, you learn some additional avenues that attackers might take to exploit your network. More important, you learn steps that you can take to help protect your network and reduce the possible ways in which attackers might exploit it.

Disabling Unnecessary Network Services and Protocols

People often speak of disabling unnecessary "services" and "protocols" interchangeably. This is because services and protocols often have the same name. For example, the Simple Network Management Protocol (SNMP) is by name a protocol, but it is also a service. SNMP is typically used for remote management of hosts on a TCP/IP network. As a service, SNMP communications occur by default over User Datagram Protocol (UDP) ports 161 and 162. As a protocol, SNMP communicates according to standards documented in Request for Comments (RFC) 1643. (RFC articles can be found at http://www.icann.rfceditor.org.)

CERT Advisory CA-2002-03, titled "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)," issued February 12, 2002, warned that more than 140 hardware and software vendors had vulnerable SNMP services. Many organizations were advised to disable SNMP until their vendors were able to distribute patches. You can review the advisory at http://www.cert.org/advisories/CA-2002-03.html.

A network service is a program used to provide some function for another computer or device on the network. Network services are often generically referred to as services. Many operating systems install and enable services by default that might not be necessary or appropriate on your network. Of course, the necessity and appropriateness of a service depends on the role that the computer is performing. For example, CERT Advisory CA-1996-01, "UDP Port Denial-of-Service Attack," (also CVE-1999-0103) warns of a denial of service (DoS) attack directed against two UDP services: chargen and echo.

Chargen and echo are used for testing networked computers. Chargen responds with random characters to packets sent to its UDP port 19. Echo sends a response for each packet it receives on its UDP port 7. Both services are not required for typical network communications. You can read the CERT advisory on the potential for attack on the chargen and echo services at http://www.cert.org/advisories/CA-1996-01.html.

Most network operating systems allow network administrators to list the services that are active on the system. In Microsoft Windows, UNIX, and Linux systems the netstat command can be used to provide a list of network connections and listening ports over which services are provided. Figure 8-3 shows the netstat command and appropriate command-line switches to show all listening TCP and UDP ports in numerical order.

Figure 8-3. Netstat on Windows 2000 Professional

You can usually find a list of services and ports in the services file. This file is located in different places on different operating systems. On UNIX and Linux operating systems, it is commonly stored as /etc/services. Microsoft Windows 2000 and Microsoft Windows XP store the services file in the %systemroot%\System32\Drivers\Etc folder. You can view and edit the services file in any text editor, such as vi, Emacs, or pico on UNIX/Linux operating systems or Notepad on Microsoft Windows operating systems.

Recent Microsoft operating systems use the term folder instead of directory. For example, documentation refers to file and folder-level security instead of directory-level security. The Microsoft Services file is only used to map friendly names to services; you cannot actually disable services by removing entries from that file.

Once you know which services are running on your system, disable all unnecessary ones. In UNIX and Linux operating systems, disabling services is typically done by editing the /etc/inetd.conf or /etc/xinetd.conf files. To disable a service in inetd.conf, add a pound sign (#) in front of the line referencing the service. An excerpt of an inetd.conf file is shown here with the echo and chargen services disabled:

  #echo    stream  tcp  nowait  root  internal
  #echo    dgram   udp  wait    root  internal
  discard  stream  tcp  nowait  root  internal
  discard  dgram   udp  wait    root  internal
  daytime  stream  tcp  nowait  root  internal
  daytime  dgram   udp  wait    root  internal
  #chargen stream  tcp  nowait  root  internal
  #chargen dgram   udp  wait    root  internal

Once you have disabled all the unnecessary services, you must restart or signal the inetd program so that it rereads the edited inetd.conf file. Depending on the specific distribution of UNIX or Linux, you might do this by typing killall -HUP inetd, which sends inetd the hangup (HUP) signal. The preferred technique for restarting inetd might be different in your specific operating system, so consult your documentation.

All of the services listed in the preceding excerpt of the inetd.conf file are typically used for testing only, and most security guidelines recommend disabling them.
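The inetd.conf procedure just described, as an added Python example that is not from the book: it lists the services an inetd.conf excerpt enables, flags the test-only services this lesson names, and comments out the lines for chosen services the way the text describes. The sample configuration is constructed for the example, not taken from any real system.

```python
# Constructed inetd.conf sample modelled on the lesson's excerpt; every
# service is still enabled so the script has something to disable.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf - constructed sample, not a real system's file
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
discard stream  tcp  nowait  root  internal
discard dgram   udp  wait    root  internal
daytime stream  tcp  nowait  root  internal
daytime dgram   udp  wait    root  internal
chargen stream  tcp  nowait  root  internal
chargen dgram   udp  wait    root  internal
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
"""

# The "small services" the lesson says are used for testing only.
TEST_ONLY = {"echo", "discard", "daytime", "chargen"}

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def parse_inetd(text):
    """Return (service, socket_type, protocol, enabled) for each service line.

    A line that starts with '#' is treated as a disabled service only if the
    text after the '#' still looks like a valid inetd entry; ordinary comments
    are skipped.
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith("#")
        fields = stripped.lstrip("#").split()
        # A real entry has at least six fields and a known socket type.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append((fields[0], fields[1], fields[2], enabled))
    return entries


def enabled_test_services(text):
    """Names of test-only services that are still active in this config."""
    return sorted({svc for svc, _, _, on in parse_inetd(text)
                   if on and svc in TEST_ONLY})


def disable_services(text, names):
    """Prepend '#' to every active line for the named services (all socket
    types and protocols), which is how the lesson disables a service.
    Lines already commented out are left untouched."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in names:
            line = "#" + line
        out.append(line)
    # After writing the result back, inetd must be told to reread the file
    # (for example with 'killall -HUP inetd', as the lesson describes).
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("test-only services enabled:", enabled_test_services(SAMPLE_INETD_CONF))
    hardened = disable_services(SAMPLE_INETD_CONF, {"echo", "chargen"})
    print(hardened)
    print("still enabled:", enabled_test_services(hardened))
```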

In Microsoft Windows operating systems, disabling specific services can be a bit more complex because you need to know which software applications are providing which services. For example, consider the following list (excerpted from Figure 8-3):

  Proto  Local Address
  TCP    10.200.200.153:139
  UDP    10.200.200.153:137
  UDP    10.200.200.153:138

All entries in this list are associated with NetBIOS over TCP/IP services. If you have no need for NetBIOS over TCP/IP services, you can disable them through the Advanced TCP/IP Settings dialog box by clicking the WINS tab, and then choosing the option to disable NetBIOS over TCP/IP, as shown in Figure 8-4.

Figure 8-4. Disabling NetBIOS over TCP/IP in Windows 2000

In addition to disabling unnecessary services on the clients and server operating systems on your network, you should filter unneeded services at the firewall. As mentioned in Chapter 4, you'd be wise to use a default-deny rule on the firewall and enable only needed services.

Removing Unnecessary Programs

The Melissa virus (described in Chapter 6) was targeted at systems running Microsoft Word and Microsoft Outlook. The Melissa virus would not have affected someone who didn't have Word and Outlook installed. The more programs you have installed and running on your system, the greater the likelihood that someone can create or find an exploit for one of your programs.

To reduce the risk of compromise on your network, you should remove all unnecessary programs from every device on your network. Most operating systems provide a way to determine which processes and applications are running. UNIX and Linux systems have the ps command, which lists running processes. In Microsoft Windows operating systems from Windows 95 onward (Windows 95, Windows 98, Windows Me, Windows 2000, and Windows XP), you can press Ctrl, Alt, and Delete simultaneously to open Task Manager. In Windows XP, you can also use the tasklist.exe command to view processes on local and remote computers from the command line.

A process, generically, is a running program. Services, as described previously, are also running programs, and many conversations and documents make no distinction between a service and a process. In this text, however, programs that provide a function over the network are referred to as services, and a process is any running program, whether or not it is involved with network communications. Applications are programs, too, but when most people refer to an application they mean a program (or group of programs) that accomplishes a specific task, which might involve one or more running processes. For example, the Microsoft Windows games Minesweeper and Solitaire are applications. Here again, the lines are not perfectly clear, because when Minesweeper and Solitaire are running they each run as a single process. In Microsoft Windows operating systems, you can review installed applications through the Add/Remove Programs icon in Control Panel.

Once you have listed all of the running processes, you can determine if they are necessary. Determining which processes are actually necessary depends on many different factors. Later in this lesson and in the following lesson we cover some of the guidelines that help you determine which processes are necessary. However, beyond all of the recommendations, in many cases, the decision on whether a process is necessary varies depending on what the individual or organization needs to accomplish or provide.

Disabling Unnecessary Protocol Stacks

As you saw in Chapter 2, TCP/IP is a suite of protocols. TCP/IP is often referred to as a protocol stack. Other types of protocol stacks include IPX/SPX and NetBEUI. Many operating systems and network devices are capable of running more than one protocol stack. As with removing an unnecessary service or protocol, you should also remove any unnecessary protocol stacks. For example, the IPX/SPX protocol stack is only used on Novell NetWare networks. However, recent versions of NetWare frequently use TCP/IP. If you convert your network to TCP/IP completely, you can remove IPX/SPX from hosts and routers on your network. The fewer protocols, protocol stacks, and services that your systems support, the less likely it is that newly discovered vulnerabilities will affect them. At a minimum, removing unnecessary services, protocols, and protocol stacks improves performance and makes systems less complex to troubleshoot.

Disabling Promiscuous Mode

Attackers who are able to compromise one of the systems on your network might use that compromised system to gather information and possibly exploit other systems. One way in which an attacker might gather information is to install a protocol analyzer program on the compromised system. The attacker then uses the protocol analyzer to monitor data packets, hoping to find passwords, user names, or additional information that might help to compromise other systems.

To protect your systems from this type of attack, you must do all you can to ensure that a system is not compromised in the first place. However, if a system is compromised, one method for stopping the attacker from gathering additional information is to disable the promiscuous mode of the network card. Promiscuous mode is a condition that a network adapter can be placed in to gather all passing information. Normally, network adapters do not gather information that is not specifically destined for the adapter or broadcast to all adapters. Certain programs (such as protocol analyzer programs) place adapters into promiscuous mode.

Many network card manufacturers provide directions for disabling promiscuous mode through various operating systems. Unfortunately, if the attacker is savvy enough to compromise the system and gain full control (root, superuser, or administrative access), then he or she can probably re-enable promiscuous mode on the adapter through the operating system. Some network card manufacturers make network cards on which promiscuous mode can be permanently disabled. If you can permanently disable promiscuous mode on the network adapter, even if an attacker does compromise the system, installing a protocol analyzer would not provide any additional advantages to the attacker.

Some network security tools, such as vulnerability scanners and network monitors, depend on enabling promiscuous mode on your network adapter. Consequently, you should not disable promiscuous mode on systems that you must use to conduct network monitoring or run certain vulnerability scanning tools.

Disabling Unnecessary Systems

Computer systems that are not in use on your network should be disabled. Network attacks are often launched against test systems that were never properly secured and then forgotten about. Even a test system that has no legitimate user accounts locally could be quite useful to an attacker. As previously mentioned, if an attacker compromises an unsecured system, she or he could install a protocol analyzer and other tools that could lead to further exploits.

To protect your network from exploits launched against systems that are not in use, you must routinely audit your systems. You can use vulnerability scanners on your own network to scan for unsecured systems, and you can also physically inspect your network to see if there are any computers or other network devices that are no longer in use.

Virtual Machines from VMWare or Virtual PCs from Connectix can be susceptible to the same attacks and viruses as the physical workstations and servers on your network. Be sure to maintain or disable these virtual machines or PCs as you would other systems on your network.

Access Control Lists

Packet filtering, as described in Chapter 4, is typically accomplished with an access control list (ACL). An ACL is a rule list that tells the router or firewall how to deal with network packets the router receives, so routers and firewalls use ACLs to determine which packets to forward and which to drop. As you learned in Chapter 4, packet filters can be used to restrict packets based on source address, destination address, protocol ID, TCP or UDP port number, Internet Control Message Protocol (ICMP) message type, fragmentation flags, and options.

One common problem with router and firewall configurations is that packet filters are not stringent enough. As an example, assume you work for an organization that handles name resolution for all internal client systems. In addition, you want to allow Domain Name System (DNS) zone transfers from your Internet service provider's (ISP's) DNS server (named IspDNS) to your local DNS server (named CorpDNS). Because the ISP's DNS server sends zone transfers over the standard port (TCP port 53) to your organization, you know you must enable that port on the firewall. You can configure an ACL that looks like the one shown in Table 8-1.

Table 8-1. Sample Access Control List

  Rule       Direction  Destination  Source   Protocol  Source Port  Destination Port
  Zone XFR1  OUT        Any          CorpDNS  TCP       >1023        53
  Zone XFR2  IN         CorpDNS      Any      TCP       53           >1023

However, if you do this, an attacker could potentially use port 53 to scan your entire network. Further, an attacker could send a bogus zone transfer right through your firewall to your DNS server. The problem is the use of "any" instead of listing the actual DNS server of the ISP. A more secure solution would be to restrict zone transfers to only the IP address of your ISP's DNS server, as shown in Table 8-2.

Table 8-2. A More Secure Access Control List

  Rule       Direction  Destination  Source   Protocol  Source Port  Destination Port
  Zone XFR1  OUT        IspDNS       CorpDNS  TCP       >1023        53
  Zone XFR2  IN         CorpDNS      IspDNS   TCP       53           >1023

Configuring a secure ACL is an important way to help protect your network from attack. Make sure that your firewall and router rules limit the connections that can be made and from where.
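To show the difference between Table 8-1 and Table 8-2 in practice, here is an added Python example (not from the book) that evaluates packets against both rule sets under a default-deny policy. The addresses for CorpDNS, IspDNS, and the outside host are constructed documentation addresses, and the rule-matching logic is a simplified model of a stateless packet filter.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for this example (documentation ranges, not real hosts).
CORP_DNS = "192.0.2.10"        # the organisation's DNS server
ISP_DNS = "198.51.100.53"      # the ISP's DNS server
OUTSIDER = "203.0.113.7"       # an arbitrary Internet host


@dataclass(frozen=True)
class Packet:
    direction: str   # "IN" (toward the organisation) or "OUT"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    dst: Optional[str]   # None models "Any" in the tables
    src: Optional[str]
    proto: str
    sport: str           # a port number or a ">N" range, as written in the tables
    dport: str

    @staticmethod
    def _port_ok(spec: str, port: int) -> bool:
        if spec.startswith(">"):
            return port > int(spec[1:])
        return port == int(spec)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.dst is None or self.dst == p.dst)
                and (self.src is None or self.src == p.src)
                and self.proto == p.proto
                and self._port_ok(self.sport, p.sport)
                and self._port_ok(self.dport, p.dport))


def evaluate(acl: List[Rule], packet: Packet) -> Optional[str]:
    """Default-deny filter: return the name of the first permitting rule,
    or None when no rule matches and the packet is dropped."""
    for rule in acl:
        if rule.matches(packet):
            return rule.name
    return None


# Table 8-1: "Any" on the external side.
TABLE_8_1 = [
    Rule("Zone XFR1", "OUT", None, CORP_DNS, "TCP", ">1023", "53"),
    Rule("Zone XFR2", "IN", CORP_DNS, None, "TCP", "53", ">1023"),
]

# Table 8-2: the external side is pinned to the ISP's DNS server.
TABLE_8_2 = [
    Rule("Zone XFR1", "OUT", ISP_DNS, CORP_DNS, "TCP", ">1023", "53"),
    Rule("Zone XFR2", "IN", CORP_DNS, ISP_DNS, "TCP", "53", ">1023"),
]

# Legitimate zone-transfer reply from the ISP's server to CorpDNS.
LEGIT_REPLY = Packet("IN", ISP_DNS, CORP_DNS, "TCP", 53, 2048)
# The lesson's concern: an outside host using source port 53 to reach CorpDNS.
SPOOFED_XFR = Packet("IN", OUTSIDER, CORP_DNS, "TCP", 53, 2048)
PROBE = Packet("IN", OUTSIDER, CORP_DNS, "TCP", 53, 8080)


def compare(packet: Packet) -> dict:
    """Decision for one packet under each table, for side-by-side review."""
    return {"table_8_1": evaluate(TABLE_8_1, packet),
            "table_8_2": evaluate(TABLE_8_2, packet)}


if __name__ == "__main__":
    for label, pkt in [("legitimate reply", LEGIT_REPLY),
                       ("outsider, sport 53", SPOOFED_XFR),
                       ("outsider probe", PROBE)]:
        print(f"{label:20s} {compare(pkt)}")
```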

File System Security

A file system (or file management system) is a program for organizing, storing, and even sharing data. To increase the security of your network and individual systems, you should secure the file systems in use on your network. There are three main areas to consider related to file system security:

  • File and directory permissions

  • Data encryption

  • Shared or exported data

File and Directory Permissions

File and directory permissions are used to identify who can access a file or directory. Many operating systems use file systems that allow you to set file and directory permissions. Typical permissions you can configure include read, write, and execute.

Some operating systems allow you to choose between installing a file system that supports file- and directory-level security and one that does not. For example, Microsoft Windows NT, Windows 2000, and Windows XP allow you to choose between the file allocation table (FAT) file system and the NTFS file system. FAT does not support file and directory security, whereas NTFS does. To better secure your operating system, select the file system that supports file- and directory-level security.

To best protect your operating systems from compromise, configure security on files and directories according to the rule of least privilege. This means giving each person or group only the required amount of access and nothing more. For example, if all the users in the marketing department need access to read, but not change, a file you should give them read access only, and nothing more. By limiting permissions you can protect files from being accessed or deleted by attackers who are able to compromise a trusted user account. Further, you help to prevent accidental deletions by legitimate users.

Data Encryption

Some file systems, such as NTFS in Windows 2000 and Windows XP, enable you to encrypt data. You should encrypt all files that you are concerned about keeping private. Although file system permissions should protect your files, encryption adds an additional layer of protection. For more information on data encryption, see Chapter 3, Chapter 4, and Chapter 6.

Shared or Exported Data

Sharing files and folders is common and so is the exploitation of those shares. To secure your shared files and folders, you can typically configure access controls on them, commonly referred to as share permissions or export permissions. Be sure to follow the rule of least privilege when granting access to shared files and directories.

Tips for securing file and print servers are covered in Lesson 2. The items mentioned here also apply to that lesson and vice versa.

Operating System Hardening

Operating system hardening means securing the operating system. Many of the security tips already covered in this lesson can be applied directly to hardening the operating system, including the following:

  • Disable unnecessary programs and processes.

  • Disable unnecessary services.

  • Disable unnecessary protocols.

  • Verify, test, and install all vendor patches.

  • Use vulnerability scanners to identify potential security weaknesses.

  • Disable promiscuous mode.

  • Configure file system security according to the rule of least privilege.

In addition to taking those precautions, you should consider the following to better protect your operating system:

  • Set complex passwords for all user accounts and change them frequently.

    Setting complex passwords was discussed in Chapter 4. Be sure to routinely change passwords to keep them secure.

  • Set account lockout policies.

    If someone is trying to guess a password, they'll probably take a few guesses. If you have an account lockout policy that locks someone out after three to five attempts, the chances of that person guessing a password successfully are greatly reduced.

  • Remove or disable all unnecessary modems.

    Modems (or dial-up adapters) can become a way to circumvent the security of your network, as explained in Chapter 4.

  • Enable monitoring, logging, auditing, and detection.

    You should monitor your hosts and connectivity devices. Many operating systems allow you to log user access, file system access, and other security-related events. You can also configure a host-based intrusion detection system. Monitoring was covered in Chapter 4. Intrusion detection is covered in greater detail in Chapter 11, "Intrusion Detection."

  • Maintain backups and images.

    One of the most important ways to protect your operating systems is by backing them up. You can also use disk-imaging software to maintain a complete image of the operating system and its data.

There are many specific recommendations and guidelines available for a variety of operating systems available on the Internet. Here are some links to recommendations for specific operating systems:

  • The UNIX Security Checklist v2.0 from CERT is available at http://www.cert.org/tech_tips/unix_security_checklist2.0.html.

  • The CIS Web site at http://www.cisecurity.com includes information for securing Solaris, Linux, HP-UX, Cisco IOS, Windows 2000, Windows NT, and more.

  • The U.S. NSA Web site at http://www.nsa.gov has security guides for Windows 2000, Windows NT, and Cisco routers. Also, the NSA has published a security-enhanced version of the Linux operating system (see Security Enhanced Linux on the NSA Web site).

  • The Information Systems and Technology Department of the University of Waterloo Web site at http://ist.uwaterloo.ca/security/howto includes information on securing Windows NT, Windows 2000, Windows XP, AIX, Solaris, and Linux.

  • Windows NT Configuration Guidelines from CERT are available at http://www.cert.org/tech_tips/win_configuration_guidelines.html.

  • Windows 95 and Windows 98 Computer Security Information from CERT is available at http://www.cert.org/tech_tips/win-95-info.html.

Lesson 2 discusses securing specific types of servers. Servers present specific challenges because they must often run additional protocols and provide additional services that can potentially be exploited by attacks.

Exercise: Using MD5

MD5 can be used to verify the integrity of files, and you can download and use it with a wide variety of operating systems. Many Web sites and vendors post MD5 checksums so that you can verify that the file they post is the file you downloaded. In this exercise you locate the MD5.exe file and learn how to use it. You create three files and see the effect on the MD5 hash when you change one of those files.

This exercise, as written, works on Windows 95, Windows 98, Windows Me, and Windows 2000 operating systems.

  1. Download the MD5.exe file from the Internet. You can use any Internet search engine. Copy the MD5.exe file to your C drive.

  2. Create a text file named Code.txt, type some text into the file using a text editor such as Notepad, and then save the file somewhere on your C drive.

  3. Create three folders on the C drive named test1, test2, and test3.

  4. Copy Code.txt to each of the folders (test1, test2, and test3).

  5. Modify the contents of the Code.txt file in the test2 folder and save it.

  6. From the Start menu, click Run and then type CMD or command (depending on your version of Windows) and press Enter. A command prompt appears.

  7. At the command prompt, type CD\ and press Enter.

  8. Type MD5 C:\test1\code.txt, and press Enter.

  9. Type MD5 C:\test2\code.txt and press Enter.

  10. Type MD5 C:\test3\code.txt and press Enter.

    You should see that the first and third files have the same hash value, but the value of the second is different.
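The exercise above and the Figure 8-1 discussion of checksum verification, as an added Python example that is not from the book: it hashes files in chunks, compares the result with a vendor-published value, and recreates the three Code.txt copies so you can see that only the altered copy's MD5 changes. The file contents and directory layout are constructed here, and the algorithm parameter is an addition that lets you use SHA-256 where a vendor publishes that instead of MD5.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=65536):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="md5"):
    """True only if the file's digest equals the vendor-published value.

    The published string is normalised (surrounding whitespace, letter case)
    because vendors print hashes inconsistently, and the comparison uses
    hmac.compare_digest so it does not depend on where the strings differ.
    """
    actual = file_digest(path, algorithm)
    expected = published_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def write_temp(content: bytes) -> str:
    """Helper for the demonstration: write constructed bytes to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def run_exercise():
    """Recreate the lesson's exercise: three Code.txt copies in test1, test2
    and test3, with only the test2 copy modified. Returns each copy's MD5."""
    original = b"This is the text typed into Code.txt in step 2.\r\n"  # constructed
    digests = {}
    with tempfile.TemporaryDirectory() as base:
        for folder in ("test1", "test2", "test3"):
            os.mkdir(os.path.join(base, folder))
            content = original
            if folder == "test2":
                # Step 5: alter the test2 copy; size, name and text length stay the same.
                content = original.replace(b"text", b"TEXT")
            target = os.path.join(base, folder, "Code.txt")
            with open(target, "wb") as f:
                f.write(content)
            digests[folder] = file_digest(target)
    return digests


if __name__ == "__main__":
    for folder, digest in run_exercise().items():
        print(f"{folder}\\Code.txt  {digest}")
    # Standard MD5 test vector for the bytes "abc", used as a stand-in for a
    # vendor-published checksum.
    sample = write_temp(b"abc")
    print("matches published value:",
          verify_download(sample, " 900150983CD24FB0D6963F7D28E17F72 "))
```

Because the two unmodified copies hash to the same value and the edited copy does not, the output mirrors what Figure 8-1 shows.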

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. How can you stop certain protocols from traversing your routers?

  2. What can you do to make it more difficult for an attacker to sniff your network?

  3. What can you do to secure your computer's file system?

  4. What is the purpose of disabling unnecessary systems, programs, processes, protocols, and services?

  5. Why is it imperative that you monitor security alerts?

Lesson Summary

  • Vulnerabilities are often discovered in network devices, operating systems, and applications. You should monitor for security alerts to ensure that you know about exploits that could affect your equipment. Be sure to verify, test, and apply all security updates as soon as possible.

  • To better protect your network devices and hosts, you should do the following:

    • Disable unnecessary programs and processes.

    • Disable unnecessary services.

    • Disable unnecessary protocols.

    • Verify, test, and install all vendor patches.

    • Use vulnerability scanners to identify potential security weaknesses.

    • Disable promiscuous mode.

  • Choose secure file systems that allow you to set file- and folder-level permissions. Configure file system permissions according to the rule of least privilege.

  • Beyond removing all unnecessary components and applying security updates, additional steps to secure operating systems include the following:

    • Set complex passwords for all user accounts and change them frequently.

    • Set account lockout policies.

    • Remove or disable all unnecessary modems.

    • Enable monitoring, logging, auditing, and detection.

    • Maintain backups and disk images.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002