Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Instructor’s Manual Materials to Accompany
COMPUTER SECURITY FUNDAMENTALS
CHAPTER 9
COMPUTER SECURITY SOFTWARE
CHAPTER 9 OBJECTIVES
When students finish reading this chapter, they will be able to
• Evaluate the effectiveness of a scanner based on how it works.
• Choose the best type of firewall for a given organization.
CHAPTER OVERVIEW
If you try to secure your network, you need more details on the different types of security devices and software
you might choose. To secure any system, you must have antivirus and antispyware scanners, firewalls, and an
IDS. This chapter reviews these items with enough detail to allow you to make intelligent decisions on which
products would be best for your organization.
The major sections in this chapter are
1. Virus Scanners. This section describes different types of virus scanners and how they work. Both
commercial and free scanners are presented.
3. Antispyware. This section briefly describes antispyware scanners and why you need them.
4. Intrusion-Detection Software. Different types of intrusion detection systems are described, including how
6. Authentication. Protocols used to authenticate users to your network.
CHAPTER OUTLINE
I. Chapter 9 Objectives
II. Introduction
III. Virus Scanners
How Does a Virus Scanner Work?
Virus-Scanning Techniques
Commercial Antivirus Software
IV. Firewalls
Benefits and Limitations of Firewalls
Firewall Types and Components
Screening Firewall
Application Gateway
Circuit-Level Gateway
How Firewalls Examine Packets
Stateful Packet Inspection
Stateless Packet Inspection
Firewall Configurations
Network Host-Based
Dual-Homed Host
Router-Based Firewall
Screened Host
Commercial and Free Firewall Products
Firewall Logs
V. Antispyware
VI. Intrusion-Detection Software
IDS Categorization
Misuse Detection Versus Anomaly Detection
Passive Systems Versus Reactive Systems
Network-Based System Versus Host-Based System
IDS Approaches
Preemptive Blocking
Snort
Honey Pots
Other Preemptive Techniques
Intrusion Deflection
Infiltration
Intrusion Deterrence
VII. VPN
PPTP
L2TP
IPSEC
VIII. Authentication
CHAP
Kerberos
IX. Summary
X. Test Your Skills
XI. Exercises
XII. Projects
KEY TERMS
anomaly detection A process to look for system behavior that is not normal. This process is used by many
intrusion detection systems.
application gateway A type of firewall that authenticates entire client applications.
bastion host A gateway between an inside network and an outside network. Used as a security measure, it is
designed to defend against attacks aimed at the inside network.
breach To successfully break into a system.
dual-homed host A firewall that actually has two network interface cards, thus participating in two networks.
(Although one might be the Internet.)
IDS signatures Characteristics of specific types of attacks that intrusion detection systems look for.
Intrusion Detection System (IDS) A system designed to detect signs of attacks in progress and to notify the
administrator.
on-demand virus scanners Virus scanning that runs when requested by the user.
ongoing virus scanner Virus scanning continually running in the background.
screened host A firewall, usually on the perimeter of a network, that combines a packet-filtering router with an
application gateway located on the protected subnet side of the router; also called a screening firewall.
spyware Software that monitors computer use.
stateful packet inspection (SPI) A type of firewall process in which each packet and its contents are examined,
in which the inspection does not involve actually examining the contents of each packet, nor does it examine a
packet within the context of an ongoing TCP conversation.
TEACHING NOTES
I. Introduction
Teaching Tips: Two concepts that must be clear to students are false positives and
false negatives. A false positive is when your detection system shows an intrusion when there is none,
sending a false alarm or “crying wolf.” And we know what happens to detection systems that have too
II. Virus Scanners/Anti-Spyware
Teaching Tips: No computer connected to a LAN or the Internet should be without a
virus scanner and a good antispyware system. Ask students what programs they use and how they like
them.
III. Firewalls/IDS
Teaching Tips: It will be helpful to draw an example network with PCs, servers,
PROJECTS/EXERCISES
I. Discussion Questions
A. Discussion Question 1
Is it better to have your ISP filter your e-mail, buy e-mail virus scanner software
for your PC, or just manually delete spam and e-mail that contains bad attachments?
B. Discussion Question 2
How often should IDS, antivirus, or antispyware signature files be updated?
II. Web Projects
A. Web Project 1
Go to Google.com to search for articles on honeypots. Find out the legal and
ethical issues involved with evidence collected by using a honeypot system. Is it an
intrusion if you set one up to be broken into? Is this a form of entrapment? Do honeypots
encourage break-ins? One place to start your research is an article titled “Honey pots: Are
They Illegal?” at http://www.linuxsecurity.com/content/view/114141/65 /.
B. Web Project 2
Many IT people say that Windows and IE are more susceptible to viruses and
spyware than Linux and Firefox. Go to Google.com and search for articles on Windows
versus Linux security. Which OS and browser is safe?
C. Web Project 3
Anomaly detection involves actual software that works to detect intrusion
attempts and notify the administrator. The system looks for any anomalous behavior. Any
activity that does not match the pattern of normal user access is noted. Go to Google.com
and search for information on how anomaly detection works and then answer the
question: How does the IDS define “normal” use? A good place to find information about
IDS system types is http://infosecuritymag.techtarget.com/articles/august01/cover.shtml.
D. Web Project 4
Microsoft recently acquired an antispyware company called “Giant.” As of this
writing, Microsoft has released a beta antispyware program. Go to Microsoft on the
Internet or to http://www.microsoft.com/athome/security/spyware/software/default.mspx
and find out what type of antispyware program it is and what issues exist in installing and
using this software.
WEB RESOURCES
• Firewall resources
http://www.agnitum.com/products/outpost/ outpost firewall software resource
• Free firewall software resources
CHAPTER REVIEW/ANSWERS TO TEST YOUR SKILLS
Multiple Choice Questions
1. Which of the following is the most common way for a virus scanner to recognize a virus?
2. What is one way of checking e-mails for virus infections?
3. What is a TSR program?
4. What is the name for scanning that depends on complex rules to define what is and is not a virus?
5. Which of the following is not one of the basic types of firewalls?
C
6. Which of the following is the most basic type of firewall?
7. Which of the following is a disadvantage to using an application gateway firewall?
8. What is SPI?
© 2012 Pearson, Inc.
8
A
9. What is the term for a firewall that is simply software installed on an existing server?
10. What is a major weakness with a network host-based firewall?
11. What is the term for blocking an IP address that has been the source of suspicious activity?
12. What is the term for a fake system designed to lure intruders?
13. Which of the following is the correct term for simply making your system less attractive to
intruders?
14. What method do most IDS software implementations use?
15. How do most antispyware packages work?
Exercises
EXERCISE 12.1: SETTING UP A FIREWALL
EXERCISE 12.2: ROUTER-BASED FIREWALLS
EXERCISE 12.3: EVALUATING FIREWALLS
This exercise asks students to evaluate differing firewall solutions. The key is not so much what the
EXERCISE 12.4: ACTIVE CODE
EXERCISE 12.5: HARDWARE USED BY A COMPANY
The purpose of this exercise is for students to gain an understanding of how the software and hardware
Projects
PROJECT 12.1: HOW DOES THE MICROSOFT FIREWALL WORK?
PROJECT 12.2: HOW DOES ANTI-VIRUS WORK?
In this project students use vendor documentation to find out exactly what methods both Norton and
PROJECT 12.3: USING SNORT
Snort is not the only IDS available, but it is free and it is widely recommended by many experts.
Case Study
This case study asks students to apply knowledge they have gained. They are asked to evaluate the
appropriateness of Jane Smith’s security selections. In this case study the firewall Jane has selected is
probably fine. Additional recommendations students might make could include
