Type
Quiz
Book Title
Computer Security Fundamentals 3rd Edition
ISBN 13
978-0789757463

Networking Chapter 9 Instructors Manual Materials Accompany Computer Security Fundamentals Computer Security Software

May 3, 2021
Instructor's Manual Materials to Accompany
COMPUTER SECURITY FUNDAMENTALS
CHAPTER 9
COMPUTER SECURITY SOFTWARE
CHAPTER 9 OBJECTIVES
When students finish reading this chapter, they will be able to
Evaluate the effectiveness of a scanner based on how it works.
Choose the best type of firewall for a given organization.
CHAPTER OVERVIEW
If you try to secure your network, you need more details on the different types of security devices and software
you might choose. To secure any system, you must have antivirus and antispyware scanners, firewalls, and an
IDS. This chapter reviews these items with enough detail to allow you to make intelligent decisions on which
products would be best for your organization.
The major sections in this chapter are
1. Virus Scanners. This section describes different types of virus scanners and how they work. Both
commercial and free scanners are presented.
3. Antispyware. This section briefly describes antispyware scanners and why you need them.
4. Intrusion-Detection Software. Different types of intrusion detection systems are described, including how
6. Authentication. Protocols used to authenticate users to your network.
CHAPTER OUTLINE
I. Chapter 9 Objectives
II. Introduction
III. Virus Scanners
How Does a Virus Scanner Work?
Virus-Scanning Techniques
Commercial Antivirus Software
IV. Firewalls
Benefits and Limitations of Firewalls
Firewall Types and Components
Screening Firewall
Application Gateway
Circuit-Level Gateway
How Firewalls Examine Packets
Stateful Packet Inspection
Stateless Packet Inspection
Firewall Configurations
Network Host-Based
Dual-Homed Host
Router-Based Firewall
Screened Host
Commercial and Free Firewall Products
Firewall Logs
V. Antispyware
VI. Intrusion-Detection Software
IDS Categorization
Misuse Detection Versus Anomaly Detection
Passive Systems Versus Reactive Systems
Network-Based System Versus Host-Based System
IDS Approaches
Preemptive Blocking
Snort
Honey Pots
Other Preemptive Techniques
Intrusion Deflection
Infiltration
Intrusion Deterrence
VII. VPN
PPTP
L2TP
IPSEC
VIII. Authentication
CHAP
Kerberos
IX. Summary
X. Test Your Skills
XI. Exercises
XII. Projects
KEY TERMS
anomaly detection A process to look for system behavior that is not normal. This process is used by many
intrusion detection systems.
application gateway A type of firewall that authenticates entire client applications.
bastion host A gateway between an inside network and an outside network. Used as a security measure, it is
designed to defend against attacks aimed at the inside network.
breach To successfully break into a system.
dual-homed host A firewall that actually has two network interface cards, thus participating in two networks.
(Although one might be the Internet.)
IDS signatures Characteristics of specific types of attacks that intrusion detection systems look for.
Intrusion Detection System (IDS) A system designed to detect signs of attacks in progress and to notify the
administrator.
on-demand virus scanners Virus scanning that runs when requested by the user.
ongoing virus scanner Virus scanning continually running in the background.
screened host A firewall, usually on the perimeter of a network, that combines a packet-filtering router with an
application gateway located on the protected subnet side of the router; also called a screening firewall.
spyware Software that monitors computer use.
stateful packet inspection (SPI) A type of firewall process in which each packet and its contents are examined,
in which the inspection does not involve actually examining the contents of each packet, nor does it examine a
packet within the context of an ongoing TCP conversation.
TEACHING NOTES
I. Introduction
Teaching Tips: Two concepts that must be clear to students are false positives and
false negatives. A false positive is when your detection system shows an intrusion when there is none,
sending a false alarm or “crying wolf.” And we know what happens to detection systems that have too
II. Virus Scanners/Anti-Spyware
Teaching Tips: No computer connected to a LAN or the Internet should be without a
virus scanner and a good antispyware system. Ask students what programs they use and how they like
them.
III. Firewalls/IDS
Teaching Tips: It will be helpful to draw an example network with PCs, servers,
PROJECTS/EXERCISES
I. Discussion Questions
A. Discussion Question 1
Is it better to have your ISP filter your e-mail, buy e-mail virus scanner software
for your PC, or just manually delete spam and e-mail that contains bad attachments?
B. Discussion Question 2
How often should IDS, antivirus, or antispyware signature files be updated?
II. Web Projects
A. Web Project 1
Go to Google.com to search for articles on honeypots. Find out the legal and
ethical issues involved with evidence collected by using a honeypot system. Is it an
intrusion if you set one up to be broken into? Is this a form of entrapment? Do honeypots
encourage break-ins? One place to start your research is an article titled “Honey pots: Are
They Illegal?” at http://www.linuxsecurity.com/content/view/114141/65/.
B. Web Project 2
Many IT people say that Windows and IE are more susceptible to viruses and
spyware than Linux and Firefox. Go to Google.com and search for articles on Windows
versus Linux security. Which OS and browser is safe?
C. Web Project 3
Anomaly detection involves actual software that works to detect intrusion
attempts and notify the administrator. The system looks for any anomalous behavior. Any
activity that does not match the pattern of normal user access is noted. Go to Google.com
and search for information on how anomaly detection works and then answer the
question: How does the IDS define “normal” use? A good place to find information about
IDS system types is http://infosecuritymag.techtarget.com/articles/august01/cover.shtml.
D. Web Project 4
Microsoft recently acquired an antispyware company called “Giant.” As of this
writing, Microsoft has released a beta antispyware program. Go to Microsoft on the
Internet or to http://www.microsoft.com/athome/security/spyware/software/default.mspx
and find out what type of antispyware program it is and what issues exist in installing and
using this software.
WEB RESOURCES
Firewall resources
http://www.agnitum.com/products/outpost/ outpost firewall software resource
Free firewall software resources
CHAPTER REVIEW/ANSWERS TO TEST YOUR SKILLS
Multiple Choice Questions
1. Which of the following is the most common way for a virus scanner to recognize a virus?
2. What is one way of checking e-mails for virus infections?
3. What is a TSR program?
4. What is the name for scanning that depends on complex rules to define what is and is not a virus?
5. Which of the following is not one of the basic types of firewalls?
C
6. Which of the following is the most basic type of firewall?
7. Which of the following is a disadvantage to using an application gateway firewall?
8. What is SPI?
9. What is the term for a firewall that is simply software installed on an existing server?
10. What is a major weakness with a network host-based firewall?
11. What is the term for blocking an IP address that has been the source of suspicious activity?
12. What is the term for a fake system designed to lure intruders?
13. Which of the following is the correct term for simply making your system less attractive to
intruders?
14. What method do most IDS software implementations use?
15. How do most antispyware packages work?
Exercises
EXERCISE 12.1: SETTING UP A FIREWALL
EXERCISE 12.2: ROUTER-BASED FIREWALLS
EXERCISE 12.3: EVALUATING FIREWALLS
This exercise asks students to evaluate differing firewall solutions. The key is not so much what the
EXERCISE 12.4: ACTIVE CODE
EXERCISE 12.5: HARDWARE USED BY A COMPANY
The purpose of this exercise is for students to gain an understanding of how the software and hardware
Projects
PROJECT 12.1: HOW DOES THE MICROSOFT FIREWALL WORK?
PROJECT 12.2: HOW DOES ANTI-VIRUS WORK?
In this project students use vendor documentation to find out exactly what methods both Norton and
PROJECT 12.3: USING SNORT
Snort is not the only IDS available, but it is free and it is widely recommended by many experts.
Case Study
This case study asks students to apply knowledge they have gained. They are asked to evaluate the
appropriateness of Jane Smith's security selections. In this case study the firewall Jane has selected is
probably fine. Additional recommendations students might make could include