Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
108 lines (106 sloc) 28.9 KB
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE abiword PUBLIC "-//ABISOURCE//DTD AWML 1.0 Strict//EN" "http://www.abisource.com/awml.dtd">
<abiword template="false" styles="unlocked" xmlns:fo="http://www.w3.org/1999/XSL/Format" xmlns:svg="http://www.w3.org/2000/svg" xmlns:dc="http://purl.org/dc/elements/1.1/" fileformat="1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:awml="http://www.abisource.com/awml.dtd" xmlns="http://www.abisource.com/awml.dtd" xmlns:xlink="http://www.w3.org/1999/xlink" version="0.99.2" xml:space="preserve" props="dom-dir:ltr; document-footnote-restart-section:0; document-endnote-type:numeric; document-endnote-place-enddoc:1; document-endnote-initial:1; lang:en-US; document-endnote-restart-section:0; document-footnote-restart-page:0; document-footnote-type:numeric; document-footnote-initial:1; document-endnote-place-endsection:0">
<!-- ======================================================================== -->
<!-- This file is an AbiWord document. -->
<!-- AbiWord is a free, Open Source word processor. -->
<!-- More information about AbiWord is available at http://www.abisource.com/ -->
<!-- You should not edit this file by hand. -->
<!-- ======================================================================== -->
<metadata>
<m key="dc.format">application/x-abiword</m>
<m key="abiword.generator">AbiWord</m>
</metadata>
<history version="33" edit-time="214253" last-saved="1115689562" uid="a54f43de-beae-11d9-896a-abf8e065bac1">
<version id="1" started="1115528896" uid="2fb11d9c-bf7f-11d9-896a-abf8e065bac1" auto="0"/>
<version id="14" started="1115564352" uid="0083bd9c-c0e0-11d9-80a6-caf9fb5ca178" auto="0"/>
<version id="33" started="1115683078" uid="443f7188-c0f5-11d9-86a9-c1cd21550db8" auto="0"/>
</history>
<styles>
<s type="P" name="Normal" followedby="Current Settings" props="text-indent:0in; margin-top:0pt; margin-left:0pt; font-stretch:normal; line-height:1.0; text-align:left; font-variant:normal; lang:en-US; dom-dir:ltr; margin-bottom:0pt; text-decoration:none; font-weight:normal; bgcolor:transparent; color:000000; text-position:normal; font-size:12pt; margin-right:0pt; font-style:normal; widows:2; font-family:Times New Roman"/>
<s followedby="Normal" name="Heading 1" basedon="Normal" type="P" props="keep-with-next:1; margin-top:0.3056in; font-weight:bold; margin-bottom:0.0417in; font-family:Arial; font-size:17pt"/>
<s followedby="Normal" name="Contents 1" basedon="Normal" type="P" props="list-delim:%L.; list-decimal:.; list-style:Numbered List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Normal" name="Contents 2" basedon="Normal" type="P" props="list-delim:%L.; list-decimal:.; list-style:Numbered List; start-value:1; field-color:transparent; margin-left:1.0000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Normal" name="Contents 3" basedon="Normal" type="P" props="list-delim:%L.; list-decimal:.; list-style:Numbered List; start-value:1; field-color:transparent; margin-left:1.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Normal" name="Contents 4" basedon="Normal" type="P" props="list-delim:%L.; list-decimal:.; list-style:Numbered List; start-value:1; field-color:transparent; margin-left:2.0000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Normal" name="Numbered Heading 1" basedon="Heading 1" type="P" props="list-delim:%L.; field-color:transparent; start-value:1; margin-left:0.0in; field-font:Arial; text-indent:0.0in; list-style:Numbered List; tabstops:0.299306in/L0"/>
<s followedby="Normal" name="Numbered Heading 2" basedon="Heading 2" type="P" props="list-delim:%L.; field-color:transparent; start-value:1; margin-left:0.0in; field-font:Arial; text-indent:0.0in; list-style:Numbered List; tabstops:0.299306in/L0"/>
<s type="P" name="Square List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Square List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s type="P" name="Lower Roman List" basedon="Normal" followedby="Current Settings" props="list-delim:%L; list-decimal:.; list-style:Lower Roman List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s type="P" name="Diamond List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Diamond List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s type="P" name="Numbered List" followedby="Current Settings" props="list-delim:%L.; list-decimal:.; list-style:Numbered List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Current Settings" name="Endnote Text" basedon="Normal" type="C"/>
<s type="P" name="Triangle List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Triangle List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s followedby="Normal" name="Numbered Heading 3" basedon="Heading 3" type="P" props="list-delim:%L.; field-color:transparent; start-value:1; margin-left:0.0in; field-font:Arial; text-indent:0.0in; list-style:Numbered List; tabstops:0.299306in/L0"/>
<s type="P" name="Dashed List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Dashed List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s type="P" name="Upper Roman List" basedon="Numbered List" followedby="Current Settings" props="list-delim:%L; list-decimal:.; list-style:Upper Roman List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s followedby="Normal" name="Heading 4" basedon="Normal" type="P" props="keep-with-next:1; margin-top:0.3056in; font-weight:bold; margin-bottom:0.0417in; font-family:Arial; font-size:12pt"/>
<s type="P" name="Heart List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Heart List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s followedby="Normal" name="Contents Header" basedon="Normal" type="P" props="keep-with-next:1; font-size:16pt; margin-bottom:0.0819in; font-weight:bold; text-align:center; font-family:Arial; margin-top:0.1667in"/>
<s type="P" name="Upper Case List" basedon="Numbered List" followedby="Current Settings" props="list-delim:%L); list-decimal:.; list-style:Upper Case List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s type="P" name="Bullet List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Bullet List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Symbol"/>
<s type="P" name="Hand List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Hand List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s followedby="Normal" name="Heading 2" basedon="Normal" type="P" props="keep-with-next:1; margin-top:0.3056in; font-weight:bold; margin-bottom:0.0417in; font-family:Arial; font-size:14pt"/>
<s followedby="Normal" name="Heading 3" basedon="Normal" type="P" props="keep-with-next:1; margin-top:0.3056in; font-weight:bold; margin-bottom:0.0417in; font-family:Arial; font-size:12pt"/>
<s type="P" name="Tick List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Tick List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s type="P" name="Lower Case List" basedon="Numbered List" followedby="Current Settings" props="list-delim:%L); list-decimal:.; list-style:Lower Case List; start-value:1; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:NULL"/>
<s type="P" name="Block Text" basedon="Normal" followedby="Current Settings" props="margin-bottom:0.0819in; margin-right:1.0000in; margin-left:1.0000in"/>
<s followedby="Normal" name="Section Heading" basedon="Numbered Heading 1" type="P" props="list-delim:Section %L.; field-color:transparent; start-value:1; margin-left:0.0in; field-font:Arial; text-indent:0.0in; list-style:Numbered List; tabstops:1.100000in/L0"/>
<s type="P" name="Implies List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Implies List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Symbol"/>
<s type="P" name="Box List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Box List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s type="P" name="Star List" followedby="Current Settings" props="list-delim:%L; list-decimal:NULL; list-style:Star List; start-value:0; field-color:transparent; margin-left:0.5000in; text-indent:-0.2979in; field-font:Dingbats"/>
<s followedby="Normal" name="Chapter Heading" basedon="Numbered Heading 1" type="P" props="list-delim:Chapter %L.; field-color:transparent; start-value:1; margin-left:0.0in; field-font:Arial; text-indent:0.0in; list-style:Numbered List; tabstops:1.100000in/L0"/>
</styles>
<pagesize pagetype="Letter" orientation="portrait" width="8.500000" height="11.000000" units="in" page-scale="1.000000"/>
<section props="page-margin-footer:0.5in; page-margin-header:0.5in">
<p style="Normal" props="text-align:right; line-height:1.0"><c props="font-weight:bold">Sumit Khanna</c></p>
<p style="Normal" props="text-align:right; line-height:1.0"><c props="font-weight:bold">CPSC 544</c></p>
<p style="Normal" props="text-align:right; line-height:1.0"><c props="font-weight:bold">Lab #2</c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5">When working on securing a network and keeping it secure, there are several tools, techniques and strategies a system administrator can use to keep critical information private. In this paper I plan on starting from an outside in approach of protecting a network </p>
<p style="Heading 1">Secure Internet Services</p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">Starting from outside the scope of a private network, let's take a look at global services that provide the infrastructure for the Internet. Without services such as </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; text-decoration:none">Domain Name Services</c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none"> (DNS), we wouldn't be able to use names to refer to locations on a network. Early DNS server were simple, however ten years ago, the community had no idea the cost of a domain could reach into the hundreds of thousands of dollars. </c></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">Because of the value of a simple domain reference, it is important to keep DNS secure as resolving false DNS records (spoofing) could lead to phishing attacks (i.e. referring a user to a website that looks like their bank, but is really a fake website used to grab their password).</c></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">The most common DNS server found on the Internet is BIND and like other such archaic software (e.g. Sendmail), it is important to use to the latest version to avoid security flaws in earlier releases. All versions previous to 8.2.3 have known security problems (</c><a xlink:href="http://www.oreilly.com/catalog/dns4/chapter/ch11.html#10959"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">http://www.oreilly.com/catalog/dns4/chapter/ch11.html#10959</c></a><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">).</c></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">Another response to security problems with DNS servers is </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; text-decoration:none">DNSSEC</c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">. DNSSEC is an extension to DNS that provides origin authentication of DNS data, data integrity and authenticated denial of service. However DNSSEC does </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:italic; text-decoration:none">not</c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none"> provide confidentiality of data nor does it protect against Denial of Service attacks. (</c><a xlink:href="http://www.dnssec.net/"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">http://www.dnssec.net/</c></a><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">).</c></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"></p>
<p style="Normal" props="margin-top:0.0000in; margin-left:0.0000in; text-indent:0.0000in; dom-dir:ltr; margin-bottom:0.0000in; line-height:1.5; text-align:left; margin-right:0.0000in"><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">There are several </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:italic; text-decoration:none">infrastructure services </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">that provide a general backbone of standards for the Internet including </c><c props="font-family:Times New Roman; text-decoration:none; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; font-size:12pt">Network Time Protocol </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">(</c><c props="font-family:Times New Roman; text-decoration:none; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; font-size:12pt">NTP</c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">) and </c><c props="font-family:Times New Roman; text-decoration:none; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; font-size:12pt">Simple Mail Transport Protocol </c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">(</c><c props="font-family:Times New Roman; text-decoration:none; lang:en-US; text-position:normal; font-weight:bold; font-style:normal; font-size:12pt">SMTP</c><c props="font-family:Times New Roman; font-size:12pt; lang:en-US; text-position:normal; font-weight:normal; font-style:normal; text-decoration:none">). Like DNS, these services are critical and it is vital to keep them secure. Although keeping a time server doesn't seem like a big security concern, imagine being in a bank environment where a hacker can change the current date and time of a transaction computer. It is therefor important to keep all these basic services secure to prevent against DNS spoofing, denial of service attacks and SPAM.</c></p>
<p style="Heading 1">Firewalls/DMZs</p>
<p style="Normal" props="line-height:1.5">From the outside world, the first thing a user should hit on your network, assuming that it is connected to a wan or the Internet, is a <c props="font-weight:bold">router/firewall</c>. Some network setups have separate firewalls and routers while others combine the two. A firewall's purpose is to control what information makes it into the internal network. A router's purpose is to make sure information gets to the right places.</p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5">Typically the way administrators setup firewalls is to deny all traffic, and then open up doors for known services that must be accessible from the WAN. A router can specify a <c props="font-weight:bold">DMZ</c> or <c props="font-weight:bold">Demilitarized Zone.</c> Computers within the DMZ are not firewalled. Any traffic going to their IP address will reach them unfiltered. In the case where the internal network is private and uses NAT (i.e. every address within the network starts with 192.168.x.x or 10.0.x.x), then only one computer and reside in the DMZ per real IP address given by the Internet Service Provider or ISP.</p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5">Firewalls are good, but they shouldn't be necessary. A good system administrator should have knowledge of every service running on the system! Many of the early problems with network security came from the face that many operating systems had many of their "features" turned on by default. Even if these services were secure, if an exploit was discovered, the fact that the service is running opens up a security hole. </p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5">In operating systems that have come out within the past two to three years, we see a different approach. In a default install, all the services are typically turned off. We see this in various Linux distributions and even Windows 2003 server. A well designed operating system shouldn't have any services running until an administrator turns them on. </p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5">But what if an administrator isn't very familiar with the operating system and wants to know which services are running? A simple tool to use to discover a running service is a <c props="font-weight:bold">port scanner. </c><c props="font-weight:normal">Many UNIX systems come with a port scanner called </c><c props="font-weight:bold">nmap</c><c props="font-weight:normal"> which can provide a lot of detail about programs which are bound to listening ports on a host. It is important to run a port scanner within the firewall to make sure only the services that are absolutely necessary are running and to run a port scanner outside the firewall to make sure your firewall is also doing its job.</c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5"><c props="font-weight:normal">It is important to note that tools are simply tools. They are not replacement for good security. Having a good virus scanner and spy-ware removal tool doesn't mean you should let uses run unrestricted and install any programs they want to off the web. Having a firewall doesn't mean you don't have to secure all your running services. The tools are an added layer of security for potential problems you have all ready dealt with.</c></p>
<p style="Heading 1">Secure Tunnels</p>
<p style="Normal" props="line-height:1.5"><c props="font-weight:normal">So the question arises, what if data needs to be kept confidential during transport outside of a private network? The nice thing about network protocols is that they work in layers. It's easy to take an existing protocol and encapsulate it in a secure layer which requires minimal modification to the original program.</c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5"><c props="font-weight:normal">Examples of such protocols include </c><c props="font-weight:bold">IMAPs, POPs</c><c props="font-weight:normal"> and </c><c props="font-weight:bold">https</c><c props="font-weight:normal">. These protocols take an existing protocol such as pop3 for email, and simply add an SSL/TLS layer to the existing protocol. This approach often requires a slight yet manageable modification to existing programs/protocols.</c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5"><c props="font-weight:normal">Another approach is much more transparent and makes use of </c><c props="font-weight:bold">Virtual Private Networks</c><c props="font-weight:normal"> or </c><c props="font-weight:bold">VPNs</c><c props="font-weight:normal">. With a VPN, subnets of remote private networks are connected securely across public networks by using encrypted tunnels. Typically VPNs exist at the router level and encrypt traffic destined for foreign private subnets. The client typically doesn't have to be configured for using the VPN and the establish connection will seem like a local one within the private network.</c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="line-height:1.5"><c props="font-weight:normal">There are many VPN standards. The three most common ones are </c><c props="font-weight:bold">IPsec, PPTP</c><c props="font-weight:normal"> and </c><c props="font-weight:bold">OpenVPN</c><c props="font-weight:normal">. IPsec has been along for a while, unfortunately it is somewhat complex and has many different implementations. When an IPsec connect is properly configured, it does work quite well, however configuring it can be quite a pain. PPTP is actually a variation of the </c><c props="font-weight:bold">Point to Point </c><c props="font-weight:normal">or </c><c props="font-weight:bold">PPP</c><c props="font-weight:normal"> protocol originally designed for dial-up modem access. It's designed more along a client/server paradigm, although it can be used to connect two subnets. OpenVPN is one of the newer protocols and uses the tun/tap virtual interfaces found in Linux/UNIX systems to emulate virtual Ethernet adapters to connect two private networks. </c></p>
<p style="Normal" props="line-height:1.5"></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">PPTP and IPSec can be found in default installations of Windows XP. </c><c props="font-weight:bold">Openswan</c><c props="font-weight:normal"> (</c><a xlink:href="http://www.openswan.org/">h<c props="font-weight:normal">ttp://www.openswan.org/</c></a><c props="font-weight:normal">) is an open source implementation of IPsec and there are also open source implementations of PPTP-client (</c><a xlink:href="http://pptpclient.sourceforge.net/"><c props="font-weight:normal">http://pptpclient.sourceforge.net/</c></a><c props="font-weight:normal">) for Linux.</c></p>
<p style="Heading 1">Mobile Clients</p>
<p style="Normal" props="font-family:Times New Roman; font-size:12pt; dom-dir:ltr; color:000000; text-decoration:none; text-align:left; line-height:1.5; text-position:normal; font-weight:normal; font-style:normal"><c props="font-weight:normal">So say you have your private network setup and secure and suddenly your boss comes to you and asks you to implement wireless systems for your network. A security nightmare seems immanent, however there are ways to intelligently secure a wireless network. The two primary concerts are authentication and confidentiality.</c></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">Naturally you don't want anyone to be able to connect to your wireless access point. So how do you make authenticating users manageable and secure? The simple answer is a </c><c props="font-weight:bold">captive portal</c><c props="font-weight:normal"> for your wireless network. Upon connecting to a wireless access point with a captive portal, the first website you attempt to connect to will reroute you to an https website where you will be promoted for your user name and password. Upon providing that information, the AP logs your MAC address and allows it to be routed though the company's network. Blue Socket (</c><a xlink:href="http://www.bluesocket.com/"><c props="font-weight:normal">http://www.bluesocket.com/</c></a><c props="font-weight:normal">) provides commercial captive portals and m0n0wall (</c><a xlink:href="http://www.m0n0.ch/wall/"><c props="font-weight:normal">http://www.m0n0.ch/wall/</c></a><c props="font-weight:normal">) provides an open source alternative based on FreeBSD.</c></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">Secondly, and just as important, is confidentiality on your wireless network. There are encryption layers built into the wireless protocol such as WEP, however WEP has had its own security problems. However requiring secure connections from services to hosts on the wireless subnets (i.e. requiring https, pops, etc) combined with using WEP creates a solid layer of confidentiality on a wireless network.</c></p>
<p style="Heading 1">Multimedia Security</p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">Finally we'll take a look at securing content that's broadcast from your network to the world. Most multimedia protocols on the Internet today are based on UDP. This is because the error checking in TCP really isn't necessary with live video where the goal is to get the media to the destination with as few frames dropped as possible.</c></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"></p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">To ensure good quality of service and as few dropped frames in the video as possible, there are protocols being developed such as </c><c props="font-weight:bold">Secure RSVP</c><c props="font-weight:normal">. Secure RSVP raises several security issues such as message integrity, node authentication, user authentication, non-repudiation, confidentiality, replay attacks and traffic analysis. Secure RSVP is still a work in progress and current solutions for securing RSVP are not complete in and of themselves. (</c><a xlink:href="http://cairo.cs.uiuc.edu/security/secure_rsvp.htm"><c props="font-weight:normal">http://cairo.cs.uiuc.edu/security/secure_rsvp.htm</c></a><c props="font-weight:normal">).</c></p>
<p style="Heading 1">Conclusion</p>
<p style="Normal" props="text-align:left; line-height:1.5; dom-dir:ltr"><c props="font-weight:normal">There are many hardware and software tools for helping secure a network, however these tools should never be used to replace basic knowledge of the network and systems themselves. A system administrator should secure the machines first and then use the tools as an added layer of security. Much of security for network administrators is simply keeping track of and installing the latest security updates to existing software and standards as patches are released to the public.</c></p>
</section>
</abiword>