
516795 FM.F 10/1/02 2:59 PM Page i

Network Security For Dummies


Network Security For Dummies

by Chey Cobb, CISSP

Network Security For Dummies

Published by
Wiley Publishing, Inc.
909 Third Avenue
New York, NY 10022
www.wiley.com

Copyright 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordinator@wiley.com.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2002110283
ISBN: 0-7645-1679-5

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1O/SS/RQ/QS/IN

is a trademark of Wiley Publishing, Inc.

About the Author

Chey Cobb began her career in information security while at the National Computer Security Association (now known as TruSecure/ICSA Labs). During her tenure as the NCSA award-winning Webmaster, she discovered that Web servers often created security holes in networks and became an outspoken advocate of systems security.

Later, while developing secure networks for the Air Force in Florida, her work captured the attention of the U.S. intelligence agencies. Chey moved to Virginia and began working for the National Reconnaissance Office (NRO) as the Senior Technical Security Advisor on highly classified projects. Ultimately, she went on to manage the security program at an overseas site.

Chey is now semi-retired and has moved back to her native Florida. She writes books and articles on computer security and is a frequent speaker at security conferences. Her e-mail address is chey@patriot.net.


Dedication

Dedicated to Claire Deserable Ewertz, who would have been so proud.

Author’s Acknowledgments

Many thanks to Melody, Andrea, Kevin, and all the other people who work behind the scenes and never get a pat on the back. Thanks for all your hard work to make me look so good in print! I hope we can all work together again soon.

Thanks to David Fugate, my agent, for helping me to decide to do this book. I look forward to a long relationship!

Last, but not least, thanks to my husband, Stephen, and our daughter, Erin, who make it all worthwhile — even though I can be a nasty ogre when I’m writing!

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Andrea C. Boucher
Acquisitions Editor: Melody Layne
Technical Editor: Kevin Beaver, CISSP
Editorial Manager: Carol Sheehan
Permissions Editor: Carmen Krikorian

Production
Project Coordinator: Nancee Reeves
Layout and Graphics: Amanda Carter, LeAndra Johnson, Jackie Nicholas, Jeremey Unger
Proofreader: TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant, www.the5thwave.com

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction ... 1

Part I: The Path to Network Security ... 7
Chapter 1: Starting Down the Road to Network Security ... 9
Chapter 2: Evaluating and Documenting Your Network Situation ... 39
Chapter 3: Assessing the Risks ... 53
Chapter 4: Planning and Implementing Security Policies and Procedures ... 65

Part II: Your Network Is Your Business ... 83
Chapter 5: Choosing Controls without Breaking the Bank ... 85
Chapter 6: You Could Be Liable If . . . ... 101
Chapter 7: Building a Secure Network from Scratch ... 117

Part III: The All-Important Security Mechanisms ... 127
Chapter 8: Anti-Virus Software ... 129
Chapter 9: Firewalls and Brimstone ... 141
Chapter 10: Intrusion Detection Systems ... 155
Chapter 11: Access Controls/Privileges ... 167

Part IV: Special Needs Networking ... 189
Chapter 12: When Patchwork Doesn’t Mean Quilting: Unix Systems ... 191
Chapter 13: Boarding Up Your MS Windows ... 201
Chapter 14: Is Anything Eating Your Mac? ... 221
Chapter 15: Application Software Patching ... 233
Chapter 16: Very Precious Network Security ... 251
Chapter 17: Securing Your Wireless Network ... 261
Chapter 18: E-Commerce Special Needs ... 273

Part V: Dealing with the Unthinkable ... 287
Chapter 19: Emergency! Incident Response ... 289
Chapter 20: Disaster Recovery ... 305
Chapter 21: Who Did the Dirty: Computer Forensics ... 321

Part VI: The Part of Tens ... 335
Chapter 22: Ten Best Security Practices ... 337
Chapter 23: Ten Best Security Web Sites ... 345
Chapter 24: Ten Security Tools Every Network Security Geek Should Have ... 349
Chapter 25: Ten Questions to Ask a Security Consultant ... 353

Index ... 359

Table of Contents

Introduction ... 1
About This Book ... 1
How to Use This Book ... 2
What You Don’t Need to Read ... 2
Foolish Assumptions ... 2
How This Book Is Organized ... 2
  Part I: The Path to Network Security ... 3
  Part II: Your Network Is Your Business ... 3
  Part III: The All-Important Security Mechanisms ... 3
  Part IV: Special Needs Networking ... 3
  Part V: Dealing with the Unthinkable ... 4
  Part VI: The Part of Tens ... 4
Icons Used in This Book ... 4
Where to Go from Here ... 5

Part I: The Path to Network Security ... 7

Chapter 1: Starting Down the Road to Network Security ... 9
Identifying the Important Network Security Issues ... 10
  Passwords ... 10
  Viruses, e-mail, and executable files ... 11
  Software ... 12
  Social engineering ... 13
Getting to Know Your Network ... 14
  Connections ... 14
  Workstations and servers ... 18
  Your network users ... 19
Tools and Procedures ... 20
  Paper and pencil ... 20
  Administrative accounts ... 21
  Port scanners ... 21
  Network mappers ... 22
  Vulnerability assessment ... 22
  Upper-management support ... 22
  An assessment team ... 23

Knowing Your Enemy ... 24
  Hackers ... 24
  Virus writers ... 26
  Employees — former and current ... 27
  The competition ... 28
The Basic Rules of Network Security ... 29
  Use strong passwords ... 30
  Always use anti-virus software ... 32
  Always change default configurations ... 33
  Don’t run services you don’t need ... 34
  Immediately install security updates ... 34
  Back up early and often ... 34
  Protect against surges and losses ... 35
  Know who you trust ... 36

Chapter 2: Evaluating and Documenting Your Network Situation ... 39
The Hands-On/On-Knees Network Security Survey ... 39
  The hardware checklist ... 40
  Completing the hardware checklist ... 40
  The software checklist ... 43
  Completing the software checklist ... 44
Checking the Locks and Keys ... 45
Logical Access Controls ... 47
Personnel Interviews ... 48
Assets You May Not Have Considered ... 49
The Assessment Cycle ... 49
Document What You’ve Got ... 50
  Licenses and agreements ... 50
  Employees’ personal property ... 51

Chapter 3: Assessing the Risks ... 53
Risk Assessment Basics ... 54
  Vulnerabilities Threats Risks ... 55
  How likely are the threats? ... 58
  How often can threats occur and what will it cost me? ... 60
  The Cost of countermeasures ... 62
Risk Mitigation versus Risk Avoidance ... 64

Chapter 4: Planning and Implementing Security Policies and Procedures ... 65
Deciding on the Security Policies ... 66
  Make the policy reasonable ... 66
  Make the policy enforceable ... 67
  Be consistent ... 67

Sample Policies ... 67
  Appropriate Internet usage ... 68
  Anti-virus policy ... 70
  Employee agreement ... 71
Writing the Security Policies ... 72
  Who’s in charge? ... 72
  Security by committee — really! ... 73
  Some key policies ... 74
Ready, Set, Implement ... 76
  Who does what? ... 77
  Buy-in, education, and awareness ... 77

Part II: Your Network Is Your Business ... 83

Chapter 5: Choosing Controls without Breaking the Bank ... 85
The Good, Fast, Cheap Triangle ... 86
Setting Your Requirements ... 87
The Pros and Cons of Products ... 90
  Antivirus scanners ... 90
  Packet-filtering routers ... 91
  Firewalls ... 92
  Intrusion Detection Systems ... 94
Dealing with Vendors ... 94
  Negotiations ... 95
  Bells and whistles ... 96
Who’s Going to Do the Work? ... 96
Outsourcing and Consultants ... 98
  Questions to ask ... 98
  Some advice ... 99

Chapter 6: You Could Be Liable If . . . ... 101
U.S. Computer Laws ... 102
  Fraud and abuse ... 102
  Intellectual property ... 104
  Privacy laws ... 105
State and Foreign Laws ... 107
  States ... 108
  Overseas laws and safe harbor ... 113
Privacy and Monitoring ... 114
Sticky Wickets — Ethics ... 115
  Case one ... 115
  Case two ... 115
  Case three ... 115
  Case four ... 115
Contacting the Authorities ... 116

Chapter 7: Building a Secure Network from Scratch ... 117
Getting Layered ... 117
Securing Your Network Components ... 118
  Routers, switches, and hubs ... 118
  DNS ... 119
  E-mail ... 119
  Web ... 120
  Databases ... 120
  Remote access to internal network ... 121
  Application and file servers ... 121
Setting Levels of Trust ... 121

Part III: The All-Important Security Mechanisms ... 127

Chapter 8: Anti-Virus Software ... 129
Understanding Anti-Virus Software ... 129
  AV scanner basics ... 130
  The engine and the database ... 131
  A typical scan ... 131
  Do AV programs really work? ... 132
Content Filtering ... 133
  Filtering software ... 134
  Filtering in e-mail programs ... 135
Anti-Virus Do’s and Don’ts ... 136
Virus Myths ... 138
Emergency! What to Do ... 139

Chapter 9: Firewalls and Brimstone ... 141
How a Firewall Works ... 142
  Packet filtering ... 143
  Stateful inspection ... 145
  Application proxying ... 145
  Filtering the rules ... 146
  The downside of firewalls ... 147
Personal Firewalls ... 147
Not-Your-Kitchen Appliance Firewall ... 149
Big Boys’ Firewalls ... 150
Firewall Management Services ... 151
Choosing the Size of Your Chain Link Fence ... 151
Auditing the Logs ... 152
Responding to Danger ... 154

Chapter 10: Intrusion Detection Systems ... 155
It’s All in the Analysis ... 156
  Pattern matching ... 156
  Anomaly detection ... 156
  Events are happening ... 157

Network-Based IDS ... 158
Host-Based IDS ... 159
The IDS Monitor ... 161
Defeating an IDS ... 162
Where to Place the IDS ... 163
  Scenario one ... 163
  Scenario two ... 164
  Scenario three ... 165
  Scenario four ... 165

Chapter 11: Access Controls/Privileges ... 167
Permissions and Levels of Access ... 168
  Types of permissions ... 169
  Unix permissions ... 170
  Windows permissions ... 172
  Mac permissions ... 174
Identity and Authentication ... 175
  Something you know ... 176
  Something you have ... 177
  Something you are ... 183
Gates and Fences ... 185
  Routers ... 185
  Firewalls ... 186
  VLANs ... 186

Part IV: Special Needs Networking ... 189

Chapter 12: When Patchwork Doesn’t Mean Quilting: Unix Systems ... 191
Finding Out about Patches and Where You Put Them ... 192
Making Sure You Get the Patches You Need ... 193
Holes That Need Fixing in the Unix Operating Systems ... 194
Plugging Holes in the Many UNIX Flavors ... 194
  Starting your security efforts at the root ... 195
  Deciding which services to turn off ... 197
  Patching other UNIX holes ... 200

Chapter 13: Boarding Up Your MS Windows ... 201
Windows Security ... 201
  Patches, hotfixes, and service packs ... 203
  Microsoft Network Security Hotfix Checker ... 205
  Microsoft Baseline Security Analyzer (MBSA) ... 205
Hardening the Installation ... 206
  System changes ... 207
  Registry changes ... 211
Preventing Denial of Service (DoS) Attacks ... 216

Chapter 14: Is Anything Eating Your Mac? ... 221
Mac Insecurity ... 222
  Logons and passwords ... 222
  Dual booting ... 223
  The root account ... 224
  The inetd.conf file ... 225
  Groups ... 226
  NetInfo ... 227
  Security patches ... 227
Better Security ... 228
  Use t
