IP Traffic

There are two kinds of Internet Protocol traffic: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). When a TCP connection is established, data can be sent bidirectionally. This connection is highly reliable and features error-checking but adds some bulk to the transmission.

UDP is a much simpler, connectionless protocol where multiple messages are sent as packets in data chunks, without waiting to verify they’re received. UDP is great for servers dealing with queries from a large volume of clients or for games where speed is critical. There is no error-checking function with UDP, so there is no real guarantee that transmitted packets will actually arrive at their destinations. Instead, with UDP, data is sent as “best effort.”

As we have seen, data can be transmitted in a variety of ways using a variety of technologies. At some level, each technology may include some basic security concepts, but the protocols of the Internet Protocol suite (or TCP/IP) are where most security efforts are focused.

What we are most concerned with is simply host-to-host communication. To facilitate this type of communication, we can use many different protocols depending on what needs to be communicated. For example, which application layer protocol should be used depends on exactly what type of information is being communicated. Email is communicated using the Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP) is the main web protocol.

As the TCP protocol accepts data, it divides it into chunks and adds a TCP header to each chunk creating a TCP segment, as illustrated in Figure 19.2. That segment is then encapsulated by the Internet Protocol (IP) into a datagram known most commonly as a TCP packet. The TCP header contains 10 required fields and an optional extension field. Together these fields provide the information needed to ensure proper and reliable delivery of the data that follows the header.

Unicasts, Broadcasts, and Multicasts

Unicast messaging is the sending of messages to a single network address. Broadcast messaging refers to sending messages to all possible destinations. Multicast messaging sends messages using special address assignments to a specific group of addresses. The differences between unicast, broadcast, and multicast are illustrated in Figure 19.3.

With multicasting, the source only has to send packets once regardless of how many addresses will be receiving it. Network nodes then replicate the packet as needed to reach multiple addresses. Multicast is used for multimedia and content delivery networks. Often UDP is used in multicasts so providers must add error-detection and retransmission schemes to make multicast reliable.

Ports

In addition to the network address, many protocols may also specify a port or a port number. A protocol or application may respond to specific ports in different ways. For example, a web server typically responds to HTTP requests over port 80 but responds to HTTPS requests on port 443.

Ports are seemingly arbitrary conventions, and a large range of port numbers are not generally associated with any particular service so they can be used for a particular application. If a port number is added to a host name or IP address in a web browser, for example, you can create a way to access a particular application or service or even just regular web content.

A port number is a 16-bit number. The first 1,024 port numbers are reserved by convention to identify specific services. Both TCP and UDP protocols use ports. A few common ports and their descriptions are given in Table 19.1.

Port numbers from 1024 to 49151 are registered ports assigned by the Internet Assigned Numbers Authority (IANA). For example, Microsoft SQL Server uses ports 1433 and 1434. Microsoft Windows Internet Name Service (WINS) uses port 1512, etc. Private ports are those from 49152 through 65535.

Understanding ports is critical in managing network security. The easiest way to minimize unwanted scans or restrict access is by monitoring specific ports and port blocking. For example, if you are operating a server that is only a web server, you can restrict outside network access so it can only occur through port 80 and maybe port 443. This way, if someone from outside the network tries to access port 22 or 23 attempting to break in, that request will be blocked.

Routing

Routing is simply the process of selecting the best pathway for transmitting data over a network or between networks, as illustrated in Figure 19.4. A router is a complex device that will route data between networks; a router can be hardware, software, or a combination. Routers mostly deal with IP addresses, which can be used as another way of restricting access. Much of the time a human does not know the IP address of the server they want to access, but instead will know the host name and the domain name.

Domains

Domains are unique realms assigned by an agent, known as a registrar, which has been authorized by the Internet Corporation for Assigned Names and Numbers (ICANN). Some of larger registrars include Network Solutions, GoDaddy, and eNom.

Domains are registered for a renewable period of time, and a root authority can be queried so you can learn the name servers in charge of routing that domain. These name servers will respond to queries with the IP associated with various protocols, and you can learn most of the protocols associated with a domain with a specific type of query.

A top-level domain (TLD) is essentially the domain extension, as shown in Figure 19.5. TLDs are established for countries (for example, US), descriptive groups (.people, .rocks, .attorney, and so on), and generic TLDs (such as .com, .net, .edu, and .gov). Each TLD might have different requirements and could even require that you use a specific registrar to register a domain. The .edu domains and some country-code domains often have specific requirements before you can register a domain in that TLD, such as being an actual learning institution or be located in that country. However, most domains are readily available to anyone and can be quickly and inexpensively registered for a period of one or more years through a registrar.

Security Organizations and Standards

A number of organizations are involved in maintaining network vulnerability resources not dissimilar from virus and malware resources. A variety of commercial entities have grown to serve this vital need, but there are also many public resources and standards available about which you should be aware:

• Security Content Automation Protocol (SCAP) is a method of using various open standards for evaluating vulnerabilities and measuring the potential impact of these vulnerabilities. You can learn more at scap.nist.gov.
• Common Vulnerabilities and Exposures (CVE) is a system for referencing publicly known vulnerabilities. Maintained by MITRE Corporation but backed by the U.S. Department of Homeland Security, CVE is used by SCAP. CVE can be explored in more detail at cve.mitre.org.
• Common Vulnerability Scoring System (CVSS) is a system for scoring vulnerabilities from CVE, making it easier to understand your risks. CVSS can be explored in more detail at www.first.org/cvss.
• Common Platform Enumeration (CPE) is a standardized method of describing and identifying operating system, hardware devices, and application classes on the network. CPE can be explored in more detail at scap.nist.gov/specifications/cpe/.
• Open Vulnerability and Assessment Language (OVAL) is a security community standard for communicating security information such as configuration, vulnerabilities, patch levels, etc. OVAL is essentially a group of XML schemas that describe a language to provide the details needed to assess a network resource for security vulnerabilities. You can learn more about OVAL at oval.mitre.org.

While the Open Checklist Interactive Language (OCIL) has uses beyond security, it provides a conceptual framework for representing nonautomated questions for security checks and is now part of SCAP.

Accessing the Security Settings in Internet Explorer

1. Power on your computer.
2. Log on using your administrative account.
3. In the Search field embedded in your taskbar, type Internet Explorer, as shown in Figure 19.7.

   

4. Left-click on Internet Explorer to open the browser.
5. In the top-right corner is a small gear icon; click it to open a small options list.
6. Highlight Internet Options, and click to launch the Internet Options window, as shown in Figure 19.8.

   

The General tab allows you to change the settings affecting items such as the Home page, browsing history, search defaults, tab displays, and the appearance of various displayed web pages. Browsing History includes cookies, cached web pages, and the history of websites you have visited, provided the Delete Browsing History On Exit box is unchecked. Keep in mind that the tabs related to Internet Security options are labeled General, Security, and Privacy.

Examining Browsing History Options

1. Under the General tab, click on the Settings button located in the Browsing History section to launch the Website Data Settings window.
2. Examine the Temporary Internet Files, History, and Caches And Databases tabs, as shown in Figure 19.9.

This window includes the settings that control how often the system checks for newer versions of visited websites and the location of accumulated web page files. Saving these items helps to load previously visited web pages faster. There is also a setting that controls how much disk space is allocated for saving this information, which can be adjusted for systems where disk space is limited. Notice that you can also change the location of the folder used to store files or to view the files currently contained in it.

3. Click Cancel to close this window. Select Delete, which is also located in the Browsing History section. Figure 19.10 shows the Delete Browsing History window.

This section does far more than just delete your browsing history. In this window, the options for deleting Internet-related content include: Temporary Internet files, Cookies, Download History, and Passwords. Note that some of the content categories are selected by default. All of this information can be useful to an intruder who is attempting to collect data on a user. For instance, if a malicious user were able to access the Internet Explorer information on your stored Form Data or Passwords, the process of stealing your identity to access resources on the network could begin.

4. Read and understand what each option provides, and then record a short description of each in Table 19.2.

   Option	Function

5. Click Cancel to exit this window without deleting any Browsing History options.

Comparing Security Zones

1. Select the Security tab. Figure 19.11 shows the options under the Security tab of the Internet Options window.

This window allows you to assign websites to various security zones.

• The Internet zone contains all the websites not assigned to another zone.
• The Local Intranet zone contains all the websites related to a local network (such as internal web pages).
• The Trusted Sites zone will contain all the websites that a user has deemed safe and unlikely to damage the system.
• The Restricted Sites zone will identify websites already known to contain potentially dangerous content.

With the exception of the zone reserved for the Internet, you can include the sites you choose with the Sites button.

2. With the Internet zone selected, under the Security tab, move the Security Level slider to the Medium setting. Examine the description provided for the Internet zone, the adjusted levels, and the description provided for each level. Record this information in Table 19.3.

   Zone	Description	Level	Details
   Internet
   Local Intranet
   Trusted Sites
   Restricted Sites

3. Select the Local Intranet zone and adjust the Security Level slider to the Low setting. If a Custom Level is already in place, click the Default Level button to restore the slider. Examine the description provided for the Local Intranet zone, the adjusted levels, and the description provided for each level. Record this information in the designated spaces of Table 19.3.
4. Select the Trusted Sites zone and adjust the Security Level slider to the Medium-Low setting. Examine the description provided for the Trusted Sites zone, the adjusted levels, and the descriptions provided for each level. Record this information in the designated spaces of Table 19.3.
5. Finally, select the Restricted Sites zone and try to adjust the slider to a lower setting.

Were you able to adjust it?

6. Examine the description provided for the Restricted Sites zone, the adjusted level, and the description provided for the level. Record this information in the designated spaces of Table 19.3.

Keep in mind that adding sites to the Restricted Sites zone does not block them. However, it prevents them from running programs or any active content. Protected mode can be enabled for both the Internet and Restricted Sites zones, although dong so requires restarting the browser.

If you choose to Enable Protected Mode, it will become more difficult for malicious software to be installed on your computer. Internet Explorer will warn you in the event that a malicious program attempts to install or run itself outside of protected mode.

7. Click the Reset All Zones To Default Level button to restore the security levels to their original settings.
8. Click Cancel to leave the Internet Options window.

Applying Security Zones to Sites

The security zones are a quick and efficient way to broadly define how your browser reacts to various sites, add-ons, programs, and downloads. You have the opportunity, however, to be specific in your choices. You will now test this by adding a website to the Restricted Sites zone, and viewing the results.

1. You should be located at the Home page of your Internet Explorer browser. Navigate to www.msn.com.
2. Notice the page, pictures, videos, advertisements, and anything else that catches your eye.
3. Return to the Internet Options page by selecting the gear icon in the upper-right corner, and then select Internet Options.
4. Select the Security tab to return to the Security Zones page. Select Restricted Sites.
5. Beneath the Restricted Sites logo is a button labeled Sites. Click Sites.

You are now located at the Restricted Sites, Add Website window shown in Figure 19.12.

6. You can enter any website address you choose, or simply use the Add button to add the current website. Click Add.
7. The website is moved below and is now on the Restricted Sites zone. Click Close, and then click Cancel to exit the Internet Options window.

The same approach can be used to add sites to any of the other types of zones as well.

8. Notice the current website, msn.com, has not changed. Click the Refresh button located to the right of the URL or press the F5 button.

Does the site look different?

Figure 19.13 illustrates what msn.com looks like as a restricted site.

9. Click the gear icon in the upper-right corner of the browser window and select Internet Options to return to the Internet Options window.
10. Select the Security tab and then select Restricted Sites. Click the Sites button.
11. Now you can remove msn.com from the Restricted Sites zone. Select msn.com and then click Remove. Click Close.
12. Back at the Internet Options Security tab, click Custom Level to explore the specific options you can choose from within a security zone.

These settings control how Internet Explorer handles various objects associated with web pages, such as ActiveX controls and Java Scripting. Keep in mind that web pages can contain malicious objects designed to damage your system. Restricting how these objects interact with your system can help prevent viruses, Trojans, or malicious scripts from being downloaded to your system without your knowledge.

13. Explore the options available, but don’t change any. Figure 19.14 shows the Security Settings – Restricted Sites Zone window.

    

14. Click Cancel to exit the Security Settings – Restricted Sites Zone window. Click Cancel again to exit the Internet Options window.
15. Refresh the web page by click the Refresh button to the right of the URL.

Is the msn.com website back to normal?

Applying Privacy Controls

Privacy controls for Internet Explorer can help you manage how websites monitor your online activities. You have the opportunity to block all monitoring; however, your online resources will become limited. Beyond malicious software, marketing firms and online shopping outlets use monitoring to make your experience easier and faster.

1. Return to the Internet Options window by clicking the gear icon in the upper-right corner and selecting Internet Options.
2. Select the Privacy tab to reveal the window shown in Figure 19.15.

An attacker only needs to employ a packet sniffing utility to monitor the network traffic and capture a cookie in order to gain access to your credentials (username, password, network address, and so on). With this information in hand, the attacker has the ability to imitate you when they access other sites.

The attacker can also use a technique called cross-site scripting to cause the returning cookie to be redirected to a third-party server operated by the attacker. The attacker can then use the stolen cookie to spoof the original site posing as the original user. The redirection is typically accomplished by simply hiding the script on the site and using social engineering techniques to trick you into clicking on the code. When you do, your cookie is transmitted to the third-party location specified by the attacker.

3. Click on the Security tab and you will notice a scroll bar on the lower left. The level on this has varying degrees of blocking and denying cookies. Scroll through each, evaluating the information on each. Return it to the Medium setting when you’re done.
4. Click on the Privacy tab again and you will see that again you have the ability to select sites to either allow or deny. If you select the Sites button, you will be redirected to another window where you must specify a website. Back on the Privacy Internet Options window, there is an Advanced button. Click on the Advanced button to specify whether you want to allow cookies from them or deny cookies from them.
5. By default, Internet Explorer is set to accept all cookies, in order to permit frequently visited web pages to remember your last visit.
6. For both First-party Cookies and Third-party Cookies, select the Prompt radio button.

Selecting Block will prevent all websites from placing cookies on the machine. However, this may cause problems with websites that require enabled cookies for proper functioning. Selecting Prompt will cause Internet Explorer to ask permission before allowing any cookie to be placed on the system.

Recall that session cookies are cleared when the browser is closed, whereas persistent cookies will remain on the computer until the specified expiration date is reached. You have the option of Always Allow Session Cookies.

7. Click OK to save the changes to cookies. Click OK once more to exit the Internet Options window.
8. Refresh msn.com by selecting the Refresh icon to the right of the URL.

Were you prompted to allow or block a cookie?

Were any cookies from a source that was not msn.com?

Allow or block the cookies at your discretion.

Recognize that even this one site uses multiple cookies. They can be hard to manage, keep track of, and a nuisance if prompted continuously. For this reason, they are allowed. Attackers know this, and that makes cookies a great target for collecting information.

9. Click the gear icon in the upper-right corner of your web browser. Select Internet Options.
10. Return to the Privacy tab. Click the Default button to reset the cookie settings to their default setting.
11. Under Location, click the check box next to Never Allow Websites To Request Your Physical Location.

Websites will often request this information to keep track of your physical location, in order to provide customized results for local services or searches. Unfortunately, they are provided your IP address or MAC address, along with your signal strength if you are on a mobile device.

12. Select Clear Sites to remove any cookies that already contain this information. The option will now be grayed out.
13. By default, the Turn On Pop-up Blocker option is enabled. Click Settings to view more information about options, as shown in Figure 19.16.

    

14. Review the settings and then click Close to exit the window.

The last check box is to Disable toolbars and extensions when InPrivate Browsing starts. InPrivate Browsing prevents Internet Explorer from leaving a trail for others to see. This means items such as cookies, temporary Internet files, and history will not be saved. Leaving this check box marked eliminates possible vulnerabilities that toolbars and extensions bring with them.

Exploring Security Settings

1. Select the Advanced tab within the Internet Options window.
2. Scroll down the Settings options until you reach the Security directory. Review the options in this list.

This list requires a more advanced knowledge of how the Internet works as a network. As you work through this book and continue learning about networks, return to these Advanced Security Settings and review the capabilities of each setting.

3. Click OK to save the default cookie settings.
4. Click the gear icon located in the upper-right corner of your browser window and hover the cursor over Safety.

This area of options gives you a common, quick-access list to enable or disable certain features.

5. In Table 19.4, list the available options.

   Options

6. Close Internet Explorer.