Hints for Exercises: Chapter 13

  1. Find out the security policy for your local network. If there is none, formulate one.

    Most policies appear to be "allow anybody to do anything", but this cannot be recommended. Also common is "all Web access is to go through the Web Proxy", and similar for email. But policies can be more complicated, such as "staff are allowed direct Web access, but students must go via a proxy".

    Implementation of the policy is a quite different question.

  2. Find out from your Systems Administrator how many attacks per day your network is getting and what defences they have against them.

    It is common to get many thousands of vulnerability probes per day, but directed active attacks happen less often, unless you are highly visible or popular or you have annoyed someone. More likely a machine is subverted by an email worm or something downloaded from the Web.

    Defences start with firewalls, but should move upwards from there. For example, regular scanning of hosts for unauthorised modifications of files; virus scans of incoming and outgoing email; virus scans of files; timely security upgrade of software systems; checking user passwords are unbreakable; regular service reviews to ensure you are not running unneeded software; reviews of firewall logs; and so on.

  3. Make a list of worms and viruses that are current on the Internet. Ensure your machine is safe against them by upgrading your virus protection and ensuring your firewall is secure. Instigate a regular date in your diary to repeat this exercise.

    Sites like US-CERT provide a lot of useful information, while Viruslist.com and the like keep lists of viruses.

  4. The next time you buy something over the Internet check the authentication of the Web server. Is their certificate what you should expect?

    There will (or should be) a little closed padlock that you can click on to get the certificate. Check the name on the certificate is the same as the website you are visiting. If not, there is something very wrong.

    Also check the expiry date and other information on the certificate to make sure everything is OK.

  5. Read up on social engineering attacks. "The Art of Deception: Controlling the Human Element of Security" by Kevin Mitnick is a useful place to start.

    Social engineering is an ancient art only recently given this modern name. There are very many instances of confidence tricks in real life that could conceivably transfer to the online world.

  6. Get a newly installed machine and put it unprotected onto the Internet. Time how long it takes to it to be attacked and taken over. Repeat for various operating systems.

    This has been reported to be as little as a few minutes for some operating systems. Others OSs reputedly resist for many months without security updates.

  7. Set up a secure VPN between a pair of networks (e.g., home and work). Write notes on the procedure involved and the quality of the connection obtained.

    VPNs come in many flavours: the Microsoft system is relatively easy to install and configure, but has some security issues. IPSec appears to be secure, but is notoriously tricky to configure.

    Some others, like CIPE are suspect, but OpenVPN is worth looking at.

  8. Read up on algorithms and protocols for secrecy and authentication in Bruce Schneier's book "Applied Cryptography".

    Many other books are equally good, but Schneier has a particularly good and clear style.

  9. Read up on why PPTP is considered insecure. Discuss how L2TP differs.

    See Schneier and Mudge, Cryptoanalysis of Microsoft's Point-to-Point Tunneling Protocol and Schneier, Mudge and Wagner Cryptoanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2).

  10. Investigate why SSLv2 is not advised.

  11. Find the various versions of SSL and TLS that your Web browser supports. Also find the list of certification authorities it contains.

    Usually supported are SSLv2, SSLv3 and TLSv1. It is recommended to disable the use of SSLv2 if you can.

    A typical browser contains dozens of authority certificates. A few include

    Equifax
    GTE Corporation
    GlobalSign
    RSA Data Security, Inc
    Thawte
    VISA
    VeriSign
    
    to pick a few of the more well-known names.
  12. Investigate how to program the SSL/TLS layer.

    A big task, but there is plenty of help on the Web, and the O'Reilly book "Network Security with OpenSSL" is a good primer. Also see the GNU TLS documentation.

    There is some initial playing with certificates, but at base it is as simple as opening a socket, creating an SSL/TLS session on the socket (this is where certificates are required), and then using it to read and write data.

Previous Index

Creative Commons License This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.