CompTIA Network+ Certification Study Guide, part 45

CHAPTER 9: Security Standards and Services 426
Technologies and methodologies exist that can help safeguard against spoofing. These include the following:
- Using firewalls to guard against unauthorized transmissions, for example by dropping packets that arrive on the outside interface carrying an internal source address
- Not relying on security through obscurity, the expectation that using undocumented protocols will protect you
- Using cryptographic algorithms to provide differing levels of authentication, so that a peer proves its identity rather than merely claiming an address
Subtle attacks are far more effective than obvious ones. Spoofing has an
advantage in this respect over a straight vulnerability exploit. The concept
of spoofing includes pretending to be a trusted source, thereby increasing
the chances that the attack will go unnoticed.
If the attacks use just occasional induced failures as part of their sub-
tlety, users will often chalk it up to normal problems that occur all the time.
By careful application of this technique over time, users’ behavior can often
be manipulated.
Exercise 9.4 ARP Spoofing
Address Resolution Protocol (ARP) spoofing can be quickly and easily done with a variety of tools, most of which are designed to work on UNIX OSs. One of the best all-around suites is a package called dsniff. It contains an ARP spoofing utility and a number of other sniffing tools that can be beneficial when spoofing.
To make the most of dsniff, you'll need a Layer 2 switch into which all of your lab machines are plugged. It is also helpful to have various other machines doing routine activities such as Web surfing, checking POP mail, or using Instant Messenger software. Run this only on a lab network you own; poisoning ARP on a production LAN disrupts traffic for every host on it.
1. To run dsniff for this exercise, you will need a UNIX-based machine. To download the package and to check compatibility, visit the dsniff Web site at www.monkey.org/~dugsong/dsniff.
Test Day Tip
Knowledge of TCP/IP is really helpful when dealing with spoofing and sequence attacks. Having a good grasp of the fundamentals of TCP/IP will make the attacks seem less abstract. Additionally, knowing not only what these attacks are but also how they work will better prepare you to answer test questions.
Network Ports, Services, and Threats 427
2. After you've downloaded and installed the software, you will see a utility called arpspoof. This is the tool that we'll be using to impersonate the gateway host. The gateway is the host that routes the traffic to other networks.
3. You'll also need to make sure that IP forwarding is turned on in your kernel, so that the traffic you intercept is still passed on to the real gateway; without it the victims simply lose connectivity and the attack is noticed immediately. If you're using *BSD UNIX, you can enable this with the sysctl command (sysctl -w net.inet.ip.forwarding=1); on Linux the equivalent is sysctl -w net.ipv4.ip_forward=1. After this has been done, you should be ready to spoof the gateway.
4. arpspoof is a really flexible tool. It will allow you to poison the ARP caches of the entire LAN or target a single host (with the -t option). Poisoning is the act of tricking the other computers into thinking that you are another host. The usage is as follows:
home# arpspoof -i fxp0 10.10.0.1
This will start the attack using interface fxp0. arpspoof repeatedly sends forged ARP replies telling every host on the LAN that 10.10.0.1 is at your MAC address, so packets bound for 10.10.0.1 are delivered to you instead. The output will show you each forged reply as it is sent.
5. Congratulations, you've just become your gateway.
You can leave the arpspoof process running, and experiment in another window with some of the various sniffing tools which dsniff offers. dsniff itself is a jack-of-all-trades password grabber. It will fetch passwords for Telnet, FTP, HTTP, Instant Messaging (IM), Oracle, and almost any other password that is transmitted in the clear. Another tool, mailsnarf, will grab any and all e-mail messages it sees and store them in a standard Berkeley mbox file for later viewing. Finally, one of the more visually impressive tools is webspy. This tool will grab URL strings sniffed from a specified host and display them on your local terminal, giving the appearance of surfing along with the victim.
You should now have a good idea of the kind of damage an attacker can do with ARP spoofing and the right tools. This should also make clear the importance of using encryption to handle data: SSH, TLS, or IPsec keeps the intercepted traffic unreadable even though it now passes through the attacker's machine. In addition, any misconceptions about the security or sniffing protection provided by switched networks should now be alleviated thanks to the magic of ARP spoofing! A switch only stops a passive sniffer from seeing unicast traffic for other ports; it does nothing to authenticate the ARP replies that decide which station a given IP address maps to.
Man-in-the-Middle Attacks
As you have probably already begun to realize, the TCP/IP protocols were not
designed with security in mind and contain a number of fundamental flaws
that simply cannot be fixed due to the nature of the protocols. One issue that
has resulted from IPv4’s lack of security is the MITM attack. To fully under-
stand how a MITM attack works, let’s quickly review how TCP/IP works.
TCP/IP was formally introduced in 1974 by Vinton Cerf and Robert Kahn. The original purpose of TCP/IP was not to provide security. Rather, it was to provide high-speed, reliable communication links between networks.
A TCP/IP connection is formed with a three-way handshake. As seen in Figure 9.9, a host (Host A) that wants to send data to another host (Host B) will initiate communications by sending a SYN packet. The SYN packet contains, among other things, the source and destination IP address, the source and destination port numbers, and Host A's initial sequence number (ISN). Host B will respond with a SYN/ACK, which acknowledges Host A's sequence number and carries Host B's own ISN. Host A then acknowledges Host B's SYN with an ACK, and the connection is established. Every segment exchanged from then on must carry sequence and acknowledgment numbers that fall within the window the other side expects, which is why these numbers matter so much in the attacks that follow.
If a malicious individual can place himself between Host A and Host B, for example by compromising an upstream router belonging to the ISP of one of the hosts, he can then monitor the packets moving between the two hosts. It is then possible for the malicious individual to analyze and change packets coming and going to the host. It is quite easy for a malicious person to perform this type of attack on Telnet sessions, because Telnet carries both credentials and data in the clear. An attacker who is not actually in the path (an off-path or "blind" attacker) has a harder job: he must predict the right TCP sequence number and properly modify the data for his injected segments to be accepted, all before the session times out waiting for the response. Doing this manually is hard to pull off; however, tools designed to watch for and modify specific data have been written and work very well.
There are a few ways in which you can reduce the risk of MITM attacks. Using a TCP/IP implementation that generates initial sequence numbers that are as close to truly random as possible defeats the blind variant, because the attacker can no longer guess the numbers. Against an attacker who really is in the path, only cryptographic protection of the session helps: SSH, TLS, or IPsec authenticates the peer and detects any modified data, so the attacker can at most drop the traffic.
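The sequence-number prediction that the blind attack depends on, as an added example that is not from the original study guide: a hypothetical fixed-step ISN generator stands in for the older stacks the text mentions, beside an RFC 6528 style keyed-hash generator. The attacker opens two probe connections of his own, extrapolates, and checks whether the victim's next ISN matches. The addresses, the 64000 step and the fixed secret are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed 4-tuples for the demo (assumption). The victim connects to a
# Telnet server; the attacker can open his own connections to the same server.
SERVER = ("10.10.0.1", 23)
VICTIM = ("10.10.0.5", 40001)
ATTACKER = "10.10.0.99"


class SequentialISN:
    """Hypothetical legacy generator (assumption, modelled on early BSD-style
    behaviour): the ISN advances by a fixed step for every new connection,
    regardless of who is connecting."""

    def __init__(self, start=0, step=64000):
        self.counter = start
        self.step = step

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        self.counter = (self.counter + self.step) & 0xFFFFFFFF
        return self.counter


class HashedISN:
    """RFC 6528 style generator: ISN = M + F(4-tuple, secret), where M is a
    clock ticking every 4 microseconds and F is a keyed hash. ISNs seen on
    the attacker's own connections say nothing about the victim's."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = 0  # advanced explicitly by the demo instead of reading the time

    def tick(self, microseconds):
        self.clock = (self.clock + microseconds // 4) & 0xFFFFFFFF

    def isn(self, src_ip, src_port, dst_ip, dst_port):
        four_tuple = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
        f = hmac.new(self.secret, four_tuple, hashlib.sha256).digest()
        return (self.clock + int.from_bytes(f[:4], "big")) & 0xFFFFFFFF


def probe_and_predict(gen):
    """Off-path attacker: open two probe connections, take the difference
    between the ISNs the server hands out, and extrapolate the ISN the
    victim's next connection will receive. Returns (guess, actual)."""
    first = gen.isn(ATTACKER, 50000, *SERVER)
    second = gen.isn(ATTACKER, 50001, *SERVER)
    guess = (second + (second - first)) & 0xFFFFFFFF
    actual = gen.isn(*VICTIM, *SERVER)
    return guess, actual


if __name__ == "__main__":
    for name, gen in (("sequential", SequentialISN()), ("hashed", HashedISN())):
        guess, actual = probe_and_predict(gen)
        # A forged ACK or injected segment is only accepted when guess == actual.
        print(f"{name}: guessed {guess:#010x}, actual {actual:#010x}, "
              f"injection {'works' if guess == actual else 'fails'}")
```

The hashed generator is what modern stacks do; the point of the demo is that randomness of the ISN only protects against an attacker who cannot see the handshake. Anyone already in the path reads the real numbers off the wire, and only SSH, TLS, or IPsec stops him.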
Replay Attacks
In a replay attack, a malicious person captures an amount of sensitive traffic and then simply replays it back to the host in an attempt to replicate the transaction. For example, consider an electronic money transfer. User A transfers a sum of money to Bank B. Malicious User C captures User A's network traffic and then replays the transaction in an attempt to cause the transaction to be repeated multiple times. This brings User C no direct benefit, but it could result in User A losing money. Replaying raw TCP traffic is made harder by multiple factors, such as the difficulty of predicting TCP sequence numbers, because the replayed segments must fit the sequence space of a new connection. However, it has been shown that the formula for generating TCP sequence numbers, especially in older OSs, isn't truly random or even difficult to predict, which makes this attack possible.
FIGURE 9.9 A Standard TCP/IP Handshake. Host A sends SYN to Host B; Host B replies with SYN/ACK; Host A completes the handshake with ACK.

Another potential scenario for a replay attack is this: an attacker replays the captured data with all potential sequence numbers, in hopes of getting lucky and hitting the right one, thus causing the user's connection to drop, or in some cases, inserting arbitrary data into a session.
As with MITM attacks, the use of random TCP sequence numbers and encryption such as SSH or IPsec can help defend against this problem; note that it is the per-packet sequence numbers inside the encrypted protocol, covered by its integrity check, that do the work there, not the TCP sequence numbers. The use of time stamps also helps defend against replay attacks: a receiver that rejects any message whose time stamp falls outside a short window, and that remembers the identifiers of the messages it has already processed within that window, cannot be made to act on the same message twice.
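The time-stamp defense described above, worked through as an added example that is not code from the study guide: a transfer message carries a time stamp, a random nonce, and an HMAC over both, and the receiving bank rejects anything stale, already seen, or altered. The shared key, the 30-second window, and the transfer format are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo values (assumption). In practice the key is provisioned
# out of band between User A and Bank B.
SHARED_KEY = b"demo-key-shared-by-user-a-and-bank-b"
MAX_SKEW = 30  # seconds: a message older than this is stale even if never seen


def sign_transfer(key, transfer, now):
    """User A attaches a time stamp and a fresh random nonce to the transfer,
    then a MAC over everything, so nothing can be altered or reused."""
    msg = dict(transfer, ts=int(now), nonce=os.urandom(16).hex())
    body = json.dumps(msg, sort_keys=True).encode()
    msg["mac"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


class Bank:
    def __init__(self, key):
        self.key = key
        self.seen = {}      # nonce -> ts of messages accepted within the window
        self.ledger = []    # transfers actually executed

    def _prune(self, now):
        # Nonces older than the window can be forgotten: the time-stamp check
        # already rejects them, so the table stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}

    def accept(self, msg, now):
        """Returns a verdict string; only 'accepted' changes the ledger."""
        now = int(now)
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "rejected: bad MAC"              # altered or unauthenticated
        if abs(now - body["ts"]) > MAX_SKEW:
            return "rejected: stale timestamp"      # replayed long after capture
        self._prune(now)
        if body["nonce"] in self.seen:
            return "rejected: replay"               # replayed within the window
        self.seen[body["nonce"]] = body["ts"]
        self.ledger.append((body["from"], body["to"], body["amount"]))
        return "accepted"


def demo():
    """User C captures A's transfer and tries to reuse it three ways."""
    bank = Bank(SHARED_KEY)
    t0 = 1_700_000_000
    msg = sign_transfer(SHARED_KEY, {"from": "A", "to": "B", "amount": 500}, t0)
    verdicts = [
        bank.accept(msg, t0 + 1),                     # genuine delivery
        bank.accept(msg, t0 + 2),                     # immediate replay
        bank.accept(msg, t0 + 3600),                  # replay an hour later
        bank.accept(dict(msg, amount=5000), t0 + 4),  # tampered amount
    ]
    return verdicts, len(bank.ledger)
```

The MAC is checked first so that an attacker cannot feed the bank unauthenticated garbage to fill the nonce table, and the time stamp is checked before the nonce so that the table only ever has to remember one window's worth of messages.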
DoS
Even with the most comprehensive filtering in place, all firewalls are still vulnerable to DoS attacks. These attacks attempt to render a network inaccessible by flooding a device such as a firewall with packets to the point that it can no longer accept valid packets. This works by overloading the processor of the firewall by forcing it to attempt to process a number of packets far past its limitations. By performing a DoS attack directly against a firewall, an attacker may be able to get the firewall to overload its buffers and start letting all traffic through without filtering it (a fail-open design), or it may cause the firewall to shut down altogether, causing a disruption in normal network functions. If a technician is alerted to an attack of this type, one way to fend off the attack is to block the specific IP address that the attack is coming from at the router. Be aware that flood packets usually carry spoofed source addresses, so such a block may only hit addresses the attacker picked at random, and filtering at your own router does not help once the upstream link itself is saturated; at that point the block has to be applied by the provider.
Distributed DoS
An alternative attack that is more difficult to defend against is the distributed DoS (DDoS) attack. This attack is worse because it comes from a large number of computers at the same time. This is accomplished either by the attacker owning a large distributed network of systems all over the world (unlikely) or by infecting normal users' computers with a Trojan horse application that allows the attacker to direct those systems to attack specific targets without the end users' knowledge. By doing this, the attacker is able to set up a large number of systems (called zombies, collectively a botnet) to perform a DoS attack at the same time. This type of attack constitutes a DDoS attack. Performing an attack in this manner is more effective due to the number of packets being sent, and because the traffic comes from many real, legitimate-looking addresses there is no single source to block. In addition, it introduces another layer of systems between the attacker and the target, making the attacker more difficult to trace.
Domain Name Kiting
Domain Name Kiting is when someone purchases a domain name, then
soon after deletes the registration only to immediately reregister it. Because
there is normally a five-day registration grace period offered by many domain
name registrars, domain kiters will abuse this grace period by canceling the
domain name registrations to avoid paying for them. This way they can use
the domain names without cost.
Because the grace period offered by registrars allows the registration of a
domain name to be canceled without cost or penalty as long as the cancella-
tion comes within five days of the registration, you can effectively own and
use a domain name during this short timeframe without actually paying
for it.
It has become relatively easy to drop a domain name and claim the
refund at the end of the grace period, and by taking advantage of this pro-
cess, abusers are able to keep the registrations active on their most revenue-
generating sites by cycling through cancellations and an endless refresh
of their choice domain name registrations. Because no cost is involved in
turning over the domain names, domain kiters make money out of domains
they are not paying for.
Domain Name Tasting
Another concept that is very similar to Domain Name Kiting is called
Domain Name Tasting. The two are similar in that they are both the abuse
of domain names and the grace period associated with them. Domain Name
Tasters register a domain name to exploit the Web site names for profit.

Domain name investors will register groups of domain names to deter-
mine which namespaces will generate revenue through search engine queries
and pay-per-click advertising mechanisms. They will often register typos of
legitimate business sites hoping for human error to land Internet travelers
on their Web sites, which in turn increases their bottom line.
If it is determined that a specific domain name is not returning profit for
the tasters, then they will simply drop the domain name, claim a refund,
and continue on to the next group of names.
DNS Poisoning
DNS poisoning or DNS cache poisoning occurs when a server is fed altered
or spoofed records that are then retained in the DNS server cache. Once the
DNS cache on a server has been “poisoned” in this fashion, since servers
use their cache as the first mechanism to respond to incoming requests, all
additional queries for the same record will be responded to with the falsified
information.
Attackers can use this method to redirect valid requests to malicious sites. The malicious sites may be controlled by the offender and contain viruses or worms that are distributed, or they may simply be offensive sites already in existence on the Internet. For example, imagine if your child were to type in www.barbie.com and, instead of connecting to a pretty pink site with Barbie dolls and Barbie games, ends up on an adult pornographic Web site.
DNS poisoning is a real threat, which can be reduced by taking a few security precautions. First, by ensuring that your DNS server is up-to-date on patches and updates for known vulnerabilities, you will help to ensure the safety of your DNS cache; a modern resolver randomizes both the 16-bit transaction ID and the UDP source port of every query, so that a forged answer has to guess both, and it refuses to cache records that lie outside the zone the answering server is responsible for. Also, by taking advantage of secure DNS (DNSSEC) whenever possible and validating its digital signatures, you will help to reduce the threat of DNS poisoning, because a forged record fails signature validation. Restricting recursive service to your own clients limits who can trigger the queries an attacker needs to race.
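What a resolver must check before it caches an answer, as an added example that is not part of the study guide. The constructed packets use no UDP, and the resolver models only the transaction ID, question match, and bailiwick checks; it deliberately leaves out source-port randomization and DNSSEC validation, which is exactly why the demo shows an attacker who guesses the 16-bit ID still getting the in-bailiwick record cached, while the out-of-bailiwick additional record for www.bank.example is discarded. Names, IDs and addresses are constructed for the demo.

```python
import struct

A_RECORD = 1


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; returns
    (name, offset just past the name as it appears at the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_response(txid, qname, records):
    """Minimal DNS answer: header, the echoed question, then A records given
    as (owner name, IPv4 address, section) with section 'answer' or 'additional'."""
    answers = [r for r in records if r[2] == "answer"]
    extra = [r for r in records if r[2] == "additional"]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(extra))
    msg += encode_name(qname) + struct.pack("!HH", A_RECORD, 1)
    for name, ip, _ in answers + extra:
        msg += encode_name(name) + struct.pack("!HHIH", A_RECORD, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def parse_response(msg):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                            # skip QTYPE, QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == A_RECORD else rdata
        records.append((name, rtype, value))
    return {"txid": txid, "qname": qname, "records": records}


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


class CachingResolver:
    """Accepts an answer only if it matches an outstanding query (transaction
    ID and question) and caches only records inside the answering server's
    zone, so a spoofed reply cannot plant records for unrelated names."""

    def __init__(self):
        self.cache = {}
        self.pending = {}   # txid -> (qname, zone the queried server serves)

    def send_query(self, txid, qname, zone):
        self.pending[txid] = (qname, zone)

    def receive(self, msg):
        r = parse_response(msg)
        if r["txid"] not in self.pending:
            return "dropped: unknown transaction ID"
        qname, zone = self.pending[r["txid"]]
        if r["qname"] != qname:
            return "dropped: question does not match"
        del self.pending[r["txid"]]               # first matching answer wins
        cached = 0
        for name, rtype, value in r["records"]:
            if in_bailiwick(name, zone):
                self.cache[(name, rtype)] = value
                cached += 1
        return f"accepted {cached} record(s)"


def demo():
    """A poisoning attempt against a query for www.example.com that was sent
    to the example.com name servers. Addresses are constructed for the demo."""
    res = CachingResolver()
    res.send_query(0x1234, "www.example.com", "example.com")
    wrong_id = build_response(0x4321, "www.example.com",
                              [("www.example.com", "203.0.113.7", "answer")])
    guessed_id = build_response(0x1234, "www.example.com",
                                [("www.example.com", "203.0.113.7", "answer"),
                                 ("www.bank.example", "203.0.113.8", "additional")])
    genuine = build_response(0x1234, "www.example.com",
                             [("www.example.com", "93.184.216.34", "answer")])
    verdicts = [res.receive(m) for m in (wrong_id, guessed_id, genuine)]
    return verdicts, res.cache
```

Because the forged answer that guessed the ID arrives before the genuine one, the genuine one is dropped as a reply to a transaction that no longer exists: the race is won by whoever answers first with matching ID and port, which is why 16 bits of ID alone are not enough and why DNSSEC signatures are the durable fix.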
ARP Poisoning
ARP is a broadcast-based protocol that functions at Layer 2 of the OSI model. Its purpose is to map a known IP address to its corresponding Media Access Control (MAC) address so that a packet can be properly addressed. A MAC address is a unique number assigned to network interface cards (NICs) by their manufacturers. ARP poisoning occurs when a client machine sends out an ARP request for another machine's MAC address information and is sent falsified information instead; because ARP has no authentication, and most stacks also accept replies they never asked for, the attacker does not even have to wait for a request. The spoofed ARP message allows the attacker to associate a MAC address of their choosing with a particular IP address, which means any traffic meant for that IP address would be mistakenly sent to the attacker instead. This opens the door for many attack mechanisms to be used. Once the data has been intercepted, the attacker could choose to modify the data before forwarding it, which is called a MITM attack, or even launch a denial-of-service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway. Static ARP entries for the gateway on critical hosts, dynamic ARP inspection on switches that support it, and a monitor such as arpwatch that alerts on IP-to-MAC changes are the usual countermeasures.
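The ARP reply that arpspoof sends in Exercise 9.4 and the change-detection that the paragraph above recommends, as an added example built for this page rather than code taken from dsniff: build_arp_reply assembles the Ethernet/ARP frame that asserts "10.10.0.1 is at the attacker's MAC", parse_arp reads it back, and ArpWatch (an arpwatch-style passive monitor) flags the gateway's address changing. The lab addresses are assumptions that follow the exercise's layout.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed lab addresses (assumption: the layout of Exercise 9.4, with
# 10.10.0.1 as the gateway).
GATEWAY_IP, GATEWAY_MAC = "10.10.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.10.0.5", "00:11:22:33:44:05"
ATTACKER_MAC = "de:ad:be:ef:00:99"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply that asserts 'sender_ip is at
    sender_mac'. arpspoof sends exactly this shape of frame, with its own MAC
    as sender_mac and the gateway's IP as sender_ip, to each victim."""
    ethernet = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac),
                           ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,          # hardware type: Ethernet
                      0x0800,     # protocol type: IPv4
                      6, 4,       # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return ethernet + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": fmt_mac(smac), "sender_ip": fmt_ip(sip),
            "target_mac": fmt_mac(tmac), "target_ip": fmt_ip(tip)}


class ArpWatch:
    """Passive detector in the style of arpwatch: remembers the first MAC seen
    for each IP (or a static table for critical hosts) and flags any change.
    It cannot tell a legitimate NIC swap from an attack; that is for the
    operator reading the alert to decide."""

    def __init__(self, static=None):
        self.table = dict(static or {})
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            kind = "reply" if arp["op"] == ARP_REPLY else "request"
            self.alerts.append(f"{ip} moved from {known} to {mac} ({kind})")


def demo():
    """The gateway answers the victim normally, then the attacker poisons it."""
    watch = ArpWatch(static={GATEWAY_IP: GATEWAY_MAC})
    genuine = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoofed = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    for frame in (genuine, spoofed):
        watch.observe(frame)
    return watch.alerts
```

Feeding real traffic to ArpWatch only needs a raw socket bound to the interface (or a pcap file) in place of the constructed frames; the parser already ignores anything that is not ARP.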
NETWORK ACCESS SECURITY
No network security exam would be complete without discussing the
concepts of Access Control, Authentication, and Auditing (AAA). These
three components together make up the concept of Network Access
Security. AAA comprises the most basic fundamentals of work in the IT
security field and is critical to understand for any IT security practitioner.
In this section, you will be introduced to Network Authentication and its
finer details.
Introduction to AAA
AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or even unintentional damage. AAA is used to support the confidentiality, integrity, and availability (CIA) security concept, in addition to providing the framework for access to networks and equipment using Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System (TACACS/TACACS+).
A more detailed description of AAA is discussed in RFC 3127. This RFC contains an evaluation of various existing protocols against the AAA requirements and can help you understand the specific details of these protocols. The AAA requirements themselves can be found in RFC 2989, located at http://tools.ietf.org/html/rfc2989.
What is AAA?
AAA is a group of processes used to protect the data, equipment, and confidentiality of property and information. As mentioned earlier, one of the goals of AAA is to provide CIA. CIA can be briefly described as follows:
- Confidentiality: The contents or data are not revealed to anyone not entitled to see them
- Integrity: The contents or data are intact and have not been modified
- Availability: The contents or data are accessible when an authorized party needs them
AAA consists of three separate areas that work together. These areas provide a level of basic security in controlling access to resources and equipment in networks. This control lets administrators provide services that support the CIA goals and further protect systems and assets.
Access Control
Access control can be defined as a policy, software component, or hardware component that is used to grant or deny access to a resource. This can be an advanced component such as a Smart Card, a biometric device, or network access hardware such as routers, remote access points such as Remote Access Service (RAS), and VPNs, or even the use of wireless access points (WAPs). It can also be file or shared resource permissions assigned through the use of a network OS (NOS) such as Microsoft Windows with Active Directory or UNIX systems using Lightweight Directory Access Protocol (LDAP), Kerberos, or Sun Microsystems' Network Information System (NIS) and Network Information System Plus (NIS+). Finally, it can be a rule set that defines the operation of a software component limiting entrance to a system or network.
HEAD OF THE CLASS…
Clarification of Two Key Acronyms
Two specific abbreviations need to be explained to avoid confusion. For general security study, and for the Network+ exam, AAA is defined as "Access Control, Authentication, and Auditing." Do not confuse this with the AAA of RFC 2989, RADIUS, TACACS+ and Cisco's implementation, which is "Authentication, Authorization, and Accounting."
The second abbreviation requiring clarification is CIA. For purposes of the Network+ exam, CIA is defined as "confidentiality, integrity, and availability." Other literature and resources such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines may refer to CIA as "confidentiality, integrity, and authentication."
Authentication
Authentication can be defined as the process used to verify that a machine
or user attempting access to the networks or resources is, in fact, the entity
being presented. For this chapter, nonrepudiation is the method used (time
stamps, particular protocols, or authentication methods) to ensure that
the presenter of the authentication request cannot later deny that they were
the originator of the request. In the following sections, authentication meth-
ods include presentation of credentials (such as a username and password,
Smart Card, or personal identification number [PIN]) to a NOS (logging on
to a machine or network), remote access authentication, and a discussion of
certificate services and digital certificates. The authentication process uses
the information presented to the NOS (such as username and password) to
allow the NOS to verify the identity based on those credentials.

Auditing
Auditing is the process of tracking and reviewing events, errors, access, and authentication attempts on a system. Much like an accountant's procedure for keeping track of the flow of funds, you need to be able to follow a trail of access attempts, access grants or denials, machine problems or errors, and other events that are important to the systems being monitored and controlled. In the case of security auditing, you will learn about the policies and procedures that allow administrators to track access (authorized or unauthorized) to the network, local machine, or resources. Auditing is not enabled by default in many NOSs, and administrators must often specify the events or objects to be tracked. This becomes one of the basic lines of defense in the security and monitoring of network systems. Tracking is used along with regular reviewing and analysis of the log files generated by the auditing process to better understand whether the access controls are working. Because an intruder who gains administrative access will try to alter or delete the logs, forward them to a separate, write-protected log host as they are generated.
NOTES FROM THE FIELD …
Let's Talk About Access and Authentication
The difference between access control and authentication is very important. Access control is used to control the access to a resource through some means. This could be thought of as a lock on a door or a guard in a building. Authentication, on the other hand, is the process of verifying that the person trying to access whatever resource is being controlled is who they claim to be, which is what lets the access control decide whether they belong to the authorized set. In our analogy, this would be the equivalent of trying the key or having the guard check your name against a list of authorized people. So in summary, access control is the lock and authentication is the key.
Authentication Methods

Authentication, when looked at in its most basic form, is simply the process
used to prove the identity of someone or something that wants access. This
can involve highly complex and secure methods, which may involve higher
costs and more time, or can be very simple. For example, if someone you
personally know comes to your door, you visually recognize them, and if you
want them to enter, you open the door. In this case, you have performed the
authentication process through your visual recognition of the individual. All
authentication processes follow this same basic premise; that we need to
prove who we are or who the individual, service, or process is before we allow
them to use our resources.
Authentication allows a sender and receiver of information to validate
each other as the appropriate entities with which they want to work. If
entities wishing to communicate cannot properly authenticate each other,
there can be no trust in the activities or information provided by either party.
Only through a trusted and secure method of authentication can adminis-
trators provide for a trusted and secure communication or activity.
One-Factor
One-Factor authentication, as simple as username and password combinations, has been used for authenticating users for many years. Most OSs have had some form of local authentication that could be used if the OS was designed to be used by multiple users. Windows, Novell NetWare, UNIX, and Linux have all had local authentication paths early in their development. Although this is the most common authentication method, it is not without its problems; a single secret that is guessed, phished, or sniffed in the clear gives the attacker everything. From a security standpoint, it is important to understand that the first line of defense of a system is the creation and maintenance of a password policy that is enforced and workable. You need to both implement and enforce the policy to ensure that this rudimentary protection is in place in your network. Most OSs have methods of enforcing username/password policies.

Password policies that require a user-created password that is less than six characters long are generally regarded as having a low (or no) security level. Password policies that require between 8 and 13 characters are regarded as a medium security level. Policies requiring 14 or more characters are regarded as a high security level. These security levels are based on the difficulty of discovering the password through the use of dictionary and brute force attacks: each added character multiplies the brute-force work by the size of the character set, while a dictionary word of any length falls to a few hundred thousand guesses. In addition, all password policies, regardless of password length, should require that an acceptable password contain a combination of the following:
- Uppercase and lowercase alphabetic characters
- Numbers
- Special characters
- No dictionary words
- No portion of the username in the password
- No personal identifiers, including birthdays, social security number, pet's name, and so forth
To achieve the medium security level, require eight characters, including uppercase and lowercase letters, numbers, and special characters. For higher security, enforce the medium settings plus no dictionary words and no use of the username in the password. Be aware that the higher the number of characters in a password, the more chance exists that the user will write the password down and leave it where it can be found. Most policies function well around the eight-character range and require periodic changes of the password as well as the use of special characters or numbers. Current guidance such as NIST SP 800-63B moves away from mandatory composition rules and scheduled changes in favor of longer passphrases, screening against lists of known-breached passwords, and a second authentication factor.
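A checker for the policy above, as an added example rather than code from the study guide: it reports every rule a password breaks, estimates the brute-force work factor that the length thresholds are based on, and maps the result onto the chapter's low/medium/high levels. The word list and the personal-identifier inputs are constructed stand-ins for a real dictionary and a real user record.

```python
import math
import re

# Constructed stand-in (assumption) for a real word list such as /usr/share/dict/words.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "qwerty"}

# Character classes the policy requires, each with its alphabet size.
CLASSES = (
    ("lowercase", r"[a-z]", 26),
    ("uppercase", r"[A-Z]", 26),
    ("digit", r"[0-9]", 10),
    ("special character", r"[^A-Za-z0-9]", 33),
)


def findings(password, username, personal=()):
    """Every rule from the policy that the password breaks, as messages."""
    problems = []
    lower = password.lower()
    for label, pattern, _ in CLASSES:
        if not re.search(pattern, password):
            problems.append(f"no {label}")
    problems += [f"contains dictionary word '{w}'" for w in sorted(DICTIONARY) if w in lower]
    uname = username.lower()
    # "No portion of the username": any run of four characters from it counts.
    if any(uname[i:i + 4] in lower for i in range(len(uname) - 3)):
        problems.append("contains part of the username")
    problems += [f"contains personal identifier '{p}'" for p in personal
                 if str(p).lower() in lower]
    return problems


def brute_force_bits(password):
    """Work factor for an attacker who knows which character classes are used:
    log2(alphabet ** length). Length dominates, which is why the policy's
    thresholds are expressed in characters."""
    alphabet = sum(size for _, pattern, size in CLASSES if re.search(pattern, password))
    return round(len(password) * math.log2(alphabet), 1) if alphabet else 0.0


def security_level(password, username, personal=()):
    """low / medium / high as the chapter defines them: medium needs 8+
    characters and all four classes; high needs 14+ and no content findings."""
    problems = findings(password, username, personal)
    composition_ok = not any(p.startswith("no ") for p in problems)
    if len(password) >= 14 and not problems:
        return "high"
    if len(password) >= 8 and composition_ok:
        return "medium"
    return "low"
```

Run it against the candidate at account-creation time and show the findings to the user; rejecting a password without saying which rule it broke only drives users toward the written-down passwords the text warns about.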
The simplest form of authentication is the transmission of a shared password between entities wishing to authenticate each other. This can be as simple as a secret handshake or a key. As with all simple forms of protection, once knowledge of the secret key or handshake is disclosed to nontrusted parties, there can no longer be trust in who is using the secrets.
Many methods can be used by an unauthorized person to acquire a secret key, from tricking someone into disclosing it, to high-tech monitoring of communications between parties to intercept the key as it is passed between parties. However the code is acquired, once it is in a nontrusted
