Security+ Guide to Network Security Fundamentals, 2e
Chapter 6
Web Security
At a Glance
Instructor’s Notes

Chapter Overview

Chapter Objectives

Technical Notes

Lecture Notes

Quick Quizzes

Discussion Questions

Additional Activities
Instructor’s Notes
Chapter Overview
In this chapter, students will explore the vulnerabilities and ways to protect basic communications. To ensure Web
security, students will look at the attacks against e-mail systems, the World Wide Web, and instant messaging, and
learn how to defend these systems from attackers.
Chapter Objectives
After reading this chapter, students will be able to:
Protect e-mail systems
List World Wide Web vulnerabilities
Secure Web communications
Secure instant messaging
Technical Notes
HANDS-ON PROJECTS   HARDWARE DEVICES REQUIRED   OPERATING SYSTEM REQUIRED   OTHER RESOURCES
Project 6-1         Computer PC                 Windows XP                  Internet connectivity
Project 6-2         Computer PC                 Windows XP                  Internet connectivity
Project 6-3         Computer PC                 Windows XP                  Internet connectivity
Project 6-4         Computer PC                 Windows XP                  Microsoft Outlook or Outlook Express
Project 6-5         Computer PC                 Windows XP                  Microsoft Office Outlook and Internet connectivity
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The subject matter can be covered in a 3- to 5-hour period, plus any at-home exercises you wish to assign.
Lecture Notes
Protecting E-Mail Systems
E-mail has replaced the fax machine as the primary communication tool for businesses. E-mail has also become a
prime target of attackers and must be protected.
How E-Mail Works
E-mail systems use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive
messages. The Simple Mail Transfer Protocol (SMTP) handles outgoing mail, while the Post Office Protocol
(POP, more commonly known as POP3 for the current version) is responsible for incoming mail, as shown in
Figure 6-1 on page 191 of the text.
Quick Reference
Discuss the steps of how e-mail works as listed on page 191 of the text.
The SMTP server on most machines uses a program called sendmail to do the actual sending, so this queue is called
the sendmail queue. Sendmail periodically tries to resend the messages in its queue, normally about every
15 minutes.
After messages are downloaded, they are generally erased from the POP3 server. Deleting retrieved messages from
the mail server and then storing them on a single local computer can make it difficult to manage messages from
multiple computers. IMAP (Internet Mail Access Protocol; the current version is IMAP4) is a more advanced
protocol that solves these problems. With IMAP, the e-mail remains on the e-mail server.
E-mail attachments are documents in a binary format, such as word processing documents, spreadsheets, sound
files, or pictures. These nontext documents must be converted into a text format before they can be transmitted. The
typical process is for three bytes from the binary file to be extracted and converted to four text characters.
E-Mail Vulnerabilities
As critical as e-mail is to a user or an organization, several e-mail vulnerabilities can be exploited by attackers.
These weaknesses include malware, spam, and hoaxes.
Malware
Because of its ubiquity, e-mail has become the primary carrier for malware, replacing floppy disks as the means by
which this malicious code is transported. E-mail is the malware transport mechanism of choice for two reasons.
First, because almost all Internet users have e-mail, it has the broadest base for attacks. Second, malware can use e-mail to propagate itself. A worm can enter a user’s computer through an e-mail attachment and then send itself out
to all users listed in the address book, or attach itself as a reply to all unread e-mail messages.
E-mail clients can be particularly susceptible to macro viruses. A macro is a script that records the steps a user
performs. A macro virus uses macros to carry out malicious functions. The most effective defense against e-mail
malware is threefold. First, users must be educated about how malware can enter a system through e-mail, and
proper policies must be enacted to reduce the risk of infection. E-mail users should be instructed to never open
attachments that have any of the following file extensions:
.bat
.exe
.ade
.pif
.usf
Second, antivirus software and firewall products must be installed and properly configured to prevent malicious
code from entering the network through e-mail. Finally, procedures, including turning off ports and eliminating open
mail relay servers, must be developed and enforced.
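The extension policy above can be enforced at the mail gateway rather than left to users. The following is an added example, not from the text: it parses a constructed message, flags attachments whose final extension is on the list above, and reports the decoded size next to the base64 length to show the three-bytes-to-four-characters conversion described under How E-Mail Works. The addresses, filenames and function names are assumptions made for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions the notes tell users never to open.
BLOCKED_EXTENSIONS = {".bat", ".exe", ".ade", ".pif", ".usf"}


def build_sample_message() -> bytes:
    """Constructed sample message with one harmless and one blocked attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for name, data in (("report.csv", b"a,b\n1,2\n"),
                       ("Invoice.PDF.EXE", b"\x00\x01\x02\x03\x04\x05")):  # placeholder bytes
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def blocked_attachments(raw: bytes) -> list:
    """Return (filename, decoded_bytes, base64_chars) for each blocked attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Judge by the final extension only, ignoring case and the trailing
        # dots or spaces that Windows drops from filenames.
        ext = PurePosixPath(name.rstrip(". ").lower()).suffix
        if ext not in BLOCKED_EXTENSIONS:
            continue
        encoded = "".join(part.get_payload().split())  # base64 text on the wire
        decoded = part.get_payload(decode=True)        # original binary content
        hits.append((name, len(decoded), len(encoded)))
    return hits


if __name__ == "__main__":
    for name, size, chars in blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {size} bytes sent as {chars} base64 characters")
```

Checking only the final extension also catches double-extension names such as the constructed Invoice.PDF.EXE.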
Spam
The amount of spam, or unsolicited e-mail, that flows across the Internet is difficult to judge. According to a Pew
Memorial Trust survey of approximately 30 billion daily e-mail messages, almost half are spam. This survey also
reports that spam is having a negative impact on users:
Twenty-five percent of e-mail users say the ever-increasing volume of spam has reduced their overall use of e-mail.
Fifty-two percent of e-mail users indicate that spam has made them less trusting of e-mail in general.
Seventy percent of e-mail users say spam has made being online unpleasant or annoying.
The U.S. Congress passed a law in late 2003 entitled the Controlling the Assault of Non-Solicited Pornography
and Marketing Act of 2003 (CAN-SPAM). The provisions of that law are summarized in Table 6-1 on page 195 of
the text. You can filter e-mails at the edge of the network to prevent spam from entering the SMTP server. Also use
a blacklist of spammers to block any e-mail that originates from their e-mail addresses. Sophisticated e-mail filters
can use a technique known as Bayesian filtering. The user divides e-mail messages that have been received into two
piles, spam and not-spam.
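The two-pile training step can be shown in a few lines. The following is an added example, not from the text: a small naive Bayes filter that learns word frequencies from a spam pile and a not-spam pile, then combines the per-word likelihood ratios of the words present in a new message. The training messages are constructed, and the class and function names are assumptions.

```python
import math
import re
from collections import Counter

WORD = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Distinct lowercase words; presence matters, not repetition."""
    return set(WORD.findall(text.lower()))


class BayesianFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.msg_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Add one message to the 'spam' or 'ham' (not-spam) pile."""
        self.msg_counts[label] += 1
        self.word_counts[label].update(tokens(text))

    def spam_probability(self, text):
        """Posterior probability of spam given the words present in text."""
        n_spam, n_ham = self.msg_counts["spam"], self.msg_counts["ham"]
        log_odds = math.log(n_spam) - math.log(n_ham)  # prior from pile sizes
        for word in tokens(text):
            # Add-one smoothing keeps an unseen word from forcing 0 or 1.
            p_spam = (self.word_counts["spam"][word] + 1) / (n_spam + 2)
            p_ham = (self.word_counts["ham"][word] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam) - math.log(p_ham)
        return 1 / (1 + math.exp(-log_odds))


def build_trained_filter():
    """Train on two constructed piles of three messages each."""
    f = BayesianFilter()
    for text in ("Win a free prize now", "Free money claim your prize",
                 "Cheap pills free shipping"):
        f.train(text, "spam")
    for text in ("Meeting agenda for Monday", "Project status report attached",
                 "Lunch on Monday?"):
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_trained_filter()
    for text in ("Claim your free prize", "Monday project meeting"):
        print(f"{f.spam_probability(text):.3f}  {text}")
```

Every message the user later moves between piles is another call to train, which is how the filter adapts to that user's mail.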
Hoaxes
E-mail messages that contain false warnings or fraudulent offerings are known as hoaxes. On pages 196 and 197 of
the text are sample phony offers from some infamous hoaxes. Unlike spam, hoaxes are almost impossible to filter.
The defense against e-mail hoaxes is to ignore them. Any e-mail message that appears as though it could not be true
probably is not. E-mail phishing is also a growing practice among attackers. A message that falsely identifies the
sender as someone else is sent to unsuspecting recipients.
E-Mail Encryption
Two technologies are used to protect e-mail messages as they are being transported. These encryption schemes are
Secure/Multipurpose Internet Mail Extensions and Pretty Good Privacy.
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol that adds digital signatures and
encryption to Multipurpose Internet Mail Extensions (MIME) messages.
Quick Reference
Discuss the features of S/MIME as shown on page 198 of the text.
Pretty Good Privacy (PGP)
Another program that encrypts e-mail messages is Pretty Good Privacy (PGP). PGP functions much like S/MIME
by encrypting messages using digital signatures. As an option, a user can sign an e-mail message without encrypting
it, verifying the sender but not preventing anyone from seeing the contents. PGP first compresses the message.
Compression reduces the patterns found in the plaintext, which enhances resistance to cryptanalysis. PGP then creates a session key, which
is a one-time-only secret key. This key is a number generated from the random movements of the mouse and the
keystrokes typed. PGP uses a passphrase to encrypt the private key on the local computer. A passphrase is a longer
and more secure version of a password. Typically composed of multiple words, a passphrase is more secure against
dictionary attacks.
Quick Quiz
1. The __________ handles outgoing mail, while the __________ is responsible for incoming mail.
ANSWER: Simple Mail Transport Protocol (SMTP); Post Office Protocol (POP)
2. __________ are frequently used in electronic spreadsheets to permit a novice user to manipulate the data, such as search for specific text, without requiring a detailed knowledge of spreadsheets.
ANSWER: Macros
3. ___________ is also having a detrimental effect on work productivity.
ANSWER: Spam
4. __________ are almost impossible to filter.
ANSWER: Hoaxes
5. A(n) __________ is a longer and more secure version of a password.
ANSWER: passphrase
Examining World Wide Web Vulnerabilities
Buffer overflow attacks are common ways to gain unauthorized access to Web servers. SMTP relay attacks allow
spammers to send thousands of e-mail messages to users. Another foothold for Web attacks comes from Web
programming tools.
Although dynamic content is widely used on the Web to create dynamic pages, it can also be used by attackers. This
is sometimes known as repurposed programming, or using programming tools in ways more harmful than for
what they were originally intended.
JavaScript
One popular technology used to make dynamic content is JavaScript. When a Web site that uses JavaScript is
accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer. The Web browser
then executes that code within the browser using the Virtual Machine (VM), which is a Java interpreter as shown
in Figure 6-6 on page 201 of the text. Several defense mechanisms prevent JavaScript programs from causing
serious harm. First, JavaScript does not support certain capabilities.
In addition, JavaScript has no networking capabilities. However, other security concerns remain. JavaScript
programs can capture and send user information without the user’s knowledge or authorization. JavaScript security
is handled by restrictions within the Web browser. Figure 6-7 on page 202 of the text shows the VM settings in the
Internet Explorer Security Settings dialog box.
Java Applet
Another popular Web programming tool that can be repurposed is a Java applet. A Java applet is a separate
program. Java applets are stored on the Web server and then downloaded onto the user’s computer along with the
HTML code. Java applets are illustrated in Figure 6-8 on page 203 of the text. Java applets can also be made into
hostile programs. The defense against a hostile Java applet is a sandbox. Downloaded Java applet programs are
supposed to run within a security sandbox, which is like a fence that surrounds the program and keeps it away from
private data and other resources on a local computer.
You should be aware of two types of Java applets and their relation to sandboxes. An unsigned Java applet is a
program that does not come from a trusted source. A signed Java applet has a digital signature that proves the
program is from a trusted source and has not been altered. Figure 6-9 on page 204 of the text shows a Java applet
dialog box that is the work of an attacker attempting to obtain a password by socially engineering the information
out of the user. The primary defense against Java applets is using the appropriate settings of the Web browser.
Figure 6-10 on page 204 of the text shows the Internet Explorer settings for Java applets.
ActiveX
ActiveX is a set of technologies developed by Microsoft. An outgrowth of two other Microsoft technologies called
OLE (Object Linking and Embedding) and COM (Component Object Model), ActiveX is not a programming
language but a set of rules for how applications should share information. ActiveX controls represent a specific way
of implementing ActiveX.
An ActiveX control is similar to a Java applet in that it can perform many of the same functions. Unlike Java
applets, however, ActiveX controls do not run in a sandbox, but have full access to the Windows operating system.
ActiveX controls are managed through Internet Explorer. It is recommended that ActiveX controls be set to the most
restricted level, which is shown in Figure 6-11 on page 206 of the text.
Quick Reference
Discuss the security concerns that ActiveX poses as illustrated on pages 205 and
206 of the text.
Cookies
A cookie is a computer file that contains user-specific information. The need for cookies is based on Hypertext
Transfer Protocol (HTTP). Instead of the Web server asking the user for this information each time he visits that
site, the Web server can store that personal information in a file on the local computer. Because cookies can contain
sensitive information such as usernames and other private information, attackers often target cookies. In addition,
cookies can be used to determine which Web sites you are viewing.
A first-party cookie is created from the Web site you are currently viewing. However, some Web sites attempt to
access cookies they did not create. If you went to www.b.org, that site might attempt to get the cookie A-ORG from
your hard drive. The cookie is now known as a third-party cookie because it was not created by the Web site that
attempts to access the cookie. Figure 6-12 on page 208 of the text illustrates the cookie security settings for Internet
Explorer.
Common Gateway Interface (CGI)
The Common Gateway Interface (CGI) is a set of rules that describes how a Web server communicates with other
software on the server and vice versa. CGI has been commonly used to allow a Web server to display information
from a database on a Web page or for a user to enter information through a Web form that is deposited in a database.
CGI scripts create security risks because they do not filter user input properly and can issue commands via Web
URLs. CGI security can be enhanced by properly configuring CGI, disabling any CGI scripts or programs that are
unnecessary, and checking program code that uses CGI for any vulnerabilities.
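The input-filtering problem is easiest to see side by side. The following is an added example, not from the text: a hypothetical CGI lookup script that takes a host parameter from the query string, shown first in the risky form that pastes the value into a shell command line and then in a hardened form that validates against an allowlist and builds an argument list. The parameter name, the nslookup command and the function names are assumptions; neither function runs anything.

```python
import re
from urllib.parse import parse_qs

# Allowlist for a hostname: letters, digits, dots and hyphens only,
# starting and ending with a letter or digit, at most 253 characters.
HOSTNAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def unsafe_command(query_string):
    """Risky pattern: form input pasted straight into a shell command line."""
    host = parse_qs(query_string).get("host", [""])[0]
    # A shell would treat ; | & and $() inside host as command syntax.
    return "nslookup " + host


def safe_argv(query_string):
    """Hardened pattern: validate first, then build an argument list."""
    values = parse_qs(query_string, keep_blank_values=True).get("host", [])
    if len(values) != 1 or not HOSTNAME.fullmatch(values[0]):
        raise ValueError("rejected host parameter")
    # Intended for subprocess.run(argv, shell=False): no shell parses the
    # value, and it cannot begin with '-' so it is never read as an option.
    return ["nslookup", values[0]]


def is_accepted(query_string):
    """True when the query string passes validation."""
    try:
        safe_argv(query_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed query strings, as a CGI script would read them from the
    # QUERY_STRING environment variable.
    for qs in ("host=www.example.org", "host=example.org%3B%20id", "host=-debug"):
        print(f"{qs!r}: accepted={is_accepted(qs)} unsafe={unsafe_command(qs)!r}")
```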
8.3 Naming Conventions
In the Microsoft Disk Operating System (DOS), filenames were limited to eight characters followed by a period and
a three-character extension, such as Filename.doc. This was called the 8.3 naming convention. Recent versions of
Windows do not have this restriction and allow filenames to contain up to 256 characters. However, to maintain
backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename.
The 8.3 naming convention introduces a security vulnerability with some Web servers. Microsoft Internet
Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested
directory using a long filename. The solution to this vulnerability is to disable the creation of the 8.3 alias by making
a change in the Windows registry database. However, in doing so, older programs that do not recognize long
filenames will no longer be able to access the files or subdirectories.
Securing Web Communications
The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol. One
implementation of this protocol is the Hypertext Transport Protocol over Secure Sockets Layer.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
Secure Sockets Layer (SSL) is a protocol developed by Netscape for securely transmitting documents over the
Internet. SSL uses a private key to encrypt data that is transferred over the SSL connection. SSL version 2.0 is the
most widely supported version. A protocol similar to SSL is Personal Communications Technology (PCT), which
was developed by Microsoft.
Transport Layer Security (TLS) is a protocol that guarantees privacy and data integrity between applications
communicating over the Internet. TLS is an extension of SSL, and they are often referred to as SSL/TLS. The
SSL/TLS protocol is made up of two layers. The TLS Handshake Protocol allows authentication between the server
and the client and the negotiation of an encryption algorithm and cryptographic keys before any actual data is
transmitted. Figure 6-14 on page 211 of the text shows the browser settings for TLS and SSL.
FORTEZZA is another secure connection protocol. FORTEZZA is a U.S. government security standard that
satisfies what is known as the Defense Messaging System security architecture because it has a cryptographic
mechanism that provides message confidentiality, integrity, authentication, and access control to messages,
components, and even systems.
Secure Hypertext Transport Protocol (HTTPS)
One common use of SSL is to secure Web HTTP communication between a browser and a Web server. This secure
version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL. It is sometimes
designated as HTTPS, which is the extension to the HTTP protocol that supports it. Whereas SSL/TLS creates a
secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is
designed to transmit individual messages securely.
Securing Instant Messaging
Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account. A
complement to e-mail that overcomes these drawbacks is instant messaging (IM). IM allows a sender to enter short
messages that the recipient sees and can respond to immediately.
Quick Reference
Discuss the different tasks that can be performed with IM as listed on page 212
of the text. Also, discuss some of the steps to secure IM as listed on page 213 of
the text.
Quick Quiz
1. Programming tools that can be __________ are JavaScript, Java applets, and ActiveX controls.
ANSWER: repurposed
2. A(n) ___________ is like a fence that surrounds the program and keeps it away from private data and other resources on a local computer.
ANSWER: sandbox
3. ___________ controls can be signed or unsigned.
ANSWER: ActiveX
4. __________ can contain sensitive information such as usernames and other private information that attackers often target.
ANSWER: Cookies
5. ___________ allows a sender to enter short messages that the recipient sees and can respond to immediately.
ANSWER: Instant messaging (IM)
Discussion Questions
1. Discuss the difference between spam and a hoax.
2. Discuss the advantages and disadvantages of instant messaging.
Additional Activities
1. Have students conduct research looking for different software that can be used to reduce spam.
2. Have students troubleshoot a computer that contains spam and malware, then have them develop procedures they can use to remove such components.