Part I Introduction

This document supplies information and references for Internet Services and Network Security. This paper provides clear steps by step procedure on how to install, configure, and troubleshoot web servers, FTP servers, DNS servers, and DHCP servers, not only in Microsoft Windows but in Debian Linux as well. It will also deal with Network Security Basics, Network Address Translation, and Virtual Private Networks. The first part will tackle about Internet Services, including particulars concerning the Web Server, File Transfer Protocol, DNS Server, and DHCP Server. A Web server is a computer program that delivers (serves) content, such as Web pages, using the Hypertext Transfer Protocol (HTTP), over the World Wide Web. Under the Web Server, it will be composed of installation and configuration of Apache2 (for Linux) and Internet Information System (for Microsoft), as well as some tips on how to troubleshoot web servers. File Transfer Protocol is a method of transferring files (web pages for example) from your local PC to your web server. This section will discuss about how to install and configure FTP server in MS 2003, how to install and configure VSFTP and ProFTP in Debian Linux. Next is Domain Name Service server, a server that translates DNS names (such as malwarecity.com) into an IP address that is actually used for communication on the Internet. This part will deal with installing DNS server in Microsoft Windows 2003 and how to configure and secure BIND9 in Debian Linux. The last topic of Internet Services deals with DHCP servers. The Dynamic Host Configuration Protocol (DHCP) is a computer networking protocol used by hosts to retrieve IP address assignments and other configuration information. This includes how to install and configure DHCP server in Microsoft Windows 2003 and in Debian Linux. The second part mainly concerns about Network Security. This section is composed of Network Security Basics, network Address Translator (NAT), and Virtual Private Networks (VPN). Network security basics is composed of implementing Network Zoning (The process of allocating resources in a SAN to load balance the devices connected to the network.), and how to secure network devices. Second part is how to configure and manage Network Address Translation (A type of network connection that lets a virtual machine use the IP address and MAC address of the host). Lastly, Network
1

Security section will tackle about Virtual Private Network (A computer network that uses a public network (eg, the Internet) to transmit private data), it includes the purpose of VPNs, its types, and how to install it, configure and troubleshoot.

PART II INTERNET SERVICES

A. WEB SERVER A.1- Installation of Linux Web Server (Apache2) A.2- Installation of Microsoft Web Server (IIS) A.3- Configuration of Apache2 and IIS (Internet Information System) A.4- Maintenance and Troubleshooting of Web Server B. FTP SERVER B.1- Howto Install FTP Server in Microsoft Windows 2003 B.2- Howto Configure FTP Server in Microsoft Windows 2003 B.3- Howto Install ProFTP and VSFTP Server in Debian Linux B.4- Howto Configure ProFTP and VSFTP Server Debian Linux C. DNS SERVER C.1- Howto Install DNS Server in Microsoft Windows 2003
2

C.2- Howto Configure BIND9 in Debian Linux C.3- Howto Secure BIND9 in Debian Linux D. DHCP SERVER D.1- Howto Install DHCP Server in Microsoft Windows 2003 and Debian Linux D.2- Howto Configure DHCP Server in MS 2003 and Debian Linux A. WEB SERVER A.1 Installation of Linux Web Server (Apache2) Download source Get the source from http://httpd.apache.org/download.cgi (httpd2.2.4.tar.gz). These instructions are known to work with all 2.x.x Apache versions. Unpack, configure, compile Go to the directory with the downloaded file and enter: # tar -xzf httpd-2.2.4.tar.gz # cd httpd-2.2.4 # ./configure --prefix=/usr/local/apache2 --enable-so --with-includedapr Edit httpd.conf Before you start Apache server, edit the httpd.conf file according to your needs. # vi /usr/local/apache2/conf/httpd.conf Setup access privileges Dont forget to setup Apache access privileges to your www directories: # chown -R apache2:www /foo/path_to_your_www_documents_root # chmod -R 750 /foo/path_to_your_www_documents_root "apache2" and "www" are the user and user group created. Start and stop apache server After everything is set up, start Apache: # /usr/local/apache2/bin/apachectl start Similarly, if you wish to stop Apache, type: # /usr/local/apache2/bin/apachectl stop
3

Automatic startup Its a good idea to let your Apache server start automatically after each system reboot. To setup Apache automatic startup, do: # cp /usr/local/apache2/bin/apachectl /etc/init.d # chmod 755 /etc/init.d/apachectl # chkconfig --add apachectl # chkconfig --level 35 apachectl on A.2 Installation of MS Web Server (IIS) This topic describes 3 methods for installing IIS: Using the Configure Your Server Wizard. Using Add or Remove Programs from Control Panel. Using unattended setup. To install IIS using the Configure Your Server Wizard 1 From the Start menu, click Manage Your Server. . 2 Under Managing Your Server Roles, click Add or remove a role. . 3 Read the preliminary steps in the Configure Your Server Wizard and click . Next. 4 Under Server Role, click Application server (IIS, ASP.NET) and then click . Next. By default, the wizard installs and enables IIS, COM+, and DTC. 5 If you want to serve either of the optional technologies (FrontPage Server . Extensions or ASP.NET), on the Application Server Options page, select the appropriate check boxes, and then click Next. 6 Read the summary and click Next. . 7 Complete the wizard, and then click Finish. . To install IIS, add components, or remove components using Control Panel 1 From the Start menu, click Control Panel. . 2 Double-click Add or Remove Programs. . 3 Click Add/Remove Windows Components. . 4 In the Components list box, click Application Server. . 5 Click Details.
4

. 6 Click Internet Information Services Manager. . 7 Click Details to view the list of IIS optional components. For a detailed . description of IIS optional components, see "Optional Components" in this topic. 8 Select all optional components you wish to install. . Unattended Setup To simplify the process of setting up IIS on multiple computers running a member of the Windows Server 2003 family, you can run setup unattended. To do this, create and use an answer file, which is a customized script that automatically answers the setup questions. A.3 Configuration of Apache2 and Internet Information System (IIS) -Configuring Apache21. Creating a Web Development Directory cd mkdir webdev cd webdev mkdir site1 site2 We now have a directory called webdev under our home directory. Within the webdev directory are two directories called site1 and site2. 2. Create Some Test Files cd ~/webdev/site1 echo 'Site1 works!' > index.html cd ../site2 echo 'Site2 works!' > index.html 3. Enable the Sites in Apache. Go to /etc/apache2/sites-available. cd /etc/apache2/sites-available 4. As root, copy the default file as site1. sudo cp default site1 5. Repeat the process to create a site2 file. As root, edit the site1 configuration file.
5

sudo nano site1 6. You now need to enable your new site. sudo a2ensite site1 7. You should get a message telling you that you need to reload Apache to activate the new configuration. But first you need to edit your /etc/hosts file. sudo nano /etc/hosts 8. Edit the first line adding site1 to the end of the line. You can now reload Apache. sudo /etc/init.d/apache2 reload 9. Site1 is now enabled. Check it by browsing to http://site1/. If everything worked right, you should see a web page that says "Site1 works! Repeat the procedure to enable site2, etc. If you get an error like apache2: Could not determine the servers fully qualified domain name, using 127.0.0.1 for localhost, you can fix it with this command. echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn 10. Then, reload Apache to eliminate the error. sudo /etc/init.d/apache2 reload -Configuring Internet Information System1. Once it has completely installed you will have to open it a) First go to the Control Panel again and click "Performance and Maintenance" and then navigate to "Administrative Tools". b) Now you should see "Internet Information Services"; open the program up 2. If it opens then congratulations, you have successfully installed it. 3. In the left panel select "Websites" 4. Here you will see if it is running or not, the local IP Address it is configured on, and the current port it is using 5. Now right click on "Default Web site" and click properties, then go to the "Web site" tab. Change the IP Address to what your local IP Address is if it is not already set 6. Now decide what port you want to use (anything above 1024 should be fine). You can leave it at port 80 but only if your ISP doesn't block it. If you do decide to change the port then note than whenever you navigate to your website then your syntax must be "domain.com:portnumber".
6

7. After you have decided on the port you need to open the port in

your router. To do this type in you gateway in a browser and follow the steps there. 8. Next go to the "Home Directory" tab, and select a local path. You should use "driveletterofWindows:\Inetpub\wwwroot". This folder was automatically created upon installation 9. Now go to the "Documents" tab. Here you can set a default document to redirect to if no document is typed into the url. To add a new document to the list click "Add" and then type in the name 10. Next close the properties window and right click on "Default Web Site" again. This time rollover "New" and then click "Virtual Directory" (you don't have to do this but it is a good practice). Select a logical name for your virtual directory such as "root" or something similar as to avoid confusion 11. Now expand "Default Web Site" and you should see the name of your virtual directory. Expand the directory and you should see all of the files in there that are in your "Home Directory". Relax, you are almost done 12. Once again, right click on "Default Web Site", this time rollover "All Tasks" and click on "Permissions Wizard". 13. Now test to see if your site works. 14. To access your site from another location that is not on your network then type: http:// externalIPaddress:port/virtualdirectory/ (once again if you did not change the port from port 80 then type: http:// externalIPaddress/virtualdirectory/ 15. To find out your external IP Address then go to http://whatismyip.com or http://ipaddressfinder.info

A.4 Maintenance and Troubleshooting of Web Server The Web Server Does Not Respond Verify That the Network Connections Are Enabled 1. Click Start, right-click Control Panel, and then click Open. 2. Double-click Network Connections, and then click the connection that is being used for the Web server access. 3. Verify that the connection is connected. Verify That the Inetinfo.exe Program Is Running 1. Press CTRL+ALT+DELETE. 2. Click Task Manager. 3. Click the Processes tab, and then verify that the Inetinfo.exe process is listed in the Image Name column. Verify That Startup Type Is Set to Automatic
7

1. Click Start, right-click My Computer, and then click Manage. 2. In the left pane, expand Services and Applications, and then click

Services. 3. In the list of services, locate World Wide Web Publishing, and then verify that Automatic appears in the Startup type column and that Started appears in the Status column. Users Cannot Access the Web Server Even Though the Server Is Running and the Network and Internet Connections Are Enabled Verify That WINS Server Is Installed 1. Click Start, point to Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components. 2. Click Networking Services, and then click Details. 3. Verify that the Windows Internet Naming Service (WINS) check box is selected, correctly configured, and working on the network. Verify That DNS Server Is Installed 1. Click Start, point to Control Panel, and then double-click Add or Remove programs. 2. Click Add/Remove Windows Components, click Networking Services, and then click Details. 3. Verify that Domain Name System (DNS) is installed, and that the DNS servers (or server) are connected and working on the network. Users Can Access the Web Server but Not the Contents of the Web Server Verify the Authentication and Encryption Levels on the Web Server 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In Internet Information Services Manager, expand Server_Name, and then expand Web Sites. 3. Right-click the Web site in question, and then click Properties. 4. Click the Directory Security tab, and then under Authentication and access control, click Edit. 5. Verify that the correct authentication and encryption settings are set at the server. Verify the Web Sharing Permissions 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In Internet Information Services Manager, expand Server_Name, and then expand Web Sites. 3. Right-click the default Web site, and then click Properties. 4. Click the Home Directory tab, and then under Local Path, verify that the appropriate client access permissions are set, as follows: o Read o Write o Directory browsing
8

In the Execute Permissions box, select one of the following: o None o Scripts Only o Scripts and Executables Verify That the IP Address and Domain Name Are Not Set to Deny Access 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. In Internet Information Services Manager, expand Server_Name, and then expand Web Sites. 3. Right-click the Web site in question, and then click Properties. 4. Click the Directory Security tab, and then under IP Address and Domain Name Restrictions, click Edit. 5. Verify that the By default, all computers will be option is not set to Denied Access. Verify That the Root Folder and All Files Are Present and Intact 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Server_Name, and then expand Web Sites. 3. Right-click the Web site in question, and then click Open. 4. Verify that the (Inetpub\wwwroot) folder is intact and that it includes all of the necessary .htm files for the Web site. For example, confirm that the default document (typically Default.htm or Index.htm) is listed. Users Cannot Use File Transfer Protocol (FTP) with Web Server Verify that the FTP Server Service Is Installed 1. Click Start, point to Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components. 2. Double-click Application Server, and then double-click Internet Information Services (IIS). 3. Verify that the File Transfer Protocol (FTP) Service check box is selected. If it is not selected, click to select it, and then click OK. Verify the Permissions for FTP 1. Click Start, point to Administrative Tools, and then click Internet Information Services IIS Manager. 2. Expand Server_Name, and then expand FTP Sites. 3. Right-click the FTP site, and then click Properties. 4. Click the Home Directory tab, and then grant the appropriate permissions on folders that are used for FTP, including write permissions to those who upload documents to the server. Verify That the Default FTP Publishing Service Is Started 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Server_Name, and then expand FTP Sites. 3. Right-click the default FTP site. 4. Verify that it is started. If it is not started, click Start. 5. Additionally, verify that the Default FTP Publishing Service is started.
9

6. Click Start, right-click My Computer, and then click Manage. 7. In the Computer Management dialog box, expand Services and

Applications. 8. Click Services, and then in the right panel, verify that FTP Publishing Service is listed as Started in the Status column. If the service is not started, select it, and then click Start in the upper-left link. Or, click Restart. Users Cannot Send or Receive E-mail Messages Through the Web Server Verify That SMTP Service Is Installed 1. Click Start, point to Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components. 2. Double-click Application Server, and then double-click Internet Information Services (IIS). 3. Verify that the SMTP Service check box is selected. If it is not selected, click to select it, and then click OK. Verify That SMTP Service Is Started 1. Click Start, right-click My Computer, and then click Manage. 2. In the Computer Management dialog box, expand Services and Applications. 3. Click Services, and then in the right panel, verify that Simple Mail Transfer Protocol (SMTP) is listed as Started in the Status column. If it is not started, start it. 4. Additionally, you may want to verify that the Default SMTP Virtual Server or any SMTP Virtual Server that was created, is started. 5. To do that, Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 6. expand Server_Name. 7. Right-click the Default SMTP Virtual Server or the SMTP Virtual Server you created and determine whether it is started. If it is not started, click Start. Newsgroups Are Not Working on the Web Server Verify That NNTP Service Is Installed 1. Click Start, point to Control Panel, double-click Add or Remove programs, and then click Add/Remove Windows Components. 2. Double-click Application Server, and then double-click Internet Information Services (IIS). 3. Verify that the NNTP Service check box is selected. If it is not selected, click to select it, and then click OK. Verify That There Are Virtual Directories Configured for the Newsgroup 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Server_Name, and then expand Default NNTP Virtual Server or any NNTP Virtual Server that you have created.
10

3. Click Virtual Directories.

4. Verify that there are virtual directories set up for the newsgroup. Verify the Security and Size Settings for Users 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Server_Name, right-click Default NNTP Virtual Server or any NNTP Virtual Server that you have created, and then click Properties. 3. Click the Access tab, and then click Authentication. Select one or more authentication methods. Microsoft NNTP Service verifies the user's identity and grants access to the requested content as determined by your Windows access control list (ACL) settings. Click OK. 4. Click the Settings tab, and then configure the correct settings for size and postings. 5. Click the Security tab, and then grant appropriate permissions to the Windows user account. If required, click Add to add Windows user accounts and groups to the list of NNTP virtual server operators. Verify That Users Are Connecting to the Service 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager. 2. Expand Server_Name, and then expand NNTP Virtual Server. 3. Click Current Sessions, and then verify that the users are connecting to the service. B. FTP SERVER B.1 Howto Install FTP Server in MS Windows 2003 1. Click Start, Control Panel, and then click Add or Remove Programs. 2. Click Add/Remove Windows Components. 3. In the Components list, click Application Server, click Internet Information Services (IIS) (but do not select or clear the check box), and then click Details. 4. Select the following check boxes: Common Files File Transfer Protocol (FTP) Service Internet Information Services Manager 5. Select the check boxes next to any other IIS-related service or subcomponent that you want to install, and then click OK. 6. Click Next. 7. When you are prompted, insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive or provide a path to the location of the files, and then click OK. 8. Click Finish.

11

B.2 Howto configure FTP server in MS Windows 2003 1. Start Internet Information Services Manager or open the IIS snap-in. 2. Expand Server_name, where Server_name is the name of the server. 3. Expand FTP Sites 4. Right-click Default FTP Site, then click Properties. 5. Click the Security Accounts tab. 6. Select the Allow Anonymous Connections check box, and then select the Allow only anonymous connections check box. 7. Click the Home Directory tab. 8. Select the Read and Log visits check boxes, and then click to clear the Write check box. 9. Click OK. 10. Quit Internet Information Services Manager or close the IIS snap-in. B.3 How to Install ProFTP and VSFTP Server in Debian Linux -Installation of ProFTP1. Download and install the ProFTP.

apt-get install proftpd 2. It will ask you if you want to install it with inetd or standalone. inetd is for occasional use (it will be loaded on demand).You need to select standalone and click ok button. -Installation of VSFTP1. Download and install the ftp server VSFTPD. debian# apt-get install vsftpd B.4 How to Configure ProFTP and VSFTP server in Debian Linux -Configuring ProFTP Server1. By default proftp configuration file is located under /etc i.e /etc/proftpd.conf 2. Now you need to edit the /etc/proftpd.conf file using vi or any other editor and you need to change the following Directives or add the following directives for proftp server configuration these are only some of basic directives.

12

ServerName -- Configure the name displayed to connecting users ServerName proftp server ServerIdent -- Set the message displayed on connect ServerIdent on Welcome to proftp server UseReverseDNS -- Toggle rDNS lookups UseReverseDNS off IdentLookups -- Toggle ident lookups IdentLookups off DefaultRoot -- Sets default chroot directory DefaultRoot ~ MaxClients -- Limits the number of users that can connect Maxclients 30 MaxClientsPerHost -- Limits the connections per client machine MaxClientsPerHost 50 3. After adding these directives you need to restart your proftpd server to take these changes effect. #/etc/init.d/proftpd restart -Configuring VSFTP Server1. Firstly we need to create a password file for the users. You can use the

htpasswd utility that comes with apache, but in its normal use, it only supports passwords up to 8 characters long. If you want to support longer passwords, either use a different PAM module, or use md5-crypt passwords. 2. If apache is installed already, first create a password file for the first user (called bob). debian# htpasswd -c /etc/vsftpd/passwd bob for subsequent users just use debian# htpasswd /etc/vsftpd/passwd alice
3. Next we need to edit the vsftpd configuration file /etc/vsftpd.conf

listen=YES anonymous_enable=NO local_enable=YES virtual_use_local_privs=YES write_enable=YES connect_from_port_20=YES

13

secure_chroot_dir=/var/run/vsftpd pam_service_name=vsftpd guest_enable=YES user_sub_token=$USER local_root=/var/www/sites/$USER chroot_local_user=YES hide_ids=YES

4. We've turned anonymous access off, and enabled local access which

we need for virtual users, and we've specified that each user will be chrooted to their own web directory, so user bob will be chrooted to /var/www/sites/bob. Although the manual says that local_root will fail silently if the folder doesn't exist, that will not happen as we've turned on chrooting, so in the event of a folder error, the user will get a 500 error from the ftp server. 5. Finally configure PAM to use the password file, so edit /etc/pam.d/vsftpd # Customized login using htpasswd file auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd account required pam_permit.so 6. You need the account line as vsftpd requires both auth and account to work, so as we are using virtual users without any account expiry information, we use the default pam_permit module for account authentication.

C. DNS SERVER

C.1 How to Install DNS Server in MS Window 2003 1. 2. 3. 4. 5. 6. Click Start, point to Settings, and then click Control Panel. Double-click Add/Remove Programs. Click Add and Remove Windows Components. The Windows Components Wizard starts. Click Next. Click Networking Services, and then click Details. Click to select the Domain Name System (DNS) check box, and then click OK. 7. Click OK to start server Setup. The DNS server and tool files are copied to your computer. 8. Continue to the next step to configure the DNS server.

14

C.2 How to Configure BIND9 in Debian Linux 1. This includes adding the following options: allow-transfer, allow-query, allow-recursion and version. You can either limit this on the global section or on a per-zone basis. This information is documented in the bind-doc package, read more on this on /usr/share/doc/bind/html/index.html once the package is installed. 2. Imagine that your server is connected to the Internet and to your internal (your internal IP is 192.168.1.2) network (a basic multi-homed server), you do not want to give any service to the Internet and you just want to enable DNS lookups from your internal hosts. You could restrict it by including in /etc/bind/named.conf: options{ allow-query { 192.168.1/24; } ; allow-transfer { none; } ; allow-recursion { 192.168.1/24; } ; listen-on { 192.168.1.2; } ; forward { only; } ; forwarders { A.B.C.D; } ; }; 3. The listen-on option makes the DNS bind to only the interface that has the internal address, but, even if this interface is the same as the interface that connects to the Internet (if you are using NAT, for example), queries will only be accepted if coming from your internal hosts. If the system has multiple interfaces and the listen-on is not present, only internal users could query, but, since the port would be accessible to outside attackers, they could try to crash (or exploit buffer overflow attacks) on the DNS server. You could even make it listen only on 127.0.0.1 if you are not giving DNS service for any other systems than yourself. 4. The version.bind record in the chaos class contains the version of the currently running bind process. This information is often used by automated scanners and malicious individuals who wish to determine if one's bind is vulnerable to a specific attack. By providing false or no information in the version.bind record, one limits the probability that one's server will be attacked based on its published version. To provide your own version, use the version directive in the following manner: options { ... various options here ... version "Not available."; }; 5. Changing the version.bind record does not provide actual protection against attacks, but it might be considered a useful safeguard. C.3 Howto secure BIND9 in Debian Linux
15

There are different issues that can be tackled in order to secure the Domain server daemon, which are similar to the ones considered when securing any given service: Configuring the daemon itself properly so it cannot be misused from the outside. This includes limiting possible queries from clients: zone transfers and recursive queries. Limit the access of the daemon to the server itself so if it is used to break in, the damage to the system is limited. This includes running the daemon as a non-privileged user and Chrooting it. Bind configuration to avoid misuse You should restrict some of the information that is served from the DNS server to outside clients so that it cannot be used to retrieve valuable information from your organization that you do not want to give away. 1. This includes adding the following options: allow-transfer, allow-query, allow-recursion and version. You can either limit this on the global section (so it applies to all the zones served) or on a per-zone basis. This information is documented in the bind-doc package, read more on this on /usr/share/doc/bind/html/index.html once the package is installed. 2. Imagine that your server is connected to the Internet and to your internal (your internal IP is 192.168.1.2) network (a basic multi-homed server), you do not want to give any service to the Internet and you just want to enable DNS lookups from your internal hosts. You could restrict it by including in /etc/bind/named.conf: options { allow-query { 192.168.1/24; } ; allow-transfer { none; } ; allow-recursion { 192.168.1/24; } ; listen-on { 192.168.1.2; } ; forward { only; } ; forwarders { A.B.C.D; } ; }; 3. The listen-on option makes the DNS bind to only the interface that has the internal address, but, even if this interface is the same as the interface that connects to the Internet (if you are using NAT, for example), queries will only be accepted if coming from your internal hosts. If the system has multiple interfaces and the listen-on is not present, only internal users could query, but, since the port would be accessible to outside attackers, they could try to crash (or exploit buffer overflow attacks) on the DNS server. You could even make it
16

listen only on 127.0.0.1 if you are not giving DNS service for any other systems than yourself. 4. The version.bind record in the chaos class contains the version of the currently running bind process. This information is often used by automated scanners and malicious individuals who wish to determine if one's bind is vulnerable to a specific attack. By providing false or no information in the version.bind record, one limits the probability that one's server will be attacked based on its published version. To provide your own version, use the version directive in the following manner: options { ... various options here ... version "Not available."; }; 5. Changing the version.bind record does not provide actual protection against attacks, but it might be considered a useful safeguard. A sample named.conf configuration file might be the following: acl internal { 127.0.0.1/32; 10.0.0.0/8; aa.bb.cc.dd; }; acl friendly { ee.ff.gg.hh; aa.bb.cc.dd; 127.0.0.1/32; 10.0.0.0/8; }; // localhost // internal // eth0 IP

// slave DNS // eth0 IP // localhost // internal

options { directory "/var/cache/bind"; allow-query { internal; }; allow-recursion { internal; }; allow-transfer { none; }; }; // From here to the mysite.bogus zone // is basically unmodified from the debian default logging { category lame-servers { null; }; category cname { null; }; }; zone "." { type hint; file "/etc/bind/db.root"; };
17

zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; }; zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; }; // zones I added myself zone "mysite.bogus" { type master; file "/etc/bind/named.mysite"; allow-query { any; }; allow-transfer { friendly; }; }; Changing BIND's user Regarding limiting BIND's privileges you must be aware that if a non-root user runs BIND, then BIND cannot detect new interfaces automatically, for example when you put a PCMCIA card into your laptop. Check the README.Debian file in your named documentation (/usr/share/doc/bind/README.Debian) directory for more information about this issue. There have been many recent security problems concerning BIND, so switching the user is useful when possible. 2. In the Debian packages for BIND version 9 (since the 9.2.1-5 version, available since sarge) the bind user is created and used by setting the OPTIONS variable in /etc/default/bind9. If you are using BIND version 9 and your name server daemon is not running as the bind user verify the settings on that file. 3. To run BIND under a different user, first create a separate user and group for it (it is not a good idea to use nobody or nogroup for
1.

18

every service not running as root). In this example, the user and group named will be used. You can do this by entering: addgroup named adduser --system --home /home/named --no-create-home --ingroup named \ --disabled-password --disabled-login named Notice that the user named will be quite restricted. If you want, for whatever reason, to have a less restrictive setup use: adduser --system --ingroup named named Now you can either edit /etc/init.d/bind with your favorite editor and change the line beginning with
4.

start-stop-daemon --start to start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named Or you can change (create it if it does not exit) the default configuration file and introduce the following: OPTIONS="-u named -g named" Change the permissions of files that are used by Bind, including /etc/bind/rndc.key:
5.

-rw-r-----

1 root

named

77 Jan 4 01:02 rndc.key

and where bind creates its pidfile, using, for example, /var/run/named instead of /var/run: $ mkdir /var/run/named $ chown named.named /var/run/named $ vi /etc/named.conf [ ... update the configuration file to use this new location ...] options { ... pid-file "/var/run/named/named.pid"; }; [ ... ] Also, in order to avoid running anything as root, change the reload line in the init.d script by substituting:
6.

19

reload) /usr/sbin/ndc reload to: reload) $0 stop sleep 1 $0 start All you need to do now is to restart bind via /etc/init.d/bind restart, and then check your syslog for two entries like this:
7.

Sep 4 15:11:08 nexus named[13439]: group = named Sep 4 15:11:08 nexus named[13439]: user = named Chrooting the name server To achieve maximum BIND security, now build a chroot jail around your daemon. There is an easy way to do this: the -t option. This will make Bind chroot itself into the given directory without you needing to set up a chroot jail and worry about dynamic libraries. The only files that need to be in the chroot jail are: dev/null etc/bind/ - should hold named.conf and all the server zones sbin/named-xfer - if you do name transfers var/run/named/ - should hold the PID and the name server cache (if any) this directory needs to be writable by named user var/log/named - if you set up logging to a file, needs to be writable for the named user dev/log - syslogd should be listening here if named is configured to log through it 1. In order for your Bind daemon to work properly it needs permission in the named files. This is an easy task since the configuration files are always at /etc/named/. Take into account that it only needs read-only access to the zone files, unless it is a secondary or cache name server. If this is your case you will have to give read-write permissions to the necessary zones (so that zone transfers from the primary server work). 2. If you are setting up a full chroot jail (i.e. not just -t) for Bind in Debian, make sure you have the following files in it:
20

dev/log - syslogd should be listening here dev/null etc/bind/named.conf etc/localtime etc/group - with only a single line: "named:x:GID:" etc/ld.so.cache - generated with ldconfig lib/ld-2.3.6.so lib/libc-2.3.6.so lib/ld-linux.so.2 - symlinked to ld-2.3.6.so lib/libc.so.6 - symlinked to libc-2.3.6.so sbin/ldconfig - may be deleted after setting up the chroot sbin/named-xfer - if you do name transfers var/run/ 3. And modify also syslogd listen on $CHROOT/dev/log so the named server can write syslog entries into the local system log. 4. If you want to avoid problems with dynamic libraries, you can compile bind statically. You can use apt-get for this, with the source option. It can even download the packages you need to properly compile it. You would need to do something similar to: $ apt-get source bind # apt-get build-dep bind $ cd bind-8.2.5-2 (edit src/port/linux/Makefile so CFLAGS includes the 'static' option) $ dpkg-buildpackage -rfakeroot -uc -us $ cd .. # dpkg -i bind-8.2.5-2*deb 5. After installation, you will need to move around the files to the chroot jail you can keep the init.d scripts in /etc/init.d so that the system will automatically start the name server, but edit them to add --chroot /location_of_chroot in the calls to start-stop-daemon in those scripts or use the -t option for BIND by setting it in the OPTIONS argument at the /etc/default/bind9 (for version 9) configuration file. D. DHCP SERVER D.1 Howto Install DHCP Server in Microsoft Windows 2003 and Debian Linux - Installing the DHCP in Microsoft Windows 2003-

21

1. Click Start, point to Control Panel, and then click Add or Remove

Programs.
2. In the Add or Remove Programs dialog box, click Add/Remove Windows

Components.
3. In the Windows Components Wizard, click Networking Services in the

Components list, and then click Details.

4. In the Networking Services dialog box, click to select the Dynamic Host

Configuration Protocol (DHCP) check box, and then click OK.

5. In the Windows Components Wizard, click Next to start Setup. Insert

the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive if you are prompted to do so. Setup copies the DHCP server and tool files to your computer. 6. When Setup is completed, click Finish. -Installing The DHCP Server in Debian Linux1. Install our DHCP server on our Debian Sarge system: Apt-get install dhcp3-server 2. You will be asked a few questions: On what network interfaces should the DHCP server listen? Click eth0 Please configure the DHCP server as soon as the installation finishes. Click Ok The version 3 DHCP server is now non-authoritative by default. Click Ok 3. At the end of the installation you will see errors like these: Generating /etc/default/dhcp3-server... Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics. invoke-rc.d: initscript dhcp3-server, action "start" failed. D.2 Howto Configure DHCP Server in Microsoft Windows 2003 and Debian Linux -Configuring the DHCP Server in Microsoft Windows 20031. Click Start, point to Programs, point to Administrative Tools, and then

click DHCP.
2. In the console tree, right-click the DHCP server on which you want to

create the new DHCP scope, and then click New Scope.
3. In the New Scope Wizard, click Next, and then type a name and

description for the scope. This can be any name that you want, but it should be descriptive enough so that you can identify the purpose of the scope on your network (for example, you can use a name such as "Administration Building Client Addresses"). Click Next.
22

4. Type the range of addresses that can be leased as part of this scope

(for example, use a range of IP addresses from a starting IP address of 192.168.100.1 to an ending address of 192.168.100.100). Because these addresses are given to clients, they must all be valid addresses for your network and not currently in use. If you want to use a different subnet mask, type the new subnet mask. Click Next. 5. Type any IP addresses that you want to exclude from the range that you entered. This includes any addresses in the range described in step 4 that may have already been statically assigned to various computers in your organization. Typically, domain controllers, Web servers, DHCP servers, Domain Name System (DNS) servers, and other servers, have statically assigned IP addresses. Click Next. 6. Type the number of days, hours, and minutes before an IP address lease from this scope expires. This determines how long a client can hold a leased address without renewing it. Click Next, and then click Yes, I want to configure these options now to extend the wizard to include settings for the most common DHCP options. Click Next. 7. Type the IP address for the default gateway that should be used by clients that obtain an IP address from this scope. Click Add to add the default gateway address in the list, and then click Next. 8. If you are using DNS servers on your network, type your organization's domain name in the Parent domain box. Type the name of your DNS server, and then click Resolve to make sure that your DHCP server can contact the DNS server and determine its address. Click Add to include that server in the list of DNS servers that are assigned to the DHCP clients. Click Next, and then follow the same steps if you are using a Windows Internet Naming Service (WINS) server, by adding its name and IP address. Click Next. 9. Click Yes, I want to activate this scope now to activate the scope and allow clients to obtain leases from it, and then click Next. 10. Click Finish. 11. In the console tree, click the server name, and then click Authorize on the Action menu. -Configuring DHCP server in Debian LinuxThe main Configuration file for DHCP server is /etc/dhcp3/dhcpd.conf 1. Before doing any changes take backup copy of this file and add the following lines: option domain-name "test1.com"; option domain-name-servers 192.0.0.1, 194.2.0.50; option routers 192.0.0.151; default-lease-time 3600; subnet 192.0.0.0 netmask 255.255.255.0 {
23

arrange 192.0.0.200 192.0.0.254; } First line provides the name field for the clients, second line gives DNS for for the clients, third one is for router ip,fourth one is lease time fifth line is subnet and netmask details, sixth line is ipaddress range for your client. 2. If you want to configure static ipaddress for some machines follow this host hostname { hardware ethernet 00:B0:CF:8B:49:37; fixed-address 192.0.0.19; } First line name of the host you want to configure static ip address,second one is MAC address of that perticular machine,if you want to find the MAC address of that machine you need to run the "ifconfig" command,third one is ipaddress you want to assign to that perticular machine. 3. You need to restart the DHCP daemon to take effect of your new changes. #/etc/init.d/dhcp3-server restart
4. If it restarts without any errors your configuration is correct. If you get

any errors you need to check the log files for more error information #tail /var/log/messages

PART III NETWORK SECURITY

24

A. NETWORK SECURITY BASICS A.1- Howto Implement Network Zoning A.2- Howto Secure Network Devices B. NETWOK ADDRESS TRANSLATOR (NAT) B.1- Howto Configure NAT B.2- Howto Manage NAT C. VIRTUAL PRIVATE NETWORKS (VPN) C.1- Purpose of VPNs C.2- Types of VPNs C.3- Howto Install, Configure, and Troubleshoot VPNs in Microsoft Windows 2003 A.1 Howto Implement Network Zoning 1. SAN Zoning is relatively easy to configure on most Fibre Channel switches. In the case of our Qlogic Corp. SANbox 2 Fibre Channel switch, we used their SANsurfer 2 management software to set up our zones.
25

2. Using SANsurfer 2's zone management interface we created a zone set for our switch.

3. After creating the zone set, we created two SAN zones within the set to accommodate two network segments.

26

4. Once the zones were configured, the process of assigning servers and RAID devices to specific zones was a simple drag and drop operation. We created a zone for each of our servers and assigned each of them a port from our two-port Hitachi RAID unit.

A.2 Howto Secure Network Devices -Threats and CountermeasuresAn attacker looks for poorly configured network devices to exploit. Common vulnerabilities include weak default installation settings, wide-open access controls, and unpatched devices. Information Gathering

27

Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount pointed attacks at the discovered vulnerabilities. Vulnerabilities Common vulnerabilities that make your network susceptible to an attack include: The inherently insecure nature of the TCP/IP protocol suite Configuration information provided by banners Exposed services that should be blocked Attacks Common information-gathering attacks include: Using Tracert to detect network topology Using Telnet to open ports for banner grabbing Using port scans to detect open ports Using broadcast requests to enumerate hosts on a subnet Countermeasures You can employ the following countermeasures: Use generic service banners that do not give away configuration information such as software versions or names. Use firewalls to mask services that should not be publicly exposed. Sniffing Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Also, lightweight hashing algorithms can be cracked and the payload that was thought to be safe can be deciphered. Vulnerabilities Common vulnerabilities that make your network susceptible to data sniffing include: Weak physical security Lack of encryption when sending sensitive data Services that communicate in plain text or weak encryption or hashing Attacks The attacker places packet sniffing tools on the network to capture all traffic. Countermeasures Countermeasures include the following: Strong physical security that prevents rogue devices from being placed on the network Encrypted credentials and application traffic over the network Spoofing Spoofing, also called identity obfuscation, is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address. Spoofing can be used to hide the original source of an attack or to work around network access
28

control lists (ACLs) that are in place to limit host access based on source address rules. Vulnerabilities Common vulnerabilities that make your network susceptible to spoofing include: The inherently insecure nature of the TCP/IP protocol suite Lack of ingress and egress filtering. Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. Egress filtering is the process of filtering outbound traffic from your network. Attacks An attacker can use several tools to modify outgoing packets so that they appear to originate from an alternate network or host. Countermeasures You can use ingress and egress filtering on perimeter routers. Session Hijacking With session hijacking, also known as man in the middle attacks, the attacker uses an application that masquerades as either the client or the server. This results in either the server or the client being tricked into thinking that the upstream host is the legitimate host. However, the upstream host is actually an attacker's host that is manipulating the network so that it appears to be the desired destination. Session hijacking can be used to obtain logon information that can then be used to gain access to a system or to confidential information. Vulnerabilities Common vulnerabilities that make your network susceptible to session hijacking include: Weak physical security The inherent insecurity of the TCP/IP protocol suite Unencrypted communication Attacks An attacker can use several tools to combine spoofing, routing changes, and packet manipulation. Countermeasures Countermeasures include the following: Session encryption Stateful inspection at the firewall Denial of Service A denial of service attack is the act of denying legitimate users access to a server or services. Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources. Vulnerabilities Vulnerabilities that increase the opportunities for denial of service include:
29

The inherent insecurity of the TCP/IP protocol suite Weak router and switch configuration Unencrypted communication Service software bugs Attacks Common denial of service attacks include: Brute force packet floods, such as cascading broadcast attacks SYN flood attacks Service exploits, such as buffer overflows Countermeasures Countermeasures include: Filtering broadcast requests Filtering Internet Control Message Protocol (ICMP) requests Patching and updating of service software

-MethodologySecurity begins with an understanding of how the system or network that needs to be secured works. Router The router is the outermost security gate. It is responsible for forwarding IP packets to the networks to which it is connected. These packets can be inbound requests from Internet clients to your Web server, request responses, or outgoing requests from internal clients. The router should be used to block unauthorized or undesired traffic between networks. The router itself must also be secured against reconfiguration by using secure administration interfaces and ensuring that it has the latest software patches and updates applied. Firewall The role of the firewall is to block all unnecessary ports and to allow traffic only from known ports. The firewall must be capable of monitoring incoming requests to prevent known attacks from reaching the Web server. Coupled with intrusion detection, the firewall is a useful tool for preventing attacks and detecting intrusion attempts, or in worst-case scenarios, the source of an attack. Like the router, the firewall runs on an operating system that must be patched regularly. Its administration interfaces must be secured and unused services must be disabled or removed. Switch The switch has a minimal role in a secure network environment. Switches are designed to improve network performance to ease administration. For this reason, you can easily configure a switch by sending specially formatted packets to it. For more information. -Router ConsiderationsThe router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that
30

are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP). If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers. Patches and Updates Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found and they inevitably will be found good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment. Protocols Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should: Use ingress and egress filtering. Screen ICMP traffic from the internal network. Use Ingress and Egress Filtering Spoofed packets are representative of probes, attacks, and a knowledgeable attacker. Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network. Screen ICMP Traffic from the Internal Network Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. Other ICMP vulnerabilities exist that justify blocking this protocol. While ICMP can be used for troubleshooting, it can also be used for network discovery and mapping. Therefore, control the use of ICMP. If you must enable it, use it in echo-reply mode only. Prevent TTL Expired Messages with Values of 1 or 0 Trace routing uses TTL values of 1 and 0 to count routing hops between a client and a server. Trace routing is a means to collect network topology information. By blocking packets of this type, you prevent an attacker from learning details about your network from trace routes. Do Not Receive or Forward Directed Broadcast Traffic Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. For example, by blocking specific source addresses, you prevent malicious echo requests from causing cascading ping floods. -Administrative Access31

From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed. Restrict access to those specific locations. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. In addition: Disable Unused Interfaces Only required interfaces should be enabled on the router. An unused interface is not monitored or controlled, and it is probably not updated. This might expose you to unknown attacks on those interfaces. Apply Strong Password Policies Brute force password software can launch more than just dictionary attacks. It can discover common passwords where a letter is replaced by a number. For example, if "p4ssw0rd" is used as a password, it can be cracked. Always use uppercase and lowercase, number, and symbol combinations when creating passwords. Use Static Routing Static routing prevents specially formed packets from changing routing tables on your router. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. By using static routes, an administrative interface must first be compromised to make routing changes. Audit Web Facing Administration Interfaces Also determine whether internal access can be configured. When possible, shut down the external administration interface and use internal access methods with ACLs. -ServicesOn a deployed router, every open port is associated with a listening service. To reduce the attack surface area, default services that are not required should be shut down. Examples include bootps and Finger, which are rarely required. You should also scan your router to detect which ports are open. -Auditing and Logging By default, a router logs all deny actions; this default behavior should not be changed. Also secure log files in a central location. Modern routers have an array of logging features that include the ability to set severities based on the data logged. An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing. -Intrusion DetectionWith restrictions in place at the router to prevent TCP/IP attacks, the router should be able to identify when an attack is taking place and notify asystem administrator of the attack. Attackers learn what your security priorities are and attempt to work around them. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks. -Firewall Considerations32

A firewall should exist anywhere you interact with an untrusted network, especially the Internet. It is also recommended that you separate your Web servers from downstream application and database servers with an internal firewall. After the router, with its broad filters and gatekeepers, the firewall is the next point of attack. In many (if not most) cases, you do not have administrative access to the upstream router. Many of the filters and ACLs that apply to the router can also be implemented at the firewall. The configuration categories for the firewall include: Patches and Updates Subscribe to alert services provided by the manufacturer of your firewall and operating system to stay current with both security issues and service patches. Filters Filtering published ports on a firewall can be an effective and efficient method of blocking malicious packets and payloads. Filters range from simple packet filters that restrict traffic at the network layer based on source and destination IP addresses and port numbers, to complex application filters that inspect application-specific payloads. A defense in depth approach that uses layered filters is a very effective way to block attacks. Logging and Auditing Logging all incoming and outgoing requests regardless of firewall rules allows you to detect intrusion attempts or, even worse, successful attacks that were previously undetected. Historically, network administrators sometimes had to analyze audit logs to determine how an attack succeeded. In those cases, administrators were able to apply solutions to the vulnerabilities, learn how they were compromised, and discover other vulnerabilities that existed. Apply the following policies for logging and log auditing. Log all traffic that passes through the firewall. Maintain healthy log cycling that allows quick data analysis. The more data you have, the larger the log files size. Make sure the firewall clock is synchronized with the other network hardware. Perimeter Networks A firewall should exist anywhere your servers interact with an untrusted network. If your Web servers connect to a back-end network, such as a bank of database servers or corporate network, a screen should exist to isolate the two networks. While the Web zone has the greatest degree of exposure, a compromise in the Web zone should not result in the compromise of downstream networks. By default, the perimeter network should block all outbound connections except those that are expected. -Switch Considerations33

A switch is responsible for forwarding packets directly to a host or network segment, rather than sharing the data with the entire network. Therefore, traffic is not shared between switched segments. This is a preventive measure against packet sniffing between networks. An attacker can circumvent this security by reconfiguring switching rules using easily accessed administrative interfaces, including known account names and passwords and SNMP packets. Patches and Updates Patches and updates must be tested and installed as soon as they are available. VLANs Virtual LANs allow you to separate network segments and apply access control based on security rules. However, a VLAN enhances network performance, but doesn't necessarily provide security. Limit the use of VLANs to the perimeter network (behind the firewall) since many insecure interfaces exist for ease of administration. For more information about VLANs, see the article "Configuring VLANS" on the Cisco Web site. Insecure Defaults To make sure that insecure defaults are secured, change all factory default passwords and SNMP community strings to prevent network enumeration or total control of the switch. Also investigate and identify potentially undocumented accounts and change the default names and passwords. These types of accounts are often found on well-known switch types and are well publicized and known by attackers. Services Make sure that all unused services are disabled. Also make sure that Trivial File Transfer Protocol (TFTP) is disabled, Internet-facing administration points are removed, and ACLs are configured to limit administrative access. Encryption Although it is not traditionally implemented at the switch, data encryption over the wire ensures that sniffed packets are useless in cases where a monitor is placed on the same switched segment or where the switch is compromised, allowing sniffing across segments. -Additional ConsiderationsThe following considerations can further improve network security: Ensure that clocks are synchronized on all network devices. Set the network time and have all sources synchronized to a known, reliable time source. Use Terminal Access Controller Access Control System (TACACS) or Remote Authentication Dial-In User Service (RADIUS) authentication for highly secure environments as a means of limiting administrative access to the network. Define an IP network that can be easily secured using ACLs at subnets or network boundaries whenever possible.
34

-Snapshot of a Secure NetworkThe table below provides a snapshot of the characteristics of a secure network. The security settings are abstracted from industry security experts and real-world applications in secure deployments. You can use the snapshot as a reference point when evaluating your own solution. Component Router Patches and Updates Characteristic Router operating system is patched with up-to-date software. Unused protocols and ports are blocked. Ingress and egress filtering is implemented. ICMP traffic is screened from the internal network. TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled). Directed broadcast traffic is not forwarded. Large ping packets are screened. Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router. Unused management interfaces on the router are disabled. A strong administration password policy is enforced. Static routing is used. Web-facing administration is disabled. Unused services are disabled (for example bootps and Finger). Logging is enabled for all denied traffic. Logs are centrally stored and secured. Auditing against the logs for unusual patterns is in place. IDS is in place to identify and notify of an active attack. Firewall software and OS are patched with latest security updates. Packet filtering policy blocks all but required traffic in both directions. Application-specific filters are in place to restrict unnecessary traffic. All permitted traffic is logged. Denied traffic is logged. Logs are cycled with a frequency that allows quick data analysis.
35

Protocols

Administrative access

Services

Auditing and logging

Intrusion detection Firewall Patches and updates

Filters Logging and auditing

Perimeter networks Switch Patches and updates VLANs Insecure defaults Services Encryption Other Log synchronization Administrative access to the network Network ACLs

All devices on the network are synchronized to a common time source. Perimeter network is in place if multiple networks require access to servers. Firewall is placed between untrusted networks. Latest security patches are tested and installed or the threat from known vulnerabilities is mitigated. Make sure VLANs are not overused or overly trusted. All factory passwords are changed. Minimal administrative interfaces are available. Access controls are configured to secure SNMP community strings. Unused services are disabled. Switched traffic is encrypted. All clocks on devices with logging capabilities are synchronized. TACACS or RADIUS is used to authenticate administrative users. The network is structured so ACLs can be placed on hosts and networks.

B. NETWOK ADDRESS TRANSLATOR (NAT) B.1 Howto Configure NAT Let's look at how to translate addresses. For more specifics than follow, I'll have to refer you to the Cisco Command Configuration Guide, which is very lucid. The NAT section of the IP chapter is particularly well-written and clear. It has good illustrations and explains in detail what happens as a packet is forwarded through the NAT router. 1. Here's a minimal sample configuration for static address translation. We assume Ethernet 0 is "inside" and Serial 0 is "outside". Private network 10.0.0.0 is used inside, and 192.1.1.0 outside. We'll translate 10.1.2.3 to 192.1.1.2 (and vice versa). The words "inside source" emphasize that the inside source address is what's getting changed. ip nat inside source static 10.1.2.3. 192.1.1.2 interface ethernet 0 ip address 10.1.2.1 255.255.255.0 ip nat inside interface serial 0
36

ip address 192.1.1.1 255.255.255.0 ip nat outside You may add address mappings or inside or outside interfaces as necessary. 2. Let's look at dynamic (pooled) translation. Same network and addresses as before. We'll set up a pool of addresses, translating sources in the range 10.1.2.0 through 10.1.2.255 to the range 192.1.1.10 through 20. The access list indicates what source addresses can be translated. The idea of the third line is that inside source addresses matching list 20 get translated to addresses from the pool named LegalPool. ip nat pool LegalPool 192.1.1.10 192.1.1.20 access-list 20 permit 10.1.2.0.0.0.0.255 ip nat inside source list 20 pool LegalPool interface ethernet 0 ip address 10.1.2.1 255.255.255.0 ip nat inside interface serial 0 ip address 92.1.1.1 255.255.255.0 ip nat outside 3. And then there's address overloading (port multiplexing). To obtain a sample configuration for doing port multiplexing, add the word "overload" at the end of the "ip nat inside source" line. This gives the router permission to start sharing addresses. ip nat inside source list 20 pool LegalPool overload You can configure outside source address translation similarly, changing "inside source" to "outside source" in the above examples. 4. Let's look at how to do static outside address translation, supposing subnet 10.1.5.0 occurs both inside and outside (we're connecting to another company here). We only need to talk to the outside machine 10.1.5.3, and we'll readdress it as private address192.168.1.1 on the inside (if we use 10.1.5.x, we have more complex routing issues to think about). This might call for something like the following. ip nat outside source static 10.1.5.3 192.168.1.1 interface ethernet 0 ip address 10.1.2.1 255.255.255.0 ip nat inside interface serial 0 ip address 10.1.3.1 255.255.255.0 ip nat outside
37

This sort of thing can also be done dynamically, using a pool of inside addresses, and an access list to match the outsidesource address, much like our earlier dynamic example. 5. You can even translate both ways, changing the source addresses as packets go through the router in either direction. Just combine the "inside source" and "outside source" configurations. 6. Finally, there's TCP Load Distribution. We define a pool of addresses containing the real hosts' addresses, ending with "type rotary". The access list now permits the IP address of the virtual host, i.e. what the outside world thinks is the host address. So the virtual host is 192.1.1.50, with the real hosts being 10.1.2.20 through 30. ip nat pool ServerPool 10.1.2.20 10.1.2.30 type rotary access-list 30 permit 192.1.1.50 0.0.0.0 ip nat inside destination list 30 pool ServerPool interface ethernet 0 ip address 10.1.2.1 255.255.255.0 ip nat inside interface serial 0 ip address 192.1.1.1 255.255.255.0 ip nat outside 7. There are also commands to tune address translation. The dynamic translations time out after non-use; the timeout period is configurable. (Without overloading, the timeout is 24 hours). The number is how many seconds before timeout. ip nat translation timeout 3600 8. With overloading, there is finer control, for UDP, DNS, and TCP, also Finish and Reset packets: ip ip ip ip nat nat nat nat translation translation translation translation udp-timeout 3600 dns-timeout 3600 tcp-timeout 3600 finrst- timeout 3600

(Please note this does not recommend 3600 seconds as a timeout, just using it to demonstrate the syntax of the command.)

B.2 Howto Manage NAT

38

-Commands to Manage NAT1. To clear the dynamic translation table before timeout occurs: clear ip nat translation * 2. You can also clear specific entries. To see what's there: show ip nat translations show ip nat translations verbose 3. There's also: show ip nat statistics 4. There are also NAT debug commands. These include: debug ip nat debug ip nat 110 debug ip nat detailed Don't use these debug commands in a production router, you'll have more output than you could possibly have wanted. -Restrictions on Using the Precision Server to Manage NAT EnvironmentsThe following restrictions currently apply to the management of NAT environments using the Precision Server: The Precision Server can discover one or more NAT environments, but they must all be using static NAT address mapping. The Precision Server can discover devices in multiple NAT domains, regardless of whether the private IP addresses of the devices are duplicated in other NAT domains, as long as the public IP address of each device in each domain is unique. Devices within a NAT domain that have only private IP addresses cannot be discovered or managed by the Precision Server. The discovery process must discover the NAT environment from outside, that is, from the public network. Virtual IP addresses such as HSRP (Hot Standby Routing Protocol) addresses cannot be mapped. The real physical address must be used. The following must be supplied before the discovery is run: o The addresses of all supported NAT gateways. o The NAT gateway translations must be discovered. This can be done either automatically or by supplying the NATTextFileAgent discovery agent with a flat file of public to private IP address mappings. C. VIRTUAL PRIVATE NETWORKS (VPN)
39

C.1 Purpose of VPN VPN gives extremely secure connections between private networks linked through the Internet. It allows your remote computer(s) to act as though they were on the same secure, local (USU) network. Allows you to be at home or anywhere Internet access is available and access the USU network and computer systems in the same way as if you were connected directly at USU. Almost impossible for someone to tap or interfere with data in the VPN tunnel. C.2 Types of VPN PPTP VPN (Dial-up VPN) A simple method for VPN is PPTP. It is a software based VPN system that uses your existing Internet connection. By using your existing Internet connection, a secure "tunnel" is created between two points allowing a remote user to connect to a remote network. You can setup this type of connection with various types of software or hardware. Windows Server has a PPTP build-it and you can connect to it via a native VPN client within Windows. Juniper and Cisco also have this ability, but require 3rd party software to be loaded on remote workstations. There is some overhead associated with this as all data transmitted and received in encrypted. The can be referred to as the poor man's VPN. There is little to no cost to setup this type of VPN, and you can often use your existing equipment and software. It is sometimes referred to as "dial-up VPN" because when the client software connects it looks like its dialing up. See the diagram below:

40

Site-to-Site VPN Site-to-site is the same much the same thing as point-to-point except there is no "dedicated" line in use. Each site has it's own internet connection which may not be from the same ISP or even the same type. One may have a T1 while the other only has DSL. Unlike point-to-point, the routers at both ends do all the work. They do all the routing and encryption. This is an easy way to connect two offices without having each user "dail-up" using a PPTP connection. Site-to-site VPNs can work with hardware or software-based firewall devices. On the software side, you can use something like Clarkconnect. On the hardware side, you can have many different devices to choose from. Personally, I use the Juniper SSG firewalls. The technology commonly used with this type of setup is IPsec or GRE.

Point-to-Point VPN A traditional VPN can also come as a point-to-point. These are also referred to as "leased-line VPNs." Simply put, two or more networks are connected using a dedicated line from an ISP. These lines can be packet or circuit switched. For example, T1's, Metro Ethernet, DS3, ATM or something else. The main strength of using a leased line is the direct point-to-point connection. It does not go out over the public Internet, so there performance is not degraded by routing problems, latency, and external congestion. See the diagram below:

41

These types of connections can be expensive. A physical "loop" of wire or fiber must be used to connect the destinations. However, these are true point-to-point connections the maximum throughput can usually be achieved. Meaning, a T1 passes data at a full 1.54 Mbps. Leased line point-to-point connections are usually required when two offices need to transfer large amounts of data. MPLS VPNs MPLS is a true "ISP-tuned" VPN. It requires 2 or more sites connected via the same ISP or an "on-net" connection*. There is a way to configure this using different ISP's or "off-net" but you never get the same performance. I've tried... While it does use your existing Internet connection, tweaks are made by your ISP for performance and security.

42

MPLS (Multi-Protocol Label Switching) was originally designed to improve the store-and-forward speed of routers. MPLS was created as a team effort on the part of Ipsilon, Cisco, IBM, and Toshiba. These companies worked together as part of the IETF (Internet Engineering Task Force) and MPLS was born. MPLS does perform better than a siteto-site VPN because there is less overhead, and the routing between sites is optimized by static routes from your ISP. Most larger ISPs can even bring your data center (if you have one) into your MPLS network. A real MPLS network should provide ping times between sites in under 10 ms. Traditional site-to-site VPNs can range anywhere from 30 ms (at best) to over 100 ms. C.3 Howto Install, Configure, and Troubleshoot VPNs in Microsoft Windows 2003 -Installing and Enabling VPN1. On the Microsoft Windows 2000 VPN computer, confirm that both the connection to the Internet and the connection to your local area network (LAN) are correctly configured. 2. Click Start, point to Administrative Tools, and then click Routing and Remote Access. 3. Click the server name in the tree, and click Configure and Enable Routing and Remote Access on the Action menu, and then click Next. 4. In the Common Configurations dialog box, click Virtual private network (VPN server), and then click Next. 5. In the Remote Client Protocols dialog box, confirm that TCP/IP is included in the list, click Yes, all of the available protocols are on this list, and then click Next. 6. In the Internet Connection dialog box, select the Internet connection that will connect to the Internet, and then click Next. 7. In the IP Address Assignment dialog box, select Automatically in order to use the DHCP server on your subnet to assign IP addresses to dialup clients and to the server. 8. In the Managing Multiple Remote Access Servers dialog box, confirm that the No, I don't want to set up this server to use RADIUS now checkbox is selected. 9. Click Next, and then click Finish. 10. Right click the Ports node, and then click Properties. 11. In the Ports Properties dialog box, click the WAN Miniport (PPTP) device, and then click Configure. 12. In the Configure Device - WAN Miniport (PPTP) dialog box, do one of the following:
43

If you do not want to support direct user dialup VPN to modems installed on the server, click to clear the Demand-Dial Routing Connections (Inbound and Outbound) check box. o If you do want to support direct user dialup VPN to modems installed on the server, click to select the Demand-Dial Routing Connections (Inbound and Outbound) check box. 13. Type the maximum number of simultaneous PPTP connections that you want to allow in the Maximum Ports text box. (This may depend on the number of available IP addresses. 14. Repeat steps 11 through 13 for the L2TP device, and then click OK.
o

-How to Configure the VPN Server Configuring the Remote Access Server as a Router

For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server. To configure the server as a router: 1. Click Start, point to Administrative Tools, and then click Routing and Remote Access. 2. Right-click the server name, and then click Properties. 3. On the General tab, click to select Enable This Computer As A Router. 4. Select either Local area network (LAN) routing only or LAN and demand-dial routing, and then click OK to close the Properties dialog box. How to Configure PPTP Ports

Confirm the number of PPTP ports that you need. To verify the number of ports or to add ports, follow these steps: 1. Click Start, point to Administrative Tools, and then click Routing and Remote Access. 2. In the console tree, expand Routing and Remote Access, expand the server name, and then click Ports. 3. Right-click Ports, and then click Properties. 4. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure. 5. In the Configure Device dialog box, select the maximum number of ports for the device, and then select the options to specify whether the device accepts incoming connections only, or both incoming and outgoing connections. How to Manage Addresses and Name Servers

44

The VPN server must have IP addresses available in order to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client. How to Manage Access Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections. o Access by User Account If you are managing remote access on a user basis, click Allow Access on the Dial-In tab of the user's Properties dialog box for those user accounts that are allowed to create VPN connections. If the VPN server is allowing only VPN connections, delete the default remote access policy called "Allow Access If Dial-In Permission Is Enabled." Then create a new remote access policy with a descriptive name, such as VPN Access If Allowed By User Account. o Access by Group Membership If you are managing remote access on a group basis, click the Control access through remote access policy radio button on all user accounts by using the Active Directory Users and Computers Console in Administrator Tools or MMC snap-in. Create a Windows 2000 group with members who are allowed to create VPN connections. If the VPN server allows only VPN connections, delete the default remote access policy called Allow Access If Dial-In Permission Is Enabled. Next, create a new remote access policy with a descriptive name such as VPN Access If Member Of VPN-Allowed Group. If the VPN server also allows dial-up networking remote access services, do not delete the default policy; instead move it so that it is the last policy to be evaluated. -Troubleshooting of VPNTroubleshooting Remote Access VPNs Unable to Establish a Remote Access VPN Connection a) Cause: The machine name of the client computer is the same as the machine name of another computer on the network. Solution: Verify that the machine names of all computers on the network and connecting to the network are using unique machine names. b) Cause: The Routing and Remote Access service is not started on the VPN server. Solution: Verify the state of the Routing and Remote Access service on the VPN server. c) Cause: Remote access is not enabled on the VPN server. Solution: Enable remote access on the VPN server.
45

d) Cause: PPTP or L2TP ports are not enabled for inbound remote access

e)

f)

g)

h)

i)

j)

requests. Solution: Enable PPTP or L2TP ports, or both, for inbound remote access requests. Cause: The LAN protocols used by the VPN clients are not enabled for remote access on the VPN server. Solution: Enable the LAN protocols used by the VPN clients for remote access on the VPN server. Cause: All of the PPTP or L2TP ports on the VPN server are already being used by currently connected remote access clients or demanddial routers. Solution: Verify that all of the PPTP or L2TP ports on the VPN server are not already being used by clicking Ports in Routing and Remote Access. If necessary, change the number of PPTP or L2TP ports to allow more concurrent connections. Cause: the VPN server does not support The tunneling protocol of the VPN client. By default, Windows 2000 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then they try a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server. By default, a computer running Windows 2000 Server and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero. Solution: Verify that the appropriate number of PPTP or L2TP ports is configured. Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common authentication method. Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common authentication method. Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common encryption method. Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common encryption method. Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies.
46

Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. In order for the connection to be established, the settings of the connection attempt must: a. Match all of the conditions of at least one remote access policy. b. Be granted remote access permission through the user account (set to Allow access) or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission). c. Match all the settings of the profile. d. Match all the settings of the dial-in properties of the user account. k) Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server. The properties of the remote access policy profile and the properties of the VPN server both contain settings for: a. Multilink b. Bandwidth allocation protocol c. Authentication protocols d. If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the EAP-TLS authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected. Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server l) Cause: The answering router is unable to validate the credentials of the calling router (user name, password, and domain name). Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server. m) Cause: There are not enough addresses in the static IP address pool. Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server is unable to allocate an IP address, and the connection attempt is rejected. Modify the static IP address pool if needed. n) Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to allow IPX clients to request their own IPX node number. Solution: Configure the VPN server to allow IPX clients to request their own IPX node number.
47

o) Cause: The VPN server is configured with a range of IPX network

p)

q)

r)

s)

numbers that are being used elsewhere on your IPX network. Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network. Cause: The authentication provider of the VPN server is improperly configured. Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows 2000 or RADIUS to authenticate the credentials of the VPN client. Cause: The VPN server cannot access Active Directory. Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows 2000 domain that is configured for Windows 2000 authentication, verify the following: a. The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local. b. The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object. c. The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the "netsh ras add registeredserver" command to register the server in a specified domain. If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (due to the way that Windows 2000 caches Active Directory information). To immediately effect this change, you need to restart the VPN server computer. d. For a native-mode domain, the VPN server has joined the domain. Cause: A Windows NT 4.0 VPN server cannot validate connection requests. Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows 2000 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the following command: a. "net localgroup "Pre-Windows 2000 Compatible Access"" b. If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer: c. net localgroup "Pre-Windows 2000 Compatible Access" everyone /add Cause: The VPN server is unable to communicate with the configured RADIUS server. Solution: If your RADIUS server is only reachable through your Internet interface, add an input filter and an output filter to the
48

Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)"), or UDP port 1645 (for older RADIUS servers) for RADIUS authentication and UDP port 1813 (based on RFC 2139, "RADIUS Accounting"), or UDP port 1646 (for older RADIUS servers) for RADIUS accounting. t) Cause: Cannot connect to the VPN server over the Internet using the Ping.exe utility. Solution: Due to the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the VPN server, Internet Control Message Protocol (ICMP) packets used by the ping command are filtered out. To enable the VPN server to respond to ICMP (ping) packets, you need to add an input filter and an output filter that allow traffic for IP protocol 1 (ICMP traffic).

49

Part IV Suggestions
Due to the information discussed about installation and configuration of different servers in Microsoft and in Debian. We see the differences of their procedure, and the disadvantages and advantages between the two of them. Known vulnerabilities of IIS includes: it may allow an attacker to obtain elevated privileges. The second vulnerability may allow a remote attacker to cause a denial of service condition. The third vulnerability may allow a remote attacker to upload a file onto the vulnerable server and possibly execute it. The final vulnerability is a cross site scripting vulnerability. So we suggest blocking external access at the network boundary, unless service is required by external parties. For services not meant for public use, restrict access to trusted hosts and networks only. Disallow anonymous access to services. Do not follow links provided by unknown or untrusted sources. Modify default configuration files, to disable any unwanted behavior. In terms of choosing between IIS and Apache2, IIS has higher reliability because it has less vulnerability than Apache2, though Apache2 is easier to configure and manage and it is free. In the case of FTP server, with known disadvantages such as passwords and file contents are sent in clear text, allowing unwanted eavesdropping. It is hard to filter active mode FTP traffic on the client side by using a firewall, since the user must open a random port to make this connection. It is possible to tell a server to send data to an arbitrary port of a third computer. FTP has a number of security drawbacks, but you can overcome them in some cases. You can restrict an individual Linux user's access to non-anonymous FTP, and you can change the configuration to not display the FTP server's software version information, but unfortunately, though very convenient, FTP logins and data transfers are not encrypted. For added security, you may restrict FTP access to certain users by adding them to the list of users in the /etc/vsftpd.ftpusers file. The VSFTPD package creates this file with a number of entries for privileged users that normally shouldn't have FTP access. As FTP doesn't encrypt passwords, thereby increasing the risk of data or passwords being compromised, it is a good idea to let these entries remain and add new entries for additional security. Using DNS should provide high level security and convenience for users who install it and configure. But the disadvantage of using DHCP is that the name does not change when you get a new IP address. The DNS name is associated with your IP address and therefore does change. This only presents a problem if other clients try to access your machine by its DNS name.
50

NAT helps to protect your network or simply make connectivity easier. But there are drawbacks to NAT as well. We suggest lessening the complexity in implementing this, improving its lack of public addresses; solve compatibility problems with certain applications and problems with security protocols, strengthen its poor support for client access: In terms of VPNs we suggest the following: since one disadvantage of a VPN is that deployment requires a high-level of knowledge and understanding of such factors as public network security. VPN security requires password and data encryption. Network addresses may also be encrypted for added security. To avoid security and deployment problems, planning is necessary and proper precautions should be taken. Another disadvantage of the VPN is that its availability and performance are difficult to control. Typically, VPN speeds are much slower than those experienced with a traditional connection. At times, some VPNs appear to be a bit unsafe in terms of connectivity as well. For a variety of reasons, users may have a hard time staying on the VPN from time to time. While this may be annoying, the security offered by a VPN often outweighs the grief caused by occasional connection problems. But aside of these drawbacks, implementing VPN is cost saving and provides better scalability. Threats in internet services and networks security are inevitable. So we recommend that a proper education about securing networks should be learned by individuals who are concerned in these matters. We should be well educated on the several countermeasures against different attacks and threats. It is also important to keep your network resources and servers up to date too. Different web servers, network zoning, network address translator, and virtual private networks have their own advantages and disadvantages. The security, convenience in managing, and reliability of these servers should be develop to provide better internet services and well-built network security.

51

Part V Notes
Internet Services A. WEB SERVER A.1- http://www.developertutorials.com/tutorials/linux/how-to-installapache-2-on-linux-7-12-19-962/ A.2http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Lib rary/IIS/ A.3- http://tuxtweaks.com/2009/07/how-to-configure-apache-linux/ http://technet.microsoft.org A.4- http://flylib.com/books/en/3.372.1.84/1/ B. FTP SERVER B.1- support.microsoft.com/kb/323384 B.2- support.microsoft.com/kb/323384 B.3- http://howto.gumph.org/content/setup-virtual-users-anddirectories-in-vsftpd/ http://www.debianadmin.com/proftpd-server-installation-andconfiguration.html B.4- http://howto.gumph.org/content/setup-virtual-users-anddirectories-in-vsftpd/ http://www.debianadmin.com/proftpd-server-installation-andconfiguration.html C. DNS SERVER C.1http://www.petri.co.il/install_and_configure_windows_2003_dns_server. htm C.2- http://www.debian.org C.3- http://www.debian.org/doc/manuals/securing-debian-howto/ D. DHCP SERVER D.1- http://support.microsoft.com/kb/323416 http://www.howtoforge.com/dhcp_server_linux_debian D.2- http://support.microsoft.com/kb/323416 http://www.debian.org/dhcp.htm
52

Network Security A. NETWORK SECURITY BASICS A.1- http://www.comptechdoc.org/docs/craig/sanzoning/ A.2- http://msdn.microsoft.com/en-us/library/ff648651.aspx B. NETWOK ADDRESS TRANSLATOR (NAT) B.1- http://www.netcraftsmen.net/resources/archived-articles/427.html B.2- http://technet.microsoft.com/enus/library/cc739126%28WS.10%29.aspx C. VIRTUAL PRIVATE NETWORKS (VPN) C.1- http://it.usu.edu/htm/faq/faq_q=2182 C.2- http://skullbox.net/vpn.php C.3- http://support.microsoft.com/kb/308208

53