Internet Security Professional Reference:Index


Index

Symbols

* (asterisk) terminal write status, 33
* (asterisk) traceroute command, 39
\ (backslash) in UUCP Permissions file, 120
\ (backslash) with bang addressing, 102
\ (backslash) with UUCP Dialer, 109
“” (double quotes) in chat scripts, 114, 135
! (exclamation point) in procmon.cmd files, 71
! (exclamation point) in UUCP addresses, 101–102
! (exclamation point) telnet command, 46
# (pound) symbol in network configuration file, 20
? (question mark) in process tables, 53
? (question mark) telnet command, 46
3Com Corporation, packet filter vendor, 350
8lgm mailing list, 852

A

-a (arp command options), 40
-a (netstat command options), 35
-a (ruptime command option), 32
ac command, 149
access control lists (ACLs), 667–668
accessing TCP services with netacl, 245
accounting, user accounts with Kerberos, 481
accounting reports, firewall capabilities, 361
accton command, 156
ActivCard, Inc. web site, 574
active attacks, DNS servers, spoofing, 222–223
active hub mechanisms
commercial products, 197
hardware address spoofing, 197
aculog file, Unix audit log, 153
add-on utilities (Pretty Good Privacy), 657–660
adding user accounts to authentication server database (TIS Firewall Toolkit), 280–284
additional-tickets field, KRB_KDC_REQ message, 531
address classes, 9–11
class A, 10
class B, 10
class C, 11
netmask defaults, 12
Address Resolution Protocol (ARP), 18, 20, 40–41
addresses
bang addressing, 101
broadcast, 11
classes, 9–11
destinations, specifying, 18
dotted decimal address, 11
Ethernet, 20
hostname to IP address resolution, 26–27
Internet assignment, 9
Internet-to-Ethernet address translation table, 40
IP (Internet Protocol) addresses, 9–11
hacker access to, 387–389
spoofing, 434–437
multicast, 10
netmasks, 12
networks, pinging with netscan utility (TIS Firewall Toolkit), 295
octets, 10–11
reserved, 11
subnets, 11–14
translating hostnames into IP addresses, 14
UUCP (Unix to Unix CoPy) commands, compatibility with Internet addressing, 101
addresses field, KRB_KDC_REQ message, 531
alert (syslog file severity level), 151
alerts, firewall capabilities, 361
algebraic attacks, cryptanalysis, 602–603
algorithmic entry point scanners, virus scanners, 823–826
ALLOW-POSTDATE field, Kerberos tickets, 527
alt.2600 newsgroup, 857
alt.hacker newsgroup, 857
alt.security newsgroup, 857
alt.security.pgp newsgroup, 857
alt.security.ripem newsgroup, 857
anonymous FTP, vulnerability to hackers, 420
anonymous login (UUCP), 125–126
anonymous mode (FTP), 47
anonymous user account, Internet Information Server (IIS), 688
antivirus programs
behavior blockers, 831
heuristic scanners, 832–833
integrity checkers, 827–831
memory scanners, 826–827
rating criteria, 820
read stealth viruses, repair process, 837
virus scanners, 820–826
viruses
floppy boot records, 835–836
master boot records, 835–836
partition boot records, 835–836
see also computer viruses
ap-options field, KRB_AP_REQ message, 537
appending to COM files, file viruses, 791
Applet Host security mode, Java applets, 731
applets (Java)
security modes, 731–732
testing, 707, 729–731
viewing with Netscape, 732
Appletviewer (Java), 729–731
application gateways
authentication information, 353
cost, 353
firewall architecture, 353
application level proxies, 356–357
disadvantages, 348
firewalls, 348
performance guidelines for firewalls, 365–366
product comparisons for firewalls, 365–366
Application Log (Windows NT), 163
applications (TIS Firewall Toolkit)
authmgr client, 310–311
authsrv, 276–288, 311–318
clauses, 244
comments, inserting, 244
ftp-gw, 259–264, 318–322
http-gw, 270–275, 322–328
login-sh, 328–329
netacl, 245–249, 330–331
plug-gw, 288–294, 332–333
rlogin-gw, 255–259, 334–335
rules, 244, 255
smap client, 265, 336–337
smapd, 267, 337–339
tn-gw, 249–255, 339–342
x-gw, 275–276, 342–343
architecture
application gateways for firewalls, 353
router-based firewalls, 349–350
stateful packet filters for firewalls, 352
Argus FTP site, 854
Argus network management program, 414
ARMOR configuration keyword (PGP), 650
armor mode (PGP), 639
ARMORLINES configuration keyword (PGP), 650
-arp command (ifconfig), 18
ARP (Address Resolution Protocol), 20
ARP cache entries
deleting, 202
displaying, 202
network-level detection
continuous monitoring, 208–209
periodic polling, 207–208
permanent, inserting, 202–203
arp command, 18, 40–41
ARP cache entries (Windows NT), 202
arp program, vulnerability to hackers, 385
ARP requests, discontinuing, 201
ARP servers
difficulty of configuration, 203
implementing, 203
purpose, 203
ARP spoofing
ARP request discontinuation, 201
defined, 197
detecting, 201, 205–209
host level active detection, detecting, 206
host level passive detection, detecting, 205
inadvertent case studies, 199–201
malicious case studies, 200–201
network-level detection
continuous monitoring, 208–209
detecting, 207
periodic polling, 207–208
preventing, 201–204
process, 198–199
rlogin protocol vulnerability, 192
routers
case studies, 204–205
preventing, 203–204
server level detection, detecting, 206
ARPANET, 8–9
File Transfer Program, 47
asax (audit trail analyzer), 160
asax (web site), 160
Ascend web site, 683
ASCOM web site, 599
ASSERT ERROR (UUCP log file error message), 127
asterisk (*) terminal write status, 33
asterisk (*) traceroute command, 40
asymmetric cryptography, 600–601
asymmetric key encryption, 558–559
AT&T web site, 854
attaching digital signatures to e-mail messages with PGP, 637–643
attackers
ARP spoofing, 198–199
rlogin protocols, problems, 192–193
attacks on network security, 373–386
acquiring login accounts, 378–379
acquiring root access, 379–380
characterizing, 378–381
extend access by hackers, 380–381
modem-based, 409–418
audit trails, 147
analyzing
asax program, 160
chklastlog program, 160
chkwtmp program, 160
auditing utilities, 157–160
DOS utilities, 166–167
Ethernet sniffers, 159–160
open files reports, lsof program, 160
process accounting, 155–157
system monitoring/logging utilities, 160–161
Unix audit logs, 148–155
Windows NT, 162–166
see also logging; messages; reports
-auth host access rule, tn-gw application (TIS Firewall Toolkit), 254
auth (syslog file facility), 151
AUTH_UNIX authentication, 422
authdumpt command, authentication server database management, 284–286
authenticating
clients
in Kerberos networks, 533–537
to network services via Kerberos tickets, 513–515
network logons
certificate-based, 572
encrypted passwords, 572
plaintext passwords, 572
two-factor, 572
passwords with rlogin protocol, 191–192
user accounts with Kerberos, 480–484
workstations in Kerberos, 551–552
authentication
basic, Internet Information Server (IIS), 690
challenge/response, Internet Information Server (IIS), 690
cryptography goals, 566–567
Secure Sockets Layer (SSL), Internet Information Server (IIS), 690
tickets (Kerberos), 512
authentication server, see authsrv
Authentication Service Exchange (Kerberos), 517–520
specifications, 526–533
authenticator field, KRB_AP_REQ message, 538
authenticator-vno field, Kerberos ticket authenticators, 516
authenticators, Kerberos tickets, 515–516
authload command, authentication server database management, 284–286
authmgr client application (TIS Firewall Toolkit), 310–311
installation, 311
options, 311
authmgr command, 284
authorization-data field
Kerberos ticket authenticators, 516
Kerberos tickets, 515
authorizing user accounts with Kerberos, 481
authpriv (syslog file facility), 151
authsrv (authentication server), 276–278, 311–318
adding users to database, 280–284
administrative commands, 280–282
commands, 314–317
compiling, 277
configurations, 277
database management, 284–286
group configurations, 313
installation, 317–318
operations, 286–288
reports, 298–299
rules, 278–279
user configurations, 313
authtime field
Kerberos tickets, 514
KRB_CRED message, 546
KRB_KDC_REP message, 533

B

-b (finger command option), 34
backslash (\) in UUCP Permissions file, 120
with bang addressing, 102
with UUCP Dialer, 109
backup domain controller (Windows NT), 670–671
BAD LOGIN/MACHINE COMBINATION (UUCP log file error message), 127–128
BAKRING configuration keyword (PGP), 650
bang addressing, 101
basic authentication, Internet Information Server (IIS), 690
BATCHMODE command-line option (PGP), 653
baud rates, configuring UUCP networks, 112, 134
Bay Networks, packet filter vendor, 350
bdflush daemon, 57
behavior blockers (viruses)
disadvantages, 831–832
rating criteria, 831–832
virus warnings, 831–832
Bellcore web site, 194
Berkeley Internet Name Daemon (BIND), 225
Berkeley r-commands, 42–45
big endian coding, 725
bin directory (SATAN), 444–445
binary files
integrity, verifying to prevent hacker attacks, 439–440
PGP, vulnerability to hackers, 657
processing with PGP, 638–639
BIND resolver library, 41
bits, determining fixed status, 13
block ciphers, 593–594
Blowfish cipher
downloading, 599
symmetric encryption, 599
unpatented status, 599
BNU (Basic Networking Utilities), 98
Devices file, 105–107
Dialers file, 108–110
Systems file, 110–113
see also EUC
Bolt Beranek and Newman Inc. (BBN), 8
Bones Kerberos distribution, 498–499
boot (run level action field), 74
boot protocols, implementing, 26
boot record viruses
damage to FAT (File Allocation Table), 841
damage to HPFS (High Performance File System), 841–842
damage to NTFS (NT File System), 841–842
dropper programs (Windows NT), 840
floppy disk booting (Windows NT), 840
function, 773–774
multipartite viruses (Windows NT), 840
prevalence, 773–774
repairing, 833–836
Windows NT
installing, 842
virus behaviors, 840–842
boot records, 760
boot viruses, 811
multipartite, 811
network file servers, 811
over networks, 811
peer-to-peer networks, 811
booting
floppy disks
boot record viruses (Windows NT), 840
master boot record viruses (Windows NT), 838
process, 761–762
Windows NT with master boot record infection, 839–840
see system boot
BOOTP daemon, 26
bootpd servers
exploitation by hackers, 397–399
vulnerability to hackers, 397–399
bootwait (run level action field), 75
border routing protocols, 212
bounce to program hole, sendmail program, 381
Bourne shell, daemons, creating, 63–67
BREAK signals for chat scripts (UUCP), 113, 134
bridges
cost, 190
Drawbridge program, 190
installing, 190
versus routers, 190
versus switches, 190
broadcast addresses, 11
defined, 175
promiscuous mode, 175
broadcast command (ifconfig), 18
broadcast storms, debugging, 159
browsers (web)
Netscape, Java support, 732
non-proxy aware, 271–272
proxy aware, 272
running SATAN, 429–430
brute force hacker attacks against PGP (Pretty Good Privacy), 654–655
BSD (Berkeley Software Distribution) code, 54
BSD Unix (University of California at Berkeley), 8
buffers
fingerd program, vulnerability to hackers, 382
overruns, CGI programming in C/C++, 750
bugtraq mailing list, 386, 852
building SATAN, 455–476
bypassing CGIs to ensure security, 745–746
bytecodes (Java), 703, 711
verifying, 721

C

-C option, sendmail program, 385
-c count (ping command option), 29
C programming language, CGI libraries, 739, 750
C++ programming language
CGI programming, 750
versus Java, 707–710
caches, DNS corruption, 438
caddr field
Kerberos tickets, 515
KRB_CRED message, 546
KRB_KDC_REP message, 533
Caesar Cipher, symmetric encryption, 582–584
Call-unit (L-devices file field), 132
CALLBACK (Permissions file keyword), 122
CALLBACK REQUIRED, (UUCP log file error message), 127
calling costs, controlling UUCP systems, 110, 124, 133
Canadian Security Intelligence Service web site, 854
CAN’T ACCESS FILE (UUCP log file error message), 127
case studies
ARP spoofing
inadvertent, 199–201
malicious, 200–201
routers, 204–205
external routing protocols, 217
Routing Information Protocol (RIP), route spoofing, 213–215
sniffing low-level protocol information, 178–181
cast statements (Java), 709
CBC (Cipher Block Chaining) encryption, 488
CD-ROM, ENCRYPT application, 578
Central Intelligence Agency web site, 854
CERN WWW Consortium web site, 854
CERT (Computer Emergency Response Team), 850–851
CERT FTP Archive site, 854
CERT_DEPTH configuration keyword (PGP), 650
certificate authorities
CommerceNet, 570
digital certificates, Secure Sockets Layer (SSL), 690–691
secure channels, obtaining, 574–575
U.S. Postal Service, 568–569
Verisign Corporation, 568–569
CFB (Cipher Feedback) encryption, 488
CGIs (Common Gateway Interfaces), 735–740
access restriction, 743
with HTTP, 740
bypassing to ensure security, 745–746
dangers of, 737
data protection, 751–752
decoding, 738–739
encoding, 738–739
environment variables, 741
GET method of data input, vulnerability to hackers, 741–742
Internet Information Server (IIS) interfaces, 687
libraries, 739–740
nobody UIDs, 743
operations, 737–738
passing data
via command-line arguments, 737
via environment variables, 738
via standard input streams, 738
POST method of data input, vulnerability to hackers, 741–742
programming
C, 750
C++, 750
PERL, 747–750
safe languages, 750–751
request logins, 753
running
under program owner UIDs, 744–745
with minimum privileges, 743–744
running from controlled file system, 744
SSI (Server Side Includes), 746–747
vulnerability to hackers, 737, 740–742
web server trust relationships, 740
CGIWrap utility, 745
challenge/response authentication
Internet Information Server (IIS), 690
“nonce,” 677–679
“shared secret,” 677–679
Windows NT logon process, 677–679
characterizing attacks on network security, 378–381
CHARSET configuration keyword (PGP), 650
chat scripts, 109–110
UUCP, 113–116, 134–135
“” (double quotes), 114, 135
defining, 113–116, 134
special characters, 114–115, 135
with TCP/IP, 116
Chat-script (L.sys file field), 134
Check Point Software Firewall-1, 270, 354–355
Checkpoint Software Technologies web site, 682, 856
checksums
collision-proof, 495
crc32, 495
des-mac, 496
des-mac-k, 497
Kerberos support for, 494–497
keyed, 495
rsa-md4, 496
rsa-md4-des, 496
rsa-md4-des-k, 496
rsa-md5, 496
rsa-md5-des, 496
chklastlog (audit trail analyzer), 160
chkwtmp (audit trail analyzer), 160
chmod command (UUCP), 126
CIAC (Computer Incident Advisory Capability) group, 850
archives, 405
web site, 854
ciphers
block, 593–594
encrypted messages, 491
stream, 593–594
ciphertext, 485
circuit gateways for firewalls, 347–348
CISC (Complex Instruction Set Computing) CPUs, 723
Cisco Systems
packet filter vendor, 350–352, 369
web site, 576
Ckpasswd FTP site, 854
cksum field
Kerberos ticket authenticators, 516
KRB_SAFE message, 541
class A addresses, 10
class B addresses, 10
class C addresses, 11
class loader (Java), 720–721
classes
addresses, 9–11
fragile superclasses (C++), 709
Internet Threat Levels, 375
Java, 709
methods, calling with Java, 718
clauses (TIS Firewall Toolkit), 244
netacl, 246
plug-gw, 288–289
rlogin-gw application, 256
smap, 336–337
tn-gw, 250–251
cleartext password mechanisms (Kerberos), 194
CLEARSIG configuration keyword (PGP), 650
clearsigning e-mail messages with PGP, 646–647
client applications (HTTP)
non-proxy aware, 271–272
proxy aware, 272
client requests, Kerberos Key Distribution Center, 526
client/server authentication exchange (Kerberos), 533–539
clients
authenticating
in Kerberos networks, 533–537
to network services via Kerberos tickets, 513–515
Authentication Service exchange with Kerberos, 517–520
Ticket Granting Service exchange with Kerberos, 520–526
Clone command (Java Appletviewer), 730
close (telnet command), 46
CLOSE_WAIT (socket state), 38
CLOSED (socket state), 38
CLOSING (socket state), 38
cname field
Kerberos tickets, 514
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 530
COAST (Computer Operations, Audit, and Security Technology) project, 850
web site, 854
code listings
dfmon daemon, 76–80
dfmon.cfg configuration file, 80–84
procmon command, 84
code signing
defined, 576–577
Microsoft Authenticode, 576–577
collision-proof checksums, 495
COM files
appending file viruses, 791
computer viruses, 768
infection process, 791
overwriting file viruses, 792
prepending file viruses, 791–792
commands
ac, 149
accton, 156
administrative, 29–42
arp, 40–41
authentication server (TIS Firewall Toolkit), 280–282
authload, authentication server database management, 284–286
authmgr, manipulating authentication server database, 284
Berkeley r-commands, 42–45
chmod (UUCP), 126
cu (UUCP), 108, 113, 132–134
dig, 41–42
executing on remote systems, 44–50
finger, 33–35
history, 155
hostname command, 15
ICMP ECHO_REQUEST, 29
ifconfig command, 17–19, 32–33
inetd, 22
Java Appletviewer, 730
kill command, 64
last, 149
lastcomm, 156
logging, 155–157
ls (UUCP), 107
make install (TIS Firewall Toolkit), 237
man, 66
mesg, 433
netstat, 26, 35–38, 158–159, 241
nslookup, 27
ping, 29–31
print, 68–69
processing, changing delay between, 71
procmon, 84–85
ps, 52, 157
rcmd, 45
rcp, 43
remote command execution, 139
require, 71
rlogin, 45
rlogin command, 42
rsh, 44
ruptime command, 31–32
rwho, 32
sa, 157
showmount, 62
sudo, 152
switch user, 152
TCP/IP categories, 28
telnet, 45–50
tn-gw application (TIS Firewall Toolkit), 252
traceroute, 38–39
uname (UUCP), 102
user commands, 42
uucico (UUCP), 116
uuclean, 140
uustat, 129
uutry (UUCP), 116
who, 76
COMMANDS (Permissions file keyword), 122
COMMENT configuration keyword (PGP), 650
comments, inserting in TIS Firewall Toolkit applications, 244
CommerceNet
certificate authorities, 570
web site, 570
Common Gateway Interfaces, see CGIs
comp.protocols.kerberos, 857
comp.security.announce, 857
comp.security.firewalls, 857
comp.security.misc, 857
comp.security.unix, 857
companion viruses
file renaming process, 803–804
propagation, 803–804
versus file viruses, 803–804
comparing executable files with integrity checkers, 827–831
compilers (Java), 707, 716–719
compiling
authentication servers (TIS Firewall Toolkit), 277
under BSDI, 236
under SunOS, 236
with Java, 713–719
complete trust relationships, PGP keys, 621–622, 630
COMPLETES_NEEDED configuration keyword (PGP), 650
COMPRESS configuration keyword (PGP), 651
compressing e-mail messages with PGP, 638
Computer Emergency Response Team, see CERT
Computer Incident Advisory Capability group, see CIAC group
Computer Operations, Audit, and Security Technology project, see COAST project
Computer Systems Consulting web site, 854
Computer Virus Help Desk web site, 604
computer viruses
assembly language, 757–758
boot record type, repairing, 833–836
classes, polymorphic, 812–813
companion, 803–804
date driven, 757–758
defined, 757–758
DOS
COM files, 768
EXE files, 768–769
SYS files, 769–774
viruses in Windows NT environment, 842–845
file types, 790–803
hardware evolution, 757–758
IBM PC types, 773–809
boot record, 773–774
floppy boot record, 774–782
master boot record, 786–789
partition boot record, 782–786
infected floppy disks, repairing, 833–834
known DOS viruses, 804–805
macros, 770–773
data files, 757–758
new versus old, 770–773
repairing, 837
versus assembly language programs, 772–773
malfunctioning, 805
master boot record, repairing, 834–835
memory resident programs (TSRs), 765–767
multipartite, 820
native variety (Windows NT), 846
partition boot record, repairing, 835
potential damage, 804–805
read stealth, repairing, 836–837
replication methods, 757–758
result of bad programming, 804–805
retro type, 819
slow type, 817–819
sources, 758
stealth, 813–815
targeting
MBRs, 763
PBRs, 765
Windows NT operating system overview, 838–846
worm programs, 808–809
writer demographics, 758
see also antivirus programs
concept virus
FileSaveAs macro, 807–808
infection process, 806–807
in global macro pool, 807–808
confidential data, sniffing, 178
confidentiality, cryptography goals, 566–567
config directory (SATAN), 443
configuration files
dfmon.cfg, 80–84
/etc/ethers, 20
/etc/exports, 62
/etc/ftpusers, 48
/etc/hosts, 19–20
/etc/hosts.equiv, 23
/etc/hosts.lpd, 25
/etc/inetd.conf, 22–23
/etc/inittab, 57
/etc/networks, 20–21
/etc/passwd, 24
/etc/pcnfsd.conf, 62
/etc/printcap, 25
/etc/procmon.cfg, 70
/etc/protocols, 21
/etc/rc, 55
/etc/sendmail.cf, 60
/etc/service, 21–22
/etc/sockcf, 25
/etc/strcf, 25
/etc/syslog.conf, 28, 59
.netrc, 49
pound (#) symbol, 20
procmon.cfg, 70
procmon.cmd, 70
.rhosts, 23
syslog.conf, 150
/usr/mmdf/mmdftailor, 61
configurations
authentication server (TIS Firewall Toolkit), 277
DNS, for smap client application (TIS Firewall Toolkit), 269–271
firewalls, for NTP server time updates, 241
ftp-gw application (TIS Firewall Toolkit), 259–264
http-gw application (TIS Firewall Toolkit), 270–275, 325–327
netacl application (TIS Firewall Toolkit), 245–249
PGP, 649–654
plug-gw application (TIS Firewall Toolkit), 288–289
rlogin-gw application (TIS Firewall Toolkit), 255–259
SATAN, 462–464
smap client application (TIS Firewall Toolkit), 265–267
smapd application (TIS Firewall Toolkit), 267–269
TCP/IP for TIS Firewall Toolkit, 242–243
TIS Firewall Toolkit, preparing for, 238–242
tn-gw application (TIS Firewall Toolkit), 249–255
x-gw application (TIS Firewall Toolkit), 275–276
configuring
firewalls, 358–359
interfaces for networks, 17–19
Internet proxy servers, 683–684
modems (UUCP Devices file), 105–107
Proxy Server
hardware configurations, 692
ports, 686
TLIS connections (UUCP systems), 141–142
trust relationships, 671–672
user accounts, User Manager (Windows NT), 672
UUCP, 105, 131
over TCP/IP, 141–142
Windows NT
ports, 685–686
services, 684–685
confounders, encryption type, 491
connecting
public web servers via Internet Information Server (IIS), 682–683
segments, one-way trust, 186–187
to FTP sites
with ftp-gw application (TIS Firewall Toolkit), 263
with netacl, 247–249, 264
to Gopher sites with http-gw application (TIS Firewall Toolkit), 270–275
to newsgroups with plug-gw application (TIS Firewall Toolkit), 289–292
to remote hosts with rlogin-gw application (TIS Firewall Toolkit), 258
to Telnet sites with tn-gw application (TIS Firewall Toolkit), 252–253
to WWW sites with http-gw application (TIS Firewall Toolkit), 270–275
connections
NNTP with plug-gw application (TIS Firewall Toolkit), 289–292
POP with plug-gw application (TIS Firewall Toolkit), 292–294
TCP
preventing remote access to local services, 396
via modems, 430
via proxy servers, 418
vulnerability to hackers, 383
UDP, preventing remote access to local services, 396
constant pool memory area, JVM stacks, 728–734
continuous monitoring with ARP spoofing, 208–209
Control Panel (SATAN), 457
conventional encryption, e-mail messages with PGP, 640
converting web servers from root to controlled file systems, 744
COPS FTP site, 854
program overview, 379
copy protection, 25
corruption of DNS caches, 438
Counterpane web site, 599
Courtney (SATAN scan detection program), 413
cpd daemon, 25, 58
CPUs (central processing units)
integrating with JVMs, 723
logging time consumption, 157
requirements for daemons, 53
Crack program, 379
cracking user account passwords, 379
crc32 checksums, 495
crealm and cname field, Kerberos ticket authenticators, 516
crealm field
Kerberos tickets, 514
KRB_KDC_REP message, 533
creating
network segmentation with sniffing barriers, 183
trust relationships, 671–672
Windows NT domains, 670–671
crit (syslog file severity level), 151
cron (syslog file facility), 151
cron daemon, 58
cron utility, Unix audit logs, 153
crontab files (UUCP), 58, 128–129
logging usage, 153
cross checking DNS servers for spoofing, 220–221
cryptanalysis
attacks
adaptive chosen plaintext, 602–604
analysis, 601–603
chosen plaintext, 602–604
ciphertext only, 602–604
known plaintext, 602–604
ciphertext techniques, 563
algebraic attacks, 602–603
differential, 602–603
linear, 602–603
overview, 601–603
CryptoAPI, Windows NT Directory Services features, 696
cryptographic algorithm, 563
cryptography
electronic commerce, 564
goals
authentication, 566–567
confidentiality, 566–567
message integrity, 566–567
non-repudiation, 566–567
Internet transmissions, 564
tools
digital certificates, 566–567
digital signatures, 566–567
secure channels, 566–567
cryptolopes, 577
cryptosystems, 563
trap doors, 563–564
ctime field
Kerberos ticket authenticators, 516
KRB_AP_REP message, 539
cu command (UUCP), 108, 113, 132–134
cusec field
Kerberos ticket authenticators, 516
KRB_AP_REP message, 539
customizing Internet Information Server (IIS) directory structure, 688–689
Cypherpunks web site, 854

D

-d (ping command option), 29
-d debug hole, sendmail program, 381
-d host (arp command options), 40
daemon (syslog file facility), 151
daemons, 9, 52–57
bdflush, 57
BOOTP, 26
compared to programs, 52
cpd, 25, 58
CPU requirements, 53
creating
Bourne shell, 63–67
devices, 64
input/output files, 63, 68–69
PERL programming language, 67–72
trapping signals, 64–66, 69
cron, 58
deliver, 61
dfmon, 66
file descriptors, 63
getty, 61
inetd, 61
init, 57
ldsocket, 25
lockd, 62
lpd, 25, 58
lpsched, 58
mountd, 62
named, 27
networks, exploitation by hackers, 395
NFS server, 62
nfsd, 62
pcnfsd, 62
preventing shutdowns, 67–68
procmon, 69–72, 84–96
RARP, 26
required during system boot
HP-UX, 54–55
SCO Unix, 55–56
SunOS, 53
Reverse Address Resolution Protocol, 20
rlogind, 61
routed, 26–27, 61
rpc.statd, 62
RWHO, 28
sco_cpd, 58
sendmail, 47, 60, 153
slink, 25
SNMP, 26
starting Internet super-server, 22–23
statd, 62
swapper, 57
syslog, 28, 59–60
syslogd, 150
update, 57
uudemon.cleanup (UUCP), 129
uudemon.poll (UUCP), 129
DARPA (Defense Projects Advanced Research Agency), 8–9, 21
Data Encryption Standard (DES), 487–489
64-bit inputs, 594–597
adoption by U.S. government, 594–597
algorithm, 594–597
processing, 595–597
alternatives, 598–599
bits reduction, 597–599
brute force attacks, 596–597
DESX version, 597–599
development, 594–597
Federal Information Processing Standard 46 (FIPS), 594–597
keys, 594–597
web resources, 597–599
data exchange on TCP connections, 227
data files and computer viruses, 767
databases
authentication server (TIS Firewall Toolkit) management, 284–286
SATAN, 458
facts records, 467–470
host records, 470–471
records, 467–471
todo records, 471
datagrams, forging, 227–228
Datakey, Inc. web site, 574
DDN Network Information Center, 21
DDN Security Bulletins FTP site, 854
deactivating route spoofing, 210–211
-debug command (ifconfig), 18
debug (syslog file severity level), 152
debug command (ifconfig), 18
debugging
broadcast storms, 159
enabling, 18
networks, 159
connections, 40
permission files (UUCP version 2), 137
UUCP network connections, 116–117
checking file ownership, 117
displaying error messages, 116, 135
log files, 126–128
DEC Ultrix Kerberos, 498, 500
decentralized organizations and router implementation, 350–352
deciphering symmetric encryption, 580–581
decoding CGIs, 738–739
decrypting e-mail messages
with PGP, 616–617, 643–645
without saving to file, 648
defaults
netmask addresses, 12
permissions, 120–121
deleting ARP cache entries, 202
deliver daemon, 61
deploying
insecure segments, 187
segments, case study, 187–190
des-cbc-crc encryption systems, 493
des-cbc-md4 encryption systems, 494
des-cbc-md5 encryption systems, 494
des-mac checksums, 496
des-mac-k checksums, 497
DESlogin 1.3, zero-knowledge authentication mechanisms, 194–195
-dest pattern host access rule, tn-gw application (TIS Firewall Toolkit), 254
dest-address command (ifconfig), 18
detached signatures (PGP), 647–648
detecting
ARP spoofing, 201, 205–209
host level active detection, 206
host level passive detection, 205
network-level detection, 207
server level detection, 206
network security holes, 387–409
via public documentation, 407–418
SATAN scans, 413–414
Device (BNU Devices file field name), 106
Device (L-devices file field), 132
DEVICE FAILED (UUCP log file error message), 127
DEVICE LOCKED (UUCP log file error message), 127
devices
creating, 64
defining local networks, 107
UUCP
devices allowed, 134
file ownership, 107
Devices (Basic Networking Utilities file), 98
Devices file (UUCP), 105–107
dfmon daemon, 66
code listings, 76–80
configuration file, code listings, 80–84
installing, 76
dial-out facilities, logging usage, 153
Dialcodes (Basic Networking Utilities file), 99
Dialcodes file (UUCP), 112–113
DIALER SCRIPT FAILED (UUCP log file error message), 127
dialer-token pairs (BNU Devices file field name), 106
Dialers (Basic Networking Utilities file), 99
Dialers file (UUCP), 108–110
differential cryptanalysis, 602–603
Diffie-Hellman algorithm, 194
dig command, 41–42
Digital Altavista Firewall, 354–355, 369
digital certificates
class levels, 570
cryptography tools, 566–567
message processing, 569
obtaining, 569–570
Secure Sockets Layer (SSL), 690–691
digital envelope, 577
Digital Pathways web site, 574
Digital Signature Initiative (DSig), 576
digital signatures, 571–572
as solution to hardware address spoofing, 197
attaching to e-mail messages with PGP, 637–643
cryptography tools, 566–567
e-mail messages, 613–614
hash functions
message digest algorithms (MDAs), 571–572
Secure Hash Algorithm (SHA), 571–572
message integrity, 571–572
removing from PGP keys, 633–634
digital time stamping of e-mail messages, 572
direct action infectors
file virus types, 795–799
indicators, 799–802
infection process, 799–802
directories
e-mail, world-writeable, vulnerability to hackers, 384
hierarchies (Windows NT), 694–696
SATAN
bin, 444–445
config, 443
html, 445
html/admin, 450
html/data, 450
html/docs, 445–446
html/dots, 446–447
html/images, 447
html/reporting, 447–448
html/running, 448–449
html/tutorials, 449
html/tutorials/vulnerability, 449
include, 443
perl, 454–455
perllib, 444
rules, 443
src, 450
src/boot, 450
src/fping, 452–453
src/misc, 451
src/nfs-chk, 451
src/port_scan, 452
src/rpcgen, 453
src/yp-chk, 453–454
top-level, 442
structure (Internet Information Server)
customizing, 688–689
home, 688–689
private, 688–689
disabling
inetd services, 240
Windows NT services, 684–685
discontinuing ARP requests, 201
disk buffers, flushing, 57
disk monitor daemons, Bourne shell, 63–67
disk file maintenance, 128–129, 140–141
display (telnet command), 46
displaying ARP cache entries, 202
distributing keys (PGP), 612–613
DNS (Domain Name Service) servers, 14, 27
cache corruption, 438
configuring for smap client application (TIS Firewall Toolkit), 269–271
domain names, resolving, 15, 218–219
FQDN (fully qualified domain name), 19
host name resolution, 218
intranet implementation (Windows NT), 679
name resolution
iterative, 219
query efficiency, 219
recursive, 219
SATAN scans, 419
searchlists, security issues, 434
security problems, 221
misdirected queries, 221
spoofing
active attacks, 222–223
cross checking, 220–221
passive attacks, 221–222
preventing, 220–221
rlogin protocol vulnerability, 192
scenarios, 220–221
spoofing defenses
Berkeley Internet Name Daemon (BIND), 225
cached entries limitations, 223–225
discontinued use, 223–225
selective caching, 224–225
Domain Information Groper, 41–42
domains (Windows NT)
account configurations, 669–670
administrative responsibilities, 669–670
audit configurations, 669–670
creating, 670–671
defined, 669–670
trust relationships
creating, 671–672
Windows NT, 669–670
DOS (Disk Operating System)
audit trail utilities, 166–167
COM files, computer viruses, 768
conventional memory
Memory Control Block (MCB), 796–799
EXE files, computer viruses, 768–769
file viruses
potential damage to Windows NT system, 844–845
Windows NT environment, 842–845
SYS files, computer viruses, 769–770
dotted decimal address, 11
double quotes (“”) in chat scripts, 114, 135
down command (ifconfig), 18
downloading
Blowfish cipher, 599
Proxy Server, 694–696
SATAN, 441–442
drop files, SATAN scan rulesets, 472
dropper programs (Windows NT)
boot record viruses, 840
master boot record viruses, 838
Dynamic Host Configuration Protocol (DHCP), 680
dynamic web pages
Internet Information Server (IIS), 686
Java capabilities, 712–713

E

e-data field, KRB_ERROR message, 550
e-mail (electronic mail)
delivery, 61
interaction with Java, 734
messages
clearsigning with PGP, 646–647
compressing with PGP, 638
conventional encryption with PGP, 640
decrypting with PGP, 616–617, 643–645
decrypting without saving to file, 648
detached signatures with PGP, 647–648
digital signatures, 613–614, 637
encrypting with PGP, 615–616, 637, 642–643
filtering with PGP, 637–638
non-repudiation, 613
public key encryption, 641–642
sending with PGP, 639
signing with PGP, 640–643
verifying with PGP, 616–617, 643–645
reports with TIS Firewall Toolkit, 303–304
sendmail daemon, 60
TIS Firewall Toolkit applications, 264–270
world-writeable directories, vulnerability to hackers, 384
e-text field, KRB_ERROR message, 550
eavesdroppers and cryptography, 564–565
ECB (Electronic Codebook) encryption, 488
editing makefiles (TIS Firewall Toolkit), 236
electronic commerce
Digital Signature Initiative (DSig), 576
growth of cryptography, 564
Secure Electronic Transaction (SET) protocol, 576–577
emerg (syslog file severity level), 151
enc-authorization-data field, KRB_KDC_REQ message, 530
enc-part field
Kerberos tickets, 514
KRB_AP_REP message, 538
KRB_CRED message, 546
KRB_KDC_REP message, 533
KRB_PRIV message, 543
ENC-TKT-IN-SKEY field, Kerberos tickets, 527
ENC-TKT-IN-SKEY flag (Kerberos), 512
encapsulation, 18
encoding
CGIs, 738–739
transited fields in Kerberos Ticket Granting Service exchange, 525
ENCRYPT program (CD-ROM), 578
deciphering symmetric encryption, 580–581
monoalphabetic substitution (symmetric encryption), 584–589
substitution (symmetric encryption), 582–584
transposition, 578
encrypted passwords
implementing, 193–194
mechanisms, SRA (Texas A&M), 194
public key cryptography, 193–194
encrypted tunnels on virtual private networks (VPNs), 360–361
encryption, 558
asymmetric key, 558–559
asymmetrical, 195
CBC (Cipher Block Chaining), 488
certificate-based transactions, processing, 569
CFB (Cipher Feedback), 488
confounders, 491
conventional encryption, e-mail messages via PGP, 640
DES, 487–489, 594–597
des-cbc-crc systems, 493
des-cbc-md4 systems, 494
des-cbc-md5 systems, 494
digital certificates, obtaining, 568–570
digital time stamping, 572
drawbacks, 195
e-mail messages with PGP, 615–616, 637, 642–643
ECB (Electronic Codebook), 488
exporting programs for, 489–490
IDEA cryptosystem, 597–599, 607, 640
Internet tunnels, 575–576
Kerberos
keys, 492–493
networks, 485–497
specifications, 491–492
systems, 493–494
national security issues, 485
non-reversible, 560
NULL systems, 493
obtaining public keys, 568–569
OFB (Output Feedback Mode), 488
one-way, 561–562
PGP (Pretty Good Privacy) program, 605–606
armor mode, 639
binary distribution, 609–611
binary files, vulnerability to hackers, 657
clearsigning e-mail messages, 646–647
compressing e-mail messages, 638
configurations, 649–654
conventional encryption, 640
decrypting e-mail messages, 616–617, 643–645
detached signatures, 647–648
encrypting e-mail messages, 615–616, 642–643
filtering e-mail messages, 637–638
For Her Eyes Only messages, 648
history of, 606–608
keys, adding to public key rings, 614–615, 626–628
keys, distributing, 612–613
keys, extracting keys from public key rings, 628–629
keys, fingerprints, 635–636
keys, generating, 611–612, 623–626
keys, pass phrases, 624
keys, management, 622–637
keys, removing from key rings, 633–634
keys, removing signatures from, 633–634
keys, revoking, 636–637
keys, signing, 629–632
keys, trust relationships, 620–622, 630
keys, userids, 624–626
keys, verifying, 635–636
naming keys, 618–619
pass phrases, 610
practical applications, 607–608
processing binary files, 638–639
processing text files, 638–639
public key rings, 619, 633–656
public keyservers, 658
secret key rings, 620, 632–633, 655–656
security, 654–657
sending e-mail messages, 639
signing e-mail messages, 640–643
verifying e-mail messages, 616–617, 643–645
Windows front-end applications, 659
wiping files, 648–649
public key, 195, 486, 558–559, 608, 641–642
secret key, 486–487, 561, 608
Secure Sockets Layer (SSL), 195
Internet Information Server (IIS), 687–688
symmetric key, 558–559
vulnerability to hackers, 438–439
ENCRYPTTOSELF configuration keyword (PGP), 651
endtime field
Kerberos tickets, 514
KRB_CRED message, 546
environ (telnet command), 46
environment variables (CGIs), 741
equivalency, 23–25
err (syslog file severity level), 152
error messages
displaying uucico command (UUCP), 116, 135
UUCP log files, 127–128
error-code field, KRB_ERROR message, 550
Esniff.c, sniffing software, 176
ESTABLISHED (socket state), 38
/etc/ethers network configuration file, 20
/etc/exports configuration file, 62
/etc/ftpusers network configuration file, 48
/etc/hosts network configuration file, 19–20
/etc/hosts.equiv network configuration file, 23
/etc/hosts.lpd network configuration file, 25
/etc/inetd.conf network configuration file, 22–23
/etc/inittab configuration file, 57
/etc/networks network configuration file, 20–21
/etc/passwd network configuration file, 24
/etc/pcnfsd.conf configuration file, 62
/etc/printcap network configuration file, 25
/etc/procmon.cfg configuration file, 70
/etc/protocols network configuration file, 21
/etc/rc configuration file, 55
/etc/sendmail.cf configuration file, 60
/etc/service network configuration file, 21–22
/etc/sockcf network configuration file, 25
/etc/strcf network configuration file, 25
/etc/syslog.conf configuration file, 59
/etc/syslog.conf network configuration file, 28
EthDump, sniffing software, 176
Ethernet, 8
addresses, 20
firewall architecture, 346–347
sniffers, 159–160
EthLoad, sniffing software, 176
etype field
encrypted messages, 491
KRB_KDC_REQ message, 531
eval statement, PERL CGI programming, 749
evaluating firewall protocol paths, 356–357
Event Viewer application (Windows NT), 163–164
Excel for Windows, macro virus infection process, 806–807
exclamation point (!) in procmon.cmd files, 71
exclamation point (!) in UUCP addresses, 101–102
exclamation point (!) telnet command, 46
EXE files
Code Segment (CS), 768–769
computer viruses, 768–769
entry points for file viruses, 793–794
Instruction Pointer (IP), 768–769
integrity checkers, 827–831
repairing virus infections, 836
execute permission, Internet Information Server (IIS), 689
executing code with Java, 722
execution environment, JVM stacks, 727
expect-send pairs, 113–116, 134–135
expiration of Kerberos tickets, 519
exporting encryption programs, 489–490
extensions, adding SATAN scans, 474–475
External Gateway Protocol (EGP), 217
external routing protocols, 211–213
case studies, 217
extracting PGP keys from public key rings, 628–629

F

-f (finger command option), 34
-f (ping command option), 29
-f address-family (netstat command options), 35
-f file (arp command options), 40
factoring process, RSA public key cryptography, 603
facts files, SATAN scan rulesets, 468–473
FAQs (Frequently Asked Questions), Secure Shell program, 416
Farmer, Dan (co-creator of SATAN), 411
FAT (File Allocation Table), boot record viruses, 841
FBI web site, 854
FDISK utility, master boot record, repairing, 834–835
Federal Information Processing Standard 46 (FIPS), 594–597
fields
Kerberos ticket authenticators, 516
KRB_AP_REP message, 538–539
KRB_AP_REQ message, 537–538
KRB_CRED message, 546
KRB_ERROR message, 549
KRB_KDC_REP message, 533
KRB_KDC_REQ message (Kerberos), 529–531
KRB_PRIV message, 543–544
KRB_SAFE message, 541
tickets (Kerberos), 514–515
transited, encoding in Kerberos Ticket Granting Service exchange, 525
file allocation table (FAT), 760
file servers
boot viruses, 811
file virus infection on networks, 809–810
macro viruses, spreading, 812
file systems on networks
unprivileged access scans by SATAN, 422–423
unrestricted exports, scanning with SATAN, 423
vulnerability to hackers, 401–402
File Transfer Program (ARPANET), 47
file viruses
COM files
appending virus, 791
overwriting virus, 792
prepending virus, 791–792
DOS
potential damage to Windows NT system, 844–845
variety in Windows NT environment, 842–845
EXE files entry points, 793–794
executables, repairing, 836
infection process, 795–799
integrity checkers, detection rate, 828–831
intended functions, 795–799
network file servers, 809–810
peer-to-peer networks, 810
potential for damage, 790
read stealth type, repairing, 836–837
replication process, 790
SYS files entry points, 794
types
direct action, 795–802
memory resident infectors, 795–799, 802–803
Windows 3.1 type in Windows NT environment, 845
files
copying remote terminals, 43
crontab, 58
crontab (UUCP), 128–129
deleting UUCP file maintenance, 129
descriptors, 63
closing, 68
opening, 68
file system
client requests, 62
mount requests, 62
listing open, lsof program, 160
logging access to httpd service (Windows NT), 165
logging file system changes, 161
ownership of UUCP devices, 107
permission (UUCP version 2), 136–139
repairing with integrity checkers, 829–831
status (UUCP), 119, 135
syslog.conf, 59–60
transfer statistics logs, 154
transferring, 47–50
system security, 124
UUCP (Unix to Unix CoPy), 101–103
see also TCP/IP
UNIX audit logs, 148–155
USERFILE (UUCP version 2), transfer entries, 138
UUCP (Unix to Unix CoPy)
devices, 105–107
dialers, 108–110
systems, 110–113
wiping with PGP, 648–649
filtering
e-mail messages with PGP, 637–638
ports, 685–686
Proxy Server options
deny access, 692–693
grant access, 692–693
FIN_WAIT_1 (socket state), 38
FIN_WAIT_2 (socket state), 38
financial account numbers, sniffing, 177–178
finger command, 33–35
finger program, exploitation by hackers, 399
fingerd program, buffer vulnerability to hackers, 382
fingerprints, PGP keys, 635–636
firewalls
alert capabilities, 361
application level proxies, 356–357
performance guidelines, 365–366
product comparisons, 365–366
application proxies, 348
architecture, 346–347
application gateways, 353
router-based, 349–350
stateful packet filters, 352
authentication mechanisms, 360–361
Check Point Software Firewall-1, 354–355, 370
circuit gateways, 347–348
Cisco 2500, 369
configuring, 358–359
for NTP server time updates, 241
Digital AltaVista Firewall, 354–355, 369
flexibility in product comparisons, 359–361
Global Internet Centri, 354–355, 370
GUI, comparison between products, 358–359
impact of Java, 733
internal network security, 681–682
intrusive proxies, 357
ISS SAFESuite, scanning capabilities, 368–370
Livermore Software Laboratories PORTUS, 354–355, 370
Livingston IRX, 369
Milkyway Networks Black Hole, 354–355, 370
Network Address Translation (NAT), 356
Network-1 Firewall/Plus, 354–355, 370
non-intrusive proxies, 357
Opus One Consulting, 346
packet filtering, 347
performance guidelines, 364–365
product comparisons, 364–365
performance guidelines, 362–363
data benchmarks, 363
multiple stream environments, 363
proxy capabilities, 363
single stream environments, 363
personal tunneling, 360–361
protocol paths, 356–357
Raptor Eagle, 354–355
reporting capabilities, 361
routers, decentralized organizations, 350–352
security assessments, 367–368
selection criteria, 348–349
stateful packet filters versus transport firewalls, 355–356
summary evaluation of product comparisons, 369–370
TIS Firewall Toolkit, 234–238
authentication server, 276–288
authmgr client application, 310–311
authsrv, 311–318
compiling under BSDI, 236
compiling under SunOS, 236
disabling IP address forwarding, 242–243
disabling inetd services, 240
FTP site, 408
ftp-gw application, 259–264, 318–322
Help, 305–306
http-gw, 322–328
http-gw application, 270–275
installation, 237–238
login-sh application, 328–329
mailing lists regarding, 306
netacl application, 245–249, 330–331
netperm table, 244–245, 306–310
netscan utility, 295
newsgroups regarding, 305
plug-gw application, 288–294, 332–333
preparing for configuration, 238–242
preventing DNS spoofing, 245
report utilities, 296–310
rlogin-gw application, 255–259, 334–335
smap client application, 265, 336–337
smapd application, 267, 337–339
TCP/IP configurations, 242–243
tn-gw application, 249–255, 339–342
web site, 852
x-gw application, 342–343
x-gw applications, 275–276
TIS Gauntlet, 370
transport level proxies, 356–357
performance guidelines, 365–366
product comparisons, 365–366
Trusted Information Systems’ Gauntlet, 354–355
trusted traffic, 356–357
Unix-based, 354–355
untrusted traffic, 356–357
versus port filtering, 686
virtual private networks (VPNs), 360–361
vulnerability to SATAN, 417–418
Windows NT-based, 354–355
FIRST (Forum of Incident and Response Security Teams), 851
flags, tickets (Kerberos), 509–512
flags field
Kerberos tickets, 514
KRB_KDC_REP message, 533
floppy boot record viruses, 774–782
antivirus program overview, 835–836
infection process, 774–780
new items, infecting, 780–782
potential damage, 782
repairing, 782
floppy disks
BIOS, 761–762
boot records, 760
booting process, 761–762
elements
clusters, 759
heads, 759
sectors, 759
tracks, 759
file allocation table (FAT), 760
infected, repairing, 833–834
logical format, 760
boot record, 760
file allocation table (FAT), 760
partition table, 760
root directories, 760
Power-On Self Test, 761–762
root directories, 760
viral bootstrap programs, 762
virus target, 762
For Her Eyes Only messages (PGP), 648
FORCE command-line option (PGP), 653
forging TCP datagrams, 227–228
Form virus, partition boot record viruses, 786
Forum of Incident and Response Security Teams, see FIRST
FORWARDABLE field, Kerberos tickets, 526
FORWARDABLE flag, Kerberos tickets, 509–512
forwardable tickets (Kerberos), 511–512
FORWARDED field, Kerberos tickets, 526
FORWARDED flag, Kerberos tickets, 509–512
forwarding
IP addresses, disabling for TIS Firewall Toolkit, 242–243
IP forwarding, exploitation by hackers, 405
fping command, hacker exploitation of, 389
FQDN (fully qualified domain name), 19
fragile superclasses (C++), 709
Fremont (network security evaluation system), 412
web site, 854
from field, KRB_KDC_REQ message, 531
FTP (File Transfer Protocol), 47–50
access records, 149
anonymous FTP, vulnerability to hackers, 420
anonymous mode, 47
connections, logging (Windows NT), 164
Internet Information Server (IIS), 686
ftp (syslog file facility), 151
ftp daemon, Unix audit logs, 154
FTP proxy application, see ftp-gw application (TIS Firewall Toolkit)
ftp sites
Argus, 414, 854
binary files, integrity of, 439–440
Bones, 499
CERT, 850–854
CIAC group, 850
Ckpasswd, 854
COAST project, 850
connecting to
with ftp-gw application (TIS Firewall Toolkit), 263
with netacl, 247–249, 264
COPS, 854
DDN Security Bulletins, 854
FIRST, 851
Fremont network security evaluation system, 412
Greatcircle, 855
ISS network security evaluation program, 412
Kerberos Information, 855
NEC Security Tools, 855
netlog program, 414
network security-related, 386
SATAN, 441–442
Secure Shell program, 416, 856
Secure telnet, 856
SNMP FTP Archives, 856
socks IP encapsulation program, 418
TCP wrappers (SATAN scan detection program), 414
Texas A&M University Security Archives, 856
TIS FTP Archive, 856
usage reports (TIS Firewall Toolkit), 302
Vince Cate’s Security Page, 856
Wietse Venema (co-creator of SATAN), 411, 856
Xinetd SATAN scan detection program, 414
ftp-gw application (TIS Firewall Toolkit), 259–264, 318
authentication, 321–322
configurations, 259–264
host access rules, 261–262
installation, 322
options, 319–321
rules, 260
verifying operation of, 262–263
ftpd
Kerberos, 552
password files, 431
scanning with SATAN, 420–422
vulnerability to hackers, 383–384, 391–393
fully qualified domain name (FQDN), 19
functions
http-gw application (TIS Firewall Toolkit), 274
PGP key management, 622

G

Gabriel (SATAN scan detection program), 413
web site, 854
garbage collected heap, JVM stacks, 727
garbage collector (Java), 701, 710
GateD Consortium web site, 215
downloading, 215–216
RIP daemon, 215–216
gateways, 27
Gene Spafford web page, 855
generating key pairs (public key cryptography), 600–601
generic decryption (GD)
market popularity, 824–826
polymorphic viruses, 824–826
virus detection process, 824–826
genUSER program, password files, code listings, 144–145
GET method (CGI data input), vulnerability to hackers, 741–742
getty daemon, 61
global groups (Windows NT), 673
Global Internet Centri, 354–355, 370
Gopher
http-gw application functions (TIS Firewall Toolkit), 327
sites, connecting to with http-gw application (TIS Firewall Toolkit), 270–275
Greatcircle FTP site, 855
gtimes program, code listings, 142–144
GUI (graphical user interface), firewall comparison between products, 358–359

H

hackers
ARP spoofing, 198–199
cryptography, 564–565
rlogin protocol problems, 192–193
hard drives
master boot record, 762–763
repairing, 834–835
partition boot record viruses, 765
repairing, 835
hardware
ARP spoofing process, 198–199
floppy disk elements, 759
hardware address spoofing, 196–197
active hub mechanisms, 197
countermeasures, 197
digital signature solution, 197
hardware barriers
ARP spoofing, 203–204
bridges
cost, 190
installing, 190
versus routers, 190
versus switches, 190
mutually trusting machines, sniffing, 186
secure user segments, sniffing, 184–185
hardware requirements, Internet connections (Windows NT), 680–682
hash functions (digital signatures)
message digest algorithms (MDAs), 571–572
Secure Hash Algorithm (SHA), 571–572
Help (TIS Firewall Toolkit), 305–306
heuristic scanners
rating criteria, 832–833
virus identification process, 832–833
zero percent false identification rate, 832–833
hierarchies, Windows NT directories, 694–696
history command, 155
history logs, Unix audit logs, 155
holes in network security, 381–385
detecting, 387–409
mailing lists regarding, 386
newsgroups regarding, 386
HoneyDanBer (HDB) UUCP, 98
host access rules
ftp-gw application (TIS Firewall Toolkit), 261–262
http-gw application (TIS Firewall Toolkit), 273
rlogin-gw application (TIS Firewall Toolkit), 258–259
tn-gw application (TIS Firewall Toolkit), 253–254
host addresses (Kerberos), 547–548
host equivalence file, rlogin protocol, 191–192
Host Equivalency, 23–24
host level active detection, ARP spoofing, 206
host level passive detection, ARP spoofing, 205
host records, SATAN databases, 470–471
host tables, 14
hostname command, 15
hostnames, 102
aliases, 19–20
assigning, 19–20
domain names, 15
guidelines for Internet Request for Comments (RFC), 15
hacker access to, 387–389
host tables, 14
hostname command, 15
networks, 14–15
translating into IP addresses, 14
validating UUCP Permissions file, 124
hosts
addresses, 9
octets, 10–11
ICMP configurations, 210–211
name resolution, DNS servers, 218
network traffic logs, 158–159
network services, 21–22
hosts.equiv files, user accounts, vulnerability to hackers, 382
hosttype files, SATAN scan rulesets, 473
HPFS (High Performance File System), boot record viruses, 841–842
HTML (HyperText Markup Language) directories (SATAN), 445–465
HTTP (HyperText Transfer Protocol)
client applications
non-proxy aware, 271–272
proxy aware, 272
integration with Java, 733
Internet Information Server (IIS), 686
restricting access to CGIs with, 740
http-gw (HTTP proxy application), 322–328
configurations, 270–275, 325–327
functions, 274
Gopher functions, 327
host access rules, 273
installation, 328
interaction with non-proxy aware HTTP clients, 271–272
interaction with proxy aware HTTP clients, 272
operations, 323–324
options, 323
reports, 302
rules, 271
security, 327–328
HTTPD servers
SSL, vulnerability to hackers, 382
Unix audit logs, 155
Windows NT service, 165
HW-AUTHENT flag, Kerberos tickets, 510–512

I

-i (finger command option), 34
-i (netstat command options), 35
-I interface (netstat command options), 35
-i seconds (ping command option), 30
I/O file descriptors, daemons, 63–69
IBM (International Business Machines)
Data Encryption Standard (DES), 594–597
PC computer viruses, 773–809
boot record, 773–774
floppy boot record, 774–782
master boot record, 786–789
partition boot record, 782–786
ICMP (Internet Control Message Protocol), 29
host configurations, 210–211
route spoofing, deactivating, 210–211
ICMP ECHO_REPLY, 29
ICMP ECHO_REQUEST command, 29
ICMP PORT UNREACHABLE, 39
ICMP TIME_EXCEEDED, 38
IDEA cryptosystem, 607, 640
hacking, 655
identd servers, vulnerability to exploitation by hackers, 404
ifconfig command, 17–19
-arp, 18
-debug, 18
arp, 18
broadcast, 18
configurable parameters, 17–18
debug, 18
dest-address, 18
down, 18
metric N, 18
netmask MASK, 18
querying interface configuration, 32–33
syntax, 17
trailers, 18
up, 18
illegal root access, preventing, 379
implementing
ARP servers, 203
encrypted passwords, 193–194
intranets
DNS server, 679
WINS server, 680
improving network security
with firewalls, 417–418
with Kerberos, 414–415
with Secure Shell program, 416
with SSL, 416–417
inadvertent ARP spoofing, case studies, 199–201
include directory (SATAN), 443
inetd command, 22
inetd daemon, 61
inetd services
disabling, 240
restarting after configurations, 249
super-server, 28
infected floppy disks, repairing, 833–834
infecting (viruses)
COM files, 791
EXE files, 793–794
info (syslog file severity level), 152
Info command (Java Appletviewer), 730
init daemon, 57
initdefault (run level action field), 75
INITIAL flag, Kerberos tickets, 510–512
initial tickets (Kerberos), 510
Innovative Security Products Security web site, 855
insecure segments, deployment strategies, 187
inserting
ARP cache entries, permanent, 202–203
comments in TIS Firewall Toolkit applications, 244
installation (TIS Firewall Toolkit), 237–238
authmgr client application, 311
authsrv application, 317–318
ftp-gw application, 322
http-gw application, 328
login-sh application, 329
netacl application, 331
plug-gw application, 333
rlogin-gw application, 336–337
smap client application, 265, 337
smapd application, 267, 338–339
tn-gw application, 341–342
x-gw application, 343
installing
dfmon daemon, 76
Proxy Server, 692
routers for subnetting, 204–205
Windows NT and boot record viruses, 842
integrity checkers
byte-for-byte matching, 827–831
detection rate, 828–831
disadvantages, 829
executable files, comparison function, 827–831
files
information, 828
repairing, 829–831
rating criteria, 830–831
versus stealth viruses, 830–831
INTERACTIVE configuration keyword (PGP), 651
interfaces
CGI, 687, 736–740
firewalls, comparison between products, 358–359
ISAPI, Internet Information Server (IIS), 687
Java, 709
localhost loopback, 19
networks, 16–17
configuring, 17–19
names, 16
PPP (Point-to-Point Protocol), 17
SLIP (Serial Line Internet Protocol), 17
PGP for Unix, 658–659
querying configuration, 32–33
SATAN, 456–465
system security, Ethernet promiscuous mode, 160
internal routing protocols, 211–213
International Data Encryption Algorithm (IDEA)
128-bit key, 598–599
algorithm process, 597–599
brute-force attack invulnerability, 598–599
Swiss Federal Institute of Technology, 598–599
versus Data Encryption Standard (DES), 598–599
International Traffic and Arms Regulations (ITAR), issues with PGP, 489, 607
Internet, 9
addresses, 9
corporate requirements, 680–682
Domain Name Server, 27
growth of cryptography, 564
proxy servers
access processing, 691–692
configuring, 683–684
RFC 950, 12
security related sites
FTP, 853
WWW, 853
super-server, starting daemons, 22–23
Windows NT hardware requirements, 680–682
Internet Control Message Protocol, see ICMP
Internet Engineering Task Force web site, 575
Internet Information Server (IIS)
anonymous user account, 688
authentication
basic, 690
challenge/response, 690
Secure Sockets Layer (SSL), 690
directory structure, customizing, 688–689
integration with NT security, 687
interfaces
CGI, 687
ISAPI, 687
packet filtering routers, 682–683
permissions
execute, 689
read, 689
write, 689
protocols
FTP, 686
HTTP, 686
public web servers, connecting, 682–683
session encryption, Secure Sockets Layer (SSL), 687–688
versus Microsoft Proxy Server, packet filtering, 682–683
virtual server capabilities, 687
web pages
dynamic, 686
static, 686
Windows NT
components, 664–665
security integration, 687
Internet Protocol, see IP
Internet Request for Comments (RFC), hostname guidelines, 15
Internet RFC Index web site, 855
Internet Server API, see ISAPI
Internet Threat Levels, see ITLs
Internet tunnels
layer 2 forwarding (L2F) protocol, 575–576
point-to-point tunneling protocol (PPTP), 575–576
Internet Worm, Unix/SUN incident, 808–809
Internet-to-Ethernet address translation table, 40
interpreters (Java), 719–722
intranets
DNS Server, implementing, 679
NetBIOS name resolution, 679–680
WINS Server, implementing, 680
intrusive proxies, 357
INVALID flag, Kerberos tickets, 510
invalid tickets (Kerberos), 510
IP (Internet Protocol)
addresses, 9–11
ARP spoofing process, 198–199
forwarding, disabling for TIS Firewall Toolkit, 242–243
hacker access to, 387–389
aliases, 21
encryption technology
authentication header (AH), 231–232
development, 231–232
encapsulating security payload, 231–232
RFCs 825–830, 231–232
SwIPe, 231–232
forwarding, exploitation by hackers, 405
source routing, exploitation by hackers, 405
spoofing, SATAN scans, 434–437
ISAPI (Internet Server API) interface, 687
ISS (network security evaluation program), 412
ISS SAFESuite
firewall security assessments, 367–368
scanning capabilities, 368–370
ITAR (International Traffic and Arms Regulations), issues with PGP, 489, 607
iterative resolution on DNS servers, 219
ITLs (Internet Threat Levels), 374–378
IUSR_computername account, Internet Information Server (IIS), 688

J

Java, 697–699
applets
security modes, 731–732
testing, 707, 729–731
viewing with Netscape, 732
Appletviewer, 728–731
architecture, 711–716
bytecodes, 703, 711
verifying, 721
calling class methods, 718
cast statements, 709
class loader, 720–734
classes, 709
compiler, 707, 716–719
compiling with, 713, 716–719
components, 703–704
dynamic loading capabilities, 712–713
environment features, 706–716
executing code, 722
garbage collector for memory, 701, 710
history of, 704–705
impact on firewalls, 733
integration with HTTP, 733
interaction with e-mail, 734
interfaces, 709
interpreter, 719–722
loading code, 720
memory layout, 718–719
memory management, 701, 710–711
multithreading, 703, 710, 714
Netscape runtime engine, 731
object-orientation, 702–703
opcodes, 717–718
operands, 717–718
performance levels, 699, 703
portability, 699–701
programming language features, 707–711
robustness, 699–701, 713–714
running code, 719–722
runtime
checking, 713
environment, 707
memory layout, 702
reference resolution, 712
security, 698–702, 715–716
setup, 728–734
software support, 700
thread synchronization, 710
versus C++, 707–710
web site, 734
Java Archive Format (JAR), code signing initiative, 576–577
Java Development Kit (JDK), 707
Java Virtual Machines, see JVMs
Joint Electronic Payment Initiative (JEPI), credit card transactions, 576–577
JVMs (Java Virtual Machines), 700, 711, 722–728
instruction set, 724–725
integrating with CPUs, 723
registers, 726
stacks, 726–728
constant pool memory area, 728–734
garbage collected heap, 727
local variables, 726–727
method memory area, 728–734
operand stacks, 727

K

kdc-options field, KRB_KDC_REQ message, 530
KDC_ERR_CANNOT_POSTDATE message (Kerberos Authentication Services exchange), 518
KDC_ERR_ETYPE_NOSUPP message (Kerberos Authentication Services exchange), 518
KDC_ERR_PREAUTH_FAILED message (Kerberos Authentication Services exchange), 518
KDC_ERR_TRTYPE_NOSUPP error message (Kerberos Ticket Granting Service exchange), 523
KEEPBINARY configuration keyword (PGP), 651
Kerberos, 414–415, 478
accounting user accounts, 481
authenticating user accounts, 480–484
Authentication Service Exchange, 517–520
specifications, 526–533
authorizing user accounts, 481
Bones distribution, 498–499
checksums, 494–497
clear text password mechanisms, 194
client detection of modified messages, 539–540
client message encryption, 542–543
client/server authentication exchange, 533–539
clients, authenticating, 533–537
DEC Ultrix distribution, 498–500
encryption, 485–497
keys, 492–493, 536–537
specifications, 491–492
systems, 493–494
ftpd, 552
host addresses, 547–548
Information FTP site, 855
Key Distribution Center, client requests, 526
KRB_CRED message, 544–546
KRB_ERROR messages, 549–551
KRB_KDC_REP message, 532–534
KRB_KDC_REQ message, 528–532
KRB_PRIV message, 542–544
KRB_SAFE message, 539–542
messages, authorization data, 548
MIT version 4, 497
MIT version 5 distribution, 498
naming schemes, 547
network realms, 479–480
intercommunication, 507
naming, 504–505
newsgroups regarding, 553
operations, 478–479
OSF DCE security distribution, 498, 501
port assignments, 551–552
RFCs, 480
sending credentials between hosts by clients, 544–545
servers, 479
principal names, 505–506
Telnet Authentication, 552
Ticket Granting Service exchange, 520–526
specifications, 526–533
tickets, 478, 513–515
authenticators, 512–516
expiration, 519
fields, 514–515
flags, 509–512
forwardable, 511–512
initial, 509
invalid, 509
postdated, 510
preauthenticated, 509–510
proxiable, 511
proxied, 511
renewable, 510–511
requests via Authentication Service exchange, 517–520
requests via Ticket Granting Service exchange, 520–526
time stamps, 547
Transarc distribution, 498–501
vendors
interoperability issues, 500–503
selecting, 499
version 4, 497–498
version 5, 498, 696
interoperability requirements, 501–503
vulnerability to hackers, 484
vulnerability to SATAN, 415
workstation authentication, 551–552
kern (syslog file facility), 151
Key Distribution Center (Kerberos), 526
key field
Kerberos tickets, 514
KRB_CRED message, 546
KRB_KDC_REP message, 533
key pairs, generating (public key cryptography), 600–601
key-expiration field, KRB_KDC_REP message, 533
keyed checksums, 495
keys (Pretty Good Privacy)
adding to public key rings, 614–615, 626–628
distributing, 612–613
extracting from public key rings, 628–629
fingerprints, 635–636
generating, 611–612, 623–626
management, 622–637
naming, 618–619
pass phrases, 624
pass phrases, vulnerability to hackers, 655
public key rings, 619, 633–654
public key rings, vulnerability to hackers, 656
removing from key rings, 633–634
removing signatures from, 633–634
revoking, 636–637
secret key rings, 620, 632–633
secret key rings, vulnerability to hackers, 655–656
signing, 629–632
trust relationships, 620–622, 630
userids, creating, 624–626
verifying, 635–636
keytype fields, encryption keys, 493
keyvalue fields, encryption keys, 493
keywords, netacl application (TIS Firewall Toolkit), 246
kill command, 64
KRB_AP_REP message (Kerberos client/server authentication exchange), 536–539
KRB_AP_REQ message (Kerberos client/server authentication exchange), 534–538
KRB_AS_REP message (Kerberos Authentication Services exchange), 517
generation, 518–519
receipt, 519–520
KRB_AS_REQ message (Kerberos Authentication Services exchange)
generation, 518
receipt, 518
KRB_CRED message (Kerberos), 544–546
KRB_ERROR message (Kerberos Authentication Services exchange), 517
generation, 520
receipt, 520
KRB_KDC_REP message (Kerberos), 532–534
KRB_KDC_REQ message (Kerberos), 528–532
KRB_PRIV message (Kerberos), 542–544
KRB_SAFE message (Kerberos), 539–542
KRB_TGS_REP message (Kerberos Ticket Granting Service exchange), 521
generation, 523–525
receipt, 526
KRB_TGS_REQ message (Kerberos Ticket Granting Service exchange), 521
generation, 521–522
receipt, 522–523
kvno fields, encrypted messages, 491

L

-l (finger command option), 34
-l (ruptime command option), 32
-l username (rsh command options), 44
L-devices (UUCP version 2 file), 98, 131–132
L-dialcodes (UUCP version 2 file), 99
L.cmds file (UUCP version 2), 139
L.sys (UUCP version 2 file), 99
L.sys file (UUCP), 133–135
L_stat (UUCP version 2 file), 100
L_sub (UUCP version 2 file), 100
flags field, KRB_CRED message, 546
LANGUAGE configuration keyword (PGP), 651
last command, 149
last request fields (Kerberos Authentication Server exchange), 548–549
last-req field (KRB_KDC_REP message), 533
LAST_ACK (socket state), 38
lastcomm command, 156
lastlog file, Unix audit log, 148
LAT (Local Address Table), 693
layer 2 forwarding (L2F) protocol, 575–576
ldsocket daemon, 25
letter frequency in monoalphabetic substitution, 587–589
libpcap program, 405
libraries (CGIs), 739–740
license managers, 58
linear cryptanalysis, 602–603
link-state routing protocol, Shortest Path First (SPF), 212–213
LISTEN (socket state), 38
little endian coding, 725
Livermore Software Laboratories PORTUS, 354–355, 370
Livingston FireWall IRX, 369
packet filter products, 350–352
loading code with Java, 720
Local Security Authority (LSA), Windows NT
logon process, 675–677
security model, 668
local variables, JVM stacks, 726–727
local0–7 (syslog file facility), 151
localhost loopback interface, 19
LOCK (DOS audit trail utility), 167
lockd daemon, 62
log files
analyzing
asax program, 160
chklastlog program, 160
chkwtmp program, 160
programs (code listings), 142–145
security problems, 168–169
syslog fake entries, 168
UUCP, 126–128
error messages, 127–128
troubleshooting network connections, 126
version 2, 139–140
Windows NT
Application Log, 163
Security Log, 164
System Log, 164
TCP/IP applications, 165–166
viewing, 163–164
LOGFILE, UUCP version 2, 139
logging
access to specific files, httpd service (Windows NT), 165
commands, 156–157
CPU time consumption, 157
crontab file usage, 153
dial-out facilities usage, 153
DOS utilities, 166
file system changes, 161
ftp connections (Windows NT), 164
logins, 148–150
messages, 150–152
netlog system sniffer, 161
system resource allocation, 157
user activity, 158
users, 152–153
utilities, tampering, 169
logging on
challenge/response authentication (Windows NT), 677–679
remote, 61
LOGIN FAILED (UUCP log file error message), 127
login prompts, 61
login-sh (authenticating login shell), 328–329
installation, 329
options, 328–329
logins
anonymous (UUCP), 125–126
CGI requests, 753
chat scripts, 113–116, 134–135
correcting for speed differences, 113, 134
lastlog file, 148
tracking, 148–150
current, 148–149
UTMP file, 148–150
LOGNAME (Permissions file keyword), 121
LOGNAME (Permissions file option), 121
logout (telnet command), 46
low-level protocol information, sniffing scenario, 178–181
lpd daemon, 25, 58
lpd-errs file, Unix audit logs, 154
lpr (syslog file facility), 151
lpsched daemon, 58
ls command, UUCP Device file ownership, 107
lsof (web site), 160
lsof program (open file listing), 160

M

-m (netstat command options), 35
MACHINE (Permissions file option), 121
MacPGP, 660
web site, 660
macro viruses, 770–773
ability to avoid detection, 772–773
Concept virus, 806, 845
Excel for Windows, 806
in Windows NT environment, 845
infection process, 806–807
on file servers, spreading, 812
on networks
increasing prevalence, 811–812
platform independence, 811–812
on peer-to-peer networks, spreading, 812
potential damage, 808
repairing, 837
virulence, 806
Word for Windows, 806
macros
global pools, 771–773
local pools, 771–773
versus assembly language programs, 772–773
mail (syslog file facility), 151
Mail Transport Agent, 60
mailing lists
8lgm, 852
bugtraq (network security holes), 386, 852
network security hole-related, 386
TIS Firewall Toolkit-related, 306
make install command (TIS Firewall Toolkit), 237
MAKERANDOM command-line option (PGP), 653
malicious ARP spoofing, case studies, 200–201
man command, 66
marginal trust relationships (PGP), 621–622, 630
MARGINALS_NEEDED configuration keyword (PGP), 651
mark (syslog file facility), 151
master boot record viruses
antivirus program overview, 835–836
complexity of infection, 786
dropper programs (Windows NT), 838
floppy disk booting (Windows NT), 838
hard drives, 762–763
infection process, 786–788
Michelangelo, 839–840
multipartite viruses (Windows NT), 838
new items, infecting, 788
NYB (B1 virus), 789
One-half, 839–840
potential damage, 789
repairing, 834–835
Stoned Monkey virus, 789
virus target, 763
Windows NT
bootup process, 839–840
virus behaviors, 838–840
Maxuuscheds (Basic Networking Utilities file), 99
Maxuuxqts (Basic Networking Utilities file), 99
MAY-POSTDATE flag, Kerberos tickets, 509–511
memory
failures, troubleshooting, 37
Java garbage collector, 701, 710
layout with Java, 718–719
managing with Java, 701, 710–711
printing usage, 35–38
runtime layout with Java, 702
swapper daemons, 57
Memory Control Block (MCB), DOS conventional memory, 796–799
memory resident infectors
anti-virus scanning problem, 802–803
fast infector types, 802–803
file virus types, 795–799, 802–803
infection process, 802–803
memory resident programs (TSRs), “hooking” computer viruses, 765–767
memory scanners
boot record viruses, 826–827
memory resident files, 826–827
rating criteria, 826–827
used for fast infectors, 826–827
mesg command, 433
message digest algorithms (MDAs), digital signatures, 571–572
messages
digital time stamping, 572
displaying error messages, uucico command (UUCP), 116, 135
e-mail
clearsigning with PGP, 646–647
compressing with PGP, 638
conventional encryption with PGP, 640
decrypting with PGP, 616–617, 643–645
decrypting without saving to file, 648
detached signatures with PGP, 647–648
digital signatures, 613–614
digital signatures, attaching with PGP, 637
encrypting with PGP, 615–616, 642–643
encryption, 637
filtering with PGP, 637–638
non-repudiation, 613
public key encryption, 641–642
sending with PGP, 639
signing with PGP, 640–643
verifying with PGP, 616–617, 643–645
Kerberos authorization data, 548
logging, 150–152
syslog, fake, 168
system, logging, 28
system monitoring, 71–72
UUCP log file error messages, 127–128
see also audit trails; logging; reports
method memory area, JVM stacks, 728–734
metric N command (ifconfig), 18
Microsoft Authenticode, code signing initiative, 576–577
Microsoft Proxy Server (Windows NT), 664–665
Microsoft web site, 576
Microsoft Word for Windows, global macro pools, 771–773
Milkyway Networks Black Hole, 354–355, 370
MIT Kerberos version 5, 498
mode (telnet command), 46
modems
calling time scheduling
UUCP L.sys file, 133
UUCP Systems file, 111
configuring
baud rates (UUCP systems), 112, 134
UUCP Devices file, 105–107
initiating calls, UUCP Dialers file, 108–110
network security attacks, 409–418
TCP connections, 430
UUCP networks, specifying phone numbers, 112
UUCP Systems file, retry numbers, 111
modulus
factoring, 603
RSA public key cryptography, 603
monitoring
ARP caches, 208–209
network hackers, 564–565
monoalphabetic substitution
letter frequency, 587–589
symmetric encryption, 584–589
versus Vigenère encryption, 590–593
mountd daemon, 62
SATAN showmount scans, 419
msg-type field (Kerberos)
KRB_AP_REQ message, 537
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 529
KRB_PRIV message, 543
KRB_SAFE message, 541
multicast addresses, 10
multipartite viruses, 811
boot record viruses (Windows NT), 838–840
infection process, 820
stealth and polymorphic behavior, 820
multitasking, 714
multithreading
Java, 710, 714
Java capabilities, 703
Windows NT, 665–666
mutually trusting machines, sniffing, 186
MYNAME (Permissions file keyword), 123, 651

N

-n (netstat command options), 35
-n (ping command option), 30
-n (rsh command options), 44
Name (BNU Devices file field name), 105
name resolution
DNS servers, 218
query efficiency, 219
named daemon, 27
names
domain, 15
network interfaces, 16
UUCP system names, 102–103
choosing, 103–104
length limitations, 102
setting, 103
naming
keys in PGP, 618–619
realms (Kerberos), 504–505
National Institute of Standards and Technology (NIST), Data Encryption Standard (DES), 594–597
National Science Foundation, 8
National Security Act of 1947, 485
National Security Agency web site, 855
National Security Institutes web site, 855
native viruses (Windows NT), 846
difficulty in propagation, 846
NEC Security Tools FTP site, 855
netacl (network access control) application, 245–249, 330–331
clauses, 246
configurations, 245–249
FTP connections, establishing, 247–249
installation, 331
options, 330–331
reports, 302–303
rules, 246
starting, 245
NetBIOS, name resolution on intranets, 679–680
netlog sniffer utility, 161, 414
NETLOGON utility (Windows NT), 675–677
NetMan, sniffing software, 176
netmask MASK command (ifconfig), 18
netmasks
defaults, 12
determining for subnets, 14
netperm table (TIS Firewall Toolkit), 244–245, 306–310
.netrc network configuration file, 49
netscan utility (TIS Firewall Toolkit), 295
Netscape
Java Archive Format (JAR), code signing initiative, 576–577
Java runtime engine, 732
Netscape Corporation web site, 855
netstat command, 26, 35–38, 158–159, 241
Network Address Translation (NAT), 356
application transport proxies, 356–357
network administrators, PC usage monitoring, 184–186
network analyzers
cost, 175–176
GUI interface, 175–176
sniffing capabilities, 174
Network General Corporation, 174
Network News Transport Protocol, see NNTP
network segmentation
insecure, 183
preventing sniffing, 181–182
secure, 183
network segments, security case study, 187–190
Network Systems Corporation, packet filter vendor, 350
Network-1 Firewall/Plus, 354–355, 370
web site, 682
network-level detection (ARP spoofing)
continuous monitoring, 208–209
detecting, 207
periodic polling, 207–208
networks
addresses, 9
octets, 10–11
pinging with netscan utility (TIS Firewall Toolkit), 295
subnets, 11–14
authentication methods
certificate-based, 572
encrypted passwords, 572
plaintext passwords, 572
two-factor, 572
configuration files
/etc/ethers, 20
/etc/ftpusers, 48
/etc/hosts, 19–20
/etc/hosts.equiv, 23
/etc/hosts.lpd, 25
/etc/inetd.conf, 22–23
/etc/networks, 20–21
/etc/passwd, 24
/etc/printcap, 25
/etc/protocols, 21
/etc/service, 21–22
/etc/sockcf, 25
/etc/strcf, 25
/etc/syslog.conf, 28
.netrc, 49
.rhosts, 23
connections
configuring (UUCP), 105–107
debugging, 40
testing, 108, 132–133
cryptography
eavesdroppers, 564–565
hackers, 564–565
daemons, exploitation by hackers, 395
debugging, 159
UUCP connections, 108
Ethernet sniffers, 159–160
file server infections, 809–810
file systems
unprivileged access scans by SATAN, 422–423
unrestricted exports, scanning with SATAN, 423
vulnerability to hackers, 401–402
hostnames, 14–15
hosts
services, 21–22
traffic logs, 158–159
inetd services, disabling, 240
interfaces, 16–17
configuring, 17–19
names, 16
PPP (Point-to-Point Protocol), 17
SLIP (Serial Line Internet Protocol), 17
local machine status, 31–32
macro viruses
impracticality of write protection to DOC files, 811–812
increasing prevalence, 811–812
platform independence, 811–812
memory and printing usage, 35–38
operating systems, hacker determination via telnetd info, 389–391
peer-to-peer environment, file virus infections, 810
physical security, 182
realms (Kerberos), 479–480
intercommunication, 507
naming, 504–505
remote shell access, SATAN scans, 425–427
root access
hacker acquisition of, 379–380
illegal, preventing, 379
routing programs, exploitation by hackers, 403
SATAN scans, detecting, 413–414
security
attacks, modem-based, 409–418
attacks on, 373–386
attacks on, acquiring login accounts, 378–379
attacks on, acquiring root access, 379–380
attacks on, characterizing, 378–381
attacks on, extending access by hackers, 380–381
detecting vulnerabilities via public documentation, 407–418
evaluating for weaknesses, 408–418
FTP sites regarding, 386
hacker-generated patches, 408
holes, 381–385
holes, detecting, 387–409
holes, mailing lists regarding, 386
holes, newsgroups regarding, 386
improving with firewalls, 417–418
improving with Kerberos, 414–415
improving with Secure Shell program, 416
improving with SSL, 416–417
Internet Threat Levels, 374–378
SATAN searches for breaches, 376
scanning with SATAN, 419–420
testing with SATAN, 372–373
web sites regarding, 386
security problems, 564–565
segmenting, 181–182
services
denial reports (TIS Firewall Toolkit), 301
reducing active processes, 239
SATAN scans, 420
status displays, 238
vulnerability to hackers, 440
sniffing, exploitation by hackers, 404–405
SNMP (Windows NT), logging local activity, 165
statistic displays, 241
subsystems, querying, 35–38
Sun Microsystems addresses, 11
TCP connections, vulnerability to hackers, 383
TCP traffic, monitoring, 161
types, 16
user accounts
hacker acquisition of, 378–379
passwords, cracking, 379
UUCP (Unix to Unix CoPy), 100–101
calling time scheduling, 111, 133
configuring, 105–107
debugging connections, 116–117
defining, 110–113
Permissions file, 120–125
virus categories
file-based LANs, 809
Internet networks, 809
peer-to-peer networks, 809
see also octets; subnets
news (syslog file facility), 151
newsgroups
connecting with plug-gw application (TIS Firewall Toolkit), 289–292
Kerberos-related, 553
network security hole-related, 386
TIS Firewall Toolkit-related, 305
NFS
unprivileged access, SATAN scans, 422–423
unrestricted exports, scanning with SATAN, 423–424
watch utility, 161
web site, 161
nfsbug program (hacking network file systems), 401
nfsd daemon, 62
nfsmenu program (hacking network file systems), 401
nfsshell program (hacking network file systems), 401
NIS servers
exploitation by hackers, 402
password protection, 431
SATAN scans, 424
vulnerability to hackers, 402
NIST (U.S. National Institute of Standards and Technology), 855
NNTP (Network News Transport Protocol), 289–292
connections with plug-gw application (TIS Firewall Toolkit), 289–292
vulnerability to/exploitation by hackers, 403
No Access security mode, Java applets, 731
NO CALL (RETRY TIME NOT REACHED) (UUCP log file error message), 127
NO DEVICES AVAILABLE (UUCP log file error message), 128
no trust relationships (PGP), 621–622, 630
nobody UIDs, 743
nodename, 102
non-intrusive proxies, 357
non-proxy-aware HTTP clients, 271–272
non-repudiation
cryptography goals, 566–567
e-mail messages, 613
non-reversible “quick” encryption, 560
nonce
challenge/response authentication (Windows NT), 677–679
field
KRB_CRED message, 546
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 531
NOREAD (Permissions file keyword), 122
Norton Disk Doctor
floppy disks, repairing, 833–834
repairing
floppy boot record viruses, 782
partition boot record viruses, 785
Norton Disk Editor, repairing partition boot record viruses, 785
notice (syslog file severity level), 152
NSFNet, 8
NTFS (NT File System), boot record viruses, 841–842
NULL encryption systems, 493
NWRITE (Permissions file keyword), 122
NYB (B1 virus)
master boot record viruses, 789
system memory infection, 789

O

object-oriented programming with Java, 702–703
obtaining
certificate authorities, secure channels, 574–575
digital certificates, 569–570
Secure Sockets Layer (SSL), 690–691
public keys, 568–569
token authentication devices, 572–574
octets, address values
maximum, 11
reserved, 11
OFB (Output Feedback Mode) encryption, 488
off (run level action field), 75
OK (UUCP log file error message), 128
ONC clients, RPC server support, 62
once (run level action field), 75
ondemand (run level action field), 75
one-time password programs, 432
one-way encryption
digital certificates, 561–562
digital signatures, 561–562
one-way trust, connecting segments, 186–187
online documentation (SATAN), 464–465
OOP (object-oriented programming), 702–703
opcodes (Java), 717–718
open (telnet command), 46
operand stacks (JVMs), 717–718, 727
Opus One Consulting, 346
OSF DCE Kerberos-based security, 498–501
overwriting COM files with file viruses, 792

P

-p (finger command option), 34
-p (rcp command options), 43
-p pattern (ping command option), 30
-p protocol-name (netstat command options), 35
packet filters
disadvantages, 347
firewalls, 347
performance guidelines for firewalls, 364–365
router architecture, 349–350
router products
Cisco 2500 series router, 350–352
Livingston FireWall IRX, 350–352
stateful, 352
vendors
3Com Corporation, 350
Bay Networks, 350
Cisco Systems, 350
Livingston Enterprises, 350
Network Systems Corporation, 350
packet sniffer programs, 438
packets
RIP security issues, 433
sniffing, exploitation by hackers, 404–405
padata field
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 529
padata-type field, KRB_KDC_REQ message, 530
PAGER configuration keyword (PGP), 651
partition boot record viruses
antivirus programs overview, 835–836
boot-up activation, 782–783
Form virus, damage potential, 786
infection process, 783–785
new items, infecting, 785
potential damage, 785
repairing, 785, 835
stealthing technique, 785
pass phrases (PGP), 610
keys, 624
vulnerability to hackers, 655
passive attacks, DNS servers, spoofing, 221–222
passive participants, Routing Information Protocol (RIP), 213–215
passwords
authentication mechanisms, 360–361
backdoor, 169
challenge-response method, 573–574
clear text, 190–191
encrypted, 190–194, 573–574
equivalency, 23–25
files, genUSER program, 144–145
FTP access, 48–50
ftpd, 431
NIS servers
protecting, 431
SATAN scans, 424
one-time, 432
plaintext, 573–574
protection, 430–432
rlogin protocol, 191–192
selection enforcement programs, 432
shadow files, 431
smart card security programs, 432
sniffing, 177
system security, Ethernet sniffers, 159
transmission, 190–196
user accounts, cracking, 379
zero-knowledge authentication, 194–195
patches, hacker-generated, 408
patimestamp field, KRB_KDC_REQ message, 530
pausec field, KRB_KDC_REQ message, 530
PC/DACS (DOS audit trail utility), 166–167
pcnfsd daemon, 62
peer-to-peer networks
boot viruses, 811
file virus infection on networks, 810
macro viruses, spreading, 812
performance guidelines (firewalls)
application level proxies, 365–366
packet filtering, 364–365
transport level proxies, 365–366
PERL (Practical Extraction and Reporting Language)
CGI libraries, 739
CGI programming, 747–750
daemons, creating, 67–72
SATAN, 444, 454–455
permanent ARP cache entries, inserting, 202–203
permission files (UUCP version 2), 136–139
debugging, 137
permissions
add (Windows NT), 674–675
add and read (Windows NT), 674–675
change (Windows NT), 674–675
execute (Windows NT), 689
full control (Windows NT), 674–675
list (Windows NT), 674–675
no access (Windows NT), 674–675
read
Internet Information Server (IIS), 689
Windows NT, 674–675
special access, USERFILE (UUCP version 2), 138
versus rights, 674
write, Internet Information Server (IIS), 689
Permissions (Basic Networking Utilities file), 99
Permissions file (UUCP), 120–121
anonymous login, 125–126
defaults, 120–121
entry rules, 123
keywords, 121–123
validating hostnames, 124
personal tunneling, 360–361
PGP (Pretty Good Privacy), 605–606
add-on utilities, 657–660
armor mode, 639
binary distribution, 609–611
binary files, vulnerability to hackers, 657
brute force hacker attacks, 654–655
clearsigning e-mail messages, 646–647
compressing e-mail messages, 638
configurations, 649–654
conventional encryption, 640
decrypting e-mail messages, 616–617, 643–645
detached signatures, 647–648
encrypting e-mail messages, 615–616, 642–643
filtering e-mail messages, 637–638
For Her Eyes Only messages, 648
history of, 606–608
integration with Unix mailers, 659
keys
adding to public key rings, 614–615, 626–628
distributing, 612–613
extracting from public key rings, 628–629
fingerprints, 635–636
generating, 611–612, 623–626
management, 622–637
naming, 618–619
pass phrases, 624
pass phrases, vulnerability to hackers, 655
public key rings, 619, 633–654
public key rings, vulnerability to hackers, 656
removing from key rings, 633–634
removing signatures from, 633–634
revoking, 636–637
secret key rings, 620
secret key rings, vulnerability to hackers, 655–656
signing, 629–632
trust relationships, 620–622, 630
userids, creating, 624–626
verifying, 635–636
Macintosh-compatible, 660
pass phrases, 610
practical applications, 607–608
processing binary files, 638–639
processing text files, 638–639
public keyservers, 658
security, 654–657
sending e-mail messages, 639
signing e-mail messages, 640–643
UNIX interface, 658–659
verifying e-mail messages, 616–617, 643–645
Windows front-end applications, 659
wiping files, 648–649
PGP and IDEA Archives web site, 855
PGPMenu Unix interface for PGP, 658–659
Phone (BNU Systems file field name), 112
PIDs (process identifiers), procuring, 240
ping command, 29–31
BSD Unix, 31
fault isolation, 31
options, 29–30
pinging
network addresses with netscan utility (TIS Firewall Toolkit), 295
servers to determine firewall/Internet connections, 389
PKE (public key encryption), 608
plug gateways, 355–356
plug-gw (plugboard connectivity) application, 288–294, 332–333
bugs, 333
clauses, 288–289
configurations, 288–289
installation, 333
NNTP connections, 289–292
POP connections, 292–294
rules, 288–289
pname field, KRB_CRED message, 546
point-to-point leased lines, 8
point-to-point tunneling protocol (PPTP), 575–576
Poll (Basic Networking Utilities file), 99
polling ARP caches, network-level detection, 207–208
polymorphic viruses
computer virus classes, 812–813
development of generic decryption (GD) technique, 824–826
difficulty in detection, 812–813
encrypted state, 812–813
infection process, 812–813
virus scanner ineffectiveness, 822–826
POP (Post Office Protocol), 292
connections with plug-gw application (TIS Firewall Toolkit), 292–294
portability of Java, 699
portmap programs
exploitation by hackers, 396–397
rexd services, vulnerability to hackers, 405
secure, 397
vulnerability to hackers, 384
ports
block strategy, 685–686
configuring
Proxy Server, 686
Windows NT, 685–686
connecting to TCP ports, 47
filtering, 685–686
versus firewalls, 686
Kerberos assignments, 551–552
scanning by SATAN, 407
TCP, scanning by hackers, 395–396
UDP, scanning by hackers, 395–396
portscan utility (TIS Firewall Toolkit), 294
scanning TCP services, 241
POST method (CGI data input), 741–742
Post Office Protocol, see POP
POSTDATED field, Kerberos tickets, 527
POSTDATED flag, Kerberos tickets, 510–511
pound (#) symbol in network configuration file, 20
powerfail (run level action field), 75
powerwait (run level action field), 75
PPP (Point-to-Point Protocol), 17
PRE-AUTHENT flag, Kerberos tickets, 510–512
prealm field, KRB_CRED message, 546
preauthenticated tickets (Kerberos), 510
prepending COM files with file viruses, 791–792
Pretty Good Privacy, see PGP
preventing
ARP spoofing, 201–204
routers, 203–204
boot record viruses, 833–836
DNS servers, spoofing attacks, 220–221
executable file viruses, 836
illegal root access, 379
macro viruses, 837
route spoofing, 215–216
sniffing
network segmentation, 181–182
trust relationships, 182
TCP connections to local services from remote systems, 396
UDP connections to local services from remote systems, 396
primary domain controller (Windows NT), 670–671
principal names on Kerberos servers, 506
print command, 68–69
print spoolers, 58
printing
error logs, 154
lpd daemon, 58
network memory usage, 35–38
print spoolers, 58
spool area handler, 25
Private Communication Transport (PCT)
secure channel technologies, 574
versus Secure Sockets Layer (SSL), 575
private key encryption, 487
probes, 39
process accounting
disk space consumption, 156
enabling, 156
reports, 156–157
Unix audit logs, 155
process identifiers (PIDs), procuring, 240
process table, 52–53
processes
listing files in use (lsof program), 160
monitoring daemons, 69–72
network services, reducing activity, 239
reports, 158
processing
binary files with PGP, 638–639
certificate-based transactions, 569
Data Encryption Standard (DES) algorithm, 595–597
messages
digital certificates, 569
digital signatures, 571–572
text files with PGP, 638–639
procmon command, 84
procmon daemon, 69–72
procmon.cfg configuration file, 70–71
procmon.cmd configuration file, 70
product comparisons (firewalls)
application level proxies, 365–366
flexibility, 359–361
packet filtering, 364–365
summary evaluation, 369–370
transport level proxies, 365–366
program file viruses
COM, 767
EXE, 767
SYS, 767
Program Segment Prefix (PSP), DOS conventional memory, 796–799
programming CGIs
in C, 750
in C++, 750
in PERL, 747–750
in safe languages, 750–751
programs
compared to daemons, 52
daemons, 9
promiscuous mode, broadcast addresses, 175
Properties command (Java Appletviewer), 730
protecting
IP addresses from spoofing, 436–437
passwords, 430–432
protocols
address resolution protocol, 40
boot, implementing, 26
DARPA, 21
embedding Kerberos tickets, 478
File Transfer Protocol, 47–50
HTTP (HyperText Transfer Protocol)
integration with Java, 733
restricting access to CGIs with, 740
ICMP (Internet Control Message Protocol), 29
NNTP (Network News Transfer Protocol)
connections with plug-gw application (TIS Firewall Toolkit), 289–292
vulnerability to/exploitation by hackers, 403
POP (Post Office Protocol), 292
connections with plug-gw application (TIS Firewall Toolkit), 292–294
RIP (Routing Information Protocol)
security issues, 433
SNMP (Simple Network Management Protocol), 26
SSL (Secure Sockets Layer)
httpd randomization, vulnerability to hackers, 382
TCP/IP (Transmission Control Protocol/Internet Protocol), 9
configuring for TIS Firewall Toolkit, 242–243
SATAN scans, 419
UDP (User Datagram Protocol), SATAN scans, 419
vulnerability to network security attacks, 374
Xerox NS Routing Information Protocol, 26, 61
proxiable tickets (Kerberos), 511
proxied tickets (Kerberos), 511
proximity settings, SATAN scans, 464
proxy-aware HTTP clients, 272
PROXY field, Kerberos tickets, 527
PROXY flag, Kerberos tickets, 509–511
Proxy Server
configuring for Internet, 683–684
downloading, 694–696
dual-homed connections, 683–684
filtering options, 692–693
deny access, 692–693
grant access, 692–693
FTP, 692
hardware configurations, 692
HTTP, 692
installing, 692
Internet access process, 691–692
LAT (Local Address Table), 694
ports, configuring, 686
RealAudio, 692
VDOLive, 692
ps command, 52, 157
pty files, security issues, 432–433
PUBDIR (Permissions file keyword), 123
public key certification, Windows NT Directory Services, 696
public key cryptography
encrypted passwords, 193–194
key pairs, generating, 600–601
public key encryption, 486, 558–559, 608
e-mail messages, 641–642
messaging process, 559–562
obtaining, 568–569
uses, 561
public key infrastructure (PKI), X.509 specification, 570–571
public key rings (PGP), 619
adding keys to, 626–628
extracting keys from, 628–629
viewing contents, 632–654
vulnerability to hackers, 656
public keyservers (PGP), 658
public web servers, connecting Internet Information Server (IIS), 682–683
PUBRING configuration keyword (PGP), 652
Purdue University COAST Lab, 225
pvno field (Kerberos)
KRB_AP_REP message, 538
KRB_AP_REQ message, 537
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 529
KRB_PRIV message, 543
KRB_SAFE message, 541
Python CGI programming language, 751

Q - R

-q (finger command option), 34
-q (ping command option), 30
query efficiency, DNS servers, 219
question mark (?) in process tables, 53
question mark (?) telnet command, 46
quit (telnet command), 46
-R (ping command option), 30
-r (netstat command options), 35
-r (ping command option), 30
-r (rcp command options), 43
-r (ruptime command option), 32
r-address field
KRB_CRED message, 546
KRB_SAFE message, 542
r-commands, rlogin protocol, 192
R_stat (UUCP version 2 file), 100
R_sub (UUCP version 2 file), 100
RANDSEED configuration keyword (PGP), 652
Raptor Eagle, 354–355
Raptor Systems web site, 682, 855
RARP (Reverse Address Resolution Protocol), 26
daemon, 26
server level detection (ARP spoofing), 206
use by diskless machines, 206
rating
behavior blockers, 831–832
heuristic scanners, 832–833
integrity checkers, 830–831
memory scanners, 826–827
virus scanners, 825–826
RC ciphers
designed as replacement for DES, 599
level 2, 599
level 4, 599
level 5, 599
limited key size, 599
RSA Data Security development, 599
rcmd command, 45
RCMP Information Technology web site, 855
rcp command, 43
READ (Permissions file keyword), 122
read permission, Internet Information Server (IIS), 689
read stealth viruses
antivirus programs, 837
repairing, 836–837
realms (Kerberos), 479–480
intercommunication, 507
Kerberos tickets, 514
KRB_KDC_REQ message, 531
naming, 504–505
records, SATAN databases, 467–471
recursive resolution, DNS servers, 219
registers (JVMs), 726
Registry Editor (Windows NT), disabling, 164
Reload command (Java Appletviewer), 730
remote command execution, 139
REMOTE DOES NOT KNOW ME (UUCP log file error message), 128
REMOTE HAS A LCK FILE FOR ME (UUCP log file error message), 128
remote hosts, connecting with rlogin-gw application (TIS Firewall Toolkit), 258
remote login, 61
REMOTE REJECT AFTER LOGIN (UUCP log file error message), 128
REMOTE REJECT, UNKNOWN MESSAGE (UUCP log file error message), 128
remote shell access, SATAN scans, 425–427
removing
PGP keys from key rings, 633–634
signatures from PGP keys, 633–634
RENEW field, Kerberos tickets, 528
renew-till field
Kerberos tickets, 514
KRB_CRED message, 546
KRB_KDC_REP message, 533
RENEWABLE field, Kerberos tickets, 527
renewable tickets (Kerberos), 510–512
RENEWABLE-OK field, Kerberos tickets, 527
repairing
boot record viruses, 833–836
computer viruses, read stealth type, 836–837
file viruses, executables, 836
files, integrity checkers, 829–831
floppy boot record viruses, 782
floppy disks, infected, 833–834
macro viruses, 837
master boot record viruses, 834–835
partition boot record viruses, 785, 835
report utilities (TIS Firewall Toolkit), 296–310
reports
authentication server (TIS Firewall Toolkit), 300–301
FTP site usage (TIS Firewall Toolkit), 302
http-gw application (TIS Firewall Toolkit), 302
netacl application (TIS Firewall Toolkit), 302–303
network connections, 158–159
network service denials (TIS Firewall Toolkit), 301
open files (lsof program), 160
process accounting, 156–157
processes, 158
rlogin-gw application (TIS Firewall Toolkit), 304–305
SATAN scans, 460–462
smap application (TIS Firewall Toolkit), 303–304
system access, sorting, 150
system activity, 149–150
system resource allocation, 157
tn-gw application (TIS Firewall Toolkit), 304–305
see also audit trails; logging; messages
req-body field, KRB_KDC_REQ message, 530
REQUEST (Permissions file keyword), 121
requests, tickets
via Authentication Service exchange, 517–520
via Ticket Granting Service exchange, 520–526
require command, 71
reserved addresses, 11
RESERVED field, Kerberos tickets, 527–528
RESERVED flag, Kerberos tickets, 509–510
resolution (Domain Name Service)
iterative type, 219
recursive type, 219
resolving domain names, 218–219
respawn (run level action field), 75
Restart command (Java Appletviewer), 730
restricting
CGI access, 743
with HTTP, 740
SSI access, 746
retro viruses
antivirus neutralization, 819
infection process, 819
Reverse Address Resolution Protocol, see RARP
revoking PGP keys, 636–637
rexd services (portmap programs)
SATAN scans, 427
vulnerability to hackers, 405
RFCs (request for comments), 480
IP encryption technology, 231–232
Kerberos, 480
.rhosts network configuration file, 23
rights
versus permissions, 674
Windows NT
groups, 674
users, 674
RIP (Routing Information Protocol) security issues, 433
RISC (Reduced Instruction Set Computing) CPUs, 723
Rivest, Shamir & Adleman, see RSA
rlogin command, 42–45
rlogin protocol
host equivalence file, 191–192
password authentication, 191–192
r-commands, 192
security holes, 192–193
vulnerability to ARP spoofing, 192
vulnerability to DNS spoofing, 192
rlogin-gw application (TIS Firewall Toolkit), 334–335
clauses, 256
configurations, 255–259
connecting to remote hosts, 258
host access rules, 258–259
installation, 336–337
options, 334–335
reports, 304–305
rules, 256
verifying operations, 259
rlogind daemon, 61
Ron Rivest’s Security Links web site, 604
root access (networks)
hacker acquisition of, 379–380
illegal, preventing, 379
root directories, 760
rootkit program (hacker coverup), 380
route spoofing, 210
case studies, Routing Information Protocol (RIP), 213–215
deactivating Internet Control Message Protocol (ICMP), 210–211
preventing, 215–216
process, 210
routed daemon, 26–27, 61
router-based architecture for firewalls, 349–350
routers, 12
case studies, ARP spoofing, 204–205
decentralized organizations, 350–352
effect on ARP spoofing, 203–204
preventing ARP spoofing, 203–204
stateful packet filters, 352
routes
dynamic, 27
probes, 39
static, 27
tracing, 38–39
Routing Information Protocol (RIP)
as passive participants, 213–215
GateD software, 215–216
hop counts, 213
part of Xerox Networking System (XNS), 213
route spoofing
case studies, 213–215
preventing, 215–216
vector distance protocol, 213
routing metric, 18
routing protocols
borders, 212
external, 211–213
internal, 211–213
link-state, 212–213
vector distance, 212–213
routing tables, 26–27, 61
querying, 35
rpc.statd daemon, 62
RSA (Rivest, Shamir & Adleman)
algorithm, public key cryptography, 600–601
checksums, 496
cryptographic web site, 852
Data Security web site, 599
keys, hacking, 654–655
modulus, 603
public key cryptosystem, 559
RSA’s Crypto FAQ web site, 604
rsh command, 44
rtime field, KRB_KDC_REQ message, 531
rules (TIS Firewall Toolkit)
authsrv, 278–279
ftp-gw, 260
http-gw, 271
netacl, 246
plug-gw, 288–289
rlogin-gw application, 256
smap client, 266
smapd, 268
tn-gw, 250–251
writing, 255
rulesets, SATAN scans, 471–474
run levels, 57, 73–76
action fields, 74–76
adjusting, 73
SCO OpenServer 5.0, 73–74
viewing current, 76
running
CGIs
from controlled file system web servers, 744
under program owner UIDs, 744–745
with minimum privileges, 743–744
code with Java, 719–722
SATAN from web browsers, 429–430
SATAN scans, 466–467
runtime checking (Java), 713
runtime environment (Java), 707
runtime memory layout (Java), 702
runtime reference resolution (Java), 712
ruptime command, 31–32
rusers program, exploitation by hackers, 399–401
rwall program (RPC services), 433
vulnerability to hackers, 385
rwho command, 32
RWHO daemon, 28
rwho program, exploitation by hackers, 399–401

S

-s (finger command option), 34
-s (netstat command options), 35
-s packetsize (ping command option), 30
-s host address (arp command options), 40
s-address field
KRB_CRED message, 546
KRB_SAFE message, 542
S/KEY, zero-knowledge authentication mechanism, 194–195
sa command, 157
safe-body field, KRB_SAFE message, 541
safecgiperl CGI programming language, 751
SATAN (Security Administrator Tool for Analyzing Networks), 371–373, 410
Admin Guide to Cracking documentation, 465
benefits of, 476
building, 455–476
CIAC web site, 412
components, 410
configurations, 462–464
Control Panel, 457
databases, 458
facts records, 467–470
host records, 470–471
records, 467–471
todo records, 471
detecting scans by, 413–414
directories
bin, 444–445
config, 443
html, 445
html/admin, 450
html/data, 450
html/docs, 445–446
html/dots, 446–447
html/images, 447
html/reporting, 447–448
html/running, 448–449
html/tutorials, 449
html/tutorials/vulnerability, 449
include, 443
perl, 454–455
perllib, 444
rules, 443
src, 450
src/boot, 450
src/fping, 452–453
src/misc, 451
src/nfs-chk, 451
src/port_scan, 452
src/rpcgen, 453
src/yp-chk, 453–454
top-level, 442
downloading, 441–442
FTP sites, 441–442
history of, 410–411
HTML interface, 456–465
impact on network security, 412–413
online documentation, 464–465
Reference documentation, 465
running from web browsers, 429–430
scanning
portmap program services, 397
ports, 407
servers for remote access services, 396
scans
extensions, adding, 474–475
ftpd, 420–422
heavy, 420
IP spoofing, 434–437
light, 419
NIS server password files, 424
normal, 419–420
portmap program forwarding, 424–425
proximity settings, 464
remote shell access, 425–427
result reports, 460
rexd services, 427
rulesets, 471–474
running, 466–467
selecting targets, 459–460
sendmail program, 427–428
tftpd file access, 425
unprivileged NFS access, 422–423
unrestricted NFS exports, 423–424
X servers, 428–429
vendor reaction to, 412–418
versus other network security evaluation programs, 412
Vulnerabilities Tutorials documentation, 465
scanning
ftpd with SATAN, 420–422
network security with SATAN, 419–420
ports by SATAN, 407
TCP ports by hackers, 395–396
TCP services with portscan, 241, 294
UDP ports by hackers, 395–396
web servers for vulnerability, 402
scans (SATAN)
extensions, adding, 474–475
ftpd, 420–422
heavy, 420
IP spoofing, 434–437
light, 419
NIS server password files, 424
NIS servers, 424
normal, 419–420
portmap program forwarding, 424–425
proximity settings, 464
remote shell access, 425–427
result reports, 460
rexd services, 427
rulesets, 471–474
running, 466–467
selecting targets, 459–460
sendmail program, 427–428
tftpd file access, 425
unprivileged NFS access, 422–423
unrestricted NFS exports, 423–424
X servers, 428–429
sci.crypt, 857
SCO OpenServer 5.0, 73–74
SCO Unix dialer programs, 108
SCO Unix operating system, /etc/inetd.config file, 22
sco_cpd daemon, 58
scripts, chat, 109–110
searchlists, DNS security issues, 434
secret key encryption, 486–487, 608
digital envelope, 577
overview, 577
uses, 561
secret key rings (PGP), 620, 633
viewing contents, 632–633
vulnerability to hackers, 655–656
SECRING configuration keyword (PGP), 652
secure channels
cryptographic tools, 566–567
future initiatives, 575
obtaining certificate authorities, 574–575
technologies
Private Communication Transport (PCT), 574
Secure Sockets Layer (SSL), 574
Secure Electronic Transaction (SET) protocol
credit card transactions, 576–577
development, 576–577
Secure Hash Algorithm (SHA), digital signatures, 571–572
secure portmap programs, 397
Secure RPC, Diffie-Hellman algorithm, 194
secure rpcbind programs, 397
Secure Shell FTP site, 856
Secure Shell program (network security), 416
Secure Sockets Layer (SSL), 195
defined, 690–691
digital certificates, 690–691
httpd randomization, vulnerability to hackers, 382
Internet Information Server (IIS) session encryption, 687–688
secure channel technologies, 574
versus Private Communication Transport (PCT), 575
vulnerability to SATAN, 416–417
web sites, 417
Windows NT Directory Services, 696
Secure Telnet FTP site, 856
secure user segments, sniffing, 184–185
security
applet modes, 731–732
application gateways, 353
application proxies, 348
ARP requests, discontinuing, 201
ARP spoofing
detecting, 201, 205–209
host-level active detection, 206
host-level passive detection, 205
network-level detection, 207
preventing, 201–204
server-level detection, 206
circuit gateways, 347–348
confidential data, sniffing, 178
encrypted passwords, 193–194
encryption overview, 195
firewalls
assessments, 367–368
selection criteria, 348–349
summary product evaluations, 369–370
FTP sites, 853
hardware address spoofing, 196–197
http-gw application (TIS Firewall Toolkit), 327–328
Internet Information Server (IIS), 687–691
Java, 698–702, 715–716, 728–734
networks
attacks, modem-based, 409–418
attacks on, 373–386
attacks on, acquiring login accounts, 378–379
attacks on, acquiring root access, 379–380
attacks on, characterizing, 378–381
attacks on, extend access by hackers, 380–381
detecting vulnerabilities via public documentation, 407–418
evaluating for weaknesses, 408–418
FTP sites regarding, 386
hacker-generated patches, 408
holes, 381–385
holes, detecting, 387–409
holes, mailing lists regarding, 386
holes, newsgroups regarding, 386
improving with firewalls, 417–418
improving with Kerberos, 414–415
improving with Secure Shell program, 416
improving with SSL, 416–417
Internet Threat Levels, 374–378
SATAN searches for breaches, 376
scanning with SATAN, 419–420
testing with SATAN, 372–373
web sites regarding, 386
packet filtering, 347
passive participants, Routing Information Protocol (RIP), 213–215
passwords
management strategy, 177
shoulder surfers, 177
social engineers, 177
transmission, 190–196
zero-knowledge authentication, 194–195
PC usage, 184–186
PGP, 654–657
rlogin protocol problems, 192–193
route spoofing, 210
routers in decentralized organizations, 350–352
segments, case study, 187–190
sniffing
defined, 174
financial account numbers, 177–178
low-level protocol information, 178
network analyzers, 174
process overview, 174–176
trust relationships, 182
stateful packet filters, 352
UseNet newsgroups, 857
vendors, 852
web sites, 853
Security Account Manager (SAM), Windows NT security model, 668
Security Dynamics web site, 574, 599
Security Log (Windows NT), 164
Security Reference Monitor (Windows NT), 668
segmenting networks, 181–182
segments
insecure, deployment strategies, 187
networks, defined, 181–182
one-way trust, connecting, 186–187
security
case study, 187–190
deployment strategies, 187–190
selecting
firewall criteria, 348–349
stateful packet filters, 355–356
transport firewalls, 355–356
selective caching, 224–225
send (telnet command), 46
SENDFILES (Permissions file keyword), 121
sending e-mail messages with PGP, 639
sendmail, 9
sendmail daemon, 47, 60
Unix audit logs, 153
vulnerability to hackers, 60
sendmail program
bounce to program hole, 381
-C option, vulnerability to hackers, 385
-d debug hole, 381
exploitation by hackers, 393–395
SATAN scans, 427–428
syslog buffer, vulnerability to hackers, 382
vulnerability to hackers, 393–395
web site, 408
sendmail proxy application, see smap application; smapd application
sensitive data, sniffing, 178
seq-number field
Kerberos ticket authenticators, 516
KRB_SAFE message, 541
SEQF (UUCP version 2 file), 100
Serial Line Internet Protocol (SLIP), 17
server level detection, detecting ARP spoofing, 206
Server Message Blocks (SMB), 684–685
security weaknesses, 684–685
Server Side Includes (SSI)
access restrictions, 746
alternatives to, 746–747
CGIs, 746–747
servers
authentication server (TIS Firewall Toolkit), 276–288
bootpd servers, vulnerability to hackers, 397–399
exploitation by hackers, 397–399
ftpd servers, vulnerability to hackers, 391–393
hostnames, hacker access to, 387–389
identd servers, vulnerability to exploitation by hackers, 404
inetd super-server, 28
Kerberos
authentication servers, 479
principal names, 506
protection, 414–415
NFS servers, vulnerability to hackers, 384
NIS servers
exploitation by hackers, 402
passwd files, SATAN scans, 424
password protection, 431
SATAN scans, 424
vulnerability to hackers, 402
pinging to determine firewall/Internet connections, 389
remote, updating remote server database, 28
SNMP servers, vulnerability to/exploitation by hackers, 406–407
starting, 61
web servers
CGI request logins, 753
CGI security issues, 744
CGI trust relationships, 740
converting from root to controlled file systems, 744
SSL protection, 416
X servers, SATAN scans, 428–429
X Windows servers, vulnerability to hackers, 405
services
configuring (Windows NT), 684–685
disabling (Windows NT), 684–685
networks, 21–22
denial reports (TIS Firewall Toolkit), 301
reducing active processes, 239
status displays, 238
vulnerability to hackers, 440
SATAN scan rulesets, 473
TCP
accessing with netacl, 245
scanning with portscan, 241, 294
SESAME (network authentication program), 478, 499
set (telnet command), 46
shadow password files, 431
“shared secret”, challenge/response authentication (Windows NT), 677–679
shell histories, history logs, 155
showmount command, 62
showmount scans (SATAN), 419
SHOWPASS configuration keyword (PGP), 652
SIGABRT (signal), 65
SIGALRM (signal), 65
SIGBUS (signal), 65
SIGCHLD (signal), 65
SIGCONT (signal), 65
SIGEMT (signal), 65
SIGFPE (signal), 65
SIGHUP (signal), 65
SIGILL (signal), 65
SIGINT (signal), 65
SIGIO (signal), 65
SIGKILL (signal), 65
SIGLOST (signal), 65
signal library functions, 66
signals, 64–65
BREAK chat scripts (UUCP), 113, 134
trapping, 64–66, 69
signing
e-mail messages with PGP, 640–643
PGP keys, 629–632
SIGPIPE (signal), 65, 69
SIGPROF (signal), 65
SIGQUIT (signal), 65
SIGSEGV (signal), 65
SIGSTOP (signal), 65
SIGSYS (signal), 65
SIGTERM (signal), 65
SIGTRAP (signal), 65
SIGTSTP (signal), 65
SIGTTIN (signal), 65
SIGTTOU (signal), 65
SIGURG (signal), 65
SIGUSR1 (signal), 65
SIGUSR2 (signal), 65
SIGVTALRM (signal), 65
SIGWINCH (signal), 65
SIGXCPU (signal), 65
SIGXFSZ (signal), 65
sites
ActivCard, Inc., 574
Ascend, 683
ASCOM, 599
AT&T, 854
Bellcore, 194
Canadian Security Intelligence Service, 854
Central Intelligence Agency, 854
CERN WWW Consortium, 854
Checklist, 856
Checkpoint Software Technologies, 682
CIAC, 854
Cisco Systems, 576
COAST Project, 854
CommerceNet, 570
Computer Systems Consulting, 854
Computer Virus Help Desk, 604
Counterpane, 599
Cypherpunks, 854
Datakey, Inc., 574
Digital Pathways, 574
FBI, 854
Fremont, 854
FTP
Argus network management program, 354, 414
binary files, integrity of, 439–440
Bones, 499
CERT, 850–851, 854
CIAC group, 850
Ckpasswd, 854
COAST project, 850
connecting to with ftp-gw application, 263
connecting to with netacl, 247–249, 264
COPS, 854
DDN Security Bulletins, 854
FIRST, 851
Fremont network security evaluation system, 412
Greatcircle, 855
ISS network security evaluation program, 412
Kerberos Information, 855
NEC Security Tools, 855
netlog program, 414
network security-related, 386
SATAN, 441–442
Secure Shell program, 416, 856
Secure Telnet, 856
SNMP FTP Archives, 856
socks IP encapsulation program, 418
TCP wrappers (SATAN scan detection program), 414
Texas A&M University Security Archives, 856
TIS FTP Archive, 856
usage reports (TIS Firewall Toolkit), 302
Vince Cate’s Security Page, 856
Wietse Venema (co-creator of SATAN), 411, 856
Xinetd SATAN scan detection program, 414
Gabriel, 854
GateD Consortium, 215
Gene Spafford, 855
Gopher sites, connecting to with http-gw, 270–275
Innovative Security Products Security, 855
Internet Engineering Task Force, 575
Internet RFC Index, 855
Microsoft, 576
National Security Agency, 855
National Security Institutes, 855
Netscape Corporation, 855
Network-1 Software, 682
NIST (U.S. National Institute of Standards and Technology), 855
PGP and IDEA Archives, 855
Purdue University COAST Lab, 225
Raptor Systems, 682, 855
RCMP Information Technology, 855
Ron Rivest’s Security Links, 604
RSA Data Security, 599
RSA’s Crypto FAQ, 604
Security Dynamics, 574, 599
SRI Computer Science Lab, 856
SSLref Source, 856
Telnet
connecting to with tn-gw application, 252–253
verifying connections with tn-gw, 254–255
Terry Ritter’s Cyphers, 604
Unix Systems Security, 856
U.S. Post Office, 568
VeriSign, 856
ViaCrypt, 856
White Paper Series, 855
SKE (secret key encryption), 608
slc (telnet command), 46
slink daemon, 25
SLIP (Serial Line Internet Protocol), 17
slow viruses
infection process, 817–819
non-stealthing, 817–819
smap (sendmail proxy) application, 336–337
configurations, 265–267
DNS configurations, 269–271
installation, 265, 337
reports, 303–304
smapd (sendmail proxy daemon) application, 337–339
configurations, 267–269
installation, 267, 338–339
options, 337–338
smart card password security programs, 432
sname field
Kerberos tickets, 514
KRB_CRED message, 546
KRB_KDC_REP message, 533
KRB_KDC_REQ message, 530
sniffing
confidential data, 178
data capturing capabilities, 175–176
defined, 174
exploitation by hackers, 404–405
financial account numbers, 177–178
hardware barriers, 183–190
mutually trusting machines, 186
secure user segments, 184–185
low-level protocol information, 178–181
network administrators, troubleshooting, 175–176
passwords, 177
physical security options, 182
process overview, 174–176
software
Esniff.c, 176
EthDump, 176
EthLoad, 176
NetMan, 176
TCPDump, 176
software availability, 175–176
TCP connections, 228–229
trust relationships, 182
use of network analyzers, 174
SNMP (Simple Network Management Protocol), 26
ARP spoofing monitors
arpmon, 208–209
ARPWatch, 208–209
netlog, 208–209
Tricklet, 208–209
daemon, 26
FTP Archives, 856
RMON (remote monitoring) protocol, 208–209
servers, vulnerability to/exploitation by hackers, 406–407
Windows NT, logging local network activity, 165
snmpget program, 406
snmpnetstat program, 406
snmpwalk program, 406
sockets
querying status, 35–38
states, 38
socks
Internet sites, 418
IP encapsulation, 418
vulnerability to SATAN, 418
software (sniffing)
Esniff.c, 176
EthDump, 176
EthLoad, 176
NetMan, 176
TCPDump, 176
source routing, exploitation by hackers, 405
special characters
chat scripts (UUCP), 114–115, 135
UUCP Dialer file, 109
Speed (BNU Devices file field name), 106
Speed (BNU Systems file field name), 112
Speed (L-devices file field), 132
Speed (L.sys file field), 134
spoofing
active attacks on DNS servers, 222–223
Berkeley Internet Name Daemon (BIND), 225
DNS server scenarios, 220–221
DNS spoofing, preventing in TIS Firewall Toolkit configuration, 245
hardware addresses, 196–197
IP spoofing, SATAN scans, 434–437
passive attacks on DNS servers, 221–222
prevention methods
certificate-based, 573–574
two-factor authentication, 573–574
selective caching defense for DNS servers, 224–225
TCP connections, 225–226
SQFILE file, UUCP version 2, 139
SQL Server (Windows NT), transaction logging, 166
SRA (Texas A&M)
encrypted password mechanisms, 194
Secure RPC technology, 194
src directory (SATAN), 450
src/boot directory (SATAN), 450
src/fping directory (SATAN), 452–453
src/misc directory (SATAN), 451
src/nfs-chk directory (SATAN), 451
src/port_scan directory (SATAN), 452
src/rpcgen directory (SATAN), 453
src/yp-chk directory (SATAN), 453–454
srealm field
KRB_CRED message, 546
KRB_KDC_REP message, 533
SRI Computer Science Lab web site, 856
SSI (Server Side Includes)
access restrictions, 746
alternatives to, 746–747
CGIs, 746–747
SSLref Source web site, 856
stacks (Java Virtual Machines)
constant pool memory area, 728–734
execution environment, 727
garbage collected heap, 727
local variables, 726–727
method memory area, 728–734
operand stacks, 727
stages (TCP connections)
data exchange, 227
setup, 226–227
starting netacl application (TIS Firewall Toolkit), 245
starttime field
Kerberos tickets, 514
KRB_CRED message, 546
statd daemon, 62
stateful packet filters
firewall architecture, 352
protocols
IP, 352
TCP, 352
UDP, 352
versus transport firewalls, 355–356
static web pages, Internet Information Server (IIS), 686
status (telnet command), 46
status files (UUCP), 119, 135
STDERR (standard error files), 68
STDIN (standard input files), 68
STDOUT (standard output files), 68
stealth viruses
defined, 813–815
infection process, 815–817
read stealthing, 813–815
size stealthing, 813–815
versus integrity checkers, 830–831
stealthing technique in partition boot record viruses, 785
stime field, KRB_ERROR message, 550
Stoned Monkey virus, master boot record viruses, 789
stream ciphers versus block ciphers, 593–594
streams, querying, 35
STREAMS modules, linking, 25
subexpect-subsend pairs, 113–116, 134–135
subkey field
Kerberos ticket authenticators, 516
KRB_AP_REP message, 539
subnets, 11–14
address interpretation, 12
determining fixed bits, 13
dividing addresses into, 12–14
netmasks, determining, 14
reserved divisions, 12
types, selecting, 13
subnetting router installation, ARP spoofing, 204–205
substitution (symmetric encryption)
Caesar Cipher, 582–584
monoalphabetic, 584–589
SUCCEEDED (UUCP log file error message), 128
sudo command, 152
sulog file, Unix audit log, 152–153
Sun Microsystems, network addresses, 11
superuser access programs, 380
susec field, KRB_ERROR message, 550
swapper daemon, 57
SwIPe, encryption technology, 231–232
switch user command, 152
Symantec AntiVirus Research Center, 786
symmetric encryption
block ciphers, 577–578
Blowfish cipher, 599
ciphertext bit size, 577–578
deciphering, 580–581
digital envelope, 577
monoalphabetic substitution, letter frequency, 587–589
overview, 577
size of keys, 577–578
stream ciphers, 577–578
substitution, 577–578
Caesar Cipher, 582–584
monoalphabetic, 584–589
transposition, 577–578
Vigenère encryption, 590–593
symmetric key encryption, 558–559
symmetric multiprocessing (Windows NT), 665–666
SYN_RECEIVED (socket state), 38
SYN_SENT (socket state), 38
synchronizing threads with Java, 710
SYS files
computer viruses, 769–770
entry points for file viruses, 794
Sysfiles (Basic Networking Utilities file), 99
sysinit (run level action field), 75
SYSLOG (UUCP version 2), 139
syslog (syslog file facility), 151
buffers, vulnerability to hackers, 382
daemon, 28, 59–60
files
facilities, 151
messages, fake, 168
severity levels, 151–152
Unix audit log, 150–152
syslog.conf file, 59–60, 150
syslogd daemon, 150
System (L.sys file field), 133
system boot
init daemon, 57
required files
HP-UX, 54–55
SCO Unix, 55–56
SunOS, 53
run levels, 74
System Log (Windows NT), 164
SYSTEM NOT IN Systems (UUCP log file error message), 128
system security
audit trails (Windows NT), 162–166
break-ins, 168
command log files, 157
crontab file, logging usage, 153
dial-out facilities, logging usage, 153
DOS utilities, 166–167
Ethernet sniffers, 159
file transfer logs, 154
generating access reports, 149–150
history logs, shell histories, 155
Host Equivalency, 23–24
intruder indicators, 167
log file utilities
recommendations, 167–169
security problems, 168–169
logging utilities, tampering, 169
logins, UTMP file unreliability, 148
lpd bugs, 154
network connections logs, 158–159
passwords, FTP access, 48–50
permission files (UUCP version 2), 136
process accounting, 155
process activity logs, 158
procmon.cfg configuration file, 71
remote command execution, 139
sendmail logs, SMTP port bugs, 153
TCP wrapper logs, 168
Trusted Host Access, 23–24
trusted hosts list, /etc/hosts.equiv, 23
Unix reporting utilities, 160–161
user privileges, 153
USERFILE (UUCP version 2), 137–138
usernames, recording switched, 152
UUCP
anonymous login, 125–126
CALLBACK Permissions file option, 124
command sequence, 118
debugging network connections, 119–120
open connections, 117–120
Permissions file, 120–125
SENDFILES Permissions file option, 124
validating hostnames, 124
System_Name (BNU Systems file field name), 110
systems
activity, generating reports, 149–150
configuring on the fly, 71
conversations, tracking, 139
information logs, 59–60
messages, logging, 28
names (UUCP systems), 102–103
remote
accessing with chat scripts, 113–116, 134–135
validating identity, 137
run levels, 73–76
viewing current, 76
shutdowns, records, 149
subsystems, querying, 35–38
system monitoring messages, 71–72
troubleshooting log files, 126
UUCP
defining, 110–113
system statistics, 129
Systems (Basic Networking Utilities file), 99
Systems file (UUCP), 110–113, 125
Systems Management Server (Windows NT), monitoring TCP/IP traffic, 166

T

-t (netstat command options), 35
-t (ruptime command option), 32
tables
address resolution protocol, 40–41
host, 14
Internet-to-Ethernet address translation, 40
process, 52–53
routing, 26, 61
Tag command (Java Appletviewer), 730
talk.politics.crypto newsgroup, 857
TALKING (UUCP log file error message), 128
targeting
floppy disks for viruses, 762
master boot records for viruses, 763
partition boot records for viruses, 765
task scheduling, 58
Tcl CGI programming language, 751
TCP (Transmission Control Protocol)
connections
preventing remote access to local services, 396
sniffing, 228–229
spoofing, 225–226
stages, 226–227
via modems, 430
via proxy servers, 418
vulnerability to hackers, 383
datagrams, forging, 227–228
forging without sniffing, 229
ports, scanning by hackers, 395–396
SATAN scans, 419
services
accessing with netacl, 245
scanning with portscan, 241, 294
wrapper log utility, 161, 168
wrappers, 396
SATAN scan detection programs, 413–414
TCP/IP (Transmission Control Protocol/Internet Protocol)
command categories, 28
configuring for TIS Firewall Toolkit, 242–243
forging, case studies, 229–230
history, 8–9
spoofing defense mechanisms
eliminating inactive terminal sessions, 230–231
encryption-based terminal protocol, 230–231
terminal session protocols, 230–231
timesharing machines, 230–231
Systems Management Server, monitoring traffic, 166
TCPDump, sniffing software, 176, 405
telnet protocol, 45–50
command, 45–50
proxy application, see tn-gw application
sites
connecting with tn-gw application (TIS Firewall Toolkit), 252–253
verifying connections with tn-gw application (TIS Firewall Toolkit), 254–255
terminals
* (asterisk) write status, 33
idle time, 33
remote terminal type, 42
remote terminal sessions, 42
terminal emulation, 45–47
see also telnet
Terry Ritter’s Cyphers web site, 604
testing
applets, 707, 729–731
firewall performance guidelines, 362–367
network security with SATAN, 372–373
Texas A&M University Security Archives FTP site, 856
text files, processing with PGP, 638–639
TEXTMODE configuration keyword (PGP), 652
threads, synchronizing with Java, 710
ticket field
KRB_AP_REQ message, 538
KRB_KDC_REP message, 533
Ticket Granting Service exchange (Kerberos), 520–526
specifications, 526–533
tickets (Kerberos), 478, 513–515
authentication, 512
authenticators, 515–516
expiration, 519
fields, 514–515
flags, 509–512
forwardable, 511–512
initial, 510
invalid, 510
postdated, 511
preauthenticated, 510
proxiable, 511
proxied, 511
renewable, 510–511
requests
via Authentication Service exchange, 517–520
via Ticket Granting Service exchange, 520–526
tickets field, KRB_CRED message, 546
till field, KRB_KDC_REQ message, 531
time stamps, Kerberos support, 547
Time_to_Call (BNU Systems file field name), 110
TIME_WAIT (socket state), 38
timestamp field
KRB_CRED message, 546
KRB_SAFE message, 541
TIS (Trusted Information Systems) Firewall Toolkit, 234–238
applications
authentication server, 276–288
authmgr client, 310–311
authsrv, 311–318
clauses, 244
comments, inserting, 244
ftp-gw, 259–264, 318–322
http-gw, 270–275, 322–328
login-sh, 328–329
netacl, 245–249, 330–331
plug-gw, 288–294, 332–333
rlogin-gw, 255–259, 334–335
rules, 244, 255
smap client, 265, 336–337
smapd, 267, 337–339
tn-gw, 249–255, 339–342
x-gw, 275–276, 342–343
compiling
under BSDI, 236
under SunOS, 236
disabling IP address forwarding, 242–243
disabling inetd services, 240
FTP site, 408
Help, 305–306
installation, 237–238
mailing lists regarding, 306
makefiles, editing under BSDI, 236
netperm table, 244–245, 306–310
netscan utility, 295
newsgroups regarding, 305
portscan utility, 294
preparing for configuration, 238–242
preventing DNS spoofing, 245
report utilities, 296–310
TCP/IP configurations, 242–243
web site, 852
TIS FTP Archive, 856
TIS Gauntlet, 370
TMP configuration keyword (PGP), 652
tn-gw (telnet gateway) application, 249–255, 339–342
clauses, 250–251
commands, 252
configurations, 249–255
host access rules, 253–254
installation, 341–342
options, 340–341
reports, 304–305
rules, 250–251
Telnet connections
establishing, 252–253
verifying, 254–255
todo records
SATAN databases, 471
SATAN scan rulesets, 474
toggle (telnet command), 46
token authentication devices, obtaining, 572–574
token ring, 8
top-level directories (SATAN), 442
traceroute command, 38–39
traceroute program, finding IP layer information, 405
trailer encapsulation, 18
trailers command (ifconfig), 18
Transarc Kerberos distribution, 498–501
transited fields, encoding in Kerberos Ticket Granting Service exchange, 514, 525
Transmission Control Protocol/Internet Protocol, see TCP/IP
transmitting passwords, security strategies, 190–196
transport firewalls versus stateful packet filters, 355–356
transport level proxies, 356–357
performance guidelines for firewalls, 365–366
product comparisons in firewalls, 365–366
transposition, symmetric encryption, 578
trap doors in cryptosystems, 563–564
tripwire (Unix file system utility), 161
troubleshooting
memory failures, 37
sniffing by network administrators, 175–176
system log files, 126
trust files, SATAN scan rulesets, 474
trust relationships
configuring, 671–672
creating, 671–672
defined, 671–672
PGP keys, 620–622, 630
security, sniffing, 182
User Manager for Domains utility (Windows NT), 672
Windows NT Directory Services, 696
trust-based networks, vulnerability to hackers, 427
Trusted Host Access, 23–24
Trusted Information Systems’ Gauntlet, 354
Trusted Information Systems, see TIS Firewall Toolkit
two-factor authentication systems, 360–361
Type (BNU Dialers file field name), 109
Type (BNU Systems file field name), 111
Type (L-devices file field), 131
TZFIX configuration keyword (PGP), 653

U

-u (ruptime command option), 32
UDP (User Datagram Protocol)
connections, preventing remote access to local services, 396
ports, scanning by hackers, 395–396
SATAN scans, 419
uname command (UUCP), 102
University of California at Berkeley, 8
Berkeley r-commands, 42–45
Unix
audit logs, 148–155
process accounting, 155–157
firewall systems, 354–355
mailers, integration with PGP, 659
operating systems, /etc/inetd.config file, 22
PGP interface, 658–659
rlogin protocol, 191–192
Security web site, 856
Unix to Unix CoPy, see UUCP
unknown trust relationships (PGP), 621–622, 630
Unrestricted security mode, Java applets, 731
unset (telnet command), 46
UNUSED field, Kerberos tickets, 527
up command (ifconfig), 18
update daemon, 57
U.S. Postal Service
certificate authorities, 568–569
public key encryption, messaging process, 559–562
web site, 568
usec field
KRB_CRED message, 546
KRB_SAFE message, 541
UseNet newsgroups
Kerberos-related, 553
network security hole-related, 386
newsgroups
alt.2600, 857
alt.hacker, 857
alt.security, 857
alt.security.pgp, 857
alt.security.ripem, 857
comp.protocols.kerberos, 857
comp.security.announce, 857
comp.security.firewalls, 857
comp.security.misc, 857
comp.security.unix, 857
sci.crypt, 857
security topics, 857
talk.politics.crypto, 857
TIS Firewall Toolkit-related, 305
user accounts
adding to authentication server database (TIS Firewall Toolkit), 280–284
authenticating with Kerberos, 480–484
authorizing with Kerberos, 481
configuring, User Manager (Windows NT), 672
hacker acquisition of, 378–379
hosts.equiv files, vulnerability to hackers, 382
passwords, cracking, 379
requesting credentials from Kerberos authentication servers, 483
User Manager (Windows NT), security identifiers (SID), 672
UUCP anonymous login, 125–126
user commands, 42
User Manager (Windows NT), user accounts, configuring, 672
User Manager for Domains utility (Windows NT), 672
user-data field, KRB_SAFE message, 541
USERFILE (UUCP version 2), 99
file transfer entries, 138
system security, 137–138
userids, PGP keys, creating, 624–626
usernames
logging, 152–153
system security, Ethernet sniffers, 159
users
currently logged reports, 32
information
distributing, 35
querying, 33–35
logging activity, 158
utilities (CGIWrap), 745
UTMP file, Unix audit log, 148–149
utmp files, vulnerability to hackers, 385
uucheck (Basic Networking Utilities file), 99
uucico (Basic Networking Utilities file), 99
command (UUCP), 116
uuclean (UUCP version 2 file), 99
uuclean command, 140
uucleanup (Basic Networking Utilities file), 99
UUCP (Unix to Unix CoPy), 97
addresses
bang addressing, 101–102
Internet compatibility, 101–102
cancelling jobs, 129
chat scripts, 113–116, 134–135
defining, 113–116, 134
special characters, 114–115, 135
with TCP/IP, 116
configuring, 105, 131
devices, 105–107
over TCP/IP, 141–142
debugging network connections, 116–117
checking file ownership, 117
device connections, 108
displaying error messages, 116, 135
devices
defining for local networks, 107
defining for TCP/IP connections, 107
file ownership, 107
testing connections, 108, 132–133
Dialer file, special characters, 109
directories, file layout, 104–113
files
maintenance, 128–129, 140–141
status, 119, 135
transferring, 101–102
history, 98–100
log files, 126–128
error messages, 127–128
troubleshooting network connections, 126
modem connections, defining phone numbers, 112–113
networks, 100–101
defining, 110–113
Permissions file, 120–121
anonymous login, 125–126
defaults, 120–121
validating hostnames, 124
system names, 102–103
choosing, 103–104
length limitations, 102
setting, 103
system security
anonymous login, 125–126
CALLBACK Permissions file option, 124
command sequence, 118
debugging network connections, 119–120
open connections, 117–120
Permissions file, 120–125
SENDFILES Permissions file option, 124
systems file
calling time scheduling, 111
retry numbers, 111
utilities, Unix audit logs, 154
version 2
commands, 130–131
debugging permission files, 137
file layout, 130–131
permission files, 136–139
versions, 98
file listings, 98–100
verification, 103–104
uucp (syslog file facility), 151
uudemon.admin (Basic Networking Utilities file), 99
uudemon.cleanup (Basic Networking Utilities file), 99, 129
uudemon.day (UUCP version 2 file), 99
uudemon.hour (Basic Networking Utilities file), 99
uudemon.kr (UUCP version 2 file), 100
uudemon.poll (Basic Networking Utilities file), 99, 129
uudemon.wk (UUCP version 2 file), 100
uugetty (Basic Networking Utilities file), 100
uusched (Basic Networking Utilities file), 100
uustat command, 129
uusub (UUCP version 2 file), 100
uutry (Basic Networking Utilities file), 100, 116
uuxqt (Basic Networking Utilities file), 100

V

-v (ping command option), 30
VALIDATE (Permissions file keyword), 123
VALIDATE field
Kerberos tickets, 528
variables, local in JVM stacks, 726–727
vector distance routing protocols, 212–213
vendors for security software, 852
Venema, Wietse (co-creator of SATAN), 411
VERBOSE configuration keyword (PGP), 653
verifying
binary file integrity to prevent hacker attacks, 439–440
e-mail messages with PGP, 616–617, 643–645
firewalls, security assessments, 367–368
ftp-gw application operations, 262–263
Java bytecodes, 721
PGP keys, 635–636
rlogin-gw application operations, 259
Telnet connections with tn-gw application (TIS Firewall Toolkit), 254–255
Verisign Corporation
certificate authorities, 568–569, 690–691
digital certificates, class levels, 570
public key infrastructure (PKI), 570–571
web site, 856
ViaCrypt web site, 856
viewing
applets with Netscape, 732
PostScript files to prevent hacker attacks, 440
public key ring contents, 632–633
secret key ring contents, 632–633
Vigenère encryption versus monoalphabetic substitution, 590–593
Vince Cate’s Security Page, 856
virtual private networks (VPNs), encrypted tunnels, 360–361
virus behaviors (Windows NT)
boot record viruses, 840–842
master boot record viruses, 838–840
virus scanners
advent of algorithmic entry point scanners, 823–826
decryption routines, 821
early versions, 820–826
file search strategies, 820–826
functions, 820–826
generic decryption (GD) in polymorphic viruses, 824–826
lack of success against polymorphic viruses, 822–826
rating criteria, 825–826
use of algorithms, 820–826
wild card signatures, 821–826
viruses, see computer viruses

W

-w (finger command option), 34
wait (run level action field), 75
WANs (wide area networks), firewall architecture, 346–347
warning (syslog file severity level), 152
Watchdog (DOS audit trail utility), 167
web, see WWW (World Wide Web)
web pages (Internet Information Server)
dynamic, 686
static, 686
web servers
CGI request logins, 753
CGI security issues, 744
CGI trust relationships, 740
converting from root to controlled file systems, 744
internal network security, protocol isolation, 681–682
replication scheme, 681–682
SSL protection, 416
see also WWW servers
web sites, see WWW sites
White Paper Series web site, 855
who command, 76
whois program, hacker exploitation of, 387
Wietse Venema FTP Archive, 856
Windows, front-end applications for PGP, 659
Windows 3.1 file viruses
in Windows NT environment, 845
Ph33r, 845
TSR type, 845
Windows Internet Naming Service, see WINS
Windows NT
Application Log, 163
ARP cache entries
arp command, 202
displaying, 202
audit trails, 162–166
boot record viruses
dropper programs, 840
floppy disk booting, 840
multipartite viruses, 840
bootup process with master boot record infection, 839–840
components
Internet Information Server (IIS), 664–665
Microsoft Proxy Server, 664–665
crashing Registry Editor, 164
directory hierarchies, 694–696
Directory Auditing dialog box, 162
Directory Services features
CryptoAPI, 595
Kerberos version 5, 595
public key certification, 595
Secure Sockets Layer (SSL), 595
trust relationships, 595
DNS Server, intranet implementation, 679
domain controllers
backup, 670–671
primary, 670–671
domain model, 665
domains
account configurations, 669–670
administrator accounts, 669–670
audit configurations, 669–670
creating, 670–671
defined, 669–670
trust relationships, 669–670
DOS viruses, potential damage, 844–845
Dynamic Host Configuration Protocol (DHCP), 680
enabling auditing, 162
Event Viewer, log entry types, 163–164
features, 664–665
file sharing protocols, 664–665
file viruses, DOS variety, 842–845
firewall systems, 354–355
global groups, 673
Domain Admins, 673
Domain Guests, 673
Domain Users, 673
groups
Administrators, 673
Backup Operators, 673
Guests, 673
Print Operators, 673
Replicators, 673
rights, 674
Server Operators, 673
Users, 673
hardware requirements for Internet connections, 680–682
httpd service, 165
installing with boot record viruses, 842
Kernel Mode, 666
log files
TCP/IP applications, 165–166
viewing, 163–164
logging ftp connections, 164
logon procedure
challenge/response authentication, 677–679
interactive, 675–677
remote, 675–677
logon types
domain, 675–677
local, 675–677
trusted domain, 675–677
macro viruses, virus behavior, 845
master boot record viruses
dropper programs, 838
floppy disk booting, 838
multipartite viruses, 838
Microsoft web site resources, 665
modular design, 665–666
multiple processor platforms, 665–666
multithreading, 665–666
native viruses, 846
permissions
add, 674–675
add and read, 674–675
change, 674–675
full control, 674–675
list, 674–675
no access, 674–675
read, 674–675
ports, configuring, 685–686
proxy server configurations, 683–684
security integration with Internet Information Server (IIS), 687
Security Log, 164
security model
Local Security Authority (LSA), 668
Logon Process, 668
Security Account Manager (SAM), 668
Security Reference Monitor, 667–668
security subsystems
access control lists (ACLs), 667–668
administrator responsibilities, 667–668
Server version, 664
services
configuring, 684–685
disabling, 684–685
SNMP, logging local network activity, 165
SQL Server, transaction logging, 166
subsystems, 666
support of possible worm programs, 808–809
symmetric multiprocessing, 665–666
System Log, 164
Systems Management Server, monitoring TCP/IP traffic, 166
User Mode, 666
users
accounts, 669
file rights, 669
logons, 669
rights, 674
virus behaviors
boot record viruses, 840–842
master boot record viruses, 838–840
overview, 838–846
web servers, internal network security, 681–682
Windows 3.1 file viruses, virus behavior, 845
WINS Server, intranet implementation, 680
workgroup model, 665
Workstation version, 664
WINS (Windows Internet Naming Service) Server, intranet implementation, 680
wiping files with PGP, 648–649
Word for Windows, macro virus infection process, 806–807
workstation authentication in Kerberos, 551–552
World Wide Web Consortium (W3C), Digital Signature Initiative, 576
world-writeable e-mail directories, vulnerability to hackers, 384
worm programs
computer viruses, 808–809
lack of PC effects, 808–809
UNIX/SUN incident, 808–809
WRITE (Permissions file keyword), 122
write permission, Internet Information Server (IIS), 689
WRONG MACHINE NAME (UUCP log file error message), 128
WRONG TIME TO CALL (UUCP log file error message), 128
WTMP file, Unix audit log, 149–150
WWW (World Wide Web)
browsers
Netscape, Java support, 732
non-proxy aware, 271–272
proxy aware, 272
running SATAN, 429–430
servers
CGI request logins, 753
CGI security issues, 744
CGI trust relationships, 740
converting from root to controlled file systems, 744
HTTPD servers, Unix audit logs, 155
SSL protection, 416
sites
ActivCard, Inc., 574
asax, 160
Ascend, 683
ASCOM, 599
AT&T web site, 854
Bellcore, 194
Canadian Security Intelligence Service, 854
Central Intelligence Agency, 854
CERN WWW Consortium, 854
CGI libraries, 739
CGI specifications, 736
Checklist, 856
Checkpoint Software Technologies, 682
chklastlog, 160
chkwtmp, 160
CIAC Archives, 405, 850, 854
CIAC regarding SATAN, 412
Cisco Systems, 576
COAST Project, 850, 854
CommerceNet, 570
Computer Systems Consulting, 854
Computer Virus Help Desk, 604
Counterpane, 599
Courtney SATAN scan detection program, 413
Cypherpunks, 854
Datakey, Inc., 574
Digital Pathways, 574
Farmer, Dan (co-creator of SATAN), 411
FBI, 854
FIRST, 851
Fremont, 854
Gabriel SATAN Scan Detection, 413, 854
GateD Consortium, 215
Gene Spafford, 855
httpd, 408
Innovative Security Products Security, 855
international law dealing with encryption, 490
Internet Engineering Task Force, 575
Internet RFC Index, 855
ISS network security evaluation program, 412
Java, 734
LOCK, 167
MacPGP, 660
Microsoft, 576
National Security Agency, 855
National Security Institutes, 855
netlog, 161
Netscape Corporation, 855
network security-related, 386
Network-1 Software, 682
NFS watch utility, 161
NIST (U.S. National Institute of Standards and Technology), 855
PGP add-on utilities, 659
PGP and IDEA Archives, 855
Purdue University COAST Lab, 225
Python CGI programming language, 751
Raptor Systems, 682, 855
RCMP Information Technology, 855
Ron Rivest’s Security Links, 604
RSA Cryptography, 852
RSA Data Security, 599
RSA’s Crypto FAQ, 604
Security Dynamics, 574, 599
sendmail program, 408
SESAME, 499
socks IP encapsulation program, 418
SRI Computer Science Lab, 856
SSL, 417
SSLref Source, 856
Tcl CGI programming language, 751
TCP wrapper utility, 161
Terry Ritter’s Cyphers, 604
TIS Firewall Toolkit, 852
tripwire, 161
Unix Systems Security, 856
U.S. Post Office, 568
VeriSign, 856
ViaCrypt, 856
White Paper Series, 855
X Windows security, 429

X - Y - Z

xray, file transfer entry, USERFILE (UUCP version 2), 138
X servers, SATAN scans, 428–429
X Window System Athena Widget set, 235
X Windows proxy application, see x-gw application
X Windows
Security web site, 429
servers, vulnerability to hackers, 405
x-gw (X Windows proxy) application, 275–276, 342–343
configurations, 275–276
installation, 343
options, 343
X.509 specification, public key infrastructure (PKI), 570–571
Xerox NS Routing Information Protocol, 26, 61
-xfer program, hacker exploitation of, 388
Xinetd (SATAN scan detection program), 414
z (telnet command), 46
zero-knowledge authentication mechanisms
DESlogin 1.3, 194–195
passwords, 194–195
RFC 1704, 194–195
S/KEY, 194–195