Mark CiampaAustralia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United StatesSecurity+ Guide to NetworkSecurity FundamentalsThird Edition1428340661_ch00_Final.qxd 10/14/08 4:56 PM Page iSecurity+ Guide to Network SecurityFundamentals, Third EditionMark CiampaVice President, Career and ProfessionalEditorial: Dave GarzaExecutive Editor: Stephen HelbaManaging Editor: Marah BellegardeSenior Product Manager: Michelle Ruelos CannistraciDevelopmental Editor: Deb KaufmannEditorial Assistant: Sarah PickeringVice President, Career and ProfessionalMarketing: Jennifer McAveyMarketing Director: Deborah S. YarnellMarketing Manager: Erin CoffinMarketing Coordinator: Shanna GibbsProduction Director: Carolyn MillerProduction Manager: Andrew CrouthContent Project Manager: Jessica McNavichArt Director: Jack PendletonCover photo or illustration:www.istock.comTechnology Project Manager: Joseph PlissManufacturing Coordinator: Denise PowersCopyeditor: Kathy OrrinoProofreader: Brandy LillyCompositor: International Typesetting and Composition© 2009 Course Technology, Cengage LearningALL RIGHTS RESERVED. No part of this work covered by the copyright hereinmay be reproduced, transmitted, stored, or used in any form or by any meansgraphic, electronic, or mechanical, including but not limited to photocopying,recording, scanning, digitizing, taping, web distribution, information networks,or information storage and retrieval systems, except as permitted underSection 107 or 108 of the 1976 United States Copyright Act, without the priorwritten permission of the publisher.For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706For permission to use material from this text or product, submit all requests online at www.cengage.com/permissionsFurther permissions questions can be e-mailed [email protected]®is a registered trademark of the Microsoft Corporation. Security+ is a registered trademark.Library of Congress Control Number: 2008935589ISBN-13: 978-1-428-34066-4ISBN-10: 1-428-34066-1Course Technology25 Thomson PlaceBoston, MA 02210USACengage Learning is a leading provider of customized learning solutions withoffice locations around the globe, including Singapore, the United Kingdom,Australia, Mexico, Brazil, and Japan. Locate your local office at: www.international.cengage.com/regionCengage Learning products are represented in Canada by Nelson Education, Ltd.For your lifelong learning solutions, visit www.course.cengage.comVisit our corporate website at www.cengage.comPrinted in Canada1 2 3 4 5 6 7 12 11 10 09 08Some of the product names and company names used in this book have been used for identification purposes only and may be trade-marks or registered trademarks of their respective manufacturers and sellers.Microsoft and the Office logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or othercountries. Course Technology, a part of Cengage Learning, is an independent entity from the Microsoft Corporation, and not affiliated withMicrosoft in any manner.Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposesonly. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies.Course Technology, the Course Technology logo, and the Shelly Cashman Series®are registered trademarks used under license.Adobe, the Adobe logos, Authorware, ColdFusion, Director, Dreamweaver, Fireworks, FreeHand, JRun, Flash, and Shockwave areeither registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. All othernames used herein are for identification purposes only and are trademarks of their respective owners.Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time inits content without notice. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for anyparticular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor dothey accept any liabilities with respect to the programs.1428340661_ch00_Final.qxd 10/14/08 6:02 PM Page iiiiiINTRODUCTION xiiiCHAPTER 1Introduction to Security 1Security+ Domain 1.0: Systems SecurityCHAPTER 2Systems Threats and Risks 39CHAPTER 3Protecting Systems 79Security+ Domain 2.0: Network InfrastructureCHAPTER 4Network Vulnerabilities and Attacks 119CHAPTER 5Network Defenses 153CHAPTER 6Wireless Network Security 189Security+ Domain 3.0: Access ControlCHAPTER 7Access Control Fundamentals 225CHAPTER 8Authentication 265Security+ Domain 4.0: Assessments & AuditsCHAPTER 9Performing Vulnerability Assessments 301CHAPTER 10Conducting Security Audits 331Security+ Domain 5.0: CryptographyCHAPTER 11Basic Cryptography 365CHAPTER 12Applying Cryptography 399Security+ Domain 6.0: Organizational SecurityCHAPTER 13Business Continuity 439CHAPTER 14Security Policies and Training 477Brief Contents1428340661_ch00_Final.qxd 10/15/08 10:46 AM Page iiiBrief ContentsivAPPENDIX ACompTIA Security+ 2008 Examination Objectives 509APPENDIX BSecurity Web Sites 517APPENDIX CSelected TCP/IP Ports and Their Threats 523APPENDIX DSample Internet and E-Mail Acceptable Use Policy 527INDEX 5331428340661_ch00_Final.qxd 10/14/08 4:56 PM Page ivvINTRODUCTION xiiiCHAPTER 1Introduction to Security 1Challenges of Securing Information 3Today’s Security Attacks 3Difficulties in Defending against Attacks 7What Is Information Security? 9Defining Information Security 9Information Security Terminology 11Understanding the Importance of Information Security 13Who Are the Attackers? 16Hackers 16Script Kiddies 16Spies 17Employees 17Cybercriminals 17Cyberterrorists 18Attacks and Defenses 19Steps of an Attack 19Defenses against Attacks 20Layering 20Limiting 21Diversity 21Obscurity 22Simplicity 22Surveying Information Security Careers and the Security+ Certification 22Types of Information Security Jobs 22CompTIA Security+ Certification 24Chapter Summary 24Key Terms 25Review Questions 26Hands-on Projects 30Case Projects 35CHAPTER 2Systems Threats and Risks 39Software-Based Attacks 41Infecting Malware 41Concealing Malware 44Malware for Profit 48Hardware-Based