Network Security Administration and Management Advancing Technologies and Practice 1st Edition Dulal Chandra Kar 2024 scribd download


Network Security, Administration and Management: Advancing Technology and Practice

Dulal Chandra Kar
Texas A&M University-Corpus Christi, USA

Mahbubur Rahman Syed
Minnesota State University, Mankato, USA

Senior Editorial Director: Kristin Klinger
Director of Book Publications: Julia Mosemann
Editorial Director: Lindsay Johnston
Acquisitions Editor: Erika Carter
Development Editor: Joel Gamon
Production Editor: Sean Woznicki
Typesetters: Natalie Pronio, Jennifer Romanchak, Milan Vracarich Jr
Print Coordinator: Jamie Snavely
Cover Design: Nick Newcomer

Published in the United States of America by
Information Science Reference (an imprint of IGI Global)
701 E. Chocolate Avenue
Hershey PA 17033
Tel: 717-533-8845
Fax: 717-533-8661
E-mail: cust@igi-global.com
Web site: http://www.igi-global.com/reference

Copyright © 2011 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in
any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher.
Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or
companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data


Network security, administration and management: advancing technology and
practice / Dulal Chandra Kar and Mahbubur Rahman Syed, editors.
p. cm.
Includes bibliographical references and index.
Summary: “This book identifies the latest technological solutions, practices
and principles on network security while exposing possible security threats
and vulnerabilities of contemporary software, hardware, and networked
systems”-- Provided by publisher.
ISBN 978-1-60960-777-7 (hardcover) -- ISBN 978-1-60960-778-4 (ebook) -- ISBN
978-1-60960-779-1 (print & perpetual access) 1. Computer networks--
Management. 2. Computer networks--Security measures. I. Kar, Dulal Chandra,
1960- II. Syed, Mahbubur Rahman, 1952-
TK5105.5.N466724 2011
005.8--dc22
2011010430

British Cataloguing in Publication Data


A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the
authors, but not necessarily of the publisher.
Editorial Advisory Board
Luther Troell, Rochester Institute of Technology, USA
Iuon-Chang Lin, National Chung Hsing University, Taiwan, R.O.C.
Christos Bouras, University of Patras, Greece
Gregorio Martinez, University of Murcia, Spain
Timothy J. McGuire, Sam Houston State University, USA
Chuan-Kun Wu, Chinese Academy of Sciences, China
Muhammad Nadzir Marsono, Universiti Teknologi, Malaysia
Mario Garcia, Texas A&M University-Corpus Christi, USA
Jim Holt, Freescale Semiconductor, Inc., USA
John Fernandez, Texas A&M University-Corpus Christi, USA

List of Reviewers
Aftab Ahmad, Norfolk State University, USA
Christos Bouras, University of Patras, Greece
Bruce Hartpence, Rochester Institute of Technology, USA
Jim Holt, Freescale Semiconductor, Inc., USA
Dijiang Huang, Arizona State University, USA
Ajay Katangur, Texas A&M University-Corpus Christi, USA
David Lee, The Ohio State University, USA
Salvador Mandujano, Intel Corporation, USA
B. Dawn Medlin, Appalachian State University, USA
Sumita Mishra, Rochester Institute of Technology, USA
Clifton Mulkey, Texas A&M University-Corpus Christi, USA
Yin Pan, Rochester Institute of Technology, USA
Remzi Seker, University of Arkansas at Little Rock, USA
Christophe Veltsos, Minnesota State University, Mankato, USA
Chuan-Kun Wu, Chinese Academy of Sciences, China
Xun Yi, Victoria University, Australia
Table of Contents

Foreword . ...........................................................................................................................................xiii

Preface . ............................................................................................................................................... xiv

Acknowledgment................................................................................................................................. xxi

Section 1
Network Systems Security

Chapter 1
Basic Device and Protocol Security......................................................................................................... 1
Bruce Hartpence, Rochester Institute of Technology, USA

Chapter 2
Mitigating the Blended Threat: Protecting Data and Educating Users.................................................. 20
Christophe Veltsos, Minnesota State University, Mankato, USA

Chapter 3
Security Issues for Multi-Domain Resource Reservation...................................................................... 38
Christos Bouras, Research Academic Computer Technology Institute (CTI) &
University of Patras, Greece
Kostas Stamos, Research Academic Computer Technology Institute (CTI) &
University of Patras, Greece

Section 2
Authentication and Data Privacy: Passwords and Keys

Chapter 4
Healthcare Employees and Passwords: An Entry Point for Social Engineering Attacks...................... 52
B. Dawn Medlin, Appalachian State University, USA
Douglas May, Appalachian State University, USA
Ken Corley, Appalachian State University, USA
Chapter 5
Public Key Infrastructure....................................................................................................................... 65
Reed Petty, University of Arkansas at Little Rock, USA
Jiang Bian, University of Arkansas at Little Rock, USA
Remzi Seker, University of Arkansas at Little Rock, USA

Chapter 6
Key Management................................................................................................................................... 88
Chuan-Kun Wu, Chinese Academy of Sciences, China

Section 3
Network Security Auditing, Assessment, and Manageability Security

Chapter 7
Security Assessment of Networks........................................................................................................ 115
Aftab Ahmad, Norfolk State University, USA

Chapter 8
Network Security Auditing.................................................................................................................. 131
Yin Pan, Rochester Institute of Technology, USA
Bo Yuan, Rochester Institute of Technology, USA
Sumita Mishra, Rochester Institute of Technology, USA

Chapter 9
Network Manageability Security......................................................................................................... 158
Salvador Mandujano, Intel Corporation, USA

Section 4
Sensor Network Security

Chapter 10
Security and Attacks in Wireless Sensor Networks............................................................................. 183
Murat Al, University of Arkansas at Little Rock, USA
Kenji Yoshigoe, University of Arkansas at Little Rock, USA

Chapter 11
Wireless Sensor Networks: Emerging Applications and Security Solutions....................................... 217
Sumita Mishra, Rochester Institute of Technology, USA
Chapter 12
Privacy Preserving Data Gathering in Wireless Sensor Networks...................................................... 237
Md. Golam Kaosar, Victoria University, Australia
Xun Yi, Victoria University, Australia

Section 5
Security Architectures, Algorithms, and Protocols

Chapter 13
BANBAD: A Centralized Anomaly Detection Technique for Ad Hoc Networks............................... 253
Rajeev Agrawal, North Carolina A&T State University, USA
Chaoli Cai, Western Michigan University, USA
Ajay Gupta, Western Michigan University, USA
Rajib Paul, Western Michigan University, USA
Raed Salih, Western Michigan University, USA

Chapter 14
Data Regulation Protocol for Source-End Mitigation of Distributed Denial of Service..................... 277
Nirav Shah, Arizona State University, USA
Dijiang Huang, Arizona State University, USA

Chapter 15
Instant Messaging Security.................................................................................................................. 288
Zhijun Liu, The Ohio State University, USA
Guoqiang Shu, The Ohio State University, USA
David Lee, The Ohio State University, USA

Compilation of References ............................................................................................................... 324

About the Contributors .................................................................................................................... 348

Index.................................................................................................................................................... 356
Detailed Table of Contents

Foreword . ...........................................................................................................................................xiii

Preface . ............................................................................................................................................... xiv

Acknowledgment................................................................................................................................. xxi

Section 1
Network Systems Security

Chapter 1
Basic Device and Protocol Security......................................................................................................... 1
Bruce Hartpence, Rochester Institute of Technology, USA

This is an introductory chapter that addresses security issues of all common networking devices such as hubs, switches, access points, and routers, as well as vulnerable network protocols such as ARP (Address Resolution Protocol), STP (Spanning Tree Protocol), ICMP (Internet Control Message Protocol), and DHCP (Dynamic Host Configuration Protocol). In addition, the chapter critically examines security issues in common routing protocols such as RIP (Routing Information Protocol), BGP (Border Gateway Protocol), and OSPF (Open Shortest Path First), as well as some network management protocols such as SNMP (Simple Network Management Protocol) and CDP (Cisco Discovery Protocol). Later, the chapter suggests ways to ensure device security, as well as protocol security, to mitigate possible attacks.

Chapter 2
Mitigating the Blended Threat: Protecting Data and Educating Users.................................................. 20
Christophe Veltsos, Minnesota State University, Mankato, USA

This chapter discusses the current trend and evolution in security threats, in which attackers use multiple, persistent approaches to attack a target. Traditional security technologies and practices such as antivirus software, firewalls, intrusion detection systems, cryptosystems, and automated patch delivery and installation mechanisms are shown to have limitations in mitigating such risks and attacks, known as blended threats. Accordingly, the author presents new security controls and strategies to mitigate such evolving risks. In addition, the chapter underscores the need for security awareness education and proposes organized training programs for common users.
Chapter 3
Security Issues for Multi-Domain Resource Reservation...................................................................... 38
Christos Bouras, Research Academic Computer Technology Institute (CTI) &
University of Patras, Greece
Kostas Stamos, Research Academic Computer Technology Institute (CTI) &
University of Patras, Greece

This chapter addresses security issues of the components that are responsible for provisioning multi-domain network services, particularly for resource reservation and allocation of network services. The authors discuss the importance of inter-domain security during negotiation of resource reservations, as well as intra-domain security during initiation and realization of a resource reservation. Correspondingly, architectures and procedures to handle user authentication, trusted communications between modules or components, and multi-domain user authorization are provided in the context of a case study. In particular, the chapter presents security requirements and procedures for protecting against various types of attacks on a networked system that supports differentiated services and bandwidth-on-demand services over multiple domains.

Section 2
Authentication and Data Privacy: Passwords and Keys

Chapter 4
Healthcare Employees and Passwords: An Entry Point for Social Engineering Attacks...................... 52
B. Dawn Medlin, Appalachian State University, USA
Douglas May, Appalachian State University, USA
Ken Corley, Appalachian State University, USA

This chapter provides an account of security breaches in the healthcare industry due to social engineering attacks and reports the results of a simulated social engineering attack on hospital employees aimed at obtaining authentication information such as passwords. The authors identify violations of HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology and Clinical Health Act) regulations among healthcare employees who are supposed to protect the privacy and medical records of patients. The chapter also reports research results on the choice of passwords based on human psychology and memory, and exposes severe deficiencies in the choice of passwords by common users that can be exploited easily using social engineering techniques. The findings in the chapter underscore the need for stringent control and aggressive policy.

Chapter 5
Public Key Infrastructure....................................................................................................................... 65
Reed Petty, University of Arkansas at Little Rock, USA
Jiang Bian, University of Arkansas at Little Rock, USA
Remzi Seker, University of Arkansas at Little Rock, USA

The security of modern cryptography relies upon the secrecy of keys. Public key infrastructure plays the crucial role in the storage, management, distribution, and verification of such keys. This chapter provides a comprehensive overview of popular public key algorithms, their applications in key exchange and digital signatures, and their vulnerabilities and weaknesses. The chapter identifies several management challenges based on the very basic foundation of trust upon which the public key infrastructure relies. In addition, the chapter highlights emerging technologies such as quantum computing that can make public key cryptographic techniques useless, and accordingly discusses the implications of quantum cryptography for cryptography in general.

Chapter 6
Key Management................................................................................................................................... 88
Chuan-Kun Wu, Chinese Academy of Sciences, China

This chapter describes key management schemes and issues under various application domains such as mobile ad hoc networks, wireless sensor networks, and mobile telecommunication systems. Topics on key management include key agreement, group-based key agreement and distribution, PKI (Public Key Infrastructure) mechanisms, secret-sharing-scheme-based key management, key escrow, password-associated key management, key management in PGP, and key management in UMTS (Universal Mobile Telecommunication System) systems. In addition, the chapter discusses limitations of different methods used in key management.

Section 3
Network Security Auditing, Assessment, and Manageability Security

Chapter 7
Security Assessment of Networks........................................................................................................ 115
Aftab Ahmad, Norfolk State University, USA

The sheer complexity of network systems warrants a framework that can be used to assess security in such systems. Specifically, this chapter shows how the ITU-T Network Security Framework (X.805) can be utilized in a performance model for assessing a security system. As an example, the chapter uses the model to assess the security of the popular sensor network standard IEEE 802.15.4. The model can be applied to assess security using security metrics addressing various vulnerabilities and threats, such as destruction of information, corruption of information, loss of information, information disclosure, and service interruption.

Chapter 8
Network Security Auditing.................................................................................................................. 131
Yin Pan, Rochester Institute of Technology, USA
Bo Yuan, Rochester Institute of Technology, USA
Sumita Mishra, Rochester Institute of Technology, USA

Network security auditing is a process to assess policies, procedures, and controls to identify security risks or vulnerabilities in network systems. This chapter describes the network auditing process, procedures, standards, and frameworks. A detailed discussion of procedures and technologies to identify various network security threats and vulnerabilities is provided. State-of-the-art techniques and procedures for the determination and management of risks are also discussed. Through a series of procedural steps for a case study, the chapter illustrates the different phases of network discovery, network penetration, network threat analysis, and audit reporting.

Chapter 9
Network Manageability Security......................................................................................................... 158
Salvador Mandujano, Intel Corporation, USA

Network manageability deals with remote administration, management, and servicing of network devices and any other devices connected to a network, such as servers, laptop computers, PDAs, and cell phones. This chapter analyzes a number of manageability frameworks, protocols, and services for various platforms such as desktops, laptops, servers, and mobile devices for their vulnerabilities and misuses. Among the manageability protocols discussed, the OMA (Open Mobile Alliance) device management protocols, which allow mobile devices to perform firmware updates and configuration changes, are noteworthy. The chapter also discusses the IPMI (Intelligent Platform Management Interface) standard for monitoring and reconfiguring server platforms, and the AMT (Active Management Technology) solution on a chipset created by Intel Corporation for laptop and desktop systems.

Section 4
Sensor Network Security

Chapter 10
Security and Attacks in Wireless Sensor Networks............................................................................. 183
Murat Al, University of Arkansas at Little Rock, USA
Kenji Yoshigoe, University of Arkansas at Little Rock, USA

Wireless sensor networks belong to a class of ad hoc networks that are very vulnerable to various attacks due to the unique characteristics of sensor devices: limited processing power, limited battery life, and limited memory capacity. Chapter 10 provides a general overview of vulnerabilities, attacks, and countermeasures in wireless sensor networks, compares salient characteristics and applications of common wireless technologies with those of wireless sensor networks, describes characteristics of attacks and corresponding countermeasures as proposed in the literature, and qualitatively provides a comparative analysis of the attacks on wireless sensor networks. Identifying security vulnerabilities is an essential step towards devising a security solution. The chapter provides an exhaustive list of attacks and corresponding defense mechanisms to mitigate or prevent such attacks. Many of these attacks are found in wireless networks in general. However, additional attacks, such as denial-of-sleep attacks to drain battery life, attacks on data aggregation, node capture, and tampering, are very possible on sensor networks due to their characteristics. System constraints and security design issues with current security solutions based on cryptographic techniques and other means are discussed in the chapter.

Chapter 11
Wireless Sensor Networks: Emerging Applications and Security Solutions....................................... 217
Sumita Mishra, Rochester Institute of Technology, USA

This chapter provides an overview of emerging applications of wireless sensor networks, correspondingly addresses security concerns, and discusses existing and possible security solutions for such emerging applications. Existing security solutions are found to be inadequate for many emerging sensor network applications that involve the collection of highly sensitive data requiring stringent privacy. In particular, the chapter identifies security issues in Body Area Networks (BAN), Smart Grid Networks, and Area Surveillance Networks, and finally addresses security requirements for such emerging sensor network applications: secure data storage, key establishment and management, access control, and link layer security.

Chapter 12
Privacy Preserving Data Gathering in Wireless Sensor Networks...................................................... 237
Md. Golam Kaosar, Victoria University, Australia
Xun Yi, Victoria University, Australia

This chapter presents a computational model as well as a protocol that can be used to maintain data privacy while data aggregation operations are performed by intermediate nodes on data en route from a sensor node to the base station. According to the computational model, a sensor node perturbs its data, generates two fragments from the data, and uploads the fragments to two separate semi-trusted servers, from which a data collector or a base station can collect and combine them. Security proofs provided by the authors show that neither of the servers nor any intermediate sensor node can discover any individual data item or associate any data with an individual. Beyond sensor networks, the scheme has many other content-privacy-sensitive applications such as auctions, voting and feedback collection, and privacy-preserving data mining.

Section 5
Security Architectures, Algorithms, and Protocols

Chapter 13
BANBAD: A Centralized Anomaly Detection Technique for Ad Hoc Networks............................... 253
Rajeev Agrawal, North Carolina A&T State University, USA
Chaoli Cai, Western Michigan University, USA
Ajay Gupta, Western Michigan University, USA
Rajib Paul, Western Michigan University, USA
Raed Salih, Western Michigan University, USA

This chapter proposes a new efficient algorithm to detect anomalous behavior among the mobile nodes of an ad hoc network. Based on belief networks from probabilistic graphical models, the algorithm builds a normal profile during training by utilizing data on relevant features such as velocity, displacement, local computation and communication time, energy consumption, and response time of each node in the network. Using a specific Bayesian inference algorithm, the algorithm can distinguish abnormal behavior during testing. In a simulated study by the authors, the algorithm is shown to achieve high detection rates, greater than 95%, with low false alarm rates, below 5%. According to the authors, the algorithm can detect anomalies even when data is incomplete or missing. The algorithm has many applications, including intrusion detection in ad hoc networks.

Chapter 14
Data Regulation Protocol for Source-End Mitigation of Distributed Denial of Service..................... 277
Nirav Shah, Arizona State University, USA
Dijiang Huang, Arizona State University, USA

In this chapter, the authors propose a new data regulation protocol that utilizes packet filtering at the source end to mitigate distributed denial of service attacks. The protocol provides a target-controlled traffic mechanism implemented at the source gateway. The underlying assumption of the protocol is that the gateway at the source, as well as the target, can be under attack but not compromised. The security analysis of the protocol shows its robustness under various attack scenarios such as source address spoofing, distributed attacks, and spoofed acknowledgements. A proof-of-concept implementation verifies the claims made by the authors in the chapter.

Chapter 15
Instant Messaging Security.................................................................................................................. 288
Zhijun Liu, The Ohio State University, USA
Guoqiang Shu, The Ohio State University, USA
David Lee, The Ohio State University, USA

Unlike email and similar systems, IM (Instant Messaging) systems face a different set of security challenges due to their real-time characteristics. This chapter describes the architectures and protocols of today's IM systems, identifies threats to IM services, and offers various defense mechanisms. In particular, the chapter focuses on the two most damaging attacks, IM spam and IM worms. For IM spam, new detection and spam filtering mechanisms are proposed. A new architecture for detection of and defense against IM spam is also proposed.

Compilation of References ............................................................................................................... 324

About the Contributors .................................................................................................................... 348

Index.................................................................................................................................................... 356

Foreword

I had the opportunity to review the content of this book and I was very impressed with the quality and variety of interesting topics. The collection of these topics could be very useful as support material for any network security course or as a reference material. These topics cover cryptography (a blended threat approach by cyber attackers); potential security breaches in the healthcare industry and the need for better password management; use of anomaly detection algorithms in intrusion detection systems; security issues in allocation of network services over multiple federations of networks or services; vulnerability of network manageability; network security auditing; vulnerability of wireless sensor networks; vulnerability of Instant Messaging (IM) due to its real-time characteristics; security issues of all common networking devices as well as routing protocols; a security assessment model for network systems; and a new data regulation protocol that utilizes packet filtering at the source end to mitigate distributed denial of service attacks.

Cyrus Azarbod
Minnesota State University, Mankato, USA

Cyrus Azarbod, PhD, has been a professor in the Information Systems and Technology department at Minnesota State University at Mankato since September of 1985. He holds a Ph.D. in computer science (databases). Database security, auditing, and disaster recovery are among his focus areas in teaching and research. Dr. Azarbod is also the founder and CEO of InfoGem, an Information System consulting company, since 1998. He has provided consulting to many companies such as IBM-Rochester, Schweser Study Program (A Kaplan Professional Company), General Electric, and Kato Engineering (a subsidiary of Emerson Company). His training courses and consulting also cover several other areas such as fuzzy relational databases, multi-level secure database systems, security in statistical databases, data modeling, database design and implementation, software engineering, data mining and data warehousing, distributed databases, SQL, Oracle database programming and administration, CASE tools, knowledge discovery, integration of heterogeneous databases, and online course development.

Preface

The explosive growth and deployment of networking technology that supports connectivity to a diverse range of computing devices running many network systems and applications poses many complex security challenges to networking and computer security professionals. To cope with such ever-increasing security challenges, professionals are often trained to handle security problems for specific hardware and software systems, knowledge which may be inadequate and inapplicable if a situation or system changes. Having a broad background, particularly in the contemporary development of network and information security issues and their solutions, would certainly enhance one's ability to adapt quickly to a new situation and handle its security issues. However, contemporary research results on network and information security are not readily available in a useful or comprehensible form to the people who need them in a timely manner. Accordingly, this book presents a body of literature based on current research and trends in network and information security, covering contemporary security issues, solutions, and preventive measures. This reference will be particularly useful for those in administration and Information Systems management who are required to be up to date on the latest network and security concepts, protocols, algorithms, and issues relevant to modern network and Information Systems and services. This book presents a diverse set of viewpoints from diverse contributors, such as academics, researchers, and industry professionals.

OBJECTIVES OF THE BOOK

The main purpose of the book is to make current research results on network and information security
available and coherent to networking and security professionals, managers, and administrators who
often lack the necessary background to understand scholarly articles published in journals and confer-
ences. The book is intended to bridge the gap in knowledge between research communities and security
professionals. Specifically, the book aims to accomplish the following objectives:

• To identify, accumulate, and disseminate worldwide the latest technological solutions, practices, and principles on network and information security for management, administrative, and research purposes
• To provide network security professionals and trainers, network systems designers and developers, and academicians with a book that can serve as a reference
• To provide undergraduate and graduate students in Information Technology, Management Information Systems, Computer Information Systems, and Information Assurance with a book containing theoretical as well as practical details of current network and information security practices
• To highlight future security issues and challenges for ever-expanding and emerging network services and systems.

TARGET AUDIENCE

The book is a collection of chapters written by scholars, researchers, and professionals familiar with the state of the art in computer and network security. The book provides general coverage of network and information security issues, concerns, security protocols, architectures, and algorithms. Recent research results from the existing literature on network and information security are reported in a format understandable and usable by networking professionals, including network administrators and Information Systems managers. The book will enable networking professionals to grasp emerging technological developments in networking and to cope with the corresponding security challenges. In addition, students and educators in computer science, Information Systems, and Information Technology can use the book as a reference for network and information security. Network designers, network engineers, and network systems developers may use the book as a reference to design, develop, and deploy networking systems with appropriate consideration for security and ease of administration.

ORGANIZATION OF THE BOOK

The book comprises fifteen self-contained chapters, divided into the following five sections:

• Section 1: Network Systems Security
• Section 2: Authentication and Data Privacy: Passwords and Keys
• Section 3: Network Security Auditing, Assessment, and Manageability Security
• Section 4: Sensor Network Security
• Section 5: Security Architectures, Algorithms, and Protocols

Section 1: Network Systems Security

This section introduces basic device, protocol, network, system, and inter-domain security issues and their solutions.
Networking devices are integral parts of a computer network and often become targets for attackers; a successful attack on one of them can make the whole network vulnerable. The vulnerabilities of these devices arise from their limited memory and processing power, from limitations of their operating protocols and principles, from incorrect configurations, and from flaws in hardware and software design and implementation. Chapter 1, "Basic Device and Protocol Security," by Bruce Hartpence addresses security issues of all common networking devices such as hubs, switches, access points, and routers, as well as vulnerable protocols such as ARP (Address Resolution Protocol), STP (Spanning Tree Protocol), ICMP (Internet Control Message Protocol), and DHCP (Dynamic Host Configuration Protocol). In addition, the chapter examines and exposes security issues in common routing protocols such as RIP (Routing Information Protocol), BGP (Border Gateway Protocol), and OSPF (Open Shortest Path First), as well as in network management protocols such as SNMP (Simple Network Management Protocol) and CDP (Cisco Discovery Protocol). Finally, the chapter suggests ways to ensure device security, as well as protocol security, to mitigate possible attacks.
Recent developments in security software, hardware, and mechanisms, such as anti-virus programs, firewalls, intrusion detection systems, cryptosystems, and automated patch delivery systems, have successfully mitigated many risks and attacks on cyber-based systems and services. However, attackers are devising more sophisticated attacks that exploit new vulnerabilities which are often overlooked, as network or systems administrators are mainly concerned with defending their networks, operating systems, and services against known vulnerabilities. Often such attacks use a blended threat approach, in which an attacker uses a number of methods simultaneously to infect and take control of a target system. Chapter 2, "Mitigating the Blended Threat: Protecting and Educating Users," by Dr. Christophe Veltsos examines this evolving threat, discusses the limitations of traditional security technologies and controls in mitigating it, and presents new security controls for this new and evolving type of risk. In addition, the chapter proposes security awareness education and training programs for ordinary users to mitigate the blended threat.
Multi-domain resource reservation involves the provisioning and allocation of network services across multiple federations of networks or services; one example is bandwidth and queue allocation at the network elements to provide QoS over multiple domains. Cooperating components that are responsible for provisioning services over multiple domains must ensure inter-domain security during the negotiation of resource reservations, as well as intra-domain security during the initiation and realization of a reservation. Chapter 3, "Security Issues for Multi-Domain Resource Reservation," by Christos Bouras and Kostas Stamos addresses the security issues in this context and provides architectures and procedures to handle multi-domain user authentication, trusted communication between inter-domain modules or components, and multi-domain user authorization. In particular, the chapter presents security requirements and procedures for protecting against various types of attacks on a networked system offering differentiated services and "bandwidth on demand" services over multiple domains.

Section 2: Authentication and Data Privacy: Passwords and Keys

In this section, we present three chapters that deal with the vulnerability of password-based authentication mechanisms to social engineering attacks, as well as the key management mechanisms and infrastructures currently used for data privacy and other cryptographic services.
Social engineering attacks exploit inherent human characteristics such as kindness, mutual trust, and willingness to help in order to gain unauthorized access to private information, systems, and services. A hospital or healthcare facility is very susceptible to social engineering attacks, as attackers can easily befriend healthcare workers or providers in such an environment. Chapter 4, "Healthcare Employees and Passwords: An Entry Point for Social Engineering Attacks," by Dawn Medlin, Douglas May, and Ken Corley provides an account of security breaches in the healthcare industry and discusses violations of HIPAA (Health Insurance Portability and Accountability Act) regulations. In addition, the chapter analyzes research results on how passwords are chosen, a choice characteristically driven by human psychological traits and memorization ability, and exposes severe deficiencies in the passwords used by the general population: they are very predictable or easily obtained by social engineering. Specifically, the chapter focuses on research on the choice and usage of passwords by employees in five different hospitals and reports the significant finding that employees are very likely to share their passwords with family members and with other healthcare employees. These findings underscore the need for stringent controls and aggressive policy, not only in the healthcare industry but in similar industries as well.
The security of modern cryptography rests on the secrecy of keys. A public key infrastructure plays the crucial role of binding public keys to their owners and of distributing and verifying those bindings; the corresponding private keys must remain with their owners. Chapter 5, "Public Key Infrastructure," by Reed Petty, Jiang Brian, and Remzi Seker presents a comprehensive overview of popular public key algorithms, their applications in key exchange and digital signatures, and their vulnerabilities and weaknesses. The chapter identifies several key management challenges that stem from the very foundation of trust upon which a public key infrastructure relies. In addition, it discusses emerging technologies such as quantum computing, which could render today's public key algorithms (those based on integer factorization and discrete logarithms) useless. The chapter also argues that quantum cryptography may offer alternative solutions for our cryptographic needs.
Public key cryptography has eliminated the need for a separate secure channel to transmit the secret key shared by the communicating entities. However, the straightforward use of public key cryptography for key exchange is vulnerable to man-in-the-middle attacks, because a received public key carries no proof of who owns it. A public key infrastructure (PKI) addresses this by having certification authorities vouch for the binding between a public key and its owner. But managing public key certificates is rather complex, as it requires one or more certification authorities, and the process involves considerable computation and communication cost. Alternatively, identity based cryptography simplifies the process by eliminating public certificate verification, at the cost of a trusted private key generator that can derive every user's private key. Chapter 6, "Key Management," by Chuan-Kun Wu provides a survey of current key management schemes and discusses key management issues in various application domains such as mobile ad hoc networks, wireless sensor networks, and mobile telecommunication systems. Subsequently, the chapter covers in detail the mechanisms of public key infrastructure, key escrow systems, and the key management aspects of the PGP email system. In addition, the chapter covers password-based key management as well as key management schemes based on secret sharing. Finally, the author critically delineates the limitations of the various key management methodologies.
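As an added illustration of the man-in-the-middle weakness and of the role the certification authority plays in closing it (example code written for this edition, not taken from Chapter 5 or Chapter 6; the Diffie-Hellman group, the textbook RSA signatures and the certificate format are all toy assumptions), the following script runs an unauthenticated Diffie-Hellman exchange through an attacker and then the same exchange with CA-certified signing keys:

```python
"""Added illustration (not code from Chapter 5 or Chapter 6): a bare public-key
exchange falls to a man-in-the-middle; a certification authority's signature on
the key stops the substitution. All parameters are deliberately tiny and insecure
(Mersenne primes, textbook RSA without padding) so the logic stays visible."""
import hashlib
import secrets


def mersenne(k):
    return 2**k - 1


DH_P, DH_G = mersenne(127), 3   # assumption: toy group; real ones are >= 2048 bits
RSA_E = 65537


def rsa_keypair(p, q):
    """Textbook RSA from two fixed primes (assumption: toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, RSA_E), (n, pow(RSA_E, -1, phi))


CA_PUB, CA_PRIV = rsa_keypair(mersenne(89), mersenne(107))
ALICE_PUB, ALICE_PRIV = rsa_keypair(mersenne(61), mersenne(31))
MALLORY_PUB, MALLORY_PRIV = rsa_keypair(mersenne(19), mersenne(17))


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def dh_public(x):
    return pow(DH_G, x, DH_P)


def dh_shared(peer_public, x):
    return pow(peer_public, x, DH_P)


def _rand_exponent():
    return secrets.randbelow(DH_P - 2) + 1


def _enc(value):
    return value.to_bytes(16, "big")   # DH_P < 2**128, so 16 bytes always fit


def raw_exchange_with_mitm():
    """Unauthenticated Diffie-Hellman. Mallory replaces both public values with
    her own, so each honest party ends up sharing a key with Mallory and none
    with the other. Returns True if the hijack worked."""
    a, b, m = _rand_exponent(), _rand_exponent(), _rand_exponent()
    alice_val, bob_val, mallory_val = dh_public(a), dh_public(b), dh_public(m)
    # Alice sends alice_val, Mallory forwards mallory_val to Bob; and vice versa.
    k_alice = dh_shared(mallory_val, a)
    k_bob = dh_shared(mallory_val, b)
    return (k_alice == dh_shared(alice_val, m)
            and k_bob == dh_shared(bob_val, m)
            and k_alice != k_bob)


def issue_cert(issuer_priv, name, subject_pub):
    """A 'certificate' here is (name, pub, issuer signature over name|modulus)."""
    body = name.encode() + b"|" + str(subject_pub[0]).encode()
    return (name, subject_pub, sign(issuer_priv, body))


def check_cert(trusted_ca_pub, cert):
    name, subject_pub, sig = cert
    body = name.encode() + b"|" + str(subject_pub[0]).encode()
    return verify(trusted_ca_pub, body, sig)


def authenticated_exchange(mitm):
    """Signed Diffie-Hellman. Alice sends (cert, A, Sig_Alice(A)); Bob checks the
    cert against the CA key he already trusts, then the signature on A. With
    mitm=True Mallory substitutes her own value under a self-issued certificate.
    Returns True if Bob accepts the message."""
    alice_cert = issue_cert(CA_PRIV, "alice", ALICE_PUB)
    alice_val = dh_public(_rand_exponent())
    message = (alice_cert, alice_val, sign(ALICE_PRIV, _enc(alice_val)))
    if mitm:
        mallory_val = dh_public(_rand_exponent())
        fake_cert = issue_cert(MALLORY_PRIV, "alice", MALLORY_PUB)  # not CA-signed
        message = (fake_cert, mallory_val, sign(MALLORY_PRIV, _enc(mallory_val)))
    cert, value, sig = message
    return (check_cert(CA_PUB, cert)
            and cert[0] == "alice"
            and verify(cert[1], _enc(value), sig))


if __name__ == "__main__":
    print("raw DH hijacked:", raw_exchange_with_mitm())
    print("signed DH, honest run accepted:", authenticated_exchange(False))
    print("signed DH, MITM accepted:", authenticated_exchange(True))
```

Running the script prints True, True, False: the raw exchange is silently hijacked, the honest signed exchange is accepted, and the substituted value is rejected because Mallory holds no certificate the CA ever issued. The point is not the arithmetic but the trust anchor: Bob's check is only as good as the CA key he starts with, which is exactly the foundation-of-trust problem Chapter 5 identifies.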

Section 3: Network Security Auditing, Assessment, and Manageability Security

This section deals with managerial aspects of network security, such as standards, frameworks, and procedures for the assessment and auditing of network security, as well as the security issues of manageability hardware and software technologies.
Network systems are complex and hence require a reference framework to account for all possible threats and to assess security with a good degree of confidence. Chapter 7, "Security Assessment of Networks," by Aftab Ahmad stresses the need for a framework for security assessment and proposes an assessment model for network systems. In particular, the chapter shows how the ITU-T Network Security Framework (X.805) can be used in a performance model for assessing a security system. As an example, the chapter uses the model to assess the security of the popular sensor network standard IEEE 802.15.4. The model can be applied to assess security using metrics that address vulnerabilities and threats such as destruction of information, corruption of information, loss of information, information disclosure, and service interruption.
Existing security technologies such as firewalls, intrusion detection systems, and cryptography, though they have greatly improved the security of networks and computer systems, are often insufficient to deter and prevent certain types of attacks, such as Web-based attacks, hidden backdoors, et cetera. Network security auditing is a process for assessing policies, procedures, and controls in order to identify security risks or vulnerabilities in network systems; it can expose such threats and drive the appropriate security policies, procedures, and controls. Chapter 8, "Network Security Auditing," by Yin Pan, Bo Yuan, and Sumita Mishra introduces the network auditing process, procedures, standards, and frameworks. A detailed discussion of procedures and technologies to identify various network security threats and vulnerabilities is provided in this chapter. State-of-the-art techniques and procedures for determining and managing risks are also discussed. Through a series of procedural steps in a case study, the chapter illustrates the phases of network discovery, network penetration, network threat analysis, and audit reporting.
Network manageability deals with the remote administration, management, and servicing of network devices and of any other devices connected to a network, such as servers, laptop computers, PDAs, and cell phones. Manageability hardware and software technologies allow an administrator to remotely access and troubleshoot a system through an out-of-band channel, regardless of the condition or the power state of the system. Chapter 9, "Network Manageability Security," by Salvador Mandujano analyzes a number of manageability frameworks, protocols, and services for platforms such as desktops, laptops, servers, and mobile devices. Manageability technologies are themselves vulnerable to attacks and misuse, such as firmware tampering, device tracking, device reconfiguration, loss of administrative control, and so on; because they operate below the operating system and typically remain reachable while the host is powered off, a compromised management interface gives an attacker more than a compromised host does. Several manageability protocols are discussed in this chapter, including the OMA (Open Mobile Alliance) device management protocol for mobile devices, which can be used to perform firmware updates and change configurations. The chapter also discusses the IPMI (Intelligent Platform Management Interface) standard for monitoring and reconfiguring server platforms, Intel's AMT (Active Management Technology), a chipset-based solution for laptop and desktop systems, and DASH (Desktop and Mobile Architecture for System Hardware), a standard for remote administration of hardware over a TCP/IP network. Finally, it describes and discusses the security issues of SNMP (Simple Network Management Protocol).

Section 4: Sensor Network Security

Wireless sensor networks belong to a class of ad hoc networks that are very vulnerable to various attacks because of the unique characteristics of sensor devices: limited processing power, limited battery life, and limited memory capacity. Accordingly, this section provides a survey of security concerns, attacks, and solutions for existing as well as emerging applications of wireless sensor networks. In addition, it includes a new data privacy protocol that allows in-network data aggregation.
Chapter 10, "Security and Attacks in Wireless Sensor Networks," by Murat Al and Kenji Yoshigoe provides an overview of vulnerabilities, attacks, and countermeasures in wireless sensor networks, compares the salient characteristics and applications of wireless sensor networks with those of common wireless technologies, describes the characteristics of attacks and the corresponding countermeasures proposed in the literature, and provides a qualitative comparative analysis of the attacks on wireless sensor networks. Identifying security vulnerabilities is an essential step in devising a security solution. The chapter provides an exhaustive list of attacks and corresponding defense mechanisms to mitigate or prevent them. Many of these attacks also occur in other wireless networks; however, additional attacks such as denial-of-sleep attacks intended purely to drain battery life, attacks on data aggregation, and node capture and tampering are very possible on sensor networks because of their characteristics. System constraints and security design issues in applying current security solutions, such as cryptographic techniques and other means, are also discussed in this chapter.
Wireless sensor networking technology has found extensive application in many sectors. Despite its wide applicability, security is a big concern, as the deployment environment is often easily accessible, making a wireless sensor network very vulnerable to attacks. Chapter 11, "Wireless Sensor Networks: Emerging Applications and Security Solutions," by Sumita Mishra addresses security concerns and discusses existing and possible security solutions, particularly for emerging applications of wireless sensor networks. Existing security solutions are found to be inadequate for many emerging sensor network applications that involve the collection of highly sensitive data requiring stringent privacy. It is very challenging to design a robust and efficient security scheme for wireless sensor networks because of the limited processing power and battery life of sensor nodes. In particular, the chapter exposes security issues in Body Area Networks (BAN), Smart Grid Networks, and Area Surveillance Networks, and finally addresses the security requirements for such emerging sensor network applications in terms of secure data storage, key establishment and management, access control, and link layer security.
Communication is far more energy consuming than computation in wireless sensor networks. Data aggregation, or in-network processing of data in a wireless sensor network, is an attempt to reduce communication overhead and so extend the life of the network for an application. However, data privacy is a big concern, since a data aggregating node along the path to the base station can read the data in plaintext. Accordingly, Chapter 12, "Privacy Preserving Data Gathering in Wireless Sensor Networks," by Md. Golam Kaosar and Xun Yi presents a computational model as well as a protocol that can be used to maintain data privacy while intermediate nodes perform data aggregation on data en route from a sensor node to the base station. In the computational model, a sensor node perturbs its data, generates two fragments from the data, and uploads the fragments to two separate semi-trusted servers, from which a data collector or base station can collect and combine them. Security proofs provided by the authors show that neither server, and no intermediate sensor node, can discover any individual reading or associate any reading with an individual. Beyond sensor networks, the scheme has many other content-privacy-sensitive applications such as auctions, voting and feedback collection, and privacy preserving data mining.
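To make the two-server idea concrete, here is an added example (written for this edition, not the protocol from Chapter 12; it omits the chapter's perturbation step and uses plain additive secret sharing modulo a prime, both assumptions) in which each sensor splits a reading into two fragments, relay nodes aggregate fragments in-network, and the collector recovers the exact sum from the two servers' partial results:

```python
"""Added illustration of the two-server idea summarized above: a sensor splits
each reading into two additive fragments, one per semi-trusted server, so that
neither server (nor any node that aggregates fragments en route) learns a
reading, while the collector still recovers the exact total.

This is not the scheme from Chapter 12; it omits the chapter's perturbation
step and uses plain additive secret sharing modulo a prime (assumptions)."""
import secrets

MOD = 2**61 - 1   # assumption: prime comfortably larger than any sum of readings


def split_reading(value):
    """Sensor side. share_a is uniformly random; share_b is whatever makes the
    two add up to the reading. Either share alone is independent of the reading."""
    if not 0 <= value < MOD:
        raise ValueError("reading out of range")
    share_a = secrets.randbelow(MOD)
    share_b = (value - share_a) % MOD
    return share_a, share_b


def aggregate(fragments):
    """Run by an intermediate node or by a server: add the fragments destined for
    the same server. Only sums of random-looking values leave this hop, which is
    what makes in-network aggregation possible without exposing plaintext."""
    return sum(fragments) % MOD


def combine(total_a, total_b):
    """Collector / base station: the two servers' partial sums give the total."""
    return (total_a + total_b) % MOD


def collect_round(readings):
    """One gathering round over a flat topology. Returns (total, to_a, to_b) so
    the caller can inspect what each server actually received."""
    to_a, to_b = [], []
    for reading in readings:
        share_a, share_b = split_reading(reading)
        to_a.append(share_a)
        to_b.append(share_b)
    return combine(aggregate(to_a), aggregate(to_b)), to_a, to_b


def collect_round_tree(readings_by_branch):
    """Same round, but each branch's relay node pre-aggregates its children's
    fragments, so only one fragment per branch per server travels upstream."""
    branch_totals_a, branch_totals_b = [], []
    for branch in readings_by_branch:
        _, to_a, to_b = collect_round(branch)
        branch_totals_a.append(aggregate(to_a))
        branch_totals_b.append(aggregate(to_b))
    return combine(aggregate(branch_totals_a), aggregate(branch_totals_b))


def recover_if_colluding(share_a, share_b):
    """The security assumption made explicit: if the two servers pool their
    fragments for one node, that node's reading is recovered exactly."""
    return (share_a + share_b) % MOD


if __name__ == "__main__":
    # Constructed sample readings (e.g., temperatures in tenths of a degree)
    sample = [215, 220, 198, 0, 301]
    total, seen_a, seen_b = collect_round(sample)
    print("true sum:", sum(sample), "recovered:", total)
    print("server A received:", seen_a)
    print("server B received:", seen_b)
```

Each server receives only uniformly random values, so an individual reading cannot be recovered from one server's data alone; `recover_if_colluding` shows that the guarantee rests entirely on the two servers not pooling their fragments, which is why they must be independent as well as semi-trusted.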

Section 5: Security Architectures, Algorithms, and Protocols

This final section presents new research results on security architectures, algorithms, and protocols for the detection and prevention of intrusions and distributed denial of service attacks, as well as for controlling spam and worms in instant messaging.
Many intrusion detection systems for traditional wired networks use anomaly detection techniques at their core, detecting intrusions by comparing abnormal traffic behavior or patterns against normal traffic behavior or patterns. In contrast, such comparison of traffic patterns becomes very challenging in an ad hoc networking environment because of node mobility and the lack of a fixed infrastructure within the network. Chapter 13, "BANBAD: A Centralized Anomaly Detection Technique for Ad Hoc Networks," by Rajeev Agrawal, Chaoli Cai, Ajay Gupta, Rajib Paul, and Raed Salih proposes a new anomaly detection algorithm that is found to be well suited to ad hoc networks. The algorithm is based on statistical Belief Networks (BN): it builds a normal profile during training from system features and checks for deviation during testing. As ad hoc networks are very dynamic because of the mobility of their nodes, they may hinder any ongoing data collection for intrusion detection, which in turn makes accurate profile generation by an intrusion detection scheme difficult. As such, existing intrusion detection schemes may not work, due to constantly changing network configuration and/or incomplete information. As reported in the chapter, the proposed anomaly detection algorithm is found to detect anomalies even if data is incomplete or missing in such a dynamic environment.
Distributed Denial of Service (DDoS) attacks on a target host can be launched remotely by an adversary using freely available attack tools. Categorically, three types of DDoS attacks are possible: 1) a master node recruits a multitude of agent nodes by exploiting their vulnerabilities and has them carry out a well-coordinated, simultaneous attack on the target; 2) a single malicious node launches the attack while spoofing its source IP address; and 3) in a hybrid attack, a master node recruits agents and configures each agent machine to spoof the source addresses of its outgoing packets.
Chapter 14, "Data Regulation Protocol for Source-End Mitigation of Distributed Denial of Service Attacks," by Nirav Shah and Dijiang Huang proposes a new data regulation protocol that uses packet filtering at the source end to mitigate distributed denial of service attacks. The protocol provides a target-controlled traffic mechanism implemented at the source gateway, in contrast with target-end filtering using firewalls. The underlying assumption of the protocol is that the gateways at the source as well as at the target can be under attack, but are not compromised. The security analysis of the protocol shows its robustness under various attack scenarios such as source address spoofing, distributed attacks, and spoofed acknowledgements. A proof-of-concept implementation verifies the claims made by the authors in the chapter. The proposed protocol holds the gateway of the source network accountable for all of the egress traffic leaving the network, thus providing an incentive for source-end filtering.
Instant Messaging (IM) is a popular and efficient communication mechanism that allows users to chat from desktops, cellphones, and handheld devices. Though simple and convenient, IM systems, unlike email and similar systems, face new security challenges because of their real-time characteristics. Chapter 15, "Instant Messaging Security," by Zhijun Liu, Guoqiang Shu, and David Lee reviews the architectures and protocols of today's IM systems, identifies threats to IM services such as IM spam and IM worms, surveys various defense methods, and finally proposes new, effective solutions for filtering IM spam and controlling IM worms, including smart worms. Several spam detection, control, and filtering mechanisms, such as challenge-response filtering, fingerprint vector based filtering, Bayesian filtering, and collaborative feedback based filtering, are discussed and evaluated for IM systems. In addition, the authors provide a mathematical model of IM worm behavior and correspondingly propose defense mechanisms, including a topology-aware throttling scheme to slow down worm propagation.
The concept of computer networking started with the purposes of communication and the sharing of hardware, data files, and software. The chapters in this book demonstrate how the increasing complexity of the services provided by networking, together with the rise in the malicious intent of some participants, has made security issues and security management a core area of communication. Readers will become familiar with network security administration and its current trends and issues, and will find that, as wonderful and useful as networking is for sharing resources and saving cost and time, it has to be secure to even be considered a solution. Otherwise, it would be creating more problems than it solves.

Dulal C. Kar
Texas A&M University-Corpus Christi, USA

Mahbubur Rahman Syed
Minnesota State University, Mankato, USA

Acknowledgment

We would like to thank all of our authors for their scholarly contributions, which have made this book a resourceful document of contemporary research results in network and information security. Without their contributions, this book would not be a reality. We thank our editorial advisory board members for their support in all phases of the book project, such as dissemination of our invitation for book chapters, communicating with prospective authors, and review of book chapters. Our sincere thanks go to the book chapter reviewers, whose constructive and comprehensive reviews have helped to enhance the quality of the book in many respects. We acknowledge the contributions of our graduate student assistants, Ms. Geetha Sanapala, who assisted us in collecting email addresses and preparing email lists of prospective authors, and Mr. Clifton Mulkey, who assisted us in last-minute reviewing of some chapters. A special note of thanks goes to the staff members of IGI Global for their constant editorial assistance and professional support that helped to keep the project on schedule. In particular, we would like to thank Ms. Erika Carter, whose invitation for editorship offered us the opportunity for this editorial service, and Mr. Joel Gamon, who supported us with the necessary guidance and documents to smoothly manage the project in all phases since its inception.
Finally, we hope that readers will benefit greatly from the book.

Dulal C. Kar
Texas A&M University-Corpus Christi, USA

Mahbubur Rahman Syed
Minnesota State University, Mankato, USA
Section 1
Network Systems Security

Chapter 1
Basic Device and
Protocol Security
Bruce Hartpence
Rochester Institute of Technology, USA

ABSTRACT
Security texts often focus on encryption techniques, firewalls and security for servers. Often missing are
the inherent weaknesses in the very building blocks of modern local area networks. This chapter discusses
the devices and protocols common to every single production network running today in terms of their
basic security vulnerabilities and provides some techniques for reducing security threats. Specifically,
this chapter will cover the operation of routers, switches and access points with a brief mention of
hubs. Protocols covered will include the spanning tree, internet control message, address resolution,
management, and routing protocols. Packet captures and screenshots will be used to illustrate some of
the protocols.

INTRODUCTION In addition, most network activities such as file


transfer are simply implemented with the intent
There is more to network security than encrypting on accomplishing the end goal rather than being
user data, virtual private networks or installing designed with security in mind.
firewalls. While these are very important, we must As a result, we currently deploy networks
review every aspect of network communication to that are plagued by security holes at all levels
ensure that we are providing adequate protection to of the TCP/IP (or OSI) model and every type
network resources. The reality is that every device of networking device. These security holes are
and protocol has its own set of vulnerabilities. present not because a programmer didn’t protect
against buffer overflow or there was a flaw in the
DOI: 10.4018/978-1-60960-777-7.ch001 encryption algorithm, but because devices and

Copyright © 2011, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Basic Device and Protocol Security

protocols are operating exactly as intended. The resources. No matter the cause, it is clear that a
good news is that with an understanding of basic better firewall isn’t the answer.
behavior and some minor configuration changes,
many of these weaknesses can be minimized or
eliminated entirely. Lastly, by having insight RECONNAISSANCE
into the network and understanding the baseline
measurements, one can more easily respond to Apart from the most obvious or brute force at-
an attack in progress or deal with the aftermath. tacks, exploits usually begin with some sort of
This chapter will examine some of the common investigation or reconnaissance. Depending on the
elements deployed today and how the standard goal of the attack, the recon may be as simple as
operation makes reconnaissance for an attacker driving around looking for an open access point
simpler. We will also discuss some basic steps to that is still using the default configuration or a
help mitigate the security holes. much more in-depth analysis of network traffic,
Sometimes understanding the nature of an at- behavior and resources. The information gained
tack or our vulnerabilities can give us an idea as during this phase of the attack can come from a
to the vectors that might be used. The reverse is wide variety of sources. Employees may be un-
also true. Regardless of your point of view, it is witting accomplices as they are tricked or social
difficult to defend against an attack if you do not engineered into revealing information. Wireless
understand nature of the attack. There are many scans can often be very fruitful and some com-
reasons that an attacker may target a network and panies even post a considerable amount of infor-
attacks are not always for material gain. Some of mation on web pages in order to make employee
these reasons include but are not limited to; resources easier to find. As an example, many
organizations may electronically post the locations
• Spotting an easy target or even IP addresses of printers and servers. The
• Access to user data intent is that employees will now be able to more
• Access to company resources especially easily connect to these devices without having to
bandwidth or storage generate a troublecall to the helpdesk. Of course
• Denial of service this also makes it easier on the bad guy.
• Settling a grudge Some methods of gaining information are
• Competition passive in that the attacker is not actively running
• Fun queries such as a port scan at a system on the
network. The best example is probably eaves-
Underscoring the need to understand the threat dropping or capturing packets. It is interesting
is a series of polls from the Computer Security that many companies do not report problems with
Institute. For more than a decade this organization eavesdropping but a very appropriate question is;
has collected data on attack types, security deploy- “How do you know?” Recon can also be much
ments, personnel skills and many other aspects more aggressive including configuration attempts
of computer crime. Consistently, the top threats or attacking a network element. Auditing compa-
or problems experienced by those responding nies even engage in dumpster diving and waiting
to the poll are viruses, insider abuse and laptop for receptionist coffee breaks to get by security.
theft or fraud (Richardson, 2008). Some insider It is not always obvious what the target actu-
threats result from poorly configured security that ally is. If the attacker takes advantage a switch
gave unauthorized personnel access to restricted weakness, we might say that the switch was under
attack and assume this to be the target. In fact,

2
Basic Device and Protocol Security

this was simply a more active form of reconnaissance. The attacker was hoping to learn something from the traffic flowing out of the switch. Once the information has been obtained, the real attack may begin. One of our major goals with network security is to reduce the ability of the bad guys to complete their reconnaissance.

EQUIPMENT

Every network is comprised of the same basic equipment and capabilities. Each piece of equipment also comes with its own set of security vulnerabilities, ranging from exposure of data to allowing control of the device. We'll start from the bottom of the TCP/IP protocol stack and work our way up, examining devices at layers one, two and three and the associated problems. Specifically, we'll take a look at hubs, access points, switches and routers.

Hubs

While most organizations have moved away from hubs, we've included them as a reference point. As we know, hubs have some defining characteristics:

• They do not possess a great deal of intelligence
• They repeat traffic out all ports except the source port
• While fast, they do not scale well due to collisions
• They typically do not filter traffic

The obvious security problem is that hubs essentially broadcast traffic to any node connected, which means that an attacker gaining access to a network port can see everything. However, it is worth noting that this particular behavior can vary between manufacturers. For example, some vendors isolate slower speed connections. As for access to live ports, it is not uncommon to see jacks installed in conference rooms, seating areas or spare offices.

For these performance and security reasons, hubs have largely been replaced with switches. So, we're safe from prying eyes, right? Wrong. It turns out that there are other network devices that either behave like a hub in certain situations or can be forced to act like a hub through some sort of attack.

Access Points

Another name for an access point is wireless hub. While this isn't exactly accurate, it is not too far off either. Like a hub, the access point (AP) broadcasts traffic to anyone capable of hearing it. The difference is that while an attacker had to get access to a physical port in order to see the hub traffic, when an AP is present you only need an antenna. It is like sprinkling ports everywhere. Let's take a little closer look at AP behavior. The AP has several major responsibilities:

• Notifying network users of its presence and negotiating connections
• Forwarding traffic between the wired and wireless sections of the network
• Handling traffic for all of the wireless nodes currently connected
• Encrypting or otherwise securing traffic if configured to do so

These are requirements of every AP being used, and these standard functions introduce security holes into your network. For the moment we'll put aside the broadcast nature of the traffic and discuss these basic AP responsibilities.

An AP uses a special frame called a beacon to inform you of its presence and includes the wireless communication parameters. This same frame advertises the AP to potential attackers. The common approach to protect against this is to remove the SSID or network id from the beacon frame, so that the beacon does not broadcast the
network name. The reality is that this doesn't actually hide the network, because this same information is included in another frame called the probe response.

The probe response is the AP's answer to a probe request sent from a node that already knows of the network. When a valid node wishes to join a network, it does not typically wait for a beacon frame. Instead it transmits a probe request to speed up the association process. So, an attacker wishing to learn about your network simply has to wait for the AP to issue a probe response. This is a process that can occur several times a second, depending on how many nodes are present. In addition, because of roaming behavior and nodes going into sleep to conserve power, probe requests are a regular part of the network traffic. In fact, by removing the SSID from the beacon frame, you may actually be creating problems for the valid wireless users and encouraging them to connect to rogue APs (Ciampa, 2007). A probe response with the exposed SSID of "teamJ" is shown in Figure 1.

Figure 1. 802.11 Probe Response

APs also connect the wired and wireless segments together. Traffic flows between the two sides. This means that when nodes on either side of the AP communicate, the AP forwards everything. Let's take a couple of examples. When two wireless nodes communicate, as long as they are connected to the same AP, the transmission is limited to the wireless segment and does not cross to the wired side. The same can be said of two wired nodes communicating, as these frames stay on their side of the network. However, when one node is wireless and one is wired, this traffic exists on both sides of the AP. The problem being introduced here is that an attacker listening in on wireless traffic can now determine not only the
wireless nodes present, but the wired nodes and servers as well.

If we add broadcast traffic to the mix, we can see that it no longer matters where the node is, because AP behavior in the presence of broadcast frames is to send broadcast frames everywhere. As an example, a wired node generates an address resolution protocol (ARP) request for a node on the same network. This type of message is necessarily a broadcast frame. If we assume that the wired node is connected to a switch, the switch forwards the ARP request everywhere, including the port used by the AP. Upon receipt of the ARP request, the AP waits for an opportunity to transmit and then broadcasts this ARP request to the wireless network.

Propagation distance for a particular wireless transmission between wireless hosts is limited by their surroundings, power level and antenna type. Often APs are equipped with improved transmission capabilities when compared to wireless nodes. By handling this traffic, the AP is usually increasing the distance that a transmission will travel. In fact, if we were to compare the network diameter of an ad hoc network to that of an infrastructure network using APs, we would see that installing the AP can double the network footprint. If we add the signal improvement of an 802.11n network, this transmission distance is again pushed further out.

So an attacker can find an AP of a target network whether that AP is broadcasting the SSID or not. In addition, we can now see that the traffic in jeopardy is not just that of the wireless nodes but the wired nodes as well. The AP and nodes can be configured to encrypt the transmission, which solves some of these problems. However, there are still many organizations and home users that have not taken this step. The percentage of wireless networks that are still unencrypted is astonishing. A recent study revealed that 25% of small companies running wireless networks do not password protect them (NCSA, 2009). In addition, those that have deployed encryption techniques often make mistakes on the implementation and do not go far enough with their solutions. We have seen a shift to WiFi Protected Access with a Pre-Shared Key (WPA-PSK) instead of WEP, but these implementations often use short, easy to guess passphrases.

Attackers can also learn from non-data traffic on a wireless network. There is quite a bit more management traffic on a wireless network than on a wired Ethernet network because of the operation of 802.11. Beacon and probe request frames are just two examples. Others include association requests and authentication frames. In addition, this traffic is often not encrypted with the data traffic. It is very common to see unencrypted management frames even if the data is protected. An attacker wishing to learn MAC addresses or see the operation of the network with an eye towards breaking the encryption need only capture frames passively.

Lastly, 802.11 operations create other vulnerabilities because of the management frames. For example, hosts do not authenticate the management frames. In other words, hosts listen to or obey management frames that they receive, making them easy targets for hijacking or denial of service via the authentication and association conversations. If an attacker forges a disassociation message and sends it to a wireless host, the host will disconnect from the network. It will try to reconnect, but this sort of forgery is often the beginning of a larger attack. To illustrate the problem, the node reconnecting goes through the WPA-PSK handshake process. This is precisely what the attacker wanted to see, because the information contained in the handshake is part of the keying material and is required in order to perform certain attacks, including breaking the encryption.

Switches

As a replacement for hubs, switches have done very well, especially since the cost per port has come down, capabilities are greater and link speeds have improved. Switches also have many features that hubs never possessed. From a security standpoint,
some key benefits to switches include changes to the forwarding behavior (no longer broadcasting all traffic), support for virtual local area networks (VLANs), basic port security and 802.1X.

Switches forward based on MAC address (at least for known devices) and consult a source address table before transmitting a frame to the destination. This means that for a significant portion of network traffic, only the proper destination receives the transmission. This is a major improvement over the method used by hubs, even if the forwarding decision and processing of the frame cyclical redundancy check (CRC) both introduce latency. This method of forwarding is not without its weaknesses. For unknown addresses, broadcast (a destination MAC address of ff-ff-ff-ff-ff-ff) and multicast (a destination typically beginning with a first octet of 01) traffic, the switch behaves just like a hub in that it forwards these frames out all ports but the source. This process is called flooding. VLANs can reduce the effect of flooding because they can be used to segment the switch into smaller logical network segments. This means that this sort of traffic is only flooded to a particular VLAN.

In addition to flooding, switches have other vulnerabilities because of their basic operation. The source address table or SAT is an example of one place a switch can be attacked. The switch tries to populate the SAT with MAC addresses learned from the traffic seen on the network. A typical SAT has enough capacity to store the MAC addresses of thousands of network devices, and the switch consults and updates this table every time a frame is received. But what happens if the SAT table space is filled? In this case, the switch cannot place a new address into the SAT and so must flood any traffic not matching the addresses already in the SAT. A clever attacker will fill the SAT with addresses by sending extra traffic to the switch. This traffic has a different source MAC address in each frame. The result is that frames destined for the valid network nodes must be flooded everywhere, essentially turning the switch into a hub (Paggen & Vyncke, 2007). A great tool for generating frames is macof.

As stated earlier, VLANs can be an effective tool for breaking up a network and making it more difficult for an attacker to discover valuable network resources. In a switch without VLANs, any network host connected to the switch is connected to the same logical domain as all other hosts. A VLAN boundary would prevent the host from seeing existing layer 2 traffic on the other VLANs, effectively breaking a switch into several smaller switches. This is an improvement, but the use of VLANs still does not make the switch or traffic impervious to attack. In addition to the attacks previously mentioned, one of the side effects of placing more and more intelligence into switches is that they often try to configure ports automatically. The goal is to negotiate the connection parameters with the opposite end of the link. A simple example of this is the speed negotiation for a 10/100/1000 port. Many other parameters can be negotiated, including the port mode of operation.

VLANs can span several switches. In order to convey VLAN membership information between switches, a trunking protocol is used. A trunk port understands the trunking protocol and is used by the switch to sort out traffic destined for the various VLANs. Every frame traveling on a trunk line between switches running VLANs will be encapsulated in a trunking protocol. The industry standard trunking protocol is 802.1q. To facilitate communication between switches, the ports are often allowed to dynamically determine the parameters for the link. A port that is permitted to dynamically configure itself can change to a trunk port as opposed to the normal "access" port operation, and vice versa.

An attacker can take advantage of this by tricking the switch port into believing that another switch with a trunk port is present. The attacker sends a dynamic trunking protocol message to the switch and the switch, believing a neighbor switch to be present, changes the attacker's port
from access mode to trunk mode. Following basic operation, all broadcast or flooded traffic destined for any VLAN will also be sent out any trunk ports. The switch is simply trying to reach as many network nodes as possible. Unfortunately, this also includes the attacker.

The other half of an attack like this is to not only see traffic, but transmit into the network. Once node VLAN membership is determined, the attacker can generate frames tagged for the proper VLAN and using the destination MAC address of the target. In this way traffic can be directed to any VLAN or destination known to the switch.

Lastly, switches participate in other protocols that have their own vulnerabilities. By exploiting either the structure or operation, an attacker can drastically affect network performance and completely disrupt traffic. We will discuss some of these in the protocol section of the chapter.

Routers

Stating the obvious, routers route. Send a packet to a router for forwarding and it will send it to the destination. Routers come in many shapes and sizes, and while they all possess the same basic functionality, there is a big difference between what we call a router that might be used in a production network and a home gateway product. It is only when we start adding things like filter lists and policies that routers become a device that can contribute to network protection. A home gateway comes with built-in firewall capability, network address translation, management interfaces and a dynamic host configuration protocol (DHCP) server. In many ways, the home gateway is a more secure device out of the box than an access router used in a company network.

Routers are also similar to network hosts. They require IP addresses in order to operate (switches and APs do not) and they use and respond to ARP messages. ARP messages can be used to exploit both host and router traffic through what is called a man in the middle attack. Man in the middle is discussed in more detail in the section on ARP.

Like switches, routers participate in protocols that can be exploited. Examples include ICMP, routing protocols and management. While not all of these escalate to ownership of the router itself, they can be used to easily disrupt network traffic and operation. A more thorough discussion of ARP, ICMP, routing protocols and management issues can be found later in the chapter.

A Word about Network Traffic

Our discussion to this point has focused on network devices and what they effectively give away due to their standard operation. Gaining access to traffic can be a big part of an attacker's reconnaissance. Almost all traffic on a network is what we call "clear-text". This means that passive observers can read the contents of a particular packet because, by default, it is not encrypted. It turns out that if we were to capture a random series of packets on a network, we would be able to read or see the following items:

• The layer 2 header including the MAC addresses
• The layer 3 header including the IP addresses
• The layer 4 header including the port numbers
• The application data

As for the application data, the amount that can be read varies from transaction to transaction, but in many cases all of the content can be read. For example, an FTP conversation can be read in its entirety, including the username and password. The same is also true for telnet. Many parts of a web page sent over the network via http can be read. An example of this is shown in Figure 2. This particular packet was captured while browsing to the IP address of an unsecured router. As you can see, details regarding the device, telephone numbers and essentially any other text
is visible. For space, this is actually a portion of the overall packet. Were the entire contents displayed here, we could see the MAC addresses, IP addresses, port numbers, type of transmission, browser used and the destination. This sort of information helps the attacker determine the best type of exploit to use on a particular target.

Figure 2. HTTP packet

Some developers have taken a step towards security by encrypting the username and/or password before they are transmitted. However, this does not mean that the data is covered by the same encryption. For example, you may need a password to access a network share, but once you access a file, we are back to clear text.

PROTOCOLS

IP based networks depend on the operation of a couple of basic protocols. No matter what organization is running the network, these protocols or their cousins are always present. Examples include the address resolution protocol, spanning tree, internet control message protocol and routing protocols. Each of these is critical, and all of these have inherent security flaws.

Address Resolution Protocol (ARP)

The purpose of ARP is to find the MAC address associated with an IP address. A node initiating the conversation issues an ARP request for a particular IP address. This is a broadcast frame, and from our previous discussion we know that both switches and access points forward these everywhere. If the node matching the destination IP address is available, then it will return an ARP reply. All hosts use ARP messaging, including routers. In addition, though not required for normal operation, if a switch or AP is given an IP address for management purposes, ARP will be used here as well.

Note that like many conversations, the ARP messages are easily read by an observer. Once a node receives a reply, the application traffic can now begin to flow because the Ethernet frames can be properly addressed. In addition, this newly acquired information is temporarily stored by the source host in an ARP table. If an attacker can corrupt the table, then the host (or the data sent from the host) may be exploited. An example of the ARP table is shown in Figure 3.

Some operating systems are willing to accept unsolicited ARP replies. This means that even if a host never asks for the MAC address of a destination IP, the attacker may supply one in hopes
that the host will populate the ARP table with bad information. The idea is that the destination IP will be mapped to the MAC address of the attacker rather than the real destination. However, even if the host is not willing to listen to these unsolicited messages, it is possible for an attacker to simply wait for the questions to be asked and then try to beat the valid answer back to the host. Another approach is to simply fill the network with answers. The first answer received is assumed to be the correct one. It gets worse. Not only will an attacker poison the ARP table of a host, but of the router as well (Nachreiner, 2009).

Figure 3. ARP Table

At this point, the host believes that the attacker is the router and the router believes that the attacker is the host. Thus the attacker is the "man in the middle". Upon receiving traffic from either of these, the attacker simply forwards the traffic on after copying anything they desire. In this way, all traffic between the two devices is at risk. Finally, since ARP is part of normal operations, this traffic is never questioned and the attack is invisible to the nodes involved. Unfortunately, we rarely check our ARP tables for bad information. In fact, it's quite probable that even if we read the table, the bad information might not be recognized for what it is.

Spanning Tree Protocol (STP)

The spanning tree protocol (STP), defined by IEEE 802.1D, runs between layer 2 bridges and switches. The primary mission of STP is to prevent loops from occurring in an Ethernet network. Were a loop to exist, traffic would have the potential to circulate endlessly, to the point of preventing valid network traffic from flowing. This is because, unlike IP, layer 2 frames do not possess a time to live field and are never removed from the network. In this regard, the protocol works very well, albeit slowly. For this reason, there have been improvements made to STP, namely rapid STP. However, the operational goals are essentially the same: eliminate logical loops through the election of a root bridge and the establishment of a tree-like structure. This is accomplished via the exchange of special STP frames called bridge protocol data units or BPDUs. In a topology where loops are discovered, certain switch ports will be blocked, preventing traffic from flowing in that direction. What is important to realize is that spanning tree automatically builds the layer 2 topology.

Part of the behavior during normal operation is to allow topology changes when a switch joins or leaves the network. At this point, the other switches listen to either new BPDUs or respond to the loss. Factors affecting the topology changes include the MAC addresses of the switches, path costs, port IDs and priority values.

The problem is that all of the switches listen to this information and must act on it. So, an attacker wishing to disrupt the operation of the network can inject BPDUs into the network, which can trigger topology changes. If done often enough or at the right frequency, the network can become inoperable because of the constantly changing pathways (IEEE, 1998). For example, if a network has reached steady state such that the traffic flows
in a particular direction, an attacker can inject BPDUs that will force the traffic to flow in the opposite direction. During a topology change, it is not uncommon for network nodes to experience a temporary loss of connectivity. Removing the injected traffic changes the traffic direction again. The effect can be devastating and is simply taking advantage of the basic behavior of a very common protocol.

Wireless networks can have additional problems because the speeds of the wireless links are slower than on the wired segments. If all of the network traffic were to be directed over the wireless links, severe bottlenecks or outages could occur as the links were overrun. In addition, many wireless devices can act as either access points or bridges. Configuration and wiring mistakes can create as many problems as attackers do.

Internet Control Message Protocol (ICMP)

The Internet Control Message Protocol (ICMP), defined in RFC 826, has two basic functions: error and information messaging. The protocol is designed to provide feedback in the event that a destination cannot be reached or a transmission is not allowed. It can also give us information regarding the presence of a particular IP address and aid in path discovery. There are several different types of ICMP messages, and several reasons for including ICMP in any discussion of security. The first is that, like many network transmissions, these messages are clear text and can aid in network reconnaissance. Examples of important information might be addresses of routers on the network, addresses of MobileIP foreign agents or even information about the network settings.

The ICMP echo request also provides an attacker with a "known good" for many attacks since it usually carries the alphabet, as can be seen in Figure 4. Traffic can be injected into an encrypted network, which results in the bad guy having both the unencrypted and the encrypted version of the same traffic. This makes cracking the encryption much easier.

Figure 4. ICMP Echo Request

An attacker almost couldn't ask for an easier pattern to match. Once the attacker has obtained the encrypted version of the same thing, working backwards using the same algorithm reveals the key used.

ICMP is also a tool for the attacker to use while performing reconnaissance on your network or staging attacks. Almost all IP based devices are
programmed to listen and respond to ICMP messages. By using basic programs like PING and TRACERT, which generate ICMP messages, a potential attacker can find out a great deal about your network.

PING sweeping is a method by which an entire address space is "pinged" one address at a time in order to see which addresses give answers. PING has many options, some of which can be used for path discovery. TRACERT is an excellent diagnostic tool, but attackers can use this same tool to find their way through your network and gain the addresses of the router interfaces. Again, these are basic components of any IP based network and the devices are simply obeying their normal operation. In Figure 5 the output from a Windows tracert displays not only the router interfaces contacted, but the pathway used.

Figure 5. Tracing a Route

Lastly, ICMP messaging, most notably the ICMP redirect (see Figure 6), can be used by an attacker to poison the host routing table. This is another form of the man in the middle attack outlined in the ARP section.

Figure 6. ICMP Redirect

The purpose of a redirect message is to inform the host of a better pathway to the destination. The better pathway is actually via a different router. Once the host learns of this, it updates the local routing table and uses that entry from that point on. But what if the new pathway was not a router at all but an attacking machine instead? The host is completely unaware of this because redirects are a part of the normal protocol operation. The attacker simply made it appear as though the redirect message came from a valid router. Once the attacker receives the redirected packets, they are copied and forwarded to the proper destination via the proper pathway (Mason & Newcomb, 2001). This is also a difficult attack to detect because it looks like standard traffic. Redirects are actually a normal part of networking. Like ARP tables, we rarely check our routing information unless there is a problem. If done correctly, the man in the middle attack leaves no
trace and does not disrupt traffic. Ettercap is another tool to add to the toolbox.

Routing Protocols

Most organizations run some sort of interior routing protocol to help ensure that all of their network segments are reachable and have some protection against failure. Static routing, while quick and reliable, requires management, and the routes do not automatically fail over upon loss. Routers running routing protocols exchange information (in clear text, of course), and then decide whether or not to change their local routing tables based on the received information. Common interior routing protocols include the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

In a RIP packet, information regarding some of the networks known by the router is clearly visible. But the real problem with routing protocols is that they are often designed with minimal security in mind. When a router shares information in the form of a RIP table exchange or an OSPF link state update, other routers participating in the same protocol will listen. This is fine if the information is valid. However, as with some of the scenarios already outlined, there is nothing to stop an attacker from sending a properly formatted but nonetheless false routing update. This can force all of the routers to change aspects of the routed topology, just as we saw with spanning tree. At a minimum this causes disruption of service, but in some cases a clever attacker can route traffic off-site and then route it right back to the valid routers. This was demonstrated at the 2008 DefCon conference, where a small team of security researchers hijacked all of the traffic destined for the security conference (Zetter, 2008). While this particular attack was completed using the Border Gateway Protocol (BGP), which is designed for a different type of network, it serves to illustrate the problem.

Dynamic Host Configuration Protocol (DHCP)

The primary purpose of the Dynamic Host Configuration Protocol (DHCP) is to provide a network host with the information required to operate on the network. Minimally this will include:

• IP address
• Network Mask
• Default Gateway

However, there are many options associated with DHCP, and so a message can include much more information about the network, including an indication of services available and the addresses of the computers offering the service. An example of a DHCP acknowledgement packet is shown in Figure 7.

In this case we can see that even a basic DHCP message will include such items as the IP address, DHCP server address, host name, mask, router and servers. This information can make DHCP messages very attractive to an attacker performing reconnaissance. Like all of the protocols and devices discussed in this chapter, DHCP is a part of almost every single network, and therefore almost every single network has some level of exposure to attack if steps are not taken to secure the conversation.

Problems with DHCP extend well beyond our ability to see into the packet. Many servers are configured with a free pool of addresses, so any host asking for an IP address will receive one, even if it doesn't belong on the network. This is true of most home networks as well, since wireless home gateways come preconfigured as a DHCP server. Even if this free pool of addresses is minimized or removed, IP addresses can be stolen or spoofed by attackers impersonating valid nodes because the traffic can be captured and read if it is unencrypted. DHCP provides all of the information that an attacker requires in order to operate on your network.
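The poisoning sequence described in the ARP section above (replies nobody asked for, answers racing the real one, and both the host's and the router's tables being poisoned) leaves a pattern that a passive monitor can recognise even though the nodes involved never notice. The following is an added example and not code from the book: it parses raw Ethernet/ARP frames and flags replies with no matching request, IP-to-MAC bindings that change, and a gateway answering from a MAC other than the one configured as trusted. The trusted gateway MAC, the addresses and the frames built in run_demo are all constructed for the example.

```python
"""Passive ARP monitor for the cache poisoning described in the ARP section.
Added example with constructed frames; not the book's code, and every
address below is made up."""
import struct
from collections import deque

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the fields of an Ethernet/ARP frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}


class ArpMonitor:
    """Tracks outstanding requests and the IP-to-MAC bindings seen on the wire."""

    def __init__(self, gateway_ip, gateway_mac, window=64):
        self.bindings = {}                    # ip -> last MAC that claimed it
        self.pending = deque(maxlen=window)   # (asker_ip, asked_for_ip), most recent requests
        self.gateway_ip, self.gateway_mac = gateway_ip, gateway_mac  # assumed trusted binding

    def observe(self, frame):
        """Feed one frame; return a list of alert strings (empty when benign)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        sip, smac = arp["sender_ip"], arp["sender_mac"]
        if arp["op"] == ARP_REQUEST:
            self.pending.append((sip, arp["target_ip"]))
        elif arp["op"] == ARP_REPLY:
            asked = (arp["target_ip"], sip)
            if asked in self.pending:
                self.pending.remove(asked)
            else:  # reply without a matching request: gratuitous or injected
                alerts.append(f"unsolicited reply: {sip} is at {smac}")
            if sip == self.gateway_ip and smac != self.gateway_mac:
                alerts.append(f"gateway {sip} claimed by {smac}, expected {self.gateway_mac}")
        previous = self.bindings.get(sip)
        if previous is not None and previous != smac:
            alerts.append(f"binding change: {sip} moved from {previous} to {smac}")
        self.bindings[sip] = smac
        return alerts


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a test Ethernet/ARP frame (replies unicast, requests broadcast)."""
    dst = target_mac if op == ARP_REPLY else b"\xff" * 6
    eth = dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def run_demo():
    """Constructed scenario: a normal lookup, then an attacker poisons both ends."""
    gw_mac, gw_ip = bytes.fromhex("001122334401"), bytes([10, 0, 0, 1])
    host_mac, host_ip = bytes.fromhex("001122334410"), bytes([10, 0, 0, 10])
    bad_mac = bytes.fromhex("deadbeef0001")
    zero = b"\x00" * 6
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, zero, gw_ip),   # who has 10.0.0.1?
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),   # legitimate answer
        build_arp(ARP_REPLY, bad_mac, gw_ip, host_mac, host_ip),  # attacker to host: "I am the gateway"
        build_arp(ARP_REPLY, bad_mac, host_ip, gw_mac, gw_ip),    # attacker to gateway: "I am the host"
    ]
    monitor = ArpMonitor("10.0.0.1", mac_str(gw_mac))
    alerts = []
    for frame in frames:
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The request window is deliberately small: a legitimate reply arrives within milliseconds of its request, so anything answered long after the question, or never asked, is worth a look. Feeding the monitor from a live capture rather than run_demo only requires handing it the raw frames.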
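The items the DHCP acknowledgement above hands out (address, server, mask, router, servers, host name) all live in the options field, and the same field is what a monitor inspects to catch an acknowledgement that did not come from the organization's own server. This added example is not the book's code: it parses the BOOTP header and DHCP options of a constructed ACK and then applies one check, that the server identifier (option 54) in any OFFER, ACK or NAK is on the list of authorized servers. The addresses, host name and authorized-server list are constructed for the example.

```python
"""DHCP message parser with an authorized-server check. Added example; the
packets are constructed here, not the Figure 7 capture, and the addresses
are made up."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def ip_list(raw):
    """Decode a run of 4-byte IPv4 addresses."""
    return [".".join(str(b) for b in raw[i:i + 4]) for i in range(0, len(raw), 4)]


# option code -> (field name, decoder); anything else is kept as hex
OPTION_DECODERS = {
    1: ("subnet_mask", lambda v: ip_list(v)[0]),
    3: ("routers", ip_list),
    6: ("dns_servers", ip_list),
    12: ("host_name", lambda v: v.decode("ascii", "replace")),
    51: ("lease_time", lambda v: struct.unpack("!I", v)[0]),
    53: ("message_type", lambda v: MESSAGE_TYPES.get(v[0], str(v[0]))),
    54: ("server_id", lambda v: ip_list(v)[0]),
}


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message: fixed BOOTP header, then options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    msg = {
        "op": payload[0],                               # 1 = request, 2 = reply
        "xid": struct.unpack("!I", payload[4:8])[0],
        "yiaddr": ip_list(payload[16:20])[0],           # the address being handed out
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        name, decode = OPTION_DECODERS.get(code, (f"option_{code}", bytes.hex))
        msg[name] = decode(value)
        i += 2 + length
    return msg


def check_server(msg, authorized):
    """Alert when a server-originated message names a server identifier outside the allow list."""
    if msg.get("message_type") not in ("OFFER", "ACK", "NAK"):
        return None
    server = msg.get("server_id")
    if server in authorized:
        return None
    return (f"{msg['message_type']} from unauthorized DHCP server {server}: "
            f"{msg['yiaddr']} to {msg['chaddr']} via router {msg.get('routers')}")


def build_ack(server_ip, client_ip, client_mac, router, dns, host_name):
    """Construct a DHCP ACK for testing (option lengths computed, not hand-entered)."""
    def opt(code, value):
        return bytes([code, len(value)]) + value
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, client_ip, server_ip, b"\0" * 4,
                         client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (opt(53, b"\x05") + opt(54, server_ip) + opt(51, struct.pack("!I", 86400))
               + opt(1, bytes([255, 255, 255, 0])) + opt(3, router) + opt(6, dns)
               + opt(12, host_name.encode()) + b"\xff")
    return header + MAGIC_COOKIE + options


def run_demo():
    """Constructed scenario: one ACK from the real server, one from a rogue server."""
    authorized = {"10.0.0.1"}                      # assumed list of sanctioned DHCP servers
    client_mac = bytes.fromhex("001122334410")
    good = build_ack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 10]), client_mac,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 1]), "lab-dhcp")
    rogue = build_ack(bytes([10, 0, 0, 66]), bytes([10, 0, 0, 10]), client_mac,
                      bytes([10, 0, 0, 66]), bytes([10, 0, 0, 66]), "lab-dhcp")
    results = []
    for payload in (good, rogue):
        msg = parse_dhcp(payload)
        results.append((msg, check_server(msg, authorized)))
    return results


if __name__ == "__main__":
    for msg, alert in run_demo():
        print(msg)
        print("ALERT:", alert)
```

The rogue acknowledgement in the demo also points the client's router and DNS at the rogue address, which is the practical consequence the chapter describes: the host accepts whatever it is given. The parsed dictionary is what you would log so that the router and DNS values, not just the server identifier, can be compared against what the network should be handing out.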

Figure 7. DHCP ACK

Industrious hackers can even insert a DHCP server of their own into a network and provide IP addresses to hosts. Hosts do not care where the address comes from; they just want one. In this way an attacker can direct hosts to whatever resources they want.

Management Protocols

Management protocols like the Simple Network Management Protocol (SNMP) and the Cisco Discovery Protocol (CDP) can be very helpful for either obtaining information or controlling network devices remotely. Used with care they are very powerful allies when trying to keep tabs on your network elements and performance. This is especially true of SNMP. SNMP uses what is called a "community string" as a form of password when requesting data from a device or making configuration changes. The community string is sent in cleartext, of course. While SNMPv3 provides increased security, many devices do not support this version or have capability issues, so it is much more typical to see previous versions deployed.

There are many web pages that list the default usernames, passwords and IP addresses for a wide variety of equipment. The same is true for SNMP community strings. Some vendors have early versions of SNMP enabled by default. When combined with the cleartext nature of the protocol, SNMP can represent a significant security threat. Imagine losing control of your own network devices because they were using default


SNMP values or sending them unencrypted and unauthenticated. SNMP is also a routable protocol, which means that devices allowing queries or control via SNMP can be reached from anywhere. While CDP is not used to control network elements, it does provide a great deal of information and is run by default on all Cisco equipment. An example of a CDP message is seen in Figure 8. In this case we can see a good deal of information about the device. With these details provided, an interloper can now tailor the attack to the device, looking up popular or successful exploits against this particular device and software combination (Vladimirov, 2006).

It is instructive to review how we actually connect to a network element when making configuration changes. When sitting in the same wiring closet it is common to connect to a device via the console or serial port. However, this connection has a limited physical distance and so does not scale well as we deploy devices across the company campus. Typically we perform some level of basic configuration using the console port and then move to an IP based method for communicating with the device. The most common protocols are telnet, SSH, HTTP or HTTPS. Most security policies specify that telnet shall not be used because it transmits the username and password in cleartext. In addition, HTTP is considered insecure because part of its transmission is also viewable. However, there is a lot of older equipment that lacks support for more advanced protocols. There may be an increased cost because HTTPS and SSH are packaged in an advanced feature set that may be beyond an organization's budget. If this is the case, a decision must be made to either find some way of making the connection more secure or disallow remote access to the device.

One other notable problem is that many vendors enable the web interface by default. The usernames and default passwords are well known and an attacker need only browse to the correct IP address in order to gain control over the device. The HTTP packet seen in Figure 2 was obtained in this way. This has been a problem for home gateway devices and much higher end production equipment.

ATTACK MITIGATION

Thus far we have discussed some of the security weaknesses introduced by the devices and protocols that are part of almost every single network. Often we see that many advanced attacks follow a simpler exploit against one of these weaknesses

Figure 8. CDP Packet


and the intended target has little to do with the original harassment. Stated another way, the first attack is only a prelude to another larger, more dangerous attack. As an example, early reconnaissance may reveal the type of devices being used, their operating systems, patch level and any applications that might be running. Therefore, if we can make it more difficult for the bad guy to complete the first attack, the second, more deadly attack may never occur.

Baselining

A visit to the doctor almost always results in a check of our weight and blood pressure regardless of the reason for going. These regular checks provide the background that assists in future diagnostics. Without this information we are shooting in the dark as to what normal is supposed to be. In the same way, regular checks on the health of your network make it much easier to solve problems or keep potential attackers out. The idea is to take a look at what is running on your network, how well the network currently operates, and perform some level of testing on your own systems in order to discover potential weaknesses. The value of performing top to bottom intrusion tests against every single network asset has been debated, with some questioning the time and money spent on the process. A sample of some of the key points can be found in an Information Security Magazine article in which security experts Bruce Schneier and Marcus Ranum outline the issue (Ranum & Schneier, 2007). No matter the side of the debate, few dispute the importance of having a good understanding of what is normal for network operation. While you may decide to limit the testing that is done against every system, sticking your head in the sand is asking for trouble. This is true not only for security, but for optimization and troubleshooting as well.

There are several baseline tests that we might complete and many of them can be automated. These measurements should include items like protocol distribution and utilization numbers, but also an evaluation of what type of traffic is actually running on the network, especially during changes and even when the organization is closed. Having a lot of nighttime traffic may indicate network intrusions. This includes the protocols discussed in this chapter and the applications that the network consumers are using. For example, what percentage of your traffic is specific to the Internet? How many TCP SYN messages (which indicate connection requests) do you see over a particular period of time? Changes to these values may indicate problems with services or a potential attack.

Protecting Network Devices

We know that each type of device has its own particular set of vulnerabilities. In many cases, the device also has a set of corresponding security techniques to help defend against threats. What follows is a discussion of some of these techniques for each device, except for hubs. The only recommendation for hubs is to avoid using them.

Access points have another weakness that most other network devices do not have: they are often deployed where the users can see them, sometimes actually being within reach. This is a problem for theft and because most APs have hardware reset buttons. An attacker can simply push the button to put the AP back to the original factory settings or reconfigure it such that it looks properly set up with the correct SSID, but with the attacker rather than the administrator in control. So access points should be deployed out of sight and perhaps with a locking mechanism. The only components that might be visible are the antennas. Even this isn't always necessary depending on the construction materials near the AP.

The following best practices should also be a part of the wireless configuration:

• Change the default configuration values.


• Encrypt the traffic. Minimally WPA2-PSK with a 20 character passphrase. However, this ties security to the device and not the user. For more robust security, use 802.1X with EAP-TLS or PEAP.
• Filter traffic to/from the wireless segments.
• Even with more robust encryption and authentication, wireless users can use VPNs for access if you believe the threat level sufficient.
• Make sure that you periodically survey your physical spaces for excessive coverage, rogue devices, unwanted traffic and the presence of other potentially harmful wireless signals.
• Send APs back to the switch in their own VLAN.

The protection for switches focuses primarily on the individual ports. The important ideas are limiting the traffic that can be sent out and the damage that an attacker can do (Castellini, 2005). Switch best practices include:

• Using VLANs to segment the network.
• All unused ports should be shut down and placed in a VLAN that is not routable and pruned from trunk lines.
• Remove dynamic configuration options from the ports.
• Use port security options. Port security tools typically control the number of MAC addresses associated with a particular port. A specific list of allowable MAC addresses can also be maintained. If an unknown MAC address or an excessive number of MAC addresses are seen on a particular port, the switch can opt to prevent the traffic or even shut the port down.

Router security primarily focuses on management and access to the device. The big problem for routers is that they are IP enabled and are often directly accessible from the public Internet. Regardless of the type of device (switch, AP, router, etc.), management best practices encompass:

• Creating accounts for users instead of allowing access without a password or community passwords for configuration.
• Disable telnet and HTTP access to the device.
• The network used to manage the device should be different from the production network. It is not uncommon to use a specially addressed network that is only accessible via internal networks so the management IP addresses are not public.
• It is always a good idea to save your configurations off of the machine and log configuration changes or attempts.
• Limit the services that are run locally.

Network Protocols

In our protocol discussions, we have examined several potential vectors that may be used to compromise a network. Some of these can be addressed via configuration changes but many cannot. In the case of the latter, our primary defenses are either disallowing the traffic or vigilance.

ARP is an example of a protocol that is so pervasive and simple, it is difficult to modify the operation to make it more secure without creating problems for the network. Often we do not realize that a problem exists until connectivity problems have been reported. Fortunately, an attacker wishing to exploit ARP has to be on the same network as the target and so may be easier to spot. However, wireless segments remain a challenge, but encryption can help. Our best defense may be knowing the values (or at least the vendor codes) and locations of the correct MAC addresses. In this way, when we see duplication in ARP tables or changing locations in source address tables we may be alerted to a potential problem. The hard part is that we have to look, and these checks are not usually on the agenda for the network administrator.
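The ARP defense just described, knowing the correct MAC addresses (or vendor codes) and their locations, can be turned into a routine check. The following is an added example, not code from the chapter: it compares a constructed ARP-table snapshot and a constructed switch source-address table against a documented MAC inventory; every address, port and vendor code in it is made up for the example.

```python
"""Added example, not from the chapter: audit an ARP snapshot and a switch
source-address table against a documented MAC inventory. All addresses,
ports and vendor codes below are constructed."""
from collections import defaultdict

# Constructed inventory: MAC -> (documented IP, switch port the host is on).
INVENTORY = {
    "00:1a:2b:00:00:01": ("10.0.1.1", "Gi0/1"),    # default gateway
    "00:1a:2b:00:00:10": ("10.0.1.10", "Gi0/10"),  # workstation
    "00:1a:2b:00:00:11": ("10.0.1.11", "Gi0/11"),  # workstation
}
# Constructed vendor codes (OUIs) the organisation actually deploys.
KNOWN_OUIS = {"00:1a:2b"}

# Constructed ARP snapshot, one "<ip> <mac> <interface>" entry per line.
# The gateway IP is answered by two MACs, the classic poisoning symptom.
ARP_SNAPSHOT = """\
10.0.1.1  00:1a:2b:00:00:01 eth0
10.0.1.10 00:1a:2b:00:00:10 eth0
10.0.1.11 00:1a:2b:00:00:11 eth0
10.0.1.1  00:1a:2b:00:00:10 eth0
10.0.1.50 08:00:27:aa:bb:cc eth0
"""
# Constructed switch source-address table, one "<mac> <port>" entry per line.
MAC_TABLE = """\
00:1a:2b:00:00:01 Gi0/1
00:1a:2b:00:00:10 Gi0/24
00:1a:2b:00:00:11 Gi0/11
"""


def parse_arp(text):
    """Return (ip, mac) pairs from the snapshot, MACs lower-cased."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1].lower()))
    return pairs


def parse_mac_table(text):
    """Return (mac, port) pairs from the source-address table."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            pairs.append((fields[0].lower(), fields[1]))
    return pairs


def check_arp(pairs, inventory, known_ouis):
    """Flag the ARP anomalies the chapter describes: one IP answered by
    several MACs, one MAC claiming several IPs, and MACs missing from the
    inventory (reported as an unknown vendor code when even the OUI is
    foreign to the organisation)."""
    by_ip, by_mac = defaultdict(set), defaultdict(set)
    for ip, mac in pairs:
        by_ip[ip].add(mac)
        by_mac[mac].add(ip)
    alerts = []
    for ip, macs in sorted(by_ip.items()):
        if len(macs) > 1:
            alerts.append(f"duplicate: {ip} is answered by {sorted(macs)}")
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"duplicate: {mac} claims {sorted(ips)}")
        if mac not in inventory:
            kind = "undocumented MAC" if mac[:8] in known_ouis else "unknown vendor code"
            alerts.append(f"{kind}: {mac} at {sorted(ips)}")
    return alerts


def check_mac_table(pairs, inventory):
    """Flag documented MACs seen on a port other than the documented one,
    i.e. a changing location in the source-address table."""
    alerts = []
    for mac, port in pairs:
        if mac in inventory and inventory[mac][1] != port:
            alerts.append(f"moved: {mac} documented on {inventory[mac][1]}, seen on {port}")
    return alerts


def audit(arp_text=ARP_SNAPSHOT, mac_text=MAC_TABLE):
    """Run both checks and return the alerts per data source."""
    return {
        "arp": check_arp(parse_arp(arp_text), INVENTORY, KNOWN_OUIS),
        "mac_table": check_mac_table(parse_mac_table(mac_text), INVENTORY),
    }


if __name__ == "__main__":
    for source, alerts in audit().items():
        for alert in alerts:
            print(f"[{source}] {alert}")
```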
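Looking back at the Baselining section, the measurements it names (TCP SYN counts over a period, protocol distribution, traffic while the organization is closed) can be automated against a stored baseline. The following is an added example, not code from the chapter; the flow record format, the business hours, the thresholds and the baseline values are all assumptions constructed for it.

```python
"""Added example, not from the chapter: summarise constructed flow records
into per-hour TCP SYN counts and a protocol distribution, then compare
them with a stored baseline. Hours, thresholds and data are assumptions."""
from collections import Counter

BUSINESS_HOURS = range(8, 18)  # assumption: the organisation is open 08:00-17:59
SYN_FACTOR = 3.0               # assumption: flag an hour at 3x its baseline SYN count
NIGHT_SYN_LIMIT = 5            # assumption: more than 5 SYNs in a closed hour is suspicious
PROTO_DRIFT = 0.15             # assumption: a protocol share moving >15 points is notable

# Constructed flow records: "<date> <time> <proto> <src> <dst> <tcp-flags>"
# ("-" when the protocol has no TCP flags). The 02:00 block is one host
# opening connections to neighbour after neighbour while the site is closed.
FLOWS = """\
2010-03-02 09:05:10 tcp  10.0.1.10 203.0.113.5 S
2010-03-02 09:05:11 tcp  10.0.1.10 203.0.113.5 A
2010-03-02 09:07:42 udp  10.0.1.11 10.0.1.1    -
2010-03-02 09:20:03 tcp  10.0.1.11 203.0.113.9 S
2010-03-02 14:10:00 icmp 10.0.1.10 10.0.1.1    -
2010-03-02 14:11:30 tcp  10.0.1.12 10.0.1.50   S
2010-03-02 02:15:00 tcp  10.0.1.12 10.0.1.20   S
2010-03-02 02:15:01 tcp  10.0.1.12 10.0.1.21   S
2010-03-02 02:15:02 tcp  10.0.1.12 10.0.1.22   S
2010-03-02 02:15:03 tcp  10.0.1.12 10.0.1.23   S
2010-03-02 02:15:04 tcp  10.0.1.12 10.0.1.24   S
2010-03-02 02:15:05 tcp  10.0.1.12 10.0.1.25   S
2010-03-02 02:15:06 tcp  10.0.1.12 10.0.1.26   S
"""

# Constructed baseline recorded on an ordinary day: SYNs per hour and the
# share of records per protocol.
BASELINE = {
    "syn_per_hour": {9: 2, 14: 1},
    "proto_share": {"tcp": 0.6, "udp": 0.3, "icmp": 0.1},
}


def parse_flows(text):
    """Turn record lines into dicts holding the hour, protocol and SYN flag."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        records.append({
            "hour": int(fields[1][:2]),
            "proto": fields[2],
            "syn": fields[5] == "S",  # a bare SYN is a new connection request
        })
    return records


def summarize(records):
    """The two measurements: SYNs per hour and protocol distribution."""
    syn_per_hour = Counter(r["hour"] for r in records if r["syn"])
    proto_counts = Counter(r["proto"] for r in records)
    total = sum(proto_counts.values()) or 1
    return {
        "syn_per_hour": dict(syn_per_hour),
        "proto_share": {p: n / total for p, n in proto_counts.items()},
    }


def compare(summary, baseline):
    """Return the deviations from the baseline that deserve a closer look."""
    alerts = []
    for hour, count in sorted(summary["syn_per_hour"].items()):
        expected = baseline["syn_per_hour"].get(hour, 0)
        if hour not in BUSINESS_HOURS:
            if count > NIGHT_SYN_LIMIT:
                alerts.append(f"{count} SYNs at {hour:02d}:00 while the organisation is closed")
        elif count > expected * SYN_FACTOR:
            alerts.append(f"{count} SYNs at {hour:02d}:00, baseline {expected}")
    for proto, share in summary["proto_share"].items():
        base = baseline["proto_share"].get(proto, 0.0)
        if abs(share - base) > PROTO_DRIFT:
            alerts.append(f"{proto} is {share:.0%} of traffic, baseline {base:.0%}")
    return alerts


def run_baseline_check(text=FLOWS, baseline=BASELINE):
    """Parse, summarise and compare in one call; returns the alert list."""
    return compare(summarize(parse_flows(text)), baseline)


if __name__ == "__main__":
    for alert in run_baseline_check():
        print(alert)
```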


Minimally, network documentation should include an inventory of local MAC addresses.

ICMP has a profile that is similar to ARP in that it is part of every network. However, many of the ICMP message types are not used in today's networks and so it is possible to block most of this type of traffic without creating problems for your network. For example, most users do not use PING or TRACERT and so ICMP can easily be filtered out in these sections of the network. To prevent reconnaissance from outside, routers can be configured to ignore or filter out external requests using ICMP. Lastly, since ICMP is a handy diagnostic tool, filter rules can be written to allow only specific devices or users to transmit ICMP messages. We must be careful, as complex networks occasionally make use of ICMP redirects or destination unreachable messages. Eliminating ICMP from the network would remove these tools. IPv6 may offer some hope with these protocols, as ARP is no longer part of network operations. However, our dependence on ICMP actually increases. But IPv6 has encryption integrated into the protocol for greater privacy.

Spanning tree is a necessary part of the network and one that can be defended to a certain extent. First, it is possible that your network may not depend on STP everywhere and so some of the vectors can be shut down. Local spanning tree priorities can be set to low values so that an attacker may have a harder time forcing your topology to change. In addition, devices can be configured to ignore BPDUs that are received on particular ports or unauthorized configuration changes.

Routing protocols represent two basic problems for a security minded network administrator: exposure of routing information and the possibility for route manipulation. Fortunately there are features and practices that will help in securing this portion of the network traffic. Since almost any routing protocol will handle the basic functions required, it is prudent to consider all of the capabilities during selection. For example, a protocol like RIP advertises routing information with every single packet. A protocol such as OSPF only sends this information during the initial configuration of the links. This alone reduces exposure of the data as the routers only generate simple "HELLO" packets the rest of the time. To help solve our other problem, OSPF messages can be authenticated with encrypted passwords so that routers need not react to false messages. The data itself is not encrypted.

When using DHCP there are some basic practices that can help with the security of the protocol. We know that DHCP can give away a lot of information about the network. According to WindowsSecurity.com, the first line of defense against such an inherently insecure protocol is solid physical security for the network. The free pool of addresses should be minimized or even eliminated. There is no reason to give out addresses to every node sending a request. DHCP also has the ability to use reservations. Hosts are given an IP address that has been set aside for them based on their MAC address. The server can also log all lease operations, which provides a record of these transactions. To be clear, a clever attacker can get around these reservations by spoofing a valid MAC address, but this often raises red flags. While it is beyond the scope of this chapter, it is important to realize that the DHCP server is vulnerable and should be patched and hardened.

Management protocols such as SNMP and CDP should be disabled. More importantly, network traffic should be monitored in order to see what else is running on the network both intentionally and by accident. Shutting these protocols down will reduce the information given out and the ability of attackers to take control of network devices. There are occasions where remote management is desired and for these, SNMPv3 has the ability to not only authenticate the messaging but also encrypt the transmission.

To conclude this section we could say that some of our best tools for dealing with the network security issues discussed in this chapter might be our awareness of normal network behavior, our


willingness to take a look at what might have changed, and applying some basic techniques on network devices and protocols to control what attackers can learn about the network.

SUMMARY

This chapter has focused on devices and protocols that are part of almost every single IP based network. Both are more than willing to provide potential interlopers with information about your operations and architecture through their normal and expected behavior. By reviewing the basic performance we can get a greater understanding of the threat represented and take a few steps in mitigating some of the problems by providing less information to the attackers. Specifically we concerned ourselves with STP, ICMP, ARP, DHCP, routing and management protocols. Devices covered included hubs, switches, access points and routers.

REFERENCES

Castellini, M. J. (2005). LAN switching first step (pp. 205–215). Indianapolis, IN: Cisco Press.

Ciampa, M. (2007). CWSP guide to wireless security (pp. 49–53). Boston, MA: Thompson Course Technology.

IEEE Computer Society. (1998). IEEE standard for Information Technology–telecommunications and information exchange between systems–local and metropolitan area networks–common specifications part 3: Media Access Control (MAC).

Mason, A. G., & Newcomb, M. J. (2001). Cisco secure Internet security solutions. Indianapolis, IN: Cisco Press.

Nachreiner, C. (2009). Anatomy of an ARP poisoning attack. WatchGuard Network Security Analyst. Retrieved March 2010 from http://www.watchguard.com/infocenter/editorial/135324.asp

NCSA. (2009). October 2009 NCSA / Symantec small business study. Retrieved March 2010 from http://staysafeonline.mediaroom.com/index.php?s=43&item=51

Paggen, C., & Vyncke, E. (2007). LAN switch security: What hackers know about your switches. Indianapolis, IN: Cisco Press.

Ranum, M., & Schneier, B. (2007). Bruce Schneier and Marcus Ranum debate the necessity of penetration tests. Information Security Magazine. Retrieved March 2010 from http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1256987_mem1,00.html

Richardson, R. (2008). 2008 CSI computer crime and security survey (pp. 14–15). Computer Security Institute.

Tulloch, M. (2006). DHCP server security. Retrieved March 2010 from http://www.windowsecurity.com/articles/DHCP-Security-Part1.html

Vladimirov, A. A. (2006). Hacking exposed Cisco Networks – Cisco security secrets and solutions. Emeryville, CA: McGraw-Hill.

Zetter, K. (2008). Revealed: The Internet's biggest security hole. Wired Magazine. Retrieved March 2010 from http://www.wired.com/threatlevel/2008/08/revealed-the-in/

ADDITIONAL READING

Castellini, M. J. (2005). LAN Switching First Step (pp. 205–215). Indianapolis, IN: Cisco Press.

Ciampa, M. (2007). CWSP Guide to Wireless Security (pp. 49–53). Boston, MA: Thompson Course Technology.


Comer, D. (2008). Computer Networks and Internets (5th ed.). Upper Saddle River, NJ: Prentice Hall.

Deering, S. (1991). RFC 1256 - ICMP Router Discovery Messages.

Forouzan, B. (2003). Data Communications and Networking. New York, NY: McGraw-Hill.

Gupta, M. (2006). RFC 4443 - Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification.

Held, G. (2003). Securing Wireless LANs. Hoboken, NJ: John Wiley & Sons Inc. doi:10.1002/0470869690

IEEE. (1999). Information technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications.

IEEE Standard for Local and Metropolitan Area Networks. (2004). Media Access Control (MAC) Bridges.

Johnson, A. (2008). Routing Protocols and Concepts. Indianapolis, IN: Cisco Press.

Plummer, D. C. (1982). RFC 826 - Ethernet Address Resolution Protocol.

Postel, J. (1981). RFC 792 – Internet Control Message Protocol.


Chapter 2
Mitigating the Blended Threat:
Protecting Data and Educating Users

Christophe Veltsos
Minnesota State University, Mankato, USA

ABSTRACT
While technological controls such as anti-virus, firewall, and intrusion detection, have been widely used
to mitigate risk, cyber-attackers are able to outsmart many such controls by crafting new and more
advanced malware and delivering them via planned attacks, a perfectly blended threat. This chapter
explores this evolving threat and the failure of traditional controls. New strategies are presented to ad-
dress this new threat landscape, including both human and technological approaches to mitigating risks
of doing business in a Web 2.0 world.

INTRODUCTION

In early January 2010, Google shocked the world by revealing that it had been hacked. Just a month earlier, hackers had penetrated Google's systems to steal intellectual property as well as data about some of its Gmail service users, notably human rights activists (Google, 2010; Zetter, 2010). The event was not an isolated case, however, and reports quickly surfaced that as many as 20 other large U.S. companies had been similarly probed and breached, including some outside the technology sector such as companies in the finance and chemical sectors. The attacks were targeted with pinpoint accuracy and the attackers had successfully penetrated the technical defenses in place at some of the most technologically and security savvy companies.

Financial sector companies, a lucrative target for attackers, have also had their share of security incidents. In early 2009, Heartland Payment Systems announced that its computer systems had suffered one of the largest data breaches ever, potentially exposing as many as one hundred and

DOI: 10.4018/978-1-60960-777-7.ch002

Copyright © 2011, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Mitigating the Blended Threat

thirty million credit card transactions (Worthen, 2009; DatalossDB, 2010). The level of sophistication of the attack was termed "light-years more sophisticated" (Zetter, 2010) than commonly seen malevolent activity. The malware was so deeply rooted that an earlier investigation by internal employees and regular audits had not been able to detect its presence. In March 2010, one of the masterminds behind the attack was sentenced to 20 years in jail for his role in the breach. Yet, this was only one in a string of massive breaches perpetrated by the same small group of attackers, who, according to the indictment, would "identify potential corporate victims, by, among other methods, reviewing a list of Fortune 500 companies" (US-DOJ, 2010, p. 6). The list of companies infiltrated by this group reads like a who's who of large businesses. For Heartland, however, the costs of dealing with the aftermath of this incident are still mounting. According to the company's Q1-2010 SEC filings, it has spent upwards of 139 million dollars to deal with the "processing system intrusion" (US-SEC, 2010).

However, attackers are not solely focused on large, well-funded targets. Any business that has something of value, be it financial, intellectual, military or healthcare data, can find itself a target. Furthermore, the continued decentralization of IT infrastructure means that there are more systems to be secured and sensitive data is likely to flow all throughout the enterprise and beyond with the use of Web 2.0 technologies. Meanwhile, information security professionals have the arduous task of ensuring the confidentiality, integrity, and availability (CIA) of data across the enterprise, using a combination of physical, technical, and administrative controls. Yet, these professionals have come to realize that many of the technologies that work today to protect the company may no longer be effective tomorrow. The need to continuously adjust one's security measures is due not only to the rapid adoption of new technologies but also to the rapid rate of innovation shown by attackers. Attackers are able to exploit new vulnerabilities almost as soon as existing ones are being patched, creating a constant game of cat and mouse between security professionals and attackers.

As companies embrace the benefits of Web 2.0 (a term used broadly to include rich Internet-based applications, Software As A Service, and Cloud Computing), new opportunities are created for attackers to try to acquire, modify, or destroy company data. As explained in more detail in the sections that follow, current technological controls have so far proven quite ineffective in countering these new and rapidly evolving threats. Existing policies must be updated, or new ones created, and practices must be adjusted to ensure continued safety and privacy of sensitive data. To date, a company's best tactic in protecting sensitive data is the adoption of appropriate technical controls combined with the education of its workforce about the risks posed by a Web 2.0 world.

The failure of existing technical controls to provide adequate protection against these threats puts greater importance on hardening systems that handle sensitive data, developing an incident response capability to deal with incidents that are likely to arise, and developing more effective information security education, training, and awareness programs (SETAs). While SETAs need to be periodically revised in order to stay current with company policies and practices as well as the ever-changing nature of threats, management also needs to evaluate and validate the effectiveness of SETA programs, rather than simply counting the percentage of employees who have completed the annual awareness training.

CYBER-CRIME: A CLEAR AND PRESENT DANGER

In less than a decade, business executives, government leaders, and citizens everywhere have come to realize the rapid rise of a new problem, one with global actors and victims: cyber-crime.


While relatively new, cyber-crime knows no borders. Worse, attackers can choose to operate or relocate to areas that have weak legislative or judicial processes or to politically troubled areas where bribes may offer protection from law enforcement. The truly global nature of this business means that anyone, anywhere, can attack anyone else, whether they are within shouting distance or half a world away.

Recent reports from law enforcement, incident response companies, or security product vendors point to a thriving underground market for stolen electronic data (Richardson, 2008; Secunia, 2008a; Sophos, 2009a; Symantec, 2010; Verizon, 2009), one that has matured to the point that hackers can increase their profits by specializing in a given skill-set (e.g. browser hacks or PDF hacks). According to the FBI (2010), cyber-criminals can specialize in being malware coders, stolen data brokers, IT infrastructure administrators, hackers, social engineers, hosting providers, money launderers, as well as leaders or decision makers.

Much like a traditional marketplace, the underground market for stolen data sees varying volumes of leading market items and asking prices. A Symantec report (2010) showed that the most sought after item, a valid credit card number, actually dropped in price in 2009 to as low as $0.85 per card, down from about $4 in 2008. The second most sought after item was valid bank account credentials, priced as low as $15; prices are generally believed to be about 5% of an account's value. Unlike consumers, who have to worry about credit card theft, checking or savings theft, or identity theft, businesses have the added burden of protecting custodial data (data about others that they need to or are required to handle) as well as protecting their own intellectual property, something that is often hard to accurately value.

Deloitte, a frequent advisor to large companies around the globe, called cyber-crime "the fastest growing cyber security threat" (2010, p. 1). The Organization for Economic Co-operation and Development warned businesses worldwide that "the onslaught of malware attacks is increasing, both in frequency and sophistication, thus posing a serious threat to the Internet economy and to national security" (OECD, 2009, p. 11). As early as 2006, security researchers called cybercrime "an epidemic" (Cymru, 2006, p. 1), and highlighted the lack of cooperation and enforcement as a growth enabler for cyber criminals. Geer (2006) also warned of what was then a visible trend, now a fait accompli, that attackers would pounce if they could mount attacks at low cost and with little fear of being caught or prosecuted.

In short, the current level of demand for sensitive electronic data coupled with the ease by which attackers can operate has fueled and continues to fuel a boom in criminal hacking activity. The presence of a global underground market means that anything that has value can be turned into monetary gain for the cyber criminals, thus virtually guaranteeing further attacks. To make matters worse, security professionals warn that as more companies decide to virtualize their systems and move them to the cloud, entirely new classes of attacks await us (Kellerman, 2010).

CURRENT ATTACK LANDSCAPE

Evolution of Attacks

As Bejtlich (2010) points out, early computer attacks were primarily the domain of government and military entities, often spying on each other or disrupting each other's capabilities. However, the threat moved towards the defense industrial base, and more recently to companies that have valuable financial or intellectual property that the attackers can harness and profit from.

While early hackers may have been after fame, the current crop of cyber criminals are firmly after electronic goods that have monetary value. A recent report issued by the United Nations Office on Drugs and Crime (UNODC, 2010) estimates that the figure for Internet-based iden-

22
Random documents with unrelated
content Scribd suggests to you:
The Project Gutenberg eBook of Canto heróico
sobre as façanh. dos portugueses na
expedição de Tripoli
This ebook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this ebook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

Title: Canto heróico sobre as façanh. dos portugueses na


expedição de Tripoli

Author: José Francisco Cardoso

Translator: Manuel Maria Barbosa du Bocage

Release date: April 21, 2024 [eBook #73440]

Language: Latin, Portuguese

Original publication: Lisboa: Off. da Casa Litt. do Arco do Cego,


1800

Credits: Rita Farinha and the Online Distributed Proofreading


Team at https://www.pgdp.net (This file was produced
from images generously made available by National
Library of Portugal (Biblioteca Nacional de Portugal).)

*** START OF THE PROJECT GUTENBERG EBOOK CANTO HERÓICO


SOBRE AS FAÇANH. DOS PORTUGUESES NA EXPEDIÇÃO DE
TRIPOLI ***
JOANNI
AUGUSTISSIMO, PIISSIMO, FELICISSIMO,
PORTUGALIÆ PRINCIPI,
TOTIUSQUE IMPERII GUBERNACULUM
AUSPICATIUS MODERANTI,
BRASILIÆ
MAXIMO DECORI, SPEI, AC FIRMAMENTO,
LITTERARUM
FAUTORI EXIMIO,
DE REBUS A LUSIT. AD TRIPOLIM VIRILIT. GESTIS,

CARMEN

In obsequii, summae reverentiae, gratique animi


Devotionem
Perquam submisse
D. O. C.
JOSEPHUS FRANCISCUS CARDOSO.
Soteropoli Bahiensi
Regius Latinae Linguae Professor,
Ibidemque natus.

ULYSSIPONE,
TYPOGRAPHIA DOMUS LITTERARIÆ AD ARCUM CÆCI.

ANNO M. DCCC.
Suae Regiae Celsitudinis Jussu.
AO
SERENISSIMO, PIISSIMO, FELICISSIMO,
PRINCIPE REGENTE
DE PORTUGAL,
D. JOÃO,
ORNAMENT. PRIM., ESPERANÇA, E ESTABILIDADE
DO BRASIL,
E
PROTECTOR EXIMIO DAS LETRAS

CANTO HEROICO SOBRE AS


FAÇANH. DOS PORTUGUEZES
NA EXPEDIÇAÕ DE TRIPOLI.
Em testemunho de vassalagem, profundo acatamento,
e gratidão, mui respeitosa, e humildemente
D. O. C.
POR
JOSÉ FRANCISCO CARDOSO,
Professor Regio de Grammatica Latina na Cidade da Bahia, e della natural;
TRADUZIDO POR
MANOEL MARIA DE BARBOSA DU BOCAGE.

LISBOA,
NA OFFIC. DA CASA LITTERARIA DO ARCO DO CEGO.
ANNO. M. DCCC.
Por Ordem de S. A. R.
Tels ont été les Grands, dont l’immortelle gloire
Se grave en lettres d’or au Temple de Mémoire.

Le Roi de Prusse Épit. 1. à son Frère.


Forão taes esses Grandes,
Cuja perenne Gloria
Se grava em letras de oiro
No Templo da Memoria.

O Rei da Pruss. Epist. 1. a seu Irmão.


HEROIC CANTO.
Muse, fear not; strike the plectrum boldly.
If you attempt to rise to great things,
If your enterprise is greater than your strength,
Behold, a beneficent NUMEN inspires the song,
A NUMEN to WHOM Apollo would be no rival,
Nor the ingenious throng of Aonian Sisters.
Vain Poets dream of Parnassus and Pindus;
Hippocrene is a chimera: to you flows down,
From the Throne descends to you a happy daring,
That strengthens and stirs the timid mind.
Thus you will lift your flights in safety;
Thus, crossing the Heavens, crossing the Seas,
You will go to unearth and gather secrets
Uncorrupted by the voice of uncertain Fame.
Let others (as if they delight in deluding themselves)
Send importunate prayer to the Gods of Inspiration;
Let them covet to plunge into Castalia.
JOÃO, WHOSE Power in the world is so great,
And to WHOSE Will it falls to raise the humble
And abase the lofty, protects, O Muse,
Your sounds, your metre; and with a benign Nod
Commands that you proclaim lofty deeds:
Idea, genius, ardour flow to you from There.
Already in the shade of Auspices so sacred,
The seething mind longs to celebrate
The bright praises of immortal Warriors;
To tell with what atrocious, unspeakable perfidy
The ancient fire was awakened
In Lusitanian hearts by the Moorish race;
What new punishment the hateful People suffered;
Until Mars constrained them to justice.
Away, away with fictions. YOUR Ingenuous SOUL
Wants only, August PRINCE, ingenuousness.
Where the Sea stretches farthest along the lands,
At whose mouth, fame has it, Alcides raised
Arduous columns, the end of his labours,
Lies an ancient City[1], which seems
To shun the ruins of Carthage,
Looking from afar at the shores of Sicily:
Once a noble, opulent foundation,
Until by the intrepid Navarro
It was oppressed with a hard siege:
Today a sad inlet, and an unsafe
Anchorage for vessels. From there is wont
The swift, treacherous xebec
To hurl itself upon hostile plunder;
From wretched mortals there a thousand times
It returns glad with bloody spoils:
Nor is the infamous Race content with robbery alone,
Stain and horror of Reason and of Nature;
It shackles the defenceless hands of the weak;
Like brutes it sells them off for a price of gold,
Or crushes their necks with an unworthy yoke:
That is its praise, its name, its glory.
There presides a most harsh Tyrant[2],
Of a base multitude a baser lord;
A Monster who, from infancy trained
In everything that Mortals call crime,
Sacrilegious breaker of the most sacred Laws,
Sees no offence he does not want for himself,
And grieves to lose it if any escapes him:
Horrible wickedness, which would be a prodigy,
If these, the sordid refuse of men,
Scattered over the Globe, did not stain it.
Oh, how much more do havoc and death befit
The barbarous Rabble than a friendly treaty,
And that mutual faith which binds Peoples together!
But if the robust Hands that wield the Sceptre
Do not yet rain the thunderbolt upon the Fierce,
A time, a time will come when, exterminated
(My heart tells me so with happy augury),
It will please to confine the iniquitous Throng
There where, laden with winters,
Beside the farthest Bears Boötes goes
Hardly steering his slow-moving wagon;
Or there where the fresh South wind roars,
Let a deserted region have such Citizens,
Until Eternity swallows up the Ages:
And in the horror of thickets, in the horror of caves,
Companions of the wild beasts, new monsters,
Let them live on blood, as the wild beasts live,
Worse than they in claw and in condition.
Wickedness turned into character
Is always the mother of crime, and Nature
No longer knows how to strip you off, perverse Arts.
How can the wholesome voice of Remorse
Better hearts, after the plague
Of corrupt Morals takes root in them,
Ferments, spreads at last from vein to vein,
Growing from century to century?
When gifts are heaped upon guilt?
When want chokes probity,
Hounded by a detestable crowd?
The black Troop inverts the names of everything;
Disapproving the good, it clings to the bad:
And so great in the cruel is the thirst for crime,
The practice of evil gains such strength,
Rules so much there, that they never omit
An opportune season for perpetrating it,
Spurred either by the ardour to harm, or by the greed
For illegitimate prey;
As if Rectitude, as if Honour,
What gives lustre to all, tarnished them.
Not with a lying tongue do I utter such words:
No one in the world is ignorant of what I describe.
Only whoever lacks eyes, and whoever lacks ears,
Will not know how vile the pupils
That audacious Mahomet scattered over the earth,
The treacherous author of an unspeakable Sect.
What deceits, what betrayals, what iniquities
Of the brutal horde you tasted a short while ago,
Tell, you, you, magnanimous Donald[3];
Recount the various events, recount the risks,
The hardships that for you and yours were woven
By the black perjury of the double-tongued Chief;
All of it, however, a trophy of your strength.
Resplendent with the splendour of supreme command,
You were the first to present
The gift of Peace, which, sponsored
By a mighty King[4], the Barbarian begged for.
When were conditions ever lighter?
Let the Frenchmen be surrendered who were received
Kindly within the walls of Tripoli,
A heavy offence to the Sultan's[5] throne,
A grave infraction too of British right,
Of the settled concord and ancient bond.
Pasha, do your duty, and of your wishes
You shall see the conclusion, you shall see the fruit.
A great pledge will give you, in faith, in his right hand,
HE Whose Laws the Tagus adores,
Proudly rolling sands of gold;
Whose Laws the Niger fears, the Ganges fears;
Are the bridle and reverence of the Amazon,
Of the Silver River, which in resounding torrents
Carry immense wealth to the Seas.
Thirsting for the lofty alliance, the Chieftain
Rejoices, exults, hastens, invites
The spirited Warrior to the strong citadel.
Yet he wishes first to practise the cunning
That his foul heart is sprouting,
Though he would profit so much, and gain so much,
In what accords with Reason, in what is justice.
He hurries: however much the horrid Walls
May threaten a fatal outcome,
Whatever the ambiguous abode may enclose;
Wholly firm in himself, greater than fear,
The Hero goes to seek the hostile dwelling.
It is in this manner that, alone, undaunted,
Charles[6] once dared in his very home
To face the exasperated Enemy,
Returning unharmed to his own, after much:
Or so, scorning faithful warnings,
Caesar went to mingle among the Conscript Fathers,
Prepared for a bloody catastrophe;
Being untamed by fear, being accustomed
To triumph a thousand times by his presence alone.
Absorbed meanwhile amid the shadows of night,
Sunk in wakeful thoughts,
Until the great Chief returns to the waves,
(If it is perhaps granted him to return as he was)
The Deputy[7] commands on the high Poop;
And the mourning that girds his imagination
He hides with a hopeful countenance.
On departing the invincible Captain had prescribed
That, should unworthy force deny him his return,
As soon as the grateful Dawn whitened,
Bringing new lustre to Sky and Earth,
With all the impetus that Lusitanians are capable of,
They should attack the perfidious Foes.
He cares nothing for himself; nor does he wish, absent,
To be an obstacle to his own: with his thought raised
To goods of more worth, of more loftiness,
Life seems to him a dream, a nothing.
From his perspicacious mind it is not hidden,
He feels in his heart, vowed to Glory,
That the light of existence is the light of a lightning flash;
That, if the trumpets of Fame do not go before them,
Vast names are jumbled in Lethe
Among an obscure heap of paltry names.
What affects the senses he leaves to the vulgar;
He rejects what belongs to the vulgar, what belongs to death,
And more than human, and towering above Fate,
Wants a duration that spans the centuries.
Why should I tell of the Fabii, alone against a People
Taking upon themselves all the weight of the war?
And the King who, dying, gave his people victory,
Last King in the Cecropian land?
Or why the Youths who, breathing out their souls,
Wound, kill, cut down dense hosts,
Hindrance of the streams from which they drank?
A Troop ten times a hundred (oh marvel!)
Greater than its terrible Adversaries;
Not seen in other times, or in other climes,
Nor by anyone else guided to the game of Mars?
Ancient monuments teach nothing
That gives more splendour; or rather never
Did manly boldness venture to conceive
An enterprise more illustrious, daring, violent.
But how the bounds can be transcended
Where Nature is believed to have stopped,
Donald manifests it, proves it to the World.
The lofty fame of one alone barely allows
To Codrus, to the Fabii, to the Men of Sparta
The second rank. Releasing his life,
The Hero of Athens calls triumph to his own,
A rare, exemplary Action; but to the People
The Citizen and the King owed so much,
And to so much the voice of the Heavens swept him on.
If the three hundred fearless Romans
Hurled themselves upon the hostile camp,
The origin of the strange feat for them were
Old aversion, imagined trophies,
And omens of sure eternity;
Besides another incentive still dearer:
To die in arms, shielding the Fatherland.
Laconian Champions, yes, you defended
With exquisite courage and unmoving foot
The pass of narrow Thermopylae;
But the gods, the children, fathers, and wives,
The objects of your worship and of your love
Were the objects of your heroism;
And the Fates granted you that vengeance
Should lighten for you the weight of death.
But with more sublime circumstances
The outstanding, immortal Deed is surrounded,
Which I must carry over all the Earth:
A weight disproportionate to my shoulders,
And excessive perhaps for the shoulders of Atlas.
No, here Virtue does not present itself made brilliant
By external attractions:
Naked it appears here, beautiful in itself.
Donald, averse to crime, hates crime;
For love of Virtue, he loves Virtue.
Nothing of what is wont to raise minds on high,
Neither fatherland, nor desires for vengeance,
Nor his own advantage, or any other
Of the human passions, spurs Donald:
Before him he has only the image of Duty,
Whatever the effect may be, whether glad or sad.
Ah! what plots the horrid Band contrives!
What ambushes in its cunning thought!
A Rabble without law, without faith, stealthily prepares
Treacherous snares for the Man who approaches.
Already in imagination it devours its prey:
He believes himself endowed with a shrewder wit,
He gathers more right to praise, who in the atrocious
Invention of perfidy surpasses the others;
Who from his black, pestiferous entrails
Vomits and tears out unheard-of crime, unwonted outrage,
New abomination,
While the rabid horde roars around.
As soon as he sets foot on the hated sand,
To await the Unwary one with a dagger, and into the waves
In pieces (what horror!) to throw his limbs.
This is the opinion of one; it is the vote of another,
That an impious cohort suddenly assault
The immune Organ of Peace, and iron points
From here, from there, bury in his heart,
When he enters the faithless City in security.
Another wants that from afar, at the heroic brow,
Adorned with inviolable character,
From amid the sulphurous flame death should fly.
Another, that a hostile underground road
Should burst, burning, beneath his feet.
Nor does this alone occur: they all take turns
At horrors that outdo horrors.
Emulous ardour in the damned souls
So much fondness for crimes kindles in them!
So precious to them, so sweet is infamy!
But the Eternal undid the enormous ambush.
In the Man's eyes, in his voice, in his aspect
He placed such reverence, placed such grandeur,
That he goes among the light and the Enemies
Unharmed and serene. They were famous
For bloody, innumerable brutalities,
All who took charge of this one (the greatest).
But when the abominable thought,
Already fixed on the prey, directs the hand,
The hand refuses (what astonishment!) the horrendous act.
Three times the resolute will
Sways toward treason; three times the murderous
Assembly sinks into a frigid dread;
Three times the steel flees the hands that tremble;
And, to its regret, the vile perfidy foiled,
Through the insidious City it conducts
The unarmed Victor in a signal triumph.
Already he treads the Tyrant's floors,
(Not unworthy of Cacus) either to give him
A pledge of friendly peace, or the threat
Of the thunder that in bronze shakes the pole.
Come, why do you delay, worthy Man?
Why does the sound of the thunderbolt not yet reverberate
In the insane ears? Why to the ground
Do the fierce bastions not tumble?
Why does the Royal Vessel not loose its sails,
And strike down the barbarous palace?
Do you believe it is granted you to find on that shore
Good faith even once? Never did Astraea,
Since the Globe has been a Globe, have an abode
In that hostile land, where Truth,
Where Treaties, where Reason turn
On these two axes only: either Gold, or Fear.
Break, break off the delays, do not pardon
The wicked Nation: let the others spend
Gifts on it; you, iron and fire.
In vain would Politics, which smooths everything,
In vain would it wish to compose contradictions,
With which words are repugnant to each other:
The Progeny of Hagar fears only force.
While he begs for peace, subtle pretexts
The crafty Pasha weaves, so as to frustrate
The Clause on which alone Peace rests;
It is not because he covets the Frenchman as a friend;
But it is so that he may deceive the Frenchman and the Lusitanian;
In vain, for sober Wisdom
Governs, illustrious Donald, your words;
And to the deceitful African reproves the deceit.
You first expound to him how ill it accords
With the honour of which he swollen boasts
To give gentle shelter to the Enemies
Of his Allies, of the great Monarch,
To whose empire he owes vassalage.
You promise next, since the Sultan likewise
Served the falsifier as a pretext,
To send him on the Lusitanian Poop
The origin of the dispute, the Prisoners,
Flanked by bearded escorts,
(A Glory never granted to Mussulmans).
You undo all the Hagarene's frauds;
But, clinging to the same principles,
On the object he insisted on he tenaciously insists,
And to the voices of Equity he is deaf, is dead.
You had gathered from deep experience
How far Moorish fury pushes extremes
In hatred of Justice, and how indocile
Indulgence makes iron-hard souls
That came so from Nature already.
But ready to throw down the proud towers,
And ready to confound in the horror of death
Youths and Elders, who deserve it,
Gentle arts upon the impious throng
You nevertheless intend to exhaust first:
To see whether the mournful picture of ruins,
Reinforced by the voice of eloquence,
Might by good luck frighten the unwarlike Breed,
Sparing a most wretched spectacle
That grieves your magnanimous heart:
The waves tinged with unwonted red,
The lands soaked in human blood.
But what does sweet Pity avail?
Hope dies; fruitless lie
Cares and labours: still groans
Humanity in you, but it behoves you
To punish the Enemies of Humanity.
At last the Hero conceives hostile fierceness:
Noting how blind the faithless People are,
He leaves the horrid, infamous roofs,
Leaves the fierce City, and leaves the port.
He who until now readily heard entreaties
Now burns to trample insane pride:
Not otherwise through the shady forest,
Or when upon the Libyan sands
The King of beasts walks famished,
He generously disdains the Passer-by
Who, seized by terror, quivers on the ground;
But if someone stands firm-footed before him,
With his claws he throws him down, tears him to pieces;
And bold, and truculent, and with roars
Where there is more resistance, there he burns more:
Should it happen that a hard squadron, bristling with lances,
Provokes him, challenges him,
He hurls himself at them all; and if he dies,
He dies like a Lion, with no hue of fear.
Among the cheers of the Lusitanians the bronze sounds;
And behold a blood-red flag lashes the air,
Presage of terrific slaughter.
The warlike Throng cannot contain itself;
Arms, arms, (they shout) war, war:
Everything is readied, and everything flies to its posts,
While the Ship unfurls its swelling sails.
The match glows in the right hand; and at last, uncovered,
The hundred brazen mouths augur deaths.
Already the disloyal, impure City trembles;
Already it stretches its profane hands to the Heavens;
Already it calls itself guilty, and curses itself.
A brief space, in which its spirit may rest,
In which it may shed fear, and take counsel,
It sends to beg of the Lusitanian, who consents to the plea.
The just punishment is delayed twelve hours,
Just for a long time, and which will at last be hurled
Upon the infamies of the perverse Nation.
The serene light that made the Pole blue,
Dreadful clouds meanwhile smother;
Heavy shadows prognosticate evils.
It is said that there in the centre of the Infernal regions,
For the good of the kindred Mussulmans,
And in spite of the Christians whom Lysia nourishes,
Who now overshadow the Mahometan walls
With impending havoc, before the throne
Of grim Dis countless Courtiers
With hands upraised long prayed.
Summanus heard attentively the impious vows;
And one of his Ministers, who lies nearest,
Receives the order to rise to the World,
To fly in a moment to vast Aeolia,
And to the harsh Tyrant of the Whirlwinds
Transmit such words: »That a haughty People,
»That an indomitable Nation, capable of anything,
»(By whom, ever ill-disposed and defrauded,
»The Kingdom of dread lacks souls)
»Upon an arrogant Keel parts the waves,
»Insults the dominions of his sea-born Brother,
»Whom he also wants warned of the intention;
»So that both, with their forces wagered,
»Digging in the sea, raising abysses and mountains,
»May shake and break the unjust, audacious Timber,
»Which terrifies the walls of Tripoli,
»So important to him, the Stygian King:
»The pilots lost, and torn
»From the high deep, either on the seething sands,
»Or on the sunken rocks let it burst:
»The groans of aid implored in vain
»Let the festive City hear, and see
»The Christians in the waters drinking death.»
He said, and the swift Messenger rises to the World,
Flies to vast Aeolia, and fulfils the command.
Already the fierce East winds break from the dungeon;
Already they sweep away with them whatever they meet.
Soft Favonius flees, the Day flees:
The fields of Nereus begin to swell:
Afar the deep roars horrendously:
Behold, suddenly it whitens, and is all mountains.
Almost, almost falling on one side, on the other,
The masts bend, the ribs creak:
Like (if anyone has played it) a bouncing ball,
The Pine grazes the Infernal regions, grazes the Stars;
It goes and comes a hundred times down, up.
Three scowling Suns denied their light,
For three nights the Sky had no stars:
And if Aeolus, slackening in his onset,
Gave some respite to the second day,
The expert General penetrates the ruse:
Flame and iron readied for war,
While, fraudulent Neptune,
You assume a serene face; that the prow be steered
To the open sea, he orders, as soon as the winds
Heap waves upon waves:
Lest it happen that the boiling deep,
The insane Whirlwinds, with one blow, with another,
Hurl the timber against the sands.
Then, with all the vigour there is in Gods,
The two exert themselves in the stubborn struggle:
All around a new horror burdens the seas.
The wrathful Brothers make war, bellow,
Bursting from opposite regions:
Breakers upon breakers there trample each other:
For a long space the watery bottom trembles;
As if Pluto from the Stygian centre
With his hard shoulders were shaking the Earth.
Assailed by such and so many furies,
What art could guide the indocile timber?
Neither wooden sturdiness nor cables avail:
The stiff yard falls with a noisy crack,
And the torn sails beat, whistling.
Not at all oppressed meanwhile by these burdens,
The Chief divides himself among everything, attends to everything,
Quickens all with his voice and example,
Emulous virtue spreading in all:
There are no slackers: they work the ship, leap, run.
Ingenious Prudence triumphs at last;
Bold Constancy wins; and under full sail
The swift Ship goes exultantly out to sea.
HE WHOSE Nod moves the Stars,
WHO rules the Sea, the Wind, the World, Avernus,
Permits no progress to the wavy rage:
And if till then He suffered that furious
Surges and Hurricanes should wage war,
It was so that the memorable
Strength of the Lusitanian breast might shine on high.
Notus, Auster, Boreas, Aquilo fall silent
Little by little: and, shedding the pregnant clouds,
The Sky dons a serene, pure blue.
Soft Favonius returns, the Day returns,
And they return more loving than before.
It had been imposed on Triton to take up the conch,
With which he recalls the waves: he takes the conch;
He rises dewy from among the foam,
To fill with his sonorous voice the seas around.
Behold he blows the huge shell, and scarcely does he blow,
It resounds through the Dawn, and through the Sunset.
The waves return violently to their bed:
This one recedes to the Sicilian parts
By no long road; that one to the Syrtes
Goes seething in rollers; remote shores
Another later sees again, whence it had run
To the name, which drew it, which to its own homeland
And to Tripoli is common: also some
Went to neighbour the waters of the Ocean:
Such as before had never left the bottom,
To the bottom slips, and lies, and sleeps.
On the fourth light at last from the heights
The swarthy Multitude that keeps watch there
Presumes, deluded, to discover afar
Floating corpses, yards, planks:
There is among them someone who sees scattered
Even the treasures of Lysia in the waves;
And he who less claims the eyes of a lynx
Dares to proclaim, credulous, insane:
»That if the deep had spared any of the Lusitanians,
»The dismantled Ship was only
»Carrying relics back to their native homes.»
But while the swarthy People rave,
The topsail is unfurled to the friendly breeze:
They try anew to face the shores,
Which in vain shirk the deserved punishment.
Though the night had ended, rosy Phoebus
Nevertheless did not enamel the Sea and the Land:
The time then was neither light nor shadow.
But as the Son of Hyperion rose
From Thetis's arms, and, brightening the Heavens,
With his ray expelled all the darkness,
He reaches closer, and sees first
A Polacca sailing by sail and oars,
Which he reveals to the Sailors: the Timber follows her;
Swiftly she flees: oar and wind help her.
As in the blue space a fearful Dove,
As soon as she senses the Eagle, hastens her flight,
Seeking asylum from the cruel talons;
And in her tremors incapable of choice,
From place to place flutters without bearing,
Through beasts' lairs, palaces, woods,
So that (how rarely!) she escapes the claws:
In like manner, straining its slender forces,
The small vessel, to save itself
From the fatal enemy, varies its tacks:
But seeing that to avoid it is a vain project,
Seized with fear, it inclines its prow
To the familiar sand, and almost runs aground.
Here already with less affront it breathes;
Because the sandy shoals forbid
The tremendous invasion of the Lusitanian Keel.
Then boastfully it raises its brow;
The pennants flourish at its masthead;
Then it threatens war, and calls to war
Arms which distance keeps from the thunderbolt.
This audacity, however, does not go unpunished:
What hinders Mortals of daring spirit,
When wrathful heat kindles their breast?
Light Boats suddenly go down to the Sea,
And commanded by one who excels them,
They go with vengeance to strike the affront.
Upon them, in rivalry, the flower of the Lusitanians
Heroically begins the grave enterprise.
All gave Fame feats of gallantry;
All distinguished themselves in great deeds.
But the first praise belongs to you,
Who from the tree of Pallas[8] take your name,
And victorious gird your brow with it.
In leaping into the Boat you are first,
You, not held back by the fiery shot,
Force the oars, grapple the enemy,
When the swarthy Crew, fearful,
Cutting the cable of its fragile vessel,
Runs it onto the shore, and itself with it,
And thinks to find shelter there:
You first also upon the Foes
Fire the iron globes which the Cyclopes
Forged, fabricating arms for Jove.
More still remains, still remain for you
In the Martial occasion hard perils,
Astonishing actions, that will raise you
To the summit of a rugged, airy mountain,
There where in Palaces of gold Glory reigns
With a diamond sceptre, and surrounded
By a numerous, splendid Assembly;
Among whom by the hand of Eternity
Your figure will rise, all of marble.
For that it is not enough that you seized
The opposing curved Gunwale, or that your Companions
Climbed it, after the vile Crew
Was expelled by vile terrors.
Mishaps and joys intertwine,
So that the very misfortune, which in the world
Is evil, is harm to all, may profit you.
A sudden undertow constrains two with you
To fall back in the frail hull,
And throws the Three onto the shore when it ebbs.
Here one sees what you are, what ardour, what spirit
Grips your heart, animates your pulse:
In one deed you eclipse Herculean deeds,
And all the Muses fabled about them.
A fierce people, of Arabian lineage,
Of grim countenance, hirsute and black,
Roaming the neighbouring ridges,
In the manner of wolves, feeds
On the strays of the flocks;
Or, rivalling the Tiger, robs the woods,
Robs the folds; and fear, blood, death
Spreads here and there. It armed itself now
With arms of every kind: some brandish lances,
Others a stout staff, others swords,
Or stones, or daggers, or fire, or arrows.
Behold them from the rough hills come running
To aid their Brothers: (who is there to count them?
They are like herds that devastate the fields.)
As an ardent phalanx attempts to scale
A Castle set on an alpine summit,
Or to breach the towers of a lofty City:
Both the one and the other Horde assail the Three,
And whatever strength they have, they employ in the attack.
If against each of the Three till then were set
Fifty Moors, the Arabs who arrive
Set thousands against each of the Three,
All savage, all formidable!
In what eloquence can such portents fit?
Who can marvel enough at such portents?
Who, were not the World a witness,
Would not take them for fable, or for dream?
They thunder in the clamour of Fame; and there live
Eyes that saw them, arms that did them.
It was a sight to behold, so new a scene!
The dauntless Hero, and the Two whom he inflames,
Sustain the bravery of a whole People.
The raging, rustic Torrent rushes on;
From valley to valley the horrendous shouting resounds.
On both sides they press the Warrior:
Shots whistle, blows redouble:
But he with the left, he with the right hand
Repels the Multitude, unharmed, unmoved.
Shame goads the Barbarians' furies:
With a thousand unwonted arts they renew themselves
In the frightful fray; but without fruit:
The Man remains invulnerable,
And plunges a hundred in the Stygian waters.
Here, there, the sword is a thunderbolt,
Never in vain. In one, who boldly faces him close,
He buries it in the entrails; another who was
Of gigantic limbs, of enormous lance,
And in the front exhorted the laggards to war,
With two blows, no more, of the Lusitanian Achilles
Lies disarmed; and with one gasp, with another,
His ferocious spirit falls into Hell.
This one, who anxiously pants on the ground,
The vital breezes are abandoning;
That one is only a trunk: everywhere
Arms, heads fly, deaths seethe.
O you, who bear the surname of the Almeidas[9],
You, who were able to bind in a lustrous knot
To the honours of Mars those of Minerva,
This golden Day also makes you eternal.
If the Lusitanians who fight on the shores,
And those whom the captured Polacca
(The Boat having sunk) retains in its hold,
Where from afar Moorish insult harasses them;
If all return safe, it is your Work.
While for aid to the one and to the others
You send Alexander[10], never shy
Of the noble road which the Great one trod,
A fire-spewing cannon, which, untiring,
Had answered eighteen brazen mouths,
And imposed silence on them, anew scatters
Amid horrible sound and opaque cloud
In the midst of the serried Africans
A hail of deadly grapeshot.
The first terror you instilled in them,
As soon as Mahomet's rustic rabble
Saw sands and seas coloured with blood:
The Man sent crowned the enterprise.
Swiftly the oar sweeps the waves:
And impetuous Sousa[10] reaches his comrades:
Against its owners he aims the adverse bronze,
And thus returns to them the iron balls.
Already the dusky Troop yields, already weakens,
Frozen with convulsive terror.
Behold them fleeing, as if they were birds;
On one side and the other they scatter,
Believing they hear a din that follows them.
Aboard then Donald calls his own;
He runs to embrace them, and in voice, in face
Expresses cordial pleasure to all.
Recalling the exploits one by one,
He fills them, adorns them with condign praise,
Proud of ruling so brave a People.
As soon as rest restores their spirits,
(The Sun already declining from the ethereal summit)
The warlike Ship draws as near to land
As it can; and with the first
Martial flashes sweeps the Band,
Which in greater tumult swarms the shores.
In the shadow of the great timber the small timbers,
(Because the sea lies in silence, smooth as pewter)
Employing arts and forces, attempt
To pull the Moorish prize away from the shore;
Vainly, for the lovely Chorus of the daughters
Of Nereus, frolicking, leaps upon her,
They want her for themselves, they call her theirs.
And who could stand against the Offspring of a God,
Against their rights in their native dominion?
Or where would he find the arms of Briareus,
For the immense labour? She, nevertheless,
Nereids, was not yours, although you are worthy
Of a thousand gifts, and, like Venus, beautiful.
What escapes Victory, the flame swallows;
Rightly: a lesser harm forbids greater ones;
More easily do light damages
Subdue and tame a stubborn character,
Than gentle favour renders it grateful.
The Pine burns, Vulcan's fury reigns:
Pitch and bitumen feed the rich flames,
So fast that in vain, while yet fresh,
Human industry would wish to extinguish them.
Frequent cracks are heard: from amid the smoke
A thousand sparks spring forth, as if they aspire
To return to the stars, whence they emanated.