Date posted: 31-Dec-2015
Uploaded by: jonah-davis
Chapter 1 - Foundations of Network Security
Understand the individuals who might attempt to break into your network
Set goals for developing a network security system
Review the TCP/IP networking fundamentals that you’ll need to secure a network
Describe the elements of IP packets that can be misused by hackers
Know the role routers play in a network security perimeter
Secure workstations
Understand aspects of Internet-based communications that present security risks
Knowing Your Enemies
Hackers are looking for:
Access to computer systems, either for the thrill of it or for criminal purposes
Revenge, where disgruntled current or former employees want to retaliate against an organization
Financial gain through theft of financial information, such as credit card numbers, or to defraud people out of money with scams
Corporate proprietary information, which can be sold to those who want the data to upgrade their technological capabilities
Knowing Your Enemies (cont.)
The attackers are typically:
Hackers who gain access to unauthorized network resources, usually by finding a way to circumvent passwords, firewalls, or other protective measures
Disgruntled employees who want to exact revenge on their place of employment
Script kiddies: unskilled attackers who run attack tools and malicious scripts written by others, often spreading viruses and worms without understanding how they work
Packet monkeys, who are interested in blocking Web site activities through Distributed Denial of Service (DDoS) attacks
Goals of Network Security
Maintaining Privacy
Organizations that hold databases of personal and financial data need to maintain privacy not only to protect their customers, but to maintain the integrity and credibility of their own organizations
One of the most important and effective ways to maintain the privacy of information held on an organization’s network resources is to educate rank-and-file employees about security dangers and security policies
Preserving Data Integrity
Data integrity means that data cannot be altered in transit or in storage without the change being detected. Integrity is preserved with cryptographic hash functions, keyed message authentication codes (MACs), and digital signatures; with public-key cryptography the sender signs data under a private key and anyone holding the matching public key can verify that it was not altered. Encryption, by contrast, protects confidentiality: communications are scrambled under a secret key, and users who hold the key can decrypt and view the information, but encryption by itself does not stop an attacker from changing the data
Authenticating Users
The process of determining the identity of an authorized user, through the matching of a username and password or by other means, is known as authentication
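As an added example (not from the chapter), the following Python shows why integrity needs a keyed check rather than encryption alone: a stream-cipher-style XOR encryption lets an attacker change the plaintext by flipping ciphertext bits without ever seeing the key, while an HMAC-SHA256 tag over the message catches the change. The transfer message, amounts and the shared key are constructed sample data.

```python
import hashlib
import hmac
import secrets

MESSAGE = b"transfer 100 to account 4242"  # constructed sample message


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def malleability_demo() -> bytes:
    """Encrypt MESSAGE with a one-time XOR keystream, then tamper with the
    ciphertext as an attacker who never sees the key. Returns what the
    recipient decrypts: the amount has silently changed from 100 to 900."""
    keystream = secrets.token_bytes(len(MESSAGE))
    ciphertext = xor_bytes(MESSAGE, keystream)
    # The attacker knows the plaintext layout (the amount sits at a fixed
    # offset) and XORs the difference between old and new amount into it.
    pos = MESSAGE.index(b"100")
    delta = xor_bytes(b"100", b"900")
    forged = ciphertext[:pos] + xor_bytes(ciphertext[pos:pos + 3], delta) + ciphertext[pos + 3:]
    return xor_bytes(forged, keystream)  # what the recipient decrypts


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: computing or forging it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), tag)


def integrity_demo() -> dict:
    """Show that a MAC detects both tampering and a forger without the key."""
    key = secrets.token_bytes(32)  # assumed shared out of band with the recipient
    tag = make_tag(key, MESSAGE)
    tampered = MESSAGE.replace(b"100", b"900")
    return {
        "genuine_accepted": verify(key, MESSAGE, tag),
        "tampered_rejected": not verify(key, tampered, tag),
        "wrong_key_rejected": not verify(secrets.token_bytes(32), MESSAGE, tag),
    }


if __name__ == "__main__":
    print(malleability_demo())
    print(integrity_demo())
```

The same bit-flipping works against any unauthenticated stream cipher, which is why modern protocols pair encryption with a MAC or use an authenticated mode such as AES-GCM.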
Enabling Connectivity
To provide security for online transactions, many businesses set up leased lines: dedicated point-to-point circuits (or frame relay and similar services) provided by telecommunications companies that own the line; leased lines are expensive
To reduce leased line costs, many businesses that already have high-speed Internet connections set up virtual private networks (VPNs), which use encryption, authentication, and data encapsulation to carry private traffic securely over the Internet
Understanding TCP/IP Networking
TCP/IP is the suite of protocols that allows information to be transmitted from point to point on a network
The Open Systems Interconnection (OSI) model of network communications breaks communications into seven layers; TCP/IP has its own stack of protocols that roughly correspond to these layers
Understanding the fundamentals of TCP/IP networking will help you understand how intruders reach your network: every computer is addressed by its IP address, and an attacker who learns the addresses of your hosts can target them directly
IP Addressing
Hackers can target hosts by determining the actual IP addresses of individual computers; therefore, a fundamental goal of network security is to understand IP addresses and other network addresses so that they can be concealed or changed to deter hackers
Most IP addresses in use on the Internet conform to Internet Protocol version 4 (IPv4), which uses addresses of 32 bits (four bytes); IPv6 uses 128-bit addresses and is deployed alongside IPv4
IP Addressing (cont.)
IP addresses consist of a network address and a station (or host) address; a third value, the subnet mask, tells which bits of the address belong to each part
IP addresses are hidden by using Network Address Translation (NAT), which rewrites the private, non-routable internal addresses (for example the RFC 1918 ranges) to the public address of the NAT device’s external interface, or proxy servers, which make all requests from internal computers look like they are coming from the proxy server
IP Addressing (cont.)
IPv4 addresses were historically broken into address categories called classes; the class designation determined the default subnet mask of an IP address (today’s Internet uses classless addressing, CIDR, in which the mask is stated explicitly as a prefix length)
Subnetting is one way to take a single network address and divide it into multiple network addresses by “borrowing” bits from the host portion of the address and subdividing it
Internal IP addresses and their subnet masks should be concealed from outsiders by security devices that perform NAT, by proxy servers, or by VPNs; concealment deters reconnaissance but does not replace filtering the traffic that reaches the hosts
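The address arithmetic on the last three slides (network and host parts, the mask, borrowing host bits to subnet, and which addresses must be translated before they reach the Internet) is shown here in Python using the standard `ipaddress` module. This is an added example, not code from the chapter; the sample addresses are constructed, and the class table is included only to illustrate the historic scheme.

```python
from __future__ import annotations

import ipaddress


def describe(cidr: str) -> dict:
    """Split an address/prefix into its network and host parts."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False accepts a host address
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),  # minus network and broadcast
        "private": net.is_private,
    }


def subnet(cidr: str, borrow_bits: int) -> list[str]:
    """Borrow host bits to split one network into 2**borrow_bits subnets."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(prefixlen_diff=borrow_bits)]


def classful_mask(addr: str) -> str | None:
    """Default mask under the historic class A/B/C scheme (informational:
    modern networks use the explicit prefix length, CIDR)."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    return None  # class D (multicast) and E (reserved): no host mask


def needs_translation(addr: str) -> bool:
    """True if addr is not globally routable (RFC 1918 private space and other
    reserved ranges) and so must be NAT'ed or proxied to reach the Internet."""
    return not ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    print(describe("192.168.10.77/26"))
    print(subnet("10.0.0.0/24", 2))
    print(classful_mask("172.16.5.4"), needs_translation("172.16.5.4"))
```

Note that `is_global` also reports the documentation and shared-address ranges as non-global, so the check is stricter than "RFC 1918 only", which is what a perimeter anti-spoofing rule usually wants.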
Exploring IP Packet Structure
TCP/IP is packet-based: it transmits data in small units called packets or datagrams
Each complete message is broken into multiple datagrams that carry the source and destination IP addresses, a variety of control settings, and the data to be exchanged
The primary packet subdivisions are the header and the data; at the link layer some frames have an additional section at the end called a trailer or footer (for example the Ethernet frame check sequence)
IP datagrams (cont.)
The header is the part of the packet that computers use to communicate, and it plays an important role in network security and intrusion detection
IP headers carry fields such as the source and destination addresses, the protocol number, and the fragmentation flags and offset; TCP headers carry port numbers and control flags. Firewalls and IDS systems use these fields to:
block packets that don’t meet a predetermined set of rules; allow packets whose criteria match at least one rule; set off intrusion alerts if a particular flag or a set of specific criteria, called a signature, is detected
IP datagrams (cont.)
IP spoofing occurs when hackers forge the source IP address in the header so that a packet appears to come from a trusted host, often an address inside the protected network. A related abuse is the IP source routing option, with which the sender dictates the path a packet (and its reply) takes, so that an attacker can steer return traffic to a computer under their control; both forged internal sources and source-routed packets should be blocked at the perimeter
The data part of a TCP/IP packet is the part that needs to be protected
Firewalls and VPNs have a number of ways in which they can protect packet data, and in some cases will work with third-party software to screen the content of network communications for viruses
IP datagrams (cont.)
Internet Control Message Protocol (ICMP) is designed to help TCP/IP networks report and diagnose communication problems, but ICMP messages can be used by hackers to crash or overload network computers (oversized or malformed echo requests, echo floods)
Because ICMP packets carry no authentication, hackers can forge them; a forged ICMP Redirect message tells a host to send its traffic through a router the attacker chooses, placing the attacker in the middle of the conversation while it impersonates the legitimate next hop
Hackers can also use ICMP Redirect messages to direct traffic to a computer outside the protected network; hosts and perimeter devices should ignore redirects from untrusted sources
IP datagrams (cont.)
TCP/IP packets also contain TCP headers, which provide hosts with a different set of flags (SYN, ACK, FIN, RST, PSH, URG)
In particular, hackers can craft a TCP segment with the Acknowledgement (ACK) flag set so that it looks like part of an existing connection; a stateless packet filter that lets ACK segments through unconditionally will pass it, giving the attacker a way to probe or reach internal hosts. Stateful inspection defeats this by admitting only ACK segments that belong to a connection whose handshake the firewall has seen
User Datagram Protocol (UDP) provides a datagram transport service for IP, but one that is considered unreliable because it is connectionless; with no handshake, it is easier for a hacker to spoof the source of a UDP packet or send a malformed or dangerous one to a client
IP datagrams (cont.)
IP fragmentation was originally developed as a means of enabling large packets to pass through links and early routers that couldn’t handle their size; it created a security problem because a filter typically sees the transport header (ports, TCP flags) only in the first fragment. By manipulating the fragment offset and More Fragments fields, hackers can create overlapping fragments, or a first fragment too small to hold the TCP header, so that the packet the destination reassembles differs from what the filter inspected or the ports are never seen at all
To protect against this, configure the firewall or packet filter to reassemble fragments before applying its rules, or to drop fragments it cannot inspect (tiny or overlapping first fragments and non-initial fragments with no matching first fragment); fragmentation is rare in normal traffic, but dropping every fragment can break legitimate large UDP exchanges, so log what is dropped
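The checks described on the preceding slides (forged internal source addresses, ACK segments that pretend to belong to an existing connection, ICMP redirects arriving from outside, and first fragments too small to carry the TCP header) can be made concrete in a small packet filter. The following Python is an added example, not code from the chapter: it builds IPv4, TCP and ICMP packets from constructed bytes (checksums are left zero and are not verified), parses the header fields, and applies the rules in order. The internal range 192.168.1.0/24, the single published HTTPS port and the addresses in the demo are assumptions.

```python
import ipaddress
import struct

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed protected LAN
PUBLISHED_TCP_PORTS = {443}                         # assumed services reachable from outside
IP_FMT, TCP_FMT = "!BBHHHBBH4s4s", "!HHIIHHHH"      # 20-byte IPv4 and TCP headers


def build_ipv4(src, dst, proto, payload, mf=False, frag_offset=0):
    """Constructed IPv4 header: version 4, IHL 5, checksum left as 0."""
    frag_word = ((1 if mf else 0) << 13) | (frag_offset // 8)  # bit 13 = More Fragments
    hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0x1234, frag_word, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed TCP header, no options; flags is the control field (SYN=0x02, ACK=0x10, PSH=0x08)."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def parse_ipv4(pkt):
    ver_ihl, _tos, total_len, _id, frag_word, ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "mf": bool(frag_word & 0x2000),
            "frag_offset": (frag_word & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def parse_tcp(seg):
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_FMT, seg[:20])
    return {"sport": sport, "dport": dport, "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}


def filter_packet(pkt, inbound, established):
    """Return (verdict, reason). inbound=True means the packet arrived on the
    external interface; established holds (src, sport, dst, dport) tuples of
    connections whose handshake the firewall has already seen."""
    ip = parse_ipv4(pkt)
    if inbound and ipaddress.ip_address(ip["src"]) in INTERNAL:
        return "DROP", "spoofed internal source on external interface"
    if ip["frag_offset"] != 0:
        return "DROP", "non-initial fragment: transport header not visible (reassemble in a stateful device)"
    if ip["mf"] and ip["proto"] == 6 and len(ip["payload"]) < 20:
        return "DROP", "first fragment too small to hold the TCP header"
    if ip["proto"] == 1:  # ICMP: the type is the first payload byte
        if inbound and ip["payload"][0] == 5:
            return "DROP", "ICMP redirect from outside"
        return "ACCEPT", "icmp"
    if ip["proto"] == 6:
        tcp = parse_tcp(ip["payload"])
        if inbound and tcp["ack"] and not tcp["syn"]:
            if (ip["src"], tcp["sport"], ip["dst"], tcp["dport"]) not in established:
                return "DROP", "ACK without a known connection (ACK scan / stateless-filter bypass)"
            return "ACCEPT", "reply on established connection"
        if inbound and tcp["syn"] and tcp["dport"] not in PUBLISHED_TCP_PORTS:
            return "DROP", "unsolicited SYN to unpublished port"
        return "ACCEPT", "tcp"
    return "DROP", "protocol not permitted"


def demo():
    """Run the filter over constructed inbound packets; returns {case: verdict}."""
    ext, web = "198.51.100.7", "192.168.1.10"   # constructed outside host and internal web server
    known = {(ext, 40000, web, 443)}             # one connection already set up
    cases = {
        "spoofed_source": build_ipv4("192.168.1.50", web, 6, build_tcp(40000, 22, 0x02)),
        "ack_scan":       build_ipv4(ext, web, 6, build_tcp(40001, 22, 0x10)),
        "reply_to_known": build_ipv4(ext, web, 6, build_tcp(40000, 443, 0x18)),
        "syn_to_https":   build_ipv4(ext, web, 6, build_tcp(40002, 443, 0x02)),
        "tiny_fragment":  build_ipv4(ext, web, 6, build_tcp(40003, 443, 0x02)[:8], mf=True),
        "icmp_redirect":  build_ipv4(ext, web, 1, bytes([5, 1, 0, 0]) + bytes(4)),
        "icmp_echo":      build_ipv4(ext, web, 1, bytes([8, 0, 0, 0]) + bytes(4)),
    }
    return {name: filter_packet(pkt, True, known)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

Rule order matters: the anti-spoofing check runs before anything else because a forged internal source would otherwise be trusted by later rules, and the fragment checks run before the transport parse because a short first fragment has no complete TCP header to parse.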
IP datagrams (cont.)
The Domain Name System (DNS) is a general-purpose service used mainly on the Internet for translating host names to IP addresses
DNS introduces security issues: a DNS server can be attacked with buffer overflows (sending an overly long DNS name or a malformed message to a vulnerable server implementation) and with cache poisoning, in which the attacker sends forged responses so that the resolver caches, and hands out to clients, an attacker-controlled IP address for a legitimate name
Servers should run patched software; specific overflow bugs have been fixed in current releases, but poisoning is a protocol-level weakness that is mitigated by randomizing transaction IDs and source ports and by accepting only in-bailiwick data, and is closed fully only by DNSSEC
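As an added example (not part of the chapter), this Python models the resolver-side checks that make cache poisoning hard: a response is discarded unless its transaction ID, destination port, source server and question all match the outstanding query, and records outside the zone the server is authoritative for (out of bailiwick) are never cached. The messages are constructed dicts rather than DNS wire format, and the addresses come from the documentation ranges.

```python
import random


def make_query(qname, server_ip, rng=random):
    """Resolver side: unpredictable 16-bit ID and ephemeral source port, both remembered."""
    return {"id": rng.randrange(1 << 16), "sport": rng.randrange(1024, 65536),
            "qname": qname.lower().rstrip("."), "qtype": "A", "server": server_ip}


def in_bailiwick(zone, name):
    """True if name is zone itself or lies beneath it."""
    zone, name = zone.lower().rstrip("."), name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(query, response, zone):
    """Return the records that may be cached, or raise ValueError with the
    reason the response is rejected. zone is the authority the query went to."""
    if response["id"] != query["id"]:
        raise ValueError("transaction ID mismatch")
    if response["dport"] != query["sport"]:
        raise ValueError("destination port does not match the query's source port")
    if response["src"] != query["server"]:
        raise ValueError("response did not come from the queried server")
    if response["qname"].lower().rstrip(".") != query["qname"] or response["qtype"] != query["qtype"]:
        raise ValueError("question section does not match")
    # Never cache data the answering server is not authoritative for.
    return [rr for rr in response["records"] if in_bailiwick(zone, rr["name"])]


def demo():
    """Constructed exchange: one genuine response carrying smuggled data, two forgeries."""
    ns, zone = "192.0.2.53", "example.com"  # constructed authoritative server for the zone
    q = make_query("www.example.com", ns)
    genuine = {"id": q["id"], "dport": q["sport"], "src": ns, "qname": "www.example.com", "qtype": "A",
               "records": [{"name": "www.example.com", "type": "A", "data": "192.0.2.10"},
                           # glue for an unrelated zone: out of bailiwick, must not be cached
                           {"name": "www.bank.test", "type": "A", "data": "198.51.100.66"}]}
    forged_id = dict(genuine, id=(q["id"] + 1) % 65536)          # attacker guessed the ID wrong
    forged_port = dict(genuine, dport=(q["sport"] + 1) % 65536)   # attacker guessed the port wrong
    results = {"genuine": [rr["name"] for rr in accept_response(q, genuine, zone)]}
    for label, resp in (("forged_id", forged_id), ("forged_port", forged_port)):
        try:
            accept_response(q, resp, zone)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

With a fixed source port an attacker flooding forged responses needs on the order of 2^16 guesses to hit the transaction ID; randomizing the port as well raises that to roughly 2^32, and DNSSEC signatures remove the guessing game entirely.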
Routing and Access Control
Routers move TCP/IP packets between LANs
Every router uses a routing table, which is a list of network addresses and corresponding gateway IP addresses that the router uses to direct traffic
Some firewalls come packaged in a hardware device that also serves as a router
Access Control Lists (ACLs): on a router, an ACL is an ordered list of rules that permit or deny packets by address, protocol and port; on a host, ACLs list the users and groups authorized to use a resource and their authorization levels
Protect the devices and accounts that can change ACLs with strong passwords, and disable Guest accounts that hackers can exploit
Securing Individual Workstations
Workstations that host security software are commonly placed on the network perimeter
The perimeter is a vulnerable spot that stands between the internal LAN and the external Internet
Some IDS systems are positioned on public servers outside of the organization’s internal LAN
Because they are in a vulnerable location, firewalls and intrusion detection systems are run on bastion hosts, machines that have been hardened (made more secure) by turning off every service except the bare essentials
Securing workstations (cont.)
In securing workstations, the choice of operating system isn’t as important as the administrator’s familiarity with it
Both the hardware and software that make up a bastion host should be familiar to the administrator
The workstation should present intruders with only a minimal set of resources and open ports
A bare-bones workstation configuration reduces the chances of attack; the fewer the resources and openings, the more secure the host is
Securing workstations (cont.)
RAM is important when operating a server; a host that runs only a firewall or IDS provides a single service, but a stateful firewall keeps a table of every open connection and an IDS buffers and reassembles traffic, so size memory for the peak connection count and traffic rate rather than assuming little is needed
A great amount of hard disk space is required due to the accumulation of vast quantities of records or log files detailing resource access requests
Because the IDS host or firewall is integral to network security, you should obtain a machine with the fastest processor speed you can afford
Securing workstations (cont.)
Secure Windows computers by installing the patches and hotfixes that Microsoft regularly releases for the operating system
Windows 2000 and XP were, when this chapter was written, recommended bastion host operating systems because of their reliability and widespread use as servers, with two hardening utilities for them, the Microsoft Baseline Security Analyzer and the Internet Information Server (IIS) Lockdown Tool; both operating systems have since reached end of support and receive no security patches, so a bastion host today must run a currently supported release and use its current hardening tooling
Securing workstations (cont.)
UNIX and UNIX-like systems are the most widely used Web server operating systems and may have fewer security holes than Windows; if the vendor offers one (HP-UX does), follow the stripped-down installation, which leaves out unneeded packages and services
The UNIX security patches you install must correspond to the installed operating system version
Other UNIX measures: install supplemental security software such as TCP Wrappers (host-based access control for network services) and Secure Shell (SSH), an encrypted remote command interface; do logging through the syslog daemon; use a utility such as chkconfig to disable services that should not start at boot
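One way to verify the "minimal set of open ports" requirement on a UNIX bastion host is to compare what is actually listening against an allow-list. The Python below is an added example, not from the chapter: it parses output in the layout of `ss -tulnp` (the sample here is constructed) and reports listeners outside an assumed policy of SSH for administration plus HTTPS as the only public service, rating loopback-only binds lower because they are not reachable from the network.

```python
ALLOWED = {("tcp", 22), ("tcp", 443)}  # assumed bastion policy: SSH admin access and HTTPS only
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the layout of `ss -tulnp` (Netid State Recv-Q Send-Q Local Peer Process)
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      128    0.0.0.0:111       0.0.0.0:*         users:(("rpcbind",pid=640,fd=4))
tcp   LISTEN 0      50     127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=4))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=702,fd=7))
"""


def parse_ss(text):
    """Turn `ss -tulnp` lines into dicts; skips the header and malformed lines."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        addr, port = fields[4].rsplit(":", 1)  # rsplit keeps bracketed IPv6 addresses intact
        process = fields[6].split('"')[1] if len(fields) > 6 and '"' in fields[6] else "?"
        listeners.append({"proto": fields[0], "addr": addr, "port": int(port), "process": process})
    return listeners


def audit(listeners, allowed=ALLOWED):
    """Return listeners not covered by the allow-list, each with a severity."""
    findings = []
    for lst in listeners:
        if (lst["proto"], lst["port"]) in allowed:
            continue
        severity = "low" if lst["addr"] in LOOPBACK else "high"
        findings.append(dict(lst, severity=severity))
    return findings


if __name__ == "__main__":
    for f in audit(parse_ss(SAMPLE_SS)):
        print(f"{f['severity']:4s} {f['proto']} {f['addr']}:{f['port']} ({f['process']})")
```

On a real host, feed it the live output (`ss -tulnp` run as root so process names are visible) and treat every high-severity finding as a service to disable with chkconfig or the system's service manager, or to wrap with TCP Wrappers if it must stay.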
Securing workstations (cont.)
Day-to-day security maintenance involves maintaining hotfixes, reviewing security logs, and plugging holes as they arise
Don’t go it alone - assemble a team
Follow a daily list, such as a security task checklist
Gather weekly security activity reports from the team
Get rank-and-file employees involved in security
Establish and distribute your security policy
Set up a network security perimeter - use firewalls, DMZs, intrusion detection, and VPNs
Web and Internet-based Security Concerns
Internet issues requiring attention:
For a home user who regularly uses the Internet, a firewall’s primary job is to block unsolicited inbound connections, which keeps Trojan horses already on the system from being reached through their back doors; anti-virus software, not the firewall, is what keeps viruses from infecting files
Executable code attached to e-mail messages may be difficult for a firewall or IDS to detect, but specialty e-mail firewalls monitor and control content and in particular filter out malicious code
Always-on connections are best protected with firewalls, anti-virus software, and VPN connections
Chapter Summary
You need to know the types of enemies you are up against, and what they are after, in order to defend against them. The individuals who might attempt to intrude on your network might simply be motivated by a desire to see what kinds of data you have and to gain control of your computer. Revenge by disgruntled current or former employees might be the primary motivation, however. Some hackers break into accounts and networks for financial gain. Others want to steal proprietary information either for their own use or for resale to other parties
You need to set goals for your network security program. These goals originate with an analysis of the risks you face and an assessment of the resources you want to protect. One of the most important goals of any network security effort should be to maintain the privacy of information related to customers and employees alike. Other goals include the preservation of data integrity, the authentication of approved users of network resources, and enabling remote users to connect securely to the internal network
Some basic knowledge of TCP/IP networking is important not only to configure the firewalls and routers that make up a defense-in-depth configuration, but also to be aware of vulnerabilities related to IP addresses. Consider using proxy servers or NAT to shield the actual IP addresses from external users
The IP and TCP header sections of IP packets were explored in detail, because they contain a variety of settings that can be exploited by hackers. These include header information such as the fragmentation flags and the source or destination IP address. ICMP messages such as redirect and echo request can be misused by hackers to either intercept traffic and direct it to a server that they control, or flood a server with so many requests that it can no longer handle other traffic
Routing and access control are important network concepts because the routers at the perimeter of a network are critical to the movement of all traffic into and out of the network, regardless of whether the traffic is legitimate or harmful. Because of their position on the perimeter, routers can be equipped with their own firewall so that they can perform packet filtering and other functions
It’s also important to realize the various activities that go into securing the bastion hosts on which your firewall software and intrusion detection programs will be installed. These include obtaining the latest versions of operating system software and checking periodically for any new security patches or hotfixes that have been released. Computers that are expected to host firewall or IDS software or provide public services should be hardened as much as possible by reducing unnecessary software and accounts and by closing any open ports that are not required
Because the Internet and particularly the WWW are playing increasingly important roles in the movement of business-related traffic from one corporate network to another, it’s important to have some understanding of the network security concerns that pertain to e-commerce and online communications. E-mail is one of the most important services you can secure because of the possibility of malicious scripts being delivered in e-mail attachments. The “always on” DSL and cable modem connections that are becoming increasingly popular present new security risks that need to be addressed with firewall and VPN solutions