Date post: 27-Dec-2015
Page 1: 1 Network Security ITEC 370 George Vaughan Franklin University.

1

Network Security

ITEC 370

George Vaughan

Franklin University

Page 2

Sources for Slides
• Material in these slides comes primarily from the course text, Guide to Networking Essentials, Tomsho, Tittel, Johnson (2007).
• Other sources are cited in line and listed in the reference section.

Page 3

TCP/IP and OSI Models (OSI-Model, n.d.) and (Tomsho, 2007)

| TCP/IP layer | PDU | OSI layer | Function | Devices / apps | Standards |
| Application | Data | 7 Application | Network process to application; initiates or accepts a request to transfer data | Browsers, servers, gateways | HTTP, SNMP, FTP, Telnet |
| Application | Data | 6 Presentation | Adds formatting, display, and encryption of information | Gateways | ASCII, MPEG, SSH, SSL |
| Application | Data | 5 Session | Adds communication session control information; login/logout | DNS, gateways | NetBIOS |
| Transport | Segments | 4 Transport | Adds end-to-end connections and reliability, re-sequencing, flow control | Gateways | TCP, UDP |
| Network | Packets | 3 Network | Path determination and logical addressing (IP); translates MAC address to logical address | Routers | IP, ICMP, ARP, NetBEUI, IPSec |
| Link | Frames | 2 Data Link (LLC and MAC sublayers) | Adds error checking and physical addressing (MAC & LLC) | Switches, bridges, NICs | 802.3, 802.11, FDDI |
| Link | Bits | 1 Physical | Media, signal and binary transmission; sends data as a bit stream | Hubs, repeaters | 10Base-T, T1, E1 |

Page 4

Developing a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• A network security policy describes the rules governing access to a company’s information resources, the enforcement of those rules, and the steps taken if rules are breached
– Should also describe the permissible use of those resources after they’re accessed
– Should be easy for ordinary users to understand and reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so that everyone understands its purpose

Page 5

Determining Elements of a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• The security policy should protect the organization legally
• The security policy should be a continual work in progress

Page 6

Understanding Levels of Security
Tomsho, Tittel, Johnson (2007)
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive, open

Page 7

Highly Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Include features such as:
– Data encryption, complex password requirements, detailed auditing and monitoring of computer and network access, intricate authentication methods, and policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when the cost of a security breach is high

Page 8

Moderately Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and auditing features to implement the required policies
• Infrastructure can be secured with moderately priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and support

Page 9

Open Security Policies
Tomsho, Tittel, Johnson (2007)
• Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
• Makes sense for a small company with the primary goal of making access to network resources easy
• Internet access should probably not be possible via the company LAN
– If Internet access is available company-wide, a more restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees

Page 10

Common Elements of Security Policies
Tomsho, Tittel, Johnson (2007)
• Virus protection for servers and desktop computers is a must
• There should be policies aimed at preventing viruses from being downloaded or spread
• Backup procedures for all data that can’t be easily reproduced should be in place, and a disaster recovery procedure must be devised
• Security is aimed not only at preventing improper use of or access to network resources, but also at safeguarding the company’s information

Page 11

Securing Physical Access to the Network
Tomsho, Tittel, Johnson (2007)
• If there’s physical access to equipment, there is no security
– A computer left alone with a user logged on is particularly vulnerable
• If an administrator account is logged on, a person can even give his/her own account administrator control
– If no user is logged on:
• People could log on to the computer with their own accounts and access files to which they wouldn’t normally have access
• The computer could be restarted and booted from removable media, bypassing the normal OS security
• The computer or hard disks could be stolen and later cracked

Page 12

Physical Security Best Practices
Tomsho, Tittel, Johnson (2007)
• When planning your network, ensure that rooms are available to house servers and equipment
– Rooms should have locks and be suitable for the equipment being housed
• If a suitable room isn’t available, locking cabinets, freestanding or wall mounted, can be purchased to house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should be inaccessible to eavesdropping equipment
• The physical security plan should include procedures for recovery from natural disasters (e.g., fire or flood)

Page 13

Physical Security of Servers
Tomsho, Tittel, Johnson (2007)
• Servers may be stashed away in a lockable wiring closet along with the switch to which the server is connected
• Servers often require more tightly controlled environmental conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s preferably on a circuit separate from other devices
• If you must put servers where they are accessible to people who should not have physical access to them, use locking cabinets
– You can purchase rack-mountable servers
• Make sure there is sufficient cooling.

Page 14

Security of Internetworking Devices
Tomsho, Tittel, Johnson (2007)
• Routers and switches contain critical configuration information and perform essential network tasks
– Internetworking devices, such as hubs, switches, and routers, should be given as much attention in terms of physical security as servers
• A room with a lock is the best place for these devices
• A wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a mounting hole for a fan
– They also come with convenient channels for wiring
• Make sure there is sufficient cooling.

Page 15

Securing Access to Data
Tomsho, Tittel, Johnson (2007)
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security

Page 16

Authentication and Authorization
• Authentication: forcing a party to prove their true identity
– Login process, certificates, shared keys
– Applies to both clients and servers
• Authorization:
– Only applies after the party has been authenticated
– Access control (file permissions, access control lists, etc.)

Page 17

Implementing Secure Authentication and Authorization
Tomsho, Tittel, Johnson (2007)
• Administrators must control who has access to the network (authentication) and what logged-on users can do on the network (authorization)
– NOSs have tools to specify options and restrictions on how/when users can log on to the network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform

Page 18

Configuring Password Requirements in a Windows Environment
Tomsho, Tittel, Johnson (2007)
• Specify if passwords are required for all users, how many characters a password must be, and whether they should meet certain complexity requirements
• XP allows passwords up to 128 characters
– A minimum of five to eight characters is typical
– If the minimum length is 0, blank passwords are allowed
• Other options include maximum/minimum password age, and enforce password history
• When a user fails to enter a correct password, a policy can be set to lock the user account

Page 19

Configuring Password Requirements in a Linux Environment
Tomsho, Tittel, Johnson (2007)
• Linux password configuration can be done globally or on a user-by-user basis
• Options in a standard Linux Fedora Core 4 include maximum/minimum password age, and the number of days’ warning a user has before the password expires
– The Linux system must be using shadow passwords, a secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to set other options like account lockout, password history, and complexity tests
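As an added example (not from the slides or the textbook), a small Python audit of the password-aging settings in /etc/login.defs: it parses a constructed weak sample beside a hardened one and reports values outside an assumed policy. The keys are real login.defs keys; the two samples and the thresholds are assumptions made for this example.

```python
# Added example: parse the PASS_* aging settings of /etc/login.defs and
# report weak values. Keys are real login.defs keys; the two samples and
# the policy thresholds below are constructed for this example.
WEAK_LOGIN_DEFS = """\
# Password aging controls (constructed sample of a weak configuration)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    0
PASS_WARN_AGE   7
UMASK           022
"""

HARDENED_LOGIN_DEFS = """\
# Constructed sample of a hardened configuration
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   14
UMASK           077
"""

# Assumed policy: (comparison, limit) per key.
POLICY = {
    "PASS_MAX_DAYS": ("<=", 90),   # force rotation at least every 90 days
    "PASS_MIN_DAYS": (">=", 1),    # stop users cycling straight back to an old password
    "PASS_MIN_LEN": (">=", 8),     # the slides: a minimum of 0 allows blank passwords
    "PASS_WARN_AGE": (">=", 7),    # warn at least a week before expiry
}


def parse_login_defs(text):
    """Return {KEY: value} from login.defs text; '#' starts a comment, blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means every checked key meets POLICY."""
    findings = []
    for key, (op, limit) in POLICY.items():
        raw = settings.get(key)
        if raw is None:
            findings.append(f"{key} not set")
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{key} has non-numeric value {raw!r}")
            continue
        ok = value <= limit if op == "<=" else value >= limit
        if not ok:
            findings.append(f"{key}={value} violates {op} {limit}")
    if settings.get("PASS_MIN_LEN") == "0":
        findings.append("PASS_MIN_LEN=0 allows blank passwords")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_LOGIN_DEFS), ("hardened", HARDENED_LOGIN_DEFS)):
        print(name, audit(parse_login_defs(text)) or "OK")
```

On PAM-based systems the minimum length and complexity checks are enforced by the PAM password module rather than by PASS_MIN_LEN, which is the point of the PAM bullet above; this audit only covers the aging settings that login.defs still controls.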

Page 20

Reviewing Password Dos and Don’ts
Tomsho, Tittel, Johnson (2007)
• Use a combination of uppercase letters, lowercase letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name, family members’ names, or even your pet’s name
• Don’t use common dictionary words unless they are part of a phrase
• Don’t make your password so complex that you forget it or need to write it down somewhere
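The password rules of this slide and the lockout policy from the Windows slide, turned into working checks as an added example (not the textbook's code): `check_password` reports which rules a candidate breaks, and `LogonPolicy` locks an account after repeated failures. The minimum length, the lockout threshold and the small COMMON_WORDS set are assumptions standing in for a real policy and dictionary.

```python
import hmac
import re
from collections import defaultdict

# Added example. The rules follow the slide's dos and don'ts; MIN_LENGTH,
# the lockout threshold and COMMON_WORDS are assumptions for the example.
MIN_LENGTH = 8
COMMON_WORDS = {"password", "network", "welcome", "letmein"}  # stand-in for a dictionary


def check_password(password, logon_name, personal_names=(), min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:            # a minimum of 0 would allow blank passwords
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for name in (logon_name, *personal_names):   # logon name, family and pet names
        if name and name.lower() in lowered:
            problems.append(f"contains the name {name!r}")
    # A dictionary word is only acceptable as part of a multi-word phrase.
    words = re.findall(r"[a-z]+", lowered)
    if len(words) < 2 and any(w in COMMON_WORDS for w in words):
        problems.append("is a common dictionary word")
    return problems


class LogonPolicy:
    """Counts failed logons per user and locks the account at the threshold."""

    def __init__(self, lockout_threshold=5):
        self.threshold = lockout_threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password, stored_password):
        # Constant-time comparison; a real system compares password hashes, not plaintext.
        if user in self.locked:
            return "locked"
        if hmac.compare_digest(password.encode(), stored_password.encode()):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failed"


if __name__ == "__main__":
    for pw in ("NetW@rk1ng !s C00l", "Password1!", "Rex2007!!", ""):
        print(repr(pw), check_password(pw, "jdoe", ["Rex"]) or "OK")
```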

Page 21

Authorizing Access to Files and Folders
Tomsho, Tittel, Johnson (2007)
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and only folders) shared over the network
• Don’t apply to files/folders if the user is logged on locally
• These are the only file security options available in a FAT or FAT32 file system
– NTFS permissions allow administrators to assign permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to user accounts and group accounts
• Six standard permissions are available for folders

Page 22

Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)

Page 23

Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)

Page 24

Securing Data with Encryption
Tomsho, Tittel, Johnson (2007)
• Use encryption to safeguard data as it travels across the Internet and within the company network
– Prevents somebody using eavesdropping technology, such as a packet sniffer, from capturing packets and using the data for malicious purposes
• Data on disks can be secured with encryption

Page 25

Using IPSec to Secure Network Data
Tomsho, Tittel, Johnson (2007)
• The most popular method for encrypting data as it travels over network media is to use an extension to the IP protocol called IP Security (IPSec)
– Establishes an association between two communicating devices
• The association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates
– After the communicating parties are authenticated, encrypted communication can commence

Page 26

IPSec
Wikipedia-IPSec (n.d.)
• IP Security
• A set of protocols operating at the Network layer (layer 3)
• 2 modes
– Transport mode:
• Only the payload in the packet is encrypted (the header is not)
• Host-to-host communication
– Tunnel mode:
• The entire IP packet is encrypted, including the header
• Encapsulated in another packet for routing across the Internet
• Network-to-network communication

Page 27

Securing Data on Disk
• Windows allows data to be encrypted at the folder level
– Can optionally include subfolders
– Based on the owner of the file
– Groups of users can be defined
• Linux allows data to be encrypted:
– GPG (GNU Privacy Guard) from the FSF
– GPG is available for Windows also

Page 28

VPN
Wikipedia-VPN (n.d.)
• VPN – Virtual Private Network
• A virtual (logical) private network running on top of a public network (e.g., the Internet)
• Useful for providing remote access without using dedicated lines
• 2 parts: an ‘inside’ network which is trusted and an ‘outside’ part which is not trusted
• The VPN server manages authentication
• When active, all access from the client to the outside must pass through a firewall – this makes the client act as if it was in the ‘inside’ network

Page 29

Securing Communication with Virtual Private Networks
Tomsho, Tittel, Johnson (2007)

Page 30

VPN Benefits
Tomsho, Tittel, Johnson (2007)
• Advantages of using VPNs
– Installing several modems on an RRAS server so that users can dial up the server directly isn’t necessary; instead, users can dial up any ISP
– RRAS = Windows Routing and Remote Access Server
– Remote users can usually access an RRAS server by making only a local phone call, as long as they can access a local ISP
– When broadband Internet connectivity is available (e.g., DSL, cable modem), remote users can connect to the corporate network at high speed, making remote computing sessions more productive
• Additionally, VPNs save costs

Page 31

Protecting Networks with Firewalls
Tomsho, Tittel, Johnson (2007)
• Firewall: a HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules
– Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources
– If placed between the Internet and the corporate network, can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI))

Page 32

Types of Firewalls
Wikipedia-firewall (n.d.)
• Packet filter firewall:
– Stateless
– Rules are static
• Circuit-level firewall:
– Stateful
– Can determine if a packet is new or part of an existing connection
• Application-layer firewall:
– Also known as proxy-based firewalls

Page 33

Using a Router as a Firewall
Tomsho, Tittel, Johnson (2007)
• A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets are permitted both into and out of the network
– The network administrator must create rules (access control lists) that deny certain types of packets
• Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions
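As an added example serving the three firewall slides above (not code from the textbook), a default-deny packet filter with the administrator's exceptions, and a stateful circuit-level firewall built on it that remembers allowed connections. Addresses, ports, rules and the four sample packets are constructed.

```python
from dataclasses import dataclass

# Added example: a default-deny packet filter and a stateful (circuit-level)
# firewall built on it. Addresses, ports and rules are constructed samples.


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN


# The administrator's exceptions; first match wins; no match means deny.
RULES = [
    {"direction": "out", "proto": "any", "action": "allow"},              # LAN may go out
    {"direction": "in", "proto": "tcp", "dport": 80, "action": "allow"},  # public web server
]


def matches(rule, pkt):
    return (rule["direction"] == pkt.direction
            and rule["proto"] in ("any", pkt.proto)
            and rule.get("dport") in (None, pkt.dport))


class StatelessFilter:
    """Packet filter: static rules, no memory of earlier packets, default deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for rule in self.rules:
            if matches(rule, pkt):
                return rule["action"]
        return "deny"


class StatefulFirewall(StatelessFilter):
    """Circuit-level firewall: remembers allowed connections so replies are recognised."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections = set()   # 5-tuples of connections allowed so far

    def decide(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:      # reply to a connection we already allowed
            return "allow-established"
        action = super().decide(pkt)         # otherwise a new connection: consult the rules
        if action == "allow":
            self.connections.add(flow)
        return action


# Constructed traffic: a LAN client's HTTPS request, the server's reply,
# an unsolicited probe of port 445, and a legitimate hit on the web server.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "out"),
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "in"),
    Packet("tcp", "198.51.100.7", 40000, "10.0.0.5", 445, "in"),
    Packet("tcp", "198.51.100.7", 40001, "10.0.0.80", 80, "in"),
]


def run(firewall, traffic=TRAFFIC):
    """Return the firewall's decision for each packet, in order."""
    return [firewall.decide(pkt) for pkt in traffic]


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(RULES)))
    print("stateful: ", run(StatefulFirewall(RULES)))
```

The stateless filter drops the server's reply because no static rule names the client's ephemeral port 51000; admitting it statelessly needs a broad inbound rule, which is exactly the hole the stateful connection table avoids.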

Page 34

Using Intrusion Detection Systems
Tomsho, Tittel, Johnson (2007)
• An IDS usually works with a firewall or router with access control lists
– A firewall protects a network from potential break-ins or DoS attacks, but an IDS must detect an attempted security breach and notify the network administrator
– May be able to take countermeasures if an attack is in progress
– An invaluable tool to help administrators know how often their network is under attack and devise security policies aimed at thwarting threats before they have a chance to succeed
– Too many false positives will result in the IDS being ignored

Page 35

NAT
Wikipedia-NAT (n.d.)
• Network Address Translation (IP masquerading)
• The router/firewall replaces the internal source IP address in the IP packet with its own IP address when sending packets out
• The router/firewall reverses the process for incoming packets
• Useful for hiding the identity of the real IP addresses behind the firewall
• Can be used for IP address reuse
– Multiple machines share the same IP address
– Common in home routers
– The ISP assigns a single public IP address
– The router maps it to multiple private IP addresses
– TCP and UDP port numbers are used for de-multiplexing

Page 36

Using Network Address Translation to Improve Security
Tomsho, Tittel, Johnson (2007)
• A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world
– Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network
– An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief
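The port-based translation table the two NAT slides describe, as an added example (not from the textbook or Wikipedia): outbound packets are rewritten to the router's public address and a fresh port, replies are mapped back by that port, and an inbound packet with no matching entry is dropped. All addresses and ports are constructed; 203.0.113.1 stands in for the ISP-assigned public address.

```python
from dataclasses import dataclass, replace

# Added example: a port-based NAT table ("IP masquerading"). Addresses and
# ports are constructed samples.


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, private ip, private port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self.inbound_map = {}

    def outbound(self, pkt):
        """Rewrite the LAN source address/port to the router's public address/port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:            # first packet of a flow: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt.proto, public_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt):
        """Reverse the translation; return None (drop) when no LAN host initiated this flow."""
        if pkt.dst != self.public_ip:
            return None
        target = self.inbound_map.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None     # unsolicited: the outside cannot start a conversation inward
        return replace(pkt, dst=target[0], dport=target[1])


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    # Two LAN hosts use the same local port toward the same web server; the
    # public ports assigned by the router keep the two flows apart.
    a = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "198.51.100.5", 80))
    b = nat.outbound(Packet("tcp", "192.168.1.11", 51000, "198.51.100.5", 80))
    print(a, b, sep="\n")
    print(nat.inbound(Packet("tcp", "198.51.100.5", 80, "203.0.113.1", a.sport)))
    print(nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 445)))  # None
```

Home routers differ in how strict the reverse lookup is; this example only admits packets from the remote host and port the LAN host contacted, which is the behaviour the claim above relies on.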

Page 37

Protecting a Network from Worms, Viruses, and Rootkits
Tomsho, Tittel, Johnson (2007)
• Malware is SW designed to cause harm/disruption to a computer system or perform activities on a computer without the consent of its owner
– A virus spreads by replicating itself into other programs or documents
– A worm is similar to a virus, but it doesn’t attach itself to another program
– A backdoor is a program installed on a computer that permits access to the computer, bypassing the normal authentication process
– To help prevent the spread of malware, every computer should have virus-scanning software running

Page 38

Protecting a Network from Worms, Viruses, and Rootkits (continued)
Tomsho, Tittel, Johnson (2007)
• A Trojan horse program appears to be something useful, but in reality contains some type of malware
• Rootkits are a form of Trojan program that can monitor traffic to and from a computer, monitor keystrokes, and capture passwords
– Used to hide files and programs from the OS
– Sony added rootkits to audio CDs to prevent copying
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the hoax is the virus!
• Malware protection can be expensive; however, the loss of data and productivity that can occur when a network becomes infected is much more costly
• Phishing – social engineering
– E.g., fake (web) services used to collect sensitive data

Page 39

Protecting a Network from Spyware and Spam
Tomsho, Tittel, Johnson (2007)
• Spyware: monitors/controls part of a computer at the expense of the user’s privacy and to the gain of a third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth, and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places on an e-mail account, spammers find a way around it

Page 40

Implementing Wireless Security
Tomsho, Tittel, Johnson (2007), Wikipedia
• Attackers who drive around looking for wireless LANs to intercept are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
• Service Set Identifier – identifies the network
– Wired Equivalency Protocol (WEP)
• 1999 – Can be cracked in 2 minutes with available software
– Wi-Fi Protected Access (WPA)
• 2003 – Stronger than WEP. Not supported by all access points.
– 802.11i
• 2004 – same as WPA2, a superset of WPA
– MAC address filtering
• Access control list based on MAC address
• You should also set policies: limit AP signal access, change the encryption key regularly, etc.

Page 41

Using a Cracker’s Tools to Stop Network Attacks
Tomsho, Tittel, Johnson (2007)
• If you want to design a good, solid network infrastructure, hire a security consultant who knows the tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to compromise a network or computer system for the purposes of personal gain or to cause harm
– The term hacker has had a number of meanings throughout the years
– White hats often use the term penetration tester for their consulting services

Page 42

Discovering Network Resources
Tomsho, Tittel, Johnson (2007)
• Attackers use command-line utilities such as Ping, Traceroute, Finger, and Nslookup to get information about the network configuration and resources
– Other tools used:
• Ping scanner: an automated method for pinging a range of IP addresses
• Port scanner: determines which TCP and UDP ports are available on a particular computer or device
• Protocol analyzers are also useful for resource discovery because they allow you to capture packets and determine which protocols’ services are running

Page 43

Disabling Network Resources
Tomsho, Tittel, Johnson (2007)
• A denial-of-service (DoS) attack is an attacker’s attempt to tie up network bandwidth or network services so that it renders those resources useless to legitimate users
– Packet storms typically use the UDP protocol because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie up a server with invalid TCP sessions, thereby preventing real sessions from being created
– In a ping flood, a program sends a large number of ping packets to a host
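As an added example for this slide and the IDS slide above (not code from the textbook), a small detector that runs over constructed traffic records and raises one alert per source for the half-open SYN and ping flood patterns described here. The record layout, the traffic and the thresholds are assumptions; the second run with a badly tuned threshold shows the false positive the IDS slide warns about.

```python
from collections import defaultdict

# Added example: a detector for two of the attacks named on this slide, run
# over constructed traffic records. Thresholds are assumptions; a real IDS
# tunes them against the network's normal traffic to keep false positives down.
#
# Record layout: (time_s, src, dst, proto, info, sport)
#   proto "tcp":  info is the flag sent by src ("S" = SYN, "A" = ACK, "R" = RST)
#   proto "icmp": info is "echo-request"; sport is unused (0)


def build_sample_traffic():
    records = []
    # A legitimate client completing 30 handshakes (SYN, then ACK from the same port).
    for i in range(30):
        records.append((i * 0.1, "10.0.0.5", "10.0.0.80", "tcp", "S", 50000 + i))
        records.append((i * 0.1 + 0.01, "10.0.0.5", "10.0.0.80", "tcp", "A", 50000 + i))
    # A half-open SYN attack: 25 SYNs from different ports, never completed.
    for i in range(25):
        records.append((5 + i * 0.01, "198.51.100.7", "10.0.0.80", "tcp", "S", 40000 + i))
    # A benign host sending 5 pings in half a second.
    for i in range(5):
        records.append((6 + i * 0.1, "10.0.0.6", "10.0.0.80", "icmp", "echo-request", 0))
    # A ping flood: 60 echo requests in 0.3 s.
    for i in range(60):
        records.append((7 + i * 0.005, "198.51.100.9", "10.0.0.80", "icmp", "echo-request", 0))
    return records


def detect(records, syn_threshold=20, ping_threshold=50, window_s=1.0):
    """Return a list of (alert kind, source address), at most one alert per source and kind."""
    alerts = []
    half_open = defaultdict(set)   # src -> {(dst, sport)} SYNs not yet completed or reset
    pings = defaultdict(list)      # src -> timestamps of echo requests inside the window
    for t, src, dst, proto, info, sport in records:
        if proto == "tcp":
            if info == "S":
                half_open[src].add((dst, sport))
            elif info in ("A", "R"):              # final ACK or a reset closes the half-open entry
                half_open[src].discard((dst, sport))
            if len(half_open[src]) >= syn_threshold and ("syn-flood", src) not in alerts:
                alerts.append(("syn-flood", src))
        elif proto == "icmp" and info == "echo-request":
            stamps = pings[src]
            stamps.append(t)
            while stamps and t - stamps[0] > window_s:   # slide the window forward
                stamps.pop(0)
            if len(stamps) >= ping_threshold and ("ping-flood", src) not in alerts:
                alerts.append(("ping-flood", src))
    return alerts


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("tuned:", detect(traffic))
    # Too low a ping threshold flags the benign host: the false positive the IDS slide warns about.
    print("noisy:", detect(traffic, ping_threshold=3))
```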

Page 44

References
Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston: Thompson Course Technology.
Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide. Indianapolis: Cisco Press.
Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from http://en.wikipedia.org/wiki/OSI_Model
Wikipedia-IPSec (n.d.). IPsec. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Ipsec
Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Vpn
Wikipedia-firewall (n.d.). Firewall (Networking). Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Firewall
Wikipedia-NAT (n.d.). Network Address Translation. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Network_address_translation

