Devices

Chapter 9

Learning Objectives

Understand the purpose of a network firewall and the kinds of firewall technology available on the market

Understand the role of routers, switches, and other networking hardware in security

Determine when VPN or RAS technology works to provide a secure network connection

Firewalls

Hardware or software device that provides means of securing a computer or network from unwanted intrusion Dedicated physical device that protects

network from intrusion Software feature added to a router, switch, or

other device that prevents traffic to or from part of a network

Management Cycle forFirewall Protection

1. Draft a written security policy

2. Design the firewall to implement the policy

3. Implement the design by installing selected hardware and software

4. Test the firewall

5. Review new threats, requirements for additional security, and updates to systems and software; repeat process from first step

Drafting a Security Policy

What am I protecting? From whom? What services does my company need to

access over the network? Who gets access to what resources? Who administers the network?

Available Targets and Who Is Aiming at Them

Common areas of attack Web servers Mail servers FTP servers Databases

Intruders Sport hackers Malicious hackers

Who Gets Access to Which Resources?

List employees or groups of employees along with files and file servers and databases and database servers they need to access

List which employees need remote access to the network

Who Administers the Network?

Determine individual(s) and scope of individual management control

Designing the Firewallto Implement the Policy

Select appropriate technology to deploy the firewall

What Do Firewalls Protect Against?

Denial of service (DoS) Ping of death Teardrop or Raindrop attacks SYN flood LAND attack Brute force or smurf attacks IP spoofing

How Do Firewalls Work?

Network address translation (NAT) Basic packet filtering Stateful packet inspection (SPI) Access control lists (ACL)

Network Address Translation (NAT)

Only technique used by basic firewalls Enables a LAN to use one set of IP addresses for

internal traffic and a second set for external traffic

Each active connection requires a unique external address for duration of communication

Port address translation (PAT) Derivative of NAT Supports thousands of simultaneous connections on a

single public IP address

Basic Packet Filtering

Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules

Can be configured to screen information based on many data fields:

Protocol type IP address TCP/UDP port Source routing information

Stateful Packet Inspection (SPI)

Controls access to network by analyzing incoming/outgoing packets and letting them pass or not based on IP addresses of source and destination

Examines a packet based on information in its header Enhances security by allowing the filter to

distinguish on which side of firewall a connection was initiated; essential to blocking IP spoofing attaches

Access Control Lists (ACL)

Rules built according to organizational policy that defines who can access portions of the network

Access-list 101 permit tcp any 1.2.1.222 0.0.0.0 eq 80 Access-list 101 deny ip any 1.2.1.222 0.0.0.0

Routers

Network management device that sits between network segments and routes traffic from one network to another

Allows networks to communicate with one another

Allows Internet to function Act as digital traffic cop (with addition of

packet filtering)

How a Router Moves Information

Examines electronic envelope surrounding a packet; compares address to list of addresses contained in router’s lookup tables

Determines which router to send the packet to next, based on changing network conditions

How a Router Moves Information

Beyond the Firewall

Demilitarized zone (DMZ) Bastion hosts (potentially)

Demilitarized Zone

Area set aside for servers that are publicly accessible or have lower security requirements

Sits between the Internet and internal network’s line of defense

Stateful device fully protects other internal systems Packet filter allows external traffic only to services

provided by DMZ servers Allows a company to host its own Internet

services without sacrificing unauthorized access to its private network

Bastion Hosts

Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services

Gateway between an inside network and an outside network

Defends against attacks aimed at the inside network; used as a security measure

Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled

Do not share authentication services with trusted hosts within the network

Application Gateways

Also known as proxy servers Monitor specific applications (FTP, HTTP,

Telnet) Allow packets accessing those services to

go to only those computers that are allowed

Good backup to packet filtering

Application Gateways

Security advantages Information hiding Robust authentication and logging Simpler filtering rules

Disadvantage Two steps are required to connect inbound or

outbound traffic; can increase processor overhead

OSI Reference Model

Architecture that classifies most network functions

Seven layers Application Presentation Session Transport Network Data-Link Physical

The OSI Stack

Layers 4 and 5 Where TCP and UDP ports that control

communication sessions operate Layer 3

Routes IP packets Layer 2

Delivers data frames across LANs

Limitations of Packet-Filtering Routers

ACL can become long, complicated, and difficult to manage and comprehend

Throughput decreases as number of rules being processed increases

Unable to determine specific content or data of packets at layers 3 through 5

Switches

Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task

Reduce collision domain to two nodes (switch and host)

Main benefit over hubs Separation of collision domains limits the possibility

of sniffing

Switches

Switch Security

ACLs Virtual Local Area Networks (VLANs)

Virtual Local Area Network

Uses public wires to connect nodes Broadcast domain within a switched network Uses encryption and other security mechanisms

to ensure that Only authorized users can access the network Data cannot be intercepted

Clusters users in smaller groups Increases security from hackers Reduces possibility of broadcast storm

Security Problems with Switches

Common ways of switch hijacking Try default passwords which may not have

been changed Sniff network to get administrator password

via SNMP or Telnet

Securing a Switch

Isolate all management interfaces Manage switch by physical connection to a

serial port or through secure shell (SSH) or other encrypted method

Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping

continued…

Securing a Switch

Put switch behind dedicated firewall device

Maintain the switch; install latest version of software and security patches

Read product documentation Set strong passwords

Quick Quiz

The process by which a private IP address in a corporate network is translated into a public address by a router or firewall is called_____________

True or False: Advanced firewalls use stateful packet inspection to improve security.

A computer providing public network services that resides inside a corporate network but outside its firewall is called a ______.

True or False: IP packets are routed by layer 2 of the OSI model.

A feature available in some switches that permit separating the switch into multiple broadcast domains is called _________.

Wireless

Almost anyone can eavesdrop on a network communication

Encryption is the only secure method of communicating with wireless technology

Modems

DSL versus Cable Modem Security

DSL Direct connection between computer/network and the

Internet Cable modem

Connected to a shared segment; party line Most have basic firewall capabilities to prevent files

from being viewed or downloaded Most implement the Data Over Cable Service

Interface Specification (DOCSIS) for authentication and packet filtering

Dynamic versus Static IP Addressing

Static IP addresses Provide a fixed target for potential hackers

Dynamic IP addresses Provide enhanced security By changing IP addresses of client machines,

DHCP server makes them moving targets for potential hackers

Assigned by the Dynamic Host Configuration Protocol (DHCP)

Remote Access Service (RAS)

Provides a mechanism for one computer to securely dial in to another computer

Treats modem as an extension of the network

Includes encryption and logging Accepts incoming calls Should be placed in the DMZ

Security Problems with RAS

Behind physical firewall; potential for network to be compromised

Most RAS systems offer encryption and callback as features to enhance security

Telecom/Private Branch Exchange (PBX)

PBX Private phone system that offers features such

as voicemail, call forwarding, and conference calling

Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

IP-Based PBX

PBX Security Concerns

Remote PBX management Hoteling or job sharing

Many move codes are standardized and posted on the Internet

Virtual Private Networks

Provide secure communication pathway or tunnel through public networks (eg, Internet)

Lowest levels of TCP/IP are implemented using existing TCP/IP connection

Encrypts either underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery

Further enhances security by implementing Internet Protocol Security (IPSec)

Intrusion Detection Systems (IDS)

Monitor networks and report on unauthorized attempts to access any part of the system

Available from many vendors Forms

Software (computer-based IDS) Dedicated hardware devices (network-based IDS)

Types of detection Anomaly-based detection Signature-based detection

Computer-based IDS

Software applications (“agents”) are installed on each protected computer

Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails

Compare these to a list of specific rules Report discrepancies

Can be self-contained or remotely managed Easy to upgrade software, but do not scale well

Network-based IDS

Monitors activity on a specific network segment

Dedicated platforms with two components Sensor

Passively analyzes network traffic Management system

Displays alarm information from the sensor

Anomaly-based Detection

Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles

Often leads to large number of false positives Users do not access computers/network in static,

predictable ways Cost of building a sensor that could hold enough

memory to contain the entire profile and time to process the profiles is prohibitively large

Signature-based Detection

Similar to antivirus program in its method of detecting potential attacks

Vendors produce a list of signatures used by the IDS to compare against activity on the network or host

When a match is found, the IDS take some action (eg, logging the event)

Can produce false positives; normal network activity may be construed as malicious

Network Monitoring and Diagnostics

Essential steps in ensuring safety and health of a network (along with IDS)

Can be either stand-alone or part of a network-monitoring platform HP’s OpenView IBM’s Netview/AIX Fidelia’s NetVigil Aprisma’s Spectrum

Ensuring Workstation andServer Security

Remove unnecessary protocols such as NetBIOS or IPX

Remove unnecessary user accounts Remove unnecessary shares Rename the administrator account Use strong passwords

Personal Firewall Software Packages

Offer application-level blocking, packet filtering, and can put your computer into stealth mode by turning off most if not all ports

Many products available, including: Norton Firewall ZoneAlarm Black Ice Defender Tiny Software’s Personal Firewall

Firewall Product Example

Antivirus Software Packages

Necessary even on a secure network Many vendors, including:

McAffee Norton Computer Associates Network Associates

Mobile Devices

Can open security holes for any computer with which these devices communicate

Chapter Summary

Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques: Routers Switches Modems Various software packages designed to run on

servers, workstations, and PDAs

continued…

Chapter Summary

Virtual private networks (VPNs) Private branch exchanges (PBX) Remote Access Services (RAS)

Quick Quiz

The standard used to help secure cable modem communications is called ____________

True or False: Static IP addressing is the most secure form of addressing.

True or False: RAS should be placed in the DMZ. A _____________ is used to provide a secure

communication channel through the public Internet ______________ based IDS uses statistical profiles.