Date post: | 09-Jul-2015 |
Category: |
Documents |
Upload: | networksguy |
View: | 292 times |
Download: | 0 times |
Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security FundamentalsSecond Edition
Objectives
Work with the network cable plant Secure removable media Harden network devices Design network topologies
Network Cable Plant
Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
Three types of transmission media:• Coaxial cables• Twisted-pair cables• Fiber-optic cables
Coaxial Cables
Coaxial cable was main type of copper cabling used in computer networks for many years
Has a single copper wire at its center surrounded by insulation and shielding
Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding
There were two types of coax Ethernet installations: Thicknet and Thinnet
Thicknet and Thinnet
Thicknet, also known as 10Base5 was the first coax Ethernet installation.• The 10 stands for 10Mbps, the Base is for
baseband signaling and the 5 is 500m signal propagation or max. cable run
• Thicknet used “vampire taps” to add transceivers.
Thinnet, also known as 10Base2 was the second coax Ethernet Installation.• The 2 in 10Base2 stands for the 185m
max. cable run rounded up to 2
Coaxial Cables (continued)
Thin coaxial cable looks similar to the cable that carries a cable TV signal
A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself
The copper mesh protects the core from interference
BNC connectors: connectors used on the ends of a thin coaxial cable http://en.wikipedia.org/wiki/BNC_connector
Coaxial Cables (continued)
Twisted-Pair Cables
Standard for copper cabling used in computer networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued)
Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
Unshielded twisted-pair (UTP) cables do not have any shielding
Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmit light impulses
A glass tube (cladding) surrounds the core The core and cladding are protected by a
jackethttp://en.wikipedia.org/wiki/Fiber_optic
http://www.jimhayes.com/lennielw/fiber.html
Fiber-Optic Cables (continued)
Classified by the diameter of the core and the diameter of the cladding• Diameters are measured in microns, each
is about 1/25,000 of an inch or one-millionth of a meter (125 microns)
Two types:• Single-mode: used when data must be
transmitted over long distances and has a core of about 9 microns and uses lasers as its light source
• Multimode: supports many simultaneous light transmissions, generated by light-emitting diodes with a core of 62.5 microns
Securing the Cable Plant
Securing cabling outside the protected network is not the primary security issue for most organizations
Focus is on protecting access to the cable plant in the internal network
An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will
Securing the Cable Plant
The attacker can capture packets as they travel through the network by sniffing• The hardware or software that performs
such functions is called a sniffer Physical security
• First line of defense• Protects the equipment and infrastructure
itself• Has one primary goal: to prevent
unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it
Securing Removable Media Securing critical information stored on a
file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
An employee copying data to a floppy disk or CD and carrying it home poses two risks:• Storage media could be lost or stolen,
compromising the information• A worm or virus could be introduced to the
media, potentially damaging the stored information and infecting the network
Magnetic Media
Record information by changing the magnetic direction of particles on a platter
Floppy disks were some of the first magnetic media developed
The capacity of today’s 3 1/2-inch disks are 14 MB
Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
Magnetic tape drives record information in a serial fashion
Optical Media
Optical media use a principle for recording information different from magnetic media
A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
Capacity of optical discs varies by type A Compact Disc-Recordable (CD-R) disc
can record up to 650 MB of data• A DVD can record from 4GB to 16GB
Data cannot be changed once recorded
Electronic Media
Electronic media use flash memory for storage• Flash memory is a solid state storage
device―everything is electronic, with no moving or mechanical parts
SmartMedia cards range in capacity from 2 MB to 128 MB
The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick
Electronic Media (continued)
CompactFlash card • Consists of a small circuit board with flash
memory chips and a dedicated controller chip encased in a shell
• Come in 33 mm and 55 mm thicknesses and store between 8MB and 192 MB of data
USB memory stick is becoming very popular • Can hold between 8 MB and 1 GB of
memory• USB hard drives range from 5GB to 40GB
and above.
Keeping Removable Media Secure
Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers
Hardening Network Devices
Each device that is connected to a network is a potential target of an attack and must be properly protected
Network devices to be hardened categorized as:• Standard network devices• Communication devices• Network security devices
Hardening Standard Network Devices
A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
This equipment has basic security features that you can use to harden the devices
Workstations and Servers
Workstation: personal computer attached to a network (also called a client)• Connected to a LAN and shares resources
with other workstations and network equipment
• Can be used independently of the network and can have their own applications installed
Server: computer on a network dedicated to managing and controlling network services.• Examples are file servers, print servers and
Domain Controllers.
Switches and Routers
Switch• Most commonly used in Ethernet LANs• Receives a packet from one network device
and sends it to the destination device only• Limits the collision domain (part of network
on which multiple devices may attempt to send packets simultaneously)
A switch is used within a single network Routers connect two or more single
networks to form a larger network
Switches and Routers
Switches and routers must also be protected against attacks
Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
Software agents are loaded onto each network device to be managed
Switches and Routers - SNMP
Each agent monitors network traffic and stores that information in its management information base (MIB)
A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
Remote Access Servers
Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network
Remote Access Servers
Remote Access Servers
Remote access clients can run almost all network-based applications without modification• Possible because remote access
technology supports both drive letters and universal naming convention (UNC) names
VPNs
VPN stands for Virtual Private Network VPNs come in two flavors:
• Site-to-site (also called LAN-to-LAN)• Remote acess
Site-to-site VPNs securely connect two or more distant locations over the public Internet.• IPSec and IKE are the two protocols that provide
authentication, encryption and integrity checking. Remote access VPNs allow mobile users the
ability to securely connect from home or on the road to the business network.• Remote access VPNs also use IPSec and IKE but
can also use SSL connections via their web browser.
Hardening Network Security Devices
The final category of network devices includes those designed and used strictly to protect the network
Include:• Firewalls• Intrusion-detection systems• Network monitoring and diagnostic devices
Firewalls
Typically used to filter packets Designed to prevent malicious packets
from entering the network or its computers (sometimes called a packet filter)
Typically located outside the network security perimeter as first line of defense
Can be software or hardware configurations
Firewalls (continued)
Software firewall runs as a program on a local computer (sometimes known as a personal firewall)• Enterprise firewalls are software firewalls
designed to run on a dedicated device and protect a network instead of only one computer
• One disadvantage is that it is only as strong as the operating system of the computer
Firewalls (continued)
Filter packets in one of two ways:• Stateless packet filtering: permits or denies
each packet based strictly on the rule base• Stateful packet filtering: records state of a
connection between an internal computer and an external server; makes decisions based on connection and rule base
Can perform content filtering to block access to undesirable Web sites
Firewalls (continued)
An application layer firewall can defend against worms better than other kinds of firewalls• Reassembles and analyzes packet streams
instead of examining individual packets
Intrusion-Detection Systems (IDS)
Devices that establish and maintain network security
Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source• Installed on the server or, in some
instances, on all computers on the network Passive IDS sends information about
what happened, but does not take action
Intrusion-Detection Systems (IDS)
Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity
Network-based IDS monitors all network traffic instead of only the activity on a computer • Typically located just behind the firewall
Other IDS systems are based on behavior:• Watch network activity and report abnormal
behavior• May result in false alarms (false positives)http://www.sans.org/resources/idfaq/ http://www.securityfocus.com/infocus/1670
Network Monitoring and Diagnostic Devices
SNMP enables network administrators to:• Monitor network performance• Find and solve network problems• Plan for network growth
Managed device:• Network device that contains an SNMP
agent• Collects and stores management
information and makes it available to SNMP
Designing Network Topologies
Topology: physical layout of the network devices, how they are interconnected, and how they communicate
Essential to establishing its security Although network topologies can be
modified for security reasons, the network still must reflect the needs of the organization and users
Security Zones
One of the keys to mapping the topology of a network is to separate secure users from outsiders through:• Demilitarized Zones (DMZs) • Intranets• Extranets
Demilitarized Zones (DMZs)
Separate networks that sit outside the secure network perimeter
Outside users can access the DMZ, but cannot enter the secure network
The types of servers that should be located in the DMZ include:• Web servers • E-mail servers• Remote access servers• FTP servers
Demilitarized Zone (DMZ)
Network Address Translation (NAT)
“You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
Hides the IP addresses of network devices from attackers
Computers are assigned special IP addresses (known as private addresses)
RFC 1918 addresses• 10.0.0.0 – 10.255.255.255• 172.16.0.0 – 172.31.255.255• 192.168.0.0 – 192.168.255.255
These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
Port address translation (PAT) is a variation of NAT
Each packet is given the same IP address, but a different TCP port number
Network Address Translation (NAT)
Honeypots
Computers located in a DMZ loaded with software and data files that appear to be authentic
Intended to trap or trick attackers Two-fold purpose:
• To direct attacker’s attention away from real servers on the network
• To examine techniques used by attackers
Honeypots (continued)
Virtual LANs (VLANs)
Segment a network with switches to divide the network into a hierarchy
Core switches reside at the top of the hierarchy and carry traffic between switches
Workgroup switches are connected directly to the devices on the network
Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
Virtual LANs (VLANs)
Virtual LANs (VLANs)
Segment a network by grouping similar users together
Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
Summary
Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
Removable media used to store information include:• Magnetic storage (removable disks, hard
drives)• Optical storage (CD and DVD)• Electronic storage (USB memory sticks,
FlashCards)
Summary (continued)
Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
A network’s topology plays a critical role in resisting attackers
Hiding the IP address of a network device can help disguise it so that an attacker cannot find it