Security Awareness: Applying Practical Security in Your World Chapter 5: Network Security.

Security Awareness: Applying Security Awareness: Applying Practical Security in Your Practical Security in Your

WorldWorld

Chapter 5: Network SecurityChapter 5: Network Security

Security Awareness: Applying Practical Security in Your World 2

ObjectivesObjectives

Give an overview of how networks work

List and describe three types of network attacks

Explain how network defenses can be used to enhance a network security perimeter

Tell how a wireless local area network (WLAN) functions and list some of its security features


Network Security Network Security

Computer networks in organizations are prime targets for hackers.

Computer networks are also found in homes The growth of home networks has resulted in more

attacks


How Networks Work How Networks Work

Personal computers Isolated from other computers (See Figure 5-1) Function limited to the hardware, software, and

data on that one computer

Computer network Interconnected computers and devices (See Figure 5-2) Sharing increases functionality, reduces costs, and

increases accuracy


How Networks Work (continued)How Networks Work (continued)


How Networks Work (continued)How Networks Work (continued)


Types of NetworksTypes of Networks

Local area network (LAN) A network of computers located relatively close to each other

Wide area network (WAN) A network of computers geographically dispersed


Types of Networks (continued)Types of Networks (continued)


Transmitting DataTransmitting Data

Protocols Sets of rules used by sending and receiving devices to transmit data Both sender and receiver must use same set of rules

Transmission Control Protocol/Internet Protocol (TCP/IP) Most common protocol in use IP Address Unique number assigned to each

device on a TCP/IP network that identifies it from all other devices

Data is divided into smaller units called packets for transmission through a network(See Figure 5-4)


Figure 5-4Figure 5-4


Devices on a NetworkDevices on a Network

Different types of equipment perform different functions Many devices are responsible for sending packets

through the LAN or across a WAN

Router Directs packets “toward” their destination

Network perimeter Line of defense around a network made up of products, procedures and people (See Figure 5-5)


Devices on a Network (continued)Devices on a Network (continued)


Network AttacksNetwork Attacks

Hackers attack network perimeters in different ways Attacks include:

Denial of Service (DoS)

Man-in-the-Middle

Spoofing


Denial of Service (DoS)Denial of Service (DoS)

Normal conditions Computers contact a server with a request

Denial of Service (DoS) Server is flooded with requests, making it unavailable to legitimate users(See Figure 5-6) Attacking computers programmed not to reply to

the server’s response Server “holds the line open” for each request

(See Figure 5-7) and eventually runs out of resources as more requests are received


Denial of Service (DoS) Denial of Service (DoS) (continued)(continued)


Denial of Service (DoS) Denial of Service (DoS) (continued)(continued)


Distributed Denial of Service Distributed Denial of Service (DDoS)(DDoS)

Distributed Denial of Service (DDoS) Variant of a DoS that uses many computers to attack a target Hacker finds a handler Special software is loaded on the handler and it

searches for zombies Software is loaded on the zombies without the user’s

knowledge Eventually that hacker instructs all zombies to flood

a particular server


Man-in-the-MiddleMan-in-the-Middle

Man-in-the-Middle Two computers are tricked into thinking they are communicating with each other when there is actually a hidden third party between them (See Figure 5-8) Communications can be monitored or modified


Man-in-the-Middle (continued)Man-in-the-Middle (continued)


SpoofingSpoofing Spoofing Pretending to be the legitimate owner

IP Address Spoofing False IP address inserted into packets

ARP Spoofing ARP table changed to redirect packets (See Figure 5-10)

ARP table Address Resolution Protocol table stores list of MAC addresses and corresponding IP addresses (See Figure 5-9)

MAC Address* Media Access Control address is the hardware address of the Network Interface Card (NIC)


Spoofing (continued)Spoofing (continued)


Spoofing (continued)Spoofing (continued)


Network DefensesNetwork Defenses

Three groups of networks defenses:

Devices

Configurations

Countermeasures


DevicesDevices

Firewalls Designed to prevent malicious packets from entering Typically outside the security perimeter

(See Figure 5-11)

Software based Runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network

Hardware based separate devices that protect the entire network (network firewalls)


Devices (continued)Devices (continued)



Firewall rule base AKA Access control list (ACL) Establishes what action the firewall should take when it receives a packet Allow

Block

Prompt

Should reflect the organization's security policy



Stateless packet filtering Allows or denies packets based strictly on the rule base

Stateful packet filtering Keeps a record of the state of a connection Makes decisions based on the rule base and the

connection



Intrusion Detection System (IDS) Examines the activity on a network Goal is to detect intrusions and take action

Two types of IDS: Host-based IDS Installed on a server or other

computers (sometimes all) Monitors traffic to and from that particular computer

Network-based IDS Located behind the firewall and monitors all network traffic (See Figure 5-12)





Network Address Translation (NAT) Systems Hides the IP address of network devices Located just behind the firewall

(See Figure 5-13)

NAT device uses an alias IP address in place of the sending machine’s real one (See Figure 5-14)

“You cannot attack what you can’t see”







Proxy Server Operates similar to NAT, but also examines packets to look for malicious content Replaces the protected computer’s IP address with

the proxy server’s address

Protected computers never have a direct connection outside the network The proxy server intercepts requests

(See Figure 5-15)

Acts “on behalf of” the requesting client




Network DesignNetwork Design

The key to effective network design is a single point of entry into a network Difficult to maintain Employees or others may bypass security by

installing unauthorized entry points (See Figure 5-16)

Common design tools:Demilitarized Zones (DMZ)

Virtual Private Networks (VPNs)


Network Design (continued)Network Design (continued)



Demilitarized Zones (DMZ) Another network that sits outside the secure network perimeter Outside users can access the DMZ, but not the

secure network (See Figure 5-17)

Some DMZs use two firewalls (See Figure 5-18) This prevents outside users from even accessing the

internal firewall Provides an additional layer of security







Virtual Private Networks (VPNs) A secure network connection over a public network (See Figure 5-19) Allows mobile users to securely access information

Sets up a unique connection called a tunnel





Advantages of VPNs: Low cost

Flexibility

Security

Standards



Honeypots Computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations (See Figure 5-21) Intentionally configured with security holes

Goals: Direct attacker’s attention away from real targets

Examine the techniques used by hackers




Components of a WLANComponents of a WLAN

Wireless network interface card (WNIC) Card inserted into the wireless device that sends and receives signals from the access point

Access point (AP) Acts as the base station and is connected to the wired network Multiple access points allow ease of roaming

(See Figure 5-22)


Components of a WLAN Components of a WLAN (continued)(continued)


Security in a WLANSecurity in a WLAN

WLANs include a different set of security issues

Steps to secure: Turn off broadcast information

MAC address filtering

WEP encryption

Password protect the access point

Physically secure the access point

Use enhanced WLAN security standards whenever possible


SummarySummary

A computer network allows users to share hardware, programs and data. Two types of computer networks are:

Local area network (LAN) computers all close together

Wide area network (WAN) Computers geographically dispersed

On most networks, each computer or device must be assigned a unique address called the IP address.


Summary (continued) Summary (continued)

Hackers attacks network perimeters in several ways: Denial of Service (DoS)

Distributed Denial of Service (DDoS)

Man-in-the-Middle

Spoofing


Summary (continued)Summary (continued)

There are devices that can be installed to make the network perimeter more secure. Firewalls

Hardware or software based

Intrusion-detection system (IDS) Host-based or network-based

Network Address Translation (NAT)

Proxy server



Network security can be enhanced by its design. Single point of entry is best, but hard to maintain

Technologies frequently used to enhance secure network design: Demilitarized zones (DMZ)

Virtual private networks (VPNs)

Honeypots



Wireless local area networks are becoming increasingly common. Two basic components:

Wireless network interface card (WNIC)

Access point (AP)

Securing a WLAN requires additional steps beyond those required for a wired network.

Date post:	20-Dec-2015
Category:	Documents
View:	219 times
Download:	0 times

Security Awareness: Applying Practical Security in Your World Chapter 5: Network Security.

Documents