Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 6: Network Security
Objectives
• List the different types of network security devices and explain how they can be used
• Define network address translation and network access control
• Explain how to enhance security through network design
Security Through Network Devices
• Not all applications are designed and written with security in mind
  – Network must provide protection
• Networks with weak security invite attackers
• Aspects of building a secure network
  – Network devices
  – Network technologies
  – Design of the network itself
Standard Network Devices
• Security features found in network hardware
  – Provide basic level of security
• Open Systems Interconnection (OSI) model
  – Network devices classified based on function
  – Standards released in 1978, revised in 1983, still used today
  – Illustrates:
    • How a network device prepares data for delivery
    • How data is handled once received
Standard Network Devices (cont’d.)
• OSI model breaks networking steps into seven layers
  – Each layer has different networking tasks
  – Each layer cooperates with adjacent layers
Table 6-1 OSI reference model
Standard Network Devices (cont’d.)
• Hubs
  – Connect multiple Ethernet devices together:
    • To function as a single network segment
  – Use twisted-pair copper or fiber-optic cables
  – Work at Layer 1 of the OSI model
  – Do not read data passing through them
  – Ignorant of data source and destination
  – Rarely used today because of inherent security vulnerability
Standard Network Devices (cont’d.)
• Switches
  – Network switch connects network segments
  – Operate at Data Link Layer (Layer 2)
  – Determine which device is connected to each port
  – Can forward frames sent to that specific device
    • Or broadcast to all devices
  – Use MAC address to identify devices
  – Provide better security than hubs
Standard Network Devices (cont’d.)
• Network administrator should be able to monitor network traffic
  – Helps identify and troubleshoot network problems
• Traffic monitoring methods
  – Port mirroring
  – Network tap (test access point)
    • Separate device installed between two network devices
Figure 6-1 Port mirroring (© Cengage Learning 2012)
Figure 6-2 Network tap (© Cengage Learning 2012)
Table 6-2 Protecting the switch
Standard Network Devices (cont’d.)
• Routers
  – Forward packets across computer networks
  – Operate at Network Layer (Layer 3)
  – Can be set to filter out specific types of network traffic
• Load balancers
  – Help evenly distribute work across a network
  – Allocate requests among multiple devices
Standard Network Devices (cont’d.)
• Advantages of load-balancing technology
  – Reduces probability of overloading a single server
  – Optimizes bandwidth of network computers
  – Reduces network downtime
• Load balancing is achieved through software or a hardware device (load balancer)
Standard Network Devices (cont’d.)
• Security advantages of load balancing
  – Can stop attacks directed at a server or application
  – Can detect and prevent denial-of-service attacks
  – Some can deny attackers information about the network
    • Hide HTTP error pages
    • Remove server identification headers from HTTP responses
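The two information-hiding behaviours named above, hiding the backend's error pages and stripping server identification headers, can be modelled in a few lines. The following Python is an added example, not code from the textbook or from any load-balancer product; the header names in IDENTIFYING_HEADERS and the sample backend responses are constructed for illustration.

```python
# Header names (compared lowercase) that reveal the software behind the load balancer
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

# Generic page sent instead of the backend's own error page
GENERIC_ERROR_BODY = b"<html><body><h1>The request could not be completed.</h1></body></html>"


def sanitize_response(status: int, headers: dict, body: bytes):
    """Return (status, headers, body) as the balancer should send it to the client.

    Identifying headers are removed. For any 4xx/5xx status the backend's own
    error page (which may carry file paths, versions or stack traces) is
    replaced by a generic one, with Content-Type and Content-Length updated
    so the response stays well formed.
    """
    clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}
    if status >= 400:
        # drop the old length/type, then describe the replacement body
        clean = {k: v for k, v in clean.items()
                 if k.lower() not in ("content-type", "content-length")}
        body = GENERIC_ERROR_BODY
        clean["Content-Type"] = "text/html"
        clean["Content-Length"] = str(len(body))
    return status, clean, body


def leaks_server_identity(headers: dict) -> bool:
    """Check a captured response: does any header still identify the server software?"""
    return any(k.lower() in IDENTIFYING_HEADERS for k in headers)


# Constructed backend responses (product names and paths are made up)
BACKEND_ERROR = (
    500,
    {"Server": "ExampleHTTPd/1.2.3", "X-Powered-By": "ExampleFramework/4.5",
     "Content-Type": "text/html", "Content-Length": "87"},
    b"<html>Fatal error in /srv/app/db.py line 42: connection to db01.internal refused</html>",
)
BACKEND_OK = (
    200,
    {"Server": "ExampleHTTPd/1.2.3", "Content-Type": "text/plain", "Content-Length": "5"},
    b"hello",
)

if __name__ == "__main__":
    for resp in (BACKEND_ERROR, BACKEND_OK):
        status, headers, body = sanitize_response(*resp)
        print(status, headers, body[:40], "leaks:", leaks_server_identity(headers))
```

A 200 response keeps its body and only loses the identifying headers; an error response loses both the headers and the backend's page, so the client learns nothing about the internal host that failed.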
Network Security Hardware
• Specifically designed security hardware devices
  – Greater protection than standard networking devices
• Firewalls
  – Hardware-based network firewall inspects packets
  – Can either accept or deny packet entry
  – Usually located outside network security perimeter
Figure 6-3 Firewall location (© Cengage Learning 2012)
Network Security Hardware (cont’d.)
• Firewall actions on a packet
  – Allow (let packet pass through)
  – Block (drop packet)
  – Prompt (ask what action to take)
• Rule-based firewall settings
  – Set of individual instructions to control actions
• Settings-based firewall
  – Allows administrator to create parameters
Table 6-3 Rule for Web page transmission
Network Security Hardware (cont’d.)
• Methods of firewall packet filtering
  – Stateless packet filtering
    • Inspects incoming packet and permits or denies based on conditions set by administrator
  – Stateful packet filtering
    • Keeps record of state of connection
    • Makes decisions based on connection and conditions
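The difference between the two filtering methods is easiest to see on a rule like the Web-page rule of Table 6-3: outbound connections to TCP port 80 are allowed, and replies must be allowed back in. The Python below is an added example, not the textbook's or any vendor's code; the Packet fields, the two filters and the three constructed packets (documentation-range addresses, not real hosts) are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, reduced to the header fields a filter looks at."""
    src: str        # source IP address
    sport: int      # source TCP port
    dst: str        # destination IP address
    dport: int      # destination TCP port
    flags: str      # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    direction: str  # "out" = inside -> Internet, "in" = Internet -> inside


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule pair for Web browsing: permit outbound packets to TCP/80
    and permit inbound packets that look like replies (source port 80, ACK set).
    Each packet is judged on its own, so the filter cannot tell a genuine reply
    from an unsolicited inbound packet that merely carries the same header values."""
    if pkt.direction == "out" and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.sport == 80 and "A" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful filter: remembers connections opened from inside and admits
    inbound packets only when they belong to one of them."""

    def __init__(self) -> None:
        # (inside IP, inside port, outside IP, outside port) of every open connection
        self.connections: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        key_out = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            # a SYN without ACK to port 80 opens a new connection and is recorded
            if pkt.dport == 80 and "S" in pkt.flags and "A" not in pkt.flags:
                self.connections.add(key_out)
                return True
            return key_out in self.connections
        # inbound: swap the tuple so it matches how the connection was recorded
        key_in = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key_in in self.connections


# Constructed sample traffic
CLIENT, WEB_SERVER, OUTSIDER = "192.168.1.10", "203.0.113.5", "198.51.100.77"
SAMPLE_TRAFFIC = [
    Packet(CLIENT, 51000, WEB_SERVER, 80, "S", "out"),   # browser opens a connection
    Packet(WEB_SERVER, 80, CLIENT, 51000, "SA", "in"),   # genuine reply to that connection
    Packet(OUTSIDER, 80, CLIENT, 3389, "A", "in"),       # unsolicited packet shaped like a reply
]


def evaluate(packets):
    """Return [(stateless_decision, stateful_decision), ...] for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE_TRAFFIC, evaluate(SAMPLE_TRAFFIC)):
        print(f"{pkt.direction:>3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]"
              f"  stateless={'allow' if sl else 'deny'}  stateful={'allow' if sf else 'deny'}")
```

Both filters admit the first two packets. The third is admitted by the stateless filter because its header satisfies the "reply" rule, while the stateful filter denies it because no inside host ever opened a connection that it could be a reply to; that is exactly what "keeps record of state of connection" buys.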
Network Security Hardware (cont’d.)
• Web application firewall
  – Looks deeply into packets that carry HTTP traffic
    • Web browsers
    • FTP
    • Telnet
  – Can block specific sites or specific known attacks
  – Can block XSS and SQL injection attacks
Network Security Hardware (cont’d.)
• Proxies
  – Devices that substitute for primary devices
• Proxy server
  – Computer or application that intercepts and processes user requests
  – If a previous request has been fulfilled:
    • Copy of the Web page may reside in proxy server’s cache
  – If not, proxy server requests item from external Web server using its own IP address
Figure 6-4 Proxy server (© Cengage Learning 2012)
Figure 6-5 Configuring access to proxy servers (© Cengage Learning 2012)
Network Security Hardware (cont’d.)
• Proxy server advantages
  – Increased speed (requests served from the cache)
  – Reduced costs (cache reduces bandwidth required)
  – Improved management
    • Block specific Web pages or sites
  – Stronger security
    • Intercept malware
    • Hide client system’s IP address from the open Internet
Network Security Hardware (cont’d.)
• Reverse proxy
  – Does not serve clients
  – Routes incoming requests to correct server
  – Reverse proxy’s IP address is visible to outside users
    • Internal server’s IP address hidden
Figure 6-6 Reverse proxy (© Cengage Learning 2012)
Network Security Hardware (cont’d.)
• Spam filters
  – Enterprise-wide spam filters block spam before it reaches the host
• Email systems use two protocols
  – Simple Mail Transfer Protocol (SMTP)
    • Handles outgoing mail
  – Post Office Protocol (POP)
    • Handles incoming mail
Network Security Hardware (cont’d.)
• Spam filters installed with the SMTP server
  – Filter configured to listen on port 25
  – Pass non-spam e-mail to SMTP server listening on another port
  – Method prevents SMTP server from notifying spammer of failed message delivery
Figure 6-7 Spam filter with SMTP server (© Cengage Learning 2012)
Network Security Hardware (cont’d.)
• Spam filters installed on the POP3 server
  – All spam must first pass through SMTP server and be delivered to user’s mailbox
  – Can result in increased costs
    • Storage, transmission, backup, deletion
• Third-party entity contracted to filter spam
  – All email directed to third-party’s remote spam filter
  – E-mail cleansed before being redirected to organization
Figure 6-8 Spam filter on POP3 server (© Cengage Learning 2012)
Network Security Hardware (cont’d.)
• Virtual private network (VPN)
  – Uses unsecured network as if it were secure
  – All data transmitted between remote device and network is encrypted
• Types of VPNs
  – Remote-access
    • User to LAN connection
  – Site-to-site
    • Multiple sites can connect to other sites over the Internet
Network Security Hardware (cont’d.)
• Endpoints
  – Used in communicating VPN transmissions
  – May be software on local computer
  – May be VPN concentrator (hardware device)
  – May be integrated into another networking device
• VPNs can be software-based or hardware-based
  – Hardware-based generally have better security
  – Software-based have more flexibility in managing network traffic
Network Security Hardware (cont’d.)
• Internet content filters
  – Monitor Internet traffic
  – Block access to preselected Web sites and files
  – Unapproved sites identified by URL or matching keywords
Table 6-4 Internet content filter features
Network Security Hardware (cont’d.)
• Web security gateways
  – Can block malicious content in real time
  – Block content through application level filtering
• Examples of blocked Web traffic
  – ActiveX objects
  – Adware, spyware
  – Peer to peer file sharing
  – Script exploits
Network Security Hardware (cont’d.)
• Passive and active security can be used in a network
  – Active measures provide higher level of security
• Passive measures
  – Firewall
  – Internet content filter
• Intrusion detection system (IDS)
  – Active security measure
  – Can detect attack as it occurs
Network Security Hardware (cont’d.)
• Monitoring methodologies
  – Anomaly-based monitoring
    • Compares current detected behavior with baseline
  – Signature-based monitoring
    • Looks for well-known attack signature patterns
  – Behavior-based monitoring
    • Detects abnormal actions by processes or programs
    • Alerts user who decides whether to allow or block activity
  – Heuristic monitoring
    • Uses experience-based techniques
Table 6-5 Methodology comparisons to trap port-scanning application
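To make the signature-based versus anomaly-based contrast of the methodology list and Table 6-5 concrete, the following Python runs both methods over a small connection log in which two sources probe many ports. It is an added example, not code from the textbook or any IDS product: the log lines are constructed, the "known scanner" probe order in KNOWN_PROBE_ORDER is hypothetical, and the baseline of three services per source is assumed rather than learned.

```python
from collections import defaultdict

# Constructed connection log, one line per TCP connection attempt:
# time  source-IP  destination-IP  destination-port
SAMPLE_LOG = """\
10:00:01 192.168.1.20 10.0.0.5 443
10:00:02 192.168.1.20 10.0.0.5 443
10:00:05 192.168.1.31 10.0.0.8 80
10:00:07 198.51.100.9 10.0.0.5 21
10:00:07 198.51.100.9 10.0.0.5 22
10:00:07 198.51.100.9 10.0.0.5 23
10:00:07 198.51.100.9 10.0.0.5 25
10:00:07 198.51.100.9 10.0.0.5 80
10:00:08 198.51.100.9 10.0.0.5 110
10:00:08 198.51.100.9 10.0.0.5 143
10:00:08 198.51.100.9 10.0.0.5 443
10:00:09 192.168.1.20 10.0.0.5 443
10:00:12 203.0.113.40 10.0.0.8 8080
10:00:15 203.0.113.40 10.0.0.8 8443
10:00:19 203.0.113.40 10.0.0.8 9000
10:00:22 203.0.113.40 10.0.0.8 9001
10:00:25 203.0.113.40 10.0.0.8 9002
""".splitlines()

# Signature: the exact probe order a hypothetical known scanner is assumed to use
KNOWN_PROBE_ORDER = [21, 22, 23, 25]

# Baseline (assumed, normally learned from a quiet period): one source ordinarily
# talks to no more than this many distinct (host, port) services
BASELINE_MAX_SERVICES = 3


def parse(line):
    """Split one log line into (time, src, dst, port)."""
    t, src, dst, port = line.split()
    return t, src, dst, int(port)


def signature_detect(lines, signature=KNOWN_PROBE_ORDER):
    """Flag a source whose port sequence toward one destination contains the
    known signature. Precise for the known tool, blind to anything else."""
    sequences = defaultdict(list)
    for line in lines:
        _, src, dst, port = parse(line)
        sequences[(src, dst)].append(port)
    n = len(signature)
    hits = {src for (src, _), ports in sequences.items()
            if any(ports[i:i + n] == signature for i in range(len(ports) - n + 1))}
    return sorted(hits)


def anomaly_detect(lines, baseline=BASELINE_MAX_SERVICES):
    """Flag a source that contacts more distinct services than the baseline
    allows. Catches tools it has never seen, at the cost of possible false
    positives when legitimate traffic exceeds the baseline."""
    services = defaultdict(set)
    for line in lines:
        _, src, dst, port = parse(line)
        services[src].add((dst, port))
    return sorted(src for src, seen in services.items() if len(seen) > baseline)


def analyze(lines):
    """Run both methodologies and return their findings side by side."""
    return {"signature": signature_detect(lines), "anomaly": anomaly_detect(lines)}


if __name__ == "__main__":
    for method, sources in analyze(SAMPLE_LOG).items():
        print(f"{method:>9}: {sources}")
```

The signature method flags only 198.51.100.9, whose probe order matches the known pattern; the anomaly method flags 198.51.100.9 and also 203.0.113.40, which uses a different order and different ports but still exceeds the baseline. Neither flags 192.168.1.20, which repeatedly uses one service.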
Network Security Hardware (cont’d.)
• Host intrusion detection system (HIDS)
  – Software-based application that can detect attack as it occurs
  – Installed on each system needing protection
  – Monitors system calls and file system access
  – Can recognize unauthorized Registry modification
  – Monitors all input and output communications
    • Detects anomalous activity
Network Security Hardware (cont’d.)
• Disadvantages of HIDS
  – Cannot monitor network traffic that does not reach local system
  – All log data is stored locally
  – Resource-intensive and can slow system
Network Security Hardware (cont’d.)
• Network intrusion detection system (NIDS)
  – Watches for attacks on the network
  – NIDS sensors installed on firewalls and routers:
    • Gather information and report back to central device
  – Passive NIDS will sound an alarm
  – Active NIDS will sound alarm and take action
    • Actions may include filtering out intruder’s IP address or terminating TCP session
Table 6-6 NIDS evaluation techniques
Network Security Hardware (cont’d.)
• Network intrusion prevention system (NIPS)
  – Similar to active NIDS
  – Monitors network traffic to immediately block a malicious attack
  – NIPS sensors located in line on firewall itself
Network Security Hardware (cont’d.)
• All-in-one network security appliances
  – One integrated device replaces multiple security devices
• Recent trend:
  – Combining multipurpose security appliances with traditional device such as a router
  – Advantage of approach
    • Network devices already process all packets
    • Switch that contains anti-malware software can inspect all packets
Security Through Network Technologies
• Internet routers normally drop packets with a private address
• Network address translation (NAT)
  – Allows private IP addresses to be used on the public Internet
  – Replaces private IP address with public address
• Port address translation (PAT)
  – Variation of NAT
    • Outgoing packets given same IP address but different TCP port number
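A toy PAT gateway shows how the private-address ranges of Table 6-7, the address rewrite of NAT and the per-flow port assignment of PAT fit together, and why unsolicited inbound packets have nowhere to go. This Python is an added example, not the textbook's or any router's code; the PortAddressTranslator class, its starting port of 40000 and the sample addresses are assumptions for illustration. Only the RFC 1918 ranges count as private here because Python's own ipaddress.is_private also covers other reserved blocks.

```python
import ipaddress
from itertools import count

# The private ranges of RFC 1918 (the ones Table 6-7 lists), spelled out explicitly
RFC1918_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True when ip falls in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_RANGES)


class PortAddressTranslator:
    """Toy PAT gateway (assumed design, for illustration).

    Every inside host leaves with the gateway's single public address; each
    outbound flow is given its own public source port; replies are mapped
    back through that port. Inbound packets with no matching flow are dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside -> Internet header; returns the new (src, sport, dst, dport)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to translate")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = (src_ip, src_port)
        return self.public_ip, self.outbound[key], dst_ip, dst_port

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the inside host, or return None (drop) when no flow matches."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        priv_ip, priv_port = self.inbound[dst_port]
        return src_ip, src_port, priv_ip, priv_port


if __name__ == "__main__":
    gw = PortAddressTranslator("198.51.100.1")          # constructed public address
    print(gw.translate_outbound("192.168.1.10", 51000, "203.0.113.5", 80))
    print(gw.translate_outbound("192.168.1.11", 51000, "203.0.113.5", 80))
    print(gw.translate_inbound("203.0.113.5", 80, "198.51.100.1", 40001))
    print(gw.translate_inbound("203.0.113.5", 80, "198.51.100.1", 40999))   # None: dropped
```

Two inside hosts using the same local port get distinct public ports, so their replies are told apart by port alone; that is the "same IP address but different TCP port number" of PAT. The None on the last line is the masking advantage: an outside host that has not been contacted has no port mapping to reach an internal device through.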
Table 6-7 Private IP addresses
Figure 6-9 Network address translation (NAT) (© Cengage Learning 2012)
Security Through Network Technologies (cont’d.)
• Advantages of NAT
  – Masks IP addresses of internal devices
  – Allows multiple devices to share smaller number of public IP addresses
• Network access control (NAC)
  – Examines current state of system or network device:
    • Before allowing network connection
  – Device must meet set of criteria
    • If not met, NAC allows connection to quarantine network until deficiencies corrected
Figure 6-10 Network access control framework (© Cengage Learning 2012)
Security Through Network Design Elements
• Elements of a secure network design
  – Demilitarized zones
  – Subnetting
  – Virtual LANs
  – Remote access
Demilitarized Zone (DMZ)
• Separate network located outside secure network perimeter
• Untrusted outside users can access DMZ but not secure network
Figure 6-11 DMZ with one firewall (© Cengage Learning 2012)
Figure 6-12 DMZ with two firewalls (© Cengage Learning 2012)
Subnetting
• IP address may be split anywhere within its 32 bits
• Network can be divided into three parts
  – Network
  – Subnet
  – Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts
Subnetting (cont’d.)
• Improves network security by isolating groups of hosts
• Allows administrators to hide internal network layout
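The network/subnet/host split of a 32-bit address, and the isolation it gives, can be worked through with Python's standard ipaddress module. This is an added example, not the textbook's code; the /16 network, the /18 subnet size and the host addresses are constructed values.

```python
import ipaddress


def split_network(network: str, new_prefix: int):
    """Divide one network into equal subnets with prefix length new_prefix."""
    net = ipaddress.ip_network(network)
    return [str(subnet) for subnet in net.subnets(new_prefix=new_prefix)]


def locate(host: str, subnets):
    """Return the subnet (as a string) that contains host, or None if it is outside all of them."""
    addr = ipaddress.ip_address(host)
    for subnet in subnets:
        if addr in ipaddress.ip_network(subnet):
            return subnet
    return None


def address_parts(host: str, network: str, new_prefix: int):
    """Show where the 32 bits of host are split into network, subnet and host
    fields, given the organisation's network and the chosen subnet prefix."""
    net = ipaddress.ip_network(network)
    bits = f"{int(ipaddress.ip_address(host)):032b}"
    host_bits = 32 - new_prefix
    return {
        "network": bits[:net.prefixlen],
        "subnet": bits[net.prefixlen:new_prefix],
        "host": bits[new_prefix:],
        # network and broadcast addresses are not assignable to hosts
        "usable_hosts_per_subnet": 2 ** host_bits - 2,
    }


def same_subnet(a: str, b: str, subnets) -> bool:
    """True when both hosts sit in one of the listed subnets and it is the same one.
    Hosts in different subnets only reach each other through a router, which is
    where filtering can be applied."""
    sa, sb = locate(a, subnets), locate(b, subnets)
    return sa is not None and sa == sb


if __name__ == "__main__":
    subnets = split_network("10.20.0.0/16", 18)          # constructed: a /16 cut into four /18s
    print(subnets)
    print(address_parts("10.20.130.7", "10.20.0.0/16", 18))
    print(locate("10.20.130.7", subnets), same_subnet("10.20.130.7", "10.20.1.1", subnets))
```

With a /16 cut into /18 subnets, two bits select the subnet and fourteen bits select the host, so each subnet holds 16382 usable addresses. A host in 10.20.128.0/18 and a host in 10.20.0.0/18 are on different subnets, which is the isolation the slides describe.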
Table 6-8 Advantages of subnetting
Figure 6-13 Subnets (© Cengage Learning 2012)
Virtual LANs (VLAN)
• Allow scattered users to be logically grouped together:
  – Even if attached to different switches
• Can isolate sensitive data to VLAN members
• Communication on a VLAN
  – If connected to same switch, switch handles packet transfer
  – Special “tagging” protocol used for communicating between switches
Remote Access
• Working away from the office is commonplace today
  – Telecommuters
  – Traveling sales representatives
  – Traveling workers
• Strong security for remote workers must be maintained
  – Transmissions are routed through networks not managed by the organization
• Provides same functionality as local users
  – Through VPN or dial-up connection
Summary
• Standard network security devices provide a degree of security
  – Hubs, switches, routers, load balancers
• Hardware devices specifically designed for security give higher protection level
  – Hardware-based firewall, Web application firewall
• Proxy server intercepts and processes user requests
• Virtual private network uses unsecured public network and encryption to provide security
Summary (cont’d.)
• Intrusion detection system designed to detect attack as it occurs
• Network technologies can help secure a network
  – Network address translation
  – Network access control
• Methods for designing a secure network
  – Demilitarized zones
  – Virtual LANs