
5-Network Defenses


Presentation Transcript


  1. 5-Network Defenses Dr. John P. Abraham Professor UTPA

  2. Introduction • A common mistake in network security • Attempt to patch vulnerabilities in a weak network that was poorly conceived and implemented from the start • Securing a network begins with the design of the network and includes secure network technologies

  3. Crafting a Secure Network • Security through design • Subnetting, VLAN, DMZ, etc. • Security through network technologies • NAT, NAC, etc. • Network Security Devices • Firewall, proxy server, honeypot, NIDS, etc. • Intrusion Prevention Systems

  4. Security through Network Design: Subnetting • IP addresses are actually two addresses: one part is a network address and one part is a host address • Classful addressing: the split between the network and host portions of the IP address originally was set on the boundaries between the bytes • Subnetting or subnet addressing allows an IP address to be split anywhere • Networks can essentially be divided into three parts: network, subnet, and host (Source: Security+ Guide to Network Security Fundamentals, Third Edition)

  5. Subnetting • Isolates organizational groups • Decreased network traffic • Improved troubleshooting • Improved utilization of addresses • Minimal impact on external routers • Better organization
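An added example (not from the slides) showing the three-part split from slide 4: the classful byte boundary gives the network portion, the extra mask bits form the subnet portion, and the rest is the host portion. The addresses and the /20 mask are constructed for illustration; the point is that two hosts that share a classful network can still be isolated into different subnets.

```python
import ipaddress

def classful_prefix(addr: str) -> int:
    """Historical byte-boundary split: the network part ends at /8, /16 or /24."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8      # Class A
    if first < 192:
        return 16     # Class B
    if first < 224:
        return 24     # Class C
    raise ValueError("not a classful unicast address")

def split_address(addr: str, prefix: int) -> dict:
    """Split an IPv4 address into network, subnet and host bits for a subnet mask
    of length `prefix`, which may fall anywhere past the classful boundary."""
    net_bits = classful_prefix(addr)
    if not net_bits <= prefix <= 30:
        raise ValueError("mask must lie between the classful boundary and /30")
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    bits = format(int(iface.ip), "032b")
    return {
        "network_bits": bits[:net_bits],
        "subnet_bits": bits[net_bits:prefix],
        "host_bits": bits[prefix:],
        "subnet": str(iface.network),
        "subnet_count": 2 ** (prefix - net_bits),       # subnets carved from the network
        "hosts_per_subnet": iface.network.num_addresses - 2,  # minus network and broadcast
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if a and b can talk without crossing a router (and its filtering)."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)

if __name__ == "__main__":
    # Constructed example: a Class B address subnetted with a /20 mask.
    print(split_address("172.16.37.200", 20))
    print(same_subnet("172.16.37.200", "172.16.40.1", 20))   # shared /20
    print(same_subnet("172.16.37.200", "172.16.40.1", 24))   # separated by a /24 split
```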

  6. VLAN (virtual LAN) Scattered individual units under the same organizational unit can be grouped together (a logical grouping rather than a physical grouping) • In most network environments, networks are divided or segmented by using switches • A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches • Can reduce network traffic and provide a degree of security similar to subnetting: • VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN

  7. Convergence technologies (VoIP, video, etc.) vulnerabilities • Phones are affected when the underlying OS is attacked • VoIP protocols have very little built-in security • Lack of encryption for VoIP packets • Spam calls

  8. Demilitarized Zone (DMZ) • Devices that provide services to outside users, such as email and web servers, are isolated in the DMZ. • If penetrated, the compromise is confined to that server rather than the LAN itself.

  9. DMZ example

  10. Network Address Translation (NAT) • NAT hides the private IP addresses assigned to individual machines. A single public IP, or a pool of public IPs, is used for public visibility. • Available private IP ranges: 10.0.0.0, 172.16.0.0 and 192.168.0.0 • The NAT device removes the sender's private IP from the packet and replaces it with an alias. The NAT device keeps a table of the mapping, and the process is reversed when a reply packet arrives. • A variation is port address translation: each packet is given the same IP address but a different port number.

  11. Security through Network Technologies: Network Address Translation (NAT) • Hides the IP addresses of network devices from attackers • Private addresses: IP addresses not assigned to any specific user or organization • Function as regular IP addresses on an internal network • Non-routable addresses

  12. Security through Network Technologies (continued) • NAT removes the private IP address from the sender's packet and replaces it with an alias IP address • When a packet is returned to NAT, the process is reversed • An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender

  13. Security through Network Technologies (continued)
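An added simulation (not from the slides) of the port address translation described in slides 10 to 12: outbound packets get the public alias and a device-assigned port, the table entry reverses the translation for the reply, and anything without an entry, or from a peer the internal host never contacted, is dropped. The addresses are constructed from the RFC 5737 documentation and RFC 1918 private ranges.

```python
from collections import namedtuple

# Constructed packet shape: only the header fields NAT rewrites or checks.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class PatDevice:
    """Port address translation: every internal host is rewritten to the same
    public IP, and the source port the device assigns is what tells the
    returning packets apart."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_public_port = {}   # public port -> (priv ip, priv port, peer ip, peer port)
        self.by_flow = {}          # (priv ip, priv port, peer ip, peer port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Strip the private source address and replace it with the public alias."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:                     # first packet of this flow: new table entry
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Reverse the translation for a returning packet, or return None to drop it.
        Only the peer the internal host actually contacted may use the mapping, so
        an unsolicited packet from the Internet never reaches a private address."""
        entry = self.by_public_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        priv_ip, priv_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

def run_scenario():
    """Two internal hosts reach the same web server; one reply is translated back,
    a packet from a different peer and one with no table entry are both dropped."""
    nat = PatDevice("203.0.113.5")          # constructed public alias
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.7", 80))
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", b.src_port))
    wrong_peer = nat.inbound(Packet("198.51.100.9", 80, "203.0.113.5", b.src_port))
    no_entry = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 45000))
    return a, b, reply, wrong_peer, no_entry
```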

  14. Network Access Control (NAC) • A special quarantined network area to which new devices or guests are allowed to connect. Only after passing the required security checks are they allowed to connect to the LAN. • Cisco – Network Admission Control • Microsoft – Network Access Protection • Juniper – Unified Access Control • Trusted Computing Group – Trusted Network Connect

  15. Applying Network Security Devices Devices include: • Firewalls • Proxy servers • Honeypots • Network intrusion detection systems • Host and network intrusion prevention systems • Protocol analyzers • Internet content filters • Integrated network security hardware

  16. Firewall • Filtering data packets – a gatekeeper to the network. • Rule based • Allow, block, prompt. • Stateful packet filtering • Packet is not allowed to pass to a client, unless the client requested it from the server.

  17. Example packet filtering rules • See table 5-6 p 167 • Source address = any • Destination address = internal IP • Port = 80
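An added example (not from the slides or the textbook) combining slides 16 and 17: a rule table in the slide's form (source any, destination internal IP, port 80) plus stateful filtering, where a packet reaches an internal client only if that client requested it. The internal network, rule, and traffic are constructed; outbound requests from inside are assumed to be allowed and recorded.

```python
import ipaddress
from collections import namedtuple

# Constructed packet shape: the header fields a packet filter inspects.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class Rule:
    """One inbound rule like the slide's; "any" matches every address or port."""
    def __init__(self, src, dst, port, action):
        self.src, self.dst, self.port, self.action = src, dst, port, action

    def matches(self, pkt: Packet) -> bool:
        return ((self.src == "any" or self.src == pkt.src_ip)
                and (self.dst == "any" or self.dst == pkt.dst_ip)
                and (self.port == "any" or self.port == pkt.dst_port))

class StatefulFirewall:
    def __init__(self, internal_net: str, rules: list):
        self.internal = ipaddress.ip_network(internal_net)
        self.rules = rules
        self.sessions = set()   # (client ip, client port, server ip, server port)

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.internal

    def filter(self, pkt: Packet) -> str:
        if self._inside(pkt.src_ip) and not self._inside(pkt.dst_ip):
            # Outbound request from an internal client: record it so its reply can return.
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: a reply to a recorded client request passes without a rule.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.sessions:
            return "allow"
        # Anything else is judged by the rule table; first match wins, default is block.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "block"

def run_scenario():
    """Constructed traffic: an outside host reaches the internal web server on 80,
    is blocked on 22, cannot push a packet to a client, but the client's own
    request lets the reply back in."""
    fw = StatefulFirewall("192.168.1.0/24", [Rule("any", "192.168.1.20", 80, "allow")])
    return (fw.filter(Packet("198.51.100.7", 40000, "192.168.1.20", 80)),   # rule: allow
            fw.filter(Packet("198.51.100.7", 40000, "192.168.1.20", 22)),   # no rule: block
            fw.filter(Packet("198.51.100.7", 80, "192.168.1.10", 51000)),   # unsolicited: block
            fw.filter(Packet("192.168.1.10", 51000, "198.51.100.7", 80)),   # client request: allow
            fw.filter(Packet("198.51.100.7", 80, "192.168.1.10", 51000)))   # reply: allow
```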

  18. Proxy Server • Intercepts internal user requests and processes each request on behalf of the user • It hides the IP address of the client system inside the secure network • When a request for a web page is made, the client actually contacts the proxy server, which checks to see if that page exists in its cache

  19. Honeypot • Intended to trap attackers • A honeypot is a computer located in a DMZ that is loaded with software and data files that appear to be the real thing • Deflects attention • Gives early warning of new attacks • Allows examination of attacker techniques

  20. Network Intrusion Detection Systems (NIDS) • Watches for attempts to penetrate a network. • Table 5-9 p.171 • A NIDS looks for suspicious patterns.
