
Lesson 10-Infrastructure Security




  1. Lesson 10-Infrastructure Security

  2. Introduction • Infrastructure security begins with the actual design of the infrastructure itself. • The proper use of the right components not only improves performance but also improves security.

  3. Background • Today, a computing environment is not isolated from its network components. • Network components are a part of the overall computing environment and have become an essential aspect of a total computing environment. • They rely upon: • Routers, switches, and cables that connect the devices • Firewalls and gateways that manage the communication • Network design • Protocols that are employed

  4. Background • In the CIA triad, the “A” for availability is often overlooked. • Yet it is the need for availability of shared resources that moved computing into this networked framework. • Availability therefore has a significant role in security: a failure in security may lead to a failure in availability, and the system then fails to meet user needs.

  5. Background • Security failures take two forms: • A failure that allows unauthorized users to access resources and data, compromising confidentiality or integrity. • A failure that prevents authorized users from accessing resources and data, compromising availability. This second form is often overlooked. • The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.

  6. Objectives • Upon completion of this lesson, the learner will be able to: • List the various types of network devices used to construct networks. • List the types of media used to carry network signals. • List the various types of storage media used to store information. • Describe the various types of network devices used to construct networks.

  7. Objectives • Upon completion of this lesson, the learner will be able to (continued): • Describe the types of media used to carry network signals. • Describe the various types of storage media used to store information. • Describe how the use of security zones and various other topologies provide network-based security. • Define basic terminology for a series of network functions related to information security.

  8. Infrastructure Security • Devices • Media • Security Concerns for Transmission Media • Removable Media • Security Topologies • Tunneling

  9. Devices • Clients • Servers

  10. Complete Network • A complete network computer solution consists of more than just client computers and servers. • Additional devices are needed to connect the clients, servers, wireless and hand-held systems: hubs, switches, routers, wireless access points, and VPN devices.

  11. Workstations • Workstations are the client computers in a client/server model. • Workstation security can be increased by: • Removing unnecessary protocols such as Telnet, NetBIOS, and IPX. • Removing modems unless needed and authorized. • Removing all unnecessary shares. • Renaming the administrator account and setting a strong password.

  12. Workstations • Workstation security can be increased by (continued): • Removing unnecessary user accounts. • Installing an antivirus program and keeping it up-to-date. • Removing or disconnecting the floppy drive if not needed. • Ensuring there is a firewall between the machine and the Internet. • Keeping the OS patched and up-to-date.

  13. Workstation Antivirus Software • Viruses can easily spread across machines in a network.

  14. Workstation Antivirus Software • For viruses, workstations are the primary point of entry into a network. • A virus is a piece of software that is introduced into a network and then executed on a machine. • There are several methods of introducing a virus into a network, but the two most common are transfer of an infected file from one machine to another and e-mail. • A file containing a virus can be transferred using floppies, CDs, or FTP; when the transferred file is executed, the virus propagates.

  15. Workstation Antivirus Software • Personal firewalls are necessary if a machine has an unprotected interface to the Internet. • Disabling or removing unnecessary devices and software from workstations prevents any unauthorized use. • Proper workstation security increases the availability of network resources to users. • It also increases effective operation.

  16. Server Security • Servers host shared applications and data. • Server operating systems are more robust than a workstation system. • They serve multiple users.

  17. Server Security • The security needs vary depending on specific use. • Remove unnecessary protocols. • Examples: Telnet, NetBIOS, IPX, and FTP. • Remove unnecessary shares. • Rename the administrator account. • Secure using a strong password. • Remove unnecessary user accounts. • Keep the OS patched and up-to-date. • Control physical access.

  18. Server Security • Secure server setup requires identification of the specific needs of the server. • All services and user accounts that are not needed for that role should be removed from the system to improve its security. • After a server has been built, record checksums of all crucial files so that later changes can be detected. The lesson names MD5; because MD5 collisions are now practical, a modern build should use SHA-256 and keep the baseline off the server or on read-only media.
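The integrity-baseline step from slide 18, as an added example (not part of the original lesson): hash the crucial files right after the build, store the digests, and later report anything changed or missing. It uses SHA-256 instead of the slide's MD5, and the file names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Record and verify a file-integrity baseline after a server build.

Added example, not from the lesson. SHA-256 is used rather than MD5 because
MD5 collisions are practical. The monitored files are created in a temporary
directory here so the script runs offline; on a real server the baseline
would cover binaries, configuration and boot files, and the baseline file
itself must be stored off-box or on read-only media.
"""
import hashlib
import json
import os
import tempfile

HASH = "sha256"


def file_digest(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths, baseline_file):
    """Write {path: digest} for every monitored file to baseline_file."""
    baseline = {p: file_digest(p) for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)
    return baseline


def verify_baseline(baseline_file):
    """Return (changed, missing) path lists compared with the stored baseline."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_digest(path) != expected:
            changed.append(path)
    return changed, missing


def demo():
    """Constructed scenario: baseline two files, then tamper with one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        sshd = os.path.join(d, "sshd_config")   # hypothetical monitored file
        passwd = os.path.join(d, "passwd")      # hypothetical monitored file
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        baseline = os.path.join(d, "baseline.json")
        record_baseline([sshd, passwd], baseline)

        # Untouched system: nothing is reported.
        clean = verify_baseline(baseline)

        # An intruder re-enables root login and removes the account file.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(passwd)
        changed, missing = verify_baseline(baseline)
        return clean, (sorted(changed), sorted(missing))


if __name__ == "__main__":
    print(demo())
```

Run it as a script; `demo()` returns an empty report for the clean system and then one changed and one missing path after the tampering. A real deployment would schedule `verify_baseline` and alert on any non-empty result.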

  19. Server Antivirus Software • Antivirus protection on servers depends upon the use of the server. • Each server and its role in the network need to be examined independently.

  20. Network Interface Cards (NICs) • A network interface card (NIC) connects a system to a network. It is a card with a connector port. • The most common protocol is Ethernet. • The most common connector is the RJ-45 connector. [Figure: Comparison of RJ-45 (lower) and phone connectors (upper)]

  21. Network Interface Cards (NICs) • A NIC provides lower-level protocol functionality from the OSI model. • The NIC defines the physical layer connection. • Different NICs are used for different physical protocols.

  22. Hubs • Hubs connect devices using the same physical layer of the OSI. • They allow multiple systems to be connected in a star configuration. • All the connections share a single collision domain. • Hubs are signal conditioners that connect multiple devices to a common signal.

  23. Bridges • Bridges connect network segments that use the same data-link (OSI layer 2) protocol. • They reduce collisions by separating a network into separate collision domains. • Each bridge splits one collision domain into two, roughly halving the collision problem on that segment.

  24. Switches • Switches provide a separate collision domain for each port. • Each port sees two directions of traffic: from the port to the client on the downstream side, and from the switch to the network upstream. • When full duplex is employed, collisions between the switch port and the attached host are virtually eliminated. • This also acts as a security factor: a sniffer on one switch port sees only traffic addressed to that port plus broadcasts, not other hosts' unicast traffic. • With a hub, a sniffer can see all traffic to and from every connection.

  25. Switches • Switches originally operated at the data-link layer, with routing occurring at the network layer. • Newer switches operate at the network layer. • They bring switching speed to network layer path optimization. • A switch helps inspect packet headers and enforce access control lists.

  26. Virtual Local Area Networks • Switches may implement virtual local area networks (VLANs). • Cisco defines a VLAN as a “broadcast domain within a switched network.” • Broadcast traffic is delivered only to devices within the same VLAN. • Switches that support multiple VLANs therefore segregate broadcast messages into specific VLANs. • This increases network segregation. • It increases throughput and security.

  27. Virtual Local Area Networks • Unused switch ports can be preconfigured into empty VLANs that do not connect to the rest of the network. • They increase security against unauthorized network connections.
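The difference between slides 22, 24, 26 and 27 (hub, learning switch, VLAN segregation, unused ports parked in an empty VLAN) comes down to which frames a given port receives. The following frame-forwarding model is an added example, not code from the lesson: a hub repeats everything, a switch learns source MAC addresses and floods only unknown destinations and broadcasts, and VLAN membership restricts that flooding. All MAC addresses, port numbers and VLAN IDs are made up for the demonstration.

```python
"""Hub, learning switch and VLAN-aware switch: what a sniffer on one port sees.

Added example, not from the lesson. Frames are (ingress port, src MAC, dst MAC)
tuples; the constructed traffic below is hosts A and B talking while a
sniffer listens on port 3. MACs, ports and VLAN IDs are hypothetical.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        return sorted(self.ports - {in_port})


class Switch:
    """Learning switch with per-port VLAN membership (access ports).

    vlan_of maps port -> VLAN id. Ports not listed are treated as disabled,
    which models slide 27's "unused ports preconfigured into empty VLANs".
    """

    def __init__(self, vlan_of):
        self.vlan_of = dict(vlan_of)
        self.cam = {}  # (vlan, mac) -> port: the MAC address (CAM) table

    def forward(self, in_port, src, dst):
        if in_port not in self.vlan_of:
            return []  # frame from a disabled/unused port is dropped
        vlan = self.vlan_of[in_port]
        self.cam[(vlan, src)] = in_port  # learn which port owns src
        out = self.cam.get((vlan, dst))
        if dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]  # known unicast: one port only
        # Broadcast or unknown unicast: flood, but only within the same VLAN.
        return sorted(p for p, v in self.vlan_of.items() if v == vlan and p != in_port)


def sniffer_view(device, frames, sniffer_port):
    """Replay frames through the device; return the (src, dst) pairs the sniffer receives."""
    seen = []
    for in_port, src, dst in frames:
        if sniffer_port in device.forward(in_port, src, dst):
            seen.append((src, dst))
    return seen


# Constructed traffic: host A on port 1, host B on port 2, sniffer on port 3.
A, B = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
FRAMES = [
    (1, A, BROADCAST),  # A's ARP-style broadcast; B is not yet in the CAM table
    (2, B, A),          # B replies; the switch now knows both A and B
    (1, A, B),          # steady-state unicast in both directions
    (2, B, A),
]


def compare():
    hub = Hub(ports=[1, 2, 3])
    same_vlan = Switch({1: 10, 2: 10, 3: 10})
    segregated = Switch({1: 10, 2: 10, 3: 20})  # sniffer parked in VLAN 20
    return {
        "hub": sniffer_view(hub, FRAMES, 3),
        "switch": sniffer_view(same_vlan, FRAMES, 3),
        "switch_vlan": sniffer_view(segregated, FRAMES, 3),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(f"{name:12s} sniffer on port 3 saw {len(seen)} frame(s): {seen}")
```

On the hub the sniffer receives all four frames; on the switch it receives only the initial broadcast, because once the CAM table knows A and B their unicast traffic is delivered to ports 1 and 2 alone; in a separate VLAN it receives nothing. The model trusts the CAM table, which is exactly the assumption slide 28 warns about: a switch whose tables or configuration an attacker can manipulate no longer gives this protection.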

  28. Switches • Switches, like routers, are intelligent devices and are subject to hijacking. • If this happens, it is possible to eavesdrop on specific or all communications.

  29. Switch Administration • Switches are commonly administered using the Simple Network Management Protocol (SNMP). • SNMP versions 1 and 2c send their community strings, which act as passwords, across the network in cleartext; SNMPv3 adds authentication and encryption and should be used instead. • Switches are shipped with default passwords, and these must be changed at setup.

  30. Securing a Switch • It is important to disable all access protocols other than a serial line, or use Secure Shell (SSH). • Using secure access methods limits the exposure to hackers and malicious users. • Maintaining secure network switches is more important than securing individual boxes. • The span of control to intercept data is much wider on a switch when reprogrammed by a hacker.

  31. Routers • Routers form the backbone of the Internet. • They move traffic from network to network. • They inspect the headers of every packet in order to choose an optimized path for the traffic. [Figure: Routers]

  32. Routers • Routers examine each packet for destination addresses. • They determine where to send a packet using algorithms and tables. • They may examine the source address and determine whether to allow a packet to pass. (Implements ACLs). • Some routers act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass.

  33. Router Security • A security concern of routers is access to their internal functions. • A router may use SNMP and be programmed remotely. • Physical control over a router is absolutely necessary. • If a router has been physically accessed by a hacker, it must be considered compromised. • Ensure that administrative passwords are never passed across the network in cleartext. • Use secure mechanisms to access the router. • Reset default passwords to strong passwords.

  34. Firewalls • A firewall is a network device—hardware, software, or a combination. • It enforces a security policy across its connections. [Figure: Firewall usage]

  35. The Security Policy • A security policy is a series of rules that define what traffic is permissible and what traffic is to be blocked or denied. • A key to security policies for firewalls is the principle of least access. • Only allow the necessary access for a function, and block or deny all unneeded functionality.

  36. Firewalls • Security topology determines the network devices that are employed and their location. • A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic. [Figure: Firewall usage]

  37. How Do Firewalls Work? • Firewalls enforce established security policies through mechanisms, including: • Network Address Translation (NAT) • Basic packet filtering • Stateful packet filtering • ACLs • Application layer proxies

  38. NAT and the Firewall • Network Address Translation (NAT) masks a significant amount of information about the inside of the network from the outside. • It allows an outside entity to communicate with an entity inside the firewall without knowing that entity's internal address.

  39. Packet Filters • Basic packet filtering involves examining packets, their protocols and destinations, and checking that information against the security policy.

  40. Stateful Packet Filtering • If a packet arrives from outside the network with no record of its being requested, the firewall will block access by dropping it. • Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.

  41. Firewalls and ACL • ACLs are a cornerstone of security in firewalls. • An ACL is an ordered list of rules stating which sources are permitted or denied access to a resource. • Firewalls extend the concept by enforcing ACLs on individual packets, and on whole connections when stateful packet filtering is performed.
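Slides 37 to 41 list NAT, packet filtering, stateful filtering and ACLs as separate mechanisms; the following model is an added example (not the lesson's code and not any vendor's rule syntax) that shows how they combine in one device. An outbound packet must pass the ACL, is then recorded in a state table and has its source address translated; an inbound packet is accepted only if it matches a recorded flow. All addresses, ports and the sample traffic are constructed.

```python
"""Minimal model of firewall mechanisms: ACL packet filter, stateful
connection tracking and source NAT.

Added example, not from the lesson. Packets are plain records, the rule
syntax is this script's own, and the addresses use RFC 5737 documentation
ranges plus a hypothetical 10.0.0.0/24 inside network.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."     # hypothetical internal network
PUBLIC_IP = "203.0.113.1"     # hypothetical public address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    def __init__(self, acl):
        # acl: list of (action, proto, dst_port or None), evaluated top-down.
        # Anything not matched is denied (principle of least access).
        self.acl = acl
        # State table: (remote ip, remote port, nat port) -> (inside ip, inside port)
        self.state = {}
        self.next_nat_port = 40000

    def _acl_allows(self, pkt):
        """Basic packet filtering: first matching rule decides."""
        for action, proto, dport in self.acl:
            if proto == pkt.proto and (dport is None or dport == pkt.dport):
                return action == "permit"
        return False

    def outbound(self, pkt):
        """Inside -> outside: apply ACL, record the flow, rewrite the source (NAT)."""
        if not pkt.src.startswith(INSIDE_PREFIX) or not self._acl_allows(pkt):
            return None
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        translated = Packet(PUBLIC_IP, nat_port, pkt.dst, pkt.dport, pkt.proto)
        self.state[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return translated

    def inbound(self, pkt):
        """Outside -> inside: stateful filtering, only replies to tracked flows pass."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst != PUBLIC_IP or key not in self.state:
            return None  # unsolicited packet: no record of it being requested, dropped
        inside_ip, inside_port = self.state[key]
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


def demo():
    """Constructed traffic through a firewall that permits only HTTP and HTTPS out."""
    fw = Firewall(acl=[("permit", "tcp", 443), ("permit", "tcp", 80)])
    # 1. Inside host opens HTTPS to a web server: permitted, NATed, state recorded.
    out = fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 443))
    # 2. The server's reply matches the state entry and is translated back.
    reply = fw.inbound(Packet("198.51.100.7", 443, PUBLIC_IP, out.sport))
    # 3. A different host probing the same public port has no state entry: dropped.
    stray = fw.inbound(Packet("192.0.2.9", 443, PUBLIC_IP, out.sport))
    # 4. Outbound Telnet: no permit rule, so the implicit deny blocks it.
    telnet = fw.outbound(Packet("10.0.0.5", 51001, "198.51.100.7", 23))
    return out, reply, stray, telnet


if __name__ == "__main__":
    for label, result in zip(("out", "reply", "stray", "telnet"), demo()):
        print(f"{label:7s} -> {result}")
```

The state table is keyed on the remote endpoint plus the NAT port, so a reply is accepted only from the host the inside client actually contacted; a packet from anywhere else to the same public port is dropped even though the port is "open". A real stateful firewall also times entries out and checks TCP flags, which this model omits.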

  42. Application Layer Firewalls • Some high-security firewalls also employ application layer proxies through which packets are not allowed to traverse the firewall, but data instead flows up to an application that in turn decides what to do with it.

  43. Wireless • Wireless devices bring additional security concerns. • Because no physical connection is required, anyone within radio range can potentially access the traffic. • Placing wireless devices behind a firewall protects only against traffic arriving over the wired side; it does nothing for traffic arriving over the air.

  44. Wireless Access Point • The point of entry from a wireless device to a wired network is a wireless access point. • It supports multiple concurrent devices accessing the network. [Figure: A typical wireless access point]

  45. Unauthorized Wireless Access • Proper configuration of the access protocols on a wireless access point prevents unauthorized wireless access to the network. • Basic network security for wireless connections is achieved by forcing authentication and verifying authorization.

  46. Wireless WEP • Some wireless devices, such as those operating on IEEE 802.11 wireless LANs, include security features such as Wired Equivalent Privacy (WEP). • WEP was designed to prevent sniffing of network traffic over the wireless portion of the network. • WEP's encryption has since been broken and it is deprecated; current deployments should use WPA2 or WPA3 instead.

  47. Modems • Modem is short for modulator/demodulator. • Modems convert analog signals to digital and vice versa. • They were once a slow method of remote connection that was used to connect client workstations to remote services over standard telephone lines.

  48. DSL vs. Cable Modems • A DSL modem provides a direct connection between a subscriber's computer and the Internet connection at the local telephone company's switching station. • Cable modems are set up in shared arrangements that, in theory, allow a neighbor to sniff a user's cable modem traffic.

  49. Cable Modems • Cable modems share a party line: all subscribers in a service area share the same physical medium. • The Data Over Cable Service Interface Specification (DOCSIS) includes built-in support for security protocols, including authentication and packet filtering, which prevents ordinary subscribers from seeing others' traffic without specialized hardware.

  50. Cable and DSL Modems • Both cable and DSL services provide a continuous connection, which brings up the question of IP address life for a client. • Most services have a Dynamic Host Configuration Protocol (DHCP) to manage their address space.
