1 / 54

Chapter 10 Introduction to Network Security

Chapter 10 Introduction to Network Security. Instructor: Nhan Nguyen Phuong. Contents. 1. Network Security Overview and Policies 2. Securing Physical Access to the Network 3. Securing Access to Data 4. Using a Cracker’s Tools to Stop Network Attacks.

mirari
Download Presentation

Chapter 10 Introduction to Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 10Introduction to Network Security Instructor: Nhan Nguyen Phuong

  2. Contents 1. Network Security Overview and Policies 2. Securing Physical Access to the Network 3. Securing Access to Data 4. Using a Cracker’s Tools to Stop Network Attacks Guide to Networking Essentials, Fifth Edition

  3. 1. Network Security Overview and Policies 1.1. Developing a Network Security Policy 1.2. Determining Elements of a Network Security Policy 1.3. Understanding Levels of Security Guide to Networking Essentials, Fifth Edition

  4. Perceptions of network security vary depending on: • People • Industry • Network security should be as unobtrusive as possible, allowing network users to concentrate on the tasks they want to accomplish, rather than how to get to the data they need to perform those tasks • A company that can demonstrate its information systems are secure is more likely to attract customers, partners, and investors Guide to Networking Essentials, Fifth Edition

  5. 1.1. Developing a Network Security Policy • A network security policy describes the rules governing access to a company’s information resources, the enforcement of those rules, and the steps taken if rules are breached • Should also describe the permissible use of those resources after they’re accessed • Should be easy for ordinary users to understand and reasonably easy to comply with • Should be enforceable • Should clearly state the objective of each policy so that everyone understands its purpose Guide to Networking Essentials, Fifth Edition

  6. 1.2. Determining Elements of a Network Security Policy • Elements (minimum for most networks) • Privacy policy • Acceptable use policy • Authentication policy • Internet use policy • Access policy • Auditing policy • Data protection • Security policy should protect organization legally • Security policy should be continual work in progress Guide to Networking Essentials, Fifth Edition

  7. 1.3. Understanding Levels of Security • Security doesn’t come without a cost • Before deciding on a level of security, answer: • What must be protected? • From whom should data be protected? • What costs are associated with security being breached and data being lost or stolen? • How likely is it that a threat will actually occur? • Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment? • Levels: highly restrictive, moderately restrictive, open Guide to Networking Essentials, Fifth Edition

  8. 1.3.1. Highly Restrictive Security Policies • Include features such as: • Data encryption, complex password requirements, detailed auditing and monitoring of computer and network access, intricate authentication methods, and policies that govern use of the Internet/e-mail • Might require third-party hardware and software • High implementation expense • High design and configuration costs for SW and HW • Staffing to support the security policies • Lost productivity (high learning curve for users) • Used when cost of a security breach is high Guide to Networking Essentials, Fifth Edition

  9. 1.3.2. Moderately Restrictive Security Policies • Most organizations can opt for this type of policy • Requires passwords, but not overly complex ones • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity • Most NOSs contain authentication, monitoring, and auditing features to implement the required policies • Infrastructure can be secured with moderately priced off-the-shelf HW and SW (firewalls, ACLs) • Costs are primarily in initial configuration and support Guide to Networking Essentials, Fifth Edition

  10. 1.3.3. Open Security Policies • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing • Makes sense for a small company with the primary goal of making access to network resources easy • Internet access should probably not be possible via the company LAN • If Internet access is available company-wide, a more restrictive policy is probably warranted • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees Guide to Networking Essentials, Fifth Edition

  11. 1.3.4. Common Elements of Security Policies • Virus protection for servers and desktop computers is a must • There should be policies aimed at preventing viruses from being downloaded or spread • Backup procedures for all data that can’t be easily reproduced should be in place, and a disaster recovery procedure must be devised • Security is aimed not only at preventing improper use of or access to network resources, but also at safeguarding the company’s information Guide to Networking Essentials, Fifth Edition

  12. 2. Securing Physical Access to the Network • If there’s physical access to equipment, there is no security • A computer left alone with a user logged on is particularly vulnerable • If an administrator account is logged on, a person can even give his/her account administrator control • If no user is logged on • People could log on to the computer with their own accounts and access files to which they wouldn’t normally have access • Computer could be restarted and booted from removable media, bypassing the normal OS security • Computer or HDs could be stolen and later cracked Guide to Networking Essentials, Fifth Edition

  13. 2.1. Physical Security Best Practices • When planning your network, ensure that rooms are available to house servers and equipment • Rooms should have locks and be suitable for the equipment being housed • If a suitable room isn’t available, locking cabinets, freestanding or wall mounted, can be purchased to house servers and equipment in public areas • Wiring from workstations to wiring cabinets should be inaccessible to eavesdropping equipment • Physical security plan should include procedures for recovery from natural disasters (e.g., fire or flood) Guide to Networking Essentials, Fifth Edition

  14. 2.1.1. Physical Security of Servers • May be stashed away in lockable wiring closet along with switch to which the server is connected • Often require more tightly controlled environmental conditions than patch panels, hubs, and switches • Server rooms should be equipped with power that’s preferably on a circuit separate from other devices • If you must put servers accessible to people who should not have physical access to them, use locking cabinets • You can purchase rack-mountable servers Guide to Networking Essentials, Fifth Edition

  15. 2.1.2. Security of Internetworking Devices • Routers and switches contain critical configuration information and perform essential network tasks • Internetworking devices, such as hubs, switches, and routers, should be given as much attention in terms of physical security as servers • A room with a lock is the best place for these devices • Wall-mounted enclosure with a lock is second best • Some cabinets come with a built-in fan or have a mounting hole for a fan • They also come with convenient channels for wiring Guide to Networking Essentials, Fifth Edition

  16. 3. Securing Access to Data 3.1. Implementing Secure Authentication and Authorization 3.2. Securing Data with Encryption 3.3. Securing Communication with Virtual Private Networks 3.4. Protecting Networks with Firewalls 3.5. Protecting a Network from Worms, Viruses, and Rootkits 3.6. Protecting a Network from Spyware and Spam Implementing Wireless Security 3.7. Implementing Wireless Security Guide to Networking Essentials, Fifth Edition

  17. Facets • Authentication and authorization • Encryption/decryption • Virtual Private Networks (VPNs) • Firewalls • Virus and worm protection • Spyware protection • Wireless security Guide to Networking Essentials, Fifth Edition

  18. 3.1. Implementing Secure Authentication and Authorization • Administrators must control who has access to the network (authentication) and what logged on users can do to the network (authorization) • NOSs have tools to specify options and restrictions on how/when users can log on to network • Password complexity requirements • Logon hours • Logon locations • Remote logons, among others • File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform Guide to Networking Essentials, Fifth Edition

  19. 3.1.1. Configuring Password Requirements in a Windows Environment • Specify if passwords are required for all users, how many characters a password must be, and whether they should meet certain complexity requirements • XP allows passwords up to 128 characters • Minimum of five to eight characters is typical • If minimum length is 0, blank passwords are allowed • Other options include Maximum/Minimum password age, and Enforce password history • When a user fails to enter a correct password, a policy can be set to lock the user account Guide to Networking Essentials, Fifth Edition

  20. Guide to Networking Essentials, Fifth Edition

  21. 3.1.2. Configuring Password Requirements in a Linux Environment • Linux password configuration can be done globally or on a user-by-user basis • Options in a standard Linux Fedora Core 4 include maximum/minimum password age, and number of days’ warning a user has before password expires • Linux system must be using shadow passwords, a secure method of storing user passwords • Options can be set by editing /etc/login.defs • Use Pluggable Authentication Modules (PAM) to set other options like account lockout, password history, and complexity tests Guide to Networking Essentials, Fifth Edition

  22. 3.1.3. Reviewing Password Dos and Don’ts • Use a combination of uppercase letters, lowercase letters, and numbers • Include one or more special characters • Try using a phrase, e.g., NetW@rk1ng !s C00l • Don’t use passwords based on your logon name, family members’ names, or even your pet’s name • Don’t use common dictionary words unless they are part of a phrase • Don’t make your password so complex that you forget it or need to write it down somewhere Guide to Networking Essentials, Fifth Edition

  23. 3.1.4. Restricting Logon Hours and Logon Location Guide to Networking Essentials, Fifth Edition

  24. Guide to Networking Essentials, Fifth Edition

  25. Authorizing Access to Files and Folders • Windows OSs have two options for file security • Sharing permissions are applied to folders (and only folders) shared over the network • Don’t apply to files/folders if user is logged on locally • These are the only file security options available in a FAT or FAT32 file system • NTFS permissions allow administrators to assign permissions to files as well as folders • Apply to file access by a locally logged-on user too • Enable administrators to assign permissions to user accounts and group accounts • Six standard permissions are available for folders Guide to Networking Essentials, Fifth Edition

  26. Guide to Networking Essentials, Fifth Edition

  27. Guide to Networking Essentials, Fifth Edition

  28. 3.2. Securing Data with Encryption • Use encryption to safeguard data as it travels across the Internet and within the company network • Prevents somebody using eavesdropping technology, such as a packet sniffer, from capturing packets and using the data for malicious purposes • Data on disks can be secured with encryption Guide to Networking Essentials, Fifth Edition

  29. 3.2.1. Using IPSec to Secure Network Data • The most popular method for encrypting data as it travels network media is to use an extension to the IP protocol called IP Security (IPSec) • Establishes an association between two communicating devices • Association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates • After the communicating parties are authenticated, encrypted communication can commence Guide to Networking Essentials, Fifth Edition

  30. Guide to Networking Essentials, Fifth Edition

  31. Guide to Networking Essentials, Fifth Edition

  32. 3.2.2. Securing Data on Disk Drives Guide to Networking Essentials, Fifth Edition

  33. 3.3. Securing Communication with Virtual Private Networks Guide to Networking Essentials, Fifth Edition

  34. 3.3.1. VPNs in a Windows Environment • Windows supports a special TCP/IP protocol called Point-to-Point Tunneling Protocol (PPTP) • A user running Windows can dial up a Windows server when it’s running RRAS • A VPN could be established permanently across the Internet by leasing dedicated lines at each end of a two-way link and maintaining ongoing PPTP-based communications across that dedicated link • Starting with Windows 2000, Windows supports Layer 2 Tunneling Protocol (L2TP) • Supports advanced authentication and encryption • Requires Windows machines on both sides Guide to Networking Essentials, Fifth Edition

  35. 3.3.2. VPNs in Other OS Environments • Linux implementations of VPNs typically use PPTP or IPSec; an L2TP implementation is now available • One of the most popular VPN solutions for Linux is a free downloadable package called OpenSwan • Novell NetWare provides VPN server connections to corporate networks for VPN clients • Mac OS 9 and later supports VPN client connections to Windows (using PPTP or IPSec) • One method of providing VPN services to connect remote sites is to use routers with VPN capability to form a router-to-router VPN connection Guide to Networking Essentials, Fifth Edition

  36. 3.3.3. VPN Benefits • Advantages of using VPNs • Installing several modems on an RRAS server so that users can dial up the server directly isn’t necessary; instead, users can dial up any ISP • Remote users can usually access an RRAS server by making only a local phone call, as long as they can access a local ISP • When broadband Internet connectivity is available (e.g., DSL, cable modem), remote users can connect to the corporate network at high speed, making remote computing sessions more productive • Additionally, VPNs save costs Guide to Networking Essentials, Fifth Edition

  37. 3.4. Protecting Networks with Firewalls • Firewall: HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules • Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources • If placed between Internet and corporate network, can restrict users’ access to Internet resources • Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI)) Guide to Networking Essentials, Fifth Edition

  38. 3.4.1. Using a Router as a Firewall • A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets • Many routers have capabilities similar to firewalls • After a router is configured, by default, all packets are permitted both into and out of the network • Network administrator must create rules (access control lists) that deny certain types of packets • Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions Guide to Networking Essentials, Fifth Edition

  39. 3.4.2. Using Intrusion Detection Systems • An IDS usually works with a firewall or router with access control lists • A firewall protects a network from potential break-ins or DoS attacks, but an IDS must detect an attempted security breach and notify the network administrator • May be able to take countermeasures if an attack is in progress • Invaluable tool to help administrators know how often their network is under attack and devise security policies aimed at thwarting threats before they have a chance to succeed Guide to Networking Essentials, Fifth Edition

  40. 3.4.3. Using Network Address Translation to Improve Security • A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world • Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network • An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief Guide to Networking Essentials, Fifth Edition

  41. 3.5. Protecting a Network from Worms, Viruses, and Rootkits • Malware is SW designed to cause harm/disruption to a computer system or perform activities on a computer without the consent of its owner • A virus spreads by replicating itself into other programs or documents • A worm is similar to a virus, but it doesn’t attach itself to another program • A backdoor is a program installed on a computer that permits access to the computer, bypassing the normal authentication process • To help prevent spread of malware, every computer should have virus-scanning software running Guide to Networking Essentials, Fifth Edition

  42. A Trojan program appears to be something useful, but in reality contains some type of malware • Rootkits are a form of Trojan programs that can monitor traffic to and from a computer, monitor keystrokes, and capture passwords • The hoax virus is one of the worst kinds of viruses • The flood of e-mail from people actually falling for the hoax is the virus! • Malware protection can be expensive; however, the loss of data and productivity that can occur when a network becomes infected is much more costly Guide to Networking Essentials, Fifth Edition

  43. 3.6. Protecting a Network from Spyware and Spam • Spyware: monitors/controls part of a computer at the expense of user’s privacy and to the gain of a third party • Is not usually self-replicating • Many anti-spyware programs are available, and some are bundled with popular antivirus programs • Spam is simply unsolicited e-mail • Theft of e-mail storage space, network bandwidth, and people’s time • Detection and prevention is an uphill battle • For every rule or filter anti-spam software places on an e-mail account, spammers find a way around them Guide to Networking Essentials, Fifth Edition

  44. 3.7. Implementing Wireless Security • Attackers who drive around looking for wireless LANs to intercept are called wardrivers • Wireless security methods • SSID (not easy to guess and not broadcast) • Wired Equivalency Protocol (WEP) • Wi-Fi Protected Access (WPA) • 802.11i • MAC address filtering • You should also set policies: limit AP signal access, change encryption key regularly, etc. Guide to Networking Essentials, Fifth Edition

  45. 4. Using a Cracker’s Tools to Stop Network Attacks 4.1. Discovering Network Resources 4.2. Gaining Access to Network Resources 4.3. Disabling Network Resources Guide to Networking Essentials, Fifth Edition

  46. If you want to design a good, solid network infrastructure, hire a security consultant who knows the tools of the cracker’s trade • A cracker (black hat) is someone who attempts to compromise a network or computer system for the purposes of personal gain or to cause harm • The term hacker has had a number of meanings throughout the years • White hats often use the term penetration tester for their consulting services Guide to Networking Essentials, Fifth Edition

  47. 4.1. Discovering Network Resources • Attackers use command-line utilities such as Ping, Traceroute, Finger, and Nslookup to get information about the network configuration and resources • Other tools used • Ping scanner: automated method for pinging a range of IP addresses • Port scanner: determines which TCP and UDP ports are available on a particular computer or device • Protocol analyzers are also useful for resource discovery because they allow you to capture packets and determine which protocol’s services are running Guide to Networking Essentials, Fifth Edition

  48. Guide to Networking Essentials, Fifth Edition

  49. Guide to Networking Essentials, Fifth Edition

  50. Guide to Networking Essentials, Fifth Edition

More Related