
Devices

Devices. Chapter 9. Learning Objectives. Understand the purpose of a network firewall and the kinds of firewall technology available on the market Understand the role of routers, switches, and other networking hardware in security

neith

Presentation Transcript


  1. Devices Chapter 9

  2. Learning Objectives • Understand the purpose of a network firewall and the kinds of firewall technology available on the market • Understand the role of routers, switches, and other networking hardware in security • Determine when VPN or RAS technology works to provide a secure network connection

  3. Firewalls • Hardware or software device that provides means of securing a computer or network from unwanted intrusion • Dedicated physical device that protects network from intrusion • Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

  4. Management Cycle for Firewall Protection • Draft a written security policy • Design the firewall to implement the policy • Implement the design by installing the selected hardware and software • Test the firewall • Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

  5. Drafting a Security Policy • What am I protecting? • From whom? • What services does my company need to access over the network? • Who gets access to what resources? • Who administers the network?

  6. Available Targets and Who Is Aiming at Them • Common areas of attack • Web servers • Mail servers • FTP servers • Databases • Intruders • Sport hackers • Malicious hackers

  7. Who Gets Access to Which Resources? • List employees or groups of employees along with files and file servers and databases and database servers they need to access • List which employees need remote access to the network

  8. Who Administers the Network? • Determine individual(s) and scope of individual management control

  9. Designing the Firewall to Implement the Policy • Select the appropriate technology to deploy the firewall

  10. What Do Firewalls Protect Against? • Denial of service (DoS) • Ping of death (an ICMP datagram whose fragments reassemble to more than 65,535 bytes) • Teardrop or Raindrop attacks (overlapping IP fragments) • SYN flood • LAND attack (a packet whose source and destination are the same address and port) • Smurf attacks (ICMP echo requests sent to a broadcast address with the victim's spoofed source, so every host on the segment replies to the victim) • Brute-force attacks • IP spoofing • Caveat: a firewall can drop the malformed or spoofed packets it sees, but a flood large enough to saturate the upstream link denies service before the firewall is reached
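As an added example (not code from the textbook or these slides), here are the single-packet checks a firewall can apply for the patterns listed above, written in Python over a constructed Packet record. The 10.0.0.0/8 internal range, its directed-broadcast address and the sample packets are assumptions of the example. SYN floods are left out because they cannot be recognized from one packet; they need per-source counting over time.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed topology for the example: the protected network is 10.0.0.0/8 and its
# directed-broadcast address is 10.255.255.255 (both constructed values).
INTERNAL_NET = ip_network("10.0.0.0/8")
DIRECTED_BROADCAST = ip_address("10.255.255.255")
MAX_IP_LEN = 65535


@dataclass
class Packet:
    """Minimal view of an IP packet, as a firewall sees it after parsing the headers."""
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""                # TCP flags as letters, e.g. "S" or "SA"
    icmp_type: int = -1            # 8 = echo request
    total_len: int = 0             # reassembled datagram length claimed by the fragments
    frags: List[Tuple[int, int]] = field(default_factory=list)   # (offset, length) pairs
    iface: str = "outside"         # interface the packet arrived on


def overlapping_fragments(frags: List[Tuple[int, int]]) -> bool:
    """True if any two fragments overlap (the teardrop condition)."""
    spans = sorted(frags)
    for (off1, len1), (off2, _) in zip(spans, spans[1:]):
        if off2 < off1 + len1:
            return True
    return False


def check_packet(p: Packet) -> List[str]:
    """Return the names of the attack patterns this single packet matches."""
    hits = []
    if p.proto == "tcp" and p.src == p.dst and p.sport == p.dport:
        hits.append("land")                      # LAND: packet addressed to itself
    if p.proto == "icmp" and p.total_len > MAX_IP_LEN:
        hits.append("ping-of-death")             # reassembly would exceed 65535 bytes
    if overlapping_fragments(p.frags):
        hits.append("teardrop")                  # overlapping fragment offsets
    if p.proto == "icmp" and p.icmp_type == 8 and ip_address(p.dst) == DIRECTED_BROADCAST:
        hits.append("smurf")                     # echo request aimed at a broadcast address
    if p.iface == "outside" and ip_address(p.src) in INTERNAL_NET:
        hits.append("spoofed-source")            # internal source arriving from the Internet
    return hits


if __name__ == "__main__":
    # Constructed sample packets, one per pattern plus a clean one.
    samples = [
        Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, "S"),
        Packet("203.0.113.9", "10.0.0.5", "icmp", icmp_type=8, total_len=65536),
        Packet("203.0.113.9", "10.0.0.5", "udp", 53, 53, frags=[(0, 1480), (1000, 1480)]),
        Packet("203.0.113.9", "10.255.255.255", "icmp", icmp_type=8),
        Packet("10.0.0.9", "203.0.113.9", "tcp", 40000, 443, "S"),
        Packet("203.0.113.9", "10.0.0.5", "tcp", 40000, 443, "S"),
    ]
    for s in samples:
        print(s.src, "->", s.dst, s.proto, check_packet(s) or "clean")
```

The spoofed-source rule is the one most worth copying into real configurations: a packet from your own address space should never arrive on the Internet-facing interface, and the LAND packet in the sample trips it as well.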

  11. How Do Firewalls Work? • Network address translation (NAT) • Basic packet filtering • Stateful packet inspection (SPI) • Access control lists (ACL)

  12. Network Address Translation (NAT) • Often the only protection a basic firewall or home router provides; it hides internal addressing, but it is not a security control by itself (a forwarded port or a NAT-traversal feature exposes the host behind it) • Enables a LAN to use one set of IP addresses (private) for internal traffic and a second set (public) for external traffic • Basic one-to-one NAT: each active connection requires its own unique external address for the duration of the communication • Port address translation (PAT), also called NAT overload or masquerading • Derivative of NAT • Rewrites the source port as well as the source address, so thousands of simultaneous connections can share a single public IP address • Inbound packets that match no translation entry have no inside host to go to and are dropped
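As an added example (not from the slides), a small PAT translator in Python: outbound flows from many inside hosts are rewritten to one public address with distinct source ports, replies are mapped back through the same table, and an inbound packet that matches no entry is dropped. The public address 198.51.100.1 and the flows are constructed; the mapping is endpoint-independent (keyed only on the inside address and port), which is one common NAT behaviour but not the only one, and a real firewall would also age entries out.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.51.100.1"   # assumed single public address of the firewall (constructed)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PAT:
    """Port address translation: every inside (ip, port) gets its own port on one public IP."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out_map: Dict[Tuple[str, int], int] = {}     # (inside ip, inside port) -> public port
        self.in_map: Dict[int, Tuple[str, int]] = {}      # public port -> (inside ip, inside port)

    def translate_out(self, f: Flow) -> Flow:
        """Rewrite the source of an outbound packet, allocating a mapping on first use."""
        key = (f.src_ip, f.src_port)
        if key not in self.out_map:
            port = next(self._next_port)
            self.out_map[key] = port
            self.in_map[port] = key
        return Flow(self.public_ip, self.out_map[key], f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow) -> Optional[Flow]:
        """Rewrite the destination of an inbound packet, or None if nothing maps to it."""
        if f.dst_ip != self.public_ip or f.dst_port not in self.in_map:
            return None                       # unsolicited: no inside host asked for this
        inside_ip, inside_port = self.in_map[f.dst_port]
        return Flow(f.src_ip, f.src_port, inside_ip, inside_port)


if __name__ == "__main__":
    pat = PAT()
    # Two inside hosts happen to pick the same source port; PAT keeps them apart.
    a = pat.translate_out(Flow("10.0.0.5", 50000, "203.0.113.80", 443))
    b = pat.translate_out(Flow("10.0.0.6", 50000, "203.0.113.80", 443))
    print("out:", a, b)
    print("reply:", pat.translate_in(Flow("203.0.113.80", 443, PUBLIC_IP, a.src_port)))
    print("unsolicited:", pat.translate_in(Flow("203.0.113.9", 12345, PUBLIC_IP, 2000)))
```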

  13. Basic Packet Filtering • Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules • Can be configured to screen information based on many data fields: • Protocol type • IP address • TCP/UDP port • Source routing information

  14. Stateful Packet Inspection (SPI) • Controls access to the network by analyzing incoming and outgoing packets and letting them pass or not based on the source and destination addresses and ports and, crucially, on a table of connections already in progress • Examines each packet's header and matches it against that state table (for TCP, whether the handshake was seen and which side started it) • Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated, so unsolicited inbound packets are dropped even when they carry plausible flags; essential to blocking IP spoofing attacks

  15. Access Control Lists (ACL) • Rules built according to organizational policy that define who can access which portions of the network • Example (Cisco IOS extended ACL syntax): access-list 101 permit tcp any 1.2.1.222 0.0.0.0 eq 80 • access-list 101 deny ip any 1.2.1.222 0.0.0.0 • 1.2.1.222 0.0.0.0 is an address followed by an all-zero wildcard mask, meaning exactly that host (equivalent to host 1.2.1.222) • Rules are evaluated top to bottom and the first match wins, so order matters; every ACL ends with an implicit deny of anything not explicitly permitted
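To make the difference between slides 13, 14 and 15 concrete, here is an added Python example (not from the textbook) that evaluates the web-server policy above both as a stateless ACL and as a stateful filter. The Rule class's established flag mirrors the Cisco ACL keyword of that name (match only packets with ACK set); the addresses, ports and packets are constructed. The point it shows: a stateless filter that wants to let replies back in must trust the ACK bit, so an inbound ACK probe to an internal host passes, whereas the stateful filter admits only replies to connections it saw opened from inside.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN+ACK
    direction: str      # "in" (from the Internet) or "out" (from the protected network)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str                  # "in", "out" or "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False       # like Cisco's 'established': match only if ACK is set

    def matches(self, p: Pkt) -> bool:
        return (self.direction in ("any", p.direction)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or "A" in p.flags))


def stateless_filter(rules: List[Rule], p: Pkt) -> str:
    """First matching rule wins; an ACL ends with an implicit 'deny any'."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Policy from the slide: the public web server 1.2.1.222 may be reached on port 80,
# everything else inbound is denied, and inside hosts may go anywhere.
BASE_RULES = [
    Rule("permit", "in", dst="1.2.1.222", dport=80),
    Rule("permit", "out"),
]

# A stateless filter has no memory of outbound connections, so to let replies back in it
# must trust the ACK bit; any inbound packet with ACK set then passes, connection or not.
STATELESS_RULES = [Rule("permit", "in", established=True)] + BASE_RULES


class StatefulFilter:
    """Remembers connections opened from the inside and admits only their replies."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Set[Tuple[str, int, str, int]] = set()   # (inside ip, port, outside ip, port)

    def decide(self, p: Pkt) -> str:
        if p.direction == "out":
            verdict = stateless_filter(self.rules, p)
            if verdict == "permit" and p.flags == "S":           # new connection from inside
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return verdict
        if (p.dst, p.dport, p.src, p.sport) in self.table:       # reply to a tracked connection
            return "permit"
        return stateless_filter(self.rules, p)                   # otherwise the plain ACL applies


if __name__ == "__main__":
    sf = StatefulFilter(BASE_RULES)
    scenario = [
        Pkt("10.0.0.5", 50000, "203.0.113.80", 443, "S", "out"),      # inside host opens HTTPS
        Pkt("203.0.113.80", 443, "10.0.0.5", 50000, "SA", "in"),      # legitimate reply
        Pkt("203.0.113.9", 40000, "10.0.0.5", 22, "A", "in"),         # attacker's ACK probe
        Pkt("203.0.113.9", 40001, "1.2.1.222", 80, "S", "in"),        # visitor to the web server
        Pkt("203.0.113.9", 40002, "1.2.1.222", 23, "S", "in"),        # telnet to the web server
    ]
    for p in scenario:
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]  "
              f"stateless={stateless_filter(STATELESS_RULES, p)}  stateful={sf.decide(p)}")
```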

  16. Routers • Network management device that sits between network segments and routes traffic from one network to another • Allows networks to communicate with one another • Allows Internet to function • Act as digital traffic cop (with addition of packet filtering)

  17. How a Router Moves Information • Examines the electronic envelope surrounding a packet (the IP header) and compares the destination address with the prefixes in the router's lookup (routing) table • When several prefixes contain the address, the most specific (longest) one wins • Determines which router to send the packet to next; routing protocols update the table as network conditions change

  18. How a Router Moves Information (diagram slide; image not included in the transcript)
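The table lookup described on slide 17, as an added Python example (not from the textbook): a constructed forwarding table with a default route, three overlapping internal prefixes and a blackhole route, and a longest-prefix-match lookup over it. The prefixes, next hops and interface names are assumptions of the example.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed forwarding table: (prefix, next hop, egress interface). A real router builds it
# from static routes and routing protocols; 0.0.0.0/0 is the default route, null0 discards.
FIB: List[Tuple[str, Optional[str], str]] = [
    ("0.0.0.0/0",    "198.51.100.254", "eth0"),   # default route toward the Internet
    ("10.0.0.0/8",   "10.1.0.1",       "eth1"),
    ("10.2.0.0/16",  "10.1.0.2",       "eth1"),
    ("10.2.3.0/24",  "10.1.0.3",       "eth2"),
    ("192.0.2.0/24", None,             "null0"),  # blackhole: packets are dropped, not forwarded
]


def lookup(fib, dst: str) -> Optional[Tuple[Optional[str], str]]:
    """Longest-prefix match: the most specific prefix containing dst wins, not the first listed."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in fib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def forward(fib, dst: str) -> str:
    """Human-readable decision: where the packet goes, or why it is dropped."""
    hop = lookup(fib, dst)
    if hop is None:
        return "drop: no route"
    next_hop, iface = hop
    if next_hop is None:
        return f"drop: blackhole on {iface}"
    return f"forward via {next_hop} on {iface}"


if __name__ == "__main__":
    for dst in ["10.2.3.7", "10.2.9.1", "10.7.1.1", "203.0.113.9", "192.0.2.5"]:
        print(f"{dst:>12}: {forward(FIB, dst)}")
```

Blackhole routes are the router-side equivalent of a deny rule: a cheap way to discard traffic to known-bad or unused address space before any ACL is consulted.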

  19. Beyond the Firewall • Demilitarized zone (DMZ) • Bastion hosts (potentially)

  20. Demilitarized Zone • Area set aside for servers that are publicly accessible or have lower security requirements • Sits between the Internet and the internal network's line of defense • A stateful device fully protects the other internal systems • A packet filter allows external traffic only to the services provided by the DMZ servers • Allows a company to host its own Internet services without permitting unauthorized access to its private network

  21. Bastion Hosts • Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services • Gateway between an inside network and an outside network • Defends against attacks aimed at the inside network; used as a security measure • Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled • Do not share authentication services with trusted hosts within the network

  22. Application Gateways • Also known as proxy servers • Monitor specific applications (FTP, HTTP, Telnet) • Allow packets accessing those services to go to only those computers that are allowed • Good backup to packet filtering

  23. Application Gateways • Security advantages • Information hiding • Robust authentication and logging • Simpler filtering rules • Disadvantage • Two steps are required to connect inbound or outbound traffic; can increase processor overhead

  24. OSI Reference Model • Architecture that classifies most network functions • Seven layers • Application • Presentation • Session • Transport • Network • Data-Link • Physical

  25. The OSI Stack • Layer 4 (Transport) • Where TCP and UDP ports identify the endpoints of a communication session • Layer 5 (Session) manages the sessions themselves • Layer 3 (Network) • Routes IP packets • Layer 2 (Data-Link) • Delivers data frames across LANs

  26. Limitations of Packet-Filtering Routers • ACLs can become long, complicated, and difficult to manage and comprehend • Throughput decreases as the number of rules being processed increases • See only the layer 3 and layer 4 headers; unable to inspect the content or data of packets at layers 5 through 7, so an attack carried inside an allowed connection (for example, a malicious HTTP request to a permitted port) passes unnoticed

  27. Switches • Provide the same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) optimized for the task • Reduce each collision domain to two nodes (switch and host) • Main benefit over hubs • Separation of collision domains limits the possibility of sniffing, since a host normally sees only its own traffic and broadcasts • Caveat: this is a limitation, not a guarantee; MAC flooding (overflowing the switch's address table) and ARP spoofing can still cause traffic for other hosts to reach an attacker's port

  28. Switches (diagram slide; image not included in the transcript)

  29. Switch Security • ACLs • Virtual Local Area Networks (VLANs)

  30. Virtual Local Area Network • Broadcast domain within a switched network; ports on one or more switches are grouped logically, regardless of physical location • Frames that cross between switches carry an 802.1Q tag naming their VLAN; on an access port the switch, not the host, assigns the VLAN • Provides no encryption by itself; the confidentiality properties sometimes attributed to it (only authorized users can access the network, data cannot be intercepted) belong to VPNs, not VLANs • Clusters users in smaller groups • Increases security against intruders by limiting which hosts can reach which at layer 2; traffic between VLANs must pass through a router, where it can be filtered • Reduces the possibility of a broadcast storm

  31. Security Problems with Switches • Common ways of switch hijacking • Try default passwords which may not have been changed • Sniff network to get administrator password via SNMP or Telnet

  32. Securing a Switch • Isolate all management interfaces • Manage the switch by physical connection to a serial port or through Secure Shell (SSH) or another encrypted method • Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping

  33. Securing a Switch • Put switch behind dedicated firewall device • Maintain the switch; install latest version of software and security patches • Read product documentation • Set strong passwords
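The VLAN tagging mentioned on slide 30 and the VLAN jumping that slide 32 warns about, as an added Python example (not from the textbook): it builds constructed Ethernet frames with zero, one or two 802.1Q tags, parses the tags back out, and applies the ingress rule a hardened switch should enforce: no tagged frame is accepted on an access port, and a double-tagged frame is refused on a trunk rather than having one tag stripped (which is what lets the inner tag carry the frame into another VLAN). The MAC addresses, VLAN numbers and port settings are assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPIDS = (0x8100, 0x88A8)   # 802.1Q and 802.1ad (service tag) EtherTypes that introduce a VLAN tag


@dataclass
class Frame:
    dst: str
    src: str
    vlans: List[int]     # outermost tag first; empty for an untagged frame
    ethertype: int


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, vlans: List[int], ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame with zero or more 802.1Q tags (priority/CFI bits left zero)."""
    raw = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        raw += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return raw + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Walk the header, collecting every VLAN tag until a non-tag EtherType is reached."""
    off = 12
    vlans = []
    while True:
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in TPIDS:
            break
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VLAN ID
        off += 4
    return Frame(mac_str(raw[0:6]), mac_str(raw[6:12]), vlans, etype)


@dataclass
class Port:
    mode: str                          # "access" or "trunk"
    vlan: int                          # access VLAN, or the native (untagged) VLAN of a trunk
    allowed: frozenset = frozenset()   # VLANs carried on a trunk


def ingress(raw: bytes, port: Port) -> Tuple[str, Optional[int]]:
    """Decide whether to accept a frame on a port and which VLAN it belongs to."""
    f = parse_frame(raw)
    if port.mode == "access":
        if f.vlans:
            return "drop", None              # hosts on access ports never get to choose a VLAN
        return "accept", port.vlan
    if len(f.vlans) > 1:
        return "drop", None                  # double-tagged: refuse, do not peel one tag and forward
    if not f.vlans:
        return ("accept", port.vlan) if port.vlan in port.allowed else ("drop", None)
    vid = f.vlans[0]
    return ("accept", vid) if vid in port.allowed else ("drop", None)


if __name__ == "__main__":
    host, attacker = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    access = Port("access", 10)
    trunk = Port("trunk", 1, frozenset({1, 10, 20}))
    for label, raw, port in [
        ("untagged on access", build_frame(host, attacker, []), access),
        ("tagged 20 on access", build_frame(host, attacker, [20]), access),
        ("tagged 20 on trunk", build_frame(host, attacker, [20]), trunk),
        ("double tag 1/20 on trunk", build_frame(host, attacker, [1, 20]), trunk),
    ]:
        print(f"{label:>26}: tags={parse_frame(raw).vlans} -> {ingress(raw, port)}")
```

The "refuse double tags" rule is a simplification of what real switches do; the usual hardening advice is to keep the native VLAN off every trunk's allowed list and never use it for access ports, so that the outer tag an attacker strips off never matches a VLAN the trunk carries.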

  34. Quick Quiz • The process by which a private IP address in a corporate network is translated into a public address by a router or firewall is called _____________ • True or False: Advanced firewalls use stateful packet inspection to improve security. • A computer providing public network services that resides inside a corporate network but outside its firewall is called a ______. • True or False: IP packets are routed by layer 2 of the OSI model. • A feature available in some switches that permits separating the switch into multiple broadcast domains is called _________.

  35. Wireless • Almost anyone can eavesdrop on a network communication • Encryption is the only secure method of communicating with wireless technology

  36. Modems

  37. DSL versus Cable Modem Security • DSL • Direct connection between computer/network and the Internet • Cable modem • Connected to a shared segment; party line • Most have basic firewall capabilities to prevent files from being viewed or downloaded • Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

  38. Dynamic versus Static IP Addressing • Static IP addresses • Provide a fixed target for potential hackers • Dynamic IP addresses • Assigned by the Dynamic Host Configuration Protocol (DHCP) • By changing the IP addresses of client machines, the DHCP server makes them moving targets for potential hackers • Caveat: this is obscurity rather than protection; an attacker scanning the address range finds the host wherever it lands, so host firewalls and patching are still required

  39. Remote Access Service (RAS) • Provides a mechanism for one computer to securely dial in to another computer • Treats modem as an extension of the network • Includes encryption and logging • Accepts incoming calls • Should be placed in the DMZ

  40. Security Problems with RAS • Dial-in lines terminate behind the physical firewall, so a compromised RAS server exposes the internal network to callers who never pass through the firewall • Most RAS systems offer encryption and callback (hanging up and dialing the user back at a preregistered number) as features to enhance security

  41. Telecom/Private Branch Exchange (PBX) • PBX • Private phone system that offers features such as voicemail, call forwarding, and conference calling • Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

  42. IP-Based PBX

  43. PBX Security Concerns • Remote PBX management • Hoteling or job sharing • Many move codes are standardized and posted on the Internet

  44. Virtual Private Networks • Provide a secure communication pathway or tunnel through public networks (e.g., the Internet) • Run over an existing TCP/IP connection: the tunnel is carried as ordinary IP traffic between the two endpoints • Encrypts either the payload of a packet while keeping its IP header (transport mode) or the entire original packet, which is then wrapped in a new IP packet for delivery (tunnel mode) • Typically implemented with Internet Protocol Security (IPSec), which adds integrity protection and peer authentication as well as encryption

  45. Intrusion Detection Systems (IDS) • Monitor networks and report on unauthorized attempts to access any part of the system • Available from many vendors • Forms • Software agents on the protected computers (computer-based IDS, usually called host-based IDS or HIDS) • Dedicated hardware devices watching network traffic (network-based IDS, NIDS) • Types of detection • Anomaly-based detection: learn what normal traffic looks like and alert on deviations; catches novel attacks but is prone to false positives • Signature-based detection: match traffic against patterns of known attacks; precise, but blind to anything without a signature

  46. Computer-based IDS • Software applications (“agents”) are installed on each protected computer • Make use of disk space, RAM, and CPU time to analyze OS, applications, system audit trails • Compare these to a list of specific rules • Report discrepancies • Can be self-contained or remotely managed • Easy to upgrade software, but do not scale well
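The two detection types from slide 45 run side by side over constructed connection records, as an added Python example (not from the textbook). The signature detector matches payloads against two named patterns; the anomaly detector learns a per-source connection-count baseline from training traffic and flags sources that exceed mean plus three standard deviations. All events, addresses and patterns are constructed for the example, and the tiny training set is only to keep the arithmetic visible; a real system baselines over days and counts per time window.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Event = Dict[str, object]   # keys: ts, src, dst, dport, payload

# Signature rules (constructed for the example): named regular expressions over the payload.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union-select": re.compile(r"union\s+select", re.I),
}


def make_events(src: str, n: int, dport: int = 80, payload: str = "GET / HTTP/1.1",
                step_port: bool = False) -> List[Event]:
    """Construct n connection records from one source (sample data, not real traffic)."""
    return [{"ts": i, "src": src, "dst": "10.0.0.5",
             "dport": dport + (i if step_port else 0), "payload": payload}
            for i in range(n)]


# Training traffic: five ordinary clients with 4, 5, 6, 5 and 5 requests each.
TRAINING: List[Event] = []
for i, n in enumerate([4, 5, 6, 5, 5]):
    TRAINING += make_events(f"10.0.0.{10 + i}", n)

# Observed traffic: one ordinary client, one host sweeping 40 ports with empty payloads,
# and one host sending a single path-traversal request.
OBSERVED: List[Event] = (
    make_events("10.0.0.10", 5)
    + make_events("198.51.100.77", 40, dport=1, payload="", step_port=True)
    + make_events("203.0.113.9", 1, payload="GET /../../etc/passwd HTTP/1.1")
)


def signature_scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Signature-based detection: alert on any payload matching a known pattern."""
    alerts = []
    for e in events:
        for name, rx in SIGNATURES.items():
            if rx.search(str(e["payload"])):
                alerts.append((str(e["src"]), name))
    return alerts


def baseline(events: List[Event]) -> Tuple[float, float]:
    """Learn what normal looks like: mean and spread of connections per source."""
    counts = list(Counter(e["src"] for e in events).values())
    return mean(counts), pstdev(counts)


def anomaly_scan(events: List[Event], mu: float, sigma: float, k: float = 3.0) -> List[str]:
    """Anomaly-based detection: flag sources whose connection count exceeds mu + k*sigma."""
    per_src = Counter(str(e["src"]) for e in events)
    return [src for src, n in per_src.items() if n > mu + k * sigma]


if __name__ == "__main__":
    mu, sigma = baseline(TRAINING)
    print(f"baseline: mean={mu:.2f} stdev={sigma:.2f} threshold={mu + 3 * sigma:.2f}")
    print("signature alerts:", signature_scan(OBSERVED))
    print("anomalous sources:", anomaly_scan(OBSERVED, mu, sigma))
```

Each detector catches exactly one of the two attackers: the port sweep has nothing a signature can match, and the single traversal request is too little traffic to look anomalous, which is why the two approaches are deployed together.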
