Chapter 5: Securing the Network Infrastructure Security+ Guide to Network Security Fundamentals Second Edition
Objectives • Work with the network cable plant • Secure removable media • Harden network devices • Design network topologies Security+ Guide to Network Security Fundamentals, 2e
Working with the Network Cable Plant • Cable plant: the physical infrastructure of a network (wire, connectors, and cables) that carries data communication signals between equipment • Three types of transmission media: • Coaxial cables • Twisted-pair cables • Fiber-optic cables
Coaxial Cables • Coaxial cable was the main type of copper cabling used in computer networks for many years • Has a single copper wire at its center surrounded by insulation and shielding • Called “coaxial” because the center conductor and the surrounding shield share a common axis • Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding
Coaxial Cables (continued) • Thin coaxial cable looks similar to the cable that carries a cable TV signal • A braided copper mesh surrounds the insulation, and an outer insulating jacket covers the whole cable • The copper mesh shields the core from electrical interference • BNC connectors: connectors used on the ends of a thin coaxial cable
Twisted-Pair Cables • The standard copper cabling used in computer networks today, having replaced thin coaxial cable • Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued) • Shielded twisted-pair (STP) cables have foil shielding inside the jacket to reduce interference • Unshielded twisted-pair (UTP) cables have no shielding • Shielding reduces electromagnetic interference; it does not stop someone with physical access from tapping the cable, which is why control of the cable plant matters (see Securing the Cable Plant) • Twisted-pair cables use RJ-45 connectors
Fiber-Optic Cables • Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal • Fiber-optic cable instead uses a very thin cylinder of glass (the core) at its center that transmits pulses of light • A glass tube (the cladding) surrounds the core • The core and cladding are protected by a jacket • Because fiber carries light rather than current, it emits no electromagnetic signal and is harder to tap unobtrusively than copper
Fiber-Optic Cables (continued) • Classified by the diameter of the core and the diameter of the cladding • Diameters are measured in microns; a micron is one-millionth of a meter, about 1/25,000 of an inch • Two types: • Single-mode fiber: a very narrow core carries a single light path; used when data must be transmitted over long distances • Multimode fiber: a wider core carries many light paths at once, typically generated by light-emitting diodes; used for shorter runs
Securing the Cable Plant • Cabling outside the protected network (the carrier's lines) is usually not the organization's primary security concern • The focus is on controlling access to the cable plant inside the internal network • An attacker who can plug into the internal cable plant has effectively bypassed the network security perimeter: the firewall never sees that traffic, and the attacker can launch attacks against internal systems at will
Securing the Cable Plant (continued) • Once on the wire, the attacker can capture packets as they travel through the network, which is known as sniffing; any protocol that sends credentials or data in cleartext exposes them • The hardware or software that performs such captures is called a sniffer • Physical security • First line of defense • Protects the equipment and infrastructure itself • Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it
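The sniffing risk described above, as an added example that is not from the Security+ text or its publisher: a Python decoder for one Ethernet/IPv4/TCP frame, applied to a frame the file constructs itself (there is no real capture). The hosts, MAC addresses and the FTP login inside the frame are made up. The point is that nothing in a frame is hidden from whoever can plug into the segment: the credentials come out of the TCP payload with a few lines of parsing.

```python
"""Decode one raw Ethernet/IPv4/TCP frame the way a sniffer on the cable plant would.

Added example, not from the Security+ text. The frame below is CONSTRUCTED in
this file (no real capture); it models a cleartext FTP login crossing an
internal segment. Checksums are left at zero because a passive sniffer never
needs them to be valid.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet II + IPv4 + TCP frame around `payload` (constructed test data)."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip_total_len = 20 + len(tcp)
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Return addresses, ports and the TCP payload of an Ethernet II frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes (honours options)
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4              # TCP header length in bytes (honours options)
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": tcp[data_offset:],
    }


def extract_ftp_login(payload: bytes) -> dict:
    """Pull USER/PASS commands out of a cleartext FTP control stream."""
    creds = {}
    for line in payload.decode("ascii", "replace").splitlines():
        cmd, _, arg = line.partition(" ")
        if cmd in ("USER", "PASS"):
            creds[cmd.lower()] = arg.strip()
    return creds


# Constructed sample: workstation 10.1.5.20 logging in to an internal FTP server at 10.1.5.2.
SAMPLE_FRAME = build_frame("10.1.5.20", "10.1.5.2", 40123, 21, b"USER alice\r\nPASS s3cret\r\n")

if __name__ == "__main__":
    fields = parse_frame(SAMPLE_FRAME)
    print(f"{fields['src_ip']}:{fields['src_port']} -> {fields['dst_ip']}:{fields['dst_port']}")
    print("credentials visible on the wire:", extract_ftp_login(fields["payload"]))
```

Run it as a script to print the endpoints and the recovered USER/PASS pair. The parser reads the IHL and TCP data-offset fields rather than assuming 20-byte headers, so it also handles frames carrying IP or TCP options; it does not verify checksums, since a passive capture tool has no need to.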
Securing Removable Media • Critical information stored on a file server can be protected through strong passwords, network security devices, antivirus software, and door locks • An employee copying that data to a floppy disk or CD and carrying it home poses two risks: • The storage media could be lost or stolen, compromising the information • A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network when the media is brought back
Magnetic Media • Record information by changing the magnetic orientation of particles on a platter • Floppy disks were some of the first magnetic media developed • The capacity of today’s 3 1/2-inch floppy disk is 1.44 MB • Hard drives contain several platters stacked in a sealed unit, each platter having its own head to read and write information • Magnetic tape drives record information serially, so access is sequential rather than random
Optical Media • Optical media use a different recording principle from magnetic media • A high-intensity laser burns tiny pits into the surface of the disc; the pattern of pits and unburned areas (lands) encodes the data, which a lower-power laser reads back • Capacity of optical discs varies by type • A Compact Disc-Recordable (CD-R) disc can hold up to 650 MB of data • CD-R is write-once: data cannot be changed once recorded
Optical Media (continued) • A Compact Disc-Rewritable (CD-RW) disc can be used to record data, erase it, and record again • A Digital Versatile Disc (DVD) can store much larger amounts of data • DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once, holding up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc
Electronic Media • Electronic media use flash memory for storage • Flash memory is solid-state storage: everything is electronic, with no moving or mechanical parts • SmartMedia cards range in capacity from 2 MB to 128 MB • The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick
Electronic Media (continued) • CompactFlash card • Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell • Comes in 3.3 mm (Type I) and 5 mm (Type II) thicknesses and stores between 8 MB and 192 MB of data • USB memory sticks are becoming very popular • Can hold between 8 MB and 1 GB
Keeping Removable Media Secure • Protecting removable media means making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers • Media coming back from outside should be scanned before its contents are opened, and sensitive data copied to media should be encrypted so that a lost or stolen disk does not expose the information
Hardening Network Devices • Each device connected to a network is a potential target of attack and must be properly protected • Network devices to be hardened fall into three categories: • Standard network devices • Communication devices • Network security devices
Hardening Standard Network Devices • A standard network device is a typical piece of equipment found on almost every network, such as a workstation, server, switch, or router • This equipment has basic security features that you can use to harden it
Workstations and Servers • Workstation: a personal computer attached to a network (also called a client) • Connected to a LAN and shares resources with other workstations and network equipment • Can be used independently of the network and can have its own applications installed • Server: a computer on the network dedicated to providing services (files, printing, e-mail, authentication) to the workstations • Basic steps to harden these systems are outlined in the textbook on page 152
Switches and Routers • Switch • Most commonly used in Ethernet LANs • Receives a frame from one device and forwards it only out the port where the destination address was learned, rather than to every port • Limits the collision domain (the part of the network on which multiple devices may attempt to send at the same time) • Because frames are delivered only to their destination port, a sniffer on another port of the switch normally sees only broadcast traffic and its own • A switch is used within a single network • Routers connect two or more networks to form a larger network
Switches and Routers (continued) • Switches and routers must also be protected against attacks • Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite • Software agents are loaded onto each network device to be managed
Switches and Routers (continued) • Each agent collects status and configuration variables for its device (interface counters, routing information, system identity) and stores them in its management information base (MIB) • A computer with SNMP management software (the SNMP management station) communicates with the agents on each network device and reads the data held in their MIBs • SNMP versions 1 and 2c authenticate requests with a community string sent in cleartext; a sniffer on the management path can read it, and a read-write community lets an attacker reconfigure the device, so SNMPv3 with authentication and encryption, non-default community strings, and restricting SNMP to the management station's address are standard controls • The textbook lists defensive controls for switches and routers on page 154
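As an added example (not the textbook's code) of why the community string is a sniffing target: the following Python builds an SNMPv1 GetRequest for sysDescr with a minimal BER encoder, then decodes it the way a sniffer would to recover the version and community. The message, community string and request ID are constructed here; OID 1.3.6.1.2.1.1.1.0 is the standard sysDescr object from MIB-II. The SNMPv3 header layout is only detected, not fully parsed.

```python
"""Encode and decode an SNMPv1 GetRequest to show what a sniffer sees.

Added example, not from the Security+ text. The message is built here with
a minimal BER encoder (constructed data, no network access).
"""

# ASN.1/BER tags used by SNMP messages
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER tag-length-value triple (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def encode_int(value: int) -> bytes:
    """BER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return tlv(INTEGER, body)


def encode_oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(OID, bytes(body))


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 GetRequest: the community string is an ordinary OCTET STRING, not encrypted."""
    varbind_list = tlv(SEQUENCE, tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + varbind_list)
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_header(message: bytes) -> dict:
    """Recover version, community string and PDU type from a captured SNMP message."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(body)
    ctag, second, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    ver = int.from_bytes(version, "big")
    return {
        "version": VERSION_NAMES.get(ver, str(ver)),
        # v1/v2c: second field is the community; v3: it is a msgGlobalData SEQUENCE instead
        "community": second.decode("ascii", "replace") if ctag == OCTET_STRING else None,
        "pdu_tag": pdu_tag,
        "cleartext_auth": ver in (0, 1),   # v3 authenticates (and can encrypt) the message
    }


# Constructed sample: a management station polling sysDescr with the default community "public".
SAMPLE_REQUEST = build_get_request("public", "1.3.6.1.2.1.1.1.0", request_id=42)

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(decode_header(SAMPLE_REQUEST))
```

Running it prints the hex of the 40-byte request, in which the ASCII of "public" is plainly visible, followed by the decoded header. The same decoder flags a v1 or v2c message as cleartext-authenticated, which is the check a monitoring script would apply to SNMP traffic seen leaving a management VLAN.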
Hardening Communication Devices • A second category of network devices is those that communicate over longer distances • Includes: • Modems • Remote access servers • Telecom/PBX systems • Mobile devices
Modems • Most common communication device • Broadband is increasing in popularity and provides connection speeds of 1.5 Mbps and higher • Two popular broadband technologies: • Digital Subscriber Line (DSL) transmits data at around 1.5 Mbps over regular telephone lines • Cable modem service uses the local cable television system
Modems (continued) • A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home • Because the cable segment is shared by a neighborhood, other users on it may be able to run a sniffer and view traffic • Another risk with DSL and cable modem connections is that they are always on: broadband is charged at a set monthly rate rather than by the minute of connect time, so the computer stays continuously reachable from the Internet instead of only while dialed in
Remote Access Servers • A set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN) • Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates the user and passes service requests to the network
Remote Access Servers (continued) • Remote access clients can run almost all network-based applications without modification • This is possible because remote access technology supports both drive letters and Universal Naming Convention (UNC) names • The minimum security features are listed in the textbook on page 158
Telecom/PBX Systems • PBX is the term for a Private Branch eXchange: a telephone switch owned and operated by the organization that connects its internal extensions to each other and, over a smaller number of trunk lines, to the public telephone network • The definition of a PBX comes from the words that make up its name: • Private: owned by the organization rather than the telephone company • Branch: a branch off the public telephone network • eXchange: a switch that connects calls
Mobile Devices • As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become targets for attackers • Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus to the device over an infrared or other wireless connection
Hardening Network Security Devices • The final category of network devices includes those designed and used strictly to protect the network • Includes: • Firewalls • Intrusion-detection systems • Network monitoring and diagnostic devices
Firewalls • Typically used to filter packets • Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter) • Typically located at the network security perimeter, between the internal network and the outside, as the first line of defense • Can be implemented in software or as a hardware appliance
Firewalls (continued) • A software firewall runs as a program on a local computer and protects only that computer (sometimes known as a personal firewall) • Enterprise firewalls are software firewalls that run on a dedicated device and protect an entire network instead of a single computer • One disadvantage of a software firewall is that it is only as strong as the operating system it runs on: a flaw in that OS undermines the firewall
Firewalls (continued) • Filter packets in one of two ways: • Stateless packet filtering: permits or denies each packet based strictly on the rule base and the packet's own headers, with no memory of earlier packets • Stateful packet filtering: records the state of each connection between an internal computer and an external server and makes decisions based on both the connection table and the rule base, so a packet that merely looks like a reply is admitted only if an internal host actually opened that connection • Can also perform content filtering to block access to undesirable Web sites
Firewalls (continued) • An application-layer firewall can defend against worms better than other kinds of firewalls • Reassembles and analyzes whole packet streams at the application layer instead of examining individual packets, so a malicious payload split across several packets is still recognizable
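The difference between stateless and stateful filtering described on the previous slide, as an added example (not the textbook's code): a Python model of both filters run over the same three constructed packets. The addresses, ports and the rule base ("inside hosts may open TCP connections to port 80 outside; only replies to those connections may come back in") are assumptions for illustration.

```python
"""Stateless vs. stateful packet filtering on the same packet sequence.

Added example, not from the Security+ text. Addresses, ports and the rule
base are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address block


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"}, {"SYN", "ACK"}


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """Judge each packet on its own headers only, as a stateless filter does.

    Return traffic has to be recognised somehow, and the only header clue is the
    ACK bit, so the rule base lets any outside packet with ACK set through.
    """
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return True
    if not is_inside(pkt.src) and "ACK" in pkt.flags:
        return True          # looks like a reply, but anyone can set the ACK bit
    return False


class StatefulFilter:
    """Track connections that inside hosts opened; admit only matching replies."""

    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and pkt.dport == 80:
                self.connections.add(key)     # new outbound connection: record it
                return True
            return key in self.connections   # later outbound packets of a tracked flow
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            if "RST" in pkt.flags:
                self.connections.discard(key)  # peer aborted; real trackers also age entries out
            return True
        return False                           # no inside host asked for this: drop


def run_scenario():
    """Return (stateless, stateful) verdicts for a constructed packet sequence."""
    packets = [
        # 1. inside host opens a web connection
        Packet("10.1.5.20", 40123, "203.0.113.10", 80, frozenset({"SYN"})),
        # 2. genuine reply from the web server
        Packet("203.0.113.10", 80, "10.1.5.20", 40123, frozenset({"SYN", "ACK"})),
        # 3. outsider sends a bare ACK at a file-sharing port nobody inside contacted
        Packet("198.51.100.7", 4444, "10.1.5.20", 445, frozenset({"ACK"})),
    ]
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]


if __name__ == "__main__":
    for i, (sl, sf) in enumerate(run_scenario(), 1):
        print(f"packet {i}: stateless={'pass' if sl else 'drop'} stateful={'pass' if sf else 'drop'}")
```

The third packet is the instructive one: the stateless rule base passes it because its ACK bit makes it look like return traffic, while the stateful filter drops it because no inside host has a connection to 198.51.100.7. This is exactly the gap the "established" heuristic of a stateless filter leaves open.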
Intrusion-Detection Systems (IDSs) • Devices or software that monitor a host or network for signs of attack and report or react to them • An active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to its source • Installed on the server or, in some instances, on all computers on the network • A passive IDS sends information about what happened (an alert or log entry) but does not take action itself
Intrusion-Detection Systems (IDSs) (continued) • A host-based IDS monitors critical operating system files and the computer’s processor activity and memory, and scans event logs for signs of suspicious activity • A network-based IDS monitors all network traffic instead of only the activity on one computer • Typically located just behind the firewall • Other IDS systems are behavior-based rather than matching known attack signatures: • Watch network activity and report anything abnormal • Catch attacks for which no signature exists, but result in many false alarms, which makes automatic (active) responses risky
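The host-based, signature-versus-behavior and passive-versus-active distinctions above, as an added example that is not from the Security+ text: a small Python log analyzer with one signature rule and one behavior rule, run over event-log lines constructed to look like sshd authentication messages. The threshold (3 failures within 60 seconds), the signature, the hosts and the user names are illustrative choices, not values from the book.

```python
"""Signature and behaviour rules over constructed host log lines, passive vs. active response.

Added example, not from the Security+ text. The log lines are made up to
look like sshd authentication events; the thresholds and the signature are
illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a brute-force attempt from outside, then a user mistyping her password.
SAMPLE_LOG = """\
2004-03-01T10:00:01 sshd[210]: Failed password for root from 198.51.100.7 port 5000
2004-03-01T10:00:02 sshd[211]: Failed password for root from 198.51.100.7 port 5001
2004-03-01T10:00:03 sshd[212]: Failed password for admin from 198.51.100.7 port 5002
2004-03-01T10:00:04 sshd[213]: Failed password for oracle from 198.51.100.7 port 5003
2004-03-01T10:05:00 sshd[220]: Failed password for alice from 10.1.5.20 port 40100
2004-03-01T10:05:07 sshd[221]: Failed password for alice from 10.1.5.20 port 40101
2004-03-01T10:05:15 sshd[222]: Failed password for alice from 10.1.5.20 port 40102
2004-03-01T10:05:20 sshd[223]: Accepted password for alice from 10.1.5.20 port 40103
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WINDOW = timedelta(seconds=60)
THRESHOLD = 3


def parse(log: str):
    """Yield (timestamp, outcome, user, source) for every line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src


def detect(log: str) -> list:
    """Run one signature rule and one behaviour rule; return (kind, source, detail) alerts in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # source -> timestamps of failures inside the window
    already_flagged = set()
    for ts, outcome, user, src in parse(log):
        # Signature rule: a known-bad pattern matched line by line (direct root login attempts).
        if outcome == "Failed" and user == "root":
            alerts.append(("signature", src, f"root login attempt at {ts.time()}"))
        # Behaviour rule: more failures from one source in a short window than normal use produces.
        if outcome == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("behaviour", src, f"{len(q)} failures within {WINDOW.seconds}s"))
    return alerts


def passive_response(alerts: list) -> list:
    """Passive IDS: report what happened, take no action."""
    return [f"ALERT {kind} from {src}: {detail}" for kind, src, detail in alerts]


def active_response(alerts: list) -> set:
    """Active IDS: act on the alert; here, pick sources to block at the firewall."""
    return {src for kind, src, _ in alerts if kind == "behaviour"}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print("\n".join(passive_response(found)))
    print("active response would block:", sorted(active_response(found)))
```

The signature rule fires only on the attacker's root attempts. The behaviour rule fires on the attacker too, but also on 10.1.5.20, where alice mistyped her password three times and then logged in successfully: that is the false alarm the slide warns about, and the active response would have cut off a legitimate workstation. A passive IDS leaves that judgement to an analyst.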
Network Monitoring and Diagnostic Devices • SNMP enables network administrators to: • Monitor network performance • Find and solve network problems • Plan for network growth • Managed device: • A network device that contains an SNMP agent • Collects and stores management information and makes it available to SNMP management stations
Designing Network Topologies • Topology: the physical layout of the network devices, how they are interconnected, and how they communicate • Essential to establishing the network's security • Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and its users
Security Zones • One of the keys to mapping the topology of a network is to separate secure users from outsiders through: • Demilitarized zones (DMZs) • Intranets • Extranets
Demilitarized Zones (DMZs) • Separate networks that sit outside the secure network perimeter • Outside users can access the DMZ, but cannot enter the secure network • For extra security, some networks use a DMZ with two firewalls, one between the Internet and the DMZ and one between the DMZ and the internal network • Servers that must be reachable from outside belong in the DMZ, so that compromising one of them does not give the attacker a foothold on the internal network: • Web servers • E-mail servers • Remote access servers • FTP servers
Intranets • Networks that use the same protocols as the public Internet, but are accessible only to trusted inside users • Disadvantage is that an intranet alone gives trusted users who are away from the office no access to its information
Extranets • Sometimes called a cross between the Internet and an intranet • Accessible to trusted external users, not only to trusted internal users • Not accessible to the general public, but allows vendors and business partners to reach a company Web site or application
Network Address Translation (NAT) • “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) • Hides the IP addresses of internal network devices from outside attackers: the NAT device rewrites the source address of outgoing packets to its own public address and maps the replies back • Internal computers are assigned special IP addresses known as private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), which are not routed on the public Internet
Network Address Translation (NAT) (continued) • These private addresses are not assigned to any specific user or organization; anyone can use them on their own internal network • Port address translation (PAT) is a variation of NAT in which many internal computers share one public IP address • Each outgoing connection is given the same public IP address but a different source port number, and the NAT device uses that port to deliver replies to the right internal host • An unsolicited packet from outside matches no mapping, so it is dropped; traffic an internal host invited is still forwarded, so NAT complements a firewall rather than replacing one
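The PAT mechanism just described, as an added example (not the textbook's code): a Python translator that rewrites outbound flows from two private hosts onto one public address with distinct ports, maps a reply back, and drops an unsolicited probe because no mapping matches it. The addresses are documentation ranges (RFC 1918 inside, RFC 5737 outside), and the port allocator, starting at 1024, is an assumption; real gateways also age mappings out and handle UDP and ICMP.

```python
"""Port address translation (PAT) on constructed traffic.

Added example, not from the Security+ text. Addresses and the starting
port are assumptions chosen for illustration.
"""
import ipaddress

# RFC 1918 private ranges: not routed on the public Internet, usable by anyone internally.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_RANGES)


class PortAddressTranslator:
    """Many inside hosts share one public address; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        if is_private(public_ip):
            raise ValueError("the outside address must be publicly routable")
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (in_ip, in_port, out_ip, out_port) -> public port
        self.inbound_map = {}    # (public port, out_ip, out_port) -> (in_ip, in_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside packet's source; create the mapping on first use."""
        if not is_private(src_ip):
            raise ValueError("only inside hosts are translated")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Map a packet arriving at the public address back to an inside host, or None to drop."""
        return self.inbound_map.get((dst_port, src_ip, src_port))


def run_scenario():
    """Two inside hosts reach the same web server; a genuine reply and an unsolicited probe arrive."""
    nat = PortAddressTranslator("203.0.113.1")
    a = nat.translate_outbound("192.168.1.10", 50000, "203.0.113.10", 80)
    b = nat.translate_outbound("192.168.1.11", 50000, "203.0.113.10", 80)   # same inside port, different public port
    reply = nat.translate_inbound("203.0.113.10", 80, b[1])                   # reply to host .11
    probe = nat.translate_inbound("198.51.100.7", 4444, a[1])                 # nobody inside asked for this
    return {"a": a, "b": b, "reply": reply, "probe": probe}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Both inside hosts used source port 50000, so the public port (1024 versus 1025) is what keeps their replies apart. The probe is dropped even though it targets an allocated public port, because the mapping is keyed on the outside peer too; but note that the web server at 203.0.113.10 could send anything it likes back through its mapping, which is why NAT hides hosts without filtering what invited peers send.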
Honeypots • Computers, usually located in a DMZ, loaded with software and data files that appear authentic • Intended to trap or trick attackers • Two-fold purpose: • To direct an attacker’s attention away from the real servers on the network • To examine the techniques attackers use • A honeypot must be isolated from the production network, since an attacker who compromises it will try to use it as a stepping stone