1 / 56

Chapter 5: Securing the Network Infrastructure

Chapter 5: Securing the Network Infrastructure. Security+ Guide to Network Security Fundamentals Second Edition. Objectives. Work with the network cable plant Secure removable media Harden network devices Design network topologies. Working with the Network Cable Plant.

porter
Download Presentation

Chapter 5: Securing the Network Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 5: Securing the Network Infrastructure Security+ Guide to Network Security Fundamentals Second Edition

  2. Objectives • Work with the network cable plant • Secure removable media • Harden network devices • Design network topologies Security+ Guide to Network Security Fundamentals, 2e

  3. Working with the Network Cable Plant • Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment • Three types of transmission media: • Coaxial cables • Twisted-pair cables • Fiber-optic cables Security+ Guide to Network Security Fundamentals, 2e

  4. Coaxial Cables • Coaxial cable was main type of copper cabling used in computer networks for many years • Has a single copper wire at its center surrounded by insulation and shielding • Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding • Thick coaxial cable has a copper wire in center surrounded by a thick layer of insulation that is covered with braided metal shielding Security+ Guide to Network Security Fundamentals, 2e

  5. Coaxial Cables (continued) • Thin coaxial cable looks similar to the cable that carries a cable TV signal • A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself • The copper mesh channel protects the core from interference • BNC connectors: connectors used on the ends of a thin coaxial cable Security+ Guide to Network Security Fundamentals, 2e

  6. Coaxial Cables (continued) Security+ Guide to Network Security Fundamentals, 2e

  7. Twisted-Pair Cables • Standard for copper cabling used in computer networks today, replacing thin coaxial cable • Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket Security+ Guide to Network Security Fundamentals, 2e

  8. Twisted-Pair Cables (continued) • Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference • Unshielded twisted-pair (UTP) cables do not have any shielding • Twisted-pair cables have RJ-45 connectors Security+ Guide to Network Security Fundamentals, 2e

  9. Fiber-Optic Cables • Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal • Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper that transmit light impulses • A glass tube (cladding) surrounds the core • The core and cladding are protected by a jacket Security+ Guide to Network Security Fundamentals, 2e

  10. Fiber-Optic Cables (continued) • Classified by the diameter of the core and the diameter of the cladding • Diameters are measured in microns, each is about 1/25,000 of an inch or one-millionth of a meter • Two types: • Single-mode fiber cables: used when data must be transmitted over long distances • Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes Security+ Guide to Network Security Fundamentals, 2e

  11. Securing the Cable Plant • Securing cabling outside the protected network is not the primary security issue for most organizations • Focus is on protecting access to the cable plant in the internal network • An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will Security+ Guide to Network Security Fundamentals, 2e

  12. Securing the Cable Plant (continued) • The attacker can capture packets as they travel through the network by sniffing • The hardware or software that performs such functions is called a sniffer • Physical security • First line of defense • Protects the equipment and infrastructure itself • Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it Security+ Guide to Network Security Fundamentals, 2e

  13. Securing Removable Media • Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks • An employee copying data to a floppy disk or CD and carrying it home poses two risks: • Storage media could be lost or stolen, compromising the information • A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network Security+ Guide to Network Security Fundamentals, 2e

  14. Magnetic Media • Record information by changing the magnetic direction of particles on a platter • Floppy disks were some of the first magnetic media developed • The capacity of today’s 3 1/2-inch disks are 14 MB • Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information • Magnetic tape drives record information in a serial fashion Security+ Guide to Network Security Fundamentals, 2e

  15. Optical Media • Optical media use a principle for recording information different from magnetic media • A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero • Capacity of optical discs varies by type • A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data • Data cannot be changed once recorded Security+ Guide to Network Security Fundamentals, 2e

  16. Optical Media (continued) • A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again • A Digital Versatile Disc (DVD) can store much larger amounts of data • DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 395 GB on a single-sided disc and 79 GB on a double-sided disc Security+ Guide to Network Security Fundamentals, 2e

  17. Electronic Media • Electronic media use flash memory for storage • Flash memory is a solid state storage device―everything is electronic, with no moving or mechanical parts • SmartMedia cards range in capacity from 2 MB to 128 MB • The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick Security+ Guide to Network Security Fundamentals, 2e

  18. Electronic Media (continued) • CompactFlash card • Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell • Come in 33 mm and 55 mm thicknesses and store between 8MB and 192 MB of data • USB memory stick is becoming very popular • Can hold between 8 MB and 1 GB of memory Security+ Guide to Network Security Fundamentals, 2e

  19. Keeping Removable Media Secure • Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers Security+ Guide to Network Security Fundamentals, 2e

  20. Hardening Network Devices • Each device that is connected to a network is a potential target of an attack and must be properly protected • Network devices to be hardened categorized as: • Standard network devices • Communication devices • Network security devices Security+ Guide to Network Security Fundamentals, 2e

  21. Hardening Standard Network Devices • A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router • This equipment has basic security features that you can use to harden the devices Security+ Guide to Network Security Fundamentals, 2e

  22. Workstations and Servers • Workstation: personal computer attached to a network (also called a client) • Connected to a LAN and shares resources with other workstations and network equipment • Can be used independently of the network and can have their own applications installed • Server: computer on a network dedicated to managing and controlling the network • Basic steps to harden these systems are outlined on page 152 Security+ Guide to Network Security Fundamentals, 2e

  23. Switches and Routers • Switch • Most commonly used in Ethernet LANs • Receives a packet from one network device and sends it to the destination device only • Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously) • A switch is used within a single network • Routers connect two or more single networks to form a larger network Security+ Guide to Network Security Fundamentals, 2e

  24. Switches and Routers (continued) • Switches and routers must also be protected against attacks • Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite • Software agents are loaded onto each network device to be managed Security+ Guide to Network Security Fundamentals, 2e

  25. Switches and Routers (continued) • Each agent monitors network traffic and stores that information in its management information base (MIB) • A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs • Page 154 lists defensive controls that can be set for switches and routers Security+ Guide to Network Security Fundamentals, 2e

  26. Hardening Communication Devices • A second category of network devices are those that communicate over longer distances • Include: • Modems • Remote access servers • Telecom/PBX Systems • Mobile devices Security+ Guide to Network Security Fundamentals, 2e

  27. Modems • Most common communication device • Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher • Two popular broadband technologies: • Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines • Another broadband technology uses the local cable television system Security+ Guide to Network Security Fundamentals, 2e

  28. Modems (continued) • A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home • Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic • Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time Security+ Guide to Network Security Fundamentals, 2e

  29. Remote Access Servers • Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN) • Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network Security+ Guide to Network Security Fundamentals, 2e

  30. Remote Access Servers (continued) Security+ Guide to Network Security Fundamentals, 2e

  31. Remote Access Servers (continued) • Remote access clients can run almost all network-based applications without modification • Possible because remote access technology supports both drive letters and universal naming convention (UNC) names • Minimum security features are listed on page 158 Security+ Guide to Network Security Fundamentals, 2e

  32. Telecom/PBX Systems • Term used to describe a Private Branch eXchange • The definition of a PBX comes from the words that make up its name: • Private • Branch • eXchange Security+ Guide to Network Security Fundamentals, 2e

  33. Mobile Devices • As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers • Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection Security+ Guide to Network Security Fundamentals, 2e

  34. Hardening Network Security Devices • The final category of network devices includes those designed and used strictly to protect the network • Include: • Firewalls • Intrusion-detection systems • Network monitoring and diagnostic devices Security+ Guide to Network Security Fundamentals, 2e

  35. Firewalls • Typically used to filter packets • Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter) • Typically located outside the network security perimeter as first line of defense • Can be software or hardware configurations Security+ Guide to Network Security Fundamentals, 2e

  36. Firewalls (continued) • Software firewall runs as a program on a local computer (sometimes known as a personal firewall) • Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer • One disadvantage is that it is only as strong as the operating system of the computer Security+ Guide to Network Security Fundamentals, 2e

  37. Firewalls (continued) • Filter packets in one of two ways: • Stateless packet filtering: permits or denies each packet based strictly on the rule base • Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base • Can perform content filtering to block access to undesirable Web sites Security+ Guide to Network Security Fundamentals, 2e

  38. Firewalls (continued) • An application layer firewall can defend against worms better than other kinds of firewalls • Reassembles and analyzes packet streams instead of examining individual packets Security+ Guide to Network Security Fundamentals, 2e

  39. Intrusion-Detection Systems (IDSs) • Devices that establish and maintain network security • Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source • Installed on the server or, in some instances, on all computers on the network • Passive IDS sends information about what happened, but does not take action Security+ Guide to Network Security Fundamentals, 2e

  40. Intrusion-Detection Systems (IDSs) (continued) • Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity • Network-based IDS monitors all network traffic instead of only the activity on a computer • Typically located just behind the firewall • Other IDS systems are based on behavior: • Watch network activity and report abnormal behavior • Result in many false alarms Security+ Guide to Network Security Fundamentals, 2e

  41. Network Monitoring and Diagnostic Devices • SNMP enables network administrators to: • Monitor network performance • Find and solve network problems • Plan for network growth • Managed device: • Network device that contains an SNMP agent • Collects and stores management information and makes it available to SNMP Security+ Guide to Network Security Fundamentals, 2e

  42. Designing Network Topologies • Topology: physical layout of the network devices, how they are interconnected, and how they communicate • Essential to establishing its security • Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users Security+ Guide to Network Security Fundamentals, 2e

  43. Security Zones • One of the keys to mapping the topology of a network is to separate secure users from outsiders through: • Demilitarized Zones (DMZs) • Intranets • Extranets Security+ Guide to Network Security Fundamentals, 2e

  44. Demilitarized Zones (DMZs) • Separate networks that sit outside the secure network perimeter • Outside users can access the DMZ, but cannot enter the secure network • For extra security, some networks use a DMZ with two firewalls • The types of servers that should be located in the DMZ include: • Web servers – E-mail servers • Remote access servers – FTP servers Security+ Guide to Network Security Fundamentals, 2e

  45. Demilitarized Zones (DMZs) (continued) Security+ Guide to Network Security Fundamentals, 2e

  46. Intranets • Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users • Disadvantage is that it does not allow remote trusted users access to information Security+ Guide to Network Security Fundamentals, 2e

  47. Extranets • Sometimes called a cross between the Internet and an intranet • Accessible to users that are not trusted internal users, but trusted external users • Not accessible to the general public, but allows vendors and business partners to access a company Web site Security+ Guide to Network Security Fundamentals, 2e

  48. Network Address Translation (NAT) • “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems • Hides the IP addresses of network devices from attackers • Computers are assigned special IP addresses (known as private addresses) Security+ Guide to Network Security Fundamentals, 2e

  49. Network Address Translation (NAT) (continued) • These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network • Port address translation (PAT) is a variation of NAT • Each packet is given the same IP address, but a different TCP port number Security+ Guide to Network Security Fundamentals, 2e

  50. Honeypots • Computers located in a DMZ loaded with software and data files that appear to be authentic • Intended to trap or trick attackers • Two-fold purpose: • To direct attacker’s attention away from real servers on the network • To examine techniques used by attackers Security+ Guide to Network Security Fundamentals, 2e

More Related