Security Basics - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Security Basics' - ursula-ball

Presentation Transcript

Security Basics

Security+ Guide to Network Security Fundamentals

Second Edition

Objectives
  • Identify who is responsible for information security
  • Describe security principles
  • Use effective authentication methods
  • Control access to computer systems
  • Audit information security schemes
  • Security Baseline
    • Disable nonessential systems
    • Harden operating systems
    • Harden applications
    • Harden networks

Security+ Guide to Network Security Fundamentals, 2e

Identifying Who Is Responsible for Information Security
  • When an organization secures its information, it completes a few basic tasks:
    • It must analyze its assets and the threats these assets face from threat agents
    • It identifies its vulnerabilities and how they might be exploited
    • It regularly assesses and reviews the security policy to ensure it is adequately protecting its information
    • Who will do this job?
    • Bottom up approach? or Top down approach?

Identifying Who Is Responsible for Information Security (continued)
  • Bottom-up approach: major tasks of securing information are accomplished from the lower levels of the organization upwards
  • This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information

Identifying Who Is Responsible for Information Security (continued)
  • Top-down approach starts at the highest levels of the organization and works its way down
  • A security plan initiated by top-level managers has the backing to make the plan work

Identifying Who Is Responsible for Information Security (continued)
  • Chief information security officer (CISO): helps develop the security plan and ensures it is carried out
  • Human firewall: describes the security-enforcing role of each employee

Understanding Security Principles
  • Ways information can be attacked:
    • Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet
    • Spies can use social engineering
    • Employees can guess other users’ passwords
    • Hackers can create back doors
  • Protecting against the wide range of attacks calls for a wide range of defense mechanisms

Layering
  • Why layering?
  • Layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to thwart a variety of attacks
  • Information security likewise must be created in layers
  • All the security layers must be properly coordinated to be effective

Limiting
  • Limiting access to information reduces the threat against it
  • Only those who must use data should have access to it
  • Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)
  • The amount of access granted to someone should be limited to what that person needs to know or do

Diversity
  • Diversity is closely related to layering
  • You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers
  • Using diverse layers of defense means that breaching one security layer does not compromise the whole system

Diversity (continued)
  • You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic
  • Using firewalls produced by different vendors creates even greater diversity

Obscurity
  • Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior make attacks from the outside difficult

Simplicity
  • Complex security systems can be difficult to understand, troubleshoot, and feel secure about
  • The challenge is to make the system simple from the inside but complex from the outside

Using Effective Authentication Methods
  • Information security rests on three key pillars:
    • Authentication
    • Access control
    • Auditing

Using Effective Authentication Methods (continued)
  • Authentication:
    • Process of proving identity
    • Can be classified into three main categories:
      • what you know,
      • what you have,
      • what you are
    • Most common method: providing a user with a unique username and a secret password

Username and Password (continued)
  • ID management:
    • User’s single authenticated ID is shared across multiple networks or online businesses
    • Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)
    • Can be for users and for computers that share data

Tokens
  • Token: security device that authenticates the user by having the appropriate permission embedded into the token itself
  • Passwords are based on what you know, tokens are based on what you have
  • Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal

Biometrics
  • Uses a person’s unique characteristics to authenticate them
  • Is an example of authentication based on what you are
  • Human characteristics that can be used for identification include:
    • Fingerprint
    • Face
    • Hand
    • Iris
    • Retina
    • Voice

Certificates
  • The key system by itself does not prove that the senders are actually who they claim to be
  • Certificates let the receiver verify who sent the message
  • Certificates link or bind a specific person to a key
  • Digital certificates are issued by a certification authority (CA), an independent third-party organization

Kerberos
  • Authentication system developed by the Massachusetts Institute of Technology (MIT)
  • Used to verify the identity of networked users, like using a driver’s license to cash a check
  • Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is

Kerberos (continued)
  • A state agency, such as the DMV, issues a driver’s license that has these characteristics:
    • It is difficult to copy
    • It contains specific information (name, address, height, etc.)
    • It lists restrictions (must wear corrective lenses, etc.)
    • It expires on a specified date
  • The user is provided a ticket that is issued by the Kerberos authentication server (AS), much as a driver’s license is issued by the DMV

Challenge Handshake Authentication Protocol (CHAP)
  • Considered a more secure procedure for connecting to a system than using a password
    • User enters a password and connects to a server; server sends a challenge message to user’s computer
    • User’s computer receives message and uses a specific algorithm to create a response sent back to the server
    • Server checks response by comparing it to its own calculation of the expected value; if values match, authentication is acknowledged; otherwise, connection is terminated

Mutual Authentication
  • Two-way authentication (mutual authentication) can be used to combat identity attacks, such as man-in-the-middle and replay attacks
  • The server authenticates the user through a password, tokens, or other means
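The CHAP exchange described on the CHAP slide, and its two-way form on this slide, as an added example that is not code from the slides or the textbook: `Authenticator`, `Peer`, the peer names and the secrets are constructed; the response value is computed as RFC 1994 specifies, MD5 over identifier, shared secret and challenge.

```python
"""CHAP challenge/response and mutual authentication (added example).

Follows RFC 1994: the authenticator sends a random challenge, the peer
answers with MD5(identifier || shared secret || challenge), and the
authenticator recomputes the value and compares.  The secret itself is
never transmitted, and each challenge is single-use, so a captured
response cannot be replayed.  The second half runs the exchange in both
directions (mutual authentication).  Names and secrets are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5 over Identifier + secret + Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """Issues challenges and checks responses.  It must hold each peer's
    secret in clear text, an inherent property of CHAP."""
    secrets: dict                                   # peer name -> secret
    pending: dict = field(default_factory=dict)     # identifier -> challenge

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)                      # fresh random challenge
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


@dataclass
class Peer:
    """Proves knowledge of the secret without ever sending it."""
    name: str
    secret: bytes

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def one_way_chap(auth: Authenticator, peer: Peer, identifier: int = 1) -> bool:
    """Challenge -> Response -> Success/Failure, as on the CHAP slide."""
    chal = auth.challenge(identifier)
    resp = peer.respond(identifier, chal)
    return auth.verify(identifier, peer.name, resp)


def replay_check(secret: bytes = b"s3cret") -> tuple:
    """Returns (first_attempt_ok, replayed_response_ok)."""
    auth = Authenticator({"alice": secret})
    alice = Peer("alice", secret)
    chal = auth.challenge(1)
    captured = alice.respond(1, chal)          # what an eavesdropper would see
    first_ok = auth.verify(1, "alice", captured)
    auth.challenge(1)                          # server issues a new challenge
    replay_ok = auth.verify(1, "alice", captured)
    return first_ok, replay_ok


def mutual_chap(client_name: str, server_name: str,
                client_view: bytes, server_view: bytes) -> tuple:
    """Each side challenges the other.  client_view / server_view are the
    secret each side holds.  Returns (server_accepts_client,
    client_accepts_server); an impostor without the secret fails both."""
    server = Authenticator({client_name: server_view})
    client = Authenticator({server_name: client_view})
    server_ok = one_way_chap(server, Peer(client_name, client_view), 1)
    client_ok = one_way_chap(client, Peer(server_name, server_view), 2)
    return server_ok, client_ok


if __name__ == "__main__":
    print("one-way:", one_way_chap(Authenticator({"alice": b"s3cret"}), Peer("alice", b"s3cret")))
    print("replay (first, replayed):", replay_check())
    print("mutual, shared secret:", mutual_chap("alice", "vpn-gw", b"k", b"k"))
    print("mutual, impostor server:", mutual_chap("alice", "vpn-gw", b"k", b"guess"))
```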

Multifactor Authentication
  • Multifactor authentication: implementing two or more types of authentication
  • Being strongly proposed to verify authentication of cell phone users who use their phones to purchase goods and services

Controlling Access to Computer Systems
  • Restrictions to user access are stored in an access control list (ACL)
  • An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

Controlling Access to Computer Systems (continued)
  • In Microsoft Windows, an ACL has one or more access control entries (ACEs), each naming a subject or group of subjects and the access it is allowed or denied
  • Inherited rights: user rights based on membership in a group
  • Review pages 85 and 86 for basic folder and file permissions in a Windows Server 2003 system

Mandatory Access Control (MAC)
  • A more restrictive model
  • The subject is not allowed to give access to another subject to use an object

Role Based Access Control (RBAC)
  • Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role
  • Users and objects inherit all of the permissions for the role

Discretionary Access Control (DAC)
  • Least restrictive model
  • One subject can adjust the permissions for other subjects over objects
  • Type of access most users associate with their personal computers
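The ACL/ACE, inherited-rights, RBAC, MAC and DAC concepts from the preceding slides in one runnable model, added here as an example rather than taken from the slides or the textbook; the class and field names, the labels in `LEVELS` and the `secadmin` account are assumptions.

```python
"""ACL with group-inherited rights, RBAC roles, and DAC versus MAC
(added example).  Subjects, groups, roles, labels and objects are
constructed; this is not code from the slides or the textbook.
"""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"
# MAC sensitivity labels, lowest to highest (constructed)
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Ace:
    """One access control entry: a subject (user or group) and rights."""
    subject: str
    rights: frozenset
    allow: bool = True        # False is an explicit deny, which wins over allow


@dataclass
class Obj:
    """A system object such as a file, with its ACL and (for MAC) a label."""
    name: str
    owner: str
    label: str = "public"
    acl: list = field(default_factory=list)


class AccessControl:
    def __init__(self, model: str = "DAC", admin: str = "secadmin"):
        if model not in ("DAC", "MAC"):
            raise ValueError("model must be DAC or MAC")
        self.model, self.admin = model, admin
        self.groups = {}        # group -> set of users
        self.roles = {}         # role -> {object name: frozenset of rights}
        self.user_roles = {}    # user -> set of roles
        self.clearance = {}     # user -> label (MAC only)

    def identities(self, user: str) -> set:
        """The user plus every group the user belongs to (inherited rights)."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def acl_rights(self, user: str, obj: Obj) -> set:
        ids = self.identities(user)
        allowed, denied = set(), set()
        for ace in obj.acl:
            if ace.subject in ids:
                (allowed if ace.allow else denied).update(ace.rights)
        return allowed - denied

    def role_rights(self, user: str, obj: Obj) -> set:
        """RBAC: the user inherits every permission granted to its roles."""
        rights = set()
        for role in self.user_roles.get(user, ()):
            rights |= self.roles.get(role, {}).get(obj.name, frozenset())
        return rights

    def effective_rights(self, user: str, obj: Obj) -> set:
        rights = self.acl_rights(user, obj) | self.role_rights(user, obj)
        if self.model == "MAC":
            # Label check: a subject may touch only objects at or below its
            # clearance, regardless of what any ACE or role says.
            if LEVELS[self.clearance.get(user, "public")] < LEVELS[obj.label]:
                return set()
        return rights

    def grant(self, by: str, obj: Obj, ace: Ace) -> None:
        """DAC: the owner decides who gets access.  MAC: only the security
        administrator may change access; subjects cannot pass it on."""
        if self.model == "DAC" and by != obj.owner:
            raise PermissionError(f"{by} does not own {obj.name}")
        if self.model == "MAC" and by != self.admin:
            raise PermissionError("MAC: only the security administrator changes access")
        obj.acl.append(ace)


def grant_allowed(ac: AccessControl, by: str, obj: Obj, ace: Ace) -> bool:
    """True if the model lets `by` add this ACE, False if it was refused."""
    try:
        ac.grant(by, obj, ace)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    dac = AccessControl("DAC")
    dac.groups["finance"] = {"alice", "bob"}
    report = Obj("q3-report.xlsx", owner="alice")
    dac.grant("alice", report, Ace("finance", frozenset({READ, WRITE})))
    dac.grant("alice", report, Ace("bob", frozenset({WRITE}), allow=False))
    for user in ("alice", "bob", "carol"):
        print(user, sorted(dac.effective_rights(user, report)))
```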

Homework 3
  • Kerberos is one of the more secure authentication techniques in use today. Research how Kerberos functions, where it is used, and what its strengths and weaknesses are. Write a one-page paper on your findings.
  • Due date 10/12

Auditing Information Security Schemes
  • Two ways to audit a security system
    • Logging records which user performed a specific activity and when
    • System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences
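Both audit methods on this slide, run over constructed data as an added example (not the slides' or the textbook's code): the log line format, the baseline in `EXPECTED` and the scan result in `ACTUAL` are assumptions.

```python
"""Two audit checks (added example): logging answers "which user did
what, and when"; permission scanning compares the rights actually
assigned with an expected baseline and reports the differences.
All log lines, baselines and scan results below are constructed.
"""
import re
from datetime import datetime

# Constructed sample log in a simple key=value format; the last line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2024-03-01 08:02:11 user=alice action=read object=/finance/q3.xlsx result=success
2024-03-01 08:05:42 user=bob action=write object=/finance/q3.xlsx result=denied
2024-03-01 09:17:03 user=bob action=write object=/finance/q3.xlsx result=denied
2024-03-01 09:17:09 user=bob action=write object=/finance/q3.xlsx result=success
2024-03-01 11:40:00 user=carol action=delete object=/hr/salaries.csv result=success
this line is not a valid record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def activity_of(events: list, user: str, action: str = None) -> list:
    """Who did what, when: (timestamp, object, result) for one user."""
    return [(e["ts"].strftime("%Y-%m-%d %H:%M:%S"), e["obj"], e["result"])
            for e in events
            if e["user"] == user and (action is None or e["action"] == action)]


def denied_then_success(events: list) -> list:
    """Subjects whose denied attempt is later followed by success on the
    same action and object: either their rights changed or the control
    was bypassed, so an auditor should look at that permission."""
    seen_denied, flagged = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["action"], e["obj"])
        if e["result"] == "denied":
            seen_denied.add(key)
        elif e["result"] == "success" and key in seen_denied and key not in flagged:
            flagged.append(key)
    return flagged


# Expected baseline: (subject, object) -> rights that should be assigned.
EXPECTED = {
    ("alice", "/finance/q3.xlsx"): {"read", "write"},
    ("bob", "/finance/q3.xlsx"): {"read"},
    ("carol", "/hr/salaries.csv"): {"read"},
}
# What a scan of the system actually found (constructed).
ACTUAL = {
    ("alice", "/finance/q3.xlsx"): {"read", "write"},
    ("bob", "/finance/q3.xlsx"): {"read", "write"},
    ("carol", "/hr/salaries.csv"): {"read", "delete"},
    ("dave", "/hr/salaries.csv"): {"read"},
}


def scan_permissions(actual: dict, expected: dict) -> list:
    """Differences between assigned and expected rights, one entry per
    (subject, object) pair that deviates from the baseline."""
    diffs = []
    for key in sorted(set(actual) | set(expected)):
        have, want = actual.get(key, set()), expected.get(key, set())
        if have != want:
            diffs.append({"subject": key[0], "object": key[1],
                          "extra": sorted(have - want), "missing": sorted(want - have)})
    return diffs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bob's writes:", activity_of(evs, "bob", "write"))
    print("denied then success:", denied_then_success(evs))
    for d in scan_permissions(ACTUAL, EXPECTED):
        print(d)
```

The log review and the permission scan corroborate each other here: bob's write that succeeded after two denials shows up in the scan as an extra `write` right that the baseline never granted.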

Disabling Nonessential Systems
  • First step in establishing a defense against computer attacks is to turn off all nonessential systems
  • The background program waits in the computer’s random access memory (RAM) until the user presses a specific combination of keys (a hot key), such as Ctrl+Shift+P
  • Then, the idling program springs to life

Disabling Nonessential Systems (continued)
  • Early terminate-and-stay-resident (TSR) programs performed functions such as displaying an instant calculator, small notepad, or address book
  • In Microsoft Windows, a background program, such as Svchost.exe, is called a process
  • The process provides a service to the operating system indicated by the service name, such as AppMgmt

Disabling Nonessential Systems (continued)
  • Users can view the display name of a service, which gives a detailed description, such as Application Management
  • A single process can provide multiple services

Disabling Nonessential Systems (continued)
  • A service can be set to one of the following modes:
    • Automatic
    • Manual
    • Disabled
  • Besides preventing attackers from attaching malicious code to services, disabling nonessential services blocks entries into the system

Disabling Nonessential Systems (continued)
  • The User Datagram Protocol (UDP) provides a connectionless TCP/IP transfer
  • TCP and UDP are based on port numbers
  • Socket: combination of an IP address and a port number
  • The IP address is separated from the port number by a colon, as in 198.146.118.20:80

Hardening Operating Systems
  • Hardening: process of reducing vulnerabilities
  • A hardened system is configured and updated to protect against attacks
  • Three broad categories of items should be hardened:
    • Operating systems
    • Applications that the operating system runs
    • Networks

Applying Updates
  • A service pack (a cumulative set of updates, including fixes for problems that have not been addressed by earlier updates) provides the broadest and most complete update
  • A hotfix does not typically address security issues; instead, it corrects a specific software problem

Applying Updates (continued)
  • A patch or a software update fixes a security flaw or other problem
    • May be released on a regular or irregular basis, depending on the vendor or support team
    • A good patch management system includes the features listed on pages 111 and 112 of the text

Securing the File System
  • Another means of hardening an operating system is to restrict user access
  • Generally, users can be assigned permissions to access folders (also called directories in DOS and UNIX/Linux) and the files contained within them

Securing the File System (continued)
  • Microsoft Windows provides a centralized method of defining security on the Microsoft Management Console (MMC)
    • A Windows utility that accepts additional components (snap-ins)
    • After you apply a security template to organize security settings, you can import the settings to a group of computers (Group Policy object)

Securing the File System (continued)
  • Group Policy settings: components of a user’s desktop environment that a network system administrator needs to manage
  • Group Policy settings cannot override a global setting for all computers (domain-based setting)
  • Windows stores settings for the computer’s hardware and software in a database (the registry)

Hardening Applications
  • Just as you must harden operating systems, you must also harden the applications that run on those systems
  • Hotfixes, service packs, and patches are generally available for most applications, although not usually with the same frequency as for an operating system

Hardening Servers
  • Harden servers to prevent attackers from breaking through the software
  • Web server delivers text, graphics, animation, audio, and video to Internet users around the world
  • Refer to the steps on page 115 to harden a Web server

Steps to harden a web server
  • Use an ACL to limit a Web surfer’s ability (Table 4-5)
  • Update the server regularly
  • Regularly visit attacker Web sites
  • Delete sample files
  • Isolate the Web server from the internal network?
  • Examine the log file regularly
  • Delete unused CGI scripts
  • Encrypt the transmission

Hardening Servers (continued)
  • Mail server is used to send and receive electronic messages
  • In a normal setting, a mail server serves an organization or set of users
  • All e-mail is sent through the mail server from a trusted user or received from an outsider and intended for a trusted user

Hardening Servers (continued)
  • In an open mail relay, a mail server processes e-mail messages not sent by or intended for a local user
  • File Transfer Protocol (FTP) server is used to store and access files through the Internet
    • Typically used to accommodate users who want to download or upload files

Hardening Servers (continued)
  • FTP servers can be set to accept anonymous logons using a window similar to that shown in Figure 4-8
  • A Domain Name Service (DNS) server makes the Internet available to ordinary users
    • DNS servers frequently update each other by transmitting all domains and IP addresses of which they are aware (zone transfer)

Hardening Servers (continued)
  • IP addresses and other information can be used in an attack
  • USENET is a worldwide bulletin board system that can be accessed through the Internet or many online services
  • The Network News Transfer Protocol (NNTP) is the protocol used to send, distribute, and retrieve USENET messages through NNTP servers

Hardening Servers (continued)
  • Print/file servers on a local area network (LAN) allow users to share documents on a central server or to share printers
  • Hardening a print/file server involves the tasks listed on page 119 of the text
    • Allowing only trusted users to access the print/file server
    • Letting users pause or cancel their own print jobs, but not cancel another person’s job
    • Providing users with ACL
    • Providing read access to users for files stored in public folders
    • Providing read and write access to users for group folders

Hardening DHCP Servers
  • A DHCP server allocates IP addresses using the Dynamic Host Configuration Protocol (DHCP)
  • DHCP servers “lease” IP addresses to clients

Hardening Data Repositories
  • Data repository: container that holds electronic information
  • Two major data repositories: directory services and company databases
  • Directory service: database stored on the network that contains all information about users and network devices along with privileges to those resources

Hardening Data Repositories (continued)
  • Active Directory is the directory service for Windows
  • Active Directory is stored in the Security Accounts Manager (SAM) database
  • The primary domain controller (PDC) houses the SAM database
  • SQL injection

Magnetic Media
  • Record information by changing the magnetic direction of particles on a platter
  • Floppy disks were some of the first magnetic media developed
  • The capacity of today’s 3½-inch disks is 1.44 MB
  • Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
  • Magnetic tape drives record information in a serial fashion

Optical Media
  • Optical media use a principle for recording information different from magnetic media
  • A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
  • Capacity of optical discs varies by type
  • A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
  • Data cannot be changed once recorded

Optical Media (continued)
  • A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
  • A Digital Versatile Disc (DVD) can store much larger amounts of data
    • DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Electronic Media
  • Electronic media use flash memory for storage
    • Flash memory is a solid state storage device―everything is electronic, with no moving or mechanical parts
  • SmartMedia cards range in capacity from 2 MB to 128 MB
  • The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Electronic Media (continued)
  • CompactFlash card
    • Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
    • Come in 3.3 mm and 5.5 mm thicknesses and store between 8 MB and 192 MB of data
  • USB memory stick is becoming very popular
    • Can hold between 8 MB and 1 GB of memory

Keeping Removable Media Secure
  • Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Hardening Network Devices
  • Each device that is connected to a network is a potential target of an attack and must be properly protected
  • Network devices to be hardened are categorized as:
    • Standard network devices
    • Communication devices
    • Network security devices

Hardening Standard Network Devices
  • A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
  • This equipment has basic security features that you can use to harden the devices

Workstations and Servers
  • Workstation: personal computer attached to a network (also called a client)
    • Connected to a LAN and shares resources with other workstations and network equipment
    • Can be used independently of the network and can have their own applications installed
  • Server: computer on a network dedicated to managing and controlling the network
  • Basic steps to harden these systems are outlined on page 152

Switches and Routers
  • Switch
    • Most commonly used in Ethernet LANs
    • Receives a packet from one network device and sends it to the destination device only
    • Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
  • A switch is used within a single network
  • Routers connect two or more single networks to form a larger network

Switches and Routers (continued)
  • Switches and routers must also be protected against attacks
  • Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
  • Software agents are loaded onto each network device to be managed

Switches and Routers (continued)
  • Each agent monitors network traffic and stores that information in its management information base (MIB)
  • A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
  • Page 154 lists defensive controls that can be set for switches and routers

Hardening Communication Devices
  • A second category of network devices is those that communicate over longer distances
  • Include:
    • Modems
    • Remote access servers
    • Telecom/PBX Systems
    • Mobile devices

Modems
  • Most common communication device
  • Broadband is increasing in popularity and can provide network connection speeds of 1.5 Mbps and higher
  • Two popular broadband technologies:
    • Digital Subscriber Line (DSL) transmits data at 1.5 Mbps over regular telephone lines
    • Another broadband technology uses the local cable television system

Modems (continued)
  • A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
  • Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
  • Another risk with DSL and cable modem connections is that they are charged at a set monthly rate rather than by the minute of connect time, so the connection is left on all the time and stays continuously exposed to attack

Remote Access Servers
  • Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
  • Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Remote Access Servers (continued)
  • Remote access clients can run almost all network-based applications without modification
    • Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
  • Minimum security features are listed on page 158

Mobile Devices
  • As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
  • Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection

Homework 4

  • Install a packet sniffer (Ethereal)
  • Capture the packets going in and out of your computer
  • Write a report on what you see in the capture
  • Deadline 10/19
  • Mail the report to me: mhyang@cycu.edu.tw

Hardening Networks
  • Two-fold process for keeping a network secure:
    • Secure the network with necessary updates
    • Properly configure it

Firmware Updates
  • RAM is volatile―interrupting the power source causes RAM to lose its entire contents
  • Read-only memory (ROM) is different from RAM in two ways:
    • Contents of ROM are fixed
    • ROM is nonvolatile―disabling the power source does not erase its contents

Firmware Updates (continued)
  • ROM, Erasable Programmable Read-Only Memory (EPROM), and Electrically Erasable Programmable Read-Only Memory (EEPROM) are firmware
  • To erase an EPROM chip, hold the chip under ultraviolet light so the light passes through its crystal window
  • The contents of EEPROM chips can also be erased using electrical signals applied to specific pins

Network Configuration
  • You must properly configure network equipment to resist attacks
  • The primary method of resisting attacks is to filter data packets as they arrive at the perimeter of the network

Network Configuration (continued)
  • Rule base or access control list (ACL): rules a network device uses to permit or deny a packet (not to be confused with ACLs used in securing a file system)
  • Rules are composed of several settings (listed on pages 122 and 123 of the text)
  • Observe the basic guidelines on page 124 of the text when creating rules

Hardening Network Security Devices
  • The final category of network devices includes those designed and used strictly to protect the network
  • Include:
    • Firewalls
    • Intrusion-detection systems
    • Network monitoring and diagnostic devices

Firewalls
  • Typically used to filter packets
  • Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
  • Typically located outside the network security perimeter as first line of defense
  • Can be software or hardware configurations

Firewalls (continued)
  • Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
    • Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
    • One disadvantage is that it is only as strong as the operating system of the computer

Firewalls (continued)
  • Filter packets in one of two ways:
    • Stateless packet filtering: permits or denies each packet based strictly on the rule base
    • Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base
  • Can perform content filtering to block access to undesirable Web sites
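As an added example (not from the textbook or these slides), a small Python model of a rule base and of the two filtering modes above: the stateless filter judges every packet against the rules alone, so the reply to a permitted outbound Web request is denied unless a rule opens the high ports, while the stateful filter records the outbound connection and admits only its reply. Rule fields, class names and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:                # first match wins; implicit deny after the last rule
    action: str            # "permit" or "deny"
    src: str               # address prefix to match, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None matches any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or addr.startswith(pattern)

def stateless_decision(rules: List[Rule], pkt: Packet) -> str:
    """Stateless filtering: permit or deny strictly from the rule base."""
    for r in rules:
        if (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)
                and r.proto in ("any", pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "deny"

class StatefulFilter:
    """Stateful filtering: replies to recorded outbound connections are let in."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def decision(self, pkt: Packet, outbound: bool) -> str:
        if outbound:
            verdict = stateless_decision(self.rules, pkt)
            if verdict == "permit":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "permit"        # reply to a connection we recorded earlier
        return stateless_decision(self.rules, pkt)

# Constructed rule base: inside hosts (192.168.x.x) may open Web connections.
RULES = [Rule("permit", "192.168.", "any", "tcp", 80),
         Rule("deny", "any", "any", "any", None)]
```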

Firewalls (continued)
  • An application layer firewall can defend against worms better than other kinds of firewalls
    • Reassembles and analyzes packet streams instead of examining individual packets

Intrusion-Detection Systems (IDSs)
  • Devices that establish and maintain network security
  • Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
    • Installed on the server or, in some instances, on all computers on the network
  • Passive IDS sends information about what happened, but does not take action

Intrusion-Detection Systems (IDSs) (continued)
  • Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity
  • Network-based IDS monitors all network traffic instead of only the activity on a computer
    • Typically located just behind the firewall
  • Other IDSs are behavior based:
    • Watch network activity and report abnormal behavior
    • Can result in many false alarms
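As an added example (not from the textbook), a minimal file-integrity check of the kind a host-based IDS runs over critical operating system files: a hash baseline is taken while the system is known good and re-checked later, and the result is reported rather than acted on, as a passive IDS would. The monitored files are constructed stand-ins written to a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(root: Path, names: List[str]) -> Dict[str, str]:
    """Record the hash of each monitored file while the system is known good."""
    return {n: hash_file(root / n) for n in names if (root / n).is_file()}

def check_integrity(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the monitored files; the report is what a passive HIDS would send."""
    report: Dict[str, List[str]] = {"modified": [], "missing": []}
    for name, expected in baseline.items():
        path = root / name
        if not path.is_file():
            report["missing"].append(name)
        elif hash_file(path) != expected:
            report["modified"].append(name)
    return report

def demo() -> Dict[str, List[str]]:
    """Constructed stand-ins for critical OS files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = take_baseline(root, ["passwd", "hosts"])
        # Simulated unauthorized changes made after the baseline was taken
        with open(root / "passwd", "a") as f:
            f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
        (root / "hosts").unlink()
        return check_integrity(root, baseline)
```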

Network Monitoring and Diagnostic Devices
  • SNMP enables network administrators to:
    • Monitor network performance
    • Find and solve network problems
    • Plan for network growth
  • Managed device:
    • Network device that contains an SNMP agent
    • Collects and stores management information and makes it available to SNMP

Designing Network Topologies
  • Topology: physical layout of the network devices, how they are interconnected, and how they communicate
  • Essential to establishing its security
  • Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Security Zones
  • One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
    • Demilitarized Zones (DMZs)
    • Intranets
    • Extranets

Demilitarized Zones (DMZs)
  • Separate networks that sit outside the secure network perimeter
  • Outside users can access the DMZ, but cannot enter the secure network
  • For extra security, some networks use a DMZ with two firewalls
  • The types of servers that should be located in the DMZ include:
    • Web servers
    • E-mail servers
    • Remote access servers
    • FTP servers

Intranets
  • Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
  • A disadvantage is that trusted users working remotely cannot access the information

Extranets
  • Sometimes called a cross between the Internet and an intranet
  • Accessible to trusted external users, not only to trusted internal users
  • Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)
  • “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
  • Hides the IP addresses of network devices from attackers
  • Computers are assigned special IP addresses (known as private addresses)

Network Address Translation (NAT) (continued)
  • These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
  • Port address translation (PAT) is a variation of NAT
  • Each packet is given the same IP address, but a different TCP port number
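As an added example (not part of the original slides), a Python model of PAT: two inside hosts that happen to use the same source port are mapped to different ports on the single public address, and an inbound packet is forwarded only when it matches a translation that an inside host created, which is why outsiders cannot reach the private addresses directly. The class, addresses and port numbers are constructed for the example.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, TCP port)

class PortAddressTranslator:
    """Many private hosts share one public address; each outbound connection
    is rewritten to (public_ip, fresh port) and only traffic that matches a
    recorded translation is forwarded back in."""
    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside endpoint, outside endpoint) -> public port handed out
        self.outbound: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (public port, outside endpoint) -> inside endpoint
        self.inbound: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite the private source to the shared public address and a unique port."""
        key = (src, dst)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, self.outbound[key]), dst

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Return the rewritten (src, dst) for a reply, or None when it must be dropped."""
        if dst[0] != self.public_ip:
            return None          # private addresses are never reachable from outside
        inside = self.inbound.get((dst[1], src))
        if inside is None:
            return None          # no matching translation: unsolicited, dropped
        return src, inside
```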

Honeypots
  • Computers located in a DMZ loaded with software and data files that appear to be authentic
  • Intended to trap or trick attackers
  • Two-fold purpose:
    • To direct attacker’s attention away from real servers on the network
    • To examine techniques used by attackers

Virtual LANs (VLANs)
  • Segment a network with switches to divide the network into a hierarchy
  • Core switches reside at the top of the hierarchy and carry traffic between switches
  • Workgroup switches are connected directly to the devices on the network
  • Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Virtual LANs (VLANs) (continued)
  • Segment a network by grouping similar users together
  • Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Summary
  • Creating and maintaining a secure environment cannot be delegated to one or two employees in an organization
  • Major tasks of securing information can be accomplished using a bottom-up approach, where security effort originates with low-level employees and moves up the organization chart to the CEO
  • In a top-down approach, the effort starts at the highest levels of the organization and works its way down

Summary (continued)
  • Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity
  • Basic pillars of security:
    • Authentication: verifying that a person requesting access to a system is who he claims to be
    • Access control: regulating what a subject can do with an object
    • Auditing: review of the security settings

Summary (continued)
  • Establishing a security baseline creates a basis for information security
  • Hardening the operating system involves applying the necessary updates to the software
  • Securing the file system is another step in hardening a system

Summary (continued)
  • Applications and operating systems must be hardened by installing the latest patches and updates
  • Servers, such as Web servers, mail servers, FTP servers, DNS servers, NNTP servers, print/file servers, and DHCP servers, must be hardened to prevent attackers from corrupting them or using the server to launch other attacks

Summary (continued)
  • Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
  • Removable media used to store information include:
    • Magnetic storage (removable disks, hard drives)
    • Optical storage (CD and DVD)
    • Electronic storage (USB memory sticks, FlashCards)

Summary (continued)
  • Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
  • A network’s topology plays a critical role in resisting attackers
  • Hiding the IP address of a network device can help disguise it so that an attacker cannot find it

Homework 5
  • Download and install ZoneAlarm on your computer
  • Is there any security problem in a personal firewall like ZoneAlarm?
  • Write a report to show how it protects your computer and the problems you found
  • Due date 10/26
