Guide to Networking Essentials Fifth Edition - PowerPoint PPT Presentation

1 / 51
About This Presentation
Title:

Guide to Networking Essentials Fifth Edition

Description:

Virus protection for servers and desktop computers is a must ... One of the most popular VPN solutions for Linux is a free downloadable package called OpenSwan ... – PowerPoint PPT presentation

Number of Views:70
Avg rating:3.0/5.0
Slides: 52
Provided by: shsu
Category:

less

Transcript and Presenter's Notes

Title: Guide to Networking Essentials Fifth Edition


1
Guide to Networking EssentialsFifth Edition
  • Chapter 10
  • Introduction to Network Security

2
Objectives
  • Develop a network security policy
  • Secure physical access to network equipment
  • Secure network data
  • Use tools to find network security weaknesses

3
Network Security Overview and Policies
  • Perceptions of network security vary depending
    on
  • People
  • Industry
  • Network security should be as unobtrusive as
    possible, allowing network users to concentrate
    on the tasks they want to accomplish, rather than
    how to get to the data they need to perform those
    tasks
  • A company that can demonstrate its information
    systems are secure is more likely to attract
    customers, partners, and investors

4
Developing a Network Security Policy
  • A network security policy describes the rules
    governing access to a companys information
    resources, the enforcement of those rules, and
    the steps taken if rules are breached
  • Should also describe the permissible use of those
    resources after theyre accessed
  • Should be easy for ordinary users to understand
    and reasonably easy to comply with
  • Should be enforceable
  • Should clearly state the objective of each policy
    so that everyone understands its purpose

5
Determining Elements of a Network Security Policy
  • Elements (minimum for most networks)
  • Privacy policy
  • Acceptable use policy
  • Authentication policy
  • Internet use policy
  • Access policy
  • Auditing policy
  • Data protection
  • Security policy should protect organization
    legally
  • Security policy should be continual work in
    progress

6
Understanding Levels of Security
  • Security doesnt come without a cost
  • Before deciding on a level of security, answer
  • What must be protected?
  • From whom should data be protected?
  • What costs are associated with security being
    breached and data being lost or stolen?
  • How likely is it that a threat will actually
    occur?
  • Are the costs to implement security and train
    users to use a secure network outweighed by the
    need to provide an efficient, user-friendly
    environment?
  • Levels highly restrictive, moderately
    restrictive, open

7
Highly Restrictive Security Policies
  • Include features such as
  • Data encryption, complex password requirements,
    detailed auditing and monitoring of computer and
    network access, intricate authentication methods,
    and policies that govern use of the
    Internet/e-mail
  • Might require third-party hardware and software
  • High implementation expense
  • High design and configuration costs for SW and HW
  • Staffing to support the security policies
  • Lost productivity (high learning curve for users)
  • Used when cost of a security breach is high

8
Moderately Restrictive Security Policies
  • Most organizations can opt for this type of
    policy
  • Requires passwords, but not overly complex ones
  • Auditing detects unauthorized logon attempts,
    network resource misuse, and attacker activity
  • Most NOSs contain authentication, monitoring, and
    auditing features to implement the required
    policies
  • Infrastructure can be secured with moderately
    priced off-the-shelf HW and SW (firewalls, ACLs)
  • Costs are primarily in initial configuration and
    support

9
Open Security Policies
  • Policy might have simple or no passwords,
    unrestricted access to resources, and probably no
    monitoring and auditing
  • Makes sense for a small company with the primary
    goal of making access to network resources easy
  • Internet access should probably not be possible
    via the company LAN
  • If Internet access is available company-wide, a
    more restrictive policy is probably warranted
  • Sensitive data, if it exists, might be kept on
    individual workstations that are backed up
    regularly and are physically inaccessible to
    other employees

10
Common Elements of Security Policies
  • Virus protection for servers and desktop
    computers is a must
  • There should be policies aimed at preventing
    viruses from being downloaded or spread
  • Backup procedures for all data that cant be
    easily reproduced should be in place, and a
    disaster recovery procedure must be devised
  • Security is aimed not only at preventing improper
    use of or access to network resources, but also
    at safeguarding the companys information

11
Securing Physical Access to the Network
  • If theres physical access to equipment, there is
    no security
  • A computer left alone with a user logged on is
    particularly vulnerable
  • If an administrator account is logged on, a
    person can even give his/her account
    administrator control
  • If no user is logged on
  • People could log on to the computer with their
    own accounts and access files to which they
    wouldnt normally have access
  • Computer could be restarted and booted from
    removable media, bypassing the normal OS security
  • Computer or HDs could be stolen and later cracked

12
Physical Security Best Practices
  • When planning your network, ensure that rooms are
    available to house servers and equipment
  • Rooms should have locks and be suitable for the
    equipment being housed
  • If a suitable room isnt available, locking
    cabinets, freestanding or wall mounted, can be
    purchased to house servers and equipment in
    public areas
  • Wiring from workstations to wiring cabinets
    should be inaccessible to eavesdropping equipment
  • Physical security plan should include procedures
    for recovery from natural disasters (e.g., fire
    or flood)

13
Physical Security of Servers
  • May be stashed away in lockable wiring closet
    along with switch to which the server is
    connected
  • Often require more tightly controlled
    environmental conditions than patch panels, hubs,
    and switches
  • Server rooms should be equipped with power thats
    preferably on a circuit separate from other
    devices
  • If you must put servers accessible to people who
    should not have physical access to them, use
    locking cabinets
  • You can purchase rack-mountable servers

14
Security of Internetworking Devices
  • Routers and switches contain critical
    configuration information and perform essential
    network tasks
  • Internetworking devices, such as hubs, switches,
    and routers, should be given as much attention in
    terms of physical security as servers
  • A room with a lock is the best place for these
    devices
  • Wall-mounted enclosure with a lock is second best
  • Some cabinets come with a built-in fan or have a
    mounting hole for a fan
  • They also come with convenient channels for wiring

15
Securing Access to Data
  • Facets
  • Authentication and authorization
  • Encryption/decryption
  • Virtual Private Networks (VPNs)
  • Firewalls
  • Virus and worm protection
  • Spyware protection
  • Wireless security

16
Implementing Secure Authentication and
Authorization
  • Administrators must control who has access to the
    network (authentication) and what logged on users
    can do to the network (authorization)
  • NOSs have tools to specify options and
    restrictions on how/when users can log on to
    network
  • Password complexity requirements
  • Logon hours
  • Logon locations
  • Remote logons, among others
  • File system access controls and user permission
    settings determine what a user can access on a
    network and what actions a user can perform

17
Configuring Password Requirements in a Windows
Environment
  • Specify if passwords are required for all users,
    how many characters a password must be, and
    whether they should meet certain complexity
    requirements
  • XP allows passwords up to 128 characters
  • Minimum of five to eight characters is typical
  • If minimum length is 0, blank passwords are
    allowed
  • Other options include Maximum/Minimum password
    age, and Enforce password history
  • When a user fails to enter a correct password, a
    policy can be set to lock the user account

18
Configuring Password Requirements in a Windows
Environment (continued)
19
Configuring Password Requirements in a Linux
Environment
  • Linux password configuration can be done globally
    or on a user-by-user basis
  • Options in a standard Linux Fedora Core 4 include
    maximum/minimum password age, and number of days
    warning a user has before password expires
  • Linux system must be using shadow passwords, a
    secure method of storing user passwords
  • Options can be set by editing /etc/login.defs
  • Use Pluggable Authentication Modules (PAM) to set
    other options like account lockout, password
    history, and complexity tests

20
Reviewing Password Dos and Donts
  • Use a combination of uppercase letters, lowercase
    letters, and numbers
  • Include one or more special characters
  • Try using a phrase, e.g., NetW_at_rk1ng !s C00l
  • Dont use passwords based on your logon name,
    family members names, or even your pets name
  • Dont use common dictionary words unless they are
    part of a phrase
  • Dont make your password so complex that you
    forget it or need to write it down somewhere

21
Restricting Logon Hours and Logon Location
22
Restricting Logon Hours and Logon Location
(continued)
23
Authorizing Access to Files and Folders
  • Windows OSs have two options for file security
  • Sharing permissions are applied to folders (and
    only folders) shared over the network
  • Dont apply to files/folders if user is logged on
    locally
  • These are the only file security options
    available in a FAT or FAT32 file system
  • NTFS permissions allow administrators to assign
    permissions to files as well as folders
  • Apply to file access by a locally logged-on user
    too
  • Enable administrators to assign permissions to
    user accounts and group accounts
  • Six standard permissions are available for folders

24
Authorizing Access to Files and Folders
(continued)
25
Authorizing Access to Files and Folders
(continued)
26
Securing Data with Encryption
  • Use encryption to safeguard data as it travels
    across the Internet and within the company
    network
  • Prevents somebody using eavesdropping technology,
    such as a packet sniffer, from capturing packets
    and using the data for malicious purposes
  • Data on disks can be secured with encryption

27
Using IPSec to Secure Network Data
  • The most popular method for encrypting data as it
    travels network media is to use an extension to
    the IP protocol called IP Security (IPSec)
  • Establishes an association between two
    communicating devices
  • Association is formed by two devices
    authenticating their identities via a preshared
    key, Kerberos authentication, or digital
    certificates
  • After the communicating parties are
    authenticated, encrypted communication can
    commence

28
Using IPSec to Secure Network Data (continued)
29
Using IPSec to Secure Network Data (continued)
30
Securing Data on Disk Drives
31
Securing Communication with Virtual Private
Networks
32
VPNs in a Windows Environment
  • Windows supports a special TCP/IP protocol called
    Point-to-Point Tunneling Protocol (PPTP)
  • A user running Windows can dial up a Windows
    server when its running RRAS
  • A VPN could be established permanently across the
    Internet by leasing dedicated lines at each end
    of a two-way link and maintaining ongoing
    PPTP-based communications across that dedicated
    link
  • Starting with Windows 2000, Windows supports
    Layer 2 Tunneling Protocol (L2TP)
  • Supports advanced authentication and encryption
  • Requires Windows machines on both sides

33
VPNs in Other OS Environments
  • Linux implementations of VPNs typically use PPTP
    or IPSec an L2TP implementation is now available
  • One of the most popular VPN solutions for Linux
    is a free downloadable package called OpenSwan
  • Novell NetWare provides VPN server connections to
    corporate networks for VPN clients
  • Mac OS 9 and later supports VPN client
    connections to Windows (using PPTP or IPSec)
  • One method of providing VPN services to connect
    remote sites is to use routers with VPN
    capability to form a router-to-router VPN
    connection

34
VPN Benefits
  • Advantages of using VPNs
  • Installing several modems on an RRAS server so
    that users can dial up the server directly isnt
    necessary instead, users can dial up any ISP
  • Remote users can usually access an RRAS server by
    making only a local phone call, as long as they
    can access a local ISP
  • When broadband Internet connectivity is available
    (e.g., DSL, cable modem), remote users can
    connect to the corporate network at high speed,
    making remote computing sessions more productive
  • Additionally, VPNs save costs

35
Protecting Networks with Firewalls
  • Firewall HW device or SW program that inspects
    packets going into or out of a network or
    computer, and then discards/forwards them based
    on rules
  • Protects against outside attempts to access
    unauthorized resources, and against malicious
    network packets intended to disable or cripple a
    corporate network and its resources
  • If placed between Internet and corporate network,
    can restrict users access to Internet resources
  • Firewalls can attempt to determine the context of
    a packet (stateful packet inspection (SPI))

36
Using a Router as a Firewall
  • A firewall is just a router with specialized SW
    that facilitates creating rules to permit or deny
    packets
  • Many routers have capabilities similar to
    firewalls
  • After a router is configured, by default, all
    packets are permitted both into and out of the
    network
  • Network administrator must create rules (access
    control lists) that deny certain types of packets
  • Typically, an administrator builds access control
    lists so that all packets are denied, and then
    creates rules that make exceptions

37
Using Intrusion Detection Systems
  • An IDS usually works with a firewall or router
    with access control lists
  • A firewall protects a network from potential
    break-ins or DoS attacks, but an IDS must detect
    an attempted security breach and notify the
    network administrator
  • May be able to take countermeasures if an attack
    is in progress
  • Invaluable tool to help administrators know how
    often their network is under attack and devise
    security policies aimed at thwarting threats
    before they have a chance to succeed

38
Using Network Address Translation to Improve
Security
  • A benefit of NAT is that the real address of an
    internal network resource is hidden and
    inaccessible to the outside world
  • Because most networks use NAT with private IP
    addresses, those devices configured with private
    addresses cant be accessed directly from outside
    the network
  • An external device cant initiate a network
    conversation with an internal device, thus
    limiting an attackers options to cause mischief

39
Protecting a Network from Worms, Viruses, and
Rootkits
  • Malware is SW designed to cause harm/disruption
    to a computer system or perform activities on a
    computer without the consent of its owner
  • A virus spreads by replicating itself into other
    programs or documents
  • A worm is similar to a virus, but it doesnt
    attach itself to another program
  • A backdoor is a program installed on a computer
    that permits access to the computer, bypassing
    the normal authentication process
  • To help prevent spread of malware, every computer
    should have virus-scanning software running

40
Protecting a Network from Worms, Viruses, and
Rootkits (continued)
  • A Trojan program appears to be something useful,
    but in reality contains some type of malware
  • Rootkits are a form of Trojan programs that can
    monitor traffic to and from a computer, monitor
    keystrokes, and capture passwords
  • The hoax virus is one of the worst kinds of
    viruses
  • The flood of e-mail from people actually falling
    for the hoax is the virus!
  • Malware protection can be expensive however, the
    loss of data and productivity that can occur when
    a network becomes infected is much more costly

41
Protecting a Network from Spyware and Spam
  • Spyware monitors/controls part of a computer at
    the expense of users privacy and to the gain of
    a third party
  • Is not usually self-replicating
  • Many anti-spyware programs are available, and
    some are bundled with popular antivirus programs
  • Spam is simply unsolicited e-mail
  • Theft of e-mail storage space, network bandwidth,
    and peoples time
  • Detection and prevention is an uphill battle
  • For every rule or filter anti-spam software
    places on an e-mail account, spammers find a way
    around them

42
Implementing Wireless Security
  • Attackers who drive around looking for wireless
    LANs to intercept are called wardrivers
  • Wireless security methods
  • SSID (not easy to guess and not broadcast)
  • Wired Equivalency Protocol (WEP)
  • Wi-Fi Protected Access (WPA)
  • 802.11i
  • MAC address filtering
  • You should also set policies limit AP signal
    access, change encryption key regularly, etc.

43
Using a Crackers Tools to Stop Network Attacks
  • If you want to design a good, solid network
    infrastructure, hire a security consultant who
    knows the tools of the crackers trade
  • A cracker (black hat) is someone who attempts to
    compromise a network or computer system for the
    purposes of personal gain or to cause harm
  • The term hacker has had a number of meanings
    throughout the years
  • White hats often use the term penetration tester
    for their consulting services

44
Discovering Network Resources
  • Attackers use command-line utilities such as
    Ping, Traceroute, Finger, and Nslookup to get
    information about the network configuration and
    resources
  • Other tools used
  • Ping scanner automated method for pinging a
    range of IP addresses
  • Port scanner determines which TCP and UDP ports
    are available on a particular computer or device
  • Protocol analyzers are also useful for resource
    discovery because they allow you to capture
    packets and determine which protocols services
    are running

45
Discovering Network Resources (continued)
46
Discovering Network Resources (continued)
47
Discovering Network Resources (continued)
48
Gaining Access to Network Resources
  • One of the easiest resources to open is one in
    which no password is set
  • Check all devices that support Telnet, FTP,
    e-mail, and Web services
  • Verify that passwords are set on all devices and
    disable any unnecessary services
  • If an attackers needs to learn user
    name/password
  • Finger may be used to discover user names
  • Linux, NetWare, and Windows servers have default
    administrator names that are often left unchanged
  • Attacker may then use a password-cracking tool

49
Disabling Network Resources
  • A denial-of-service (DoS) attack is an attackers
    attempt to tie up network bandwidth or network
    services so that it renders those resources
    useless to legitimate users
  • Packet storms typically use the UDP protocol
    because its not connection oriented
  • Half-open SYN attacks use TCPs handshake to tie
    up a server with invalid TCP sessions, thereby
    preventing real sessions from being created
  • In a ping flood, a program sends a large number
    of ping packets to a host

50
Summary
  • A network security policy describes rules
    governing access to a companys information
    resources
  • Should contain these types of policies privacy
    policy, acceptable use policy, authentication
    policy, Internet use policy, auditing policy, and
    data protection policy
  • Must secure physical access to network resources
  • Securing access to data includes authentication
    and authorization, encryption/decryption, VPNs,
    firewalls, virus/worm/spyware protection, and
    wireless security
  • VPNs are an important aspect of network security
  • Secure remote access to private network (via
    Internet)

51
Summary (continued)
  • Firewalls filter packets and permit or deny
    packets based on a set of defined rules
  • Malware can be viruses, worms, Trojans, and
    rootkits
  • Wireless security involves attention to
    configuring SSID correctly and configuring/using
    wireless security protocols, such as WEP, WPA, or
    802.11i
  • Tools that crackers use to compromise a network
    can be used to determine whether a network is
    secure
  • DoS attacks are used to disrupt network operation
Write a Comment
User Comments (0)
About PowerShow.com