Chapter 5: Securing the Network Infrastructure - PowerPoint PPT Presentation

1
Chapter 5 Securing the Network Infrastructure
  • Security Guide to Network Security Fundamentals
  • Second Edition

2
Objectives
  • Work with the network cable plant
  • Secure removable media
  • Harden network devices
  • Design network topologies

3
Working with the Network Cable Plant
  • Cable plant: the physical infrastructure of a network
    (wire, connectors, and cables) used to carry data
    communication signals between equipment
  • Three types of transmission media
    • Coaxial cables
    • Twisted-pair cables
    • Fiber-optic cables

4
Coaxial Cables
  • Coaxial cable was main type of copper cabling
    used in computer networks for many years
  • Has a single copper wire at its center surrounded
    by insulation and shielding
  • Called coaxial because it houses two (co) axes
    or shafts: the copper wire and the shielding
  • Thick coaxial cable has a copper wire in center
    surrounded by a thick layer of insulation that is
    covered with braided metal shielding

5
Coaxial Cables (continued)
  • Thin coaxial cable looks similar to the cable
    that carries a cable TV signal
  • A braided copper mesh channel surrounds the
    insulation and everything is covered by an outer
    shield of insulation for the cable itself
  • The copper mesh channel protects the core from
    interference
  • BNC connectors: connectors used on the ends of a
    thin coaxial cable

6
Coaxial Cables (continued)
7
Twisted-Pair Cables
  • Standard for copper cabling used in computer
    networks today, replacing thin coaxial cable
  • Composed of two insulated copper wires twisted
    around each other and bundled together with other
    pairs in a jacket

8
Twisted-Pair Cables (continued)
  • Shielded twisted-pair (STP) cables have a foil
    shielding on the inside of the jacket to reduce
    interference
  • Unshielded twisted-pair (UTP) cables do not have
    any shielding
  • Twisted-pair cables have RJ-45 connectors

9
Fiber-Optic Cables
  • Coaxial and twisted-pair cables have copper wire
    at the center that conducts an electrical signal
  • Fiber-optic cable uses a very thin cylinder of
    glass (core) at its center instead of copper that
    transmits light impulses
  • A glass tube (cladding) surrounds the core
  • The core and cladding are protected by a jacket

10
Fiber-Optic Cables (continued)
  • Classified by the diameter of the core and the
    diameter of the cladding
  • Diameters are measured in microns, each is about
    1/25,000 of an inch or one-millionth of a meter
  • Two types
    • Single-mode fiber cables are used when data must be
      transmitted over long distances
    • Multimode cable supports many simultaneous light
      transmissions, generated by light-emitting diodes

11
Securing the Cable Plant
  • Securing cabling outside the protected network is
    not the primary security issue for most
    organizations
  • Focus is on protecting access to the cable plant
    in the internal network
  • An attacker who can access the internal network
    directly through the cable plant has effectively
    bypassed the network security perimeter and can
    launch his attacks at will

12
Securing the Cable Plant (continued)
  • The attacker can capture packets as they travel
    through the network by sniffing
  • The hardware or software that performs such
    functions is called a sniffer
  • Physical security
    • First line of defense
    • Protects the equipment and infrastructure itself
    • Has one primary goal: to prevent unauthorized
      users from reaching the equipment or cable plant
      in order to use, steal, or vandalize it

13
Securing Removable Media
  • Securing critical information stored on a file
    server can be achieved through strong passwords,
    network security devices, antivirus software, and
    door locks
  • An employee copying data to a floppy disk or CD
    and carrying it home poses two risks
    • Storage media could be lost or stolen,
      compromising the information
    • A worm or virus could be introduced to the media,
      potentially damaging the stored information and
      infecting the network

14
Magnetic Media
  • Record information by changing the magnetic
    direction of particles on a platter
  • Floppy disks were some of the first magnetic
    media developed
  • The capacity of today's 3 1/2-inch disks is 1.4
    MB
  • Hard drives contain several platters stacked in a
    closed unit, each platter having its own head or
    apparatus to read and write information
  • Magnetic tape drives record information in a
    serial fashion

15
Optical Media
  • Optical media use a principle for recording
    information different from magnetic media
  • A high-intensity laser burns a tiny pit into the
    surface of an optical disc to record a one, but
    does nothing to record a zero
  • Capacity of optical discs varies by type
  • A Compact Disc-Recordable (CD-R) disc can record
    up to 650 MB of data
  • Data cannot be changed once recorded

16
Optical Media (continued)
  • A Compact Disc-Rewriteable (CD-RW) disc can be
    used to record data, erase it, and record again
  • A Digital Versatile Disc (DVD) can store much
    larger amounts of data
  • DVD formats include Digital Versatile
    Disc-Recordable (DVD-R), which can record once up
    to 3.95 GB on a single-sided disc and 7.9 GB on a
    double-sided disc

17
Electronic Media
  • Electronic media use flash memory for storage
  • Flash memory is a solid state storage
    device: everything is electronic, with no moving
    or mechanical parts
  • SmartMedia cards range in capacity from 2 MB to
    128 MB
  • The card itself is only 45 mm long, 37 mm wide,
    and less than 1 mm thick

18
Electronic Media (continued)
  • CompactFlash card
    • Consists of a small circuit board with flash
      memory chips and a dedicated controller chip
      encased in a shell
    • Comes in 3.3 mm and 5.5 mm thicknesses and stores
      between 8 MB and 192 MB of data
  • USB memory stick is becoming very popular
    • Can hold between 8 MB and 1 GB of data

19
Keeping Removable Media Secure
  • Protecting removable media involves making sure
    that antivirus and other security software are
    installed on all systems that may receive a
    removable media device, including employee home
    computers

20
Hardening Network Devices
  • Each device that is connected to a network is a
    potential target of an attack and must be
    properly protected
  • Network devices to be hardened are categorized as
    • Standard network devices
    • Communication devices
    • Network security devices

21
Hardening Standard Network Devices
  • A standard network device is a typical piece of
    equipment that is found on almost every network,
    such as a workstation, server, switch, or router
  • This equipment has basic security features that
    you can use to harden the devices

22
Workstations and Servers
  • Workstation: personal computer attached to a
    network (also called a client)
    • Connected to a LAN and shares resources with
      other workstations and network equipment
    • Can be used independently of the network and can
      have its own applications installed
  • Server: computer on a network dedicated to
    managing and controlling the network
  • Basic steps to harden these systems are outlined
    on page 152

23
Switches and Routers
  • Switch
    • Most commonly used in Ethernet LANs
    • Receives a packet from one network device and
      sends it to the destination device only
    • Limits the collision domain (part of network on
      which multiple devices may attempt to send
      packets simultaneously)
    • A switch is used within a single network
  • Routers connect two or more single networks to
    form a larger network

24
Switches and Routers (continued)
  • Switches and routers must also be protected
    against attacks
  • Switches and routers can be managed using the
    Simple Network Management Protocol (SNMP), part
    of the TCP/IP protocol suite
  • Software agents are loaded onto each network
    device to be managed

25
Switches and Routers (continued)
  • Each agent monitors network traffic and stores
    that information in its management information
    base (MIB)
  • A computer with SNMP management software (SNMP
    management station) communicates with software
    agents on each network device and collects the
    data stored in the MIBs
  • Page 154 lists defensive controls that can be set
    for switches and routers

26
Hardening Communication Devices
  • A second category of network devices are those
    that communicate over longer distances
  • Include
    • Modems
    • Remote access servers
    • Telecom/PBX systems
    • Mobile devices

27
Modems
  • Most common communication device
  • Broadband is increasing in popularity and can
    create network connection speeds of 1.5 Mbps and
    higher
  • Two popular broadband technologies
    • Digital Subscriber Line (DSL) transmits data at
      1.5 Mbps over regular telephone lines
    • Another broadband technology uses the local cable
      television system

28
Modems (continued)
  • A computer connects to a cable modem, which is
    connected to the coaxial cable that brings cable
    TV signals to the home
  • Because cable connectivity is shared in a
    neighborhood, other users can use a sniffer to
    view traffic
  • Another risk with DSL and cable modem connections
    is that broadband connections are charged at a
    set monthly rate, not by the minute of connect
    time

29
Remote Access Servers
  • Set of technologies that allows a remote user to
    connect to a network through the Internet or a
    wide area network (WAN)
  • Users run remote access client software and
    initiate a connection to a Remote Access Server
    (RAS), which authenticates users and passes
    service requests to the network

30
Remote Access Servers (continued)
31
Remote Access Servers (continued)
  • Remote access clients can run almost all
    network-based applications without modification
  • Possible because remote access technology
    supports both drive letters and universal naming
    convention (UNC) names
  • Minimum security features are listed on page 158

32
Telecom/PBX Systems
  • Term used to describe a Private Branch eXchange
  • The definition of a PBX comes from the words that
    make up its name
    • Private
    • Branch
    • eXchange

33
Mobile Devices
  • As cellular phones and personal digital
    assistants (PDAs) have become increasingly
    popular, they have become the target of attackers
  • Some defenses against attacks on these devices
    use real-time data encryption and passwords to
    protect the system so that an intruder cannot
    beam a virus through a wireless connection

34
Hardening Network Security Devices
  • The final category of network devices includes
    those designed and used strictly to protect the
    network
  • Include
    • Firewalls
    • Intrusion-detection systems
    • Network monitoring and diagnostic devices

35
Firewalls
  • Typically used to filter packets
  • Designed to prevent malicious packets from
    entering the network or its computers (sometimes
    called a packet filter)
  • Typically located outside the network security
    perimeter as first line of defense
  • Can be software or hardware configurations

36
Firewalls (continued)
  • Software firewall runs as a program on a local
    computer (sometimes known as a personal firewall)
  • Enterprise firewalls are software firewalls
    designed to run on a dedicated device and protect
    a network instead of only one computer
  • One disadvantage is that it is only as strong as
    the operating system of the computer

37
Firewalls (continued)
  • Filter packets in one of two ways
    • Stateless packet filtering permits or denies
      each packet based strictly on the rule base
    • Stateful packet filtering records the state of a
      connection between an internal computer and an
      external server and makes decisions based on the
      connection and the rule base
  • Can perform content filtering to block access to
    undesirable Web sites
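As an added example (not code from the slides or the textbook), a minimal Python model of the two filtering modes above: the stateless filter judges every packet against the rule base alone, while the stateful filter remembers permitted outbound connections and admits only their replies. The rule base, network prefix, addresses and packets are constructed for illustration.

```python
# Added illustration of stateless vs. stateful packet filtering.
# The rule base and all addresses below are constructed, not from the slides.
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."  # constructed prefix of the protected internal network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Rule base: (direction, destination port, action).
# Only outbound web traffic is explicitly permitted; everything else is denied.
RULES = [
    ("out", 80, "permit"),
    ("out", 443, "permit"),
]

def is_outbound(p):
    """A packet leaving the internal network for an external host."""
    return p.src_ip.startswith(INTERNAL_NET) and not p.dst_ip.startswith(INTERNAL_NET)

def stateless_filter(p):
    """Decide each packet strictly on the rule base; nothing is remembered,
    so a server's reply is denied unless a broad inbound rule exists."""
    direction = "out" if is_outbound(p) else "in"
    for rule_dir, port, action in RULES:
        if rule_dir == direction and p.dst_port == port:
            return action
    return "deny"  # implicit default deny

class StatefulFilter:
    """Records the state of permitted outbound connections and admits
    inbound packets only when they belong to one of them."""
    def __init__(self):
        self.connections = set()  # (int_ip, int_port, ext_ip, ext_port)

    def decide(self, p):
        if is_outbound(p):
            action = stateless_filter(p)  # rule base still governs new flows
            if action == "permit":
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return action
        # Inbound: permit only a reply to a tracked connection
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "permit"
        return "deny"  # unsolicited inbound traffic is dropped
```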

38
Firewalls (continued)
  • An application layer firewall can defend against
    worms better than other kinds of firewalls
  • Reassembles and analyzes packet streams instead
    of examining individual packets

39
Intrusion-Detection Systems (IDSs)
  • Devices that establish and maintain network
    security
  • Active IDS (or reactive IDS) performs a specific
    function when it senses an attack, such as
    dropping packets or tracing the attack back to a
    source
  • Installed on the server or, in some instances, on
    all computers on the network
  • Passive IDS sends information about what
    happened, but does not take action

40
Intrusion-Detection Systems (IDSs) (continued)
  • Host-based IDS monitors critical operating system
    files and the computer's processor activity and
    memory, and scans event logs for signs of
    suspicious activity
  • Network-based IDS monitors all network traffic
    instead of only the activity on a computer
    • Typically located just behind the firewall
  • Other IDS systems are based on behavior
    • Watch network activity and report abnormal
      behavior
    • Result in many false alarms

41
Network Monitoring and Diagnostic Devices
  • SNMP enables network administrators to
    • Monitor network performance
    • Find and solve network problems
    • Plan for network growth
  • Managed device
    • Network device that contains an SNMP agent
    • Collects and stores management information and
      makes it available to SNMP

42
Designing Network Topologies
  • Topology: the physical layout of the network devices,
    how they are interconnected, and how they
    communicate
  • Essential to establishing the network's security
  • Although network topologies can be modified for
    security reasons, the network still must reflect
    the needs of the organization and users

43
Security Zones
  • One of the keys to mapping the topology of a
    network is to separate secure users from
    outsiders through
    • Demilitarized Zones (DMZs)
    • Intranets
    • Extranets

44
Demilitarized Zones (DMZs)
  • Separate networks that sit outside the secure
    network perimeter
  • Outside users can access the DMZ, but cannot
    enter the secure network
  • For extra security, some networks use a DMZ with
    two firewalls
  • The types of servers that should be located in
    the DMZ include
    • Web servers
    • E-mail servers
    • Remote access servers
    • FTP servers

45
Demilitarized Zones (DMZs) (continued)
46
Intranets
  • Networks that use the same protocols as the
    public Internet, but are only accessible to
    trusted inside users
  • Disadvantage is that it does not allow remote
    trusted users access to information

47
Extranets
  • Sometimes called a cross between the Internet and
    an intranet
  • Accessible to users that are not trusted internal
    users, but trusted external users
  • Not accessible to the general public, but allows
    vendors and business partners to access a company
    Web site

48
Network Address Translation (NAT)
  • "You cannot attack what you do not see" is the
    philosophy behind Network Address Translation
    (NAT) systems
  • Hides the IP addresses of network devices from
    attackers
  • Computers are assigned special IP addresses
    (known as private addresses)

49
Network Address Translation (NAT) (continued)
  • These IP addresses are not assigned to any
    specific user or organization; anyone can use
    them on their own private internal network
  • Port address translation (PAT) is a variation of
    NAT
    • Each packet is given the same IP address, but a
      different TCP port number
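As an added example (not code from the slides or the textbook), a minimal Python model of a PAT translation table: every outbound packet leaves with the one public address and a distinct port, replies are mapped back to the inside host, and an inbound packet with no mapping is dropped, which is the "cannot attack what you do not see" property. The public address, inside addresses and ports are constructed; the private ranges are the RFC 1918 blocks.

```python
# Added illustration of port address translation (PAT).
# The public IP, inside hosts and port numbers are constructed for the example.
import ipaddress

PUBLIC_IP = "198.51.100.1"  # constructed public address of the NAT device

# Private address blocks reserved by RFC 1918; anyone may use them internally
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

class PortAddressTranslator:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}  # (private_ip, private_port) -> public_port
        self.in_map = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the private network:
        same public IP for every inside host, a different port per flow."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the inside host; return None (drop) when no
        inside host has a mapping, so unsolicited packets reach nothing."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)
```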

50
Honeypots
  • Computers located in a DMZ loaded with software
    and data files that appear to be authentic
  • Intended to trap or trick attackers
  • Two-fold purpose
    • To direct attackers' attention away from real
      servers on the network
    • To examine techniques used by attackers

51
Honeypots (continued)
52
Virtual LANs (VLANs)
  • Segment a network with switches to divide the
    network into a hierarchy
  • Core switches reside at the top of the hierarchy
    and carry traffic between switches
  • Workgroup switches are connected directly to the
    devices on the network
  • Core switches must work faster than workgroup
    switches because core switches must handle the
    traffic of several workgroup switches

53
Virtual LANs (VLANs) (continued)
54
Virtual LANs (VLANs) (continued)
  • Segment a network by grouping similar users
    together
  • Instead of segmenting by user, you can segment a
    network by separating devices into logical groups
    (known as creating a VLAN)

55
Summary
  • Cable plant: the physical infrastructure (wire,
    connectors, and cables that carry data
    communication signals between equipment)
  • Removable media used to store information
    include
    • Magnetic storage (removable disks, hard drives)
    • Optical storage (CD and DVD)
    • Electronic storage (USB memory sticks, flash cards)

56
Summary (continued)
  • Network devices (workstations, servers, switches,
    and routers) should all be hardened to repel
    attackers
  • A network's topology plays a critical role in
    resisting attackers
  • Hiding the IP address of a network device can
    help disguise it so that an attacker cannot find
    it