Network Security

1
Network Security

• ITEC 370
• George Vaughan
• Franklin University

2
Sources for Slides

• Material in these slides comes primarily from
  course text, Guide to Networking
  Essentials,Tomsho, Tittel, Johnson (2007).
• Other sources are cited in line and listed in
  reference section.

3
TCP/IP and OSI Models
4
Developing a Network Security Policy Tomsho,
Tittel, Johnson (2007)

• A network security policy describes the rules
  governing access to a companys information
  resources, the enforcement of those rules, and
  the steps taken if rules are breached
• Should also describe the permissible use of those
  resources after theyre accessed
• Should be easy for ordinary users to understand
  and reasonably easy to comply with
• Should be enforceable
• Should clearly state the objective of each policy
  so that everyone understands its purpose

5
Determining Elements of a Network Security
Policy Tomsho, Tittel, Johnson (2007)

• Elements (minimum for most networks)
• Privacy policy
• Acceptable use policy
• Authentication policy
• Internet use policy
• Access policy
• Auditing policy
• Data protection
• Security policy should protect organization
  legally
• Security policy should be continual work in
  progress

6
Understanding Levels of Security Tomsho,
Tittel, Johnson (2007)

• Security doesnt come without a cost
• Before deciding on a level of security, answer
• What must be protected?
• From whom should data be protected?
• What costs are associated with security being
  breached and data being lost or stolen?
• How likely is it that a threat will actually
  occur?
• Are the costs to implement security and train
  users to use a secure network outweighed by the
  need to provide an efficient, user-friendly
  environment?
• Levels highly restrictive, moderately
  restrictive, open

7
Highly Restrictive Security Policies Tomsho,
Tittel, Johnson (2007)

• Include features such as
• Data encryption, complex password requirements,
  detailed auditing and monitoring of computer and
  network access, intricate authentication methods,
  and policies that govern use of the
  Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
• High design and configuration costs for SW and HW
• Staffing to support the security policies
• Lost productivity (high learning curve for users)
• Used when cost of a security breach is high

8
Moderately Restrictive Security Policies Tomsho,
Tittel, Johnson (2007)

• Most organizations can opt for this type of
  policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts,
  network resource misuse, and attacker activity
• Most NOSs contain authentication, monitoring, and
  auditing features to implement the required
  policies
• Infrastructure can be secured with moderately
  priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and
  support

9
Open Security Policies Tomsho, Tittel, Johnson
(2007)

• Policy might have simple or no passwords,
  unrestricted access to resources, and probably no
  monitoring and auditing
• Makes sense for a small company with the primary
  goal of making access to network resources easy
• Internet access should probably not be possible
  via the company LAN
• If Internet access is available company-wide, a
  more restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on
  individual workstations that are backed up
  regularly and are physically inaccessible to
  other employees

10
Common Elements of Security Policies Tomsho,
Tittel, Johnson (2007)

• Virus protection for servers and desktop
  computers is a must
• There should be policies aimed at preventing
  viruses from being downloaded or spread
• Backup procedures for all data that cant be
  easily reproduced should be in place, and a
  disaster recovery procedure must be devised
• Security is aimed not only at preventing improper
  use of or access to network resources, but also
  at safeguarding the companys information

11
Securing Physical Access to the Network Tomsho,
Tittel, Johnson (2007)

• If theres physical access to equipment, there is
  no security
• A computer left alone with a user logged on is
  particularly vulnerable
• If an administrator account is logged on, a
  person can even give his/her account
  administrator control
• If no user is logged on
• People could log on to the computer with their
  own accounts and access files to which they
  wouldnt normally have access
• Computer could be restarted and booted from
  removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked

12
Physical Security Best Practices Tomsho, Tittel,
Johnson (2007)

• When planning your network, ensure that rooms are
  available to house servers and equipment
• Rooms should have locks and be suitable for the
  equipment being housed
• If a suitable room isnt available, locking
  cabinets, freestanding or wall mounted, can be
  purchased to house servers and equipment in
  public areas
• Wiring from workstations to wiring cabinets
  should be inaccessible to eavesdropping equipment
• Physical security plan should include procedures
  for recovery from natural disasters (e.g., fire
  or flood)

13
Physical Security of Servers Tomsho, Tittel,
Johnson (2007)

• May be stashed away in lockable wiring closet
  along with switch to which the server is
  connected
• Often require more tightly controlled
  environmental conditions than patch panels, hubs,
  and switches
• Server rooms should be equipped with power thats
  preferably on a circuit separate from other
  devices
• If you must put servers accessible to people who
  should not have physical access to them, use
  locking cabinets
• You can purchase rack-mountable servers
• Make sure there is sufficient cooling.

14
Security of Internetworking Devices Tomsho,
Tittel, Johnson (2007)

• Routers and switches contain critical
  configuration information and perform essential
  network tasks
• Internetworking devices, such as hubs, switches,
  and routers, should be given as much attention in
  terms of physical security as servers
• A room with a lock is the best place for these
  devices
• Wall-mounted enclosure with a lock is second best
• Some cabinets come with a built-in fan or have a
  mounting hole for a fan
• They also come with convenient channels for
  wiring
• Make sure there is sufficient cooling.

15
Securing Access to Data Tomsho, Tittel, Johnson
(2007)

• Facets
• Authentication and authorization
• Encryption/decryption
• Virtual Private Networks (VPNs)
• Firewalls
• Virus and worm protection
• Spyware protection
• Wireless security

16
Authentication and Authorization

• Authentication Forcing a party to prove their
  true identity
• Login process, certificates, shared keys
• Applies to both clients and servers
• Authorization
• Only applies after party has been authenticated
• Access Control (file permissions, Access Control
  Lists, etc.)

17
Implementing Secure Authentication and
Authorization Tomsho, Tittel, Johnson (2007)

• Administrators must control who has access to the
  network (authentication) and what logged on users
  can do to the network (authorization)
• NOSs have tools to specify options and
  restrictions on how/when users can log on to
  network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
• File system access controls and user permission
  settings determine what a user can access on a
  network and what actions a user can perform

18
Configuring Password Requirements in a Windows
Environment Tomsho, Tittel, Johnson (2007)

• Specify if passwords are required for all users,
  how many characters a password must be, and
  whether they should meet certain complexity
  requirements
• XP allows passwords up to 128 characters
• Minimum of five to eight characters is typical
• If minimum length is 0, blank passwords are
  allowed
• Other options include Maximum/Minimum password
  age, and Enforce password history
• When a user fails to enter a correct password, a
  policy can be set to lock the user account

19
Configuring Password Requirements in a Linux
Environment Tomsho, Tittel, Johnson (2007)

• Linux password configuration can be done globally
  or on a user-by-user basis
• Options in a standard Linux Fedora Core 4 include
  maximum/minimum password age, and number of days
  warning a user has before password expires
• Linux system must be using shadow passwords, a
  secure method of storing user passwords
• Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to set
  other options like account lockout, password
  history, and complexity tests

20
Reviewing Password Dos and Donts Tomsho,
Tittel, Johnson (2007)

• Use a combination of uppercase letters, lowercase
  letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW_at_rk1ng !s C00l
• Dont use passwords based on your logon name,
  family members names, or even your pets name
• Dont use common dictionary words unless they are
  part of a phrase
• Dont make your password so complex that you
  forget it or need to write it down somewhere

21
Authorizing Access to Files and Folders Tomsho,
Tittel, Johnson (2007)

• Windows OSs have two options for file security
• Sharing permissions are applied to folders (and
  only folders) shared over the network
• Dont apply to files/folders if user is logged on
  locally
• These are the only file security options
  available in a FAT or FAT32 file system
• NTFS permissions allow administrators to assign
  permissions to files as well as folders
• Apply to file access by a locally logged-on user
  too
• Enable administrators to assign permissions to
  user accounts and group accounts
• Six standard permissions are available for folders

22
Authorizing Access to Files and Folders
(continued) Tomsho, Tittel, Johnson (2007)
23
Authorizing Access to Files and Folders
(continued) Tomsho, Tittel, Johnson (2007)
24
Securing Data with Encryption Tomsho, Tittel,
Johnson (2007)

• Use encryption to safeguard data as it travels
  across the Internet and within the company
  network
• Prevents somebody using eavesdropping technology,
  such as a packet sniffer, from capturing packets
  and using the data for malicious purposes
• Data on disks can be secured with encryption

25
Using IPSec to Secure Network Data Tomsho,
Tittel, Johnson (2007)

• The most popular method for encrypting data as it
  travels network media is to use an extension to
  the IP protocol called IP Security (IPSec)
• Establishes an association between two
  communicating devices
• Association is formed by two devices
  authenticating their identities via a preshared
  key, Kerberos authentication, or digital
  certificates
• After the communicating parties are
  authenticated, encrypted communication can
  commence

26
IPSec Wikipedia-IPSec (n.d).

• IP Security
• A set of protocols operating at the Network layer
  (layer 3).
• 2 Modes
• Transport Mode
• Only payload in packet is encrypted (header is
  not)
• Host to Host communication
• Tunnel Mode
• Entire IP packet is encrypted, including header
• Encapsulated in another packet for routing across
  internet.
• Network to Network communication

27
Securing Data on Disk

• Windows allows data to be encrypted at the folder
  level
• Can optional include subfolders
• Based on owner of file
• Groups of users can be defined
• Linux allows data to be encrypted
• GPG (GNU Privacy Guard) from FSF.
• GPG is available for Windows also

28
VPN Wikipedia-VPN

• VPN Virtual Private Network
• A virtual (logical) private network running on
  top of a public network (e.g. Internet).
• Useful for providing remote access without using
  dedicated lines.
• 2 parts inside network which is trusted and
  outside part which is not trusted.
• VPN Server manages authentication
• When active, all access from client to outside
  must pass through a firewall makes client act
  as if it was in the inside network.

29
Securing Communication with Virtual Private
Networks Tomsho, Tittel, Johnson (2007)
30
VPN Benefits Tomsho, Tittel, Johnson (2007)

• Advantages of using VPNs
• Installing several modems on an RRAS server so
  that users can dial up the server directly isnt
  necessary instead, users can dial up any ISP
• RRAS Windows Routing and Remote Access Server.
• Remote users can usually access an RRAS server by
  making only a local phone call, as long as they
  can access a local ISP
• When broadband Internet connectivity is available
  (e.g., DSL, cable modem), remote users can
  connect to the corporate network at high speed,
  making remote computing sessions more productive
• Additionally, VPNs save costs

31
Protecting Networks with Firewalls Tomsho,
Tittel, Johnson (2007)

• Firewall HW device or SW program that inspects
  packets going into or out of a network or
  computer, and then discards/forwards them based
  on rules
• Protects against outside attempts to access
  unauthorized resources, and against malicious
  network packets intended to disable or cripple a
  corporate network and its resources
• If placed between Internet and corporate network,
  can restrict users access to Internet resources
• Firewalls can attempt to determine the context of
  a packet (stateful packet inspection (SPI))

32
Types of Firewalls Wikipedia-firewall (n.d.)

• Packet Filter Firewall
• Stateless
• Rules are static
• Circuit Level Firewall
• Stateful
• Can determine if packet is a new or part of an
  existing connection.
• Application Layer Firewall
• Also known as proxy based firewalls

33
Using a Router as a Firewall Tomsho, Tittel,
Johnson (2007)

• A firewall is just a router with specialized SW
  that facilitates creating rules to permit or deny
  packets
• Many routers have capabilities similar to
  firewalls
• After a router is configured, by default, all
  packets are permitted both into and out of the
  network
• Network administrator must create rules (access
  control lists) that deny certain types of packets
• Typically, an administrator builds access control
  lists so that all packets are denied, and then
  creates rules that make exceptions

34
Using Intrusion Detection Systems Tomsho,
Tittel, Johnson (2007)

• An IDS usually works with a firewall or router
  with access control lists
• A firewall protects a network from potential
  break-ins or DoS attacks, but an IDS must detect
  an attempted security breach and notify the
  network administrator
• May be able to take countermeasures if an attack
  is in progress
• Invaluable tool to help administrators know how
  often their network is under attack and devise
  security policies aimed at thwarting threats
  before they have a chance to succeed
• Too many false positives will result in the IDS
  being ignored

35
NAT Wikipedia-NAT (n.d.)

• Network Address Translation (IP-masquerading)
• Router/Firewall replaces internal IP source
  address in IP packet with its own IP address when
  send packets out.
• Router/Firewall reverses process for incoming
  packets.
• Useful for hiding the Identify of real IP
  addresses behind the firewall
• Can be used for IP address reuse
• multiple machines share same IP address
• Common in home routers
• ISP assigns single public IP address
• Router maps to multiple private IP addresses
• TCP and UDP port numbers used for de-multiplexing

36
Using Network Address Translation to Improve
Security Tomsho, Tittel, Johnson (2007)

• A benefit of NAT is that the real address of an
  internal network resource is hidden and
  inaccessible to the outside world
• Because most networks use NAT with private IP
  addresses, those devices configured with private
  addresses cant be accessed directly from outside
  the network
• An external device cant initiate a network
  conversation with an internal device, thus
  limiting an attackers options to cause mischief

37
Protecting a Network from Worms, Viruses, and
Rootkits Tomsho, Tittel, Johnson (2007)

• Malware is SW designed to cause harm/disruption
  to a computer system or perform activities on a
  computer without the consent of its owner
• A virus spreads by replicating itself into other
  programs or documents
• A worm is similar to a virus, but it doesnt
  attach itself to another program
• A backdoor is a program installed on a computer
  that permits access to the computer, bypassing
  the normal authentication process
• To help prevent spread of malware, every computer
  should have virus-scanning software running

38
Protecting a Network from Worms, Viruses, and
Rootkits (continued) Tomsho, Tittel, Johnson
(2007)

• A Trojan Horse program appears to be something
  useful, but in reality contains some type of
  malware
• Rootkits are a form of Trojan programs that can
  monitor traffic to and from a computer, monitor
  keystrokes, and capture passwords
• Used to hide files, programs form O.S.
• Sony added rootkits to audio CDs to prevent
  copying
• The hoax virus is one of the worst kinds of
  viruses
• The flood of e-mail from people actually falling
  for the hoax is the virus!
• Malware protection can be expensive however, the
  loss of data and productivity that can occur when
  a network becomes infected is much more costly
• Phishing social engineering
• E.g. fake (web) services used to collect
  sensitive data

39
Protecting a Network from Spyware and Spam
Tomsho, Tittel, Johnson (2007)

• Spyware monitors/controls part of a computer at
  the expense of users privacy and to the gain of
  a third party
• Is not usually self-replicating
• Many anti-spyware programs are available, and
  some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
• Theft of e-mail storage space, network bandwidth,
  and peoples time
• Detection and prevention is an uphill battle
• For every rule or filter anti-spam software
  places on an e-mail account, spammers find a way
  around them

40
Implementing Wireless Security Tomsho, Tittel,
Johnson (2007), Wikipedia

• Attackers who drive around looking for wireless
  LANs to intercept are called wardrivers
• Wireless security methods
• SSID (not easy to guess and not broadcast)
• Service Set Identifier identifies network
• Wired Equivalency Protocol (WEP)
• 1999 Can be cracked in 2 minutes w available
  software
• Wi-Fi Protected Access (WPA)
• 2003 Stronger than WEP. Not supported by all
  access points.
• 802.11i
• 2004 same as WPA2, superset of WPA.
• MAC address filtering
• Access control list based on MAC address
• You should also set policies limit AP signal
  access, change encryption key regularly, etc.

41
Using a Crackers Tools to Stop Network Attacks
Tomsho, Tittel, Johnson (2007)

• If you want to design a good, solid network
  infrastructure, hire a security consultant who
  knows the tools of the crackers trade
• A cracker (black hat) is someone who attempts to
  compromise a network or computer system for the
  purposes of personal gain or to cause harm
• The term hacker has had a number of meanings
  throughout the years
• White hats often use the term penetration tester
  for their consulting services

42
Discovering Network Resources Tomsho, Tittel,
Johnson (2007)

• Attackers use command-line utilities such as
  Ping, Traceroute, Finger, and Nslookup to get
  information about the network configuration and
  resources
• Other tools used
• Ping scanner automated method for pinging a
  range of IP addresses
• Port scanner determines which TCP and UDP ports
  are available on a particular computer or device
• Protocol analyzers are also useful for resource
  discovery because they allow you to capture
  packets and determine which protocols services
  are running

43
Disabling Network Resources Tomsho, Tittel,
Johnson (2007)

• A denial-of-service (DoS) attack is an attackers
  attempt to tie up network bandwidth or network
  services so that it renders those resources
  useless to legitimate users
• Packet storms typically use the UDP protocol
  because its not connection oriented
• Half-open SYN attacks use TCPs handshake to tie
  up a server with invalid TCP sessions, thereby
  preventing real sessions from being created
• In a ping flood, a program sends a large number
  of ping packets to a host

44
References

• Tomsho, Tittel, Johnson (2007). Guide to
  Networking Essentials. Boston Thompson Course
  Technology.
• Odom, Knott (2006). Networking Basics CCNA 1
  Companion Guide. Indianapolis Cisco Press
• Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006
  from
• http//en.wikipedia.org/wiki/OSI_Model
• Wikipedia-IPSec (n.d). IPsec. Retrieved
  01/30/2007 from
• http//en.wikipedia.org/wiki/Ipsec
• Wikipedia-VPN (n.d.). Virtual Private Network.
  Retrieved 01/30/2007 from http//en.wikipedia.org
  /wiki/Vpn
• Wikipedia-firewall (n.d.) Firewall (Networking).
• Retrieved 01/30/2007 from http//en.wikipedia.org
  /wiki/Firewall
• Wikipedia-NAT (n.d.) Network Address Translation.
  Retrieved 01/30/2007 from http//en.wikipedia.org
  /wiki/Network_address_translation