Security Network Architecture

About This Presentation

Title:

Security Network Architecture

Description:

Security Network Architecture & Design – PowerPoint PPT presentation

Number of Views:387

Avg rating:3.0/5.0

Slides: 148

Provided by: ced122

Category:

more less

Transcript and Presenter's Notes

Title: Security Network Architecture

1

Security Network Architecture Design

2
Domain Objectives

Discuss the concepts of network security
Understand security risks
Provide the business context for network security

3
Information Security TRIAD
4
Domain Agenda

Basic Concepts
OSI Framework

5
Network Telecommunications

Network Security
Network Structures
Transmission Methods
Transport Formats
Security Measures
Network Security is the cornerstone for business
operations

6
Network Models

Models
OSI Reference Model
TCP/IP Model

7
OSI Reference Model

Layer 1 Physical Layer
Layer 2 Data Link Layer
Layer 3 Network Layer
Layer 4 Transport Layer
Layer 5 Session Layer
Layer 6 Presentation Layer
Layer 7 Application Layer

8
OSI Reference Model

Encapsulation
Layering

9
OSI Model Layer 1 Physical Layer

Bits are converted into signals
All signal processing
Physical Topologies

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
10
OSI Model Layer 2 Data Link Layer

Connects layer 1 and 3
Converts information
Transmits frames to devices
Link Layer encryption

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
11
OSI Model Layer 3 Network Layer

Moves information between two hosts that are not
physically connected
Uses logical addressing
Internet Protocol (IP)

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
12
OSI Model Layer 4 Transport Layer

End-to-end Transport between Peer Hosts
Connection Oriented and Connectionless Protocols

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
13
OSI Model Layer 5 Session Layer

Manages logical persistent connection
Three Modes
Full Duplex
Half Duplex
Simplex

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
14
OSI Model Layer 6 Presentation Layer

Ensures a common format to data
Services for encryption and compression

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
15
OSI Model Layer 7 Application Layer

The application layer is not the application
Performs communication between peer applications
Least control of network security

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Physical Layer
Physical Layer
16
TCP/IP Model

Originated by the U.S. Department of Defense
Functions like the OSI Model
Supports the TCP/IP Protocol
Application layer is unique

17
TCP/IP Model
18
TCP/IP Protocol Stack
Application
TCP, UDP
IP, IGMP, ICMP
ARP, Hardware Interface, PPP
Network Connection
19
Network Security and Risks

Network is the key asset in many organizations
Network Attacks

20
Network-based Attacks

Network as a Channel for Attacks
Network as the Target of Attack

21
Network as a Bastion of Defense

Security controls built around social,
organizational, procedural and technical
activities
Based on the organization's security policy

22
Network Security Objectives and Attacks

Business Risk versus Security Solutions
Attacks Scenarios
Network Entry Point - in Both Directions
Outside-in
Inside-out

23
Methodology of an Attack

Attack Trees
Path of Least Resistance

Methodology of an Attack
2
3
4
1
Target Acquisition
Target Analysis
Target Access
Target Appropriation
24
Target Acquisition
1

Attacks start by intelligence gathering
Means of intelligence gathering
Countermeasures
Limit information on a network
Distract an attacker

25
Target Analysis
2

Analyze identified target for security weaknesses
Tools available
Target analysis

26
Target Access
3

Obtain access to the system
Manage user privileges
Monitor access

27
Target Appropriation
4

Escalate privileges
Attacker may seek sustained control of the system
Countermeasures against privilege escalation

28
Network Security Tools

Tools automate processes
Network security is more than just technical
implementations

29
Network Scanners

Discovery Scanning
Compliance Scanning
Vulnerability Scanning

30
Domain Agenda

Basic Concepts
OSI Framework
Layer 1 Physical Layer

31
Layer 1 Physical Layer

Basic Concepts
Communications Technology
Network Topology
Technology and Implementation

32
Communication Technology

Analog and Digital Communications
Digital communication brings quantitative and
qualitative enhancements

33
Analog Communication

Analog signals use electronic properties
Transmitted on wires or with wireless devices

34
Digital Communication

Uses two electronic states
Can be transmitted over most media
Integrity of digital communication less difficult

35
Layer 1 Physical Layer

Basic Concepts
Communications Technology
Network Topology
Technology and Implementation

36
Network Topology

Even small networks are complex
Network topology and layout affects scalability
and security
Wireless networks have a topology

37
Bus

LAN with a central cable to which all nodes
connect
Advantages
Scalable
Permits node failure
Disadvantages
Bus failure

38
Tree

Devices connect to a branch on the network
Advantages
Scalable
Permits node failure
Disadvantages
Failures will split the network

39
Ring

Closed-loop Topology
Advantages
Deterministic
Disadvantages
Single Point of Failure

40
Mesh

All nodes are connected with each other
Advantages
Redundancy
Disadvantages
Expensive
Complex
Scalability

41
Star

All of the nodes connected to a central device
Advantages
Permits node/cable failure
Scalable
Disadvantages
Single point of failure

42
Security Perimeter

The first line of defense between trusted and
un-trusted networks
No direct physical connection between trusted and
untrusted networks

Security perimeter most widely used
implementation of network partitioning

43
Layer 1 Physical Layer

Basic Concepts
Communications Technology
Network Topology
Technology and Implementation

44
Technology and Implementation

Physical networks employ a wide variety of
cabling technologies and components
Wireless networks use frequency ranges and
encryption/authentication

45
Cable

Cable Selection Considerations
Throughput
Distance between Devices
Data Sensitivity
Environment

Cable
Twisted Pair
Coaxial Cable
Fiber Optics
Patch Panels
Modems
46
Twisted Pair

One of the Simplest and Cheapest Cabling
Technologies
Unshielded (UTP) or Shielded (STP)

47
Unshielded Twisted Pair (UTP)
Category Transmission Rate Use
Category 1 lt 1 Mbps Analog voice and basic interface rate (BRI) in Integrated Services Digital Network (ISDN)
Category 2 lt 4Mbps 4 Mbps IBM Token Ring LAN
Category 3 16 Mbps 10Base-T Ethernet
Category 4 20 Mbps 16 Mbps Token Ring
Category 5 100 Mbps 100 Base-TX and Asynchronous Transfer Mode (ATM)
Category 5e 1000 Mbps 1000 Base-T Ethernet
Category 6 1000 Mbps 1000 Base-T Ethernet
48
Coaxial Cable (Coax)

Conducting wire is thicker than twisted pair
Bandwidth
Length
Expensive and physically stiff

49
Fiber Optics

Three Components
Light Source
Optical Fiber Cable
Light Detector
Advantages
Disadvantages

50
Patch Panels

Provides physical cross-connect point for devices
Alternative to directly connecting devices
Centralized management

51
Modem

Converts a digital signal to analog
Provides little security
Unauthorized modems

52
Wireless Transmission Technologies

Include WLANs, Bluetooth and Mobile Telephony

53
Wireless Transmission Technologies
54
Wireless Multiplexing Technologies
Technology Principle Objective
Direct Sequence Spread Spectrum (DSSS) Spread transmission over a wider frequency band Signal less susceptible to noise
Frequency Hopping Spread Spectrum (FHSS) Spread signal over rapidly changing frequencies Interference at one frequency will only have short term effect
Orthogonal Frequency Division Multiplexing (OFDM) Signal is subdivided into sub frequencies bands Split high bandwidth transmission into low BW transmissions
55
Other Multiplexing Technologies
Technology Principle Objective
Frequency Division Multiple Access (FDMA) Divide Frequency into sub bands Open several low bandwidth channels
Time Division Multiple Access (TDMA) Split transmission by time slices Multiplexing between participants
Code Division Multiple Access (CDMA) Multiplex several signals into one signal Multiplexing is performed on a digital level
56
Mobile Telephony

Mobile telephony is undergoing a rapid
development
Most common mobile phone technology is still GSM

Global Service for Mobile Communications (GSM)
Mobile Telephony
57
Domain Agenda

Basic Concepts
OSI Framework
Layer 2 Data Link Layer

58
Layer 2 Data Link Layer

Concerned with sending frames to the next link
Determines network transmission format

59
Synchronous/Asynchronous Communications

Synchronous
Timing mechanism synchronizes data transmission
Robust Error Checking
Practical for High-speed, High-volume Data
Asynchronous
Clocking mechanism is not used
Surrounds each byte with bits that mark the
beginning and end of transmission

60
Unicast, Multicast, and Broadcast Transmissions

Multicasts
Broadcasts
Do not use reliable sessions
Unicast

61
Circuit-switched vs. Packet-switched Networks

Circuit-switched
Dedicated circuit between endpoints
Endpoints have exclusive use of the circuit and
its bandwidth
Packet-switched
Data is divided into packets and transmitted on a
shared network
Each packet can be independently routed on the
network

62
Switched vs. Permanent Virtual Circuits

Permanent Virtual Circuits
Switched Virtual Circuits

63
Carrier Sense Multiple Access

Only one device may transmit at a time
There are two variations
Carrier Sense Multiple Access with Collision
Avoidance (CSMA/CA)
Carrier Sense Multiple Access with Collision
Detection (CSMA/CD)

64
Polling

Slave device needs permission from a master
device
Used mostly in Mainframe Protocols
Optional Function of the IEEE 802.11 Standard

65
Token Passing

Special frame circulates through the ring
Device must possess the token to transmit
Token passing is used in Token Ring (IEEE 802.5)
and FDDI

66
Ethernet (IEEE 802.3)

Most Popular LAN Architecture
Supports bus, star, and point-to-point topologies
Currently supports speeds up to 1000Mbps

67
Hubs and Repeaters

Hubs
Used to implement a physical star topology
All devices can read and potentially modify the
traffic of other devices
Repeaters
Allows longer distances

68
Bridges

Layer 2 Devices that filter traffic between
segments based on MAC addresses
Can connect LANs with unlike media types
Simple bridges do not reformat frames

69
Switches

Multi-port devices to connect LAN hosts
Forwards frames only to the specified MAC address
Becoming more sophisticated

70
Wireless Local Area Networks

Allows mobile users to remain connected
Extends LANs beyond physical boundaries

71
Access Points

Access Point Placement
Do not count on hiding Access Points
Rogue Access Points

72
Authentication

Paramount to the Security of Wireless LANs
Open Systems Authentication
Shared Key Authentication
MAC Address Filtering
Extensible Authentication Protocol

73
Wireless Encryption

Wired Equivalent Privacy (WEP)
WiFi Protected Access (WPA)
WiFi Protected Access 2 (WPA2)

74
Wireless Encryption
802.1x Dynamic WEP Wi-Fi Protected Access Wi-Fi Protected Access 2
Access Control 802.1X 802.1X or Pre-Shared Key 802.1X or Pre-Shared Key
Authentication EAP methods EAP methods or Pre-Shared Key EAP methods or Pre-Shared Key
Encryption WEP TKIP (RC4) CCMP (AES Counter Mode)
Integrity None Michael MIC CCMP (AES CBC-MAC)
75
Wireless Standards

IEEE 802.11b
IEEE 802.11a
IEEE 802.11g
Bluetooth

76
Address Resolution Protocol (ARP) / RARP

ARP
RARP (Reverse ARP)

77
Password Authentication Protocol (PAP)

Identification and Authentication of Remote
Entity
Uses a clear text, reusable (static) password
Supported by most network devices

78
Challenge Handshake Authentication Protocol (CHAP)

Periodically re-validates users
Standard password database is unencrypted
Password is sent as a one-way hash

79
Domain Agenda

Basic Concepts
OSI Framework
Layer 3 Network Layer

80
Layer 3 Network Layer

Architectures Classified by Scale (size)
TCP/IP at the Network Layer

81
Local Area Network (LAN)

LANs service a relatively small area
Most LANs have connectivity to other networks
VLANs are software based LAN segments implemented
by switching technology

82
Wide Area Network (WAN) Description

A WAN is a network connecting local networks or
access points
Connections are often shared and tunneled through
other connections

83
Public Switched Telephone Network (PSTN)

PSTN is a circuit switched network
The PSTN may be subject to attacks

84
Integrated Services Digital Network (ISDN)

Uses two types of channels
Comes in two varieties

B (Bearer) Channel 64kBit/s
D (Delta) Channel 16kBit/s
BRI (Basic Rate Interface) 2B1D 144kBit/s
PRI (Primary Rate Interface) North America 23B1D 1.55MBit/s (T1)
PRI Europe and Australia 30B1D 2MBit/s (E1)
85
T Carrier
Channel Multiplex Ratio Bandwidth
T1 1xT1 1.544 Mbps
T2 4xT1 6.312 Mbps
T3 7xT2 28xT1 44.736 Mbps
T4 6xT3 168xT2 274.176 Mbps
86
E Carrier
Channel Multiplex Ratio Bandwidth
E1 1xE1 2.048 Mbps
E2 4xE1 8.848 Mbps
E3 4xE2 16xE1 34.304 Mbps
E4 4xE3 64xE2 139.264 Mbps
87
Digital Subscriber Lines (DSL)

Uses CAT-3 cables and the local loop
Asymmetric Digital Subscriber Line (ADSL)
Rate-adaptive DSL (RADSL)
Symmetric Digital Subscriber Line (SDSL)
Very High Bit-rate DSL (VDSL)

88
Cable Modem

PC Ethernet NIC connects to a cable modem
The modem and head-end exchange cryptographic
keys
Cable modems increase the requirement to observe
good security practices

89
X.25

Protocol developed for unreliable networks
Has a strong focus on error correction
Users and hosts connect through a packet-switched
network

90
Frame Relay

FR network cloud of switches
FR customers share resources
Customers are charged for used bandwidth only

91
Asynchronous Transfer Mode (ATM)

ATM is a connection-oriented protocol
Uses virtual circuits
Guarantees QoS but not the delivery of cells

92
Multi-Protocol Label Switching (MPLS)

Permits traffic engineering
Provides quality of service (QoS) and defense
against network attacks
Operates at Layer 2 and 3

93
Broadband Wireless

WiMAX allows the implementation of wireless
Metropolitan Area Networks (MANs)
Improved access when a base station and user are
not in line of sight
Security is based on AES and EAP

94
Wireless Optics

Two laser transceivers communicate at speeds
comparable to SONET
Wireless optics transmissions are hard to
intercept
Wireless optics can be unreliable during
inclement weather

95
Global Area Network (GAN)

Intranet
Extranet
Granting access to external organizations
Internet

96
TCP/IP at the Network Layer

TCP/IP protocol suite is the de-facto standard
Need to provide private communications services
over public networks

97
Internet Protocol (IP)

Internet Protocol (IP) is responsible for sending
packets over a network
Unreliable Protocol
IP will subdivide packets
IPv4 Address Structure

98
Internet Protocol (IP)

Internet Protocol Address Structure

Class Range of First Octet Number of Octets for Network Number Number of Hosts in Network
A 1-127 1 16777216
B 128-191 2 65536
C 192-223 3 256
D 224-239 Multicast Multicast
E 240-255 Reserved Reserved
99
Risks and Attacks

Key shortcoming in IP is its lack of
authentication
Shortcomings in implementation

100
IP Fragmentation Attacks

Teardrop Attack
Overlapping Fragment Attacks

101
IP Addressing Spoofing

Packets are sent with a bogus source address
SYN Flood
Takes advantage of a protocol flaw

102
Source Routing Exploitation

IP allows the sender to specify the path
Attacker can abuse source routing
Could allow an external attacker access to an
internal network

103
Smurf and Fraggle Attacks

Smurf attack mis-uses the ICMP Echo Request
Fraggle attack uses UDP instead of ICMP
Ping of Death

104
IPv6

A larger IP address field
Improved security
A more concise IP packet header
Improved quality of service

105
Routers

Routers forward packets to other networks
Routers can be used to interconnect different
technologies

106
Firewalls

Enforce administrative security policies
Separate trusted networks from untrusted networks
Firewalls should be placed between security
domains

107
Firewalls

Filtering
Filtering by Address
Filtering by Service
Static Packet Filtering
Stateful Inspection or Dynamic Packet Filtering
Personal Firewalls

108
Network Address Translation / Port Address
Translation
Network and Port Address Translation
Source IP 199.53.72.2 Destination IP
206.121.73.5 Source Port 1058 Destination Port
- 80
Source IP 192.168.1.50 Destination IP
206.121.73.5 Source Port 1037 Destination Port
- 80
109
Proxy Firewalls

Circuit Level Proxy
Application Level Proxy

110
Firewalls
Firewall Type OSI Model Layer Characteristics
Packet Filtering Network layer Routers using ACLs dictate acceptable access to a network Looks at destination and source addresses, ports and services requested
Application-level Proxy Application layer Deconstructs packets and makes granular access control decisions Requires one proxy per service
111
Firewalls
Firewall Type OSI Model Layer Characteristics
Circuit-level Proxy Session layer Deconstructs packets Protects wider range of protocols and services than app-level proxy, but not as detailed as a level of control
Stateful Network layer Keeps track of each conversation using a state table Looks at state and context of packets
112
Network Partitioning