ch 10 - infrastructure security
TRANSCRIPT
Lesson 10-Infrastructure Security
Background
In the CIA triad of security, the “A” for availability is often overlooked.
– A failure that allows unauthorized users to access resources and data:
• Compromises integrity or confidentiality.
– A failure that prevents authorized users from accessing resources and data:
• Means data is not available.
Infrastructure includes:
– Devices
– Media
– Security Concerns for Transmission Media
– Removable Media
– Security Topologies
– Tunneling
– Clients
– Servers
Infrastructure Security
Infrastructure security begins with the actual design of the
infrastructure itself.
– Network components are an essential aspect of a total
computing environment. They rely upon:
• Routers, switches, and cables that connect the devices
• Firewalls and gateways that manage the communication
• Network design
• Protocols that are employed
The primary goal of network infrastructure security is to
allow all authorized use and deny all unauthorized use of
resources.
End-User Devices
Equipment that directly connects to a network segment is termed a device (end-user device or network device).
End-user devices (hosts):
– Can exist without a network, as standalone machines.
– Are physically connected to the network media via a network interface card (NIC).
– Each NIC carries a unique Media Access Control (MAC) address.
– Different NICs are used for different physical-layer protocols.
Complete Network
A complete network computing solution consists of more than just client computers and servers.
– Additional devices are needed to connect clients, servers, wireless and hand-held systems: hubs, switches, routers, wireless access points, and VPN devices.
Workstation security can be increased by:
– Removing unnecessary protocols such as Telnet, NetBIOS, and IPX.
– Removing modems unless needed and authorized.
– Removing all unnecessary shares.
– Renaming the administrator account and adding a strong password.
– Removing unnecessary user accounts.
– Installing an antivirus program and keeping it up-to-date.
– Removing or disconnecting the floppy drive if not needed.
– Ensuring there is a firewall between the machine and the Internet.
– Keeping the OS patched and up-to-date.
LAN Devices
LANs consist of the following devices:
– Computers
– Network interface cards
– Peripheral devices
– Networking media
– Network devices
Common LAN technologies include:
– Ethernet
– Token Ring
– FDDI
Network Devices
Devices that connect end-user devices together to allow them to communicate.
• Layer 1 - A repeater and hub are network devices used to regenerate a signal.
• Layer 2 - Bridges and switches segment traffic for small collision domains using MAC addresses.
• Layer 3 - Routers have all the capabilities listed above and connect WANs using IP addresses.
Layer 1 Network Devices
Layer 1 – All ports on a repeater or hub share a single collision domain and a single broadcast domain.
Layer 2 - Switch Administration
Switches are administered using the Simple Network Management Protocol (SNMP).
– SNMP sends its passwords (community strings) across the network in cleartext.
– Switches are shipped with default passwords, and the passwords must be changed at setup.
It is important to disable all management access methods other than the serial console, or to use Secure Shell (SSH).
– Using secure access methods limits the exposure to hackers and malicious users.
– Maintaining secure network switches is more important than securing individual boxes.
• An attacker who reprograms a switch can intercept traffic from every port on it, a far wider span of control than a single compromised host.
Layer 2 Security - VLAN Overview
Virtual local area networks (VLANs) are a method of dividing a single switch into multiple network segments. VLANs have several characteristics:
– VLAN membership for users can be based on department or job function, regardless of where the users are located.
– Easily move workstations on the LAN.
– Easily add workstations to the LAN.
– Easily change the LAN configuration.
– Easily control network traffic.
– Improve security and increase network segregation.
– Increase throughput and security.
Routers
Routers form the backbone of the Internet.
– They move traffic from network to network.
– They inspect the packets of every communication as they forward traffic along optimized paths.
Routers examine each packet for its destination address.
– They determine where to send a packet using routing algorithms and tables.
– They may also examine the source address and determine whether to allow a packet to pass (implementing access control lists, ACLs).
– Some routers act as quasi-application gateways, performing stateful packet
inspection and using contents as well as IP addresses to determine whether or
not to permit a packet to pass.
Layer 3 - Router Security
A security concern of routers is access to their internal functions.
– Physical control over a router is absolutely necessary.
– Ensure that administrative passwords are never passed across the network in the clear.
• Secure mechanisms are used to access the router.
• Default passwords are reset to strong passwords.
The Security Policy
A security policy is a series of rules that define what traffic is
permissible and what traffic is to be blocked or denied.
– What am I protecting?
– From whom?
– What services does my company need to access over the network?
– Who gets access to what resources?
– Who administers the network?
A key to security policies for firewalls is the
principle of least access.
– Only allow the necessary access for a function, and block or deny all
unneeded functionality.
Firewalls
A firewall is a network device: hardware, software, or a combination.
It enforces a security policy across its connections.
A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic.
Firewall usage
How Do Firewalls Work?
Firewalls enforce established security policies through mechanisms including:
– Network Address Translation (NAT) creates a private addressing scheme whose addresses cannot be reached directly from the Internet.
– Basic packet filtering can filter by protocol type, IP address, TCP/UDP port, and source routing information.
– Stateful packet filtering monitors the state of each connection, not just individual packets.
– ACLs are rules, built according to organizational policy, that define who can access which portions of the network.
– Application layer proxies prevent packets from traversing the firewall directly; data instead passes to a proxy device that decides what to do with it.
Stateful Packet Filtering
A stateful packet filter keeps a record of the connections made with other computers in a state table.
Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.
Internet Connection Firewall makes use of a state table to track connections based on source and destination IP address and blocks any inbound connection that the inside host has not initiated. It is very simple and does not allow the control you need.
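As an added illustration (not code from the lesson), the state-table behaviour described above, combined with the least-access principle from the security policy slide, in a toy Python packet filter: connections opened from the trusted side populate the table, replies are matched against it, and unsolicited inbound traffic is denied unless a policy rule explicitly permits the service. The address prefixes, the DMZ web server and the policy are constructed assumptions.

```python
# Toy stateful packet filter (added example, not the lesson's code).
# Connections opened from the trusted side are recorded in a state table;
# replies are allowed only if they match an entry; unsolicited inbound
# traffic is denied unless a least-access rule explicitly permits it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True when the packet opens a new connection


# Constructed assumptions: trusted inside prefix, DMZ prefix, and the only
# services the policy exposes to the untrusted Internet (DMZ web server).
TRUSTED_PREFIXES = ("10.0.0.", "192.168.1.")
INBOUND_ALLOW = {("192.168.1.10", 80), ("192.168.1.10", 443)}


def is_trusted(ip: str) -> bool:
    return ip.startswith(TRUSTED_PREFIXES)


class StatefulFilter:
    def __init__(self) -> None:
        self.state: set[tuple] = set()  # established connections

    def check(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Packet belongs to a tracked connection (either direction).
        if fwd in self.state or rev in self.state:
            return "allow:established"
        # Mid-stream packet with no state entry: the handshake was never seen.
        if not pkt.syn:
            return "deny:no-state"
        # New connection from the trusted side: record it and let it out.
        if is_trusted(pkt.src):
            self.state.add(fwd)
            return "allow:outbound-new"
        # New connection from outside: only explicitly permitted services.
        if (pkt.dst, pkt.dport) in INBOUND_ALLOW:
            self.state.add(fwd)
            return "allow:policy"
        return "deny:default"


def run_trace(fw: StatefulFilter, trace: list) -> list:
    """Apply the filter to a packet sequence and return the decisions."""
    return [fw.check(p) for p in trace]
```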
Wireless Access Point
Wireless devices bring additional security concerns.
– Placing a wireless access point behind a firewall only controls the traffic that reaches the device over the wired network; wireless clients reach it directly over the air.
An access point supports multiple concurrent devices accessing the network.
Basic network security for connections can be provided by forcing authentication and verifying authorization.
– WEP is designed to prevent sniffing of network traffic over the wireless portion of the network.
Modem, DSL and Cable Modem
Modem is short for modulator/demodulator.
– Modems convert analog signals to digital and vice versa.
DSL
– Direct connection between the computer/network and the Internet.
Cable modem
– Connected to a shared segment (a party line).
– Most have basic firewall capabilities to prevent files from being viewed or downloaded.
– Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering.
Both cable modem and DSL services provide a continuous connection, which brings up the question of IP address lifetime for a client.
– Most services use the Dynamic Host Configuration Protocol (DHCP) to manage their address space.
RAS
Remote Access Service (RAS) allows connection between a client and a
server via a dial-up telephone connection.
When a user dials into a computer system, authentication and authorization
are performed through a series of remote access protocols.
– A call-back system may be employed.
RAS may also mean Remote Access Server, a term for a server designed to
permit remote users access to a network and to regulate their access.
Once connected to the RAS server, a client has all the benefits of a direct
network connection.
The RAS server treats its connected clients as extensions of the network.
– For security purposes, a RAS server should be placed in the DMZ and considered
insecure.
Telecom/PBX
Private branch exchanges (PBXs) are an extension of the
public telephone network into a business.
– PBXs are computer-based switching equipment designed to
connect telephones into the local phone system.
– They can be compromised from the outside and used by phone
hackers (phreakers) to make phone calls at the organization’s
expense.
PBXs also become a risk when they are interconnected with data systems, whether through a corporate connection or through rogue modems belonging to users.
Virtual Private Network (VPN)
Three main kinds:
– Access VPN: remote access for telecommuters or branch offices to a corporate intranet or extranet.
– Intranet VPN: links remote offices to the corporate intranet.
– Extranet VPN: links business partners and outside users to the corporate extranet. Extranets are intranet-based applications and services that are extended, through secure access, to external users or enterprises.
A VPN is an encrypted connection that appears dedicated.
– Data is encrypted at both ends.
– Offers secure, reliable connectivity.
IDS
Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity.
The two categories of IDS are:
– Network-based systems, which look at network traffic.
– Host-based systems, which look at activity on the host.
The two primary methods of detection are:
– Signature-based
– Anomaly-based
Multiple IDSs are required for large networks, as they can have multiple entry points into the system.
Problem: remote access protocols employ encryption that hides the contents of packets from IDS inspection.
Network Monitoring/Diagnostic
The Simple Network Management Protocol (SNMP) was developed to perform management, monitoring, and fault resolution across networks.
It enables a monitoring and control center to maintain, configure, and repair network devices (switches, routers, firewalls, IDSs, servers, and remote access servers).
– SNMP enables controllers at network operations centers (NOCs) to measure the actual performance of network devices and make changes to the configuration and operation of devices.
Mobile Devices
Mobile devices offer several challenges for network administrators.
– When data is moved from one network to another, an opportunity for malware exists.
– Antivirus protection is available.
– CAN-SPAM law of 2003.
– Third conviction under the CAN-SPAM law.
Media - Physical Layer
The base of communications between devices is the physical layer of the OSI model.
Methods of Connection
– There are four common methods of connecting equipment at the physical layer:
• Coaxial cable
• Twisted-pair cable
• Fiber optics
• Wireless
The primary security concern is preventing physical access to network devices, and secondly, preventing unfettered access to network connections.
Methods for unauthorized entry to a network:
– Inserting a device on the network by attaching to the cable or adding a wireless device. Once attached, sniffing is easy.
Coax and Fiber
Coaxial cable is familiar as a method of connecting televisions to VCRs or to satellite or cable services.
– It has high bandwidth and shielding capabilities.
Fiber optic cable uses laser light to connect devices over a thin glass fiber.
The biggest advantage of fiber is its bandwidth, with transmission capabilities in the range of terabits per second.
Connection to fiber is difficult and expensive.
A coax connector
A typical fiber optic cable
UTP/STP
Twisted-pair wires use the same technology used by the phone company.
Twisted pairs come in two types:
– Shielded twisted-pair (STP) has a foil shield to reduce electromagnetic interference.
– Unshielded twisted-pair (UTP) relies on the twist to eliminate interference.
There are three categories of twisted-pair currently in use:
• Category 3 (Cat 3): minimum for voice and 10 Mbps Ethernet
• Category 5 (Cat 5): for 100 Mbps Fast Ethernet
• Category 6 (Cat 6): for Gigabit Ethernet
Unguided Media
Unguided media covers all transmission media not guided by wire, fiber, or other constraints.
– Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible spectrum which cannot penetrate walls but instead bounces off them.
– Radio frequency (RF) waves use a variety of frequency bands with special characteristics.
– Microwave describes a specific portion of the RF spectrum that is used for communication as well as other tasks such as cooking. Microwave communications can penetrate reasonable amounts of building structure.
Security Topologies
Security-related topologies include separating portions of the network by use and function, strategically designing points to monitor for IDS systems, building in redundancy, and adding fault-tolerant aspects.
Trade-offs between access and security are handled through zones.
– The outermost layers provide basic protection.
– The innermost layers provide the highest level of protection.
Successive zones are guarded by firewalls enforcing increasingly strict security policies.
Accessibility is inversely related to the level of protection.
The Big Picture
The outermost zone is the Internet, a free area beyond any specific controls.
Between the inner secure corporate network and the Internet is an area where machines are considered at risk, called the DMZ after its military counterpart, the demilitarized zone, where neither side has any specific controls.
The demilitarized zone (DMZ) is a buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.
DMZ
To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.
– The firewalls are specifically designed to prevent access across the DMZ.
– Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.
All network devices placed in the DMZ should be hardened.
If an outside user requests a resource from the trusted network, the request follows this scenario:
– A user from an untrusted network (the Internet) requests data via a Web page from a Web server in the DMZ.
– The Web server in the DMZ requests data from the application server, which can be in the DMZ or in the inner, trusted network.
– The application server requests the data from the database server in the trusted network.
– The database server returns the data to the requesting application server.
– The application server returns the data to the requesting Web server.
Internet, Intranet and Extranet
The Internet should be considered untrusted.
– A firewall should exist at any connection between a trusted network and the Internet.
An intranet is the collection of all LANs inside the firewall (the campus network).
An extranet is an extension of a selected portion of a company's intranet to external partners.
– This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of Internet protocols.
– Extranets can use public networks, so some form of security, typically a VPN, is used to secure this channel.
Two methods exist to provide outside access to information:
– Duplication onto servers in the DMZ
– The use of extranets
Tunneling
Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner.
Tunneling encapsulates packets within packets, which enables dissimilar protocols to coexist in a single communication stream, as when IP traffic is routed over an ATM network.
On a VPN connection, an edge device on one network, usually a router, connects to another edge device on the other network.
– Using IPsec protocols, these routers establish a secure, encrypted path between them.
Tunneling across a public network
Network Address Translation (NAT)
NAT translates between public and private IP addresses.
– This permits enterprises to use the nonroutable private IP address space internally and reduces the number of public IP addresses they consume on the Internet.
NAT translates the address when traffic passes through the device, such as a firewall.
– Typically, a pool of external IP addresses is used by the NAT device, with the device keeping track of which internal address is using which external address at any given time.
Static NAT is a 1:1 binding of an external address to an internal address, used for devices that require a fixed address (Web servers or e-mail servers).
Dynamic NAT assigns multiple private addresses to a public address.
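As an added illustration (not code from the lesson), a toy Python NAT device that models the two forms described above: static 1:1 bindings for servers that need a fixed public address, and a dynamic pool of public addresses whose current assignment to internal hosts the device tracks, including pool exhaustion and release. All addresses are constructed from documentation ranges.

```python
# Toy NAT device (added example, not the lesson's code). Static entries
# give servers a fixed 1:1 public address; other internal hosts borrow an
# address from a dynamic pool, and the device tracks which internal host
# holds which public address until the binding is released.
from typing import Optional


class NatDevice:
    def __init__(self, static: dict, pool: list) -> None:
        self.static = dict(static)         # internal -> public, fixed 1:1
        self.free = list(pool)             # public addresses not in use
        self.dynamic: dict = {}            # internal -> public, in use
        # Reverse table consulted for inbound traffic (public -> internal).
        self.reverse = {pub: priv for priv, pub in self.static.items()}

    def outbound(self, internal_ip: str) -> Optional[str]:
        """Public address written into a packet leaving the private net.
        Returns None when the pool is exhausted (the packet is dropped)."""
        if internal_ip in self.static:
            return self.static[internal_ip]
        if internal_ip in self.dynamic:
            return self.dynamic[internal_ip]
        if not self.free:
            return None
        public = self.free.pop(0)
        self.dynamic[internal_ip] = public
        self.reverse[public] = internal_ip
        return public

    def inbound(self, public_ip: str) -> Optional[str]:
        """Internal address for a packet arriving from the Internet.
        Only currently bound public addresses map to anything; any other
        destination, including the private space itself, is unreachable."""
        return self.reverse.get(public_ip)

    def release(self, internal_ip: str) -> Optional[str]:
        """Return a dynamic binding to the pool (e.g. on idle timeout)."""
        public = self.dynamic.pop(internal_ip, None)
        if public is not None:
            del self.reverse[public]
            self.free.append(public)
        return public


def demo() -> NatDevice:
    # Constructed: a DMZ web server with a static binding and a
    # two-address dynamic pool for every other internal host.
    return NatDevice({"172.16.2.2": "203.0.113.3"},
                     ["203.0.113.20", "203.0.113.21"])
```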
[Network diagram: layer 3 switch, workgroup switches, routers, VPN device, and a NAT device between the public and private address spaces; wireless access point, payroll and workgroup servers, authentication servers, ISDN switch and communications tower; sniffer/monitoring servers and IDS sensors at several points. Device labels and IP addresses omitted.]