Lesson 10 - Infrastructure Security

Upload: networksguy

Post on 20-May-2015

Page 1: Ch 10 - Infrastructure Security

Lesson 10-Infrastructure Security

Page 2

Background

In the CIA of security, the “A” for availability is often overlooked.

– One kind of failure allows unauthorized users to access resources and data.
  • This compromises confidentiality or integrity.
– The other kind of failure prevents authorized users from accessing resources and data.
  • Data is not available.

Infrastructure includes:

– Devices
– Media
– Security Concerns for Transmission Media
– Removable Media
– Security Topologies
– Tunneling
– Clients
– Servers

Page 3

Infrastructure Security

Infrastructure security begins with the actual design of the infrastructure itself.

– Network components are an essential aspect of a total computing environment. They rely upon:
  • Routers, switches, and cables that connect the devices
  • Firewalls and gateways that manage the communication
  • Network design
  • Protocols that are employed

The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.

Page 4

End-User Devices

Equipment that directly connects to a network segment is termed a device (end user and network).

End User Devices - hosts:

– Can exist without a network, standalone.
– Physically connected to the network media via a network interface card (NIC).
– Each NIC carries a unique Media Access Control (MAC) address.
– Different NICs are used for different physical protocols.

Page 5

Complete Network

A complete network computer solution consists of more than just client computers and servers.

– Devices are needed to connect clients, servers, wireless and hand-held systems: hubs, switches, routers, wireless access points, and VPN devices.

Workstation security can be increased by:

– Removing unnecessary protocols such as Telnet, NetBIOS, and IPX.
– Removing modems unless needed and authorized.
– Removing all unnecessary shares.
– Renaming the administrator account and adding a strong password.
– Removing unnecessary user accounts.
– Installing an antivirus program and keeping it up-to-date.
– Removing or disconnecting the floppy drive if not needed.
– Ensuring there is a firewall between the machine and the Internet.
– Keeping the OS patched and up-to-date.

Page 6

LAN Devices

LANs consist of the following devices:

– Computers
– Network interface cards
– Peripheral devices
– Networking media
– Network devices

Common LAN technologies include:

– Ethernet
– Token Ring
– FDDI

Page 7

Network Devices

Devices that connect end-user devices together to allow them to communicate.

• Layer 1 - A repeater and hub are network devices used to regenerate a signal.
• Layer 2 - Bridges and switches segment traffic into smaller collision domains using MAC addresses.
• Layer 3 - Routers have all the capabilities listed above and connect WANs using IP addresses.

Page 8

Layer 1 Network Devices

Layer 1 – Repeaters and hubs: all ports on a repeater or hub share one collision domain and one broadcast domain.

Page 9

Layer 2 - Switch Administration

Switches are administered using the Simple Network Management Protocol (SNMP).

– SNMP sends passwords across the network.
– Switches are shipped with default passwords, and the passwords must be changed at setup.

It is important to disable all access protocols other than a serial line, or use Secure Shell (SSH).

– Using secure access methods limits the exposure to hackers and malicious users.
– Maintaining secure network switches is more important than securing individual boxes.
  • The span of control to intercept data is much wider on a switch when it is reprogrammed by a hacker.

Page 10

Layer 2 Security - VLAN Overview

Virtual local area networks (VLANs) are a method of using a single switch and dividing it into multiple network segments. VLANs have several characteristics:

– VLAN membership for users can be based on department or job function, regardless of where the users are located.
– Easily move workstations on the LAN.
– Easily add workstations to the LAN.
– Easily change the LAN configuration.
– Easily control network traffic.
– Improve security.
– Increase network segregation.
– Increase throughput and security.

Page 11

Routers

Routers form the backbone of the Internet.

– They move traffic from network to network.
– They inspect the packets of every communication as they move traffic along optimized paths.

Routers examine each packet for destination addresses.

– They determine where to send a packet using algorithms and tables.
– They may examine the source address and determine whether to allow a packet to pass (implementing ACLs).
– Some routers act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass.

(Figure caption: Routers)

Page 12

Layer 3 - Router Security

A security concern of routers is access to their internal functions.

– Physical control over a router is absolutely necessary.
– Ensure that administrative passwords are never passed across the network in the clear.
  • Secure mechanisms are used to access the router.
  • Default passwords are reset to strong passwords.

Page 13

The Security Policy

A security policy is a series of rules that define what traffic is permissible and what traffic is to be blocked or denied.

– What am I protecting?
– From whom?
– What services does my company need to access over the network?
– Who gets access to what resources?
– Who administers the network?

A key to security policies for firewalls is the principle of least access.

– Only allow the necessary access for a function, and block or deny all unneeded functionality.

Page 14

Firewalls

A firewall is a network device: hardware, software, or a combination.

It enforces a security policy across its connections.

A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic.

(Figure caption: Firewall usage)

Page 15

How Do Firewalls Work?

Firewalls enforce established security policies through mechanisms, including:

– Network Address Translation (NAT) creates a private addressing scheme that can’t be reached from the Internet.
– Basic packet filtering can filter by protocol type, IP address, TCP/UDP port and source routing information.
– Stateful packet filtering monitors traffic.
– ACLs are rules built according to organizational policy that define who can access portions of the network.
– Application layer proxies prevent packets from traversing the firewall, but allow data to travel to a proxy device that decides what to do with it.

Page 16

Stateful Packet Filtering

Stateful packet filtering keeps a record of the connections made with other computers in a state table.

Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.

Internet Connection Firewall makes use of a state table to track connections based on source and destination IP and blocks any connection that the host has not initiated itself. It is very simple and doesn’t allow the control you need.
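The mechanisms on pages 13, 15 and 16 (a least-access ACL and a state table that lets replies back in but drops unsolicited connections) as a toy model. This is an added example, not code from the lesson; the rule format, the `Packet` class and all addresses are constructed.

```python
"""Toy stateful packet filter: a least-access ACL plus a state table."""
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt

FlowKey = Tuple[str, str, int, str, int]   # proto, src ip, port, dst ip, port

class StatefulFirewall:
    """Default-deny filter that remembers the connections it has allowed."""
    def __init__(self, rules: List[Tuple[str, str, str, int]]):
        # Each rule is (proto, src_prefix, dst_prefix, dst_port). A packet that
        # matches no rule and belongs to no known flow is dropped.
        self.rules = rules
        self.state: Set[FlowKey] = set()

    @staticmethod
    def _in_prefix(ip: str, prefix: str) -> bool:
        # Toy prefix match on dotted-quad strings, e.g. "172.16." or "any".
        return prefix == "any" or ip.startswith(prefix)

    def _policy_allows(self, p: Packet) -> bool:
        return any(p.proto == proto and p.dst_port == port
                   and self._in_prefix(p.src_ip, src)
                   and self._in_prefix(p.dst_ip, dst)
                   for proto, src, dst, port in self.rules)

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # Packets of a flow already in the state table pass in either
        # direction: this is how replies get back without an inbound rule.
        if fwd in self.state or rev in self.state:
            return "ALLOW (established)"
        # A new flow needs an explicit ACL match; for TCP it must also start
        # with a SYN, so a stray mid-stream packet cannot create state.
        if self._policy_allows(p) and (p.proto == "udp" or p.syn):
            self.state.add(fwd)
            return "ALLOW (new flow, recorded in state table)"
        return "DENY"

def demo() -> List[str]:
    """Least access: internal hosts may open HTTPS outbound, nothing else."""
    fw = StatefulFirewall(rules=[("tcp", "172.16.", "any", 443)])
    client, server = "172.16.1.10", "203.0.113.5"   # constructed addresses
    return [
        fw.filter(Packet(client, server, "tcp", 51000, 443, syn=True)),   # new
        fw.filter(Packet(server, client, "tcp", 443, 51000)),             # reply
        fw.filter(Packet(server, client, "tcp", 40000, 51001, syn=True)), # unsolicited
        fw.filter(Packet(client, server, "tcp", 51002, 23, syn=True)),    # telnet
        fw.filter(Packet(client, server, "tcp", 51003, 443)),             # no SYN
    ]
```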

Page 17

Wireless Access Point

Wireless devices bring additional security concerns.

– Placing wireless devices behind a firewall stops only physically connected traffic from getting to the device.

An access point supports multiple concurrent devices accessing the network.

Basic network security for connections can be performed by forcing authentication and verifying authorization.

– WEP is designed to prevent wireless sniffing of network traffic over the wireless portion of the network.

Page 18

Modem, DSL and Cable Modem

Modem is short for modulator/demodulator.

– Modems convert analog signals to digital and vice versa.

DSL

– Direct connection between computer/network and the Internet.

Cable modem

– Connected to a shared segment; a party line.
– Most have basic firewall capabilities to prevent files from being viewed or downloaded.
– Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering.

Both cable modem and DSL services provide a continuous connection, which brings up the question of IP address life for a client.

– Most services have a Dynamic Host Configuration Protocol (DHCP) to manage their address space.

Page 19

RAS

Remote Access Service (RAS) allows connection between a client and a server via a dial-up telephone connection.

When a user dials into a computer system, authentication and authorization are performed through a series of remote access protocols.

– A call-back system may be employed.

RAS may also mean Remote Access Server, a term for a server designed to permit remote users access to a network and to regulate their access.

Once connected to the RAS server, a client has all the benefits of a direct network connection.

The RAS server treats its connected clients as extensions of the network.

– For security purposes, a RAS server should be placed in the DMZ and considered insecure.

Page 20

Telecom/PBX

Private branch exchanges (PBXs) are an extension of the public telephone network into a business.

– PBXs are computer-based switching equipment designed to connect telephones into the local phone system.
– They can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the organization’s expense.

PBXs cause a problem when interconnected with data systems by corporate connection or rogue modems belonging to users.

Page 21

Virtual Private Network (VPN)

Three main kinds:

– Access VPN – remote access for telecommuters or branch offices to a corporate intranet/extranet.
– Intranet VPN – links remote offices to the corporate intranet.
– Extranet VPN – links business partners and outside users to the corporate extranet. Extranets refer to applications and services that are intranet based and use extended, secure access to external users or enterprises.

A VPN is an encrypted connection that appears dedicated.

– Data is encrypted at both ends.
– Offers secure, reliable connectivity.

Page 22

IDS

IDS - the art of detecting inappropriate, incorrect, or anomalous activity.

The two categories of IDS are:

– Network-based systems – look at network traffic.
– Host-based systems – look at host traffic.

The two primary methods of detection are:

– Signature-based
– Anomaly-based

Multiple IDSs are required for large networks, as they can have multiple entry points into the system.

Problem - Remote access protocols employ encryption technology that would hide the contents of packets from IDS inspection.

Page 23

Network Monitoring/Diagnostic

The Simple Network Management Protocol (SNMP) was developed to perform management, monitoring, and fault resolution across networks.

It enables a monitoring and control center to maintain, configure, and repair network devices (switches, routers, firewalls, IDSs, servers and remote access servers).

– SNMP enables controllers at network operations centers (NOC) to measure the actual performance of network devices and make changes to the configuration and operation of devices.

Page 24

Mobile Devices

Mobile devices offer several challenges for network administrators.

– When data is moved from one network to another, opportunity for malware exists.
– Antivirus protection is available.
– CAN-SPAM law of 2003.
– Third conviction using the CAN-SPAM law.

Page 25

Media - Physical Layer

The base of communications between devices is the physical layer of the OSI model.

Methods of Connection

– There are four common methods of connecting equipment at the physical layer:
  • Coaxial cable
  • Twisted-pair cable
  • Fiber optics
  • Wireless

The primary security concern is preventing physical access to network devices, and secondly, preventing unfettered access to network connections.

Methods for unauthorized entry to a network:

– Inserting a device on the network by attaching to the cable or adding a wireless device. Once attached, sniffing is easy.

Page 26

Coax and Fiber

Coaxial cable is familiar as a method of connecting televisions to VCRs or to satellite or cable services.

– It has high bandwidth and shielding capabilities.

Fiber optic cable uses laser light to connect devices over a thin glass wire.

The biggest advantage of fiber is its bandwidth, with transmission capabilities in the range of terabits per second.

Connection to fiber is difficult and expensive.

(Figure captions: A coax connector; A typical fiber optic fiber)

Page 27

UTP/STP

Twisted-pair wires use the same technology used by the phone company.

Twisted pairs come in two types:

– Shielded twisted-pair (STP) has a foil shield to reduce electromagnetic interference.
– Unshielded twisted-pair (UTP) relies on the twist to eliminate interference.

There are three categories of twisted-pairs currently in use:

• Category 3 (Cat 3) minimum for voice and 10 Mbps Ethernet
• Category 5 (Cat 5) for 100 Mbps Fast Ethernet
• Category 6 (Cat 6) for Gigabit Ethernet

Page 28

Unguided Media

Unguided media covers all transmission media not guided by wire, fiber, or other constraints.

– Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible spectrum, which cannot penetrate walls but instead bounces off them.
– Radio frequency (RF) waves use a variety of frequency bands with special characteristics.
– Microwave describes a specific portion of the RF spectrum that is used for communication as well as other tasks such as cooking. Microwave communications can penetrate reasonable amounts of building structure.

Page 29

Security Topologies

Security-related topologies include separating portions of the network by use and function, strategically designing points to monitor for IDS systems, building in redundancy, and adding fault-tolerant aspects.

Trade-offs between access and security are handled through zones.

– The outermost layers provide basic protection.
– The innermost layers provide the highest level of protection.

Successive zones are guarded by firewalls enforcing ever increasingly strict security policies.

Accessibility is inversely related to the level of protection.

Page 30

The Big Picture

The outermost zone is the Internet, a free area beyond any specific controls.

Between the inner secure corporate network and the Internet is an area where machines are considered at risk, called the DMZ, after its military counterpart, the demilitarized zone, where neither side has any specific controls.

The demilitarized zone (DMZ) is a buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.

Page 31

DMZ

To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.

– The firewalls are specifically designed to prevent access across the DMZ.
– Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.

All network devices placed in the DMZ should be hardened.

If an outside user requests a resource from the trusted network, the request follows this scenario:

– A user from an untrusted network (the Internet) requests data via a Web page from a Web server in the DMZ.
– The Web server in the DMZ requests data from the application server, which can be in the DMZ or in the inner, trusted network.
– The application server requests the data from the database server in the trusted network.
– The database server returns the data to the requesting application server.
– The application server returns the data to the requesting Web server.
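The request chain above, checked against a zone policy with a firewall on each side of the DMZ. This is an added example, not from the lesson; the host names, zone names, service labels and the placement of the application server in the DMZ are assumptions.

```python
"""Two-firewall DMZ policy check for the request chain on this slide."""
from typing import Dict, List, Tuple

# Zone of each host (constructed placement: the app server sits in the DMZ).
ZONE: Dict[str, str] = {"browser": "internet", "web": "dmz",
                        "app": "dmz", "db": "trusted"}

# Each firewall permits only the listed (src_zone, dst_zone, service) triples
# and denies everything else (least access). Only the initiating direction is
# listed; replies are assumed to be matched statefully.
Rule = Tuple[str, str, str]
OUTER_FW: List[Rule] = [("internet", "dmz", "http")]   # between Internet and DMZ
INNER_FW: List[Rule] = [("dmz", "trusted", "sql")]     # between DMZ and trusted

ORDER = ["internet", "dmz", "trusted"]   # zones from outermost to innermost

def firewalls_on_path(src_zone: str, dst_zone: str) -> List[List[Rule]]:
    """Return the firewalls a packet crosses between two zones. Anything
    going from the Internet straight to the trusted zone meets both."""
    lo, hi = sorted((ORDER.index(src_zone), ORDER.index(dst_zone)))
    path: List[List[Rule]] = []
    if lo == 0 and hi >= 1:
        path.append(OUTER_FW)
    if lo <= 1 and hi == 2:
        path.append(INNER_FW)
    return path

def permitted(src: str, dst: str, service: str) -> bool:
    """A request passes only if every firewall on its path has a rule for
    this exact zone pair and service."""
    sz, dz = ZONE[src], ZONE[dst]
    if sz == dz:
        return True   # same zone: no firewall sits between the two hosts
    return all((sz, dz, service) in fw for fw in firewalls_on_path(sz, dz))

def check_chain(hops: List[Tuple[str, str, str]]) -> List[bool]:
    """Evaluate each hop of a multi-tier request independently."""
    return [permitted(s, d, svc) for s, d, svc in hops]

# The scenario on the slide: browser -> web -> app -> db, with constructed
# service labels "http", "app" and "sql".
SLIDE_CHAIN = [("browser", "web", "http"), ("web", "app", "app"),
               ("app", "db", "sql")]
```

Because the rules are keyed on zones rather than hosts, this inner firewall would also let the Web server reach the database directly; host-level rules on the inner firewall are what close that gap.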

Page 32

Page 33

Internet, Intranet and Extranet

The Internet should be considered to be untrusted.

– A firewall should exist at any connection between a trusted network and the Internet.

An intranet is a collection of all LANs inside the firewall (campus network).

An extranet is an extension of a selected portion of a company's intranet to external partners.

– This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of Internet protocols.
– Extranets can use public networks, and some form of security, typically VPN, is used to secure this channel.

Two methods exist to access outside information:

– Duplication onto servers in the DMZ
– The use of extranets

Page 34

Tunneling

Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner.

Tunneling encapsulates packets within packets, which enables dissimilar protocols to coexist in a single communication stream, as in IP traffic routed over an ATM network.

On a VPN connection, an edge device on one network, usually a router, connects to another edge device on the other network.

– Using IPsec protocols, these routers establish a secure, encrypted path between them.

(Figure caption: Tunneling across a public network)

Page 35

Network Address Translation (NAT)

NAT translates a public IP address into a private IP address.

– This permits enterprises to use the nonroutable private IP address space internally and reduce the number of external public IP addresses used across the Internet.

NAT translates the address when traffic passes the device, such as a firewall.

– Typically, a pool of external IP addresses is used by the NAT device, with the device keeping track of which internal address is using which external address at any given time.

Static NAT is a 1:1 binding of external address to internal address, used for devices that require a fixed address (Web servers or e-mail servers).

Dynamic NAT assigns multiple private addresses to a public address.
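Static and dynamic NAT tables as an added example (not code from the lesson). The static bindings reuse the WWW and SMTP/POP address pairs from the network diagram on the last slide; the dynamic pool and the workstation addresses are constructed.

```python
"""Static and dynamic NAT tables, as described on this slide."""
from typing import Dict, List, Optional

class NatDevice:
    """Translates addresses at the network edge and tracks who holds what."""

    def __init__(self, static: Dict[str, str], pool: List[str]):
        self.static_out = dict(static)                       # private -> public
        self.static_in = {pub: priv for priv, pub in static.items()}
        self.free_pool = list(pool)                          # unused public addresses
        self.dyn_out: Dict[str, str] = {}                    # private -> public
        self.dyn_in: Dict[str, str] = {}                     # public -> private

    def outbound(self, private_ip: str) -> Optional[str]:
        """Translate the private source address of an outgoing packet."""
        if private_ip in self.static_out:
            return self.static_out[private_ip]        # 1:1 binding, never changes
        if private_ip in self.dyn_out:
            return self.dyn_out[private_ip]           # already holds a pool address
        if not self.free_pool:
            return None                               # pool exhausted: cannot forward
        public = self.free_pool.pop(0)
        self.dyn_out[private_ip] = public
        self.dyn_in[public] = private_ip
        return public

    def inbound(self, public_ip: str) -> Optional[str]:
        """Translate the public destination address of an incoming packet.
        Traffic to a public address nobody currently holds has no inside
        destination and is dropped: the 'can't be reached' property."""
        return self.static_in.get(public_ip) or self.dyn_in.get(public_ip)

    def release(self, private_ip: str) -> None:
        """Return a dynamic address to the pool when the inside host is done."""
        public = self.dyn_out.pop(private_ip, None)
        if public is not None:
            del self.dyn_in[public]
            self.free_pool.append(public)

def demo() -> List[Optional[str]]:
    nat = NatDevice(
        # Static 1:1 bindings for the WWW and SMTP/POP servers from the diagram.
        static={"172.16.2.2": "63.206.52.3", "172.16.2.3": "63.206.52.4"},
        # Constructed two-address pool for dynamic NAT of internal workstations.
        pool=["63.206.52.11", "63.206.52.12"],
    )
    results = [
        nat.outbound("172.16.2.2"),     # static: always 63.206.52.3
        nat.outbound("172.16.16.20"),   # dynamic: first free pool address
        nat.outbound("172.16.16.21"),   # dynamic: second pool address
        nat.outbound("172.16.16.22"),   # pool exhausted: None
        nat.inbound("63.206.52.12"),    # maps back to 172.16.16.21
        nat.inbound("63.206.52.99"),    # nobody holds it: None
    ]
    nat.release("172.16.16.20")
    results.append(nat.outbound("172.16.16.22"))  # reuses the freed 63.206.52.11
    return results
```

Many-to-one dynamic NAT (the last bullet on the slide) extends the same table with a port number on each side of the mapping so several inside hosts can share one public address.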

Page 36

(Figure: network diagram of the example enterprise. It shows a router with NAT between public 63.206.52.0/28 addresses and private 172.16.x.0/24 subnets, a DMZ with WWW, SMTP/POP, DNS and VPN servers that each hold a static public mapping, a Layer 3 switch and workgroup switches for internal segments including payroll, a Cisco Aironet 1200 wireless access point, an ISDN switch, authentication servers, and sniffer/IDS monitoring servers on several segments.)