Chapter Fifteen: Network Security

Posted on 21-Dec-2015

Page 1: Chapter Fifteen NetworkSecurity. Objectives Identify security risks in LANs and WANs Explain how physical security contributes to network security Discuss

Chapter Fifteen: Network Security

Page 2:

Objectives

Identify security risks in LANs and WANs

Explain how physical security contributes to network security

Discuss hardware- and design-based security techniques

Page 3:

Objectives

Use network operating system techniques to provide basic security

Implement enhanced security through specialized software

Describe the elements of an effective security policy

Page 4:

Terminology

A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them

A cracker is someone who uses his or her knowledge of operating systems and utilities to intentionally damage or destroy data or systems

In general, root refers to a highly privileged user ID (on Unix-like systems, user ID 0) that has all rights to create, delete, modify, move, read, write, or execute files on a system

A firewall is a specialized device that selectively filters or blocks traffic between networks

Page 5:

Security Audits

Assessment of an organization's security risks

Regular security audits should be performed at least annually and preferably quarterly

You should also conduct a security audit after making any significant changes to your network

Page 6:

Security Risks

Social engineering: manipulating relationships to circumvent network security measures and gain access to a system

Some risks associated with people:

Intruders or attackers using social engineering or snooping to obtain passwords

An administrator incorrectly creating or configuring user IDs, groups, and their associated rights on a file server

Page 7:

Security Risks

Some risks associated with people (cont.):

Network administrators overlooking security flaws in topology or hardware configuration

Network administrators overlooking security flaws in operating system or application configuration

Lack of proper documentation and communication of security policies

Dishonest or disgruntled employees abusing their file and access rights

An unattended computer or terminal being left logged into the network

Page 8:

Security Risks

Some risks associated with people (cont.):

Users or administrators choosing easy-to-guess passwords

Authorized staff leaving computer room doors open or unlocked

Staff discarding disks or backup tapes in public waste containers

Administrators neglecting to remove access files and rights for former employees

Users leaving passwords written down in open spaces

Page 9:

Risks Associated with Hardware and Network Design

Inherent risks in network hardware and design:

Wireless transmission can typically be intercepted

Networks that use leased lines are vulnerable to eavesdropping

Network hubs broadcast traffic over the entire segment, so any host attached to the hub can capture it

If they are not disabled, unused hub, router, or server ports can be exploited and accessed by crackers

Page 10:

Risks Associated with Hardware and Network Design

Inherent risks in network hardware and design (cont.):

If routers are not properly configured to mask internal subnets, users on outside networks can read the private addresses

Modems attached to network devices may be configured to accept incoming calls

Dial-in access servers used by telecommuting or remote staff may not be carefully secured and monitored

Computers hosting very sensitive data may coexist on the same subnet with computers open to the general public

Page 11:

Risks Associated with Protocols and Software

Some risks pertaining to networking protocols and software:

TCP/IP was designed without built-in authentication or encryption, so packet addresses can be forged and packet contents read in transit

Trust relationships between one server and another may allow a cracker to access the entire network because of a single flaw

Network operating system software typically contains "backdoors" or security flaws

Page 12:

Risks Associated with Protocols and Software

Some risks pertaining to networking protocols and software (cont.):

If the network operating system allows server operators to exit to a command prompt, intruders could run destructive command-line programs

Administrators might accept the default security options after installing an operating system or application

Transactions that take place between applications may be left open to interception

Page 13:

Risks Associated with Internet Access

Common Internet-related security breaches:

IP spoofing: outsiders obtain internal IP addresses, then use those addresses to pretend that they have authority to access your internal network from the Internet

When a user Telnets or FTPs to your site over the Internet, his or her user ID and password are transmitted in plain text and can be read by anyone on the path; encrypted replacements (SSH in place of Telnet, SFTP or FTPS in place of FTP) avoid this

Crackers may obtain information about your user ID from newsgroups, mailing lists, or forms filled out on the Web
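To make the plain-text risk concrete, here is an added example (not from the chapter) showing how little work an eavesdropper needs to recover FTP credentials from captured traffic. The captured segments, addresses and credentials are constructed for the example; the parser reassembles the client-to-server control stream per flow so that a command split across two TCP segments is still recovered.

```python
import re

# Constructed sample: the segments a sniffer between client and server would
# capture from one plaintext FTP control session (client port 49152, server
# port 21). Addresses and credentials are made up for the example.
CAPTURED_SEGMENTS = [
    ("203.0.113.20:21", "10.0.0.7:49152", b"220 ftp.example.test FTP server ready\r\n"),
    ("10.0.0.7:49152", "203.0.113.20:21", b"USER alice\r\n"),
    ("203.0.113.20:21", "10.0.0.7:49152", b"331 Password required for alice\r\n"),
    ("10.0.0.7:49152", "203.0.113.20:21", b"PA"),            # command split across two segments
    ("10.0.0.7:49152", "203.0.113.20:21", b"SS hunter2\r\n"),
    ("203.0.113.20:21", "10.0.0.7:49152", b"230 User alice logged in\r\n"),
]

CRED_RE = re.compile(rb"^(USER|PASS) (.+)$")


def extract_ftp_credentials(segments):
    """Reassemble each client-to-server FTP control stream and pull out the
    USER and PASS commands. Returns a list of (client, command, value)."""
    buffers = {}   # per-flow bytes not yet terminated by CRLF
    found = []
    for src, dst, payload in segments:
        if not dst.endswith(":21"):
            continue   # only the client side of the control channel carries USER/PASS
        buf = buffers.get((src, dst), b"") + payload
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            m = CRED_RE.match(line)
            if m:
                found.append((src, m.group(1).decode(), m.group(2).decode()))
        buffers[(src, dst)] = buf   # keep any partial line for the next segment
    return found


if __name__ == "__main__":
    for client, command, value in extract_ftp_credentials(CAPTURED_SEGMENTS):
        print(f"{client} {command} {value}")
```

The same logic, pointed at real captures, is the basis of the "cleartext credential" detections that network monitoring tools raise; the fix is not to filter the sniffer but to move the service to SSH or SFTP/FTPS so there is nothing to extract.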

Page 14:

Risks Associated with Internet Access

Common Internet-related security breaches (cont.):

Flashing: an Internet user sends commands to another Internet user's machine that cause the screen to fill with garbage characters

Denial-of-service attack: occurs when a system becomes unable to function because it has been deluged with messages or otherwise disrupted

Page 15:

Addressing Risks Associated with People

An effective security policy

Typical goals for security policies:

Ensuring that authorized users have appropriate access to the resources they need

Preventing unauthorized users from gaining access to the network, systems, programs, or data

Protecting sensitive data from unauthorized access

Page 16:

Addressing Risks Associated with People

Typical goals for security policies (cont.):

Preventing accidental damage to hardware or software

Preventing intentional damage to hardware or software

Creating an environment where the network and systems can withstand and quickly recover from any type of threat

Communicating each employee's responsibilities with respect to maintaining data integrity and system security

Page 17:

Security Policy Content

After risks are identified and responsibilities for managing them are assigned, the policy's outline should be generated with those risks in mind

The security policy should explain clearly to users:

What they can and cannot do

How these measures protect the network's security

Page 18:

Response Policy

Suggestions for team roles:

Dispatcher

Manager

Technical support specialist

Public relations specialist

Page 19:

Passwords

Tips for making and keeping passwords secure:

Do not use the familiar types of passwords (your own name, a family member's or pet's name, a birth date, or the user ID itself)

Do not use any word that might appear in a dictionary

Make passwords longer than six characters

Page 20:

Passwords

Tips for making and keeping passwords secure (cont.):

Choose a combination of letters and numbers

Do not write down your password or share it with others

Change your password at least every 90 days

The six-character minimum and 90-day rotation reflect the era of this chapter. Current guidance (NIST SP 800-63B) favors longer passphrases screened against lists of common and breached passwords, and changing a password when compromise is suspected rather than on a fixed schedule, since forced rotation tends to produce predictable variations of the old password.

Page 21:

Physical Security

Figure 15-1: Badge access security system

Page 22:

Physical Security

Bio-recognition access: device scans an individual's unique physical characteristics

Relevant questions in assessing physical security:

Which rooms contain critical systems or data and need to be secured?

Through what means might intruders gain access to the facility, computer room, telecommunications room, wiring closet, or data storage areas?

Page 23:

Physical Security

Relevant questions in assessing physical security (cont.):

How and to what extent are authorized personnel granted entry?

Are employees instructed to ensure security after entering or leaving secured areas?

Are authentication methods difficult to forge or circumvent?

Page 24:

Physical Security

Relevant questions in assessing physical security (cont.):

Do supervisors or security personnel make periodic physical security checks?

Are all combinations, codes, or other access means to computer facilities protected at all times?

Does a plan exist for documenting and responding to physical security breaches?

Page 25:

Addressing Risks Associated with Hardware and Design

Firewall: specialized device that selectively filters or blocks traffic between networks

Figure 15-2: Placement of a firewall between a private network and the Internet

Page 26:

Firewalls

Packet filtering firewall: a router that examines the Network-layer (IP) and Transport-layer (TCP/UDP) headers of each packet and accepts or drops it according to a rule list

Also called screening firewalls

Figure 15-3: Packet filtering firewall

Page 27:

Firewalls

Criteria that a firewall might use to accept or deny data:

Source and destination IP addresses

Source and destination ports

TCP, UDP, or ICMP protocols

Page 28:

Firewalls

Criteria that a firewall might use to accept or deny data (cont.):

Packet's status as the first packet in a new data stream or a subsequent packet

Packet's status as inbound or outbound to or from your private network

Packet's status as originating from or being destined for an application on your private network
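The criteria on pages 27 and 28, together with the IP spoofing risk from page 13, can be combined into a small stateful packet filter. The following is an added example written for this page, not code from the chapter or from any firewall product: addresses, the rule set, and the sample packets are constructed. Each packet is checked for a spoofed internal source address first, then for membership in an already accepted stream, and only the first packet of a stream is matched against the rule list (first match wins, default deny).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed: the private LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    direction: str = "in"    # "in" = arriving from the Internet, "out" = leaving the LAN
    syn: bool = False
    ack: bool = False

    def opens_stream(self) -> bool:
        # TCP: a SYN without ACK is the first packet of a new connection.
        # UDP has no handshake, so any packet without existing state counts as new.
        return (self.syn and not self.ack) if self.proto == "tcp" else True


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "deny"
    direction: str                # "in" or "out"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or (self.proto and self.proto != p.proto):
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()   # streams whose first packet was accepted

    @staticmethod
    def _flow_key(p: Packet):
        # Sort the two endpoints so a reply maps onto the same key as the request.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def decide(self, p: Packet) -> Tuple[str, str]:
        # Anti-spoofing: nothing arriving from the Internet may carry an internal source address.
        if p.direction == "in" and ipaddress.ip_address(p.src) in INTERNAL_NET:
            return "deny", "spoofed internal source address"
        stateful = p.proto in ("tcp", "udp")
        if stateful and self._flow_key(p) in self.flows:
            return "accept", "established stream"        # subsequent packet, rules not consulted
        if stateful and not p.opens_stream():
            return "deny", "no state for mid-stream packet"   # e.g. a bare ACK probe
        for i, rule in enumerate(self.rules):
            if rule.matches(p):
                if rule.action == "accept" and stateful:
                    self.flows.add(self._flow_key(p))
                return rule.action, f"rule {i}"
        return "deny", "default deny"


# Constructed rule set: LAN hosts may open web and DNS sessions outward; only the
# mail server accepts new inbound connections; everything else from outside is denied.
RULES = [
    Rule("accept", "out", "tcp", src="10.0.0.0/8", dport=443),
    Rule("accept", "out", "tcp", src="10.0.0.0/8", dport=80),
    Rule("accept", "out", "udp", src="10.0.0.0/8", dport=53),
    Rule("accept", "in", "tcp", dst="10.0.0.5/32", dport=25),
    Rule("deny", "in"),
]


def run_demo() -> List[Tuple[str, str]]:
    fw = StatefulFilter(RULES)
    samples = [
        Packet("10.0.0.7", "203.0.113.9", "tcp", 51000, 443, "out", syn=True),          # new outbound HTTPS
        Packet("203.0.113.9", "10.0.0.7", "tcp", 443, 51000, "in", syn=True, ack=True),  # its reply
        Packet("198.51.100.4", "10.0.0.7", "tcp", 40000, 445, "in", syn=True),          # unsolicited SMB
        Packet("198.51.100.4", "10.0.0.7", "tcp", 40000, 445, "in", ack=True),          # ACK probe, no state
        Packet("10.0.0.3", "10.0.0.7", "tcp", 40001, 22, "in", syn=True),               # spoofed source
        Packet("198.51.100.4", "10.0.0.5", "tcp", 40002, 25, "in", syn=True),           # mail delivery
    ]
    return [fw.decide(p) for p in samples]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:6} {reason}")
```

Two details matter in practice: the anti-spoofing check runs before anything else, so a rule that accepts traffic "from the LAN" can never be satisfied by a forged packet arriving on the outside interface, and the flow table is what lets the rule list stay short, since replies to accepted connections are never re-evaluated against it.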

Page 29:

Firewalls

Proxy service: software application on a network host that acts as an intermediary between external and internal networks

Network host that runs the proxy service is known as a proxy server, or gateway

Page 30:

Firewalls

Figure 15-4: Proxy server used on a WAN

Page 31:

Firewalls

Questions to ask when choosing a firewall:

Does the firewall support encryption?

Does the firewall support authentication?

Does the firewall allow you to manage it centrally and through a standard interface?

Page 32:

Firewalls

Questions to ask when choosing a firewall (cont.):

How easily can you establish rules for access to and from the firewall?

Does the firewall support filtering at the highest layers of the OSI Model?

Does the firewall provide logging and auditing capabilities, or alert you to intrusions?

Does the firewall protect the identity of your internal LAN's addresses from the outside world?

Page 33:

Remote Access

Remote access: capability for traveling employees, telecommuters, or distant vendors to access an organization's private LAN or WAN through specialized remote access servers

Page 34:

Remote Control

Important security features for a remote control program:

Login ID and password requirements for gaining access to the host system

Ability for the host system to call back

Support for data encryption on transmissions between the remote user and the system

Page 35:

Remote Control

Important security features for a remote control program (cont.):

Ability to leave the host system's screen blank while a remote user works on it

Ability to disable the host system's keyboard and mouse

Ability to restart the host system when a remote user disconnects from the system

Page 36:

Dial-Up Networking

Recommended features for a secure remote access server package:

Login ID and password authentication

Ability to log all dial-up connections, their resources, and their connection times

Ability to perform callbacks to users who initiate connections

Centralized management of dial-up users and their rights on the network

Page 37:

Remote Authentication Dial-In User Service (RADIUS)

Centralized service that remote access servers consult to authenticate dial-in users, authorize what they may do, and account for their sessions, so that user credentials are kept in one place rather than on every access server

Terminal Access Controller Access Control System (TACACS)

Centralized authentication system for remote access servers that is similar to RADIUS

Figure 15-5: RADIUS server providing central authentication

Page 38:

Addressing Risks Associated with Protocols and Software

Restrictions that network administrators can use to strengthen the security of their networks:

Some user IDs may be valid only during specific hours

Some user IDs may be restricted to a specific number of hours per day of logged-in time

You can specify that user IDs can log in only from certain workstations or certain areas of the network

Set a limit on how many unsuccessful login attempts from a single user ID the server will accept before blocking that ID from even attempting to log on
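The restrictions above, implemented as one login check. This is an added example written for this page, not code from the chapter or from any network operating system; the user name, workstation names, time window and lockout parameters are constructed. It enforces a permitted time-of-day window and a workstation list per user, counts consecutive failed attempts, and locks the ID for a fixed period once the limit is reached.

```python
from datetime import datetime, time, timedelta
from typing import Dict, Optional, Set, Tuple


class UserRestrictions:
    def __init__(self, login_window: Optional[Tuple[time, time]] = None,
                 workstations: Optional[Set[str]] = None):
        self.login_window = login_window   # (earliest, latest) local time; None = any time
        self.workstations = workstations   # permitted workstation names; None = any


class LoginGuard:
    def __init__(self, restrictions: Dict[str, UserRestrictions],
                 max_failures: int = 3, lockout: timedelta = timedelta(minutes=15)):
        self.restrictions = restrictions
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures: Dict[str, int] = {}            # consecutive failures per user ID
        self.locked_until: Dict[str, datetime] = {}   # user ID -> end of lockout

    def attempt(self, user: str, workstation: str, when: datetime,
                credential_ok: bool) -> Tuple[bool, str]:
        until = self.locked_until.get(user)
        if until is not None and when < until:
            return False, "account locked"
        r = self.restrictions.get(user, UserRestrictions())
        if r.login_window is not None and not (r.login_window[0] <= when.time() <= r.login_window[1]):
            return False, "outside permitted hours"
        if r.workstations is not None and workstation not in r.workstations:
            return False, "workstation not permitted"
        if not credential_ok:
            n = self.failures.get(user, 0) + 1
            if n >= self.max_failures:
                self.failures[user] = 0
                self.locked_until[user] = when + self.lockout
                return False, "too many failures, account locked"
            self.failures[user] = n
            return False, f"bad credential ({n}/{self.max_failures})"
        self.failures[user] = 0   # a successful login resets the counter
        return True, "ok"


def run_demo():
    # Constructed policy: alice may log in 08:00-18:00 from two named workstations.
    guard = LoginGuard({"alice": UserRestrictions((time(8, 0), time(18, 0)), {"ws-12", "ws-13"})})
    t = datetime(2024, 1, 15, 9, 0)
    return [
        guard.attempt("alice", "ws-12", t, True),                               # ok
        guard.attempt("alice", "ws-99", t, True),                               # wrong workstation
        guard.attempt("alice", "ws-12", datetime(2024, 1, 15, 23, 0), True),    # outside hours
        guard.attempt("alice", "ws-12", t, False),                              # failure 1
        guard.attempt("alice", "ws-12", t, False),                              # failure 2
        guard.attempt("alice", "ws-12", t, False),                              # failure 3 -> locked
        guard.attempt("alice", "ws-12", t + timedelta(minutes=1), True),        # still locked
        guard.attempt("alice", "ws-12", t + timedelta(minutes=16), True),       # lockout expired
    ]


if __name__ == "__main__":
    for ok, reason in run_demo():
        print(ok, reason)
```

One caveat a practitioner should weigh: a lockout keyed only on the user ID lets anyone who knows a valid ID lock its owner out by sending a few wrong passwords, so in production the counter is usually paired with per-source throttling and alerting rather than used alone.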

Page 39:

Encryption

Use of an algorithm to scramble data into a format that can be read only by reversing the algorithm with the correct key

In order to protect data, encryption is relied on for the following assurances:

Data were not modified after the sender transmitted them and before the receiver picked them up

Data can be viewed only by their intended recipient (or at their intended destination)

All of the data received at the intended destination were truly issued by the stated sender and not forged by an intruder

Strictly, encryption by itself provides only the second assurance (confidentiality); the first (integrity) and third (authenticity) require a message authentication code or digital signature alongside the encryption, which is why modern protocols combine the two as authenticated encryption
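The distinction between confidentiality and integrity is easy to demonstrate. The following added example (written for this page, not from the chapter) uses a deliberately simple stream cipher built from SHA-256 in counter mode, which is an illustration rather than a vetted cipher: without a key, an attacker flips bits in the ciphertext and the receiver decrypts a changed amount with no sign of tampering. Adding an HMAC tag over the ciphertext (encrypt-then-MAC) makes the same edit fail verification. The keys, nonce and message are constructed.

```python
import hashlib
import hmac

# Constructed keys and nonce for the demo; a real system derives fresh keys and
# never reuses a nonce with the same key.
ENC_KEY = b"demo-encryption-key-0123456789ab"
MAC_KEY = b"demo-mac-key-fedcba9876543210zz"
NONCE = bytes(16)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || nonce || counter. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts alike, since XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an attacker without the key can do to a stream cipher: XOR the
    ciphertext with old^new at a known offset to rewrite the plaintext there."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed")
    return stream_xor(enc_key, nonce, ct)


def run_demo() -> dict:
    msg = b"PAY 0100 TO ACCT 42"   # constructed message; the amount starts at offset 4
    # 1. Encryption only: the amount is rewritten and the receiver cannot tell.
    ct = stream_xor(ENC_KEY, NONCE, msg)
    forged = stream_xor(ENC_KEY, NONCE, tamper(ct, 4, b"0100", b"9900"))
    # 2. Encrypt-then-MAC: the same edit (offset shifted past the 16-byte nonce) is rejected.
    blob = seal(ENC_KEY, MAC_KEY, NONCE, msg)
    try:
        open_sealed(ENC_KEY, MAC_KEY, tamper(blob, 16 + 4, b"0100", b"9900"))
        detected = False
    except ValueError:
        detected = True
    return {"forged_plaintext": forged, "tamper_detected": detected,
            "untouched": open_sealed(ENC_KEY, MAC_KEY, blob)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In production the cipher and the MAC come from one authenticated-encryption mode (AES-GCM or ChaCha20-Poly1305) rather than being assembled by hand, but the lesson is the same: the assurances about modification and origin come from the tag, not from the scrambling.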

Page 40:

Encryption

The most popular kind of encryption weaves a key (a string of characters that should be unpredictable) into the original data's bits to generate a unique data block

The scrambled data block is known as cipher text

The longer the key, the less easily the cipher text can be decrypted by an unauthorized system, since each additional key bit doubles the number of keys a brute-force search must try

Page 41:

Encryption

Figure 15-6: Key encryption and decryption

Page 42:

Encryption

Private key encryption: data are encrypted using a single key that only the sender and receiver know

Also known as symmetric encryption

The most popular private key encryption at the time of this chapter was the Data Encryption Standard (DES); its 56-bit key has been brute-forceable since the late 1990s, and it has been superseded by the Advanced Encryption Standard (AES)

Page 43:

Encryption

Figure 15-17: Private key encryption

Page 44:

Encryption

Public key encryption: data are encrypted using two keys, one public and one private

Also known as asymmetric encryption

Public-key server: freely provides a list of users' public keys

The combination of public key and private key is known as a key pair

Page 45:

Encryption

Digital certificates

Password-protected and encrypted file holding an individual's identification information

Figure 15-8: Public key encryption

Page 46:

Encryption

Figure 15-8: Public key encryption
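The key pair, the public-key server and the "two keys" idea from the preceding slides, worked through as an added Go example (this is not code from the original chapter). RSA with OAEP padding for encryption and PSS for signatures is assumed as the concrete algorithm, since the slides name none; the principal names, the directory and the message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair is the slide's key pair: the public half may be published, the
// private half never leaves its owner.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// PublicKeyServer models the slide's public-key server: a directory that
// hands out public keys freely, because a public key reveals nothing secret.
type PublicKeyServer map[string]*rsa.PublicKey

// EncryptForRecipient needs only the recipient's public key, so anyone who
// looked it up on the key server can send mail that only the recipient reads.
func EncryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptAsRecipient needs the matching private key; any other key fails.
func DecryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign is the other use of the pair: only the private-key holder can produce
// a valid signature over the message, which is how a sender's authenticity
// is verified.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify needs only the signer's public key and reports whether the
// signature matches this exact message.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	server := PublicKeyServer{"alice": alice.Public, "bob": bob.Public} // constructed directory

	msg := []byte("quarterly numbers attached") // constructed sample message
	ct, _ := EncryptForRecipient(server["bob"], msg) // the sender looks bob up
	pt, _ := DecryptAsRecipient(bob.Private, ct)     // only bob can open it
	fmt.Printf("bob reads: %s\n", pt)
	_, err := DecryptAsRecipient(alice.Private, ct)
	fmt.Println("alice tries bob's mail:", err)

	sig, _ := Sign(alice.Private, msg)
	fmt.Println("alice's signature checks with alice's public key:", Verify(server["alice"], msg, sig))
	fmt.Println("same signature checked against bob's public key:", Verify(server["bob"], msg, sig))
}
```

The asymmetry is what removes the key-distribution problem of the previous slides: the key server can publish every public key to the world without weakening anything, and each private key needs protecting only on the one machine that holds it.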

Page 47:

Kerberos

Cross-platform authentication protocol that uses key encryption to verify the identity of clients and to securely exchange information once a client logs onto a system

The server issuing keys to clients during initial client authentication is known as a key distribution center (KDC)

In order to authenticate a client, the KDC runs an authentication service (AS)

An AS issues a ticket (a temporary set of credentials)

A Kerberos client, or user, is known as a principal

Page 48:

Kerberos

Session key

Issued to both client and service by the authentication service; uniquely identifies their session

Authenticator

The user's timestamp encrypted with the session key

Ticket-granting service (TGS)

Application separate from the AS that also runs on the KDC

The TGS issues the client a ticket-granting ticket (TGT)
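To make the pieces named on these two Kerberos slides concrete (KDC, AS, TGS, principal, ticket, TGT, session key and authenticator), here is an added, deliberately simplified model of the two Kerberos exchanges in Go. It is not part of the original chapter and is not the real Kerberos wire protocol: AES-GCM stands in for the slide's key encryption, tickets are JSON, and the TGS's own key is registered under the name krbtgt, an assumption borrowed from real deployments; principal names and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// seal/open are the slide's "key encryption": AES-GCM, nonce prepended.
func seal(key, pt []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, ct []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 { // 12 is the GCM nonce size
		return nil, errors.New("bad key or cipher text")
	}
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, ct[:12], ct[12:], nil)
}

func newKey() []byte { k := make([]byte, 16); rand.Read(k); return k }

// A Ticket is sealed for the service that will check it (for the TGT, that
// service is the TGS). An Authenticator is the principal's timestamp sealed
// with the session key: proof that the presenter knows that key right now.
type Ticket struct {
	Principal  string
	SessionKey []byte
	Expires    time.Time
}
type Authenticator struct {
	Principal string
	Timestamp time.Time
}

// KDC runs both the AS and the TGS; Keys holds every principal's long-term
// key, with the TGS itself registered under "krbtgt" (assumed name).
type KDC struct{ Keys map[string][]byte }

// issue makes a session key, seals one copy for the requester and puts the
// other inside a ticket sealed for the target service.
func (k *KDC) issue(principal string, requesterKey []byte, target string) (encSessionKey, ticket []byte, err error) {
	targetKey, ok := k.Keys[target]
	if !ok {
		return nil, nil, errors.New("unknown service " + target)
	}
	sk := newKey()
	t, _ := json.Marshal(Ticket{principal, sk, time.Now().Add(10 * time.Minute)})
	return seal(requesterKey, sk), seal(targetKey, t), nil
}

// AuthenticationService (AS exchange): the reply opens only with the
// principal's long-term key, which is how the password is effectively checked.
func (k *KDC) AuthenticationService(principal string) (encSessionKey, tgt []byte, err error) {
	userKey, ok := k.Keys[principal]
	if !ok {
		return nil, nil, errors.New("unknown principal " + principal)
	}
	return k.issue(principal, userKey, "krbtgt")
}

// VerifyTicket is what any ticket holder does: open the ticket with its own
// long-term key, then check the authenticator with the session key inside.
func VerifyTicket(holderKey, ticket, authenticator []byte, maxSkew time.Duration) (*Ticket, error) {
	var t Ticket
	var a Authenticator
	raw, err := open(holderKey, ticket)
	if err != nil || json.Unmarshal(raw, &t) != nil || time.Now().After(t.Expires) {
		return nil, errors.New("ticket unreadable with this key, malformed or expired")
	}
	if raw, err = open(t.SessionKey, authenticator); err != nil || json.Unmarshal(raw, &a) != nil {
		return nil, errors.New("authenticator not sealed with the ticket's session key")
	}
	if skew := time.Since(a.Timestamp); a.Principal != t.Principal || skew > maxSkew || skew < -maxSkew {
		return nil, errors.New("authenticator name mismatch or stale timestamp (replay?)")
	}
	return &t, nil
}

// TicketGrantingService (TGS exchange): a valid TGT plus a fresh
// authenticator buys a ticket for the named service.
func (k *KDC) TicketGrantingService(tgt, authenticator []byte, service string) (encSessionKey, ticket []byte, err error) {
	t, err := VerifyTicket(k.Keys["krbtgt"], tgt, authenticator, 5*time.Minute)
	if err != nil {
		return nil, nil, err
	}
	return k.issue(t.Principal, t.SessionKey, service)
}

// MakeAuthenticator is the client side: seal the current time with the session key.
func MakeAuthenticator(sessionKey []byte, principal string, at time.Time) []byte {
	a, _ := json.Marshal(Authenticator{principal, at})
	return seal(sessionKey, a)
}
```

The client's side of the flow is: open the AS reply with your own long-term key (a wrong password gives a wrong key and nothing opens), seal an authenticator with the session key, present TGT plus authenticator to the TGS, open the TGS reply, then present the service ticket plus a new authenticator to the service, which checks it with its own key and never sees the user's password. The timestamp skew check in VerifyTicket is what limits how long a captured authenticator stays useful to anyone who intercepts it.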

Page 49:

PGP and SSL

Pretty Good Privacy (PGP)

Public key encryption system that verifies the authenticity of an e-mail sender and encrypts e-mail data in transmission

Secure Sockets Layer (SSL)

Method of encrypting TCP/IP transmissions en route between client and server using public key encryption technology

Page 50:

SSL

HTTPS

URL prefix indicating a Web page requires its data to be exchanged between client and server using SSL encryption

SSL session

Association between the client and server identified by an agreement on a specific set of encryption techniques

Handshake protocol

Perhaps the most significant protocol within SSL

Page 51:

SSL

Client_hello

Message issued from the client to the server

Server_hello

Message issued from the server to the client

Transport Layer Security (TLS)

Version of SSL being standardized by the IETF
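An added Go example, not from the original chapter, of the handshake the last two slides describe, with the digital certificate from the Encryption slides in its usual role: the server presents a certificate holding its identification information, the client checks it against its trust store and the expected server name, and the two sides settle on the protocol version and cipher suite that make up the session. Go's crypto/tls is used, so what is negotiated is TLS (the IETF's standardised SSL) 1.2 or 1.3; the host name intranet.example, the organisation name and the in-memory pipe are constructed for the demo, and the certificate is self-signed rather than CA-issued.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a digital certificate carrying the server's
// identification information (name, validity window, public key) and signs
// it with the matching private key. A real deployment would have a CA sign
// the template instead of the server vouching for itself.
func SelfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Lab (constructed)"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, leaf, nil
}

// Handshake runs client_hello, server_hello and the rest of the handshake
// over an in-memory pipe, with the server in a goroutine. The client trusts
// only the certificates in roots, so an untrusted or misnamed server
// certificate makes the handshake fail the way a browser warning would.
func Handshake(serverCert tls.Certificate, roots *x509.CertPool, host string) (tls.ConnectionState, error) {
	c, s := net.Pipe()
	deadline := time.Now().Add(3 * time.Second) // safety net so a demo never hangs
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	defer c.Close()
	defer s.Close()

	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(s, &tls.Config{
			Certificates:           []tls.Certificate{serverCert},
			SessionTicketsDisabled: true, // nothing is written after the handshake
		})
		serverErr <- srv.Handshake()
	}()

	cli := tls.Client(c, &tls.Config{
		RootCAs:    roots,
		ServerName: host, // the name the certificate must match
		MinVersion: tls.VersionTLS12,
	})
	err := cli.Handshake()
	if serr := <-serverErr; err == nil {
		err = serr
	}
	return cli.ConnectionState(), err
}

// Describe summarises the agreed set of encryption techniques (the session).
func Describe(st tls.ConnectionState) string {
	peer := "(none)"
	if len(st.PeerCertificates) > 0 {
		peer = st.PeerCertificates[0].Subject.CommonName
	}
	return fmt.Sprintf("version=%#x suite=%s peer=%s", st.Version, tls.CipherSuiteName(st.CipherSuite), peer)
}

func main() {
	cert, leaf, err := SelfSignedCert("intranet.example")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // the client's trust store: exactly this one certificate
	st, err := Handshake(cert, roots, "intranet.example")
	fmt.Println(Describe(st), "err:", err)

	impostor, _, _ := SelfSignedCert("intranet.example") // same name, a key nobody trusts
	_, err = Handshake(impostor, roots, "intranet.example")
	fmt.Println("untrusted certificate:", err)
}
```

Two checks decide whether the session is established: the certificate must chain to something in the client's trust store, and the name inside it must match the name the client intended to reach. Either failing is how a client detects a server that merely claims the identity.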

Page 52:

Internet Protocol Security (IPSec)

Defines encryption, authentication, and key management for TCP/IP transmissions

IPSec accomplishes authentication in two phases:

Key management

Key encryption

Page 53:

Internet Protocol Security (IPSec)

Key management

IPSec relies on Internet Key Exchange (IKE) for its key management

In IPSec, two types of encryption may be used:

Authentication Header (AH)

Encapsulating Security Payload (ESP)

Page 54:

Virtual Private Networks (VPNs)

Point-to-Point Tunneling Protocol (PPTP)

Expands on PPP by encapsulating it so that any type of PPP data can traverse the Internet masked as pure IP transmissions

Tunneling

Process of encapsulating one protocol to make it appear as another type of protocol

Page 55:

Virtual Private Networks (VPNs)

Layer 2 Forwarding (L2F)

Similar to PPTP

Layer 2 Tunneling Protocol

Enhanced version of L2F

Will gradually replace PPTP and L2F

Page 56:

Chapter Summary

A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them

The root is a highly privileged user ID that has all rights on a system

Authentication is the process of verifying a user's validity and authority on a system

Every organization should conduct a security audit at least annually and preferably quarterly

The first step in securing your network should be to devise and implement an enterprise-wide security policy

Page 57:

Chapter Summary

A firewall is a specialized device that selectively filters or blocks traffic between networks

A more sophisticated security technique is necessary to perform user authentication

Remote control systems enable a user to connect to a host system on a network from a distance and use that system's resources

Encryption is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm

Virtual private networks (VPNs) are private networks that use public channels to connect clients and servers