Network Plus Security Review

1/28/2010

Upload: buffy

Post on 23-Feb-2016


Identify and Describe Security Risks
- People
- Phishing
- Passwords
- Transmissions
- Man in the middle
- Packet sniffing
- Port scanners
- Protocols
- NOS updates
- Internet Access
- Spyware
- Bots
- Social media

Network Security Technology
- Firewalls
- Router Access Lists
- Stateless and Stateful
- Intrusion Detection and Prevention
- Proxy Servers

Router Access Lists (contd.)
- ACL instructs router
  - Permit or deny traffic according to variables:
    - Network layer protocol (IP, ICMP)
    - Transport layer protocol (TCP, UDP)
    - Source IP address
    - Source netmask
    - Destination IP address
    - Destination netmask
    - TCP, UDP port number
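The matching variables listed above, worked through as an added Python example (not part of the original slides): a stateless ACL evaluator. First-match-wins ordering and the final implicit deny are assumptions reflecting common router behaviour; `Rule`, `evaluate`, `SAMPLE_ACL` and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    protocol: str               # "ip" (any), "icmp", "tcp" or "udp"
    src: str                    # source address/netmask
    dst: str                    # destination address/netmask
    port: Optional[int] = None  # destination TCP/UDP port; None = any port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        # A port number only means something for TCP and UDP packets.
        if self.port is not None:
            return proto in ("tcp", "udp") and dport == self.port
        return True

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return the action of the first matching rule (assumed first-match-wins)."""
    for rule in acl:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"  # assumption: implicit deny when no rule matches

ANY = "0.0.0.0/0"
WEB = "203.0.113.10/255.255.255.255"
# Constructed sample ACL protecting one web server; order matters.
SAMPLE_ACL = [
    Rule("deny", "ip", "192.0.2.0/255.255.255.0", ANY),        # blocked subnet
    Rule("permit", "tcp", ANY, WEB, 443),                      # HTTPS to server
    Rule("permit", "icmp", "198.51.100.0/255.255.255.0", WEB), # ping from admins
]

if __name__ == "__main__":
    for pkt in [("tcp", "198.51.100.7", "203.0.113.10", 443),
                ("tcp", "192.0.2.55", "203.0.113.10", 443),
                ("tcp", "198.51.100.7", "203.0.113.10", 22)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

Because this filter is stateless, each packet is judged only on its own header fields; it keeps no record of connections.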

Intrusion Detection and Prevention
- Port mirroring
  - Port configured to send a copy of all traffic to another port for monitoring purposes
- IDS (Intrusion Detection System)
  - Logs potential problems
- IPS (Intrusion Prevention System)
  - Blocks potential problems
  - Denial-of-service, smurf attacks

DMZ
In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. An external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Network+ Guide to Networks, 5th Edition

Proxy Servers (contd.)

Figure 12-5 A proxy server used on a WAN

Encryption
- Use of keys to scramble data to prevent eavesdropping
- Symmetric vs Asymmetric keys
- Encryption systems

Public (Asymmetric) Key Encryption
- Data encrypted using two keys
  - Private key: user knows
  - Public key: anyone may request
- Public key server
  - Freely provides users' public keys
  - Uses Certificate Authority to verify certificate
- Asymmetric encryption
  - Requires two different keys
  - Used with SSL and TLS
  - Used by HTTPS and SSH

IPSec (Internet Protocol Security)
- Defines encryption, authentication, key management
- Works at Network layer for TCP/IP transmissions
- Native IPv6 standard
- Difference from other methods
  - Encrypts data by adding security information to all IP packet headers
  - Transforms data packets
  - Operates at Network layer (Layer 3)
- Used by L2TP VPN connections

IPSec (contd.)

Figure 12-9 Placement of a VPN concentrator on a WAN

Network Authentication
- Allows a user to log in to a server or service without revealing the user password to packet sniffers
- Requires some form of encryption
- Secure Login Systems

Authentication Protocols
- Authentication
  - Process of verifying a user's credentials
  - Grant user access to secured resources
- Authentication protocols
  - Rules computers follow to accomplish authentication
- Several authentication protocol types
  - RADIUS/TACACS
  - PAP
  - CHAP
  - EAP and 802.1x (EAPoL)
    - Used in WPA2 (802.11x)
  - Kerberos

802.1x (EAPoL) (contd.)

Figure 12-15 802.1x authentication process

Wireless Security Options

Wireless Network Security
- Wireless susceptible to eavesdropping
  - War driving
  - Effective for obtaining private information
- Forms of Wireless Encryption
  - WEP
  - 802.11i
    - Uses EAPoL
  - WPA
  - WPA2
    - Based on 802.11i
    - Uses AES and CCMP encryption

WPA and WPA2
- WPA (Wi-Fi Protected Access)
  - Subset of 802.11i
  - Same authentication as 802.11i
  - TKIP keys
  - Uses RC4 encryption rather than AES
  - Has been cracked
- WPA2
  - Follows 802.11i
  - Uses AES security
  - Replaces WPA
  - Uses CCMP

Setting Wireless Security

The End