
Page 1: Part06 infrastructure security

3/7/2012

1

IT Faculty – DaLat University

March - 2012

Network Defenses

Phan Thi Thanh Nga

Contents

A Defense-in-Depth Approach

Integrated Network Security Hardware

Protocol Analyzers

Applying Network Security Devices

Crafting a Security Network


Crafting a Security Network

Security through Network Design

Network segmentation/ Subnetting

Virtual LAN (VLAN)

Demilitarized Zone (DMZ)

Security through Network Technologies

Network Address Translation (NAT)

Network Access Control (NAC)

Phan Thi Thanh Nga3

Security through Network Design

Subnetting

Instead of just having networks and hosts, using subnetting, networks can essentially be divided into three parts: network, subnet, and host.

Each network can contain several subnets, and each subnet connected through different routers can contain multiple hosts.


Security through Network Design

Advantages of subnetting (slide figure; not included in the transcript)


Security through Network Design

Subnetting: improves network security

Networks can be subnetted so that each department, remote office, campus building, floor in a building, or group of users can have its own subnet address.

Network administrators can use network security tools to make it easier to regulate who has access in and out of a particular subnetwork.

Security through Network Design

Subnetting: improves network security

Wireless subnetworks, research and development subnetworks, finance subnetworks, human resource subnetworks, and subnetworks that face the Internet can all be kept separate.

The source of potential security issues can then be quickly addressed.

Security through Network Design

Subnetting: improves network security

It allows network administrators to hide the internal network layout.

This can make it more difficult for attackers to target their attacks.
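As an added example (not from the slides), the following Python script uses the standard ipaddress module to carve a constructed campus block into per-department subnets and to check a source/destination pair against a per-subnet allow-list, which is the kind of "who has access in and out of a particular subnetwork" rule the slides describe. The address block, department names, policy table and the generic ACL text format are all constructed.

```python
"""Per-department subnets and a subnet-level access check.  Added example,
not code from the slides; the campus block, department names and the
allow-list are constructed."""
import ipaddress

CAMPUS = ipaddress.ip_network("10.20.0.0/16")   # constructed campus block
DEPARTMENTS = ["finance", "research", "human_resources", "wireless", "internet_facing"]


def allocate_subnets(base, names, new_prefix=24):
    """Hand out consecutive /new_prefix subnets of `base`, one per name."""
    subnets = base.subnets(new_prefix=new_prefix)
    return {name: next(subnets) for name in names}


SUBNETS = allocate_subnets(CAMPUS, DEPARTMENTS)

# Constructed policy: which subnets each subnet may send traffic to.  Anything
# not listed is denied, so a problem in one subnet cannot spread freely.
ALLOWED = {
    "finance": {"finance"},
    "research": {"research", "internet_facing"},
    "human_resources": {"human_resources"},
    "wireless": {"internet_facing"},
    "internet_facing": {"internet_facing"},
}


def subnet_of(ip):
    """Name of the subnet containing `ip`, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip):
    """Would a router ACL built from ALLOWED pass traffic from src_ip to dst_ip?"""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src is None or dst is None:
        return False
    return dst in ALLOWED.get(src, set())


def acl_rules():
    """Render ALLOWED as ordered permit/deny lines in a constructed, generic
    ACL style (not any vendor's syntax); the final line is the default deny."""
    rules = []
    for src, dests in ALLOWED.items():
        for dst in sorted(dests):
            rules.append(f"permit {SUBNETS[src]} -> {SUBNETS[dst]}")
    rules.append("deny any -> any")
    return rules


if __name__ == "__main__":
    for name, net in SUBNETS.items():
        print(f"{name:16} {net}")
    print("\n".join(acl_rules()))
```

The allow-list is deliberately sparse: the finance and human-resources subnets talk only to themselves, and the wireless subnet reaches only the Internet-facing subnet, so a host that is compromised on one of them has no route into the others that the ACL would pass.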

Security through Network Design

Virtual LAN (VLAN)

In most network environments, networks are divided or segmented by using switches to divide the network into a hierarchy.

Core switches reside at the top of the hierarchy and carry traffic between switches, while workgroup switches are connected directly to the devices on the network.


Security through Network Design

Virtual LAN (VLAN)

Grouping by user can sometimes be difficult because all users may not be in the same location and served by the same switch.

A network can instead be segmented by separating devices into logical groups. This is known as creating a virtual LAN (VLAN).

VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN.


Security through Network Design

Virtual LAN (VLAN)

VLANs can also be victims of attacks, because a VLAN is heavily dependent upon the switch for correctly directing packets.

Security through Network Design

Demilitarized Zone (DMZ)

Devices that provide services to outside users are the most vulnerable to attack.

If attackers are able to penetrate the security of these servers, they may be able to access devices on the internal LAN.

An additional level of security would be to isolate these services in their own network.

Security through Network Design

Demilitarized Zone (DMZ)

A demilitarized zone (DMZ) is a separate network that sits outside the secure network perimeter.

Outside users can access the DMZ but cannot enter the secure network.


Security through Network Design

Demilitarized Zone (DMZ): DMZ with single firewall

A single firewall with three network interfaces is used: the link to the Internet, the DMZ, and the secure internal LAN.

This makes the firewall device a single point of failure for the network.

The firewall device also takes care of all of the traffic to both the DMZ and the internal network.



Security through Network Technologies

Network Address Translation (NAT)

“You cannot attack what you cannot see” is the security philosophy behind systems using network address translation (NAT).

NAT hides the IP addresses of network devices from attackers.

Security through Network Technologies

An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender.

Without that address, it is more difficult to identify and attack a computer.

Security through Network Technologies

Network Access Control (NAC)

NAC examines the current state of a system or network device before it is allowed to connect to the network.

Any device that does not meet a specified set of criteria, such as having the most current antivirus signatures or the software firewall properly enabled, is only allowed to connect to a "quarantine" network where the security deficiencies are corrected.


Security through Network Technologies

NAC process

The client performs a self-assessment using a System Health Agent (SHA) to determine its current security posture.

The assessment, known as a Statement of Health (SoH), is sent to a server called the Health Registration Authority (HRA). This server enforces the security policies of the network. It also integrates with other external authorities, such as antivirus and patch management servers, in order to retrieve current configuration information.

Security through Network Technologies

NAC process

If the client is approved by the HRA, it is issued a Health Certificate.

The Health Certificate is then presented to the network servers to verify that the client's security condition has been approved.

If the client is not approved, it is connected to a quarantine VLAN where the deficiencies are corrected, and then the computer is allowed to connect to the network.


Security through Network Technologies

NAC

NAC can be an effective tool for identifying and correcting systems that do not have adequate security installed, and for preventing these devices from infecting others.
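To make the SoH / HRA flow on the preceding slides concrete, here is an added Python example; it is not from the slides and not how any particular NAC product works. A Statement of Health is checked against a policy; a compliant client receives a Health Certificate (modelled here as an HMAC-tagged string standing in for a real signed certificate) and the production VLAN, while a non-compliant client is placed on the quarantine VLAN with its deficiencies listed. The policy values, VLAN numbers, HRA key, sample statements and the reference date are all constructed.

```python
"""NAC admission modelled on the SHA -> SoH -> HRA -> certificate / quarantine
flow described on the slides.  Added example, not code from the slides and not
any product's protocol.  Policy values, VLAN ids, the HRA key, the sample
statements and the reference date are constructed; the "certificate" is an
HMAC-tagged string standing in for a real signed health certificate."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac


@dataclass
class StatementOfHealth:          # what the client's System Health Agent reports
    client_id: str
    av_signature_date: date       # date of the newest antivirus signatures installed
    firewall_enabled: bool
    missing_patches: int


@dataclass
class Policy:                     # what the HRA enforces
    max_signature_age_days: int = 7
    require_firewall: bool = True
    max_missing_patches: int = 0


PRODUCTION_VLAN = 10              # constructed VLAN ids
QUARANTINE_VLAN = 999
HRA_KEY = b"constructed-hra-secret-key"


def evaluate(soh, policy, today):
    """Return the list of deficiencies; an empty list means compliant."""
    problems = []
    if (today - soh.av_signature_date).days > policy.max_signature_age_days:
        problems.append("antivirus signatures out of date")
    if policy.require_firewall and not soh.firewall_enabled:
        problems.append("host firewall disabled")
    if soh.missing_patches > policy.max_missing_patches:
        problems.append(f"{soh.missing_patches} missing patches")
    return problems


def issue_certificate(client_id, today):
    """Toy Health Certificate: client id, expiry date and an HMAC over both."""
    expiry = (today + timedelta(days=1)).isoformat()
    body = f"{client_id}|{expiry}"
    tag = hmac.new(HRA_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_certificate(cert, today):
    """The check a network server performs when the certificate is presented."""
    parts = cert.split("|")
    if len(parts) != 3:
        return False
    client_id, expiry, tag = parts
    expected = hmac.new(HRA_KEY, f"{client_id}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and date.fromisoformat(expiry) >= today


def admit(soh, policy, today):
    """HRA decision: (vlan to place the client on, certificate or None, deficiencies)."""
    problems = evaluate(soh, policy, today)
    if problems:
        return QUARANTINE_VLAN, None, problems
    return PRODUCTION_VLAN, issue_certificate(soh.client_id, today), []


# Constructed sample clients and reference dates.
TODAY = date(2012, 3, 7)
LATER = TODAY + timedelta(days=3)
HEALTHY_SOH = StatementOfHealth("pc-01", date(2012, 3, 5), True, 0)
STALE_SOH = StatementOfHealth("pc-02", date(2012, 1, 1), False, 3)

if __name__ == "__main__":
    for soh in (HEALTHY_SOH, STALE_SOH):
        print(soh.client_id, admit(soh, Policy(), TODAY))
```

Two details carry over to real deployments: the certificate is short-lived, so a client has to re-assess rather than reuse an old approval, and the server side verifies the certificate with a constant-time comparison rather than trusting the client's own claim of health.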

Applying Network Security Devices

Firewall

Proxy Server

Honeypots

Network Intrusion Detection Systems (NIDS)

Host and Network Intrusion Prevention Systems (HIPS/NIPS)

Applying Network Security Devices

Firewall

A firewall is a hardware or software component designed to protect one network from another.

Often, firewalls are deployed between a private trusted network and a public untrusted network (such as the Internet), or between two networks that belong to the same organization but are from different departments.

Applying Network Security Devices

Firewall

Firewalls manage traffic using filters.

A filter is just a rule. If a packet meets the identification criteria of a rule, then the action of that rule is applied. If a packet doesn't meet the criteria of a rule, then no action from that rule is applied, and the next rule is checked.

Applying Network Security Devices

There are three basic types of firewalls, plus an additional form (stateful inspection) that combines the features of the first three:

  • Packet filter
  • Circuit-level gateway
  • Application-level gateway
  • Stateful inspection firewall


Firewall

Packet filter

A packet filter firewall filters traffic based on basic identification items found in a network packet's header.

Packet-filtering firewalls operate at the Network layer (layer 3) of the OSI model.

Firewall

Circuit-level gateway

A circuit-level gateway firewall filters traffic by monitoring the activity within a session between an internal trusted host and an external untrusted host.

This monitoring occurs at the Session layer (layer 5) of the OSI model.

Firewall

Application-level gateway

Filters traffic based on user access, group membership, the application or service used, or even the type of resources being transmitted.

This type of firewall operates at the Application layer (layer 7) of the OSI model.

Firewall

Stateful inspection firewall

Combines features of the three basic firewall types and includes the ability to understand the context of communications across multiple packets and across multiple layers.
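The next block is an added Python example, not code from the slides, that puts the "DMZ with single firewall" design and the filter/rule description together: rules for three zones (Internet, DMZ, internal LAN) are checked top to bottom with the first match deciding, and a connection table lets replies belonging to an already-allowed connection through, which is the stateful-inspection behaviour a packet filter on its own lacks. The zones, address blocks, ports and rules are constructed.

```python
"""First-match rule evaluation for a single firewall with three interfaces
(Internet, DMZ, internal LAN), plus a stateful connection table.  Added
example, not code from the slides; zones, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DMZ = ipaddress.ip_network("192.0.2.0/24")   # constructed DMZ block
LAN = ipaddress.ip_network("10.0.0.0/8")     # constructed internal block


def zone(ip):
    """Map an address to the firewall interface it belongs to."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in LAN:
        return "lan"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = True          # True for the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    src_zone: str             # "any" matches every zone
    dst_zone: str
    proto: str                # "any" matches every protocol
    dst_port: Optional[int]   # None matches every port
    action: str               # "allow" or "deny"

    def matches(self, pkt):
        return (self.src_zone in ("any", zone(pkt.src_ip))
                and self.dst_zone in ("any", zone(pkt.dst_ip))
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


# Rules are checked top to bottom and the first match decides; the last rule
# is the default deny.  Constructed policy for the single-firewall DMZ design.
RULES = [
    Rule("internet", "dmz", "tcp", 80, "allow"),    # public web service
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("lan", "dmz", "tcp", None, "allow"),       # admins manage DMZ hosts
    Rule("lan", "internet", "tcp", None, "allow"),  # outbound browsing
    Rule("dmz", "lan", "any", None, "deny"),        # a compromised DMZ host stays out of the LAN
    Rule("any", "any", "any", None, "deny"),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (src_ip, dst_ip, proto, dst_port) of allowed connections

    def filter(self, pkt):
        # Stateful step: a reply to an established connection is accepted without
        # needing a rule of its own, which a pure packet filter cannot do.
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.src_port)
        if not pkt.syn and reverse in self.connections:
            return "allow"
        for rule in self.rules:            # first match wins
            if rule.matches(pkt):
                if rule.action == "allow" and pkt.syn:
                    self.connections.add((pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port))
                return rule.action
        return "deny"


def stateless_decision(pkt):
    """The same rule list without a connection table, for comparison."""
    for rule in RULES:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

The comparison function stateless_decision shows the practical difference: the web server's reply from the DMZ back to the Internet client matches no allow rule and is dropped, so a pure packet filter would need a broad permit rule in the DMZ-to-Internet direction that the stateful version does not. The explicit deny from the DMZ to the LAN, placed before the default deny, documents the design intent of the slide that a penetrated DMZ server must not become a path to the internal network.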

Applying Network Security Devices

Proxy

A proxy server is a computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.

Similar to NAT, the goal of a proxy server is to hide the IP address of client systems inside the secure network.


Applying Network Security Devices

Reverse proxy

A reverse proxy does not serve clients but instead routes incoming requests to the correct server.

Requests for services are sent to the reverse proxy, which then forwards them to the server.

To the outside user, the IP address of the reverse proxy is the final IP address for requesting services.

Only the reverse proxy can access the internal servers.


Applying Network Security Devices

Honeypot

A honeypot is a computer typically located in a DMZ.

It is loaded with software and data files that appear to be authentic, yet are actually imitations of real data files.

It is intended to trap or trick attackers.


Honeypot

There are three primary purposes of a honeypot:

Deflect attention

  • direct an attacker's attention away from legitimate servers
  • encourage attackers to spend their time and energy on the decoy server

Early warning of new attacks

Examine attacker techniques

Applying Network Security Devices

Network Intrusion Detection Systems (NIDS)

Attempts to identify inappropriate activity (same functionality as a burglar alarm system).

Host Intrusion Detection Systems (HIDS) attempt to monitor and possibly prevent attempts to attack a local system.

A network intrusion detection system (NIDS) watches for attempts to penetrate a network.



Applying Network Security Devices

Host and Network Intrusion Prevention Systems (HIPS/NIPS)

Finds malicious traffic and deals with it immediately, for example by blocking all incoming traffic on a specific port.

HIPS: monitors and intercepts requests in order to prevent attacks.

NIPS: works to protect the entire network and all devices that are connected to it.


Protocol Analyzers

There are three ways in which an intrusion detection system or intrusion prevention system can detect a potential intrusion:

Detect statistical anomalies.

Examine network traffic and look for well-known patterns of attack, much like antivirus scanning.

  • The pattern /cgi-bin/phf? usually indicates that an attacker is attempting to access a vulnerable script on a Web server.

Protocol Analyzers

Use protocol analyzer technology.

  • Protocol analyzers can fully decode application-layer network protocols.
  • Once these protocols are decoded, the different parts of the protocol can be analyzed for any suspicious behavior.
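Added Python example, not from the slides: the three detection approaches of the two preceding slides applied to constructed HTTP access-log lines. signature_alerts looks for the /cgi-bin/phf? pattern named on the slide, anomaly_alerts flags a source whose request count exceeds a threshold, and protocol_alerts decodes the request line the way a protocol analyzer would and checks the method and the percent-decoded path. The log lines, log format, threshold and regular expression are constructed.

```python
"""Signature, statistical-anomaly and protocol-decoding detection over
constructed HTTP access-log lines.  Added example, not code from the slides."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample log: client ip, quoted request line, status code.
# One client probes the phf script, one sends an encoded traversal path, one
# uses a method HTTP does not define, and one makes many requests quickly.
LOG_LINES = [
    '198.51.100.20 "GET /index.html HTTP/1.1" 200',
    '198.51.100.20 "GET /cgi-bin/phf?name=test HTTP/1.1" 404',
    '203.0.113.5 "GET /about.html HTTP/1.1" 200',
    '203.0.113.7 "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403',
    '203.0.113.8 "BADMETHOD /x HTTP/1.1" 400',
] + [f'203.0.113.9 "GET /page{i}.html HTTP/1.1" 200' for i in range(12)]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)" (?P<status>\d{3})$')

SIGNATURES = {"/cgi-bin/phf?": "probe for the phf CGI script"}   # pattern from the slide
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def parse(line):
    """Split one log line into fields, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def signature_alerts(events):
    """Pattern matching against known attack strings, like antivirus scanning."""
    return [(e["ip"], "signature", desc)
            for e in events
            for pattern, desc in SIGNATURES.items() if pattern in e["target"]]


def anomaly_alerts(events, max_requests=10):
    """Statistical anomaly: a source making more requests than the baseline allows."""
    counts = Counter(e["ip"] for e in events)
    return [(ip, "anomaly", f"{n} requests, threshold {max_requests}")
            for ip, n in counts.items() if n > max_requests]


def protocol_alerts(events):
    """Decode the request and check each part, as a protocol analyzer would."""
    alerts = []
    for e in events:
        if e["method"] not in KNOWN_METHODS:
            alerts.append((e["ip"], "protocol", f"unknown method {e['method']}"))
        path = unquote(urlsplit(e["target"]).path)       # decode before inspecting
        if ".." in path.split("/"):
            alerts.append((e["ip"], "protocol", "directory traversal in decoded path"))
    return alerts


def analyze(lines):
    events = [e for e in map(parse, lines) if e]
    return signature_alerts(events) + anomaly_alerts(events) + protocol_alerts(events)


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(*alert)
```

The traversal line illustrates why decoding matters: a substring signature for ".." on the raw request would miss "%2e%2e", while the protocol check inspects the path only after it has been decoded into the form the server itself will use.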



Integrated Network Security Hardware

Information can be protected either by using software that runs on the device that is being protected or by a separate hardware device.

Software-only defenses are more often limited to home computers.

Most organizations use security hardware appliances.

Integrated Network Security Hardware

Dedicated security appliances:

  • provide a single security service, such as firewall or antivirus protection
  • scale more easily as needs increase

Multipurpose security appliances:

  • provide multiple security functions, such as: antispam and antiphishing, antivirus and antispyware, bandwidth optimization, content filtering, encryption, firewall, instant messaging control, intrusion protection system, Web filtering

Integrated Network Security Hardware

Recent trend: combine or integrate multipurpose security appliances with a traditional network device such as a switch or router to create integrated network security hardware.

Advantage: these network devices already process every packet that flows across the network.

A Defense-in-Depth Approach

Defense in depth increases security by raising the cost of an attack.

This system places multiple barriers between an attacker and your business-critical information resources: the deeper an attacker tries to go, the harder it gets.

A Defense-in-Depth Approach

Defense-in-Depth Security Model layers: Perimeter, Internal, Hosts, Applications, Data


Network Defenses

Network Segmentation

Access Points

Routers and Switches

Firewalls

Content Filtering

IDS / IPS

Remote Access

Event Management

Vulnerability Management


Network Segmentation (slide figure; not included in the transcript)

Network Access / Entry Points

Entry points into the network infrastructure:

  • Classify the access points
  • Develop a security risk profile for each access point

Each access point presents a threat for unauthorized and malicious access to the network infrastructure.

Network Access Points (slide figure; not included in the transcript)

Routers and Switches

Typically responsible for transporting data to all areas of the network.

Sometimes overlooked as being able to provide a defense layer.

Capable of providing an efficient and effective security role in a Defense-in-Depth strategy.

Simple Router & Switch Network (slide figure; not included in the transcript)


Firewalls

First defenses thought of when working on a Defense-in-Depth strategy.

Provide granular access controls for a network infrastructure.

Firewall types:

  • Packet filtering
  • Proxy based
  • Stateful inspection

Continuing to increase their role by performing application layer defenses on the network.


Content Filtering

Protection of application and data content being delivered across the network.

Content filtering looks for:

  • Viruses
  • File attachments
  • SPAM
  • Erroneous Web surfing
  • Proprietary / intellectual property

Commonly used network protocols: SMTP, HTTP, FTP, and instant messaging.


IDS / IPS

Detect malicious network traffic and unauthorized computer usage.

Detection strategies:

  • Signature-based
  • Anomaly-based
  • Heuristic-based
  • Behavioral-based

View of traffic from a single point.

Similar technologies are applied at the host and network layers.



Remote Access

Identify all remote access points into the network infrastructure.

Driven by the need to promote business productivity.

Expands the perimeter.

Requires strict access controls and continuous activity monitoring.


Security Event Management

The collection and correlation of events on all devices attached to the network infrastructure.

Provides insight into events which would go unnoticed at other individual defense layers.

Provides automated alerts of suspicious activity.
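An added Python example (not from the slides) of the correlation this slide refers to: each device on its own sees too few events from one source address to raise an alert, but a per-address sliding window over all devices' events crosses the correlated threshold. The event lines, their format, the thresholds and the window are constructed.

```python
"""Cross-device event correlation.  Added example, not code from the slides;
the event lines, thresholds and window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three devices (a firewall, a VPN gateway and a host).
# Each line: ISO timestamp, device, event type, source address involved.
RAW_EVENTS = [
    "2012-03-07T09:00:05 firewall  denied      203.0.113.44",
    "2012-03-07T09:00:20 vpn       auth_fail   203.0.113.44",
    "2012-03-07T09:01:10 host-web1 login_fail  203.0.113.44",
    "2012-03-07T09:01:40 firewall  denied      203.0.113.44",
    "2012-03-07T09:02:05 vpn       auth_fail   203.0.113.44",
    "2012-03-07T09:02:30 host-web1 login_fail  203.0.113.44",
    "2012-03-07T09:30:00 firewall  denied      198.51.100.9",
    "2012-03-07T09:45:00 vpn       auth_fail   198.51.100.9",
]
PER_DEVICE_THRESHOLD = 3       # a device alerts only at 3+ of its own events per source
CORRELATED_THRESHOLD = 5       # the SEM alerts at 5+ events across devices in the window
WINDOW = timedelta(minutes=5)

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(line):
    ts, device, kind, ip = EVENT_RE.match(line).groups()
    return datetime.fromisoformat(ts), device, kind, ip


def device_alerts(events, threshold=PER_DEVICE_THRESHOLD):
    """What each device would raise by itself: (device, ip) pairs over threshold."""
    counts = defaultdict(int)
    for _, device, _, ip in events:
        counts[(device, ip)] += 1
    return {key for key, n in counts.items() if n >= threshold}


def correlated_alerts(events, window=WINDOW, threshold=CORRELATED_THRESHOLD):
    """Sliding window per source address over the events of all devices.
    Returns {ip: sorted list of devices that contributed} for each alert."""
    by_ip = defaultdict(list)
    for ts, device, _, ip in sorted(events):
        by_ip[ip].append((ts, device))
    alerts = {}
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = sorted({device for _, device in items[start:end + 1]})
                break
    return alerts


def analyze(lines):
    events = [parse(line) for line in lines]
    return device_alerts(events), correlated_alerts(events)


if __name__ == "__main__":
    per_device, correlated = analyze(RAW_EVENTS)
    print("device-level alerts:", per_device or "none")
    print("correlated alerts:", correlated)
```

With these thresholds the first address produces exactly two events on each device, below every device's own limit, and is caught only when the six events are counted together; the second address stays below both limits.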


Vulnerability Management

Continuous process of assessing and evaluating the network infrastructure.

Multiple views / perspectives.

Integration with patch management and ticketing systems.

Configuration & maintenance validation.



Additional Defenses

Connecting the Hosts & Network

Security Policies

Network Admission Control (NAC)

Authentication Services

Data Encryption

Patch Management

Application Layer Gateway

