Chapter 14 Network Security - Northern Arizona University


Chapter 14
Network Security
14.1 - Developing a Network Security Policy
14.2 - Threats to Network Security
14.3 - Implementing Security Measures
14.4 - Applying Patches and Upgrades
14.5 - Firewalls
Developing a Network Security Policy
Assessing Security Needs
• There must always be a delicate balance between security and accessibility.
• The more accessible a network is, the less secure it is.
• When it comes to a computer network, how much security is enough?
• There are several factors to consider:
– The type of business in which the company engages
– The type of data stored on the network
– The management philosophy of the organization
Acceptable Use Policy
• The first step in creating a security policy for a
company network is to define an Acceptable Use
Policy (AUP).
• An AUP tells the users what is acceptable and
allowed on the company network.
• To view some examples of AUPs, visit these
websites:
Username and Password Standards
• Usually the system administrator will define the naming convention for
the usernames on a network.
• A common example is the first initial of the person's first name and
then the entire last name.
• A complex username naming convention is not as important as
having a complex password standard.
• When assigning passwords, the level of password control should
match the level of protection required.
Rules for Network Access
• A system administrator who assigns the proper
permissions on the share drives and directories
defines the rules for network access.
• By assigning the proper security permissions on the
network, the system administrator should know who
has access to specific directories.
• Proper maintenance requires the system administrator to examine audit logs of attempts that have been made to access the network shares.
Policy for Disposal of Materials
• Hardware, software, and data should never just be
thrown away.
• There are strict regulations that should be followed to
control the disposal of computer components.
• The system administrator is responsible for
developing a policy based on environmental and
safety guidelines for hardware that no longer works.
• To view some examples of disposal-of-materials policies, visit these websites:
Virus Protection Standards
• Place proper filters and access lists on all the
incoming gateways to protect the network from
unwanted access.
• To prevent viruses, e-mail policies also need to be
developed that state what may be sent and received.
• These websites provide sample e-mail policy
standards:
Online Security Resources
• Web-based resources offer critical information and
powerful tools that can be used to protect a network.
Some of the best online security resources are the NOS manufacturer websites.
• To view examples of online security resources, visit these websites:
Server Room Security
• To protect computing
resources, make sure that
there is a locked door and
four walls between the
server and the rest of the
area.
• There are a variety of ways
to permit or deny access to
that area after it has been
secured.
• The lock and key is a tried
and true method for
physically securing the
server environment.
• This method works great if
there are a limited number of
people who need access.
Server Room Security
• Using a combination locking mechanism is similar to a lock and
key. The advantages to this method:
– Keys no longer have to be distributed
– Key control lists no longer have to be maintained
– Combinations can also be reset when needed
• The one drawback to this model is that it is very easy to share a
combination with someone not authorized.
• Card readers are the most common of the access control
mechanisms.
• They work by reading a magnetic signature off an access card or
token.
• A biometrics based access control system uses measurable
physical characteristics to authenticate users into an environment
(fingerprints, retinal patterns, or speech).
Anti-Theft Devices for Server Hardware
• A common security measure is the locking mechanism included as part of the server itself.
• Most high-end servers allow the case to be locked and, in many cases, the drives to be locked into the server chassis.
• Almost all rack systems include locking front and back doors.
• Removable media drive locks are locking devices.
– These devices fit over the floppy drive, Zip drive, and CD-ROM drive to prevent unauthorized access.
• Some servers are shipped with holes in the cases, which are
predrilled for a padlock.
• Alarms are the final add-on, and best suited for the shared
office environment.
Securing Removable Media
• Security of removable media includes the following:
– Removable disks, floppy, Zip, Jaz, LS120, CD-RW
– Removable hard drives
– Backup media, tapes
• Several methods are used to ensure the security of
removable media:
– Lock the media in an office
– Place the media in a locked cabinet with strict key control
– Place the media in a safe, or a fire-resistant safe
– Engage a third-party firm to store the tapes in their secure facility
Threats to Network Security
Overview: Internal/External Security
• The Internet essentially
works by following rules
that are open to the public.
• If one studies the rules
enough, one is bound to
find loopholes and
weaknesses that can be
exploited.
• The number of individuals, organizations, and institutions connected to the Internet is growing.
• Connecting to the Internet
opens the door to network
intruders.
Outside Threats
• Several outside sources can cause attacks:
• Hackers - the true hacker desires to dissect systems
and programs to see how they work.
• Crackers - those who break into computer systems to tamper with, steal, or destroy data.
• Virus - it causes some unexpected and usually undesirable event.
• Worms - a self-replicating virus that does not alter files but resides in active memory and duplicates itself.
• Trojan horse - a program that presents itself as another program to obtain information.
Denial of Service (DoS)
• A DoS attack occurs when the targeted system cannot
service legitimate network requests effectively.
• As a result, the system has become overloaded by
illegitimate messages.
• DoS attacks originate from one host or a group of
hosts.
• When the attack comes from a coordinated group of
hosts, such attacks are called Distributed DoS
(DDoS).
• A common DoS attack is to overload a target system
by sending more data than it can handle.
Denial of Service (DoS)
• There are several specific
types of DoS attacks:
– A buffer overflow attack is
designed to overwhelm the
software running on the
target system.
– The so-called ping of death
is a well known buffer
overflow DoS attack.
– The TCP synchronization
(SYN) attack exploits the
TCP protocol three-way
handshake.
• The attacker sends a large
volume of TCP
synchronization requests
(SYN requests).
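A defender's view of the SYN attack described above, as an added example that is not part of the original slides: the server answers each SYN with a SYN-ACK and holds state until the final ACK arrives, so a flood shows up as a pile of stale half-open handshakes. The event format, addresses, timeout and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed capture: (time_s, source, destination, flags); S=SYN, SA=SYN-ACK, A=ACK."""
    server = "198.51.100.5:80"
    # One client that completes the three-way handshake.
    events = [(0.0, "192.0.2.10:40000", server, "S"),
              (0.1, server, "192.0.2.10:40000", "SA"),
              (0.2, "192.0.2.10:40000", server, "A")]
    # 200 SYNs from varying source addresses; the final ACK never arrives.
    for i in range(200):
        src = f"203.0.113.{i % 250 + 1}:{1024 + i}"
        events.append((1.0 + i * 0.01, src, server, "S"))
        events.append((1.001 + i * 0.01, server, src, "SA"))
    return sorted(events)

def half_open_by_server(events, now, timeout=5.0):
    """Per server, count handshakes still missing the final ACK `timeout` seconds after the SYN."""
    pending = {}                                  # (client, server) -> time the SYN was seen
    for t, src, dst, flags in events:
        if flags == "S":
            pending.setdefault((src, dst), t)     # keep first SYN time; retransmits do not reset it
        elif flags == "A":
            pending.pop((src, dst), None)         # handshake completed, entry released
    counts = defaultdict(int)
    for (_client, server), t in pending.items():
        if now - t >= timeout:
            counts[server] += 1
    return dict(counts)

def flooded_servers(events, now, threshold=100, timeout=5.0):
    """Servers whose stale half-open count reaches the (assumed) alert threshold."""
    counts = half_open_by_server(events, now, timeout)
    return sorted(s for s, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    sample = build_sample()
    print(half_open_by_server(sample, now=10.0))
    print(flooded_servers(sample, now=10.0))
```

Counting per destination rather than per source matters here because the sources in a SYN flood vary and cannot be trusted.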
Distributed Denial of Service (DDoS)
• Before the hacker can attack the ultimate target, a "fleet" of "zombies" (unsecured hosts with permanent Internet connections) must be coordinated for the attack.
• The hacker takes advantage of the zombie's lack of security.
• The hacker breaks into the system either directly or through an e-mail virus.
• The goal of the break-in or virus is to install software on the zombie system.
• The hacker uses the zombies to
launch a DDoS attack on the
ultimate target.
Well Known Exploits
• Each combination of NOS and application software contains its own unique set of vulnerabilities and weaknesses.
• Threats to network security come from individuals with sophisticated tools.
• Some of these individuals are
often called "script kiddies".
• Script kiddy is a negative term
used to describe immature
individuals that use scripts,
software programs, or
techniques created by other,
more skilled crackers.
Trojan Horse Programs
• A Trojan horse is a program that
presents itself as another program
to obtain information. For
example, there is a Trojan horse
that emulates the system login
screen.
• When users type in their account
name and password, the information
is stored or transmitted to the
originator of the Trojan
horse. The username and password
Inside Threats
• Corporate espionage is the most
sophisticated type of internal
security threat.
• Employees can be approached
by competing companies.
• There are freelance corporate
spies who take assignments on a
contract basis.
• Internal security breaches can
also be the result of rebellious
users who disagree with security
policies.
• While not accidental, these
breaches are not designed to
cause harm.
Implementing Security Measures
File Encryption
• File encryption is a way of
encrypting data stored on a
computer disk so that it is
unreadable to anyone but the
creator of the data.
• Windows 2000 includes a file
encryption function.
• Windows 9x and Windows NT
do not.
• Third party encryption programs
are available for OSs:
– PC Guardian, Deltacrypt,
Winzap
IP Security
• IPSec secures data at the
packet level.
• It works at the network layer of
the OSI model.
• The Authentication Header
(AH) enables verification of
the sender identity.
• Encapsulating Security
Payload (ESP) ensures the
confidentiality of the data
itself.
• IPSec can operate in either
the transport mode or the
tunnel mode.
Secure Sockets Layer (SSL)
• SSL was developed by
Netscape to provide
security for its web
browser.
• It uses public and
private key encryption.
• SSL operates at the
application layer and
must be supported by
the user application.
E-mail Security
• E-mail users think they have
the same expectation of
privacy when sending e-mail
as they do when sending a
letter through the postal
service.
• A more accurate expectation would be to assume that the e-mail is like a postcard that can be read by anyone who handles it during its journey from sender to recipient.
• E-mail messages often travel through dozens of nodes or servers on their way from sender to recipient.
Public/Private Key Encryption
• One key is published and is widely available.
• The other key is private and known only to the user.
• Both keys are required to complete the secure
communication.
• This type of encryption is also referred to as asymmetric encryption.
• With this type of encryption, each user has both a
public and a private key, called a key pair.
Applying Patches and Upgrades
Finding Patches and Upgrades
• Patches are fixes to existing software code.
• A NOS manufacturer typically provides security
patches.
• Microsoft now includes the option to use software called
Windows Update with its operating systems.
Selecting Patches and Upgrades
• Software makers recommend installing software security
patches immediately.
• This is done to reduce exposure to known vulnerabilities.
• Software vendors release security updates as soon as they are available.
• Understanding the effect on the system will help determine
if an update, fix, or patch is necessary.
Applying Patches and Upgrades
• Periodically, NOS vendors issue updates to their network
operating systems. These updates have various names:
– Microsoft Service Packs
– IBM Fixpacs
– Novell Patches
• These updates usually fix bugs or close security holes that
have been found in the released version of the OS.
• Download the updates from the network operating system
vendor’s website.
Firewalls
Introduction to Firewalls and Proxies
• A proxy is software that
interacts with outside
networks on behalf of a
client host.
• Typically, client hosts on a
secure LAN request a web
page from a server running
proxy services.
• The proxy server then goes
out on the Internet to
retrieve the web page.
• The web page is then copied to the proxy server; this is referred to as caching.
Introduction to Firewalls and Proxies
• Administrators use Network
Address Translation (NAT) to
alter the source address of
packets originating from a
secure LAN.
• This allows secure LANs to be
addressed using private IP
addresses.
• Private IP addresses are not
routed on the Internet.
• An outside hacker cannot
directly reach a computer with a
private address.
• Some experts make a
distinction between NAT and a
firewall. Others look at NAT as
part of a comprehensive firewall
solution.
Packet Filtering
• The most basic firewall
solution is an IP packet filter.
• To configure a packet filter, a
network administrator must
define the rules that describe
how to handle specified
packets.
Packet Filtering
• Both TCP and UDP use port numbers to address specific
applications running on a host.
• Firewall software must guess at what connectionless traffic
is invited and what connectionless traffic is not.
• The most comprehensive form of packet filtering examines
layer 3 and 4 headers and the layer 7 application data as
well.
• Layer 7 firewalls look for patterns in the payload of the
packet.
• This is done in an effort to determine what application is
being used, such as HTTP, FTP, and so on.
Firewall Placement
• A boundary router connects
the enterprise LAN to its
ISP or the Internet.
• The boundary router should
only allow HTTP, FTP, mail,
and DNS related traffic to
the DMZ.
• The DMZ is designed to
keep the inside network
clean.
• The NOS servers in the
DMZ should be tightly
configured.
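The packet-filter rules and boundary-router policy described above, sketched as an added example that is not part of the original slides: an ordered rule table matched on protocol, destination network and destination port, with first-match semantics and an implicit default deny. The DMZ and inside subnets, the port assignments and the function names are assumptions for illustration.

```python
import ipaddress

DMZ = ipaddress.ip_network("192.0.2.0/24")     # assumed DMZ subnet (documentation range)
INSIDE = ipaddress.ip_network("10.0.0.0/8")    # assumed private inside LAN

# Ordered rules: (action, protocol, destination network, destination port or None for any).
RULES = [
    ("deny",  "any", INSIDE, None),   # nothing from outside is addressed straight to the inside LAN
    ("allow", "tcp", DMZ, 80),        # HTTP
    ("allow", "tcp", DMZ, 21),        # FTP control; data connections need stateful tracking
    ("allow", "tcp", DMZ, 25),        # mail (SMTP)
    ("allow", "udp", DMZ, 53),        # DNS queries
    ("allow", "tcp", DMZ, 53),        # DNS over TCP
]

def filter_packet(proto, dst_ip, dst_port, rules=RULES):
    """Return (action, rule_index) for the first matching rule; unmatched packets are denied."""
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, r_proto, r_net, r_port) in enumerate(rules):
        if r_proto not in ("any", proto):
            continue                  # layer 4 protocol does not match
        if dst not in r_net:
            continue                  # layer 3 destination does not match
        if r_port is not None and r_port != dst_port:
            continue                  # layer 4 port does not match
        return action, i
    return "deny", None               # implicit default deny

# Constructed inbound packets: (protocol, destination IP, destination port).
SAMPLE_PACKETS = [
    ("tcp", "192.0.2.10", 80),        # web request to a DMZ server
    ("udp", "192.0.2.53", 53),        # DNS query to a DMZ resolver
    ("tcp", "192.0.2.10", 23),        # Telnet to the DMZ: no rule, so dropped
    ("tcp", "10.1.2.3", 80),          # aimed at the inside LAN
]

def decide_all(packets=SAMPLE_PACKETS):
    """Apply the filter to each sample packet and return only the actions."""
    return [filter_packet(*p)[0] for p in packets]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(*pkt))
```

Because evaluation stops at the first match, rule order is part of the policy: the inside-LAN deny sits first so that no later allow can override it.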
Common Firewall Solutions
• The PIX Firewall 515 uses TFTP for image download and upgrade.
• It has a low-profile design, 128,000 simultaneous sessions, and 170 Mbps throughput.
• The PIX Firewall 520 uses a 3.5-inch floppy disk drive to load the image and upgrade.
• It has an enterprise chassis design, 256,000 simultaneous sessions, and 240 Mbps throughput.
• The PIX Firewall is secure right out of the box.
• Default settings allow all connections from the inside interface to access the outside interface.
Common Firewall Solutions
• The Cisco IOS Firewall
Feature Set provides
stateful packet filtering.
• Another firewall solution is
a UNIX host.
• The UNIX host serves as
a router, running packet
filtering software such as
ipfw, and/or NAT.
• Home users have a
variety of firewall options
available as well.
Using an NOS as a Firewall
• In high-traffic environments, a specialized packet
filtering and NAT solution is recommended.
• A device such as a router or firewall appliance is
designed to switch packets and manipulate them
quickly.
• A NOS running on ordinary hardware may be able to do the job.
• However, it does so at the cost of added latency and overhead on the server.
• In low traffic environments, such as small offices and
home networks, a NOS firewall solution is a good
choice.