Transcript Lecture8

Securing the Network
Infrastructure
Chapter 8
Security+ Guide to Network Security Fundamentals
Second Edition
Instructor By Sukchatri P.
Objectives
Work with the network cable plant
Secure removable media
Harden network devices
Design network topologies




2
Working with the Network Cable Plant
Cable plant: physical infrastructure of a network (wire,
connectors, and cables) used to carry data
communication signals between equipment
Three types of transmission media:
 Coaxial cables
 Twisted-pair cables
 Fiber-optic cables


3
Coaxial Cables




4
Coaxial cable was main type of copper cabling used in
computer networks for many years
Has a single copper wire at its center surrounded by
insulation and shielding
Called “coaxial” because it houses two (co) axes or
shafts―the copper wire and the shielding
Thick coaxial cable has a copper wire in center
surrounded by a thick layer of insulation that is
covered with braided metal shielding
Coaxial Cables (continued)




5
Thin coaxial cable looks similar to the cable that
carries a cable TV signal
A braided copper mesh channel surrounds the
insulation and everything is covered by an outer
shield of insulation for the cable itself
The copper mesh channel protects the core from
interference
BNC connectors: connectors used on the ends of a
thin coaxial cable
Coaxial Cables (continued)
6
Twisted-Pair Cables





7
Standard for copper cabling used in computer
networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted
around each other and bundled together with other
pairs in a jacket
Shielded twisted-pair (STP) cables have a foil
shielding on the inside of the jacket to reduce
interference
Unshielded twisted-pair (UTP) cables do not have any
shielding
Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
Coaxial and twisted-pair cables have copper wire at the
center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of glass (core)
at its center instead of copper that transmit light
impulses
A glass tube (cladding) surrounds the core
The core and cladding are protected by a jacket




8
Fiber-Optic Cables (continued)


9
Classified by the diameter of the core and the
diameter of the cladding
 Diameters are measured in microns, each is about
1/25,000 of an inch or one-millionth of a meter
Two types:
 Single-mode fiber cables: used when data must be
transmitted over long distances
 Multimode cable: supports many simultaneous light
transmissions, generated by light-emitting diodes
Securing the Cable Plant



Securing cabling outside the protected network is not the
primary security issue for most organizations
Focus is on protecting access to the cable plant in the
internal network
An attacker who can access the internal network directly
through the cable plant has effectively bypassed the
network security perimeter and can launch his attacks at
will
10
Securing the Cable Plant (continued)


11
The attacker can capture packets as they travel
through the network by sniffing
 The hardware or software that performs such
functions is called a sniffer
Physical security
 First line of defense
 Protects the equipment and infrastructure itself
 Has one primary goal: to prevent unauthorized
users from reaching the equipment or cable plant in
order to use, steal, or vandalize it
Securing Removable Media


12
Securing critical information stored on a file server
can be achieved through strong passwords, network
security devices, antivirus software, and door locks
An employee copying data to a floppy disk or CD and
carrying it home poses two risks:
 Storage media could be lost or stolen,
compromising the information
 A worm or virus could be introduced to the media,
potentially damaging the stored information and
infecting the network
Magnetic Media





13
Record information by changing the magnetic
direction of particles on a platter
Floppy disks were some of the first magnetic media
developed
The capacity of today’s 3 1/2-inch disks are 14 MB
Hard drives contain several platters stacked in a
closed unit, each platter having its own head or
apparatus to read and write information
Magnetic tape drives record information in a serial
fashion
Optical Media





14
Optical media use a principle for recording
information different from magnetic media
A high-intensity laser burns a tiny pit into the surface
of an optical disc to record a one, but does nothing to
record a zero
Capacity of optical discs varies by type
A Compact Disc-Recordable (CD-R) disc can record up
to 650 MB of data
Data cannot be changed once recorded
Optical Media (continued)


15
A Compact Disc-Rewriteable (CD-RW) disc can be
used to record data, erase it, and record again
A Digital Versatile Disc (DVD) can store much larger
amounts of data
 DVD formats include Digital Versatile DiscRecordable (DVD-R), which can record once up to
395 GB on a single-sided disc and 79 GB on a
double-sided disc
Electronic Media



Electronic media use flash memory for storage
 Flash memory is a solid state storage device―
everything is electronic, with no moving or mechanical
parts
SmartMedia cards range in capacity from 2 MB to 128 MB
The card itself is only 45 mm long, 37 mm wide, and less
than 1 mm thick
16
Electronic Media (continued)


CompactFlash card
 Consists of a small circuit board with flash memory
chips and a dedicated controller chip encased in a shell
 Come in 33 mm and 55 mm thicknesses and store
between 8MB and 192 MB of data
USB memory stick is becoming very popular
 Can hold between 8 MB and 1 GB of memory
17
Keeping Removable Media Secure

Protecting removable media involves making sure that
antivirus and other security software are installed on all
systems that may receive a removable media device,
including employee home computers
18
Hardening Network Devices


Each device that is connected to a network is a potential
target of an attack and must be properly protected
Network devices to be hardened categorized as:
 Standard network devices
 Communication devices
 Network security devices
19
Hardening Standard Network Devices


A standard network device is a typical piece of equipment
that is found on almost every network, such as a
workstation, server, switch, or router
This equipment has basic security features that you can
use to harden the devices
20
Workstations and Servers



21
Workstation: personal computer attached to a
network (also called a client)
 Connected to a LAN and shares resources with
other workstations and network equipment
 Can be used independently of the network and can
have their own applications installed
Server: computer on a network dedicated to
managing and controlling the network
Basic steps to harden these systems are outlined on
page 152
Switches and Routers



22
Switch
 Most commonly used in Ethernet LANs
 Receives a packet from one network device and
sends it to the destination device only
 Limits the collision domain (part of network on
which multiple devices may attempt to send packets
simultaneously)
A switch is used within a single network
Routers connect two or more single networks to form
a larger network
Switches and Routers (continued)



Switches and routers must also be protected against
attacks
Switches and routers can be managed using the Simple
Network Management Protocol (SNMP), part of the
TCP/IP protocol suite
Software agents are loaded onto each network device to
be managed
23
Switches and Routers (continued)



24
Each agent monitors network traffic and stores that
information in its management information base
(MIB)
A computer with SNMP management software (SNMP
management station) communicates with software
agents on each network device and collects the data
stored in the MIBs
Page 154 lists defensive controls that can be set for
switches and routers
Hardening Communication Devices


A second category of network devices are those that
communicate over longer distances
Include:
 Modems
 Remote access servers
 Telecom/PBX Systems
 Mobile devices
25
Modems



Most common communication device
Broadband is increasing in popularity and can create
network connection speeds of 15 Mbps and higher
Two popular broadband technologies:
 Digital Subscriber Line (DSL) transmits data at
15 Mbps over regular telephone lines
 Another broadband technology uses the local cable
television system
26
Modems (continued)



A computer connects to a cable modem, which is
connected to the coaxial cable that brings cable TV
signals to the home
Because cable connectivity is shared in a neighborhood,
other users can use a sniffer to view traffic
Another risk with DSL and cable modem connections is
that broadband connections are charged at a set monthly
rate, not by the minute of connect time
27
Remote Access Servers


Set of technologies that allows a remote user to connect
to a network through the Internet or a wide area network
(WAN)
Users run remote access client software and initiate a
connection to a Remote Access Server (RAS), which
authenticates users and passes service requests to the
network
28
Remote Access Servers (continued)
29
Remote Access Servers (continued)


Remote access clients can run almost all network-based
applications without modification
 Possible because remote access technology supports
both drive letters and universal naming convention
(UNC) names
Minimum security features are listed on page 158
30
Telecom/PBX Systems


Term used to describe a Private Branch eXchange
The definition of a PBX comes from the words that make
up its name:
 Private
 Branch
 eXchange
31
Mobile Devices


As cellular phones and personal digital assistants (PDAs)
have become increasingly popular, they have become the
target of attackers
Some defenses against attacks on these devices use realtime data encryption and passwords to protect the
system so that an intruder cannot “beam” a virus
through a wireless connection
32
Hardening Network Security Devices


The final category of network devices includes those
designed and used strictly to protect the network
Include:
 Firewalls
 Intrusion-detection systems
 Network monitoring and diagnostic devices
33
Firewalls





34
Typically used to filter packets
Designed to prevent malicious packets from entering the
network or its computers (sometimes called a packet filter)
Typically located outside the network security perimeter as
first line of defense
Can be software or hardware configurations
Software firewall runs as a program on a local computer
(sometimes known as a personal firewall)
 Enterprise firewalls are software firewalls designed to run on a
dedicated device and protect a network instead of only one
computer
 One disadvantage is that it is only as strong as the operating
system of the computer
Firewalls (continued)

Filter packets in one of two ways:




Can perform content filtering to block access to
undesirable Web sites
An application layer firewall can defend against worms
better than other kinds of firewalls

35
Stateless packet filtering: permits or denies each packet
based strictly on the rule base
Stateful packet filtering: records state of a connection
between an internal computer and an external server;
makes decisions based on connection and rule base
Reassembles and analyzes packet streams instead of
examining individual packets
Intrusion-Detection Systems (IDSs)



36
Devices that establish and maintain network security
Active IDS (or reactive IDS) performs a specific
function when it senses an attack, such as dropping
packets or tracing the attack back to a source
 Installed on the server or, in some instances, on all
computers on the network
Passive IDS sends information about what happened,
but does not take action
Intrusion-Detection Systems (IDSs) (continued)



37
Host-based IDS monitors critical operating system
files and computer’s processor activity and memory;
scans event logs for signs of suspicious activity
Network-based IDS monitors all network traffic
instead of only the activity on a computer
 Typically located just behind the firewall
Other IDS systems are based on behavior:
 Watch network activity and report abnormal
behavior
 Result in many false alarms


Network Monitoring and Diagnostic
Devices
SNMP enables network administrators to:
 Monitor network performance
 Find and solve network problems
 Plan for network growth
Managed device:
 Network device that contains an SNMP agent
 Collects and stores management information and
makes it available to SNMP
38
Designing Network Topologies



Topology: physical layout of the network devices, how
they are interconnected, and how they communicate
Essential to establishing its security
Although network topologies can be modified for security
reasons, the network still must reflect the needs of the
organization and users
39
Security Zones

One of the keys to mapping the topology of a network is
to separate secure users from outsiders through:
 Demilitarized Zones (DMZs)
 Intranets
 Extranets
40
Demilitarized Zones (DMZs)




Separate networks that sit outside the secure network
perimeter
Outside users can access the DMZ, but cannot enter the
secure network
For extra security, some networks use a DMZ with two
firewalls
The types of servers that should be located in the DMZ
include:
 Web servers
– E-mail servers
 Remote access servers – FTP servers
41
Demilitarized Zones (DMZs) (continued)
42
Intranets


Networks that use the same protocols as the public
Internet, but are only accessible to trusted inside users
Disadvantage is that it does not allow remote trusted
users access to information
43
Extranets



Sometimes called a cross between the Internet and an
intranet
Accessible to users that are not trusted internal users,
but trusted external users
Not accessible to the general public, but allows vendors
and business partners to access a company Web site
44
Network Address Translation (NAT)






45
“You cannot attack what you do not see” is the
philosophy behind Network Address Translation (NAT)
systems
Hides the IP addresses of network devices from attackers
Computers are assigned special IP addresses (known as
private addresses)
These IP addresses are not assigned to any specific user
or organization; anyone can use them on their own
private internal network
Port address translation (PAT) is a variation of NAT
Each packet is given the same IP address, but a different
TCP port number
Honeypots



Computers located in a DMZ loaded with software and
data files that appear to be authentic
Intended to trap or trick attackers
Two-fold purpose:
 To direct attacker’s attention away from real servers on
the network
 To examine techniques used by attackers
46
Honeypots (continued)
47
Virtual LANs (VLANs)




48
Segment a network with switches to divide the
network into a hierarchy
Core switches reside at the top of the hierarchy and
carry traffic between switches
Workgroup switches are connected directly to the
devices on the network
Core switches must work faster than workgroup
switches because core switches must handle the
traffic of several workgroup switches
Virtual LANs (VLANs) (continued)
49


Virtual LANs (VLANs) (continued)
Segment a network by grouping similar users together
Instead of segmenting by user, you can segment a
network by separating devices into logical groups (known
as creating a VLAN)
50
Summary


Cable plant: physical infrastructure (wire, connectors,
and cables that carry data communication signals
between equipment)
Removable media used to store information include:






51
Magnetic storage (removable disks, hard drives)
Optical storage (CD and DVD)
Electronic storage (USB memory sticks, FlashCards)
Network devices (workstations, servers, switches, and
routers) should all be hardened to repel attackers
A network’s topology plays a critical role in resisting
attackers
Hiding the IP address of a network device can help
disguise it so that an attacker cannot find it
End of Chapter
52