Network Security


Network+ Guide to Networks,
Fourth Edition
Chapter 14
Network Security
Objectives
• Identify security risks in LANs and WANs and
design security policies that minimize risks
• Explain how physical security contributes to
network security
• Discuss hardware- and design-based security
techniques
• Use network operating system techniques to
provide basic security
Network+ Guide to Networks, 4e
2
Objectives (continued)
• Understand methods of encryption, such as SSL
and IPSec, that can secure data in storage and in
transit
• Describe how popular authentication protocols,
such as RADIUS, TACACS, Kerberos, PAP, CHAP,
and MS-CHAP, function
• Understand wireless security protocols, such as
WEP, WPA, and 802.11i
Security Audits
• Every organization should assess security risks by
conducting a security audit
– Thorough examination of each aspect of network to
determine how it might be compromised
– At least annually, preferably quarterly
• The more devastating a threat’s effects and the
more likely it is to happen, the more rigorously your
security measures should address it
• In-house or third-party audits
Security Risks
• Not all security breaches result from manipulation
of network technology
– Staff members purposely or inadvertently reveal
passwords
– Undeveloped security policies
• Malicious and determined intruders may “cascade”
their techniques
Risks Associated with People
• Human errors, ignorance, and omissions cause
majority of security breaches
• Risks associated with people:
– Social engineering or snooping to obtain passwords
– Incorrectly creating or configuring user IDs, groups,
and their associated rights on file server
– Overlooking security flaws in topology or hardware
configuration
– Overlooking security flaws in OS or application
configuration
– Lack of documentation and communication
Risks Associated with People
(continued)
• Risks associated with people (continued):
– Dishonest or disgruntled employees
– Unused computer or terminal left logged on
– Easy-to-guess passwords
– Leaving computer room doors open or unlocked
– Discarding disks or backup tapes in public waste
containers
– Neglecting to remove access and file rights when
required
– Writing passwords on paper
Risks Associated with Transmission
and Hardware
• Risks inherent in network hardware and design:
– Transmissions can be intercepted
– Networks using leased public lines vulnerable to
eavesdropping
– Network hubs broadcast traffic over entire segment
– Unused hub, router, or server ports can be exploited
and accessed by hackers
– Not properly configuring routers to mask internal
subnets
Risks Associated with Transmission
and Hardware (continued)
• Risks inherent in network hardware and design
(continued):
– Modems attached to network devices may be
configured to accept incoming calls
– Dial-in access servers may not be carefully secured
and monitored
– Computers hosting very sensitive data may coexist
on the same subnet with computers open to public
– Passwords for switches, routers, and other devices
may not be sufficiently difficult to guess, changed
frequently, or may be left at default value
Risks Associated with Protocols
and Software
• Networked software only as secure as it is
configured to be
• Risks pertaining to networking protocols and
software:
– TCP/IP was designed without authentication or encryption,
so addresses and sessions can be forged (for example, IP spoofing)
– Trust relationships between one server and another
may allow hackers to access entire network
– NOSs may contain “back doors” or security flaws
allowing unauthorized access to system
Risks Associated with Protocols and
Software (continued)
• Risks pertaining to networking protocols and
software (continued):
– If NOS allows server operators to exit to a command
prompt, intruders could run destructive command-line programs
– Administrators might accept the default security
options after installing an OS or application (often
not optimal)
– Transactions that take place between applications
may be open to interception
Risks Associated with Internet Access
• Common Internet-related security issues:
– Firewall may not be adequate protection, if not
configured properly
• IP spoofing
– When user Telnets or FTPs to site over Internet, user
ID and password transmitted in plain text
– Hackers may obtain information about user IDs from
newsgroups, mailing lists, forms filled out on Web
– Flashing
– Denial-of-service attack
An Effective Security Policy
• Security policy identifies security goals, risks, levels
of authority, designated security coordinator and
team members, responsibilities for team members,
responsibilities for each employee
– Specifies how to address security breaches
– Should not state exact hardware, software,
architecture, or protocols used to ensure security
• Nor how hardware or software will be installed and
configured
– Details change occasionally
Security Policy Goals
• Typical goals for security policies:
– Ensure authorized users have appropriate access to
resources
– Prevent unauthorized users from gaining access to
network, systems, programs, or data
– Protect sensitive data from unauthorized access
– Prevent accidental or intentional damage to
hardware or software
– Create environment in which network and systems
can withstand and recover from any type of threat
– Communicate each employee’s responsibilities
Security Policy Content
• After risks identified and responsibilities assigned,
policy’s outline should be generated
• Possible subheadings: Passwords; Software
installation; Confidential and sensitive data;
Network access; E-mail use; Internet use; Modem
use; Remote access; Connecting to remote
locations, Internet, and customers’ and vendors’
networks; Use of laptops and loaner machines;
Computer room access
Security Policy Content (continued)
• Explain to users what they can and cannot do and
how these measures protect network’s security
• Create separate section of policy that applies only
to users
• Define what “confidential” means to organization
Response Policy
• Security response team should regularly rehearse
defense strategy
• Suggestions for team roles:
– Dispatcher
– Manager
– Technical support specialist
– Public relations specialist
• After resolving a problem, team reviews what
happened, determines how it might have been
prevented, implements measures to prevent future
problems
Physical Security
• Restrict physical access to components
– Computer room, hubs, routers, switches, etc.
• Locks may be physical or electronic
– Electronic access badges
– Numeric key codes
– Bio-recognition access
• Closed-circuit TV systems
• Most important way to ensure physical security is
to plan for it
Physical Security (continued)
Figure 14-1: Badge access security system
Security in Network Design: Firewalls
• Selectively filter or block traffic between networks
– Hardware-based, software-based, or combination
• Packet-filtering firewall examines header of every
packet of data received
– Common filtering criteria:
• Source and destination IP addresses
• Source and destination ports
• TCP header flags (for example SYN and ACK)
• Whether the transmission uses UDP or ICMP
• Whether the packet is the first in a new data stream
(a TCP SYN without ACK)
• Whether the packet is inbound or outbound
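The following is an added example, not code from the textbook: a stateless packet filter that evaluates the criteria listed above (addresses, ports, TCP flags, protocol, first-packet-of-stream, direction) against constructed packets. The rule format, the `10.0.0.0/8` internal range and the web server address are assumptions made for the illustration.

```python
"""Stateless packet filtering over addresses, ports, TCP flags, protocol,
first-packet-of-stream and direction. Added example; rule format is invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Packet:
    direction: str                  # "in" (from outside) or "out" (from inside)
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

    def is_new_stream(self) -> bool:
        """A TCP packet with SYN set and ACK clear opens a new connection."""
        return self.proto == "tcp" and "SYN" in self.flags and "ACK" not in self.flags


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    new_stream: Optional[bool] = None   # True: only connection-opening packets

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.new_stream is not None and p.is_new_stream() != self.new_stream:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"          # assumed internal address space
WEB_SERVER = "10.0.1.10/32"      # assumed public web server

# Constructed rule set for a small perimeter filter with a default-deny posture.
RULES = [
    # Anti-spoofing: traffic arriving from outside must not carry an internal source.
    Rule("deny", direction="in", src=INTERNAL),
    # Only the web server may receive new inbound connections, and only on 443.
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=443, new_stream=True),
    # Replies to connections opened from inside: inbound TCP that is not a new stream.
    # Caveat: a stateless filter cannot know whether such a packet belongs to a real
    # connection, so a crafted ACK-only probe (an "ACK scan") also passes this rule.
    Rule("allow", direction="in", proto="tcp", new_stream=False),
    Rule("deny", direction="in", proto="icmp"),
    Rule("deny", direction="in", proto="udp"),
    # Internal hosts may initiate anything outbound.
    Rule("allow", direction="out", src=INTERNAL),
]


def decide(p: Packet) -> str:
    return evaluate(RULES, p)


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", "10.0.1.10", 40000, 443, frozenset({"SYN"})),
        Packet("in", "tcp", "10.0.5.5", "10.0.1.10", 40000, 443, frozenset({"SYN"})),
        Packet("in", "tcp", "203.0.113.7", "10.0.1.10", 40000, 22, frozenset({"ACK"})),
    ]
    for s in samples:
        print(s.direction, s.proto, s.src, "->", s.dst, s.dport, sorted(s.flags), decide(s))
```

The third sample packet shows the limit of pure packet filtering: the ACK-only probe to port 22 is allowed because, without connection state, the filter cannot tell a reply from a forged one. That is why the next slide asks whether a firewall supports filtering at higher OSI layers.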
Security in Network Design: Firewalls
(continued)
• Factors when choosing a firewall:
– Supports encryption?
– Supports user authentication?
– Allows central management?
– Easily establishes rules for access?
– Supports filtering at highest layers of OSI Model?
– Provides logging, auditing, alerting capabilities?
– Protects identity of internal LAN’s addresses?
• A packet filter judges by addresses, ports, and flags, not by
who sent the packet: it cannot distinguish an intruder from an
authorized user whose traffic looks the same
Proxy Servers
• Proxy service: software that acts as intermediary
between external and internal networks
– Screen all incoming and outgoing traffic
• Manage security at Application layer
• May be combined with Firewall for greater security
• Improve performance for users accessing
resources external to network by caching files
Proxy Servers (continued)
Figure 14-4: A proxy server used on a WAN
Remote Access
• Must remember that any entry point to a LAN or
WAN creates potential security risk
• Remote control:
– Can present serious security risks
– Most remote control software programs offer
features that increase security
– Desirable security features:
• User name and password requirement
• Ability of host system to call back
• Support for data encryption
Remote Access (continued)
• Remote control (continued):
– Desirable security features (continued):
• Ability to leave host system’s screen blank while
remote user works
• Ability to disable host system’s keyboard and mouse
• Ability to restart host system when remote user
disconnects
Remote Access (continued)
• Dial-up networking
– Effectively turns remote workstation into node on
network
– Secure remote access server package should
include at least:
• User name and password authentication
• Ability to log all dial-up connections, their sources, and
their connection times
• Ability to perform callbacks to users
• Centralized management of dial-up users and their
rights on network
Network Operating System Security
• Regardless of NOS, can implement basic security
by restricting what users authorized to do
– Limit public rights
– Administrators should group users according to
security levels
Logon Restrictions
• Additional restrictions that network administrators
can use to strengthen security of network:
– Time of day
– Total time logged on
– Source address
– Unsuccessful logon attempts
Passwords
• Tips for making and keeping passwords secure:
– Always change system default passwords
– Do not use familiar information
– Do not use dictionary words
– Make password longer than eight characters
– Choose combination of letters and numbers
– Do not write down or share passwords
– Change password at least every 60 days
– Do not reuse passwords
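The two preceding slides (logon restrictions and password rules) are enforced together in this added example, which is not code from the textbook or from any particular NOS. The permitted hours, the `10.0.0.0/8` source range, the five-failure lockout, the 60-day age limit and the small word list are constructed values; passwords are stored only as salted PBKDF2 hashes so that the reuse check works without keeping old passwords in clear.

```python
"""Enforcing NOS-style logon restrictions and password rules.
Added example; policy values, word list and account data are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Tuple

DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "secret"}  # stand-in word list
PBKDF2_ROUNDS = 100_000


def at(iso: str) -> datetime:
    """Readable timestamps for the demo, e.g. at("2024-03-04T10:00:00")."""
    return datetime.fromisoformat(iso)


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_problems(password: str, familiar: Sequence[str] = ()) -> List[str]:
    """Rules from the slide that a candidate password violates (empty = acceptable)."""
    problems = []
    low = password.lower()
    if len(password) <= 8:
        problems.append("must be longer than eight characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and numbers")
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(item and item.lower() in low for item in familiar):
        problems.append("contains familiar information (name, user ID, ...)")
    return problems


class Account:
    def __init__(self, username: str, password: str, now: datetime,
                 allowed_hours=(time(7, 0), time(19, 0)),
                 allowed_from: Sequence[str] = ("10.0.0.0/8",),
                 max_failures: int = 5, max_age_days: int = 60,
                 max_session: timedelta = timedelta(hours=10)):
        self.username = username
        self.allowed_hours = allowed_hours
        self.allowed_from = [ip_network(n) for n in allowed_from]
        self.max_failures = max_failures
        self.max_age = timedelta(days=max_age_days)
        self.max_session = max_session
        self.history: List[Tuple[bytes, bytes]] = []   # old (salt, hash) pairs block reuse
        self.failures = 0
        self.locked = False
        problems = self.set_password(password, now)
        if problems:
            raise ValueError(problems)

    def set_password(self, new: str, now: datetime) -> List[str]:
        problems = password_problems(new, familiar=(self.username,))
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(new, salt)[1], digest):
                problems.append("password was used before")
                break
        if problems:
            return problems
        self.salt, self.digest = hash_password(new)
        self.history.append((self.salt, self.digest))
        self.changed_at = now
        return []

    def logon(self, password: str, source_ip: str, now: datetime) -> Tuple[bool, str]:
        if self.locked:
            return False, "account locked after too many failed attempts"
        if not (self.allowed_hours[0] <= now.time() < self.allowed_hours[1]):
            return False, "outside permitted logon hours"
        if not any(ip_address(source_ip) in net for net in self.allowed_from):
            return False, "source address not permitted"
        if not hmac.compare_digest(hash_password(password, self.salt)[1], self.digest):
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True          # unsuccessful-attempt restriction
            return False, "bad password"
        self.failures = 0
        if now - self.changed_at > self.max_age:
            return False, "password expired; change it before continuing"
        self.session_started = now
        return True, "ok"

    def session_expired(self, now: datetime) -> bool:
        """Total-time-logged-on restriction: force re-authentication afterwards."""
        return now - self.session_started > self.max_session
```

The time-of-day and source-address checks run before the password is verified, so a request from the wrong network never even exercises the hash; the lockout counter resets only on a successful verification.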
Encryption
• Use of algorithm to scramble data into format that
can be read only by reversing the algorithm
• Encryption provides following assurances:
– Data not modified after sender transmitted it and
before receiver picked it up
– Data can only be viewed by intended recipient
– All data received at intended destination truly issued
by stated sender and not forged by an intruder
Key Encryption
• Key: random string of bits, usually displayed as characters
• Algorithm weaves key into original data’s bits to generate
unique data block
– Ciphertext
– Each additional key bit doubles the work of trying every key,
so longer keys are harder to break
– Hackers may attempt to crack a key by trying every possible
value (brute force attack)
• Keys randomly generated by encryption software
Key Encryption (continued)
Figure 14-5: Key encryption and decryption
Private Key Encryption
• Data encrypted using single key that only sender
and receiver know
• Data Encryption Standard (DES): 56-bit key, now short enough to
brute-force
– Triple DES (3DES): applies DES three times with two or three
independent 56-bit keys
• Advanced Encryption Standard (AES): weaves 128-, 192-, or
256-bit keys through data in multiple rounds
– Approved by the U.S. government, including for classified
communication
• Sender must share key with recipient
Private Key Encryption (continued)
Figure 14-6: Private key encryption
Public Key Encryption
• Data encrypted and decrypted using two mathematically related
keys:
– Private key, known only to its owner
– Public key associated with user, which anyone may hold
• What one key of the pair encrypts, only the other can decrypt
• Public key server: publicly accessible host that
freely provides list of users’ public keys
• Key pair: combination of public key/private key
• Public key algorithms need far longer keys than private key
algorithms for comparable strength (RSA: 2048 bits or more)
– RSA: most popular public key algorithm
• Digital certificate: file, signed by a trusted certificate
authority, that binds a public key to the identity of its owner
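An added example, not from the textbook, that makes the public key concepts on this and the previous slide concrete: a textbook RSA key pair built from two primes, encryption with the public key and decryption with the private key, a signature (the basis of a digital certificate) over a message hash, and the brute-force attack that recovers the private key when the modulus is small. The primes 61 and 53 are chosen for illustration only; the scheme omits the padding real RSA requires and must not be used for anything but demonstration.

```python
"""Public key encryption, signing, and the cost of a too-short key, with
textbook RSA on deliberately tiny numbers. Added example; primes are
illustrative and the real padding (OAEP, PSS) is left out."""
import hashlib
from math import gcd, isqrt
from typing import Tuple

PublicKey = Tuple[int, int]     # (n, e)
PrivateKey = Tuple[int, int]    # (n, d)


def keygen(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Key pair from two primes: n = p*q and e are public; d stays private."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub: PublicKey, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv: PrivateKey, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    # Toy: reduce a SHA-256 hash modulo n; real schemes pad the hash instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signing applies the private key to the message hash; a certificate is
    exactly such a signature, made by a CA over a name and a public key."""
    n, d = priv
    return pow(_digest(message, n), d, n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)


def factor(n: int) -> Tuple[int, int]:
    """Brute-force trial division. The work grows with sqrt(n), i.e.
    exponentially in the key length, which is why real RSA moduli are
    2048 bits or longer."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found")


def recover_private_key(pub: PublicKey) -> PrivateKey:
    """Whoever factors n computes d from the public key alone."""
    n, e = pub
    p, q = factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = keygen(61, 53)      # n = 3233: far too small to be safe
    c = encrypt(pub, 65)
    print("ciphertext", c, "decrypts to", decrypt(priv, c))
    s = sign(priv, b"pay 100")
    print("valid:", verify(pub, b"pay 100", s), "tampered:", verify(pub, b"pay 900", s))
    print("attacker recovers d =", recover_private_key(pub)[1], "real d =", priv[1])
```

Run with the 12-bit modulus above, `recover_private_key` finishes instantly; with two million-sized primes it still takes only a million divisions. The point of the "use longer keys" bullet is that each added bit doubles that search.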
Public Key Encryption (continued)
Figure 14-7: Public key encryption
PGP (Pretty Good Privacy)
• Typical e-mail communication is highly insecure
• PGP: public key encryption system that can verify
authenticity of an e-mail sender and encrypt e-mail
data in transmission
– Freely available
– Most popular tool for encrypting e-mail
– Can be used to encrypt data on storage devices or
with applications other than e-mail
SSL (Secure Sockets Layer)
• Method of encrypting TCP/IP transmissions en
route between client and server
– Public key encryption in the handshake authenticates the server
and agrees on a session key; the data that follows is encrypted
with faster private (symmetric) key encryption
• HTTPS (HTTP over Secure Sockets Layer): uses
TCP port 443, rather than port 80
• SSL session: association between client and server
defined by agreement on specific set of encryption
techniques
– Created by SSL handshake protocol
• IETF standardized SSL’s successor as Transport Layer
Security (TLS); all SSL versions are now deprecated and
should be disabled in favor of TLS
SSH (Secure Shell)
• Provides remote connections to hosts
– With authentication and security for transmitting data
– Guards against unauthorized access to host, IP
spoofing, interception of data in transit, and DNS
spoofing
– Variety of encryption algorithms can be used
• To form secure connection, must be running on
client and server
• For public key authentication, first generate a key pair on the
client workstation and copy the public key to the server
– ssh-keygen command
SCP (Secure CoPy) and
SFTP (Secure File Transfer Protocol)
• SCP: allows secure copying of files from one host
to another over an SSH connection
– Replaces unencrypted FTP and rcp
• SFTP: a different protocol from SCP, although both run over
SSH
– Implemented as an SSH subsystem (not FTP tunneled through
SSH)
– Does more than copy files: lists, renames, deletes, and resumes
transfers
IPSec (Internet Protocol Security)
• Defines encryption, authentication, and key
management for TCP/IP transmissions
– Adds security headers to IP packets
– Operates at Network layer, so it protects any protocol
carried by IP
• Two components:
– Key management: Internet Key Exchange (IKE) authenticates
the peers and negotiates keys and security associations
– Packet protection: Authentication Header (AH) provides
integrity and origin authentication only; Encapsulating
Security Payload (ESP) adds encryption
• Can be used with any type of TCP/IP transmission
Authentication Protocols:
RADIUS and TACACS
• Authentication protocols: rules that computers
follow to accomplish authentication
• RADIUS: provides centralized network
authentication and accounting for multiple users
– Runs over UDP
– Can operate as software application on remote
access server or on a RADIUS server
– Often used with dial-up networking connections
• Terminal Access Controller Access Control System
(TACACS): same purpose as RADIUS; its successor TACACS+
runs over TCP and encrypts the whole packet body
Authentication Protocols: RADIUS and
TACACS (continued)
Figure 14-8: A RADIUS server providing centralized
authentication
PAP (Password Authentication
Protocol)
• Authentication protocol that works over PPP
– Simple, not very secure: sends user name and password across
the link in clear text
– Does not protect against possibility of malicious
intruder attempting to guess user’s password through
brute force attack
Figure 14-9: Two-step authentication used in PAP
CHAP and MS-CHAP
• Challenge Handshake Authentication Protocol
(CHAP): operates over PPP
– Server sends a random challenge; client replies with a hash
(MD5) of the password combined with that challenge
– Three-way handshake
– Password never transmitted alone or as clear text
• Microsoft Challenge Handshake Authentication Protocol
(MS-CHAP): similar to CHAP
– Used on Windows systems
– MS-CHAPv2 adds mutual authentication and separate keys for
each direction
• Mutual authentication: both computers verify
credentials of the other
CHAP and MS-CHAP (continued)
Figure 14-10: Three-way handshake used in CHAP
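An added example (not from the textbook) of the PAP and CHAP slides side by side: what PAP puts on the link, the CHAP three-way handshake with the response computed as RFC 1994 specifies (MD5 over the one-octet identifier, the shared secret and the challenge), and the caveat the slides do not spell out: a captured CHAP exchange still lets an attacker guess the password offline. The user names and secrets are constructed.

```python
"""PAP versus CHAP on the wire, and offline guessing against a captured CHAP
exchange. Added example; response = MD5(identifier || secret || challenge)
as in RFC 1994; users and secrets are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def pap_request(username: str, password: str) -> bytes:
    """PAP: the credentials cross the link in clear text."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response value. The secret itself never appears on the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Remote access server side of the three-way handshake."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users                      # name -> shared secret
        self.pending: Dict[int, bytes] = {}     # outstanding challenges by identifier
        self.next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        # Step 1: send a fresh random challenge; the identifier ties the reply to it.
        self.next_id = (self.next_id + 1) & 0xFF
        ch = os.urandom(16)
        self.pending[self.next_id] = ch
        return self.next_id, ch

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        # Step 3: recompute the expected response. A challenge is usable once,
        # so replaying a captured response fails.
        ch = self.pending.pop(identifier, None)
        secret = self.users.get(name)
        if ch is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, ch), response)


class Peer:
    """Dial-in client: answers the challenge with the hash (step 2)."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def authenticate(server: Authenticator, client: Peer) -> Tuple[bool, Tuple[int, bytes, bytes]]:
    """Run the handshake; also return what an eavesdropper on the link captures."""
    identifier, challenge = server.challenge()
    name, response = client.respond(identifier, challenge)
    return server.verify(identifier, name, response), (identifier, challenge, response)


def offline_guess(captured: Tuple[int, bytes, bytes], candidates: Iterable[bytes]) -> Optional[bytes]:
    """Caveat: the hash hides the secret from reading, not from guessing.
    Holding one captured exchange, an attacker tests candidates at MD5 speed
    with no further contact with the server and no lockout to trip."""
    identifier, challenge, response = captured
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    server = Authenticator({"alice": b"summer2006"})
    ok, capture = authenticate(server, Peer("alice", b"summer2006"))
    print("CHAP authenticated:", ok)
    print("offline guess from capture:", offline_guess(capture, [b"password", b"summer2006"]))
```

CHAP therefore removes the clear-text exposure of PAP but does nothing for weak secrets; the password rules earlier in the chapter matter just as much here.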
EAP (Extensible Authentication
Protocol)
• Another extension to PPP protocol suite
– A framework only: does not itself perform encryption or
authentication, but carries whichever authentication method
is chosen (passwords, certificates, smart cards, and others)
– Requires authenticator to initiate authentication
process by asking connected computer to verify
itself
– Flexible: supported by most OSs and can be used
with any authentication method
– Works with biorecognition and wireless protocols
Kerberos
• Cross-platform authentication protocol
– Uses private (symmetric) key encryption and a trusted third
party to verify identity of clients and to securely exchange
information
– Significant advantages over NOS authentication
• Does not automatically trust clients
• Requires client to prove identity through third party
– Key Distribution Center (KDC): server that issues
keys
– Authentication service (AS): authenticates a principal
• Issues a ticket
Kerberos (continued)
• Purpose of Kerberos is to connect valid user with a
service
– User and service must register keys with
authentication service
– AS issues session key to both
• Randomly generated
– AS creates ticket allowing user to use service
• Encrypted with the service’s key, so only the service can
read the session key it contains
– User’s computer creates time stamp for request
• Encrypts with session key (authenticator); the time stamp
limits how long a captured authenticator can be replayed
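The flow on this slide, simulated end to end as an added example (not the textbook's code and not a real Kerberos implementation): an authentication service holding each principal's registered key, a ticket readable only by the service, a reply readable only by the user, and a timestamped authenticator that the service checks for clock skew and replay. The encryption is a toy keystream-plus-HMAC stand-in for Kerberos's real encryption types; principals, keys and timestamps are constructed.

```python
"""Kerberos ticket and authenticator flow, simulated. Added example; the
'seal' cipher is a toy stand-in, and all principals and keys are constructed."""
import hashlib
import hmac
import json
import os
from typing import Dict


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: XOR with a keystream, then an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key + nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct)))))


class AuthenticationService:
    """The KDC's AS: holds every registered key, issues session keys and tickets."""

    def __init__(self, lifetime: int = 300):
        self.keys: Dict[str, bytes] = {}
        self.lifetime = lifetime

    def register(self, principal: str, key: bytes) -> None:
        self.keys[principal] = key

    def request(self, user: str, service: str, now: int) -> bytes:
        session = os.urandom(16).hex()          # randomly generated session key
        # Ticket: encrypted with the service's key, so only the service reads it.
        ticket = seal(self.keys[service],
                      {"user": user, "session": session, "expires": now + self.lifetime})
        # Reply: encrypted with the user's key; carries the session key and the ticket.
        return seal(self.keys[user], {"session": session, "ticket": ticket.hex()})


class Client:
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def login(self, kdc: AuthenticationService, service: str, now: int) -> None:
        reply = unseal(self.key, kdc.request(self.user, service, now))  # wrong key: ValueError
        self.session = bytes.fromhex(reply["session"])
        self.ticket = bytes.fromhex(reply["ticket"])

    def authenticator(self, now: int) -> bytes:
        """Time stamp encrypted under the session key: proves possession of the key."""
        return seal(self.session, {"user": self.user, "timestamp": now})


class Service:
    def __init__(self, key: bytes, skew: int = 300):
        self.key, self.skew = key, skew
        self.seen = set()                        # replay cache of (user, timestamp)

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["user"] != t["user"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > self.skew:
            raise ValueError("authenticator outside clock skew window")
        if (a["user"], a["timestamp"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["user"], a["timestamp"]))
        return t["user"]


def rejects(fn, *args) -> bool:
    """True if the call is refused with ValueError (used when exercising the demo)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Note where the user's password never goes: the client proves knowledge of its key only by being able to decrypt the AS reply, and the service trusts the ticket because it was sealed with the key it registered with the AS.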
Wireless Network Security:
WEP (Wired Equivalent Privacy)
• Wireless transmissions susceptible to
eavesdropping
– War driving
• By default, 802.11 standard does not offer security
– Allows for optional encryption using WEP
• Uses keys to authenticate network clients and encrypt
data in transit
• Network key
• On Windows XP, network key can be saved as part of
wireless connection’s properties
• Current versions of WEP allow 128-bit network keys (104-bit
secret plus a 24-bit initialization vector sent in the clear)
• WEP’s design is broken regardless of key length; use 802.11i
(WPA2) or later instead
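Why the chapter summary calls WEP "not very secure" because every station shares one key: this added example (not from the textbook) implements RC4, the stream cipher WEP uses, builds WEP-style frames as IV || RC4(IV || key) XOR plaintext, and shows that two frames sharing an IV share a keystream, so knowing one plaintext decrypts the other without the key. The CRC-32 integrity value of real WEP is omitted; the network key, IVs and frame contents are constructed.

```python
"""Keystream reuse in WEP. Added example; RC4 and the IV || ciphertext frame
layout follow the real design (CRC-32 ICV omitted); key and frames are constructed."""


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: key scheduling (KSA), then pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def wep_encrypt(network_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key = IV (3 bytes, sent in the clear) || shared network key.
    Every station uses the same network key, so only the IV varies, and with
    just 2^24 IVs a busy access point repeats one within hours."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(plaintext, rc4(iv + network_key, len(plaintext)))


def wep_decrypt(network_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4(iv + network_key, len(body)))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """An eavesdropper who knows (or can guess, e.g. protocol headers) one frame's
    plaintext obtains the keystream for that IV without learning the network key."""
    return xor(known_plaintext, frame[3:])


def decrypt_with_reused_iv(known_frame: bytes, known_plaintext: bytes, target: bytes) -> bytes:
    """Same IV + same network key = same keystream, so C_a ^ C_b = P_a ^ P_b and
    the keystream from the known frame decrypts any other frame with that IV."""
    if known_frame[:3] != target[:3]:
        raise ValueError("frames use different IVs; keystreams differ")
    return xor(target[3:], recover_keystream(known_frame, known_plaintext))


if __name__ == "__main__":
    key = bytes(range(13))                      # constructed 104-bit network key
    f1 = wep_encrypt(key, b"\x00\x00\x01", b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(key, b"\x00\x00\x01", b"POST /login pw=hunter2  ")
    print(decrypt_with_reused_iv(f1, b"GET /index.html HTTP/1.0", f2))
```

The attack needs no cryptanalysis of RC4 at all; it follows from reusing a keystream, which a per-station, per-session key (as 802.11i provides) prevents.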
IEEE 802.11i and
WPA (Wi-Fi Protected Access)
• Uses EAP (carried by 802.1X) with strong encryption scheme
– Dynamically assigns every transmission own key
– Logging on to wireless network more complex than
with WEP
– AP acts as proxy between authentication server (typically
RADIUS) and station until station successfully authenticates
– Requires mutual authentication
– After authentication, authentication server instructs
AP to allow traffic from client into network
– Client and server agree on encryption key
IEEE 802.11i and WPA (continued)
• 802.11i specifies AES encryption (CCMP)
– Mixes each packet in data stream with different key
• WPA: subset of 802.11i standard, released as a stopgap that
existing WEP hardware could run
– Main difference from 802.11i is that WPA specifies RC4 with
per-packet key mixing (TKIP) rather than AES
Summary
• Every organization should assess its security risks
by conducting a security audit at least annually
• One of the most common methods by which an
intruder gains access to a network is to simply ask
a user for his password
• There are many security risks that a network
administrator must guard against, including risks
associated with people, network transmission and
design, and network protocols and software
Summary (continued)
• A security policy identifies an organization’s
security goals, risks, levels of authority, designated
security coordinator and team members,
responsibilities for each team member and each
employee, and strategies for addressing security
breaches
• A firewall is a specialized device that selectively
filters or blocks traffic between networks
• A proxy service is a software application on a
network host that acts as an intermediary between
the external and internal networks, screening all
incoming and outgoing traffic
Summary (continued)
• Every NOS provides at least some security by
allowing you to limit users’ access to files and
directories on the network
• Choosing secure passwords is one of the easiest
and least expensive ways to guard against
unauthorized access
• Encryption is the use of an algorithm to scramble
data into a format that can be read only by
reversing the algorithm
• Key encryption comes in two forms: public and
private key encryption
Summary (continued)
• Popular methods of encryption include PGP, SSL/TLS,
SSH and OpenSSH, and IPSec
• Authentication protocols used over PPP connections
include PAP, CHAP, and MS-CHAP; RADIUS and TACACS
provide centralized authentication and accounting behind
those connections
• Because WEP uses the same key for all stations
attaching to an AP and for all transmissions, it is
not very secure
• In 802.11i, the EAP authentication method is
combined with AES encryption