Network Architectures - Computing Sciences


Network Security Revisited
ITEC 370
George Vaughan
Franklin University
1
Sources for Slides
• Material in these slides comes primarily from the course text, Guide to
Networking Essentials, Tomsho, Tittel, Johnson (2007).
• Other sources are cited in line and listed in the reference section.
2
TCP/IP and OSI Models
TCP/IP and OSI Models (OSI-Model, n.d.) and (Tomsho, 2007)

TCP/IP Layer | PDU | OSI Layer | Function | Devices - Apps | Standards
Application | Data | 7 Application | Network process to application; initiates or accepts a request to transfer data | Browsers, servers, Gateways | HTTP, SNMP, FTP, Telnet
Application | Data | 6 Presentation | Adds formatting, display, and encryption of information | Gateways | ASCII, MPEG, SSH, SSL
Application | Data | 5 Session | Adds communication session control information, Login/Logout | DNS, Gateways | NetBIOS
Transport | Segments | 4 Transport | Adds end-to-end connections and reliability, re-sequencing, flow control | Gateways | TCP, UDP
Network | Packets | 3 Network | Path determination and logical addressing (IP), translates MAC address to logical address | Routers | IP, ICMP, ARP, NetBEUI, IPSec
Link | Frames | 2 Data Link (LLC and MAC sublayers) | Adds error checking and physical addressing (MAC & LLC) | Switches, Bridges, NICs | 802.3, 802.11, FDDI
Link | Bits | 1 Physical | Media, signal and binary transmission; sends data as a bit stream | Hubs, Repeaters | 10Base-T, T1, E1
3
VPN
Wikipedia-VPN
• VPN – Virtual Private Network
• A virtual (logical) private network running on top of a
public network (e.g. Internet).
• Useful for providing remote access without using
dedicated lines.
• 2 parts:
– ‘inside’ network which is trusted
– ‘outside’ part which is not trusted.
• VPN Server manages authentication
• When active, all access from the client to the outside must pass
through the firewall, which makes the client act as if it were in the
‘inside’ network.
4
VPN Advantages and Disadvantages
Tomsho, Tittel, Johnson (2007)
• Advantages:
– Significantly cheaper than leasing private lines.
– Usable almost anywhere in the world.
• Disadvantages
– Security risk if not properly configured
– May be slower than leased lines (but often ‘fast
enough’)
5
Transmission Using Leased Line
[Diagram] Machine 1 (M1) on LAN 1 sends a packet (IP Header Dest=M2 | Data) to Switch/Router 1 (R1). It crosses the WAN leased line ($) to Switch/Router 2 (R2) on LAN 2 and reaches Machine 2 (M2) with the same IP header (Dest=M2) and data at every hop. The whole path, LAN 1, the leased line and LAN 2, is a trusted area.
6
Terminology
• Encapsulation:
– Act of placing a packet (header and data) inside the data section of
another packet.
– Similar to placing an envelope containing a letter inside another
envelope (which may have a different address).
– sometimes the encapsulating packet is of a different protocol.
• Encryption:
– The process of obscuring information
• Tunneling (Tunneling, 2005.):
– Also known as "port forwarding"
– the transmission of data intended for use only within a private network
through a public network in such a way that the routing nodes in the
public network are unaware that the transmission is part of a private
network.
7
Transmission Using VPN on Public Network
[Diagram] Machine 1 (M1), running the VPN client on LAN 1, encapsulates and encrypts the original packet (IP Header Dest=M2 | Data) and wraps it inside a new packet with destination = VPN1 (IP Header Dest=VPN1 | Data, where the data is the encrypted original packet). Switch/Router 1 (R1) forwards the outer packet through the tunnel across the public Internet to the VPN Server/Firewall (VPN1), which de-encapsulates and decrypts the original packet and sets destination = M2. Switch/Router 2 (R2) then delivers the original packet (IP Header Dest=M2 | Data) across LAN 2, the trusted area, to Machine 2 (M2).
8
Examples of VPN Tunneling Protocols
• IPSec
– IP Security
• PPTP
– Point-to-Point Tunneling Protocol
• L2TP
– Layer 2 Tunneling Protocol
9
IPSec
Wikipedia-IPSec (n.d).
• IP Security
• A set of protocols operating at the Network layer (layer
3).
• Often used for LAN-to-LAN VPNs
• 2 Modes
– Transport Mode:
• Only payload in packet is encrypted (header is not)
• Host to Host communication
– Tunnel Mode:
• Entire IP packet is encrypted, including header
• Encapsulated in another packet for routing across internet.
• Network to Network communication
• Optional in IPv4, obligatory in IPv6
10
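Added example (not from the slides or the cited texts): a Python model of the encapsulation in the VPN diagram and of the two IPsec modes, built on constructed IPv4 packets. The sealing routine is a stand-in for ESP's transforms (an HMAC-SHA256 keystream plus an HMAC tag), the key and addresses are constructed, and the IP header checksum is left zero.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed; a real IPsec SA gets its keys from IKE
ESP = 50  # IP protocol number the outer header carries for IPsec ESP

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header (TTL 64, checksum left 0 for brevity) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def parse(pkt: bytes) -> dict:
    """What a router on the public path sees: the outermost header's fields."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[20:f[2]]}

def _keystream(seq: int, n: int) -> bytes:
    """Per-packet keystream from KEY and the sequence number; a seq must never repeat."""
    return b"".join(hmac.new(KEY, struct.pack("!II", seq, i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(plain: bytes, seq: int) -> bytes:
    """Encrypt-then-MAC, laid out as seq || ciphertext || tag (stand-in for ESP)."""
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(seq, len(plain))))
    body = struct.pack("!I", seq) + ct
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def open_(sealed: bytes) -> bytes:
    """Verify the tag first; a tampered packet is dropped before any decryption."""
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    seq, ct = struct.unpack("!I", body[:4])[0], body[4:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(seq, len(ct))))

def tunnel_mode(inner: bytes, seq: int, client: str, vpn: str) -> bytes:
    """Tunnel mode: whole inner packet (header too) sealed, then wrapped in a new header client -> VPN1."""
    return ipv4_packet(client, vpn, ESP, seal(inner, seq))

def transport_mode(inner: bytes, seq: int) -> bytes:
    """Transport mode: original header stays in the clear; only its payload is sealed."""
    p = parse(inner)
    return ipv4_packet(p["src"], p["dst"], ESP, seal(p["payload"], seq))

def vpn_server_decap(outer: bytes) -> bytes:
    """VPN1 strips the outer header and unseals: the original packet for M2 comes out."""
    return open_(parse(outer)["payload"])
```

Routers on the public Internet only ever parse the outer header, so in tunnel mode they learn nothing about M2; in transport mode M2's address stays visible.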
PPTP
Wikipedia-PPTP (n.d).
• Often used for Client-to-LAN VPNs.
• Establishes a regular PPP session with peer
– Uses Generic Routing Encapsulation protocol (GRE)
• Establishes a second TCP session which is
used to manage the GRE session
• First implemented by Cisco and later licensed to
Microsoft.
• Easy to configure.
• First VPN protocol supported by Microsoft Dialup Networking.
11
L2TP
• Often used for Client-to-LAN VPNs.
• An extension of PPTP (Microsoft) and L2F
(Cisco).
• Developed by Cisco
• Doesn’t require registered IP addresses
• Does not contain encryption.
• Often used in conjunction with IPSec.
12
Protecting Networks with Firewalls
Tomsho, Tittel, Johnson (2007)
• Firewall: HW device or SW program that inspects
packets going into or out of a network or computer, and
then discards/forwards them based on rules
– Protects against outside attempts to access
unauthorized resources, and against malicious
network packets intended to disable or cripple a
corporate network and its resources
– If placed between Internet and corporate network, can
restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a
packet (stateful packet inspection (SPI))
13
Types of Firewalls
Wikipedia-firewall (n.d.)
• Packet Filter Firewall:
– Stateless
– Rules are static
• Circuit Level Firewall:
– Stateful
– Can determine if packet is a new or part of an
existing connection.
• Application Layer Firewall:
– Also known as proxy based firewalls
14
Using a Router as a Firewall
Tomsho, Tittel, Johnson (2007)
• A firewall is just a router with specialized SW that
facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets are
permitted both into and out of the network
– Network administrator must create rules (access
control lists) that deny certain types of packets
• Typically, an administrator builds access control
lists so that all packets are denied, and then
creates rules that make exceptions
15
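Added example (not from the slides or the cited texts) covering the firewall types and the router-as-firewall slides: a constructed access control list built the way the slide describes, deny everything and then add exceptions, evaluated first as a stateless packet filter and then by a stateful (circuit level) firewall that remembers permitted connections. Rule contents, addresses and ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

# Constructed access control list in the slide's "deny all, then add exceptions" style.
# Rule = (action, source network, destination network, protocol, destination port or None).
# Rules are checked in order and the first match wins; falling off the end is the implicit deny.
ACL = [
    ("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),     # inside hosts may browse out
    ("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    ("permit", "0.0.0.0/0", "10.0.0.25/32", "tcp", 25),  # only the mail host takes inbound SMTP
]

def stateless_decision(pkt: Packet) -> str:
    """Packet filter firewall: every packet is judged on its own against static rules."""
    for action, src, dst, proto, dport in ACL:
        if (ip_address(pkt.src) in ip_network(src) and ip_address(pkt.dst) in ip_network(dst)
                and pkt.proto == proto and dport in (None, pkt.dport)):
            return action
    return "deny"  # implicit deny at the end of every ACL

class StatefulFirewall:
    """Circuit level firewall: remembers connections the ACL permitted, so the reply
    half of an existing connection is recognised without needing a rule of its own."""
    def __init__(self) -> None:
        self.connections: set = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reverse in self.connections:
            return "permit"                      # part of an existing connection
        if stateless_decision(pkt) == "permit":  # new connection: consult the ACL
            self.connections.add(flow)
            return "permit"
        return "deny"
```

The stateless filter denies the web server's reply because no static rule covers it; the stateful firewall permits it because the outbound request was recorded, while an unrelated inbound probe is still denied.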
NAT
Wikipedia-NAT (n.d.)
• Network Address Translation (IP-masquerading)
• Router/Firewall replaces internal IP source address in IP
packet with its own IP address when sending packets
out.
• Router/Firewall reverses process for incoming packets.
• Useful for hiding the identity of the real IP addresses behind
the firewall
• Can be used for IP address reuse
– multiple machines share same IP address
– Common in home routers
– ISP assigns single public IP address
– Router maps to multiple private IP addresses
16
PAT
Wikipedia-NAT (n.d.)
• A variation of NAT is PAT (Port address translation)
• Port addresses can be used for multiplexing
• Using ports, a single external IP address can map up to 65,000 internal
network addresses (as big as a class B network)
17
Using Network Address Translation to Improve Security
Tomsho, Tittel, Johnson (2007)
• A benefit of NAT is that the real address of an internal
network resource is hidden and inaccessible to the
outside world
– Because most networks use NAT with private IP
addresses, those devices configured with private
addresses can’t be accessed directly from outside the
network
– An external device can’t initiate a network
conversation with an internal device, thus limiting an
attacker’s options to cause mischief
18
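Added example (not from the slides or the cited texts) for the NAT, PAT and NAT-security slides: a small Python model of a home router doing port address translation. Outbound packets have their private source address and port rewritten to the router's single public address and a port drawn from a pool; inbound packets are translated back only when they match a mapping an inside host created, which is the mechanism behind "an external device can't initiate a conversation with an internal device". Addresses and ports are constructed.

```python
class PatRouter:
    """Port Address Translation as the NAT/PAT slides describe it: every inside host shares
    the router's single public address, and the source port distinguishes their flows.
    Constructed example; addresses come from the RFC 1918 and RFC 5737 example ranges."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.out = {}    # (inside ip, inside port, remote ip, remote port) -> public port
        self.back = {}   # public port -> that same 4-tuple
        self.free_ports = iter(range(first_port, 65536))  # one public port per inside flow

    def outbound(self, pkt: dict) -> dict:
        """Rewrite src ip:port to public ip:port; returns the packet as the Internet sees it."""
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.out.get(flow)
        if port is None:
            port = next(self.free_ports)   # StopIteration here means the port pool is exhausted
            self.out[flow] = port
            self.back[port] = flow
        return dict(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: dict):
        """Reverse the translation. No mapping, or a remote endpoint other than the one the
        inside host talked to, means the packet is dropped (None): an outside device cannot
        start a conversation with a host behind the router."""
        flow = self.back.get(pkt["dport"])
        if flow is None or (pkt["src"], pkt["sport"]) != (flow[2], flow[3]):
            return None
        return dict(pkt, dst=flow[0], dport=flow[1])
```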
Implementing Wireless Security
Tomsho, Tittel, Johnson (2007), Wikipedia
• Attackers who drive around looking for wireless LANs to intercept
are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
• Service Set Identifier – identifies network
– Wired Equivalency Protocol (WEP)
• 1999 – Can be cracked in 2 minutes with available software
– Wi-Fi Protected Access (WPA)
• 2003 – Stronger than WEP. Not supported by all access points.
– 802.11i
• 2004 – same as WPA2, superset of WPA.
– MAC address filtering
• Access control list based on MAC address
• You should also set policies: limit AP signal access, change
encryption key regularly, etc.
19
References
Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston:
Thompson Course Technology.
Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide.
Indianapolis: Cisco Press.
Tunneling (2005). Tunneling. Retrieved 03/26/2007 from
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213230,00.html
Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from
http://en.wikipedia.org/wiki/OSI_Model
Wikipedia-IPSec (n.d.). IPsec. Retrieved 01/30/2007 from
http://en.wikipedia.org/wiki/Ipsec
Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from
http://en.wikipedia.org/wiki/Vpn
Wikipedia-firewall (n.d.). Firewall (Networking). Retrieved 01/30/2007 from
http://en.wikipedia.org/wiki/Firewall
Wikipedia-NAT (n.d.). Network Address Translation. Retrieved 01/30/2007 from
http://en.wikipedia.org/wiki/Network_address_translation
20