Transcript Chapter 14

Network+ Guide to Networks, Fourth Edition
Chapter 14
Network Security
Objectives
• Identify security risks in LANs and WANs and
design security policies that minimize risks
• Explain how physical security contributes to
network security
• Discuss hardware- and design-based security
techniques
• Use network operating system techniques to provide
basic security
Objectives (continued)
• Understand methods of encryption, such as SSL and
IPSec, that can secure data in storage and in transit
• Describe how popular authentication protocols, such
as RADIUS, TACACS, Kerberos, PAP, CHAP, and
MS-CHAP, function
• Understand wireless security protocols, such as
WEP, WPA, and 802.11i
Security Audits
• Every organization should assess security risks by
conducting a security audit
– Thorough examination of each aspect of network to
determine how it might be compromised
– At least annually, preferably quarterly
• The more devastating a threat’s effects and the more
likely it is to happen, the more rigorously your
security measures should address it
• In-house or third-party audits
Security Risks
• Not all security breaches result from manipulation of
network technology
– Staff members purposely or inadvertently reveal
passwords
– Undeveloped security policies
• Malicious and determined intruders may “cascade”
their techniques
Risks Associated with People
• Human errors, ignorance, and omissions cause
majority of security breaches
• Risks associated with people:
– Social engineering or snooping to obtain passwords
– Incorrectly creating or configuring user IDs, groups, and
their associated rights on file server
– Overlooking security flaws in topology or hardware
configuration
– Overlooking security flaws in OS or application
configuration
– Lack of documentation and communication
Risks Associated with People
• Risks associated with people (continued):
–
–
–
–
–
Dishonest or disgruntled employees
Unused computer or terminal left logged on
Easy-to-guess passwords
Leaving computer room doors open or unlocked
Discarding disks or backup tapes in public waste
containers
– Neglecting to remove access and file rights when required
– Writing passwords on paper
Risks Associated with Transmission and Hardware
• Risks inherent in network hardware and design:
– Transmissions can be intercepted
– Networks using leased public lines vulnerable to
eavesdropping
– Network hubs broadcast traffic over entire segment
– Unused hub, router, or server ports can be exploited and
accessed by hackers
– Not properly configuring routers to mask internal subnets
Risks Associated with Transmission and Hardware
• Risks inherent in network hardware and design
(continued):
– Modems attached to network devices may be configured
to accept incoming calls
– Dial-in access servers may not be carefully secured and
monitored
– Computers hosting very sensitive data may coexist on the
same subnet with computers open to public
– Passwords for switches, routers, and other devices may
not be sufficiently difficult to guess, changed frequently,
or may be left at default value
Risks Associated with Protocols and Software
• Networked software only as secure as it is
configured to be
• Risks pertaining to networking protocols and
software:
– TCP/IP contains several security flaws
– Trust relationships between one server and another may
allow hackers to access entire network
– NOSs may contain “back doors” or security flaws
allowing unauthorized access to system
Risks Associated with Protocols and Software
• Risks pertaining to networking protocols and
software (continued):
– If NOS allows server operators to exit to a command
prompt, intruders could run destructive command-line
programs
– Administrators might accept the default security options
after installing an OS or application (often not optimal)
– Transactions that take place between applications may be
open to interception
Risks Associated with Internet Access
• Common Internet-related security issues:
– Firewall may not be adequate protection, if not configured
properly
• IP spoofing
– When user Telnets or FTPs to site over Internet, user ID
and password transmitted in plain text
– Hackers may obtain information about user IDs from
newsgroups, mailing lists, forms filled out on Web
– Flashing
– Denial-of-service attack
An Effective Security Policy
• Security policy identifies security goals, risks, levels
of authority, designated security coordinator and
team members, responsibilities for team members,
responsibilities for each employee
– Specifies how to address security breaches
– Should not state exact hardware, software, architecture, or
protocols used to ensure security
• Nor how hardware or software will be installed and configured
– Details change occasionally
Security Policy Goals
• Typical goals for security policies:
– Ensure authorized users have appropriate access to
resources
– Prevent unauthorized users from gaining access to
network, systems, programs, or data
– Protect sensitive data from unauthorized access
– Prevent accidental or intentional damage to hardware or
software
– Create environment in which network and systems can
withstand and recover from any type of threat
– Communicate each employee’s responsibilities
Security Policy Content
• After risks identified and responsibilities assigned,
policy’s outline should be generated
• Possible subheadings: Passwords; Software
installation; Confidential and sensitive data;
Network access; E-mail use; Internet use; Modem
use; Remote access; Connecting to remote locations,
Internet, and customers’ and vendors’ networks; Use
of laptops and loaner machines; Computer room
access
Security Policy Content
• Explain to users what they can and cannot do and
how these measures protect network’s security
• Create separate section of policy that applies only to
users
• Define what “confidential” means to organization
Response Policy
• Security response team should regularly rehearse
defense strategy
• Suggestions for team roles:
–
–
–
–
Dispatcher
Manager
Technical support specialist
Public relations specialist
• After resolving a problem, team reviews what
happened, determines how it might have been
prevented, implements measures to prevent future
problems
Physical Security
• Restrict physical access to components
– Computer room, hubs, routers, switches, etc.
• Locks may be physical or electronic
– Electronic access badges
– Numeric key codes
– Bio-recognition access
• Closed-circuit TV systems
• Most important way to ensure physical security is to
plan for it
Physical Security
Figure 14-1: Badge access security system
Security in Network Design: Firewalls
• Selectively filter or block traffic between networks
– Hardware-based, software-based, or combination
• Packet-filtering firewall examines header of every
packet of data received
– Common filtering criteria:
•
•
•
•
•
•
IP addresses
Ports
Flags set in IP header
Transmissions that use UDP or ICMP
First packet in new data stream?
Inbound or outbound?
Security in Network Design: Firewalls
• Factors when choosing a firewall:
–
–
–
–
–
–
–
Supports encryption?
Supports user authentication?
Allows central management?
Easily establishes rules for access?
Supports filtering at highest layers of OSI Model?
Provides logging, auditing, alerting capabilities?
Protects identity of internal LAN’s addresses?
• Cannot distinguish between user trying to breach
firewall and user authorized to do so
Proxy Servers
• Proxy service: software that acts as intermediary
between external and internal networks
– Screen all incoming and outgoing traffic
• Manage security at Application layer
• May be combined with Firewall for greater security
• Improve performance for users accessing resources
external to network by caching files
Proxy Servers
Figure 14-4: A proxy server used on a WAN
Remote Access
• Must remember that any entry point to a LAN or
WAN creates potential security risk
• Remote control:
– Can present serious security risks
– Most remote control software programs offer features that
increase security
– Desirable security features:
• User name and password requirement
• Ability of host system to call back
• Support for data encryption
Remote Access
• Remote control (continued):
– Desirable security features (continued):
• Ability to leave host system’s screen blank while remote user
works
• Ability to disable host system’s keyboard and mouse
• Ability to restart host system when remote user disconnects
Remote Access
• Dial-up networking
– Effectively turns remote workstation into node on network
– Secure remote access server package should include at
least:
• User name and password authentication
• Ability to log all dial-up connections, their sources, and their
connection times
• Ability to perform callbacks to users
• Centralized management of dial-up users and their rights on
network
Network Operating System Security
• Regardless of NOS, can implement basic security by
restricting what users authorized to do
– Limit public rights
– Administrators should group users according to security
levels
Logon Restrictions
• Additional restrictions that network administrators
can use to strengthen security of network:
–
–
–
–
Time of day
Total time logged on
Source address
Unsuccessful logon attempts
Passwords
• Tips for making and keeping passwords secure:
–
–
–
–
–
–
–
–
Always change system default passwords
Do not use familiar information
Do not use dictionary words
Make password longer than eight characters
Choose combination of letters and numbers
Do not write down or share passwords
Change password at least every 60 days
Do not reuse passwords
Encryption
• Use of algorithm to scramble data into format that
can be read only by reversing the algorithm
• Encryption provides following assurances:
– Data not modified after sender transmitted it and before
receiver picked it up
– Data can only be viewed by intended recipient
– All data received at intended destination truly issued by
stated sender and not forged by an intruder
Key Encryption
• Key: random string of characters
• Weaves key into original data’s bits to generate
unique data block
– Ciphertext
– Longer keys make it more difficult to decrypt
– Hackers may attempt to crack a key by using brute force
attack
• Keys randomly generated by encryption software
Key Encryption
Figure 14-5: Key encryption and decryption
Private Key Encryption
• Data encrypted using single key that only sender and
receiver know
• Data Encryption Standard (DES): 56-bit key
– Triple DES (3DES): weaves 56-bit key through data three
times
• Advanced Encryption Standard (AES): weaves 128-,
160-, 192-, or 256-bit keys through data multiple
times
– Used in military communication
• Sender must share key with recipient
Private Key Encryption (continued)
Figure 14-6: Private key encryption
Public Key Encryption
• Data encrypted using two keys:
– Private key
– Public key associated with user
• Public key server: publicly accessible host that
freely provides list of users’ public keys
• Key pair: combination of public key/private key
• Public keys more vulnerable than private keys
– Use longer keys
– RSA: most popular public key algorithm
• Digital certificate: password-protected, encrypted
file that holds identification information
Public Key Encryption
Figure 14-7: Public key encryption
PGP (Pretty Good Privacy)
• Typical e-mail communication is highly insecure
• PGP: public key encryption system that can verify
authenticity of an e-mail sender and encrypt e-mail
data in transmission
– Freely available
– Most popular tool for encrypting e-mail
– Can be used to encrypt data on storage devices or with
applications other than e-mail
SSL (Secure Sockets Layer)
• Method of encrypting TCP/IP transmissions en route
between client and server
– Public key encryption
• HTTPS (HTTP over Secure Sockets Layer): uses
TCP port 443, rather than port 80
• SSL session: association between client and server
defined by agreement on specific set of encryption
techniques
– Created by SSL handshake protocol
• IETF has attempted to standardize SSL with
Transport Layer Security (TLS)
SSH (Secure Shell)
• Provides remote connections to hosts
– With authentication and security for transmitting data
– Guards against unauthorized access to host, IP spoofing,
interception of data in transit, and DNS spoofing
– Variety of encryption algorithms can be used
• To form secure connection, must be running on
client and server
• Must first generate public and private keys on client
workstation
– ssh keygen command
SCP (Secure CoPy) and
SFTP (Secure File Transfer Protocol)
• SCP: allows secure copying of files from one host to
another
– Replaces FTP
• SFTP: slightly different from SCP
– Used with proprietary version of SSH
– Does more than copy files
IPSec (Internet Protocol Security)
• Defines encryption, authentication, and key
management for TCP/IP transmissions
– Encrypts data by adding security information to header of
IP packets
– Operates at Network layer
• Accomplishes authentication in two phases:
– Key management: Internet Key Exchange (IKE)
– Encryption: authentication header (AH) or Encapsulating
Security Payload (ESP)
• Can be used with any type of TCP/IP transmission
Authentication Protocols:
RADIUS and TACACS
• Authentication protocols: rules that computers
follow to accomplish authentication
• RADIUS: provides centralized network
authentication and accounting for multiple users
– Runs over UDP
– Can operate as software application on remote access
server or on a RADIUS server
– Often used with dial-up networking connections
• Terminal Access Controller Access Control System
(TACACS): similar to RADIUS
Authentication Protocols: RADIUS and
TACACS (continued)
Figure 14-8: A RADIUS server providing centralized
authentication
PAP (Password Authentication Protocol)
• Authentication protocol that works over PPP
– Simple, not very secure
– Does not protect against possibility of malicious intruder
attempting to guess user’s password through brute force
attack
Figure 14-9: Two-step authentication used in PAP
CHAP and MS-CHAP
• Challenge Handshake Authentication Protocol
(CHAP): operates over PPP
– Encrypts user names and passwords
– Three-way handshake
– Password never transmitted alone or as clear text
• Microsoft Challenge Authentication Protocol (MSCHAP): similar to CHAP
– Used on Windows systems
– MS-CHAPv2 uses stronger encryption
• Mutual authentication: both computers verify credentials of the
other
CHAP and MS-CHAP (continued)
Figure 14-10: Three-way handshake used in CHAP
EAP (Extensible Authentication Protocol)
• Another extension to PPP protocol suite
– Does not perform encryption or authentication
– Requires authenticator to initiate authentication process by
asking connected computer to verify itself
– Flexible: supported by most OSs and can be used with any
authentication method
– Works with biorecognition and wireless protocols
Kerberos
• Cross-platform authentication protocol
– Uses key encryption to verify identity of clients and to
securely exchange information
– Significant advantages over NOS authentication
• Does not automatically trust clients
• Requires client to prove identity through third party
– Key Distribution Center (KDC): server that issues keys
– authentication service (AS): authenticates a principal
• Issues a ticket
Kerberos (continued)
• Purpose of Kerberos is to connect valid user with a
service
– User and service must register keys with authentication
service
– AS issues session key to both
• Randomly generated
– AS creates ticket allowing user to use service
• Contains key that can only be decrypted by service
– User’s computer creates time stamp for request
• Encrypts with session key (authenticator)
Wireless Network Security:
WEP (Wired Equivalent Privacy)
• Wireless transmissions susceptible to eavesdropping
– War driving
• By default, 802.11 standard does not offer security
– Allows for optional encryption using WEP
• Uses keys to authenticate network clients and encrypt data in
transit
• Network key
• On Windows XP, network key can be saved as part of wireless
connection’s properties
• Current versions of WEP allow 28-bit network keys
IEEE 802.11i and
WPA (Wi-Fi Protected Access)
• Uses EAP with strong encryption scheme
– Dynamically assigns every transmission own key
– Logging on to wireless network more complex than with
WEP
– AP acts as proxy between remote access server and station
until station successfully authenticates
– Requires mutual authentication
– After authentication, remote access server instructs AP to
allow traffic from client into network
– Client and server agree on encryption key
IEEE 802.11i and WPA (continued)
• 802.11i specifies AES encryption method
– Mixes each packet in data stream with different key
• WPA: subset of 802.11i standard
– Main difference from 802.11i is that WPA specifies RC4
encryption rather than AES
Summary
• Every organization should assess its security risks by
conducting a security audit at least annually
• One of the most common methods by which an
intruder gains access to a network is to simply ask a
user for his password
• There are many security risks that a network
administrator must guard against, including risks
associated with people, network transmission and
design, and network protocols and software
Summary (continued)
• A security policy identifies an organization’s
security goals, risks, levels of authority, designated
security coordinator and team members,
responsibilities for each team member and each
employee, and strategies for addressing security
breaches
• A firewall is a specialized device that selectively
filters or blocks traffic between networks
• A proxy service is a software application on a
network host that acts as an intermediary between
the external and internal networks, screening all
incoming and outgoing traffic
Summary (continued)
• Every NOS provides at least some security by
allowing you to limit users’ access to files and
directories on the network
• Choosing secure passwords is one of the easiest and
least expensive ways to guard against unauthorized
access
• Encryption is the use of an algorithm to scramble
data into a format that can be read only by reversing
the algorithm
• Key encryption comes in two forms: public and
private key encryption
Summary (continued)
• Popular methods of encryption include PGP, SSL,
SSH and OpenSSH, and IPSec
• Authentication protocols used with PPP connections
include RADIUS, TACACS, PAP, CHAP, and MSCHAP
• Because WEP uses the same key for all stations
attaching to an AP and for all transmissions, it is not
very secure
• In 802.11i, the EAP authentication method is
combined with AES encryption