Firewall Technologies MAC filtering


Protecting Your Network
Chapter 17
Objectives
• Discuss the common security threats in
network computing
• Describe the methods for securing user
accounts
• Explain how firewalls, NAT, port
filtering, and packet filtering protect
a network from threats
Overview
Introduction to Protecting
Your Network
• What are the threats to networks?
– Hackers, etc.
– Authorized users with good intentions
– Natural disasters
– A network threat is anything that can potentially
damage network data, machines, or users
• Explore tools and methods for protection
Three Parts to Chapter 17
• Common Threats
• Securing User Accounts
• Firewalls
Common Threats
• Summary of Common Threats
– System crashes/other hardware failures
– Administrative access-control weaknesses
– Malware, such as viruses and worms
– Social engineering
– Denial of Service attacks
– Physical intrusion
– Rogue access points
• System crash/hardware failure
– Types of failures
• Hard drives crash
• Servers lock up
• Power fails
– Redundancy in areas prone to failure
• Power backup system
• Data backups
• Hardware redundancy for fault tolerance
• Administrative access control
– Access control list
– Powerful administrative tools
– Need to keep tools secure
– “Super Accounts”
• Windows Administrator account
• Linux and Macintosh OS X root account
• Malware
– Code designed to do something bad
– Virus
• Has two jobs
– Replicate
»Makes copies of itself to disks
– Activate
»Does something bad
• Malware
– Worm
• Similar in function to a virus
• Replicates exclusively through networks
• Sends out copies of itself
• Malware
– Macro
• Any virus exploiting application macros to
replicate and activate
• Exists in any application that has built-in
macro language
– Microsoft Excel
– Microsoft Word
– And more…
• Malware
– Trojan
• Looks like something harmless
• Remote administration tool (RAT)
– Turns infected computer into a server
controlled by a remote user
– Captures keystrokes, passwords, files, credit
card information, etc.
– Does not replicate
• Malware
– Rootkit
• Malware that hides its own files and processes
from the operating system and from all but the
most aggressive anti-malware tools
• Example
– Sony BMG’s antipiracy scheme on music CDs (2005)
– Installed on computers as a rootkit
– Its cloaking created a backdoor that other
malware could use to hide
• Malware
– Adware
• Monitors types of Web sites you frequent
• Uses information to generate targeted
advertisements
• Often uses pop-up windows for ads
• Not overtly evil
• Often uses deceptive practices
• Considered malware by most
• Malware
– Spyware
• Sends information about your system or
actions over the Internet
• May send keystrokes
• May send all contacts in your address book
• Dealing with Malware
– Anti-malware programs
• Should run on every computer
• Should also be on a network appliance
• Update regularly
– Training
• All users trained to look for suspicious code
• All users trained to not run suspicious code
– Procedures describe what to do if users
encounter malware
• Social Engineering
– Manipulating people to gain access
to a network
– Many ways to use people to gain
unauthorized information
– Telephone scam
– Physical entry
– Phishing
• Denial of Service (DoS)
– Attack that makes a network or service unavailable
– Floods the target with more requests than it can handle
– Smurf attack
• A DoS attack that sends PINGs (ICMP echo requests)
to a network’s broadcast address
• Source IP spoofed to the victim’s address, so every
host on that network replies to the victim (amplification)
• Distributed Denial of Service (DDoS)
– More menacing than a simple DoS
– Uses multiple computers under the control
of a single operator
– DDoS operators use malware to control
computers used in the attack
• Zombie – one controlled computer
• Botnet – a group of controlled computers
• Prevention
– Your computer cannot be controlled until
someone installs malware on it
– Anti-malware, training, and procedures reduce
the chance of your computer becoming a
zombie
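The Smurf pattern described above, as an added detection example (not from the chapter): it parses a constructed ICMP packet log, flags echo requests aimed at a directed-broadcast address, and measures how many replies each spoofed source (the real victim) received per request. The log format, the assumption that inside networks are /24 (so x.y.z.255 is the broadcast address), and every address in it are constructed for the demonstration.

```python
"""Detect Smurf-style ICMP amplification in a packet log.

Added example, not code from the chapter. The log lines, the address
plan and the /24 broadcast assumption are all constructed.
"""
import re
from collections import defaultdict

BROADCAST_SUFFIX = ".255"   # assumption: every inside network is a /24

# Constructed log: timestamp, ICMP type, src -> dst
LINE_RE = re.compile(r"^(\S+) ICMP (echo-request|echo-reply) (\S+) -> (\S+)$")

SAMPLE_LOG = """\
10:00:01 ICMP echo-request 10.0.0.7 -> 192.168.1.255
10:00:01 ICMP echo-reply 192.168.1.11 -> 10.0.0.7
10:00:01 ICMP echo-reply 192.168.1.12 -> 10.0.0.7
10:00:01 ICMP echo-reply 192.168.1.13 -> 10.0.0.7
10:00:02 ICMP echo-request 192.168.1.20 -> 192.168.1.21
10:00:02 ICMP echo-reply 192.168.1.21 -> 192.168.1.20
10:00:02 ICMP echo-request 10.0.0.7 -> 192.168.1.255
10:00:02 ICMP echo-reply 192.168.1.11 -> 10.0.0.7
10:00:02 ICMP echo-reply 192.168.1.12 -> 10.0.0.7
10:00:02 ICMP echo-reply 192.168.1.13 -> 10.0.0.7
"""


def parse(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, kind, src, dst) for every well-formed line."""
    records = []
    for line in log_text.strip().splitlines():
        match = LINE_RE.match(line)
        if match:
            records.append(match.groups())
    return records


def detect_smurf(log_text: str, min_amplification: float = 2.0) -> dict:
    """Map each suspected victim to request/reply counts and amplification.

    A victim is the source address of echo requests sent to a broadcast
    address: in a Smurf attack that source is spoofed to the target, so the
    replies from every host on the segment land on it.
    """
    requests = defaultdict(int)   # spoofed source -> broadcast echo requests
    replies = defaultdict(int)    # destination -> echo replies received
    for _ts, kind, src, dst in parse(log_text):
        if kind == "echo-request" and dst.endswith(BROADCAST_SUFFIX):
            requests[src] += 1
        elif kind == "echo-reply":
            replies[dst] += 1

    findings = {}
    for victim, n_req in requests.items():
        n_rep = replies.get(victim, 0)
        amplification = n_rep / n_req
        if amplification >= min_amplification:
            findings[victim] = {"requests": n_req, "replies": n_rep,
                                "amplification": amplification}
    return findings


if __name__ == "__main__":
    for victim, info in detect_smurf(SAMPLE_LOG).items():
        print(f"{victim}: {info['requests']} broadcast requests, "
              f"{info['replies']} replies, x{info['amplification']:.1f}")
```

The normal ping between 192.168.1.20 and .21 is not flagged because its destination is a single host. The fix on the network side is to stop routers from forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on the interface), which removes the amplifier entirely.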
• Physical Intrusion
– Protect servers from physical intrusion
• Lock up servers and switches
– Server rooms with key-card locks
– Log of people entering server rooms
– Server locked in a closet at a small site
• Never walk away from a server without
logging off
• Add a password-protected screensaver
Figure 17.1 Applying a password-protected
screensaver
• Protecting clients from physical intrusion
– Use screensaver passwords
– Use paper shredders
– Mind work area
• Do not leave passwords on or near desk
• If you must write down passwords, keep
in locked drawers
• Rogue Access Points
– Unauthorized WAPs
– Huge problem today
– Cheap, easy way to plug into a network
– Employees install them for convenience
– Rarely installed by bad guys
– Bad guys detect unsecured WAPs
– A wireless sniffer still finds WAPs with SSID
broadcasting turned off; hiding the SSID is
not a security control
Securing User Accounts
• Overview of Securing User Accounts
– Internal threats
• Unauthorized access
• Data destruction
• Other administrative problems
• Passwords
– Ultimate key to protecting the network
– Protect your passwords
– Make users choose good passwords
– Make users change passwords at
regular intervals (current NIST guidance in
SP 800-63B instead calls for a change when
compromise is suspected and for screening new
passwords against lists of breached ones)
– Do not write passwords on anything!
Figure 17.2 Windows Server option for requiring a
user to change a password
• Alternatives to Entering Password
– Smart devices
• Smart cards (credit-card form factor)
• USB keys, other small devices
– Biometric devices
• Fingerprint scanner
• Retina scanner
• Voice recognition
• Authentication Factor
– Something used to authenticate
• Ownership factor: something the user has
• Knowledge factor: something the user knows
• Inherent factor: a part of the user
– Two-factor authentication combines
factors
• Controlling User Accounts
– Contains user name and password
– Access to accounts restricted
– Least privilege approach = permission to
access only the resources a user needs
– Tight control is critical
– Disable unused accounts
• Controlling User Accounts with Groups
– Minimizes administrator’s burden
– Add user to one or more groups
– Assign permissions to groups
– Effective permissions
– Be careful of default groups
• Everyone
• Guest
• Users
Figure 17.3 Giving a group permissions for a
folder in Windows
Figure 17.4 Adding a user to a newly created group
• Diligence in Managing User Accounts
– Administrator often part of human
resources
– Create, disable, enable, and delete user
accounts based on employee status
– Keep up with employee changes
• Inheritance
– One set of permissions for a user
explicitly assigned to a folder
– Second set of explicit permissions to a
subfolder
– Inheritance determines user’s actual
permissions to subfolder and contents
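Effective permissions, groups and inheritance, as an added worked example (not code from the chapter): a simplified model of how Windows evaluates a user's access to a folder. ACEs that name the user or any of the user's groups count; ACEs set explicitly on a folder are considered before ACEs inherited from the parent chain; within each of those levels a Deny beats an Allow; and a right no ACE grants is denied. The users, groups, folder paths and ACEs below are constructed for the demonstration.

```python
"""Effective permissions from group membership plus inheritance.

Added example, not code from the chapter. Simplified Windows semantics:
explicit ACEs before inherited ones, Deny before Allow within a level,
implicit deny when nothing matches. All names and paths are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

RIGHTS = ("read", "write")


@dataclass(frozen=True)
class Ace:
    principal: str            # user or group name
    access: str               # "allow" or "deny"
    rights: frozenset[str]


@dataclass
class Folder:
    path: str
    explicit: list[Ace] = field(default_factory=list)  # ACEs set on this folder
    parent: Folder | None = None
    inherits: bool = True     # False = inheritance disabled on this folder


# Constructed membership; "Everyone" and "Users" stand in for the
# Windows default groups the chapter warns about.
GROUPS = {
    "Everyone": {"alice", "bob", "carol"},
    "Users": {"alice", "bob"},
    "Finance": {"alice"},
}


def principals_for(user: str) -> set[str]:
    """The user's own name plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def acl_levels(folder: Folder) -> list[list[Ace]]:
    """Explicit ACEs first, then inherited ones from parent, grandparent, ..."""
    levels = [folder.explicit]
    node = folder
    while node.inherits and node.parent is not None:
        node = node.parent
        levels.append(node.explicit)
    return levels


def effective_rights(user: str, folder: Folder) -> frozenset[str]:
    """Rights the user actually has on the folder after all ACEs are applied."""
    principals = principals_for(user)
    granted = set()
    for right in RIGHTS:
        for level in acl_levels(folder):
            hits = [a for a in level if a.principal in principals and right in a.rights]
            if any(a.access == "deny" for a in hits):
                break                      # Deny at this level wins
            if any(a.access == "allow" for a in hits):
                granted.add(right)
                break                      # Allow here beats lower levels
        # no ACE at any level mentioned this right: implicit deny
    return frozenset(granted)


ROOT = Folder(r"D:\Shares", explicit=[
    Ace("Everyone", "allow", frozenset({"read"})),   # a default group grants read to all
    Ace("Users", "deny", frozenset({"write"})),
])
PAYROLL = Folder(r"D:\Shares\Payroll", parent=ROOT, explicit=[
    Ace("Finance", "allow", frozenset({"read", "write"})),  # explicit Allow beats inherited Deny
])
ARCHIVE = Folder(r"D:\Shares\Payroll\Archive", parent=PAYROLL, inherits=False, explicit=[
    Ace("Finance", "allow", frozenset({"read"})),
    Ace("Everyone", "deny", frozenset({"write"})),
])

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for folder in (ROOT, PAYROLL, ARCHIVE):
            print(f"{user:6} {folder.path:28} {sorted(effective_rights(user, folder))}")
```

Two things to notice when running it: alice can write to Payroll only because an explicit Allow on that folder is evaluated before the Deny she inherits through Users, and carol, who is in no group but Everyone, still reads Payroll because that inherited default-group ACE was never removed. Disabling inheritance on Archive cuts both of those chains, so bob ends up with no rights there at all.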
Firewalls
• Introduction to Firewalls
– Firewalls protect a private network from
external threats
– They use a variety of methods
– Not necessarily a dedicated device
– Placement of firewalls
• Network-based at the edge of a network
– a.k.a. a hardware firewall
• Host-based in user’s computers
• Firewall Technologies
– Hiding IPs
• Network Address Translation (NAT)
• Built into most routers
– Port Filtering (a.k.a. port blocking)
• Restricts packets based on port numbers
– Packet Filtering (a.k.a. IP filtering)
• Blocks packets based on IP address
Figure 17.5 The netstat –n command showing
HTTP connections
Figure 17.6 Web-based port filtering interface
Figure 17.7 YaST configuration program
Figure 17.8 Blocking IP addresses
• Firewall Technologies
– Stateless filtering
• Checks each packet on its own, using only
IP addresses and port numbers
• Cannot tell a reply to an inside connection
from an unsolicited inbound packet
– Stateful filtering
• Tracks each connection (e.g., the TCP
handshake) and examines packets as a stream
• Admits inbound packets only if they belong to
a connection already allowed; drops packets
that disrupt a stream or do not fit one
• Layer 7 application proxies
– Terminate the connection and inspect the
application data itself; the most thorough
form of stateful filtering
– Slower and more expensive than stateless filters
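Port filtering, packet filtering and the stateless/stateful distinction above, as an added simulation (not code from the chapter or any firewall product). A rule table filters on addresses and ports; the stateless filter applies it to every packet, so the administrator has to open inbound TCP from source port 443 to all high ports just to let HTTPS replies back in, and an attacker's probe from port 443 walks through the same hole. The stateful filter remembers connections it allowed and admits only their return traffic. The inside network (192.168.1.0/24), all addresses, ports and the packet trace are constructed for the demonstration.

```python
"""Stateless vs stateful packet filtering on a constructed packet trace.

Added example, not code from the chapter. Inside network, addresses,
ports and packets are all constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."        # assumption: the protected /24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False

    @property
    def direction(self) -> str:
        return "out" if self.src.startswith(INSIDE_PREFIX) else "in"

    @property
    def opens_connection(self) -> bool:
        # A TCP connection starts with a bare SYN (no ACK).
        return self.proto == "tcp" and self.syn and not self.ack


def _port_ok(spec, port: int) -> bool:
    """spec is None (any), an exact port, or an inclusive (low, high) range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "drop"
    direction: str                     # "in" or "out"
    proto: str | None = None           # None matches any protocol
    sport: int | tuple | None = None
    dport: int | tuple | None = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (self.proto is None or self.proto == pkt.proto)
                and _port_ok(self.sport, pkt.sport)
                and _port_ok(self.dport, pkt.dport))


def stateless_decide(rules: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


class StatefulFirewall:
    """Same rule table, plus a connection table of allowed 5-tuples."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.table: set[tuple] = set()

    def decide(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.table:           # reply to a connection we allowed
            return "allow"
        if pkt.opens_connection:            # new connection: consult the rules
            action = stateless_decide(self.rules, pkt)
            if action == "allow":
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return action
        return "drop"                       # mid-stream packet with no state


# Stateless table: the last rule is the "reply hole" an admin must open so
# that HTTPS responses to inside browsers are not dropped.
STATELESS_RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", "tcp", dport=80),                      # public web server
    Rule("allow", "in", "tcp", sport=443, dport=(1024, 65535)),
]

# Stateful table: no reply hole; the connection table handles return traffic.
STATEFUL_RULES = [
    Rule("allow", "out"),
    Rule("allow", "in", "tcp", dport=80),
]

TRACE = [
    Packet("192.168.1.20", 51000, "203.0.113.5", 443, syn=True),             # 1 inside client opens HTTPS
    Packet("203.0.113.5", 443, "192.168.1.20", 51000, syn=True, ack=True),   # 2 legitimate SYN/ACK reply
    Packet("198.51.100.9", 443, "192.168.1.20", 51000, ack=True),            # 3 attacker probe from port 443
    Packet("198.51.100.9", 40000, "192.168.1.10", 80, syn=True),             # 4 visitor to the web server
    Packet("198.51.100.9", 40001, "192.168.1.10", 3389, syn=True),           # 5 RDP probe
]


def run_stateless(rules=STATELESS_RULES, trace=TRACE) -> list[str]:
    return [stateless_decide(rules, p) for p in trace]


def run_stateful(rules=STATEFUL_RULES, trace=TRACE) -> list[str]:
    fw = StatefulFirewall(rules)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    print("stateless:", run_stateless())
    print("stateful: ", run_stateful())
```

Packet 3 is the point of the exercise: it is indistinguishable from packet 2 to a stateless filter (same source port, same destination port range), but the stateful filter drops it because no inside host ever opened a connection to 198.51.100.9. The web-server rule behaves the same way under both filters, which is why port filtering alone is adequate for services you deliberately expose but not for protecting clients.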
• Firewall Technologies
– MAC filtering
• Similar to packet filtering
• Filters based on MAC address of client
• Can be defeated through MAC spoofing: the
allowed MAC addresses appear in every frame
on the segment, and an attacker can copy one
onto their own NIC
• Personal Firewalls
– CompTIA calls these host-based firewalls
– Once considered optional on dial-up connections;
advisable on any Internet connection and
necessary on always-on broadband
• Turn off Windows File and Print Sharing
• Enable a personal firewall
– Use in addition to hardware firewall
– Windows Firewall, Zone Alarm Pro, etc.
– Windows ICS is only a NAT router, not a firewall
Figure 17.9 ZoneAlarm Pro
• Windows Firewall
– Works with or without ICS
– Included with Windows
– Default blocks all incoming IP packets
that attempt to initiate a session
– If needed, manually open ports
– OK for single machine or small network
• Honey Pot
– Creates a fake, attackable network or host
that records the attacker’s attempts
Figure 17.10 Enabling Windows Firewall
Figure 17.11 Opening TCP/IP ports in Windows
Firewall
• Network Zones
– Each zone has a level of access to network
– Firewall sits between gateway router and
private network
– Demilitarized zone (DMZ)
• Lightly protected network between private
network and Internet, where public-facing
servers (Web, mail) are placed
• Created by two routers or firewalls, or by
one firewall with a third interface
– Intranet – firewall-protected private network
Figure 17.12 A DMZ configuration
• Securing Remote Access
– More employees access network
from home
– Cost-effective for workers and employers
– Network security challenge
– Balance security with ease of access