Network Assets


ITEC 275
Computer Networks – Switching, Routing, and
WANs
Week 8
Robert D’Andrea
Summer 2016
Agenda
– Review most troubling midterm exam questions
– Learning Activities
– Security
– Threats and Risks
– Security Policy
– IPsec
– Security Mechanisms
– Wireless Security
– SNMP
The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
The 12 Step Program (continued)
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Network Assets
An enterprise's assets may be broadly divided into two categories. The first is physical assets, which include buildings, machinery, financial assets and infrastructure. Hardware such as routers, internetworking devices, cabling, and switches are all devices needed to conduct a business.
The second category is intangible assets, which range from human capital and know-how to ideas, brands, designs and other intangible fruits of a company's creative and innovative capacity. Traditionally, physical assets were the bulk of the value of a company, and were considered to be largely responsible for determining the competitiveness of an enterprise in the marketplace. In recent years, the situation has changed significantly.
Increasingly, and largely as a result of the information technologies revolution and the growth of the service economy, companies are realizing that intangible assets are often becoming more valuable than their physical assets.
In countries such as Finland, the UK and the US, investment in intangibles matches or actually outstrips investment in tangibles. Today, many knowledge-based companies possess relatively little tangible capital. For example, in early 2009 physical assets only made up about 5% of Google's total worth.
Software (operating systems, applications, and data).
Less Obvious Network Assets
Intellectual property: the collective wisdom of your employees or customers is vast and waiting to be tapped. Bloomfire is a knowledge base built to capture, archive, and grow the knowledge that already exists within or about your organization.
Bloomfire develops software that allows companies to share information on a web-based application platform. The software application, launched in 2012, allows users to create team communities where people can post questions and answers, and add or create new content. The content can be uploaded in the form of videos, photos or text documents. The social platform allows users to "follow", "share", and "like" other users' content; it also has screen-recording capabilities. The software aims to increase accessibility to information within a company. The application can be accessed from a device connected to the Internet, such as a PC, laptop, tablet computer, or smartphone.
Trade secrets: any confidential business information which provides an enterprise a competitive edge may be considered a trade secret. Trade secrets encompass manufacturing, industrial, and commercial secrets. The unauthorized use of such information by persons other than the holder is regarded as an unfair practice and a violation of the trade secret.
A company's reputation is essential to its survival. The trust and confidence of the consumer can have a direct and profound effect on a company's bottom line.
Security Risks
• Hacked network devices
– Data can be intercepted, analyzed, altered, or deleted
– User passwords can be compromised
– Device configurations can be reconfigured
Security Risks
• Reconnaissance attacks are used to initially gather information about a target network or system. At first glance, they seem harmless.
• Denial-of-service (DoS) attacks are increasing.
• Hospital data is encrypted (frozen) in such a way that the data cannot be accessed unless a ransom is paid.
Security Risks (DoS)
Security Tradeoffs
• Tradeoffs must be made between security goals and other goals:
– Affordability
– Usability
– Performance
– Availability
– Manageability
The cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you.
A Security Plan
• A high-level document that proposes what an organization is going to do to meet security requirements. This is a corporate-level decision.
• Specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy.
A Security Plan
• Should reference the network topology and include a list of network services that will be provided. The list should specify who provides the services, who has access to the services, how access is provided, and who administers the services.
A Security Policy
• Informs users, managers, and technical staff of their obligations for protecting technology and information assets. Normally, this is an agreement employees sign as part of their tenure.
A Security Policy
• Per RFC 2196, "The Site Security Handbook," a security policy is a
– "Formal statement of the rules by which people who are given access to an organization's technology and information assets must abide."
• The policy should address
– Access, accountability, authentication, privacy, and computer technology purchasing guidelines
Security Mechanisms
• Physical security (limited access to resources)
• Authentication (who is requesting network services)
• Authorization (who can access network resources)
• Accounting (auditing: collecting data)
• Data encryption (a process of scrambling data to protect its integrity)
Security Mechanisms
• Packet filters (can be set up on routers, firewalls, and servers to accept or deny packets from a particular address or service)
• Firewalls (a device that enforces security policies at the boundary between two or more networks). Traditionally, firewalls are best suited for small businesses' needs.
Security Mechanisms
• Detect and prevent denial of service (DoS) attacks with TCP Intercept, Context-Based Access Control (CBAC), and rate-limiting techniques
• Use Network-Based Application Recognition (NBAR) to detect and filter unwanted and malicious traffic
• Use router authentication to prevent spoofing and routing attacks
• Activate basic Cisco IOS filtering features like standard, extended, timed, lock-and-key, and reflexive ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worms
• Use black hole routing, policy routing, and Reverse Path Forwarding (RPF) to protect against spoofing attacks
Security Mechanisms
What is black hole routing?
Black holes refer to places in the network where incoming or outgoing traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient.
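As an added worked example (not from the slides and not Cisco code), the following Python models the two anti-spoofing mechanisms named on the previous two slides: a strict unicast Reverse Path Forwarding check, which drops a packet when the best route back to its source address does not leave through the interface the packet arrived on, and a black hole route, which silently discards traffic to or from a listed prefix. The routing table, the interface names and the addresses are constructed for the example; "Null0" is the conventional name of a router's discard interface.

```python
import ipaddress

# Constructed routing table for a border router: prefix -> egress interface.
# Routes pointing at "Null0" are black holes: matching traffic is dropped
# without any notification to the sender.
ROUTES = {
    "10.0.0.0/8":      "Gig0/1",   # internal enterprise network
    "192.0.2.0/24":    "Gig0/2",   # DMZ servers
    "198.51.100.0/24": "Null0",    # black-holed prefix (e.g. a known botnet range)
    "0.0.0.0/0":       "Gig0/0",   # default route toward the Internet
}


def best_route(address):
    """Longest-prefix match: return (prefix, interface) of the most specific route."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in ROUTES.items()
               if addr in ipaddress.ip_network(p)]
    net, iface = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), iface


def rpf_check(source_ip, ingress_iface):
    """Strict unicast RPF on an incoming packet.

    The router looks up the packet's *source* address. If the best route back
    to that source is a black hole, or does not point out the interface the
    packet came in on, the source is considered spoofed and the packet is dropped.
    """
    _, iface = best_route(source_ip)
    if iface == "Null0":
        return "drop: source is black-holed"
    if iface != ingress_iface:
        return (f"drop: RPF failure (route to source is via {iface}, "
                f"arrived on {ingress_iface})")
    return "accept"


def forward(destination_ip):
    """Forwarding decision for outgoing traffic; black-holed destinations vanish silently."""
    prefix, iface = best_route(destination_ip)
    if iface == "Null0":
        return "drop (silent)"
    return f"forward via {iface} ({prefix})"


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from the Internet side
    print(rpf_check("10.1.2.3", "Gig0/0"))    # RPF failure -> dropped
    print(rpf_check("10.1.2.3", "Gig0/1"))    # genuine internal host -> accepted
    print(forward("198.51.100.9"))            # black hole -> silently dropped
```

The strict check shown here is appropriate on interfaces with a single path, such as the customer or Internet edge; on multihomed links, where the return route may legitimately differ from the ingress interface, routers offer a loose mode that only requires some route to the source to exist.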
Security Mechanisms
• Apply stateful filtering of traffic with CBAC, including dynamic port mapping
• Use Authentication Proxy (AP) for user authentication
• Perform address translation with NAT, PAT, load distribution, and other methods
• Implement stateful NAT (SNAT) for redundancy
• Use an Intrusion Detection System (IDS) to protect against basic types of attacks
• Obtain how-to instructions on basic logging and learn to easily interpret results
• Apply IPsec to provide secure connectivity for site-to-site and remote access connections
• Read about many, many more features of the IOS firewall for mastery of router security
Security Mechanisms
The Cisco IOS firewall offers you the feature-rich functionality that you've come to expect from best-of-breed firewalls: address translation, authentication, encryption, stateful filtering, failover, URL content filtering, ACLs, NBAR, and many others. Cisco Router Firewall Security teaches you how to use the Cisco IOS firewall to enhance the security of your perimeter routers and, along the way, take advantage of the flexibility and scalability that is part of the Cisco IOS Software package.
Security Mechanisms
• Intrusion Detection Systems (IDS) (detect malicious events and notify an administrator using email, paging, or logging of the occurrences)
• Intrusion Prevention Systems (IPS) (block traffic by adding rules to a firewall or by being configured to inspect traffic as it enters a firewall)
Encryption for Confidentiality and Integrity
• Public/private key encryption
– Asymmetric key system
– All devices use the public key to encrypt data to be sent
– Receiving devices decrypt the data using a private key
• Digital signature
– Encrypt part of your document with a private key
– The receiver decrypts the document using your public key
Encryption for Confidentiality and Integrity
After encrypting your document with your private key, you can encrypt the document with another public key (for example, the IRS's). The IRS then decrypts the document twice.
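As an added example (not from the slides), the following Python walks through exactly the two-layer flow described above with textbook RSA: the sender signs the document with their own private key, then encrypts the signed envelope with the recipient's public key, and the recipient "decrypts twice", first with their private key to recover the envelope, then with the sender's public key to check the signature. The primes, the exponents, the document and the party names (taxpayer and IRS) are constructed for the example; the arithmetic is real RSA but with tiny keys, no padding and byte-at-a-time encryption, so it illustrates the mechanism and is not a usable cipher.

```python
import hashlib


def make_keypair(p, q, e):
    """Textbook RSA key pair from two primes and a public exponent.
    Constructed tiny values: illustrates the slides' flow, not a real key size."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)          # (public key, private key)


def sign(private_key, message):
    """Digital signature: 'encrypt' the message hash with the sender's private key."""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Anyone holding the sender's public key recovers the hash and compares it."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def encrypt(public_key, data):
    """Confidentiality: encrypt each byte with the recipient's public key
    (unpadded, deterministic: fine for illustration, never for real data)."""
    e, n = public_key
    return [pow(b, e, n) for b in data]


def decrypt(private_key, blocks):
    """Only the recipient's private key turns the blocks back into bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def seal(document, sender_private, recipient_public):
    """Sender side: sign with own private key, then encrypt the signed
    envelope with the recipient's public key."""
    signature = sign(sender_private, document)
    envelope = document + signature.to_bytes(8, "big")   # fixed-width trailer
    return encrypt(recipient_public, envelope)


def open_sealed(blocks, recipient_private, sender_public):
    """Recipient side ('decrypts twice'): own private key recovers the envelope,
    the sender's public key checks the signature. Returns (document, valid)."""
    envelope = decrypt(recipient_private, blocks)
    document, sig_bytes = envelope[:-8], envelope[-8:]
    signature = int.from_bytes(sig_bytes, "big")
    return document, verify(sender_public, document, signature)


if __name__ == "__main__":
    taxpayer_pub, taxpayer_priv = make_keypair(65537, 65521, 17)     # constructed keys
    irs_pub, irs_priv = make_keypair(104729, 1299709, 65537)
    doc = b"Form 1040: reported income 50000"
    blocks = seal(doc, taxpayer_priv, irs_pub)
    print(open_sealed(blocks, irs_priv, taxpayer_pub))     # (doc, True)
    tampered = list(blocks)
    tampered[0], tampered[1] = tampered[1], tampered[0]   # two blocks swapped in transit
    print(open_sealed(tampered, irs_priv, taxpayer_pub))  # altered document, False
```

Note the order: signing first and encrypting second means the signature itself travels encrypted, so an eavesdropper cannot even learn who signed the document, and any change to the ciphertext shows up as a signature failure after decryption. Real deployments use 2048-bit or larger keys and padding schemes (OAEP for encryption, PSS for signatures) rather than the raw exponentiation shown here.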
Encryption for Confidentiality and Integrity
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature
Modularizing Security Design
Cisco supports reputation filtering and global correlation services, so that an ISP can keep up to date on global security trends and more accurately deny traffic from networks known to be currently associated with botnets, spam, and other malware.
Modularizing Security Design
• Security defense in depth
– Network security should be multilayered, with many different techniques used to protect the network.
Modularizing Security Design
• Belt-and-suspenders approach
– Don't get caught with your pants down. Each mechanism should have a backup mechanism. The belt and suspenders ensure the pants (system) stay up. Use a dedicated firewall to limit access to resources and a packet-filtering router that adds another line of defense (multiple layers of defense).
Modularizing Security Design
• Secure all components of a modular design:
– Internet connections
– Public servers and e-commerce servers
– Remote access networks and VPNs
– Network services and network management
– Server farms
– User services
– Wireless networks
Securing Internet Connections
• Physical security
• Firewalls and packet filters
• Audit logs, authentication, authorization
• Well-defined exit and entry points
• Routing protocols that support authentication
Internet routers should be backed up with additional filters to prevent DoS (Denial of Service) and other attacks. In turn, these filters should be backed up by additional filters placed on firewall devices. Monitor Internet
Cisco SAFE
• The Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.
Securing Public Servers
• Place servers in a DMZ that is protected via firewalls
• Run a firewall on the server itself
• Enable DoS (denial of service) protection
– Limit the number of connections per timeframe
• Use reliable operating systems with the latest security patches
• Maintain modularity
– A front-end Web server doesn't also run other services
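The "limit the number of connections per timeframe" bullet is the one DoS control above that is simple enough to show in full. The following Python is an added example (not from the slides or any product): a sliding-window limiter that accepts at most N new connections per source address within any window of W seconds, run over constructed traffic in which one host floods and another behaves normally. Timestamps are passed in explicitly rather than read from the clock so the behaviour is reproducible.

```python
from collections import deque


class ConnectionRateLimiter:
    """Sliding-window limit: at most `max_connections` accepted connections
    per source address within any `window_seconds` interval."""

    def __init__(self, max_connections, window_seconds):
        self.max_connections = max_connections
        self.window = window_seconds
        self._history = {}   # source -> deque of accepted connection timestamps

    def allow(self, source, now):
        """Return True if a new connection from `source` at time `now` is accepted."""
        q = self._history.setdefault(source, deque())
        # Forget accepted connections that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_connections:
            return False           # over the limit: refuse (or queue/tarpit) this one
        q.append(now)
        return True


def simulate(limiter, events):
    """Feed (time, source) connection attempts in time order; return
    per-source (accepted, rejected) counts."""
    counts = {}
    for t, src in sorted(events):
        acc, rej = counts.get(src, (0, 0))
        if limiter.allow(src, t):
            counts[src] = (acc + 1, rej)
        else:
            counts[src] = (acc, rej + 1)
    return counts


# Constructed traffic: 203.0.113.7 opens 20 connections within one second (a flood),
# 198.51.100.3 opens one every two seconds (a normal client).
FLOOD = [(0.05 * i, "203.0.113.7") for i in range(20)]
NORMAL = [(2.0 * i, "198.51.100.3") for i in range(5)]

if __name__ == "__main__":
    limiter = ConnectionRateLimiter(max_connections=5, window_seconds=1.0)
    print(simulate(limiter, FLOOD + NORMAL))
    # {'203.0.113.7': (5, 15), '198.51.100.3': (5, 0)}
```

Because the limit is keyed per source, the flooding host is throttled while the normal client is untouched; once the window has passed the flooding host is admitted again, so a legitimate burst recovers on its own. A limiter like this is a backstop on the server itself; the slide's other layers (firewall in front, DMZ placement) still apply.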
Security Topologies
Diagram: Internet, DMZ (Web, File, DNS, Mail servers), Enterprise Network.
Security Topologies
Diagram: Internet, Firewall, DMZ (Web, File, DNS, Mail servers), Enterprise Network.
Securing Remote-Access and Virtual Private Networks (VPN)
• Physical security
• Firewalls
• Authentication, authorization, and auditing
• Encryption
• One-time passwords
Securing Remote-Access and Virtual Private Networks
• Security protocols
– Remote users and routers should authenticate with CHAP
– Authentication, authorization, and accounting are provided by RADIUS. The database includes authentication and configuration information and specifies the types of services a user is permitted to use (PPP, FTP, Telnet).
– IPsec is an IETF standard that provides confidentiality, data integrity, and authentication between participating peers at the IP layer. IPsec provides a secure path between remote users and a VPN concentrator, and between remote sites and a VPN site-to-site gateway.
Securing Remote-Access and Virtual Private Networks
What does a Virtual Private Network (VPN) provide?
It provides a secure connection using the public network. VPN is based on client-server technology. VPN is simple to set up: simply enter the destination IP address and your user name and password.
The telephone system in the 1950s proved to be inadequate to withstand a nuclear attack. If on average 15 central offices (CO) were targeted, communications would be totally lost.
Securing Remote-Access and Virtual Private Networks
The military wanted a system that was self-healing. If a failure occurred at a point (man-in-the-middle) in the network, the communications path would be rerouted. The man-in-the-middle is a hacker that listens and copies all data passing through a router.
Securing Remote-Access and Virtual Private Networks
What makes VPN so exceptional?
1. Creates a tunnel. VPN uses a tunneling protocol.
2. Encrypts the content.
3. If the tunnel is penetrated, it is detected. Immediately, the tunnel is shut down and a new circuit is established on the Internet.
A hacker sitting on a router is trying to penetrate the tunnel to record/listen to the traffic.
Securing Remote-Access and Virtual Private Networks
VPN
Microsoft and Cisco have their own VPN client/server software. The software packages used to establish VPN services must be compatible with each other. Cisco's VPN client will not communicate with Microsoft VPN server software. OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
Securing Network Services
• Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
• Require login IDs and passwords for accessing devices
– Require extra authorization for risky configuration commands
• Use SSH (Secure Shell) rather than Telnet or login
• Change the welcome banner to be less welcoming
Securing Network Services
• Routing protocols should be selected that support authentication, including RIPv2, OSPF, EIGRP, and BGP4.
• Static and default routes are good choices because they eliminate the need to accept routing updates.
• Execute minimal necessary services and establish trust in only authenticated partners.
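Several of the hardening points on the two slides above (password protection, SSH instead of Telnet, a non-welcoming banner, authenticated routing) can be checked mechanically against a device's running configuration. The following Python is an added example, not from the slides or from Cisco: a small audit over a constructed Cisco IOS-style configuration. The hostname, addresses and the enable-secret hash in the sample are placeholders; the commands themselves (service password-encryption, enable secret, banner motd, ip ssh version 2, transport input, area ... authentication) are standard IOS syntax.

```python
import re

# Constructed sample configuration (not from any real device). The one
# deliberate weakness: the vty lines still accept Telnet alongside SSH.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$EXAMPLEHASHPLACEHOLDER
banner motd ^C
Unauthorized access to this device is prohibited and monitored.
^C
ip ssh version 2
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest
line vty 0 4
 transport input telnet ssh
 login local
"""

# (finding, regex that must match somewhere in the config, regex flags)
CHECKS = [
    ("enable secret configured",        r"^enable secret",                  re.M),
    ("stored passwords encrypted",      r"^service password-encryption",    re.M),
    ("SSH version 2 enabled",           r"^ip ssh version 2",               re.M),
    ("login banner configured",         r"^banner motd",                    re.M),
    ("OSPF area authentication enabled", r"^\s+area \d+ authentication",   re.M),
]


def audit(config):
    """Return ({finding: passed}, [lines that still permit Telnet])."""
    results = {name: bool(re.search(pattern, config, flags))
               for name, pattern, flags in CHECKS}
    telnet_lines = [line.strip() for line in config.splitlines()
                    if re.match(r"\s*transport input\b.*\btelnet\b", line)]
    results["vty lines SSH-only"] = not telnet_lines
    return results, telnet_lines


def banner_is_unwelcoming(config):
    """True when a motd banner exists and does not greet the visitor
    (the slide's 'less welcoming' banner)."""
    m = re.search(r"^banner motd \^C(.*?)\^C", config, re.M | re.S)
    return bool(m) and "welcome" not in m.group(1).lower()


if __name__ == "__main__":
    results, telnet = audit(SAMPLE_CONFIG)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    for line in telnet:
        print(f"      offending line: {line}")
    print("banner acceptable:", banner_is_unwelcoming(SAMPLE_CONFIG))
```

The checks are line-oriented on purpose: configuration text is what the Security Management process later in these slides says to analyze for compliance, and a regex per policy rule is enough to flag the Telnet line before a change window rather than after an incident.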
Securing Server Farms
• Deploy network and host IDSs to monitor server subnets and individual servers
• Configure filters that limit connectivity from the server in case the server is compromised
• Fix known security bugs in server operating systems
• Require authentication and authorization for server access and management
• Limit the root password to a few people
• Avoid guest accounts
Securing User Services
• Specify in the security policy which applications are allowed to run on networked PCs
• Require personal firewalls and antivirus software on networked PCs
– Implement written procedures that specify how the software is installed and kept current
• Encourage users to log out when leaving their desks
• Consider using IEEE 802.1X port-based security on switches
Securing Wireless Networks
• Place wireless LANs (WLANs) in their own subnet or VLAN
– Simplifies addressing and makes it easier to configure packet filters
• Require all wireless (and wired) laptops to run personal firewall and antivirus software
• Disable beacons that broadcast the SSID, and require MAC address authentication
– Except in cases where the WLAN is used by visitors
Securing Wireless Networks
What is the SSID?
An SSID (Service Set Identifier) is the public name of a wireless local area network (WLAN), which serves to differentiate it from other wireless networks in the area. For Google Fiber, the SSID is the network name you specify when you configure your Wi-Fi network. Any wireless devices that connect to your network must use this SSID.
By default, your Network Box broadcasts a beacon signal, announcing its presence to the world by providing the SSID. Broadcasting the SSID displays the name of your network in the list of available networks when nearby users try to connect their wireless devices.
Securing Wireless Networks
• IEEE 802.11 specifies two forms of authentication
– Open key: the client is always authenticated; used for guest access.
– Shared key authentication: a WEP (Wired Equivalent Privacy) static key must be properly configured in both the client and the access point.
Man-in-the-middle is another form of eavesdropping.
WLAN Security Options
• Wired Equivalent Privacy (WEP), vulnerable to passive attacks and inductive key derivations. If the key is determined, it must be changed on the access point and every client.
• IEEE 802.11i
• Wi-Fi Protected Access (WPA)
• IEEE 802.1X Extensible Authentication Protocol (EAP)
– Lightweight EAP or LEAP (Cisco)
– Protected EAP (PEAP)
• Virtual Private Networks (VPNs)
• Any other acronyms we can think of?
• Service Set Identifier (SSID)
Wired Equivalent Privacy (WEP)
• Defined by IEEE 802.11
• Users must possess the appropriate WEP key that is also configured on the access point
– 64- or 128-bit key (or passphrase)
• WEP encrypts the data using the RC4 stream cipher method
• Infamous for being crackable
WEP Alternatives
• Vendor enhancements to WEP
• Temporal Key Integrity Protocol (TKIP)
– Every frame has a new and unique WEP key
• Advanced Encryption Standard (AES)
• IEEE 802.11i (implemented as WEP2)
• Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
Extensible Authentication Protocol (EAP)
• With 802.1X and EAP, devices take on one of three roles:
– The supplicant resides on the wireless LAN client
– The authenticator resides on the access point
– An authentication server resides on a RADIUS server
EAP authenticates users.
802.11 authenticates devices (wireless LAN devices).
EAP (Continued)
• An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
• The credentials are passed by the authenticator to the server and a session key is developed
• Periodically the client must re-authenticate to maintain network connectivity
• Re-authentication generates a new, dynamic WEP key
Cisco’s Lightweight EAP (LEAP)
• Standard EAP plus mutual authentication
– The user and the access point must authenticate
• Used on Cisco and other vendors’ products
• Mutual authentication means the client authenticates the server and the server authenticates the client.
Other EAPs
• EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
– Requires certificates for clients and servers.
• Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security
– Uses a certificate for the client to authenticate the RADIUS server
– The server uses a username and password to authenticate the client
• EAP-MD5 has no key management features or dynamic key generation
– Uses challenge text like basic WEP authentication
– Authentication is handled by the RADIUS server
VPN Software on Wireless Clients
• VPN is the safest way to do wireless networking for
corporations
• Wireless client requires VPN software
• Connects to VPN concentrator at HQ
• Creates a tunnel for sending all traffic
• VPN security provides:
– User authentication
– Strong encryption of data
– Data integrity
Network Management
• Helps an organization achieve availability, performance, and security goals
• Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
• Facilitates scalability
– Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades
Network Management Design
• Consider scalability, traffic patterns, data formats, cost/benefit tradeoffs
• Determine which resources should be monitored
• Determine metrics for measuring performance
• Determine which and how much data to collect
Proactive Network Management
• Plan to check the health of the network during normal operation, not just when there are problems
• Recognize potential problems as they develop
• Optimize performance
• Plan upgrades appropriately
Network Management Processes
According to the ISO
1. Fault management
2. Configuration management
3. Accounting management
4. Performance management
5. Security management
Fault Management
• Detect, isolate, diagnose, and correct problems
• Report status to end users and managers
• Track trends related to problems
Configuration Management
• Keep track of network devices and their configurations
• Maintain an inventory of network assets
• Log versions of operating systems and applications
Accounting Management
• Keep track of network usage by departments or individuals
• Facilitate usage-based billing
• Find users who use more resources than they should
Performance Management
• Monitor end-to-end performance
• Also monitor component performance (individual links and devices)
• Test reachability
• Measure response times
• Measure traffic flow and volume
• Record route changes
Security Management
• Maintain and distribute user names and passwords
• Generate, distribute, and store encryption keys
• Analyze router, switch, and server configurations for compliance with security policies and procedures
• Collect, store, and examine security audit logs
Network Management Components
• A managed device is a network node that collects and stores management information
• An agent is network-management software that resides in a managed device
• A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents
Network Management Architecture
Diagram: an NMS communicating with agents on the managed devices; each agent keeps its own management database.
Architecture Concerns
• In-band versus out-of-band monitoring
– In-band is easier to develop, but results in management data being impacted by network problems
• Centralized versus distributed monitoring
– Centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC)
Simple Network Management Protocol (SNMP)
• Most popular network management protocol
• SNMPv3 should gradually supplant (substitute for) versions 1 and 2 because it offers better authentication and better control of the set command.
• SNMP works with Management Information Bases (MIBs).
Simple Network Management Protocol (SNMP)
What is a MIB?
A MIB (Management Information Base) is a text file written using the ASN.1 (Abstract Syntax Notation) format. This text file is human readable but is special in that it can be compiled by a computer program called a MIB compiler, which results in the creation of objects called OIDs (Object Identifiers) that can be understood by a network management station using the SNMP (Simple Network Management Protocol) method of communication.
Simple Network Management Protocol (SNMP)
Why is this important?
SNMP MIBs are crucial in order to manage your network and understand the underlying objects which are being retrieved from SNMP agents.
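To make the MIB-to-OID relationship above concrete, here is an added Python example (not from the slides or from any SNMP toolkit) that does what a management station does with a compiled MIB: it maps a numeric OID back to its object name, and it encodes and decodes OIDs in the BER form SNMP actually puts on the wire. The tiny name table is typed in by hand for the example and holds a few well-known MIB-2 objects; a real MIB compiler derives the full tree from the ASN.1 modules.

```python
# Constructed fragment of the MIB-2 naming tree (a real MIB compiler builds the
# whole tree from the ASN.1 MIB modules; these entries are hand-typed here).
MIB_NAMES = {
    "1.3.6.1.2.1.1.1": "sysDescr",
    "1.3.6.1.2.1.1.3": "sysUpTime",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.2.1.2.2.1.10": "ifInOctets",
}


def resolve(dotted):
    """Map an instance OID (e.g. sysDescr.0) to 'objectName.instance', the way an
    NMS labels a GET response; None when the MIB does not know the object."""
    for prefix, name in MIB_NAMES.items():
        if dotted == prefix or dotted.startswith(prefix + "."):
            return name + dotted[len(prefix):]
    return None


def _encode_subid(value):
    """Base-128 encoding: high bit set on every byte except the last."""
    chunk = bytearray([value & 0x7F])
    value >>= 7
    while value:
        chunk.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(chunk)


def encode_oid(dotted):
    """BER-encode an OBJECT IDENTIFIER (tag 0x06) as SNMP sends it."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or not 0 <= arcs[0] <= 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs share one sub-identifier
    body = b"".join(_encode_subid(s) for s in subids)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(ber):
    """Inverse of encode_oid; rejects a wrong tag, length or a truncated arc."""
    if len(ber) < 3 or ber[0] != 0x06 or ber[1] != len(ber) - 2:
        raise ValueError("not a short-form BER OBJECT IDENTIFIER")
    subids, value, pending = [], 0, False
    for b in ber[2:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    if first >= 80:
        arcs = [2, first - 80]
    elif first >= 40:
        arcs = [1, first - 40]
    else:
        arcs = [0, first]
    return ".".join(map(str, arcs + subids[1:]))


if __name__ == "__main__":
    oid = "1.3.6.1.2.1.1.1.0"
    print(resolve(oid))                 # sysDescr.0
    print(encode_oid(oid).hex())        # 06082b06010201010100
    print(decode_oid(encode_oid(oid)))  # 1.3.6.1.2.1.1.1.0
```

The encoded form is why the MIB matters: an agent answers with bytes such as 06 08 2b 06 01 02 01 01 01 00, and only a station holding the compiled MIB can turn that into sysDescr.0. The decoder's checks on tag, length and the continuation bit are the kind of input validation an SNMP parser needs, since the PDU arrives from the network.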
Remote Monitoring (RMON)
• Developed by the IETF in the early 1990s to address shortcomings in standard MIBs
– Provides information on data link and physical layer parameters
– Nine groups of data for Ethernet
– The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets
Cisco Tools
• Cisco Discovery Protocol
– With the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor.
• NetFlow Accounting
– An integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces
Summary
• Use a top-down approach
– Chapter 2 talks about identifying assets and risks and developing security requirements
– Chapter 5 talks about logical design for security (secure topologies)
– Chapter 8 talks about the security plan, policy, and procedures
– Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design
Summary
• Determine which resources to monitor, which data about these resources to collect, and how to interpret that data
• Develop processes that address performance, fault, configuration, security, and accounting management
• Develop a network management architecture
• Select management protocols and tools
Review Questions
• How does a security plan differ from a security policy?
• Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
• What are some methods for keeping hackers from viewing and changing router and switch configuration information?
• How can a network manager secure a wireless network?
Review Questions
• Why is network management design important?
• Define the five types of network management processes according to the ISO.
• What are some advantages and disadvantages of using in-band network management versus out-of-band network management?
• What are some advantages and disadvantages of using centralized network management versus distributed network management?
This Week’s Outcomes
• Review midterm exam questions
• Security
• Threats and Risks
• Security Policy
• Security Mechanisms
• Wireless Security
• SNMP
Due this week
• 4-2-2 – Cisco Networking Practical Experience
– Basic Routing and LAN Switching Configuration
Next week
• Read Chapter 8 in Top-Down Network Design
– Concept questions 5
Q&A
• Questions, comments, concerns?