Lesson 10: Network Access Security

Network Access Security
Lesson 10
Objectives
Exam Objective Matrix
Technology Skill Covered: Firewalls
  Exam Objective 2.1: Given a scenario, install and configure routers and switches.
    • Interface configurations
    • MAC filtering
    • Traffic filtering
  Exam Objective 4.1: Explain the purpose and features of various network appliances.
    • Proxy server
    • Content filter
  Exam Objective 5.2: Explain the methods of network access security.
    • ACL
    • MAC filtering
    • IP filtering
    • Port filtering
Objectives
Exam Objective Matrix
Technology Skill Covered: Tunneling and Encryption
  Exam Objective 5.5: Given a scenario, install and configure a basic firewall.
    • Types:
      • Software and hardware firewalls
      • Port security
      • Stateful inspection vs. packet filtering
    • Firewall rules:
      • ACL
      • DMZ
  Exam Objective 5.6: Categorize different types of network security appliances and methods.
    • IDS and IPS:
      • Network-based
      • Host-based
    • Methods:
      • Honey pots
      • Honey nets
  Exam Objective 4.1: Explain the purpose and features of various network appliances.
    • Load balancer
    • Proxy server
    • Content filter
    • VPN concentrator
Objectives
Exam Objective Matrix
  Exam Objective 5.2: Explain the methods of network access security.
    • Tunneling and encryption:
      • SSL VPN
      • VPN
      • L2TP
      • PPTP
      • IPSec
      • ISAKMP
      • TLS
      • TLS1.2
      • Site-to-site and client-to-site
    • Remote access:
      • RAS
      • RDP
      • PPPoE
      • PPP
      • ICA
      • SSH
Objectives
Exam Objective Matrix
Technology Skill Covered: Wireless Authentication and Encryption
  Exam Objective 5.1: Given a scenario, implement appropriate wireless security measures.
    • Encryption protocols:
      • WEP
      • WPA
      • WPA2
      • WPA Enterprise
Technology Skill Covered: Best Practices
  Exam Objective 5.4: Explain common threats, vulnerabilities, and mitigation techniques.
    • Mitigation techniques:
      • Training and awareness
      • Patch management
      • Policies and procedures
Firewalls
• A network firewall:
– Prevents hackers and other security threats from entering the network
– Limits the ability of hackers and other security threats to spread through the network
Network-based Firewalls
• Reside on the network
• Are usually hardware in nature but
augmented with additional software
• Many are built into or on top of routers
• Two common configurations
– Single firewall: uses only one firewall
– Dual firewall: uses two firewalls
– The area between the two firewalls is the demilitarized zone (DMZ)
Single Firewall Configuration
Dual Firewall Configuration
Server Placement with a DMZ
Proxy Server
• Used as intermediary between networks and
servers
– Purpose built device, or
– Application running on a server
• Upon receipt of a request, the proxy may:
– Evaluate it and decide whether to pass it on
– Interpret it and attempt to service it itself (from a cache)
– Conceal the identity of the person making the request
– Alter the request to avoid restrictions
Network Intrusion Detection System/Network
Intrusion Prevention System (NIDS/NIPS)
• Software designed to look for evidence of
intruder activity and stop it once detected
• Works like the IDS and IPS covered in Lesson 9
• Differences from a host IDS/IPS
– Where the software is located: a NIDS/NIPS sits on the network rather than on a host
– Used for both incoming and outgoing communications
Possible NIDS Placement Locations
Host-based Firewalls
• Software packages that run on a computer
platform
– Evaluate packets, determine if malicious
– Host-Based Intrusion Detection System (HIDS);
Host-Based Intrusion Prevention System (HIPS)
– System Intrusion Detection Software (SIDS);
System Intrusion Prevention System (SIPS)
Common Features of a Firewall
• Application layer versus network layer
– Stateful versus stateless
• Scanning services
• Content filters
• Signature identification
• Zones
Application Layer Versus Network Layer
• Application layer firewalls work with protocols
and services located on the TCP/IP protocol
stack
– Designed to target one or two protocols
• Network firewalls work on the network layer
of the TCP/IP protocol stack
– Primarily target packet communications
– Stateful versus stateless
Network Layer Firewalls (Continued)
• Stateful
– The firewall tracks every connection that passes through the router
– The router must continually know the state of every connection
• Stateless
– Treats each packet separately, with no memory of earlier packets
– Faster, lower cost
– Easier to hijack, because a packet is judged only on its own headers
Scanning Services
• Ability of the firewall to scan packets and protocols for specific threats
– Scan HTTP traffic for spyware or viruses
– Scan e-mail for spam
Content Filters
• Evaluates incoming data against predefined
guidelines
– Blocks spam due to content
– Blocks websites containing specific words
– Parental controls
Signature Identification
• A process using signatures or definitions to
identify threats
– Threat is compared to signature database
– Identified threats are sent to the
administrator for action
• Only works against known threats
– Keeping the signature software and database updated is crucial
Zones
• Creates a firewall on a router based on groups of interfaces (zones)
• Three rules that always apply
– Interfaces in the same zone can always talk to each other
– Interfaces in one zone cannot communicate with another zone unless an explicit written rule allows it
– Interfaces that are not part of any zone cannot talk to interfaces that are part of a zone
Zone-based Firewall
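The three zone rules above are small enough to implement as a policy engine, which makes it easy to see what an explicit cross-zone rule does and does not open. The following is an added example, not code from the slides or from any router vendor: the interface names (Gi0/0 and so on), the zone names and the permitted services are all constructed, and the handling of two zone-less interfaces is an assumption noted in a comment, since the slide only covers the zoned/unzoned case.

```python
from typing import Dict, Optional, Set, Tuple


class ZoneFirewall:
    """Zone-based policy for a router: interfaces are grouped into zones and traffic is
    judged by the zone pair it crosses, following the three rules on the slide."""

    def __init__(self) -> None:
        self.zone_of: Dict[str, str] = {}                     # interface name -> zone name
        self.policies: Dict[Tuple[str, str], Set[str]] = {}    # (from_zone, to_zone) -> permitted services

    def assign(self, interface: str, zone: str) -> None:
        self.zone_of[interface] = zone

    def permit(self, from_zone: str, to_zone: str, *services: str) -> None:
        """An explicit written rule allowing the named services from one zone into another."""
        self.policies.setdefault((from_zone, to_zone), set()).update(services)

    def allowed(self, in_if: str, out_if: str, service: str) -> bool:
        src: Optional[str] = self.zone_of.get(in_if)
        dst: Optional[str] = self.zone_of.get(out_if)
        if src is None or dst is None:
            # Rule 3: an interface that is not in any zone cannot talk to one that is.
            # Two zone-less interfaces are treated as outside the zone firewall entirely;
            # that is an assumption of this example, not something the slide states.
            return src is None and dst is None
        if src == dst:
            return True                                          # Rule 1: same zone always talks
        return service in self.policies.get((src, dst), set())  # Rule 2: cross-zone needs an explicit rule


def build_example() -> ZoneFirewall:
    """Constructed topology: two LAN ports in 'inside', one 'outside', one 'dmz', and Gi0/4 left unassigned."""
    fw = ZoneFirewall()
    for interface, zone in [("Gi0/0", "inside"), ("Gi0/1", "inside"), ("Gi0/2", "outside"), ("Gi0/3", "dmz")]:
        fw.assign(interface, zone)
    fw.permit("inside", "outside", "http", "https", "dns")
    fw.permit("inside", "dmz", "http", "ssh")
    fw.permit("outside", "dmz", "http")                         # the only thing the Internet may reach
    return fw


if __name__ == "__main__":
    fw = build_example()
    for in_if, out_if, svc in [("Gi0/0", "Gi0/1", "smb"), ("Gi0/0", "Gi0/2", "https"),
                               ("Gi0/2", "Gi0/0", "https"), ("Gi0/2", "Gi0/3", "http"),
                               ("Gi0/2", "Gi0/3", "ssh"), ("Gi0/4", "Gi0/0", "http")]:
        print(in_if, "->", out_if, svc, "permit" if fw.allowed(in_if, out_if, svc) else "deny")
```

Note that no policy is written for outside-to-inside, so the third check is denied even though inside-to-outside HTTPS is allowed; on a real zone-based firewall the returning half of an inside-initiated session is admitted by stateful inspection, not by a reverse policy.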
Filtering
• Access control lists (ACLs)
– List of rules or policies programmed into a
router, or other device, to control what is able
to gain access to a network
• MAC filtering
• IP filtering
• Port filtering
• Port security
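The stateful-versus-stateless distinction from the Network Layer Firewalls slides and the ACL, MAC, IP and port filtering listed here can be seen together in one small packet filter. The following is an added example, not code from the slides or from any product: it evaluates a constructed ACL statelessly (first match wins, implicit deny at the end) and then runs the same ACL behind a connection table. The Packet and Rule fields, the MAC and IP addresses, and the four sample packets are all constructed; the "forged" packet is the case the slide describes as easier to hijack, an inbound packet that merely looks like a reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = arriving from the untrusted side, "out" = leaving the protected LAN
    src_mac: str          # MAC seen on the ingress interface (constructed values below)
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP flags; a reply to an open connection carries ACK
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One ACL entry; None / "any" fields are wildcards. The fields map to the slide's filtering types."""
    action: str                       # "permit" or "deny"
    direction: str = "any"
    src_mac: Optional[str] = None     # MAC filtering
    src_net: str = "0.0.0.0/0"        # IP filtering (CIDR)
    dst_net: str = "0.0.0.0/0"
    proto: str = "any"
    dst_port: Optional[int] = None    # port filtering
    established: bool = False         # stateless shortcut: "ACK set, so it looks like a reply"

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.src_mac is None or self.src_mac.lower() == p.src_mac.lower())
                and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (not self.established or p.ack))


def acl_decision(acl: List[Rule], p: Packet) -> str:
    """Stateless evaluation: first matching rule wins, and an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Same ACL for new traffic, plus a connection table: a packet skips the ACL only when it
    belongs to a connection the filter already saw being permitted."""

    def __init__(self, acl: List[Rule]) -> None:
        self.acl = acl
        self.connections: Set[Tuple[str, Tuple[str, int], Tuple[str, int]]] = set()

    def decision(self, p: Packet) -> str:
        if p.direction == "in":
            inside, outside = (p.dst_ip, p.dst_port), (p.src_ip, p.src_port)
        else:
            inside, outside = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key = (p.proto, inside, outside)        # same key for both directions of one connection
        if key in self.connections:
            return "permit"
        verdict = acl_decision(self.acl, p)
        if verdict == "permit":
            self.connections.add(key)           # remember it so its replies can pass
        return verdict


LAN_HOST_MAC = "00:11:22:33:44:55"   # constructed: the one LAN host allowed to originate traffic
BASE_ACL = [
    Rule("permit", direction="out", src_mac=LAN_HOST_MAC, src_net="192.168.1.0/24", proto="tcp", dst_port=443),
    Rule("permit", direction="out", src_mac=LAN_HOST_MAC, src_net="192.168.1.0/24", proto="tcp", dst_port=80),
    Rule("permit", direction="in", dst_net="192.168.1.20/32", proto="tcp", dst_port=25),  # inbound mail only
]
# A stateless filter cannot tell which inbound packets are replies, so it needs a blanket rule for
# anything carrying ACK; that blanket rule is the opening the slide calls "easier to hijack".
STATELESS_ACL = BASE_ACL + [Rule("permit", direction="in", proto="tcp", established=True)]


def run_demo() -> dict:
    """Returns {packet name: (stateless verdict, stateful verdict)} for four constructed packets."""
    packets = [
        ("outbound", Packet("out", LAN_HOST_MAC, "192.168.1.10", "203.0.113.5", "tcp", 40000, 80, syn=True)),
        ("reply", Packet("in", "aa:bb:cc:dd:ee:ff", "203.0.113.5", "192.168.1.10", "tcp", 80, 40000, syn=True, ack=True)),
        ("forged", Packet("in", "aa:bb:cc:dd:ee:ff", "198.51.100.9", "192.168.1.10", "tcp", 80, 40000, ack=True)),
        ("rogue", Packet("out", "de:ad:be:ef:00:01", "192.168.1.77", "203.0.113.5", "tcp", 40001, 80, syn=True)),
    ]
    stateful = StatefulFilter(BASE_ACL)
    return {name: (acl_decision(STATELESS_ACL, p), stateful.decision(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print("%-8s stateless=%-6s stateful=%s" % (name, stateless, stateful))
```

Both filters pass the real outbound request and its reply and both stop the rogue host whose MAC is not in the list; only the stateful filter stops the forged packet, because no inside host ever opened a connection to 198.51.100.9.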
Honey Pots
• Are network security tools
– Provide a hacker with a decoy target to attack instead of the protected network
– A hacker distracted by the decoy can be identified and neutralized
– The methods used to attack the decoy are studied to strengthen the real network's security (the honey pot acts as a research laboratory)
– A honey net is two or more honey pots
Tunneling and Encryption Concepts
• Site-to-site and client-to-site
– Site-to-site: Two different remote networks
connected
– Client-to-site: Single computer connected to
remote network
• Secure Sockets Layer (SSL)
– Secures connection between client and
server
Tunneling and Encryption Concepts (Cont.)
• Transport Layer Security (TLS)
– TLS Record Protocol
• Provides security and encryption
– TLS Handshake Protocol
• Authenticates and negotiates the algorithm
• Internet Security Association and Key Management Protocol (ISAKMP)
– Establishes Security Associations and cryptographic keys
Point-to-Point Protocol (PPP)
• Method to encapsulate multi-protocol
datagrams
– Transports multiple protocols
• Link Control Protocol (LCP)
– Establishes, configures, and tests
connections
• Network Control Protocol (NCP)
– Establishes and configures different
protocols
Tunneling
• Process of establishing a connection through a public network that looks like a point-to-point connection
– Carrier protocol: the network the tunnel crosses
– Encapsulating protocol: the protocol that wraps the traffic
– Passenger protocol: the original traffic being carried
How Tunneling Works
Encryption
• An algorithm (cipher) used to encode either the header or the entire network packet
– Plaintext is data that has not been encrypted
• Layer 2 Tunneling Protocol (L2TP)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Forwarding (L2F)
• Internet Protocol Security (IPSec)
• Generic Routing Encapsulation (GRE)
L2TP, PPTP, and L2F
• L2TP
– Designed to create a tunnel across a public
packet switched network
• PPTP
– Provides an encapsulation service, with flow and congestion control, for PPP
• L2F
– Designed so PPP can be tunneled over the
Internet and used in VPNs
Internet Protocol Security (IPSec)
• Suite of protocols designed to provide
security options to IP
– Internet Key Exchange (IKE)
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Works in two modes
– Transport
– Tunnel
Different Types of Network Communications
• VPN tunnel mode can be used for network-to-network, network-to-host, and host-to-host communications
Generic Routing Encapsulation (GRE)
• Encapsulates arbitrary Network layer
protocol over any other arbitrary Network
layer protocol
• Most commonly used protocol is IP
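The carrier/encapsulating/passenger layering from the Tunneling slide, the GRE encapsulation described here, and the transport and tunnel modes of IPSec can all be shown on the same constructed packet. The following is an added example, not code from the slides or from any IPsec or router implementation: it builds a minimal IPv4 header with a valid checksum, wraps a passenger packet in GRE over an outer IPv4 carrier and unwraps it again, and then applies an IPsec Authentication Header in transport mode (AH inserted after the original header) and in tunnel mode (whole inner packet behind a new outer header). All addresses are constructed, the integrity algorithm is assumed to be HMAC-SHA-256-96, and AH_KEY is a placeholder for a key that a real Security Association would get from IKE.

```python
import hashlib
import hmac
import struct

GRE_PROTO = 47                      # outer IPv4 protocol number for GRE
AH_PROTO = 51                       # outer IPv4 protocol number for IPsec AH
IPIP_PROTO = 4                      # AH "next header" when the payload is a whole IPv4 packet (tunnel mode)
ETHERTYPE_IPV4 = 0x0800             # GRE protocol-type field for an IPv4 passenger
AH_KEY = b"constructed-demo-key"    # placeholder: a real SA key is negotiated by IKE
AH_LEN = 24                         # 12-byte fixed AH header + 96-bit ICV


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum; returns 0 for a header whose checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def split_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl], pkt[ihl:]


# --- Tunneling with GRE: carrier = outer IPv4, encapsulating = GRE, passenger = the original packet ---
def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence options, version 0
    outer = ipv4_header(ip_bytes(tunnel_src), ip_bytes(tunnel_dst), GRE_PROTO, 4 + len(passenger))
    return outer + gre + passenger


def gre_decapsulate(carrier: bytes) -> bytes:
    """Strip the carrier and GRE headers, checking what a tunnel endpoint would check."""
    outer, rest = split_ipv4(carrier)
    if outer[9] != GRE_PROTO or ipv4_checksum(outer) != 0:
        raise ValueError("not a well-formed GRE carrier packet")
    _flags, ptype = struct.unpack("!HH", rest[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return rest[4:]


# --- IPsec AH: an integrity check over the packet, in transport mode and in tunnel mode ---
def _ah_immutable(ip_hdr: bytes) -> bytes:
    """AH covers the IP header with its mutable fields (TOS, flags/offset, TTL, checksum) zeroed."""
    return ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20]


def _ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    data = _ah_immutable(ip_hdr) + ah_fixed + b"\x00" * 12 + payload   # ICV field is zero while computing
    return hmac.new(AH_KEY, data, hashlib.sha256).digest()[:12]        # HMAC-SHA-256-96


def ah_protect(inner: bytes, mode: str, spi: int, seq: int, outer_src: str = "", outer_dst: str = "") -> bytes:
    """Transport: keep the original addresses, insert AH after the IP header, protect the payload.
    Tunnel: new outer header to the tunnel endpoints, AH, then the whole inner packet as payload."""
    inner_hdr, inner_payload = split_ipv4(inner)
    if mode == "transport":
        src, dst, next_hdr, payload = inner_hdr[12:16], inner_hdr[16:20], inner_hdr[9], inner_payload
    elif mode == "tunnel":
        src, dst, next_hdr, payload = ip_bytes(outer_src), ip_bytes(outer_dst), IPIP_PROTO, inner
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ip_hdr = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(payload))
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _ah_icv(ip_hdr, ah_fixed, payload) + payload


def ah_verify(pkt: bytes) -> bool:
    """Recompute the ICV: a change to any covered byte fails, a change to a mutable field does not."""
    ip_hdr, rest = split_ipv4(pkt)
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_fixed, icv, payload = rest[:12], rest[12:24], rest[24:]
    return hmac.compare_digest(icv, _ah_icv(ip_hdr, ah_fixed, payload))


# Constructed passenger: an IPv4 packet from 10.1.1.5 to 10.2.2.7 (protocol 17) carrying five payload bytes
PASSENGER = ipv4_header(ip_bytes("10.1.1.5"), ip_bytes("10.2.2.7"), 17, 5) + b"hello"

if __name__ == "__main__":
    carrier = gre_encapsulate(PASSENGER, "203.0.113.1", "198.51.100.1")
    transport = ah_protect(PASSENGER, "transport", spi=0x1000, seq=1)
    tunnel = ah_protect(PASSENGER, "tunnel", spi=0x1001, seq=1, outer_src="203.0.113.1", outer_dst="198.51.100.1")
    print(len(carrier), gre_decapsulate(carrier) == PASSENGER, len(transport), ah_verify(transport), len(tunnel), ah_verify(tunnel))
```

AH gives integrity and origin authentication only; the payload stays readable, which is why ESP is the IPsec protocol used when confidentiality is needed. The TTL check in the test shows why AH must skip mutable fields: routers legitimately change them in flight.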
Virtual Private Network (VPN)
• Connects client computer outside local
network to an Enterprise LAN
– Specific form of network tunneling
• Secure Sockets Layer (SSL) VPN
– Allows VPN sessions to be set up from within a browser
• VPN concentrator
– Concentrates multiple VPN connections into a single device
Remote Access
• Allows remote end users to access a network
and its information as if the users were directly
connected to that network
• Remote Access Services (RAS)
• Point-to-Point Protocol over Ethernet (PPPoE)
• Remote Desktop Protocol (RDP)
• Virtual Network Computing (VNC)
• Independent Computing Architecture (ICA)
• Secure Shell (SSH)
Remote Access Services (RAS)
• All the technology, hardware, and software used to provide remote access to a network
– Authenticating the user attempting to gain access to the network
– Limiting the user's access to permitted resources
– Verifying that communications between the remote user and the local network are not being eavesdropped on by hackers
Point-to-Point Protocol over Ethernet (PPPoE)
• A method that allows PPP to be used in an Ethernet environment
• Most commonly used in connection with DSL
• Discovery stage
– The client and the server discover each other's MAC addresses on the network
– A PPPoE session identification number is created and a link is established
Point-to-Point Protocol over Ethernet
Discovery Stage
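The discovery stage just described is a four-frame exchange, and the two checks built into it (the client's Host-Uniq tag and the server's AC-Cookie tag) are what let each side pair replies with requests and decide which frames to ignore. The following is an added example, not code from the slides or from any DSL equipment: it builds and parses PPPoE discovery frames with the standard codes and tags, simulates the access concentrator learning the client's MAC from the broadcast PADI and assigning a session id in the PADS, and has the client learn the concentrator's MAC from the PADO. The MAC addresses, the concentrator name, and the way the cookie is derived (an HMAC over the client MAC under a secret the concentrator keeps) are constructed for this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_PPPOE_DISCOVERY = 0x8863                    # discovery stage; 0x8864 carries the session afterwards
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65      # discovery packet codes
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(dst: str, src: str, code: int, session_id: int, tags: List[Tuple[int, bytes]]) -> bytes:
    """Ethernet header + PPPoE header (ver 1, type 1, code, session id, length) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    header = struct.pack("!HBBHH", ETHERTYPE_PPPOE_DISCOVERY, 0x11, code, session_id, len(payload))
    return mac_bytes(dst) + mac_bytes(src) + header + payload


def parse_frame(frame: bytes):
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    ethertype, ver_type, code, session_id, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY or ver_type != 0x11:
        raise ValueError("not a PPPoE discovery frame")
    tags: Dict[int, bytes] = {}
    pos = 20
    while pos < 20 + length:
        t, tag_len = struct.unpack("!HH", frame[pos:pos + 4])
        tags[t] = frame[pos + 4:pos + 4 + tag_len]
        pos += 4 + tag_len
    return dst, src, code, session_id, tags


class AccessConcentrator:
    """Server side (the DSL access concentrator). It learns the client's MAC from the PADI it receives."""

    def __init__(self, mac: str, name: str) -> None:
        self.mac, self.name = mac, name
        self.cookie_secret = os.urandom(16)   # constructed: lets the AC stay stateless until a PADR arrives
        self.next_session = 1

    def cookie(self, client_mac: str) -> bytes:
        # AC-Cookie bound to the client MAC, so a PADR is honoured only from the MAC the PADO was sent to
        return hmac.new(self.cookie_secret, mac_bytes(client_mac), hashlib.sha256).digest()[:16]

    def handle(self, frame: bytes) -> Optional[bytes]:
        dst, src, code, _, tags = parse_frame(frame)
        if code == PADI and dst == BROADCAST:                          # offer service to the client MAC
            return build_frame(src, self.mac, PADO, 0, [
                (TAG_AC_NAME, self.name.encode()), (TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                (TAG_AC_COOKIE, self.cookie(src)), (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b""))])
        if code == PADR and dst == self.mac:
            if not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), self.cookie(src)):
                return None                                             # cookie mismatch: silently drop
            session_id, self.next_session = self.next_session, self.next_session + 1
            return build_frame(src, self.mac, PADS, session_id, [
                (TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")), (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b""))])
        return None


def discover(client_mac: str, ac: AccessConcentrator) -> Tuple[str, int]:
    """Client side: PADI (broadcast) -> PADO -> PADR (unicast) -> PADS; returns the AC's MAC and the session id."""
    host_uniq = os.urandom(8)   # echoed back by the AC so the client can match replies to its own request
    pado = ac.handle(build_frame(BROADCAST, client_mac, PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    if pado is None:
        raise ValueError("no PADO received")
    _, ac_mac, code, _, tags = parse_frame(pado)
    if code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO does not answer our PADI")
    pads = ac.handle(build_frame(ac_mac, client_mac, PADR, 0, [
        (TAG_SERVICE_NAME, tags[TAG_SERVICE_NAME]), (TAG_AC_COOKIE, tags[TAG_AC_COOKIE]), (TAG_HOST_UNIQ, host_uniq)]))
    if pads is None:
        raise ValueError("no PADS received")
    _, _, code, session_id, tags = parse_frame(pads)
    if code != PADS or session_id == 0 or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("no usable PADS")
    return ac_mac, session_id


if __name__ == "__main__":
    ac = AccessConcentrator("02:00:00:00:00:aa", "demo-ac")
    print(discover("02:00:00:00:00:01", ac))   # (AC MAC, session id 1)
```

The session id is zero throughout discovery and is only assigned in the PADS, which is the "link established" point on the slide; from then on frames use the session ethertype and that id.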
Remote Desktop Protocol (RDP)
• Proprietary protocol from Microsoft to create
graphical interface between computers
• Controls several features
– 32-bit or lower color support; 128-bit
encryption; network level authentication
– Audio, file system, printer, and port
redirection; shared clipboard
– Terminal Services gateway; support for TLS;
multiple monitor support
Virtual Network Computing (VNC)
• Allows remote access to a desktop
computer; similar to Microsoft's RDP
– Open source
– Works with any graphical user interface (GUI)
– Pixel-based
– Three components: VNC server, VNC client
(VNC viewer), and VNC communications
protocols
Independent Computing Architecture (ICA)
• Proprietary protocol which lays down specific
rules for passing data between client and
server
• Runs application on server while allowing
remote client access
• Supports Windows, OS X, various UNIX platforms, and various Linux platforms
Secure Shell Protocol (SSH)
• An updated and more secure successor to Telnet
• Used to remotely configure devices
• Allows remote control of a device through command-line commands
• Encrypts the commands and configuration instructions it carries
Wireless Authentication and Encryption
• Wi-Fi Protected Access (WPA)
• Wired Equivalent Privacy (WEP)
• Remote Authentication Dial-In User Service
(RADIUS)
• Temporal Key Integrity Protocol (TKIP)
Wi-Fi Protected Access (WPA)
• A specification or certification
– Not a security protocol
– Replaces WEP
• WPA was created as an interim (placeholder) security standard
• WPA2 includes mandatory requirements of
IEEE 802.11i
• Enterprise versions of WPA and WPA2
available
Wired Equivalent Privacy (WEP)
• Aspired to make wireless communications as secure and private as wired communications
• Uses the RC4 stream cipher and a CRC-32 (Cyclic Redundancy Check) integrity value
• Authentication components
– Open System
– Shared Key
Remote Authentication Dial-In User Service
(RADIUS)
• Authenticator: admits a user onto a wireless network
– Acts as the Authentication Server in IEEE 802.1X wireless networks
• Authorizer: controls where the user can go on the network
How 802.1X Works
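In an 802.1X network the switch or access point is the authenticator and the RADIUS server is the authentication server; the authenticator never sees the user database and must trust only replies it can verify against the shared secret. The following is an added example, not code from the slides or from any RADIUS implementation: it builds an Access-Request with the RFC 2865 User-Password hiding, has a simulated server check the credentials and answer with a Response Authenticator, and shows the authenticator refusing to open the port for an Access-Accept that was not produced with the shared secret. The shared secret, the user database and the packet identifier are constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3              # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                             # attribute types used here
SHARED_SECRET = b"constructed-shared-secret"   # constructed; held by the authenticator and the RADIUS server
USER_DB = {"alice": "correct horse battery staple"}                  # constructed credential store on the server


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): a reply only a secret holder can produce."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def authenticator_build_request(username: str, password: str, ident: int):
    """Authenticator (switch or access point): relay the supplicant's credentials to the server."""
    request_auth = secrets.token_bytes(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), request_auth, SHARED_SECRET))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet: bytes) -> bytes:
    """Authentication server: parse the attributes, check the credentials, answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), request_auth, SHARED_SECRET).decode(errors="replace")
    code = ACCESS_ACCEPT if USER_DB.get(username) == password else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, b"", SHARED_SECRET), b"")


def authenticator_accepts(response: bytes, request_auth: bytes, ident: int) -> bool:
    """Open the port only for an Access-Accept whose Response Authenticator verifies against our request."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, rid, request_auth, response[20:length], SHARED_SECRET)
    return rid == ident and hmac.compare_digest(response[4:20], expected) and code == ACCESS_ACCEPT


def port_authorized(username: str, password: str, ident: int = 7) -> bool:
    request, request_auth = authenticator_build_request(username, password, ident)
    return authenticator_accepts(server_handle(request), request_auth, ident)


if __name__ == "__main__":
    print("alice / right password ->", port_authorized("alice", "correct horse battery staple"))
    print("alice / wrong password ->", port_authorized("alice", "password123"))
```

The authorizer role on the slide corresponds to attributes the server could add to its Access-Accept (a VLAN assignment, for instance); this example answers with no attributes, so it only decides whether the port opens.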
Temporal Key Integrity Protocol (TKIP)
• Suite of algorithms designed to add
additional security on top of that provided by
WEP
• Increases strength and capability
– Encrypts individual packets
– Time stamps when packets sent
– Employs a sequence counter
– Stronger Cyclic Redundancy Check
Best Practices—Policies and Procedures
• Creating a network security policy
• Password policies
• Access policies
• Reporting problems
Best Practices—User Training
• Single most important tool to ensure policies
are understood and implemented
– New employee orientation
– Ongoing training procedures
• Education and inclusion develops support
for sustainable policies
Best Practices—Patches and Upgrades
• Patches and upgrades are created when
products are found to have bugs or security
glitches
• Implement policies about how and when patches and updates are applied
– What the policies should contain
– Procedures for rolling a patch out to production systems
– A procedure for rolling back an update or patch
Summary
• Firewalls protect networks and limit damage from
hackers
• Network-based firewalls contain hardware and software; they may be single- or dual-configured
• Proxy servers are intermediary devices or
applications between networks and servers
• NIDS/NIPS look for evidence of intruder activity
and stop it once detected
• Host-based firewalls evaluate packets to determine
if they're malicious
Summary (Continued)
• Common features of a firewall include application
layers versus network layers, scanning services,
content filters, signature identification, and zones
• Access control lists (ACLs); MAC, IP, and port
filtering; and port security are filtering methods to
control what is able to gain access to a network
• Honey pots are hacker distraction security tools
• Tunneling and encryption concepts connect,
secure, authenticate, and encrypt networks and
protocols
Summary (Continued)
• Internet Protocol Security (IPSec) is a suite of
protocols designed to provide security options to IP
including Internet Key Exchange (IKE),
Authentication Header (AH), and Encapsulating
Security Payload (ESP)
• Generic Routing Encapsulation (GRE)
encapsulates arbitrary Network layer protocol over
any other arbitrary Network layer protocol
• A Virtual Private Network (VPN) connects a client computer to an enterprise LAN; a Secure Sockets Layer (SSL) VPN does so from a browser, and a VPN concentrator combines multiple VPN connections in one device
Summary (Continued)
• Remote access allows remote end users to access a network as if directly connected to that network, using Remote Access Services (RAS), Point-to-Point Protocol over Ethernet (PPPoE), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Independent Computing Architecture (ICA), and Secure Shell (SSH)
Summary (Continued)
• Temporal Key Integrity Protocol (TKIP) is a suite of algorithms designed to add additional security on top of that provided by WEP
• Best practices employ procedures to create a
secure network with password, access, user, and
patch/update policies; user training; and a system
for reporting problems