Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
Work with the network cable plant
Secure removable media
Harden network devices
Design network topologies
Network Cable Plant
Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
Three types of transmission media:
• Coaxial cables
• Twisted-pair cables
• Fiber-optic cables
Coaxial Cables
Coaxial cable was the main type of copper cabling used in computer networks for many years
Has a single copper wire at its center surrounded by insulation and shielding
Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding
There were two types of coax Ethernet installations: Thicknet and Thinnet
Thicknet and Thinnet
Thicknet, also known as 10Base5, was the first coax Ethernet installation.
• The 10 stands for 10 Mbps, the Base is for baseband signaling, and the 5 is the 500 m signal propagation or maximum cable run
• Thicknet used “vampire taps” to add transceivers.
Thinnet, also known as 10Base2, was the second coax Ethernet installation.
• The 2 in 10Base2 stands for the 185 m maximum cable run, rounded up to 2
Coaxial Cables (continued)
Thin coaxial cable looks similar to the cable that carries a cable TV signal
A braided copper mesh channel surrounds the insulation, and everything is covered by an outer shield of insulation for the cable itself
The copper mesh protects the core from interference
BNC connectors: connectors used on the ends of a thin coaxial cable
http://en.wikipedia.org/wiki/BNC_connector
Twisted-Pair Cables
Standard for copper cabling used in computer networks today, replacing thin coaxial cable
Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued)
Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
Unshielded twisted-pair (UTP) cables do not have any shielding
Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper, and the core transmits light impulses
A glass tube (cladding) surrounds the core
The core and cladding are protected by a jacket
http://en.wikipedia.org/wiki/Fiber_optic
http://www.jimhayes.com/lennielw/fiber.html
Fiber-Optic Cables (continued)
Classified by the diameter of the core and the diameter of the cladding
• Diameters are measured in microns; a micron is about 1/25,000 of an inch or one-millionth of a meter (125 microns)
Two types:
• Single-mode: used when data must be transmitted over long distances; has a core of about 9 microns and uses lasers as its light source
• Multimode: supports many simultaneous light transmissions, generated by light-emitting diodes, with a core of 62.5 microns
Securing the Cable Plant
Securing cabling outside the protected network is not the primary security issue for most organizations
Focus is on protecting access to the cable plant in the internal network
An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will
Securing the Cable Plant
The attacker can capture packets as they travel through the network by sniffing
• The hardware or software that performs such functions is called a sniffer
Physical security
• First line of defense
• Protects the equipment and infrastructure itself
• Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it
Securing Removable Media
Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
An employee copying data to a floppy disk or CD and carrying it home poses two risks:
• Storage media could be lost or stolen, compromising the information
• A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network
Magnetic Media
Record information by changing the magnetic direction of particles on a platter
Floppy disks were some of the first magnetic media developed
The capacity of today’s 3 1/2-inch disks is 14 MB
Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
Magnetic tape drives record information in a serial fashion
Optical Media
Optical media use a principle for recording information different from magnetic media
A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
• A DVD can record from 4 GB to 16 GB
Data cannot be changed once recorded
Electronic Media
Electronic media use flash memory for storage
• Flash memory is a solid state storage device―everything is electronic, with no moving or mechanical parts
SmartMedia cards range in capacity from 2 MB to 128 MB
The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick
Electronic Media (continued)
CompactFlash card
• Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
• Comes in 33 mm and 55 mm thicknesses and stores between 8 MB and 192 MB of data
USB memory sticks are becoming very popular
• Can hold between 8 MB and 1 GB of memory
• USB hard drives range from 5 GB to 40 GB and above.
Keeping Removable Media Secure
Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers
Hardening Network Devices
Each device that is connected to a network is a potential target of an attack and must be properly protected
Network devices to be hardened are categorized as:
• Standard network devices
• Communication devices
• Network security devices
Hardening Standard Network Devices
A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
This equipment has basic security features that you can use to harden the devices
Workstations and Servers
Workstation: personal computer attached to a network (also called a client)
• Connected to a LAN and shares resources with other workstations and network equipment
• Can be used independently of the network and can have its own applications installed
Server: computer on a network dedicated to managing and controlling network services.
• Examples are file servers, print servers, and Domain Controllers.
Switches and Routers
Switch
• Most commonly used in Ethernet LANs
• Receives a packet from one network device and sends it to the destination device only
• Limits the collision domain (part of the network on which multiple devices may attempt to send packets simultaneously)
A switch is used within a single network
Routers connect two or more single networks to form a larger network
Switches and Routers
Switches and routers must also be protected against attacks
Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
Software agents are loaded onto each network device to be managed
Switches and Routers - SNMP
Each agent monitors network traffic and stores that information in its management information base (MIB)
A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
Remote Access Servers
Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network
Remote Access Servers
Remote access clients can run almost all network-based applications without modification
• Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
VPNs
VPN stands for Virtual Private Network
VPNs come in two flavors:
• Site-to-site (also called LAN-to-LAN)
• Remote access
Site-to-site VPNs securely connect two or more distant locations over the public Internet.
• IPSec and IKE are the two protocols that provide authentication, encryption, and integrity checking.
Remote access VPNs allow mobile users to securely connect from home or on the road to the business network.
• Remote access VPNs also use IPSec and IKE but can also use SSL connections via the user's web browser.
Hardening Network Security Devices
The final category of network devices includes those designed and used strictly to protect the network
Include:
• Firewalls
• Intrusion-detection systems
• Network monitoring and diagnostic devices
Firewalls
Typically used to filter packets
Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
Typically located outside the network security perimeter as the first line of defense
Can be software or hardware configurations
Firewalls (continued)
Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
• Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
• One disadvantage is that it is only as strong as the operating system of the computer
Firewalls (continued)
Filter packets in one of two ways:
• Stateless packet filtering: permits or denies each packet based strictly on the rule base
• Stateful packet filtering: records the state of a connection between an internal computer and an external server; makes decisions based on the connection and the rule base
Can perform content filtering to block access to undesirable Web sites
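The difference between the two filtering modes, as an added example (not code from the textbook): the rule base only allows internal hosts to open Web connections, so a stateless filter drops the server's reply, while a stateful filter admits the reply because it matches a connection it recorded. The 10.0.0.0/24 LAN and the sample addresses are constructed.

```python
from dataclasses import dataclass

# Constructed assumption: the protected LAN is 10.0.0.0/24
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def rule_base_allows(pkt: Packet) -> bool:
    """Rule base: internal hosts may open connections to Web ports; nothing else."""
    return pkt.src.startswith(INTERNAL_PREFIX) and pkt.dport in (80, 443)


def stateless_filter(packets):
    """Stateless: each packet judged strictly on the rule base, so the
    server's reply (port 80 -> high client port) is dropped."""
    return [rule_base_allows(p) for p in packets]


class StatefulFilter:
    """Stateful: remember connections opened from inside and admit only
    inbound packets that mirror one of them (simplified: no TCP flags/timeouts)."""

    def __init__(self):
        self.connections = set()  # (src, sport, dst, dport) of permitted outbound flows

    def decide(self, pkt: Packet) -> bool:
        if rule_base_allows(pkt):
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def stateful_filter(packets):
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed traffic: outbound Web request, its reply, and an unsolicited
# inbound packet aimed at an internal host's port 80.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80),   # client -> web server
    Packet("203.0.113.10", 80, "10.0.0.5", 51000),   # web server reply
    Packet("198.51.100.7", 4444, "10.0.0.5", 80),    # unsolicited inbound
]
```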
Firewalls (continued)
An application layer firewall can defend against worms better than other kinds of firewalls
• Reassembles and analyzes packet streams instead of examining individual packets
Intrusion-Detection Systems (IDS)
Devices that establish and maintain network security
Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
• Installed on the server or, in some instances, on all computers on the network
Passive IDS sends information about what happened, but does not take action
Intrusion-Detection Systems (IDS)
Host-based IDS monitors critical operating system files and the computer’s processor activity and memory; scans event logs for signs of suspicious activity
Network-based IDS monitors all network traffic instead of only the activity on a computer
• Typically located just behind the firewall
Other IDS systems are based on behavior:
• Watch network activity and report abnormal behavior
• May result in false alarms (false positives)
http://www.sans.org/resources/idfaq/
http://www.securityfocus.com/infocus/1670
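A passive IDS over a few constructed Web-server log lines, as an added example (not from the textbook): one detector matches a known signature, the other reports any source whose request rate exceeds a baseline, and a busy but legitimate client shows how behavior-based detection produces a false positive. The log format, signature and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines: "<source ip> <method> <path> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
203.0.113.9 GET /cgi-bin/../../etc/passwd 404
10.0.0.7 GET /login 200
198.51.100.3 GET /index.html 200
198.51.100.3 GET /a 200
198.51.100.3 GET /b 200
198.51.100.3 GET /c 200
198.51.100.3 GET /d 200
198.51.100.3 GET /e 200
"""

# Signature database (assumed): name -> pattern that identifies the attack
SIGNATURES = {"directory traversal": re.compile(r"\.\./")}


def signature_alerts(log: str):
    """Signature-based passive IDS: report (signature, source) for each
    line matching a known pattern; it does not block anything."""
    alerts = []
    for line in log.splitlines():
        src = line.split()[0]
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, src))
    return alerts


def behavior_alerts(log: str, max_requests: int = 5):
    """Behavior-based IDS: flag any source exceeding the request baseline.
    A crawler or busy proxy trips this too, which is the false positive the
    slide warns about; the alert still needs an analyst to confirm it."""
    counts = Counter(line.split()[0] for line in log.splitlines())
    return [(src, n) for src, n in counts.items() if n > max_requests]
```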
Network Monitoring and Diagnostic Devices
SNMP enables network administrators to:
• Monitor network performance
• Find and solve network problems
• Plan for network growth
Managed device:
• Network device that contains an SNMP agent
• Collects and stores management information and makes it available to SNMP
Designing Network Topologies
Topology: physical layout of the network devices, how they are interconnected, and how they communicate
Essential to establishing its security
Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users
Security Zones
One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
• Demilitarized Zones (DMZs)
• Intranets
• Extranets
Demilitarized Zones (DMZs)
Separate networks that sit outside the secure network perimeter
Outside users can access the DMZ, but cannot enter the secure network
The types of servers that should be located in the DMZ include:
• Web servers
• E-mail servers
• Remote access servers
• FTP servers
Network Address Translation (NAT)
“You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
Hides the IP addresses of network devices from attackers
Computers are assigned special IP addresses (known as private addresses)
RFC 1918 addresses
• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255
Network Address Translation (NAT)
These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
Port address translation (PAT) is a variation of NAT
Each packet is given the same IP address, but a different TCP port number
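How PAT hides internal hosts, as an added example (not code from the textbook): a check against the three RFC 1918 blocks listed above, and a translation table that gives every outbound flow the same public address but its own port, so an inbound packet that no internal host ever solicited has no mapping and is dropped. The public address 203.0.113.5 and the port range are constructed.

```python
import ipaddress

# The three RFC 1918 private blocks
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address is private and must be translated before it leaves the site."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PAT:
    """Port address translation: one public IP shared by all internal hosts,
    each outbound flow distinguished by its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):  # constructed values
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # public port -> that same tuple

    def translate_outbound(self, src, sport, dst, dport):
        """Rewrite the source of an outbound packet; returns (new_src, new_sport, dst, dport)."""
        key = (src, sport, dst, dport)
        if key not in self.outbound:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst, dport)

    def translate_inbound(self, src, sport, dst, dport):
        """Map a packet arriving at the public address back to the internal host.
        Returns None (drop) when no internal host opened that flow with that peer:
        the attacker sees only the public address and no way in."""
        key = self.inbound.get(dport)
        if dst != self.public_ip or key is None or key[2:] != (src, sport):
            return None
        priv_ip, priv_port, _, _ = key
        return (src, sport, priv_ip, priv_port)
```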
Honeypots
Computers located in a DMZ loaded with software and data files that appear to be authentic
Intended to trap or trick attackers
Two-fold purpose:
• To direct the attacker’s attention away from real servers on the network
• To examine techniques used by attackers
Virtual LANs (VLANs)
Segment a network with switches to divide the network into a hierarchy
Core switches reside at the top of the hierarchy and carry traffic between switches
Workgroup switches are connected directly to the devices on the network
Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
Virtual LANs (VLANs)
Segment a network by grouping similar users together
Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
Summary
Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
Removable media used to store information include:
• Magnetic storage (removable disks, hard drives)
• Optical storage (CD and DVD)
• Electronic storage (USB memory sticks, FlashCards)
Summary (continued)
Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
A network’s topology plays a critical role in resisting attackers
Hiding the IP address of a network device can help disguise it so that an attacker cannot find it