Security Awareness: Applying Practical Security in Your World
Download
Report
Transcript Security Awareness: Applying Practical Security in Your World
Security Awareness: Applying
Practical Security in Your
World
Chapter 5: Network Security
Objectives
Give an overview of how networks work
List and describe three types of network attacks
Explain how network defenses can be used to
enhance a network security perimeter
Tell how a wireless local area network (WLAN)
functions and list some of its security features
Security Awareness: Applying Practical Security in Your World
2
Network Security
Computer networks in organizations are prime
targets for hackers.
Computer networks are also found in homes
The growth of home networks has resulted in more
attacks
Security Awareness: Applying Practical Security in Your World
3
How Networks Work
Personal computers Isolated from other
computers
(See Figure 5-1)
Function limited to the hardware, software, and
data on that one computer
Computer network Interconnected computers
and devices
(See Figure 5-2)
Sharing increases functionality, reduces costs, and
increases accuracy
Security Awareness: Applying Practical Security in Your World
4
How Networks Work (continued)
Security Awareness: Applying Practical Security in Your World
5
How Networks Work (continued)
Security Awareness: Applying Practical Security in Your World
6
Types of Networks
Local area network (LAN) A network of
computers located relatively close to each other
Wide area network (WAN) A network of
computers geographically dispersed
Security Awareness: Applying Practical Security in Your World
7
Types of Networks (continued)
Security Awareness: Applying Practical Security in Your World
8
Transmitting Data
Protocols Sets of rules used by sending and
receiving devices to transmit data
Both sender and receiver must use same set of rules
Transmission Control Protocol/Internet Protocol
(TCP/IP) Most common protocol in use
IP Address Unique number assigned to each
device on a TCP/IP network that identifies it
from all other devices
Data is divided into smaller units called packets for
transmission through a network
(See Figure 5-4)
Security Awareness: Applying Practical Security in Your World
9
Figure 5-4
Security Awareness: Applying Practical Security in Your World
10
Devices on a Network
Different types of equipment perform different
functions
Many devices are responsible for sending packets
through the LAN or across a WAN
Router Directs packets “toward” their destination
Network perimeter Line of defense around a
network made up of products, procedures and people
(See Figure 5-5)
Security Awareness: Applying Practical Security in Your World
11
Devices on a Network (continued)
Security Awareness: Applying Practical Security in Your World
12
Network Attacks
Hackers attack network perimeters in different
ways
Attacks include:
Denial of Service (DoS)
Man-in-the-Middle
Spoofing
Security Awareness: Applying Practical Security in Your World
13
Denial of Service (DoS)
Normal conditions Computers contact a server
with a request
Denial of Service (DoS) Server is flooded with
requests, making it unavailable to legitimate users
(See Figure 5-6)
Attacking computers programmed not to reply to
the server’s response
Server “holds the line open” for each request
(See Figure 5-7) and eventually runs out of
resources as more requests are received
Security Awareness: Applying Practical Security in Your World
14
Denial of Service (DoS)
(continued)
Security Awareness: Applying Practical Security in Your World
15
Denial of Service (DoS)
(continued)
Security Awareness: Applying Practical Security in Your World
16
Distributed Denial of Service
(DDoS)
Distributed Denial of Service (DDoS) Variant
of a DoS that uses many computers to attack a
target
Hacker finds a handler
Special software is loaded on the handler and it
searches for zombies
Software is loaded on the zombies without the user’s
knowledge
Eventually that hacker instructs all zombies to flood
a particular server
Security Awareness: Applying Practical Security in Your World
17
Man-in-the-Middle
Man-in-the-Middle Two computers are tricked
into thinking they are communicating with each
other when there is actually a hidden third party
between them
(See Figure 5-8)
Communications can be monitored or modified
Security Awareness: Applying Practical Security in Your World
18
Man-in-the-Middle (continued)
Security Awareness: Applying Practical Security in Your World
19
Spoofing
Spoofing Pretending to be the legitimate owner
IP Address Spoofing False IP address inserted into
packets
ARP Spoofing ARP table changed to redirect packets
(See Figure 5-10)
ARP table Address Resolution Protocol table
stores list of MAC addresses and corresponding IP
addresses
(See Figure 5-9)
MAC Address* Media Access Control address is
the hardware address of the Network Interface
Card (NIC)
Security Awareness: Applying Practical Security in Your World
20
Spoofing (continued)
Security Awareness: Applying Practical Security in Your World
21
Spoofing (continued)
Security Awareness: Applying Practical Security in Your World
22
Network Defenses
Three groups of networks defenses:
Devices
Configurations
Countermeasures
Security Awareness: Applying Practical Security in Your World
23
Devices
Firewalls Designed to prevent malicious packets
from entering
Typically outside the security perimeter
(See Figure 5-11)
Software based Runs as a local program to protect
one computer (personal firewall) or as a program on a
separate computer (network firewall) to protect the
network
Hardware based separate devices that protect the
entire network (network firewalls)
Security Awareness: Applying Practical Security in Your World
24
Devices (continued)
Security Awareness: Applying Practical Security in Your World
25
Devices (continued)
Firewall rule base AKA Access control list
(ACL) Establishes what action the firewall
should take when it receives a packet
Allow
Block
Prompt
Should reflect the organization's security policy
Security Awareness: Applying Practical Security in Your World
26
Devices (continued)
Stateless packet filtering Allows or denies
packets based strictly on the rule base
Stateful packet filtering Keeps a record of the
state of a connection
Makes decisions based on the rule base and the
connection
Security Awareness: Applying Practical Security in Your World
27
Devices (continued)
Intrusion Detection System (IDS) Examines
the activity on a network
Goal is to detect intrusions and take action
Two types of IDS:
Host-based IDS Installed on a server or other
computers (sometimes all)
Monitors traffic to and from that particular computer
Network-based IDS Located behind the firewall
and monitors all network traffic
(See Figure 5-12)
Security Awareness: Applying Practical Security in Your World
28
Devices (continued)
Security Awareness: Applying Practical Security in Your World
29
Devices (continued)
Network Address Translation (NAT) Systems
Hides the IP address of network devices
Located just behind the firewall
(See Figure 5-13)
NAT device uses an alias IP address in place of the
sending machine’s real one
(See Figure 5-14)
“You cannot attack what you can’t see”
Security Awareness: Applying Practical Security in Your World
30
Devices (continued)
Security Awareness: Applying Practical Security in Your World
31
Devices (continued)
Security Awareness: Applying Practical Security in Your World
32
Devices (continued)
Proxy Server Operates similar to NAT, but also
examines packets to look for malicious content
Replaces the protected computer’s IP address with
the proxy server’s address
Protected computers never have a direct connection
outside the network
The proxy server intercepts requests
(See Figure 5-15)
Acts “on behalf of” the requesting client
Security Awareness: Applying Practical Security in Your World
33
Devices (continued)
Security Awareness: Applying Practical Security in Your World
34
Network Design
The key to effective network design is a single
point of entry into a network Difficult to
maintain
Employees or others may bypass security by
installing unauthorized entry points
(See Figure 5-16)
Common design tools:
Demilitarized Zones (DMZ)
Virtual Private Networks (VPNs)
Security Awareness: Applying Practical Security in Your World
35
Network Design (continued)
Security Awareness: Applying Practical Security in Your World
36
Network Design (continued)
Demilitarized Zones (DMZ) Another network
that sits outside the secure network perimeter
Outside users can access the DMZ, but not the
secure network
(See Figure 5-17)
Some DMZs use two firewalls
(See Figure 5-18)
This prevents outside users from even accessing the
internal firewall Provides an additional layer of
security
Security Awareness: Applying Practical Security in Your World
37
Network Design (continued)
Security Awareness: Applying Practical Security in Your World
38
Network Design (continued)
Security Awareness: Applying Practical Security in Your World
39
Network Design (continued)
Virtual Private Networks (VPNs) A secure
network connection over a public network
(See Figure 5-19)
Allows mobile users to securely access information
Sets up a unique connection called a tunnel
Security Awareness: Applying Practical Security in Your World
40
Network Design (continued)
Security Awareness: Applying Practical Security in Your World
41
Network Design (continued)
Advantages of VPNs:
Low cost
Flexibility
Security
Standards
Security Awareness: Applying Practical Security in Your World
42
Network Design (continued)
Honeypots Computer located in a DMZ and
loaded with files and software that appear to be
authentic, but are actually imitations
(See Figure 5-21)
Intentionally configured with security holes
Goals:
Direct attacker’s attention away from real targets
Examine the techniques used by hackers
Security Awareness: Applying Practical Security in Your World
43
Network Design (continued)
Security Awareness: Applying Practical Security in Your World
44
Components of a WLAN
Wireless network interface card (WNIC) Card
inserted into the wireless device that sends and
receives signals from the access point
Access point (AP) Acts as the base station and
is connected to the wired network
Multiple access points allow ease of roaming
(See Figure 5-22)
Security Awareness: Applying Practical Security in Your World
45
Components of a WLAN
(continued)
Security Awareness: Applying Practical Security in Your World
46
Security in a WLAN
WLANs include a different set of security issues
Steps to secure:
Turn off broadcast information
MAC address filtering
WEP encryption
Password protect the access point
Physically secure the access point
Use enhanced WLAN security standards whenever
possible
Security Awareness: Applying Practical Security in Your World
47
Summary
A computer network allows users to share
hardware, programs and data.
Two types of computer networks are:
Local area network (LAN) computers all close
together
Wide area network (WAN) Computers
geographically dispersed
On most networks, each computer or device
must be assigned a unique address called the IP
address.
Security Awareness: Applying Practical Security in Your World
48
Summary (continued)
Hackers attacks network perimeters in several
ways:
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Man-in-the-Middle
Spoofing
Security Awareness: Applying Practical Security in Your World
49
Summary (continued)
There are devices that can be installed to make
the network perimeter more secure.
Firewalls
Hardware or software based
Intrusion-detection system (IDS)
Host-based or network-based
Network Address Translation (NAT)
Proxy server
Security Awareness: Applying Practical Security in Your World
50
Summary (continued)
Network security can be enhanced by its design.
Single point of entry is best, but hard to maintain
Technologies frequently used to enhance secure
network design:
Demilitarized zones (DMZ)
Virtual private networks (VPNs)
Honeypots
Security Awareness: Applying Practical Security in Your World
51
Summary (continued)
Wireless local area networks are becoming
increasingly common.
Two basic components:
Wireless network interface card (WNIC)
Access point (AP)
Securing a WLAN requires additional steps beyond
those required for a wired network.
Security Awareness: Applying Practical Security in Your World
52