Transcript Chap 9 - IUP Personal Websites

Devices
Chapter 9
Learning Objectives



Understand the purpose of a network
firewall and the kinds of firewall
technology available on the market
Understand the role of routers, switches,
and other networking hardware in security
Determine when VPN or RAS technology
works to provide a secure network
connection
Firewalls

Hardware or software device that provides
means of securing a computer or network
from unwanted intrusion


Dedicated physical device that protects
network from intrusion
Software feature added to a router, switch, or
other device that prevents traffic to or from
part of a network
Management Cycle for
Firewall Protection
1. Draft a written security policy
2. Design the firewall to implement the policy
3. Implement the design by installing selected
hardware and software
4. Test the firewall
5. Review new threats, requirements for
additional security, and updates to systems and
software; repeat process from first step
Drafting a Security Policy





What am I protecting?
From whom?
What services does my company need to
access over the network?
Who gets access to what resources?
Who administers the network?
Available Targets and
Who Is Aiming at Them

Common areas of attack





Web servers
Mail servers
FTP servers
Databases
Intruders


Sport hackers
Malicious hackers
Who Gets Access to Which
Resources?


List employees or groups of employees
along with files and file servers and
databases and database servers they need
to access
List which employees need remote access
to the network
Who Administers the Network?

Determine individual(s) and scope of
individual management control
Designing the Firewall
to Implement the Policy

Select appropriate technology to deploy the
firewall
What Do Firewalls Protect Against?







Denial of service (DoS)
Ping of death
Teardrop or Raindrop attacks
SYN flood
LAND attack
Brute force or smurf attacks
IP spoofing
How Do Firewalls Work?




Network address translation (NAT)
Basic packet filtering
Stateful packet inspection (SPI)
Access control lists (ACL)
Network Address Translation (NAT)




Only technique used by basic firewalls
Enables a LAN to use one set of IP addresses for
internal traffic and a second set for external
traffic
Each active connection requires a unique external
address for duration of communication
Port address translation (PAT)


Derivative of NAT
Supports thousands of simultaneous connections on a
single public IP address
Basic Packet Filtering


Firewall system examines each packet that enters
it and allows through only those packets that
match a predefined set of rules
Can be configured to screen information based on
many data fields:




Protocol type
IP address
TCP/UDP port
Source routing information
Stateful Packet Inspection (SPI)

Controls access to network by analyzing
incoming/outgoing packets and letting them pass
or not based on IP addresses of source and
destination


Examines a packet based on information in its header
Enhances security by allowing the filter to
distinguish on which side of firewall a connection
was initiated; essential to blocking IP spoofing
attaches
Access Control Lists (ACL)

Rules built according to organizational
policy that defines who can access portions
of the network


Access-list 101 permit tcp any 1.2.1.222 0.0.0.0 eq 80
Access-list 101 deny ip any 1.2.1.222 0.0.0.0
Routers




Network management device that sits
between network segments and routes
traffic from one network to another
Allows networks to communicate with one
another
Allows Internet to function
Act as digital traffic cop (with addition of
packet filtering)
How a Router Moves Information


Examines electronic envelope surrounding
a packet; compares address to list of
addresses contained in router’s lookup
tables
Determines which router to send the packet
to next, based on changing network
conditions
How a Router Moves Information
Beyond the Firewall


Demilitarized zone (DMZ)
Bastion hosts (potentially)
Demilitarized Zone


Area set aside for servers that are publicly
accessible or have lower security requirements
Sits between the Internet and internal network’s
line of defense



Stateful device fully protects other internal systems
Packet filter allows external traffic only to services
provided by DMZ servers
Allows a company to host its own Internet
services without sacrificing unauthorized access
to its private network
Bastion Hosts





Computers that reside in a DMZ and that host
Web, mail, DNS, and/or FTP services
Gateway between an inside network and an
outside network
Defends against attacks aimed at the inside
network; used as a security measure
Unnecessary programs, services, and protocols
are removed; unnecessary network ports are
disabled
Do not share authentication services with trusted
hosts within the network
Application Gateways




Also known as proxy servers
Monitor specific applications (FTP, HTTP,
Telnet)
Allow packets accessing those services to
go to only those computers that are
allowed
Good backup to packet filtering
Application Gateways

Security advantages




Information hiding
Robust authentication and logging
Simpler filtering rules
Disadvantage

Two steps are required to connect inbound or
outbound traffic; can increase processor
overhead
OSI Reference Model


Architecture that classifies most network
functions
Seven layers







Application
Presentation
Session
Transport
Network
Data-Link
Physical
The OSI Stack

Layers 4 and 5


Layer 3


Where TCP and UDP ports that control
communication sessions operate
Routes IP packets
Layer 2

Delivers data frames across LANs
Limitations of
Packet-Filtering Routers



ACL can become long, complicated, and
difficult to manage and comprehend
Throughput decreases as number of rules
being processed increases
Unable to determine specific content or
data of packets at layers 3 through 5
Switches



Provide same function as bridges (divide
collision domains), but employ applicationspecific integrated circuits (ASICs) that are
optimized for the task
Reduce collision domain to two nodes (switch
and host)
Main benefit over hubs

Separation of collision domains limits the possibility
of sniffing
Switches
Switch Security


ACLs
Virtual Local Area Networks (VLANs)
Virtual Local Area Network



Uses public wires to connect nodes
Broadcast domain within a switched network
Uses encryption and other security mechanisms
to ensure that



Only authorized users can access the network
Data cannot be intercepted
Clusters users in smaller groups


Increases security from hackers
Reduces possibility of broadcast storm
Security Problems with Switches

Common ways of switch hijacking


Try default passwords which may not have
been changed
Sniff network to get administrator password
via SNMP or Telnet
Securing a Switch



Isolate all management interfaces
Manage switch by physical connection to a
serial port or through secure shell (SSH) or
other encrypted method
Use separate switches or hubs for DMZs to
physically isolate them from the network
and prevent VLAN jumping
continued…
Securing a Switch




Put switch behind dedicated firewall
device
Maintain the switch; install latest version
of software and security patches
Read product documentation
Set strong passwords
Quick Quiz





The process by which a private IP address in a corporate
network is translated into a public address by a router or
firewall is called_____________
True or False: Advanced firewalls use stateful packet
inspection to improve security.
A computer providing public network services that resides
inside a corporate network but outside its firewall is called a
______.
True or False: IP packets are routed by layer 2 of the OSI
model.
A feature available in some switches that permit separating the
switch into multiple broadcast domains is called _________.
Wireless


Almost anyone can eavesdrop on a
network communication
Encryption is the only secure method of
communicating with wireless technology
Modems
DSL versus Cable Modem Security

DSL


Direct connection between computer/network and the
Internet
Cable modem



Connected to a shared segment; party line
Most have basic firewall capabilities to prevent files
from being viewed or downloaded
Most implement the Data Over Cable Service
Interface Specification (DOCSIS) for authentication
and packet filtering
Dynamic versus Static IP Addressing

Static IP addresses


Provide a fixed target for potential hackers
Dynamic IP addresses



Provide enhanced security
By changing IP addresses of client machines,
DHCP server makes them moving targets for
potential hackers
Assigned by the Dynamic Host Configuration
Protocol (DHCP)
Remote Access Service (RAS)





Provides a mechanism for one computer to
securely dial in to another computer
Treats modem as an extension of the
network
Includes encryption and logging
Accepts incoming calls
Should be placed in the DMZ
Security Problems with RAS


Behind physical firewall; potential for
network to be compromised
Most RAS systems offer encryption and
callback as features to enhance security
Telecom/Private Branch Exchange
(PBX)

PBX


Private phone system that offers features such
as voicemail, call forwarding, and conference
calling
Failure to secure a PBX can result in toll
fraud, theft of information, denial of service,
and enhanced susceptibility to legal liability
IP-Based PBX
PBX Security Concerns


Remote PBX management
Hoteling or job sharing

Many move codes are standardized and posted
on the Internet
Virtual Private Networks




Provide secure communication pathway or tunnel
through public networks (eg, Internet)
Lowest levels of TCP/IP are implemented using
existing TCP/IP connection
Encrypts either underlying data in a packet or the
entire packet itself before wrapping it in another
IP packet for delivery
Further enhances security by implementing
Internet Protocol Security (IPSec)
Intrusion Detection Systems (IDS)



Monitor networks and report on unauthorized
attempts to access any part of the system
Available from many vendors
Forms



Software (computer-based IDS)
Dedicated hardware devices (network-based IDS)
Types of detection


Anomaly-based detection
Signature-based detection
Computer-based IDS

Software applications (“agents”) are installed on
each protected computer





Make use of disk space, RAM, and CPU time to
analyze OS, applications, system audit trails
Compare these to a list of specific rules
Report discrepancies
Can be self-contained or remotely managed
Easy to upgrade software, but do not scale well
Network-based IDS


Monitors activity on a specific network
segment
Dedicated platforms with two components

Sensor


Passively analyzes network traffic
Management system

Displays alarm information from the sensor
Anomaly-based Detection


Builds statistical profiles of user activity and then
reacts to any activity that falls outside these
profiles
Often leads to large number of false positives


Users do not access computers/network in static,
predictable ways
Cost of building a sensor that could hold enough
memory to contain the entire profile and time to
process the profiles is prohibitively large
Signature-based Detection




Similar to antivirus program in its method of
detecting potential attacks
Vendors produce a list of signatures used by the
IDS to compare against activity on the network
or host
When a match is found, the IDS take some action
(eg, logging the event)
Can produce false positives; normal network
activity may be construed as malicious
Network Monitoring and Diagnostics


Essential steps in ensuring safety and
health of a network (along with IDS)
Can be either stand-alone or part of a
network-monitoring platform




HP’s OpenView
IBM’s Netview/AIX
Fidelia’s NetVigil
Aprisma’s Spectrum
Ensuring Workstation and
Server Security





Remove unnecessary protocols such as
NetBIOS or IPX
Remove unnecessary user accounts
Remove unnecessary shares
Rename the administrator account
Use strong passwords
Personal Firewall Software Packages


Offer application-level blocking, packet filtering,
and can put your computer into stealth mode by
turning off most if not all ports
Many products available, including:




Norton Firewall
ZoneAlarm
Black Ice Defender
Tiny Software’s Personal Firewall
Firewall Product Example
Antivirus Software Packages


Necessary even on a secure network
Many vendors, including:




McAffee
Norton
Computer Associates
Network Associates
Mobile Devices

Can open security
holes for any
computer with which
these devices
communicate
Chapter Summary

Virtual isolation of a computer or network
by implementing a firewall through
software and hardware techniques:




Routers
Switches
Modems
Various software packages designed to run on
servers, workstations, and PDAs
continued…
Chapter Summary



Virtual private networks (VPNs)
Private branch exchanges (PBX)
Remote Access Services (RAS)
Quick Quiz





The standard used to help secure cable modem
communications is called ____________
True or False: Static IP addressing is the most secure
form of addressing.
True or False: RAS should be placed in the DMZ.
A _____________ is used to provide a secure
communication channel through the public Internet
______________ based IDS uses statistical profiles.