Transcript Chapter 12
Chapter 12: LAN Security
Security Overview
• Security is not just protecting against hackers, but ensuring
that your organization’s data retains its integrity.
• Ensuring integrity means that the organization’s data is not
corrupted, inappropriately accessed, modified, or deleted.
• When considering security, you must consider all threats to
your organization’s network.
• Be reasonable in your actions. Don’t spend $10,000
protecting a $500 resource.
Threat Overview
Computer Viruses. Can infect all computers on a LAN very
quickly. Often arrive via e-mail, but also can enter the network via
infected files brought in from user’s infected home computer.
Viruses require user intervention to replicate.
Computer Worms. Similar to viruses except that they do not
require user intervention and can replicate automatically.
Hacker/Attacker. An unauthorized user who attempts to exploit a
weakness in LAN security. Hackers can be bored 13-year-olds or
professionals attempting to steal company secrets.
Threat Overview
Systems Administrators. Have access to everything on the network
and can accidentally do damage to the network. Strong auditing
policies that report on administrator activities are important.
End users. Can deliberately or unintentionally damage equipment or
data. Might install unauthorized programs.
Environment. Flood, earthquake, fire, tsunami. What happens to
your organization’s data if the building catches fire?
Security Policies
• The more secure something is, the more inconvenient it is to
access. When securing company assets, you must also consider the
needs of the everyday user. Users will not want to type in five
passwords to open their e-mail.
• Determine the value and vulnerability of your organization’s IT
assets. A server hosting the company’s intranet is less valuable
than the server hosting the company’s accounting database. A
server protected by a firewalled network and strong passwords is
vulnerable if it is housed underneath your cubicle desk where
anyone can open it and walk away with the hard disk drive after
hours.
Security Policies
• Spend money wisely. Don’t spend $10,000 dollars protecting a
$500 asset.
• Ensure that users are aware of the network rules. It is more difficult
to discipline an employee for surfing pornographic Web sites if
there is no organizational policy on Web browsing. Have them sign
some form of acceptable use policy as part of indoctrination when
they are hired.
• Store usage policy on the company intranet server where it can be
easily accessed.
Firewalls
• A firewall is a system designed to prevent unauthorized access to
internal network systems.
• Packet filter firewalls filter traffic at either Layer 3 or Layer 4 of
the OSI model.
For example: You could allow
HTTP traffic from a particular
range of IP addresses and deny
HTTP traffic from all others.
Alternatively, you could block
all traffic from a particular IP
address range.
Firewalls
• When a firewall blocks traffic, it can either drop or reject a packet.
Rejecting a packet sends information back to the sender. As this
can provide information about your firewall it is safest to simply
drop the packets.
• Stateful inspection firewall examines all aspects of the data
including packet header information, fragmentation, and arrival
and departure time. Requires
more processing power than
packet filter firewalls.
Hardware vs. Software Firewalls
• Hardware firewalls are purpose built appliances that are built
specifically to function as firewalls.
• Often very fast as their design is optimized for the firewall
function.
• Do not integrate well with other network resources. Limited
reporting functionality.
• Software firewalls run on top of a server operating system such as
Windows or Linux.
Hardware vs. Software Firewalls
• Can be expensive as you must pay for the computer, operating
system, and firewall software.
• Can integrate well with other network resources. Can have
extensive reporting functionality.
For example: Microsoft ISA Server 2004 is integrated with Active
Directory and can restrict traffic based on user group membership
and provide administrators with user-based security statistics.
DMZ
• A DMZ (also known as a Screened Subnet) is a special network
that sits between an internal and an external firewall.
• Firewalls are configured so that traffic from the external network
can only reach the DMZ network. Traffic from the internal
network can only reach the DMZ network. Traffic can not pass
directly from Internal network to external network.
• Two firewall approach means that if host on DMZ is compromised,
network is still protected.
• DMZ can also be
implemented using a
single server with 3
network cards. Less
secure than two
firewall approach.
Physical Security
• Important network devices, such as servers and switches need to be
behind lock and key.
• Always assume that if someone can physically get to the computer,
they can retrieve any data off it. Even if that requires a screwdriver
to remove the hard disk drive.
• Use smart cards to log access to the server room and limit access.
Almost all administration duties can be performed remotely over
the network, so it should be rare for people to enter the network
room.
• Ensure that your server room is air conditioned. Servers that
overheat can crash.
• Use a sophisticated fire protection system for the server room.
Spending money on a halon system is better than spending money
replacing servers destroyed by the sprinkler system accidentally
going off.
Wireless Networks
• Wireless networks, though convenient, are inherently insecure.
• Wireless network transmissions can allow your network to be
accessed via the company car park.
• WEP is one solution,
though even a long WEP
key can be cracked given
a few hours.
• Consider using IPSec to
more robustly encrypt
network transmissions.
• Place the wireless
network users behind a
firewall.
Password Security
• Password security requires having passwords that are difficult for
another user to guess.
• Passwords should be changed regularly. Enforce a password
history so that users cannot use prior passwords. Ensure that a
minimum of 24 hours passes before a user can change their
password, otherwise they will change it several times to get back to
their original password.
• Your password policy should not be so onerous that users paste
notes to their monitor to remember their latest password.
Password Security
• Passwords should be complex and involve numbers, mixed case,
and special characters such as !@#$%^&*.
• Be careful about resetting user passwords over the phone. A
common infiltration technique is to visit a person’s desk when
they are away from the day and ring the help desk from their
extension complaining that they are the person and that they
have forgotten their password. The help desk tech, seeing that
the extension matches the user, resets the password and the
infiltrator gains access.
Backing Up Data
• Backups should be taken every day.
• Backup media should be stored in a safe location, away from
the server room. Backup media contains all your
organization’s files. Why hack a server when you can get all
of the organization’s data from a backup tape sitting on the
shelf in the Administrator’s cubicle?
• Full backups back up all files.
• Differential backup back up all files since the last full
backup.
• Incremental backups back up all files since the last full or
incremental backup.
Audit Policy
• Auditing is a way of keeping records of events.
• You can audit almost everything, but you should not because then
searching for unusual events may be like searching for a needle in
a haystack.
• Audit failures as successes are common. Repeated failed logons
indicate that something suspicious might be happening. Repeated
successful logons are quite normal.
• Audit account management activity. You should have a record of
which members of the administrative team are creating accounts
and changing passwords. Some administrators create backdoor
administrative accounts if they suspect that they are about to be
fired.
• Store auditing records in a safe location where they can’t be
modified by someone trying to hide their tracks.
Summary
• Security is not just protecting against hackers, but ensuring that
your organization’s data retains its integrity.
• Ensuring integrity means that the organization’s data is not
corrupted, inappropriately accessed, modified, or deleted.
• Be reasonable in your actions. Don’t spend $10,000 protecting a
$500 resource.
• Important network devices, such as servers and switches need to be
behind lock and key. Always assume that if someone can
physically get to the computer, they can retrieve any data off it.
Summary
• Use smart cards to log access to the server room and limit access.
Almost all administration duties can be performed remotely over
the network, so it should be rare for people to enter the server
room.
• Hardware firewalls are purpose built appliances that are built
specifically to function as firewalls.
• Software firewalls run on top of a server operating system such as
Windows or Linux.
Discussion Questions
Why should you be careful about resetting user passwords
over the phone?
What steps can you take to secure your wireless network
against unauthorized access?
Where should you keep your backup media?
What is the difference between an incremental and a
differential backup?
How does a DMZ work?