NetworkSecurity - Computing Sciences


Network Security
ITEC 370
George Vaughan
Franklin University
1
Sources for Slides
• Material in these slides comes primarily
from course text, Guide to Networking
Essentials,Tomsho, Tittel, Johnson (2007).
• Other sources are cited in line and listed in
reference section.
2
TCP/IP and OSI Models
TCP/IP and OSI Models (OSI-Model, n.d.) and (Tomsho, 2007)

TCP/IP Layer | PDU      | OSI Layer              | Function                                                                                   | Devices / Apps              | Standards
Application  | Data     | 7 Application          | Network process to application; initiates or accepts a request to transfer data            | Browsers, servers, Gateways | HTTP, SNMP, FTP, Telnet
             |          | 6 Presentation         | Adds formatting, display, and encryption of information                                    | Gateways                    | ASCII, MPEG, SSH, SSL
             |          | 5 Session              | Adds communication session control information, Login/Logout                               | DNS, Gateways               | NetBIOS
Transport    | Segments | 4 Transport            | Adds end-to-end connections and reliability, re-sequencing, flow control                   | Gateways                    | TCP, UDP
Network      | Packets  | 3 Network              | Path determination and logical addressing (IP), translates MAC address to logical address  | Routers                     | IP, ICMP, ARP, NetBEUI, IPSec
Link         | Frames   | 2 Data Link (LLC, MAC) | Adds error checking and physical addressing (MAC & LLC)                                    | Switches, Bridges, NICs     | 802.3, 802.11, FDDI
Link         | Bits     | 1 Physical             | Media, signal and binary transmission; sends data as a bit stream                          | Hubs, Repeaters             | 10Base-T, T1, E1
3
Developing a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• A network security policy describes the rules governing
access to a company’s information resources, the
enforcement of those rules, and the steps taken if rules
are breached
– Should also describe the permissible use of those
resources after they’re accessed
– Should be easy for ordinary users to understand and
reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so
that everyone understands its purpose
4
Determining Elements of a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• Security policy should protect organization legally
• Security policy should be continual work in progress
5
Understanding Levels of Security
Tomsho, Tittel, Johnson (2007)
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being
breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users to
use a secure network outweighed by the need to
provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive, open
6
Highly Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Include features such as:
– Data encryption, complex password requirements,
detailed auditing and monitoring of computer and
network access, intricate authentication methods, and
policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when cost of a security breach is high
7
Moderately Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts, network
resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and
auditing features to implement the required policies
• Infrastructure can be secured with moderately priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and support
8
Open Security Policies
Tomsho, Tittel, Johnson (2007)
• Policy might have simple or no passwords, unrestricted
access to resources, and probably no monitoring and
auditing
• Makes sense for a small company with the primary goal
of making access to network resources easy
• Internet access should probably not be possible via the
company LAN
– If Internet access is available company-wide, a more
restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on individual
workstations that are backed up regularly and are
physically inaccessible to other employees
9
Common Elements of Security Policies
Tomsho, Tittel, Johnson (2007)
• Virus protection for servers and desktop computers is a
must
• There should be policies aimed at preventing viruses
from being downloaded or spread
• Backup procedures for all data that can’t be easily
reproduced should be in place, and a disaster recovery
procedure must be devised
• Security is aimed not only at preventing improper use of
or access to network resources, but also at safeguarding
the company’s information
10
Securing Physical Access to the Network
Tomsho, Tittel, Johnson (2007)
• If there’s physical access to equipment, there is no security
– A computer left alone with a user logged on is particularly
vulnerable
• If an administrator account is logged on, a person can
even give his/her account administrator control
– If no user is logged on
• People could log on to the computer with their own
accounts and access files to which they wouldn’t
normally have access
• Computer could be restarted and booted from
removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked
11
Physical Security Best Practices
Tomsho, Tittel, Johnson (2007)
• When planning your network, ensure that rooms are
available to house servers and equipment
– Rooms should have locks and be suitable for the
equipment being housed
• If a suitable room isn’t available, locking cabinets,
freestanding or wall mounted, can be purchased to
house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should be
inaccessible to eavesdropping equipment
• Physical security plan should include procedures for
recovery from natural disasters (e.g., fire or flood)
12
Physical Security of Servers
Tomsho, Tittel, Johnson (2007)
• May be stashed away in lockable wiring closet along with
switch to which the server is connected
• Often require more tightly controlled environmental
conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s
preferably on a circuit separate from other devices
• If you must place servers where they are accessible to people who
should not have physical access to them, use locking cabinets
– You can purchase rack-mountable servers
• Make sure there is sufficient cooling.
13
Security of Internetworking Devices
Tomsho, Tittel, Johnson (2007)
• Routers and switches contain critical configuration
information and perform essential network tasks
– Internetworking devices, such as hubs, switches, and
routers, should be given as much attention in terms of
physical security as servers
• A room with a lock is the best place for these devices
• Wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a
mounting hole for a fan
– They also come with convenient channels for wiring
• Make sure there is sufficient cooling.
14
Securing Access to Data
Tomsho, Tittel, Johnson (2007)
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security
15
Authentication and Authorization
• Authentication – Forcing a party to prove
their true identity
– Login process, certificates, shared keys
– Applies to both clients and servers
• Authorization:
– Only applies after party has been
authenticated
– Access Control (file permissions, Access
Control Lists, etc.)
16
Implementing Secure Authentication and Authorization
Tomsho, Tittel, Johnson (2007)
• Administrators must control who has access to the
network (authentication) and what logged on users can
do to the network (authorization)
– NOSs have tools to specify options and restrictions
on how/when users can log on to network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission
settings determine what a user can access on a
network and what actions a user can perform
17
Configuring Password Requirements in a Windows Environment
Tomsho, Tittel, Johnson (2007)
• Specify if passwords are required for all users, how
many characters a password must be, and whether they
should meet certain complexity requirements
• XP allows passwords up to 128 characters
– Minimum of five to eight characters is typical
– If minimum length is 0, blank passwords are allowed
• Other options include Maximum/Minimum password age,
and Enforce password history
• When a user fails to enter a correct password, a policy
can be set to lock the user account
18
Configuring Password Requirements in a Linux Environment
Tomsho, Tittel, Johnson (2007)
• Linux password configuration can be done globally or on
a user-by-user basis
• Options in a standard Linux Fedora Core 4 include
maximum/minimum password age, and number of days’
warning a user has before password expires
– Linux system must be using shadow passwords, a
secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to set
other options like account lockout, password history, and
complexity tests
19
Reviewing Password Dos and Don’ts
Tomsho, Tittel, Johnson (2007)
• Use a combination of uppercase letters, lowercase
letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name, family
members’ names, or even your pet’s name
• Don’t use common dictionary words unless they are part
of a phrase
• Don’t make your password so complex that you forget it
or need to write it down somewhere
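The dos and don'ts above are exactly the kind of rules a NOS password-complexity policy (or a PAM complexity module) enforces at logon. The following is an added example, not code from the slides or the course text, showing what such a check looks like when written out: it reports every rule a candidate password breaks, including reuse of the logon name or family/pet names and the "dictionary word plus decorations" case. The word list is a small constructed stand-in for a real dictionary file, and the function name is an assumption of this example.

```python
import re

# Constructed stand-in for a dictionary file; a real policy would load a
# large word list. This is an assumption of the example, not from the slides.
COMMON_WORDS = {"password", "welcome", "network", "summer", "dragon"}


def password_problems(password, logon_name="", personal_names=(), min_len=8,
                      dictionary=COMMON_WORDS):
    """Return the list of policy rules a candidate password violates.

    Rules mirror the slide: mixed case, a digit, a special character, a
    minimum length, nothing based on the logon name or personal names, and
    no bare dictionary word. An empty list means the password passes.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    lowered = password.lower()
    for name in (logon_name, *personal_names):
        if name and name.lower() in lowered:
            problems.append(f"contains personal name '{name}'")

    # A dictionary word is acceptable only as part of a longer phrase. Flag the
    # case where the password is just that word with digits/symbols added
    # (e.g. "Password1!"), since that is the first thing guessing tools try.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in dictionary:
        if letters_only == word:
            problems.append(f"is the dictionary word '{word}' with decorations")
    return problems


if __name__ == "__main__":
    for candidate in ("NetW@rk1ng !s C00l", "Password1", "Password1!", "Fido2024!"):
        print(f"{candidate!r}: {password_problems(candidate, personal_names=('Fido',)) or 'OK'}")
```

The slide's own phrase example passes every rule, while "Password1!" satisfies the character-class rules but is still rejected because stripping the decorations leaves a dictionary word.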
20
Authorizing Access to Files and Folders
Tomsho, Tittel, Johnson (2007)
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and only
folders) shared over the network
• Don’t apply to files/folders if user is logged on
locally
• These are the only file security options available in
a FAT or FAT32 file system
– NTFS permissions allow administrators to assign
permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to
user accounts and group accounts
• Six standard permissions are available for folders
21
Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)
22
Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)
23
Securing Data with Encryption
Tomsho, Tittel, Johnson (2007)
• Use encryption to safeguard data as it travels across
the Internet and within the company network
– Prevents somebody using eavesdropping technology,
such as a packet sniffer, from capturing packets and
using the data for malicious purposes
• Data on disks can be secured with encryption
24
Using IPSec to Secure Network Data
Tomsho, Tittel, Johnson (2007)
• The most popular method for encrypting data as it
travels network media is to use an extension to the IP
protocol called IP Security (IPSec)
– Establishes an association between two
communicating devices
• Association is formed by two devices
authenticating their identities via a preshared key,
Kerberos authentication, or digital certificates
– After the communicating parties are authenticated,
encrypted communication can commence
25
IPSec
Wikipedia-IPSec (n.d).
• IP Security
• A set of protocols operating at the Network layer
(layer 3).
• 2 Modes
– Transport Mode:
• Only payload in packet is encrypted (header is not)
• Host to Host communication
– Tunnel Mode:
• Entire IP packet is encrypted, including header
• Encapsulated in another packet for routing across internet.
• Network to Network communication
26
Securing Data on Disk
• Windows allows data to be encrypted at
the folder level
– Can optionally include subfolders
– Based on owner of file
– Groups of users can be defined
• Linux allows data to be encrypted:
– GPG (GNU Privacy Guard) from FSF.
– GPG is available for Windows also
27
VPN
Wikipedia-VPN
• VPN – Virtual Private Network
• A virtual (logical) private network running on top of a
public network (e.g. Internet).
• Useful for providing remote access without using
dedicated lines.
• 2 parts: ‘inside’ network which is trusted and ‘outside’
part which is not trusted.
• VPN Server manages authentication
• When active, all access from the client to the outside must pass
through a firewall – this makes the client act as if it were in the
‘inside’ network.
28
Securing Communication with Virtual Private Networks
Tomsho, Tittel, Johnson (2007)
29
VPN Benefits
Tomsho, Tittel, Johnson (2007)
• Advantages of using VPNs
– Installing several modems on an RRAS server so that users can
dial up the server directly isn’t necessary; instead, users can dial
up any ISP
– RRAS = Windows Routing and Remote Access Server.
– Remote users can usually access an RRAS server by making
only a local phone call, as long as they can access a local ISP
– When broadband Internet connectivity is available (e.g., DSL,
cable modem), remote users can connect to the corporate
network at high speed, making remote computing sessions more
productive
• Additionally, VPNs save costs
30
Protecting Networks with Firewalls
Tomsho, Tittel, Johnson (2007)
• Firewall: HW device or SW program that inspects
packets going into or out of a network or computer, and
then discards/forwards them based on rules
– Protects against outside attempts to access
unauthorized resources, and against malicious
network packets intended to disable or cripple a
corporate network and its resources
– If placed between Internet and corporate network, can
restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a
packet (stateful packet inspection (SPI))
31
Types of Firewalls
Wikipedia-firewall (n.d.)
• Packet Filter Firewall:
– Stateless
– Rules are static
• Circuit Level Firewall:
– Stateful
– Can determine if packet is a new or part of an
existing connection.
• Application Layer Firewall:
– Also known as proxy based firewalls
32
Using a Router as a Firewall
Tomsho, Tittel, Johnson (2007)
• A firewall is just a router with specialized SW that
facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets are
permitted both into and out of the network
– Network administrator must create rules (access
control lists) that deny certain types of packets
• Typically, an administrator builds access control
lists so that all packets are denied, and then
creates rules that make exceptions
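The two firewall slides above describe three ideas that are easiest to see side by side: a packet filter that applies static rules, the deny-all-then-add-exceptions way an administrator builds a router's access control list, and a circuit-level (stateful) filter that remembers connections. The code below is an added example written for this page, not the text's or any vendor's firewall implementation. It assumes a constructed ACL for an imaginary 10.0.0.0/24 LAN (inbound web traffic and all outbound traffic permitted, everything else denied) and documentation-range addresses; the `Packet`, `Rule` and `StatefulFilter` names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source CIDR block
    dst: str                # destination CIDR block
    dport: Optional[int]    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))


# Constructed access list (assumption of this example): the only exceptions
# to the default deny are inbound web traffic and anything leaving the LAN.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.0/24", 80),
    Rule("permit", "any", "10.0.0.0/24", "0.0.0.0/0", None),
]


def stateless_filter(rules, pkt):
    """Packet-filter firewall: the first matching static rule decides. With no
    match the packet is denied, i.e. deny all, then add exceptions."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Circuit-level firewall: rules are consulted only for connection openers
    (TCP SYN, or any UDP datagram); packets belonging to a flow already in the
    state table pass without another rule lookup."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # (src, sport, dst, dport, proto) of permitted flows

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def process(self, pkt):
        if self._key(pkt) in self.table or self._reverse(pkt) in self.table:
            return "permit"          # continuation or reply of a known flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"            # mid-stream segment with no known flow
        action = stateless_filter(self.rules, pkt)
        if action == "permit":
            self.table.add(self._key(pkt))
        return action


def demo():
    """Contrast the two filters on an outbound HTTPS request, its reply, and
    an unsolicited inbound SSH probe. Returns the decisions as a dict."""
    request = Packet("10.0.0.5", "203.0.113.9", "tcp", 40000, 443, syn=True)
    reply = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 40000)
    probe = Packet("198.51.100.7", "10.0.0.5", "tcp", 5555, 22, syn=True)
    fw = StatefulFilter(RULES)
    return {
        "stateless request": stateless_filter(RULES, request),
        "stateless reply": stateless_filter(RULES, reply),   # denied: no rule for it
        "stateful request": fw.process(request),
        "stateful reply": fw.process(reply),                 # permitted from state table
        "unsolicited ssh probe": fw.process(probe),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The point the demo makes is the practical difference between the two types: with a purely static rule set the server's reply to an internal client is dropped unless the administrator adds a broad inbound exception, whereas the stateful filter recognises it as part of an existing connection and still denies the unsolicited probe.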
33
Using Intrusion Detection Systems
Tomsho, Tittel, Johnson (2007)
• An IDS usually works with a firewall or router with access control
lists
– A firewall protects a network from potential break-ins or DoS
attacks, but an IDS must detect an attempted security breach
and notify the network administrator
– May be able to take countermeasures if an attack is in progress
– Invaluable tool to help administrators know how often their
network is under attack and devise security policies aimed at
thwarting threats before they have a chance to succeed
– Too many false positives will result in the IDS being ignored
34
NAT
Wikipedia-NAT (n.d.)
• Network Address Translation (IP-masquerading)
• Router/Firewall replaces the internal source IP address in the IP
packet with its own IP address when sending packets out.
• Router/Firewall reverses the process for incoming packets.
• Useful for hiding the identity of real IP addresses behind
the firewall
• Can be used for IP address reuse
– multiple machines share same IP address
– Common in home routers
– ISP assigns single public IP address
– Router maps to multiple private IP addresses
– TCP and UDP port numbers used for de-multiplexing
35
Using Network Address Translation to Improve Security
Tomsho, Tittel, Johnson (2007)
• A benefit of NAT is that the real address of an internal
network resource is hidden and inaccessible to the
outside world
– Because most networks use NAT with private IP
addresses, those devices configured with private
addresses can’t be accessed directly from outside the
network
– An external device can’t initiate a network
conversation with an internal device, thus limiting an
attacker’s options to cause mischief
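The two NAT slides above describe the same mechanism from two angles: port numbers let one public address be shared by many private hosts, and the absence of a mapping is what stops an outside device from initiating a conversation with an inside one. The following is an added example written for this page, not code from the text or from any router; it assumes a constructed router with public address 203.0.113.1 and two internal hosts on 192.168.1.0/24, and the class and method names are this example's own.

```python
class PortNat:
    """Port-based NAT (IP masquerading) table for a router with one public
    address. Packets are plain dicts with src/sport/dst/dport/proto keys."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port, proto) -> public port
        self.in_map = {}    # (public port, proto) -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite an outgoing packet: the source becomes the router's public
        IP plus a unique public port, so replies can be de-multiplexed later."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": self.out_map[key]}

    def inbound(self, pkt):
        """Reverse the translation for a packet arriving at the public IP.
        Returns None when no mapping exists: the packet was not solicited from
        inside, so the router has nowhere to send it and drops it."""
        target = self.in_map.get((pkt["dport"], pkt["proto"]))
        if pkt["dst"] != self.public_ip or target is None:
            return None
        return {**pkt, "dst": target[0], "dport": target[1]}


def demo():
    """Two internal hosts using the same source port reach the same web
    server; only the host that started a conversation receives the reply."""
    nat = PortNat("203.0.113.1")   # constructed public address
    host_a = {"src": "192.168.1.10", "sport": 50000,
              "dst": "198.51.100.20", "dport": 80, "proto": "tcp"}
    host_b = {"src": "192.168.1.11", "sport": 50000,
              "dst": "198.51.100.20", "dport": 80, "proto": "tcp"}
    a_out, b_out = nat.outbound(host_a), nat.outbound(host_b)
    reply_to_b = {"src": "198.51.100.20", "sport": 80, "dst": "203.0.113.1",
                  "dport": b_out["sport"], "proto": "tcp"}
    unsolicited = {"src": "198.51.100.77", "sport": 4444, "dst": "203.0.113.1",
                   "dport": 22, "proto": "tcp"}
    return {
        "a_public_port": a_out["sport"],
        "b_public_port": b_out["sport"],
        "reply_to_b": nat.inbound(reply_to_b),
        "unsolicited": nat.inbound(unsolicited),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both hosts chose source port 50000, so without the per-flow public port the router could not tell their replies apart; and because nothing inside ever opened a flow toward port 22, the inbound probe translates to nothing and is discarded.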
36
Protecting a Network from Worms, Viruses, and Rootkits
Tomsho, Tittel, Johnson (2007)
• Malware is SW designed to cause harm/disruption to a
computer system or perform activities on a computer
without the consent of its owner
– A virus spreads by replicating itself into other
programs or documents
– A worm is similar to a virus, but it doesn’t attach itself
to another program
– A backdoor is a program installed on a computer that
permits access to the computer, bypassing the normal
authentication process
– To help prevent spread of malware, every computer
should have virus-scanning software running
37
Protecting a Network from Worms, Viruses, and Rootkits (continued)
Tomsho, Tittel, Johnson (2007)
• A Trojan Horse program appears to be something useful, but in
reality contains some type of malware
• Rootkits are a form of Trojan programs that can monitor traffic to
and from a computer, monitor keystrokes, and capture passwords
– Used to hide files and programs from the OS
– Sony added rootkits to audio CDs to prevent copying
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the hoax is
the virus!
• Malware protection can be expensive; however, the loss of data
and productivity that can occur when a network becomes infected is
much more costly
• Phishing – social engineering
– E.g. fake (web) services used to collect sensitive data
38
Protecting a Network from Spyware and Spam
Tomsho, Tittel, Johnson (2007)
• Spyware: monitors/controls part of a computer at the
expense of user’s privacy and to the gain of a third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and some
are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth,
and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places
on an e-mail account, spammers find a way
around them
39
Implementing Wireless Security
Tomsho, Tittel, Johnson (2007), Wikipedia
• Attackers who drive around looking for wireless LANs to intercept
are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
• Service Set Identifier – identifies network
– Wired Equivalency Protocol (WEP)
• 1999 – Can be cracked in 2 minutes with available software
– Wi-Fi Protected Access (WPA)
• 2003 – Stronger than WEP. Not supported by all access points.
– 802.11i
• 2004 – same as WPA2, superset of WPA.
– MAC address filtering
• Access control list based on MAC address
• You should also set policies: limit AP signal access, change
encryption key regularly, etc.
40
Using a Cracker’s Tools to Stop Network Attacks
Tomsho, Tittel, Johnson (2007)
• If you want to design a good, solid network
infrastructure, hire a security consultant who knows the
tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to
compromise a network or computer system for the
purposes of personal gain or to cause harm
– The term hacker has had a number of meanings
throughout the years
– White hats often use the term penetration tester for
their consulting services
41
Discovering Network Resources
Tomsho, Tittel, Johnson (2007)
• Attackers use command-line utilities such as Ping,
Traceroute, Finger, and Nslookup to get information about the
network configuration and resources
– Other tools used
• Ping scanner: automated method for pinging a range
of IP addresses
• Port scanner: determines which TCP and UDP ports
are available on a particular computer or device
• Protocol analyzers are also useful for resource
discovery because they allow you to capture packets
and determine which protocol’s services are running
42
Disabling Network Resources
Tomsho, Tittel, Johnson (2007)
• A denial-of-service (DoS) attack is an attacker’s
attempt to tie up network bandwidth or network services
so that it renders those resources useless to legitimate
users
– Packet storms typically use the UDP protocol
because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie
up a server with invalid TCP sessions, thereby
preventing real sessions from being created
– In a ping flood, a program sends a large number of
ping packets to a host
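The half-open SYN attack above is what an IDS (slide 34) is expected to notice and report to the administrator, and the slide's warning about false positives applies directly: a handshake that is merely still in progress must not be counted. The following is an added example written for this page, not the text's or any IDS product's detection logic. It runs over a constructed packet trace (one normal handshake, one handshake still in flight, and one source that sends many SYNs and never completes them) and counts stale half-open connections per source; the function names, threshold and grace period are assumptions of this example.

```python
from collections import defaultdict

# Constructed packet trace: (time_s, src, sport, dst, dport, tcp_flags).
# 10.0.0.5 completes a normal handshake with web server 10.0.0.80;
# 10.0.0.9 has a handshake that is still in progress at the end of the trace;
# 198.51.100.7 sends many SYNs from different source ports and never sends
# the final ACK, leaving the server holding half-open connections.
SAMPLE_TRACE = [
    (0.00, "10.0.0.5", 40000, "10.0.0.80", 80, "S"),
    (0.01, "10.0.0.80", 80, "10.0.0.5", 40000, "SA"),
    (0.02, "10.0.0.5", 40000, "10.0.0.80", 80, "A"),
    (4.95, "10.0.0.9", 40100, "10.0.0.80", 80, "S"),
]
SAMPLE_TRACE += [
    (1.0 + i * 0.01, "198.51.100.7", 1000 + i, "10.0.0.80", 80, "S")
    for i in range(30)
]


def half_open_by_source(trace, now, grace=1.0):
    """Return {source: count} of SYNs never followed by the client's ACK that
    are older than `grace` seconds at time `now`. The grace period keeps
    handshakes that are simply still in flight from being counted."""
    pending = defaultdict(dict)   # src -> {(sport, dst, dport): syn_time}
    for t, src, sport, dst, dport, flags in trace:
        flow = (sport, dst, dport)
        if flags == "S":
            pending[src][flow] = t
        elif "A" in flags and flags != "SA":
            pending[src].pop(flow, None)   # client's ACK completes the handshake
    return {src: sum(1 for t in flows.values() if now - t >= grace)
            for src, flows in pending.items()}


def syn_flood_alerts(trace, now, threshold=20, grace=1.0):
    """Sources with at least `threshold` stale half-open connections. The
    threshold and grace values are the tuning knobs that trade detection
    speed against the false positives the IDS slide warns about."""
    counts = half_open_by_source(trace, now, grace)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("half-open per source:", half_open_by_source(SAMPLE_TRACE, now=5.0))
    print("alerts:", syn_flood_alerts(SAMPLE_TRACE, now=5.0))
```

With the trace evaluated at t=5.0 only the source with thirty unanswered SYNs is reported; the completed handshake contributes nothing, and the one opened at t=4.95 is still inside the grace period. Lowering the threshold or grace period makes the detector react sooner at the cost of more spurious alerts, which is the trade-off behind the slide's remark that an IDS producing too many false positives ends up ignored.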
43
References
Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston: Thomson Course Technology.
Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide. Indianapolis: Cisco Press.
Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from http://en.wikipedia.org/wiki/OSI_Model
Wikipedia-IPSec (n.d.). IPsec. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Ipsec
Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Vpn
Wikipedia-firewall (n.d.). Firewall (Networking). Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Firewall
Wikipedia-NAT (n.d.). Network Address Translation. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Network_address_translation
44