Chap 9

Networks and Communications

23 Oct 2013

Devices

Chapter 9

Learning Objectives


Understand the purpose of a network firewall and the kinds of firewall technology available on the market

Understand the role of routers, switches, and other networking hardware in security

Determine when VPN or RAS technology works to provide a secure network connection

Firewalls


Hardware or software device that provides a means of securing a computer or network from unwanted intrusion

  Dedicated physical device that protects the network from intrusion

  Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Management Cycle for Firewall Protection

1. Draft a written security policy

2. Design the firewall to implement the policy

3. Implement the design by installing selected hardware and software

4. Test the firewall

5. Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

Drafting a Security Policy


What am I protecting?

From whom?

What services does my company need to access over the network?

Who gets access to what resources?

Who administers the network?

Available Targets and Who Is Aiming at Them

Common areas of attack

  Web servers

  Mail servers

  FTP servers

  Databases

Intruders

  Sport hackers

  Malicious hackers

Who Gets Access to Which Resources?

List employees or groups of employees along with the files and file servers and databases and database servers they need to access

List which employees need remote access to the network

Who Administers the Network?


Determine individual(s) and the scope of individual management control

Designing the Firewall to Implement the Policy

Select appropriate technology to deploy the firewall

What Do Firewalls Protect Against?


Denial of service (DoS)

  Ping of death

  Teardrop or Raindrop attacks

  SYN flood

  LAND attack

  Brute force or smurf attacks

IP spoofing

How Do Firewalls Work?


Network address translation (NAT)

Basic packet filtering

Stateful packet inspection (SPI)

Access control lists (ACL)

Network Address Translation (NAT)


Only technique used by basic firewalls

Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic

Each active connection requires a unique external address for the duration of the communication

Port address translation (PAT)

  Derivative of NAT

  Supports thousands of simultaneous connections on a single public IP address
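As an added example (not from the slides or from any firewall product), the following Python models a PAT translation table: every internal connection is rewritten to the one public address with its own external port, and an inbound packet is only forwarded if it matches a mapping that an internal host created. All addresses and the port range are constructed for illustration.

```python
# Added example: a minimal port address translation (PAT) table, written for this
# page to show how many internal connections share one public IP. Not from any
# real firewall; the addresses and port range are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass
class PatTable:
    public_ip: str
    next_port: int = 1024           # first external port handed out
    # (external port, remote endpoint) -> internal endpoint
    inbound: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)
    # (internal endpoint, remote endpoint) -> external port
    outbound: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an outgoing packet to (public_ip, ext_port).
        A connection that already has a mapping keeps its external port."""
        key = (src, dst)
        if key not in self.outbound:
            if self.next_port > 65535:
                raise RuntimeError("external port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, dst)] = src
        return (self.public_ip, self.outbound[key])

    def translate_inbound(self, ext_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Map a reply back to the internal host. Packets with no matching
        outbound mapping are dropped (None): PAT only admits replies."""
        return self.inbound.get((ext_port, remote))


def demo() -> dict:
    pat = PatTable(public_ip="203.0.113.7")          # constructed public address
    web = ("198.51.100.20", 80)                      # constructed remote server
    a = pat.translate_outbound(("10.0.0.5", 40000), web)
    b = pat.translate_outbound(("10.0.0.6", 40000), web)   # same source port, other host
    again = pat.translate_outbound(("10.0.0.5", 40000), web)
    return {
        "host_a": a, "host_b": b, "reuse": again,
        "reply_to_a": pat.translate_inbound(a[1], web),
        "unsolicited": pat.translate_inbound(5000, ("192.0.2.9", 31337)),
    }
```

Two hosts using the same internal source port get distinct external ports, and an inbound packet with no mapping is dropped, which is the basic protection a PAT firewall gives.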

Basic Packet Filtering


Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules

Can be configured to screen information based on many data fields:

  Protocol type

  IP address

  TCP/UDP port

  Source routing information

Stateful Packet Inspection (SPI)


Controls access to the network by analyzing incoming/outgoing packets and letting them pass or not based on the IP addresses of source and destination

Examines a packet based on information in its header

Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks

Access Control Lists (ACL)


Rules built according to organizational policy that define who can access portions of the network

  access-list 101 permit tcp any 1.2.1.222 0.0.0.0 eq 80

  access-list 101 deny ip any 1.2.1.222 0.0.0.0
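As an added example (not from the slides or from any vendor), the following Python models how ACL 101 above is evaluated, and how the stateful check from the previous slide (which side of the firewall initiated the connection) adds to it: an inbound packet that looks like a reply but has no matching connection state is dropped even where the ACL alone would permit it. Packets are constructed dicts; all addresses other than 1.2.1.222 are made up.

```python
# Added example: a toy stateful packet filter combining the page's ACL 101 with a
# connection table, written for this page (not from any product). Packets are
# constructed dicts; addresses other than 1.2.1.222 are made up.
from typing import Dict, Set, Tuple

Packet = Dict[str, object]   # keys: proto, src, sport, dst, dport, dir ("in"/"out"), flags

# ACL 101 from the page: (action, proto, dst, dst_port); "any" matches everything.
ACL_101 = [
    ("permit", "tcp", "1.2.1.222", 80),
    ("deny",   "ip",  "1.2.1.222", "any"),
]


def acl_decision(pkt: Packet, acl=ACL_101) -> str:
    """First matching rule wins; an IOS-style ACL ends with an implicit deny."""
    for action, proto, dst, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dst != "any" and dst != pkt["dst"]:
            continue
        if dport != "any" and dport != pkt["dport"]:
            continue
        return action
    return "deny"


class StatefulFilter:
    def __init__(self) -> None:
        # 5-tuples of connections initiated from the inside, as seen outbound
        self.established: Set[Tuple] = set()

    def handle(self, pkt: Packet) -> str:
        key_out = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        key_reply = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["dir"] == "out":
            self.established.add(key_out)        # remember who started it
            return "permit"
        # Inbound reply to a connection opened from inside: allowed regardless of ACL
        if key_reply in self.established:
            return "permit"
        # Inbound packet claiming to be part of a session (ACK set, no SYN) with no
        # matching state is what a spoofed reply looks like, so it is dropped
        if pkt["proto"] == "tcp" and "ACK" in pkt["flags"] and "SYN" not in pkt["flags"]:
            return "deny"
        return acl_decision(pkt)                  # new inbound connection: consult ACL
```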

Routers


Network management device that sits between network segments and routes traffic from one network to another

Allows networks to communicate with one another

Allows the Internet to function

Acts as a digital traffic cop (with the addition of packet filtering)

How a Router Moves Information


Examines the electronic envelope surrounding a packet; compares the address to the list of addresses contained in the router's lookup tables

Determines which router to send the packet to next, based on changing network conditions

How a Router Moves Information

Beyond the Firewall

Demilitarized zone (DMZ)

Bastion hosts (potentially)

Demilitarized Zone


Area set aside for servers that are publicly accessible or have lower security requirements

Sits between the Internet and the internal network's line of defense

  Stateful device fully protects other internal systems

  Packet filter allows external traffic only to services provided by DMZ servers

Allows a company to host its own Internet services without exposing its private network to unauthorized access

Bastion Hosts


Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services

Gateway between an inside network and an outside network

Defends against attacks aimed at the inside network; used as a security measure

Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled

Do not share authentication services with trusted hosts within the network

Application Gateways


Also known as proxy servers

Monitor specific applications (FTP, HTTP, Telnet)

Allow packets accessing those services to go only to those computers that are allowed

Good backup to packet filtering

Application Gateways


Security advantages

  Information hiding

  Robust authentication and logging

  Simpler filtering rules

Disadvantage

  Two steps are required to connect inbound or outbound traffic; can increase processor overhead

OSI Reference Model


Architecture that classifies most network functions

Seven layers

  Application

  Presentation

  Session

  Transport

  Network

  Data-Link

  Physical

The OSI Stack


Layers 4 and 5

  Where TCP and UDP ports that control communication sessions operate

Layer 3

  Routes IP packets

Layer 2

  Delivers data frames across LANs

Limitations of Packet-Filtering Routers

ACL can become long, complicated, and difficult to manage and comprehend

Throughput decreases as the number of rules being processed increases

Unable to determine specific content or data of packets at layers 3 through 5

Switches


Provide the same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task

Reduce the collision domain to two nodes (switch and host)

Main benefit over hubs

  Separation of collision domains limits the possibility of sniffing

Switches

Switch Security


ACLs

Virtual Local Area Networks (VLANs)

Virtual Local Area Network


Uses public wires to connect nodes

Broadcast domain within a switched network

Uses encryption and other security mechanisms to ensure that

  Only authorized users can access the network

  Data cannot be intercepted

Clusters users in smaller groups

  Increases security from hackers

  Reduces the possibility of a broadcast storm

Security Problems with Switches


Common ways of switch hijacking

  Try default passwords which may not have been changed

  Sniff the network to get the administrator password via SNMP or Telnet

Securing a Switch


Isolate all management interfaces

Manage the switch by physical connection to a serial port or through secure shell (SSH) or another encrypted method

Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping

continued…

Securing a Switch


Put the switch behind a dedicated firewall device

Maintain the switch; install the latest version of software and security patches

Read product documentation

Set strong passwords

Quick Quiz


The process by which a private IP address in a corporate network is translated into a public address by a router or firewall is called _____________

True or False: Advanced firewalls use stateful packet inspection to improve security.

A computer providing public network services that resides inside a corporate network but outside its firewall is called a ______.

True or False: IP packets are routed by layer 2 of the OSI model.

A feature available in some switches that permits separating the switch into multiple broadcast domains is called _________.

Wireless


Almost anyone can eavesdrop on a network communication

Encryption is the only secure method of communicating with wireless technology

Modems

DSL versus Cable Modem Security


DSL

  Direct connection between computer/network and the Internet

Cable modem

  Connected to a shared segment; party line

  Most have basic firewall capabilities to prevent files from being viewed or downloaded

  Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

Dynamic versus Static IP Addressing


Static IP addresses

  Provide a fixed target for potential hackers

Dynamic IP addresses

  Provide enhanced security

  By changing the IP addresses of client machines, the DHCP server makes them moving targets for potential hackers

  Assigned by the Dynamic Host Configuration Protocol (DHCP)

Remote Access Service (RAS)


Provides a mechanism for one computer to securely dial in to another computer

Treats the modem as an extension of the network

Includes encryption and logging

Accepts incoming calls

Should be placed in the DMZ

Security Problems with RAS


Behind the physical firewall; potential for the network to be compromised

Most RAS systems offer encryption and callback as features to enhance security

Telecom/Private Branch Exchange (PBX)

PBX

  Private phone system that offers features such as voicemail, call forwarding, and conference calling

  Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

IP-Based PBX

PBX Security Concerns

Remote PBX management

Hoteling or job sharing

Many move codes are standardized and posted on the Internet

Virtual Private Networks


Provide a secure communication pathway or tunnel through public networks (e.g., the Internet)

Lowest levels of TCP/IP are implemented using an existing TCP/IP connection

Encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery

Further enhances security by implementing Internet Protocol Security (IPSec)

Intrusion Detection Systems (IDS)


Monitor networks and report on unauthorized attempts to access any part of the system

Available from many vendors

Forms

  Software (computer-based IDS)

  Dedicated hardware devices (network-based IDS)

Types of detection

  Anomaly-based detection

  Signature-based detection

Computer-based IDS

Software applications ("agents") are installed on each protected computer

Make use of disk space, RAM, and CPU time to analyze the OS, applications, and system audit trails

Compare these to a list of specific rules

Report discrepancies

Can be self-contained or remotely managed

Easy to upgrade software, but do not scale well

Network-based IDS

Monitors activity on a specific network segment

Dedicated platforms with two components

  Sensor

    Passively analyzes network traffic

  Management system

    Displays alarm information from the sensor

Anomaly-based Detection

Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles

Often leads to a large number of false positives

  Users do not access computers/network in static, predictable ways

Cost of building a sensor that could hold enough memory to contain the entire profile and the time to process the profiles is prohibitively large

Signature-based Detection

Similar to an antivirus program in its method of detecting potential attacks

Vendors produce a list of signatures used by the IDS to compare against activity on the network or host

When a match is found, the IDS takes some action (e.g., logging the event)

Can produce false positives; normal network activity may be construed as malicious
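As an added example covering both the anomaly-based and signature-based slides (written for this page; not a real IDS and not any vendor's ruleset), the Python below runs the two detection methods over the same constructed access log: the signature pass matches fixed patterns line by line, while the anomaly pass builds a per-client request profile and flags whoever falls far outside it. The busy client it flags may simply be a crawler, which is the false-positive problem the slide describes.

```python
# Added example: signature-based and anomaly-based detection run over a few
# constructed log lines, written for this page (not a real IDS or vendor ruleset).
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed web-server access log: (client_ip, request_path)
LOG: List[Tuple[str, str]] = [
    ("10.0.0.11", "/index.html"), ("10.0.0.11", "/about.html"),
    ("10.0.0.12", "/index.html"), ("10.0.0.13", "/login"),
    ("10.0.0.14", "/index.html"),
    ("10.0.0.15", "/cgi-bin/../../etc/passwd"),          # matches a signature
] + [("10.0.0.16", f"/page{i}") for i in range(40)]     # one very busy client

# Vendor-style signatures: name -> regex (constructed for this example)
SIGNATURES: Dict[str, re.Pattern] = {
    "path-traversal": re.compile(r"\.\./"),
    "passwd-file":    re.compile(r"/etc/passwd"),
}


def signature_alerts(log=LOG) -> List[Tuple[str, str]]:
    """Return (client_ip, signature_name) for each line that matches a signature."""
    hits = []
    for ip, path in log:
        for name, pat in SIGNATURES.items():
            if pat.search(path):
                hits.append((ip, name))
    return hits


def anomaly_alerts(log=LOG, z_threshold: float = 2.0) -> List[str]:
    """Flag clients whose request count is far above the statistical profile
    (more than z_threshold standard deviations over the mean per client).
    Nothing here says whether the busy client is hostile: that is the
    false-positive risk of profile-based detection."""
    counts = Counter(ip for ip, _ in log)
    values = list(counts.values())
    mean = statistics.mean(values)
    sd = statistics.pstdev(values)
    if sd == 0:                       # every client identical: no profile outliers
        return []
    return [ip for ip, n in counts.items() if (n - mean) / sd > z_threshold]
```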

Network Monitoring and Diagnostics


Essential steps in ensuring the safety and health of a network (along with IDS)

Can be either stand-alone or part of a network-monitoring platform

  HP's OpenView

  IBM's Netview/AIX

  Fidelia's NetVigil

  Aprisma's Spectrum

Ensuring Workstation and Server Security

Remove unnecessary protocols such as NetBIOS or IPX

Remove unnecessary user accounts

Remove unnecessary shares

Rename the administrator account

Use strong passwords

Personal Firewall Software Packages


Offer application-level blocking and packet filtering, and can put your computer into stealth mode by turning off most if not all ports

Many products available, including:

  Norton Firewall

  ZoneAlarm

  Black Ice Defender

  Tiny Software's Personal Firewall

Firewall Product Example

Antivirus Software Packages


Necessary even on a secure network

Many vendors, including:

  McAfee

  Norton

  Computer Associates

  Network Associates

Mobile Devices


Can open security holes for any computer with which these devices communicate

Chapter Summary


Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:

  Routers

  Switches

  Modems

  Various software packages designed to run on servers, workstations, and PDAs

continued…

Chapter Summary


Virtual private networks (VPNs)

Private branch exchanges (PBX)

Remote Access Services (RAS)

Quick Quiz


The standard used to help secure cable modem communications is called ____________

True or False: Static IP addressing is the most secure form of addressing.

True or False: RAS should be placed in the DMZ.

A _____________ is used to provide a secure communication channel through the public Internet

______________-based IDS uses statistical profiles.