Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network
Security Fundamentals,

Fourth Edition

Chapter 6

Network Security

Objectives

•
List the different types of network security devices
and explain how they can be used

•
Define network address translation and network
access control

•
Explain how to enhance security through network
design

Security+ Guide to Network Security
Fundamentals, Fourth Edition

2

Security Through Network Devices

•
Not all applications designed, written with security
in mind

–
Network must provide protection

•
Networks with weak security invite attackers

•
Aspects of building a secure network

–
Network devices

–
Network technologies

–
Design of the network itself

Security+ Guide to Network Security
Fundamentals, Fourth Edition

3

Standard Network Devices

•
Security features found in network hardware

–
Provide basic level of security

•
Open systems interconnection (OSI) model

–
Network devices classified based on function

–
Standards released in 1978, revised in 1983, still
used today

–
Illustrates:

•
How network device prepares data for delivery

•
How data is handled once received


Security+ Guide to Network Security
Fundamentals, Fourth Edition

4

Standard Network Devices (cont’d.)

•
OSI model breaks networking steps into seven
layers

–
Each layer has different networking tasks

–
Each layer cooperates with adjacent layers


Security+ Guide to Network Security
Fundamentals, Fourth Edition

5

Security+ Guide to Network Security
Fundamentals, Fourth Edition

6

Table 6
-
1 OSI reference model

Standard Network Devices (cont’d.)

•
Hubs

–
Connect multiple Ethernet devices together:

•
To function as a single network segment

–
Use twisted
-
pair copper or fiber
-
optic cables

–
Work at Layer 1 of the OSI model

–
Do not read data passing through them

–
Ignorant of data source and destination

–
Rarely used today because of inherent security
vulnerability

Security+ Guide to Network Security
Fundamentals, Fourth Edition

7

Standard Network Devices (cont’d.)

•
Switches

–
Network switch connects network segments

–
Operate at Data Link Layer (Layer 2)

–
Determine which device is connected to each port

–
Can forward frames sent to that specific device

•
Or broadcast to all devices

–
Use MAC address to identify devices

–
Provide better security than hubs

Security+ Guide to Network Security
Fundamentals, Fourth Edition

8

Standard Network Devices (cont’d.)

•
Network administrator should be able to monitor
network traffic

–
Helps identify and troubleshoot network problems

•
Traffic monitoring methods

–
Port mirroring

–
Network tap (test access point)

•
Separate device installed between two network
devices


Security+ Guide to Network Security
Fundamentals, Fourth Edition

9

Security+ Guide to Network Security
Fundamentals, Fourth Edition

10

Figure 6
-
1 Port mirroring

© Cengage Learning 2012

Security+ Guide to Network Security
Fundamentals, Fourth Edition

11

Figure 6
-
2 Network tap

© Cengage Learning 2012

Security+ Guide to Network Security
Fundamentals, Fourth Edition

12

Table 6
-
2 Protecting the switch

Standard Network Devices (cont’d.)

•
Routers

–
Forward packets across computer networks

–
Operate at Network Layer (Layer 3)

–
Can be set to filter out specific types of network
traffic

•
Load balancers

–
Help evenly distribute work across a network

–
Allocate requests among multiple devices

Security+ Guide to Network Security
Fundamentals, Fourth Edition

13

Standard Network Devices (cont’d.)

•
Advantages of load
-
balancing technology

–
Reduces probability of overloading a single server

–
Optimizes bandwidth of network computers

–
Reduces network downtime

•
Load balancing is achieved through software or
hardware device (load balancer)

Security+ Guide to Network Security
Fundamentals, Fourth Edition

14

Standard Network Devices (cont’d.)

•
Security advantages of load balancing

–
Can stop attacks directed at a server or application

–
Can detect and prevent denial
-
of
-
service attacks

–
Some can deny attackers information about the
network

•
Hide HTTP error pages

•
Remove server identification headers from HTTP
responses


Security+ Guide to Network Security
Fundamentals, Fourth Edition

15

Network Security Hardware

•
Specifically designed security hardware devices

–
Greater protection than standard networking devices

•
Firewalls

–
Hardware
-
based network firewall inspects packets

–
Can either accept or deny packet entry

–
Usually located outside network security perimeter

Security+ Guide to Network Security
Fundamentals, Fourth Edition

16

Security+ Guide to Network Security
Fundamentals, Fourth Edition

17

Figure 6
-
3 Firewall location

© Cengage Learning 2012

Network Security Hardware (cont’d.)

•
Firewall actions on a packet

–
Allow (let packet pass through)

–
Block (drop packet)

–
Prompt (ask what action to take)

•
Rule
-
based firewall settings

–
Set of individual instructions to control actions

•
Settings
-
based firewall

–
Allows administrator to create parameters

Security+ Guide to Network Security
Fundamentals, Fourth Edition

18

Security+ Guide to Network Security
Fundamentals, Fourth Edition

19

Table 6
-
3 Rule for Web page transmission

Network Security Hardware (cont’d.)

•
Methods of firewall packet filtering

–
Stateless packet filtering

•
Inspects incoming packet and permits or denies based
on conditions set by administrator

–
Stateful packet filtering

•
Keeps record of state of connection

•
Makes decisions based on connection and conditions


Security+ Guide to Network Security
Fundamentals, Fourth Edition

20

Network Security Hardware (cont’d.)

•
Web application firewall

–
Looks deeply into packets that carry HTTP traffic

•
Web browsers

•
FTP

•
Telnet

–
Can block specific sites or specific known attacks

–
Can block XSS and SQL injection attacks


Security+ Guide to Network Security
Fundamentals, Fourth Edition

21

Network Security Hardware (cont’d.)

•
Proxies

–
Devices that substitute for primary devices

•
Proxy server

–
Computer or application that intercepts and
processes user requests

–
If a previous request has been fulfilled:

•
Copy of the Web page may reside in proxy server’s
cache

–
If not, proxy server requests item from external Web
server using its own IP address

Security+ Guide to Network Security
Fundamentals, Fourth Edition

22

Security+ Guide to Network Security
Fundamentals, Fourth Edition

23

Figure 6
-
4 Proxy server

© Cengage Learning 2012

Security+ Guide to Network Security
Fundamentals, Fourth Edition

24

Figure 6
-
5 Configuring access to proxy servers

© Cengage Learning 2012

Network Security Hardware (cont’d.)

•
Proxy server advantages

–
Increased speed (requests served from the cache)

–
Reduced costs (cache reduces bandwidth required)

–
Improved management

•
Block specific Web pages or sites

–
Stronger security

•
Intercept malware

•
Hide client system’s IP address from the open Internet

Security+ Guide to Network Security
Fundamentals, Fourth Edition

25

Network Security Hardware (cont’d.)

•
Reverse proxy

–
Does not serve clients

–
Routes incoming requests to correct server

–
Reverse proxy’s IP address is visible to outside
users

•
Internal server’s IP address hidden

Security+ Guide to Network Security
Fundamentals, Fourth Edition

26

Security+ Guide to Network Security
Fundamentals, Fourth Edition

27

Figure 6
-
6 Reverse proxy

© Cengage Learning 2012

Network Security Hardware (cont’d.)

•
Spam filters

–
Enterprise
-
wide spam filters block spam before it
reaches the host

•
Email systems use two protocols

–
Simple Mail Transfer Protocol (SMTP)

•
Handles outgoing mail

–
Post Office Protocol (POP)

•
Handles incoming mail

Security+ Guide to Network Security
Fundamentals, Fourth Edition

28

Network Security Hardware (cont’d.)

•
Spam filters installed with the SMTP server

–
Filter configured to listen on port 25

–
Pass non
-
spam e
-
mail to SMTP server listening on
another port

–
Method prevents SMTP server from notifying
spammer of failed message delivery

Security+ Guide to Network Security
Fundamentals, Fourth Edition

29

Security+ Guide to Network Security
Fundamentals, Fourth Edition

30

Figure 6
-
7 Spam filter with SMTP server

© Cengage Learning 2012

Network Security Hardware (cont’d.)

•
Spam filters installed on the POP3 server

–
All spam must first pass through SMTP server and
be delivered to user’s mailbox

–
Can result in increased costs

•
Storage, transmission, backup, deletion

•
Third
-
party entity contracted to filter spam

–
All email directed to third
-
party’s remote spam filter

–
E
-
mail cleansed before being redirected to
organization

Security+ Guide to Network Security
Fundamentals, Fourth Edition

31

Security+ Guide to Network Security
Fundamentals, Fourth Edition

32

Figure 6
-
8 Spam filter on POP3 server

© Cengage Learning 2012

Network Security Hardware (cont’d.)

•
Virtual private network (VPN)

–
Uses unsecured network as if it were secure

–
All data transmitted between remote device and
network is encrypted

•
Types of VPNs

–
Remote
-
access

•
User to LAN connection

–
Site
-
to
-
site

•
Multiple sites can connect to other sites over the
Internet

Security+ Guide to Network Security
Fundamentals, Fourth Edition

33

Network Security Hardware (cont’d.)

•
Endpoints

–
Used in communicating VPN transmissions

–
May be software on local computer

–
May be VPN concentrator (hardware device)

–
May be integrated into another networking device

•
VPNs can be software
-
based or hardware
-
based

–
Hardware
-
based generally have better security

–
Software
-
based have more flexibility in managing
network traffic

Security+ Guide to Network Security
Fundamentals, Fourth Edition

34

Network Security Hardware (cont’d.)

•
Internet content filters

–
Monitor Internet traffic

–
Block access to preselected Web sites and files

–
Unapproved sites identified by URL or matching
keywords

Security+ Guide to Network Security
Fundamentals, Fourth Edition

35

Security+ Guide to Network Security
Fundamentals, Fourth Edition

36

Table 6
-
4 Internet content filter features

Network Security Hardware (cont’d.)

•
Web security gateways

–
Can block malicious content in real time

–
Block content through application level filtering

•
Examples of blocked Web traffic

–
ActiveX objects

–
Adware, spyware

–
Peer to peer file sharing

–
Script exploits

Security+ Guide to Network Security
Fundamentals, Fourth Edition

37

Network Security Hardware (cont’d.)

•
Passive and active security can be used in a
network

–
Active measures provide higher level of security

•
Passive measures

–
Firewall

–
Internet content filter

•
Intrusion detection system (IDS)

–
Active security measure

–
Can detect attack as it occurs

Security+ Guide to Network Security
Fundamentals, Fourth Edition

38

Network Security Hardware (cont’d.)

•
Monitoring methodologies

–
Anomaly
-
based monitoring

•
Compares current detected behavior with baseline

–
Signature
-
based monitoring

•
Looks for well
-
known attack signature patterns

–
Behavior
-
based monitoring

•
Detects abnormal actions by processes or programs

•
Alerts user who decides whether to allow or block
activity

–
Heuristic monitoring

•
Uses experience
-
based techniques

Security+ Guide to Network Security
Fundamentals, Fourth Edition

39

Security+ Guide to Network Security
Fundamentals, Fourth Edition

40

Table 6
-
5 Methodology comparisons to trap port
-
scanning application

Network Security Hardware (cont’d.)

•
Host intrusion detection system (HIDS)

–
Software
-
based application that can detect attack as
it occurs

–
Installed on each system needing protection

–
Monitors system calls and file system access

–
Can recognize unauthorized Registry modification

–
Monitors all input and output communications

•
Detects anomalous activity

Security+ Guide to Network Security
Fundamentals, Fourth Edition

41

Network Security Hardware (cont’d.)

•
Disadvantages of HIDS

–
Cannot monitor network traffic that does not reach
local system

–
All log data is stored locally

–
Resource
-
intensive and can slow system

Security+ Guide to Network Security
Fundamentals, Fourth Edition

42

Network Security Hardware (cont’d.)

•
Network intrusion detection system (NIDS)

–
Watches for attacks on the network

–
NIDS sensors installed on firewalls and routers:

•
Gather information and report back to central device

–
Passive NIDS will sound an alarm

–
Active NIDS will sound alarm and take action

•
Actions may include filtering out intruder’s IP address
or terminating TCP session

Security+ Guide to Network Security
Fundamentals, Fourth Edition

43

Security+ Guide to Network Security
Fundamentals, Fourth Edition

44

Table 6
-
6 NIDS evaluation techniques

Network Security Hardware (cont’d.)

•
Network intrusion prevention system (NIPS)

–
Similar to active NIDS

–
Monitors network traffic to immediately block a
malicious attack

–
NIPS sensors located in line on firewall itself

Security+ Guide to Network Security
Fundamentals, Fourth Edition

45

Network Security Hardware (cont’d.)

•
All
-
in
-
one network security appliances

–
One integrated device replaces multiple security
devices

•
Recent trend:

–
Combining multipurpose security appliances with
traditional device such as a router

–
Advantage of approach

•
Network devices already process all packets

•
Switch that contains anti
-
malware software can
inspect all packets

Security+ Guide to Network Security
Fundamentals, Fourth Edition

46

Security Through Network
Technologies

•
Internet routers
normally drop packet with a private
address

•
Network address translation (NAT)

–
Allows private IP addresses to be used on the public
Internet

–
Replaces private IP address with public address

•
Port address translation (PAT)

–
Variation of NAT

•
Outgoing packets given same IP address but different
TCP port number

Security+ Guide to Network Security
Fundamentals, Fourth Edition

47

Security+ Guide to Network Security
Fundamentals, Fourth Edition

48

Table 6
-
7 Private IP addresses

Figure 6
-
9 Network address translation (NAT)

© Cengage Learning 2012

Security Through Network
Technologies (cont’d.)

•
Advantages of NAT

–
Masks IP addresses of internal devices

–
Allows multiple devices to share smaller number of
public IP addresses

•
Network access control

–
Examines current state of system or network device:

•
Before allowing network connection

–
Device must meet set of criteria

•
If not met, NAC allows connection to quarantine
network until deficiencies corrected

Security+ Guide to Network Security
Fundamentals, Fourth Edition

49

Security+ Guide to Network Security
Fundamentals, Fourth Edition

50

Figure 6
-
10 Network access control framework

© Cengage Learning 2012

Security Through Network Design
Elements

•
Elements of a secure network design

–
Demilitarized zones

–
Subnetting

–
Virtual LANs

–
Remote access

Security+ Guide to Network Security
Fundamentals, Fourth Edition

51

Demilitarized Zone (DMZ)

•
Separate network located outside secure network
perimeter

•
Untrusted outside users can access DMZ but not
secure network

Security+ Guide to Network Security
Fundamentals, Fourth Edition

52

Security+ Guide to Network Security
Fundamentals, Fourth Edition

53

Figure 6
-
11 DMZ with one firewall

© Cengage Learning 2012

Security+ Guide to Network Security
Fundamentals, Fourth Edition

54

Figure 6
-
12 DMZ with two firewalls

© Cengage Learning 2012

Subnetting

•
IP address may be split anywhere within its 32 bits

•
Network can be divided into three parts

–
Network

–
Subnet

–
Host

•
Each network can contain several subnets

•
Each subnet can contain multiple hosts

Security+ Guide to Network Security
Fundamentals, Fourth Edition

55

Subnetting (cont’d.)

•
Improves network security by isolating groups of
hosts

•
Allows administrators to hide internal network
layout

Security+ Guide to Network Security
Fundamentals, Fourth Edition

56

Security+ Guide to Network Security
Fundamentals, Fourth Edition

57

Table 6
-
8 Advantages of subnetting

Security+ Guide to Network Security
Fundamentals, Fourth Edition

58

Figure 6
-
13 Subnets

© Cengage Learning 2012

Virtual LANs (VLAN)


•
Allow scattered users to be logically grouped
together:

–
Even if attached to different switches

•
Can isolate sensitive data to VLAN members

•
Communication on a VLAN

–
If connected to same switch, switch handles packet
transfer

–
Special “tagging” protocol used for communicating
between switches

Security+ Guide to Network Security
Fundamentals, Fourth Edition

59

Remote Access

•
Working away from the office commonplace today

–
Telecommuters

–
Traveling sales representatives

–
Traveling workers

•
Strong security for remote workers must be
maintained

–
Transmissions are routed through networks not
managed by the organization

•
Provides same functionality as local users

–
Through VPN or dial
-
up connection

Security+ Guide to Network Security
Fundamentals, Fourth Edition

60

Summary

•
Standard network security devices provide a
degree of security

–
Hubs, switches, router, load balancer

•
Hardware devices specifically designed for security
give higher protection level

–
Hardware
-
based firewall, Web application firewall

•
Proxy server intercepts and processes user
requests

•
Virtual private network uses unsecured public
network and encryption to provide security


Security+ Guide to Network Security
Fundamentals, Fourth Edition

61

Summary (cont’d.)

•
Intrusion detection system designed to detect
attack as it occurs

•
Network technologies can help secure a network

–
Network address translation

–
Network access control

•
Methods for designing a secure network

–
Demilitarized zones

–
Virtual LANs


Security+ Guide to Network Security
Fundamentals, Fourth Edition

62