Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 6: Network Security
Objectives
• List the different types of network security devices and explain how they can be used
• Define network address translation and network access control
• Explain how to enhance security through network design
Security+ Guide to Network Security Fundamentals, Fourth Edition (slide 2)
Security Through Network Devices
• Not all applications are designed and written with security in mind
  – The network itself must provide protection
• Networks with weak security invite attackers
• Aspects of building a secure network:
  – Network devices
  – Network technologies
  – Design of the network itself
Standard Network Devices
• Security features found in standard network hardware
  – Provide a basic level of security
• Open Systems Interconnection (OSI) model
  – Network devices are classified by the layer at which they function
  – Standards released in 1978, revised in 1983, still used today
  – Illustrates:
    • How a network device prepares data for delivery
    • How data is handled once received
Standard Network Devices (cont’d.)
• The OSI model breaks networking into seven layers
  – Each layer has different networking tasks
  – Each layer cooperates with the layers adjacent to it
Table 6-1 OSI reference model
Standard Network Devices (cont’d.)
• Hubs
  – Connect multiple Ethernet devices together so that they function as a single network segment
  – Use twisted-pair copper or fiber-optic cables
  – Work at Layer 1 (Physical) of the OSI model
  – Do not read the data passing through them: every frame is repeated out every port
  – Ignorant of data source and destination
  – Rarely used today because of an inherent security vulnerability: any host attached to a hub can capture every other host’s traffic
Standard Network Devices (cont’d.)
• Switches
  – A network switch connects network segments
  – Operate at the Data Link Layer (Layer 2)
  – Learn which device (MAC address) is connected to each port from the source address of the frames that arrive on it
  – Forward a frame only to the port of its destination device
    • Or flood it to all ports when the destination is unknown or the frame is a broadcast
  – Use MAC addresses to identify devices
  – Provide better security than hubs: a host normally sees only the traffic addressed to it
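Worked example (added here; not code from the textbook): a simulated Layer 2 learning switch next to a hub. It shows how the MAC address table is filled from the source address of each frame, why a switch sends a known unicast frame out one port while a hub repeats it out all of them, and a per-port limit on learned MAC addresses, which is an assumed hardening control of the kind a "protecting the switch" table would list, not something stated on the slide. MAC addresses and port numbers are constructed.

```python
"""Learning switch vs. hub, with a simple port-security limit.

Added example, not from the textbook. MAC addresses and port numbers are
constructed; the per-port MAC limit is an assumed hardening control.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Layer 2 switch: learns src MAC -> port, forwards unicast to the learned port."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = {}                       # MAC address -> port (the MAC / CAM table)
        self.max_macs = max_macs_per_port   # None = unlimited (no port security)
        self.violations = []                # (port, mac) pairs rejected by port security

    def _learn(self, port, mac):
        if mac in self.cam:
            self.cam[mac] = port            # host moved: update the entry
            return True
        if self.max_macs is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs:    # MAC flooding / spoofing attempt
                self.violations.append((port, mac))
                return False
        self.cam[mac] = port
        return True

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of ([] = dropped)."""
        if not self._learn(in_port, src):
            return []
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            # unknown destination or broadcast: flood, exactly like a hub
            return sorted(p for p in self.ports if p != in_port)
        return [] if out == in_port else [out]


def switch_demo():
    hub, sw = Hub([1, 2, 3]), Switch([1, 2, 3], max_macs_per_port=2)
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"      # constructed hosts on ports 1 and 2
    trace = [
        ("hub a->b", hub.forward(1, a, b)),               # [2, 3]: every other port sees it
        ("switch a->b, b unknown", sw.forward(1, a, b)),  # [2, 3]: flooded
        ("switch b->a", sw.forward(2, b, a)),             # [1]: a was learned on port 1
        ("switch a->b", sw.forward(1, a, b)),             # [2]: b was learned on port 2
    ]
    # MAC flooding from port 3: forged source MACs try to fill the table.
    for i in range(5):
        sw.forward(3, f"de:ad:be:ef:00:{i:02x}", a)
    return trace, dict(sw.cam), list(sw.violations)
```

Without the per-port limit, the forged addresses would all be learned; once the table is full, many switches fall back to flooding every frame, which turns the switch back into a hub for an eavesdropper.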
Standard Network Devices (cont’d.)
• A network administrator should be able to monitor network traffic
  – Helps identify and troubleshoot network problems
• Traffic monitoring methods on a switch
  – Port mirroring: the switch copies the frames from one or more ports to a designated monitoring port
  – Network tap (test access point)
    • Separate device installed between two network devices that passes a copy of the traffic to a monitor
Figure 6-1 Port mirroring
© Cengage Learning 2012
Figure 6-2 Network tap
Table 6-2 Protecting the switch
Standard Network Devices (cont’d.)
• Routers
  – Forward packets between computer networks
  – Operate at the Network Layer (Layer 3)
  – Can be configured (with access control lists) to filter out specific types of network traffic
• Load balancers
  – Help evenly distribute work across a network
  – Allocate incoming requests among multiple devices, for example a pool of Web servers
Standard Network Devices (cont’d.)
• Advantages of load-balancing technology
  – Reduces the probability of overloading a single server
  – Optimizes bandwidth of network computers
  – Reduces network downtime
• Load balancing is achieved through software or a hardware device (load balancer)
Standard Network Devices (cont’d.)
• Security advantages of load balancing
  – Can stop attacks directed at a server or application
  – Can detect and help block denial-of-service attacks
  – Some can deny attackers information about the network
    • Hide detailed HTTP error pages
    • Remove server identification headers (such as Server) from HTTP responses
Network Security Hardware
• Specifically designed security hardware devices
  – Greater protection than standard networking devices
• Firewalls
  – A hardware-based network firewall inspects packets
  – Can either accept or deny packet entry
  – Usually located at the outside edge of the network security perimeter, between the internal network and the Internet
Figure 6-3 Firewall location
Network Security Hardware (cont’d.)
• Firewall actions on a packet
  – Allow (let the packet pass through)
  – Block (drop the packet)
  – Prompt (ask the user what action to take; typical of host-based personal firewalls)
• Rule-based firewall settings
  – A set of individual instructions (rules) that control actions, evaluated in order until one matches
• Settings-based firewall
  – Allows the administrator to create parameters that the firewall applies as a whole
Table 6-3 Rule for Web page transmission
Network Security Hardware (cont’d.)
• Methods of firewall packet filtering
  – Stateless packet filtering
    • Inspects each incoming packet on its own and permits or denies it based on conditions set by the administrator (addresses, ports, protocol)
    • Cannot tell a legitimate reply from an unsolicited packet that merely looks like one
  – Stateful packet filtering
    • Keeps a record of the state of each connection
    • Makes decisions based on both the connection state and the administrator’s conditions, so only replies to connections it has already seen are admitted
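Worked example (added here; not from the textbook, and Table 6-3’s actual rule is not reproduced): a toy firewall that applies the same constructed rule set both ways. The stateless filter needs a permissive "reply" rule to let Web responses back in, and an outsider can abuse that rule simply by sourcing packets from port 80; the stateful filter admits an inbound packet only when it has recorded the outbound connection the packet claims to answer. The internal network, addresses and packets are assumptions.

```python
"""Stateless vs. stateful packet filtering on the same three packets.

Added example, not from the textbook. Rules, addresses and packets are
constructed; Table 6-3's actual rule is not reproduced.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def direction(pkt):
    """'out' for packets from an internal source, otherwise 'in'."""
    return "out" if ipaddress.ip_address(pkt.src) in INTERNAL else "in"


# Stateless rules, first match wins: (direction, source port, dest port, action);
# None matches anything. Rule 2 exists only so that Web replies can get back in.
STATELESS_RULES = [
    ("out", None, 80, "allow"),    # internal host -> any Web server
    ("in", 80, None, "allow"),     # anything sourced from port 80 -> internal
    ("any", None, None, "block"),  # default deny
]


def stateless_filter(pkt):
    d = direction(pkt)
    for rule_dir, sport, dport, action in STATELESS_RULES:
        if rule_dir != "any" and rule_dir != d:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "block"


class StatefulFilter:
    """Allows outbound Web connections and only the replies that belong to them."""

    def __init__(self):
        self.connections = set()   # (int_ip, int_port, ext_ip, ext_port)

    def filter(self, pkt):
        if direction(pkt) == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport == 80 or key in self.connections:
                self.connections.add(key)   # record (or refresh) the connection
                return "allow"
            return "block"
        # inbound: admit only if it reverses a connection we recorded
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "block"


def firewall_demo():
    request = Packet("192.168.1.10", 50123, "203.0.113.5", 80)   # browser -> Web server
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 50123)     # genuine reply
    attack = Packet("198.51.100.7", 80, "192.168.1.20", 445)     # attacker spoofing sport 80
    packets = (request, reply, attack)
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [stateful.filter(p) for p in packets],
    }
```

The third packet is the one to watch: the stateless rules let it through to an internal file-sharing port because its source port happens to be 80, while the stateful filter blocks it because no internal host ever opened a connection to 198.51.100.7.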
Network Security Hardware (cont’d.)
• Web application firewall
  – Looks deeply into the contents of packets that carry HTTP traffic, working at the Application layer (Layer 7), the layer of protocols such as HTTP (Web browsers), FTP, and Telnet, rather than only at addresses and ports
  – Can block specific sites or specific known attacks
  – Can block cross-site scripting (XSS) and SQL injection attacks by matching request contents against attack patterns
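Worked example (added here; not code from the textbook): the two things a Web application firewall does that a packet filter cannot. It URL-decodes each request parameter and matches it against a small illustrative set of XSS and SQL injection patterns, and it scrubs the response, removing server-identifying headers and replacing detailed error pages with a generic one, which is the load-balancer behaviour described earlier. The signatures, requests and headers are constructed and far smaller than a real rule set.

```python
"""Web application firewall: Layer 7 request screening plus response scrubbing.

Added example, not from the textbook. The signatures are a small illustrative
set (a real WAF rule set is far larger); requests and headers are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Each pattern is applied to every decoded parameter value and to the path.
SIGNATURES = {
    "xss": [
        re.compile(r"<\s*script\b", re.I),
        re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),
        re.compile(r"javascript\s*:", re.I),
    ],
    "sqli": [
        re.compile(r"\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),   # OR 1=1, OR 'a'='a'
        re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
        re.compile(r"(^|;|\s)(drop|delete|insert|update)\s+(table|from|into)\b", re.I),
        re.compile(r"(--|#|/\*)\s*$"),                                          # trailing comment
    ],
}

# Headers that tell an attacker which software and version answered.
IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def inspect_request(method, target, body=""):
    """Return ('allow', None) or ('block', attack_kind)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        pairs += parse_qsl(body, keep_blank_values=True)
    # Decode a second time so doubly URL-encoded payloads are seen as well.
    values = [unquote_plus(v) for _, v in pairs] + [unquote_plus(parts.path)]
    for kind, patterns in SIGNATURES.items():
        for value in values:
            if any(p.search(value) for p in patterns):
                return "block", kind
    return "allow", None


def scrub_response(status, headers, body):
    """Strip identifying headers; replace detailed server error pages with a generic one."""
    clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}
    if status >= 500:
        body, clean["Content-Type"] = "An error occurred.", "text/plain"
    return status, clean, body


def waf_demo():
    requests = [  # constructed traffic: (method, target[, body])
        ("GET", "/search?q=network+security"),
        ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
        ("GET", "/items?id=1%20OR%201%3D1--"),
        ("POST", "/login", "user=admin'%20UNION%20SELECT%20password%20FROM%20users--&pass=x"),
        ("GET", "/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"),
        ("GET", "/search?q=cats+and+dogs"),
    ]
    screened = [(r[1],) + inspect_request(*r) for r in requests]
    response = scrub_response(
        500,
        {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
         "Content-Type": "text/html"},
        "<h1>Fatal error</h1>Stack trace: /var/www/app/db.php line 42",
    )
    return {"requests": screened, "response": response}
```

Matching decoded values rather than the raw query string matters: an attacker who encodes `<script>` as `%253Cscript%253E` would otherwise slip past a pattern that only looks at the wire bytes. Pattern lists like this also produce false positives on ordinary text, which is why real WAFs are tuned per application.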
Network Security Hardware (cont’d.)
• Proxies
  – Devices that substitute for primary devices
• Proxy server
  – Computer or application that intercepts and processes user requests on their behalf
  – If a previous request has been fulfilled:
    • A copy of the Web page may reside in the proxy server’s cache
  – If not, the proxy server requests the item from the external Web server using its own IP address
Figure 6-4 Proxy server
Figure 6-5 Configuring access to proxy servers
Network Security Hardware (cont’d.)
• Proxy server advantages
  – Increased speed (requests served from the cache)
  – Reduced costs (the cache reduces the bandwidth required)
  – Improved management
    • Block specific Web pages or sites
  – Stronger security
    • Intercept malware before it reaches the client
    • Hide the client system’s IP address from the open Internet
Network Security Hardware (cont’d.)
• Reverse proxy
  – Does not serve internal clients; it sits in front of the organization’s servers
  – Routes incoming requests to the correct internal server
  – Only the reverse proxy’s IP address is visible to outside users
    • The internal server’s IP address is hidden
Figure 6-6 Reverse proxy
Network Security Hardware (cont’d.)
• Spam filters
  – Enterprise-wide spam filters block spam before it reaches the host
• Email systems use two protocols
  – Simple Mail Transfer Protocol (SMTP)
    • Handles outgoing mail: transfers messages from the sender’s client or server to the recipient’s mail server (TCP port 25)
  – Post Office Protocol (POP, today POP3)
    • Handles incoming mail: lets a client retrieve messages from its mailbox on the server
Network Security Hardware (cont’d.)
• Spam filters installed with the SMTP server
  – Filter configured to listen on port 25, the port other mail servers deliver to
  – Passes non-spam e-mail to the SMTP server, which listens on another port
  – Because the filter refuses spam during the SMTP transaction, the SMTP server never accepts it and so never sends a failed-delivery notice back to the (usually forged) sender address
Figure 6-7 Spam filter with SMTP server
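Worked example (added here; not code from the textbook): the decision logic of a filter that sits on port 25 in front of the real SMTP server. It scores a message with a few constructed rules and then either relays it to the mail server on an alternate port, assumed here to be 127.0.0.1:2525, or refuses it with a 5xx reply inside the SMTP session. Refusing in-session is the point the slide makes: the organization’s server never accepts the message, so no bounce is generated for the forged sender. The scoring rules, threshold and both messages are assumptions.

```python
"""Spam filter placed in front of the SMTP server.

Added example, not from the textbook. The filter is the process that would
listen on TCP port 25; the real mail server is assumed to listen on
127.0.0.1:2525. Scoring rules, threshold and both messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

SMTP_SERVER = ("127.0.0.1", 2525)   # assumed alternate port of the real SMTP server
SPAM_THRESHOLD = 5
SPAM_PHRASES = ("free money", "act now", "winner", "click here", "limited time")


def score_message(envelope_from, raw):
    """Score a raw RFC 5322 message; higher means more spam-like."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    subject = msg.get("Subject", "")
    text = (subject + "\n" + msg.get_payload()).lower()

    if msg.get("Message-ID") is None:
        score += 2
        reasons.append("missing Message-ID header")
    if len(subject) > 5 and subject.isupper():
        score += 2
        reasons.append("subject entirely in capitals")
    hits = [p for p in SPAM_PHRASES if p in text]
    if hits:
        score += len(hits)
        reasons.append("spam phrases: " + ", ".join(hits))
    # Envelope sender (MAIL FROM) domain should match the From: header domain.
    header_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    if header_domain and header_domain != envelope_domain:
        score += 2
        reasons.append(f"From domain {header_domain} differs from envelope {envelope_domain}")
    return score, reasons


def filter_decision(envelope_from, raw):
    """Decide, at the end of the SMTP DATA phase, whether to relay or refuse."""
    score, reasons = score_message(envelope_from, raw)
    if score >= SPAM_THRESHOLD:
        # Refusing inside the SMTP session means the message is never accepted,
        # so no bounce (non-delivery report) is ever sent to the forged sender.
        return {"action": "reject", "reply": "550 5.7.1 Message rejected as spam",
                "score": score, "reasons": reasons}
    return {"action": "relay", "next_hop": SMTP_SERVER, "reply": "250 2.0.0 OK",
            "score": score, "reasons": reasons}


HAM = (   # constructed legitimate message
    "From: Alice <alice@example.org>\n"
    "To: bob@example.com\n"
    "Subject: Q3 network design review\n"
    "Message-ID: <20240101.1@example.org>\n"
    "\n"
    "Hi Bob, attached are the DMZ diagrams for Thursday.\n"
)
SPAM = (  # constructed spam message, sent with envelope sender bulk@mailer.test
    "From: \"Prize Desk\" <prizes@example.org>\n"
    "To: bob@example.com\n"
    "Subject: YOU ARE A WINNER\n"
    "\n"
    "Click here for free money. Act now!\n"
)


def spam_demo():
    return {
        "ham": filter_decision("alice@example.org", HAM),
        "spam": filter_decision("bulk@mailer.test", SPAM),
    }
```

A filter that instead accepted every message and discarded spam afterwards would have to choose between silently dropping mail and sending a bounce to an address the spammer forged; rejecting at DATA avoids both.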
Network Security Hardware (cont’d.)
• Spam filters installed on the POP3 server
  – All spam must first pass through the SMTP server and be delivered to the user’s mailbox before it is filtered
  – Can result in increased costs
    • Storage, transmission, backup, deletion
• Third-party entity contracted to filter spam
  – All e-mail is directed to the third party’s remote spam filter (by pointing the domain’s MX records at it)
  – E-mail is cleansed before being redirected to the organization
Figure 6-8 Spam filter on POP3 server
Network Security Hardware (cont’d.)
• Virtual private network (VPN)
  – Uses an unsecured public network as if it were a secure private one
  – All data transmitted between the remote device and the network is encrypted
• Types of VPNs
  – Remote-access
    • User-to-LAN connection
  – Site-to-site
    • Multiple sites can connect to other sites over the Internet
Network Security Hardware (cont’d.)
• Endpoints
  – The devices that terminate VPN transmissions
  – May be software on the local computer
  – May be a VPN concentrator (hardware device)
  – May be integrated into another networking device, such as a firewall or router
• VPNs can be software-based or hardware-based
  – Hardware-based VPNs generally have better security
  – Software-based VPNs have more flexibility in managing network traffic
Network Security Hardware (cont’d.)
• Internet content filters
  – Monitor Internet traffic
  – Block access to preselected Web sites and files
  – Unapproved sites are identified by URL or by matching keywords in the content
Table 6-4 Internet content filter features
Network Security Hardware (cont’d.)
• Web security gateways
  – Can block malicious content in real time
  – Block content through application-level filtering
• Examples of blocked Web traffic
  – ActiveX objects
  – Adware, spyware
  – Peer-to-peer file sharing
  – Script exploits
Network Security Hardware (cont’d.)
• Passive and active security can be used in a network
  – Active measures provide a higher level of security
• Passive measures
  – Firewall
  – Internet content filter
• Intrusion detection system (IDS)
  – Active security measure
  – Can detect an attack as it occurs
Network Security Hardware (cont’d.)
• Monitoring methodologies
  – Anomaly-based monitoring
    • Compares currently detected behavior with a baseline of normal behavior
  – Signature-based monitoring
    • Looks for well-known attack signature patterns
  – Behavior-based monitoring
    • Detects abnormal actions by processes or programs
    • Alerts the user, who decides whether to allow or block the activity
  – Heuristic monitoring
    • Uses experience-based techniques
Table 6-5 Methodology comparisons to trap a port-scanning application
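Worked example (added here; not code from the textbook, and the contents of Table 6-5 are not reproduced): three of the methodologies applied to the same constructed packet records containing a port scan. The signature detector knows the exact flag combinations of the classic "Xmas" and "NULL" scans; the anomaly detector compares each source’s number of distinct destination ports with a baseline learned from normal traffic; the heuristic detector applies a rule of thumb, a host walking through ports in ascending order. A plain SYN scan has no fixed flag signature, so only the latter two catch it, while a short Xmas scan is caught only by its signature. The baseline traffic and thresholds are assumptions.

```python
"""Signature-, anomaly- and heuristic-based detection applied to a port scan.

Added example, not from the textbook (Table 6-5's contents are not reproduced).
Packet records, the baseline traffic and the thresholds are constructed.
"""
import statistics
from collections import defaultdict


def packet(t, src, dport, flags="S", dst="10.0.0.5"):
    """Packet record: (time, source IP, destination IP, destination port, TCP flags)."""
    return (t, src, dst, dport, frozenset(flags))


# Constructed baseline of normal traffic: ten clients touching one to three ports each.
BASELINE = [packet(10 * n + i, f"10.0.1.{n}", port)
            for n in range(1, 11)
            for i, port in enumerate((80, 443, 8080)[: n % 3 + 1])]

# Signature-based: exact flag combinations of well-known scan types.
SCAN_SIGNATURES = {"xmas scan": frozenset("FPU"), "null scan": frozenset()}


def signature_detect(records):
    return {(src, name) for _, src, _, _, flags in records
            for name, sig in SCAN_SIGNATURES.items() if flags == sig}


def distinct_ports(records):
    seen = defaultdict(set)
    for _, src, _, dport, _ in records:
        seen[src].add(dport)
    return {src: len(ports) for src, ports in seen.items()}


def anomaly_detect(records, baseline):
    """Flag sources whose distinct-port count exceeds mean + 3 sigma of the baseline."""
    counts = list(distinct_ports(baseline).values())
    threshold = statistics.mean(counts) + 3 * statistics.pstdev(counts)
    return {src for src, n in distinct_ports(records).items() if n > threshold}


def heuristic_detect(records, run_length=5):
    """Rule of thumb: a host walking ports in ascending sequence is probably scanning."""
    ports_by_src = defaultdict(list)
    for _, src, _, dport, _ in sorted(records, key=lambda r: (r[0], r[1])):
        ports_by_src[src].append(dport)
    flagged = set()
    for src, ports in ports_by_src.items():
        run = 1
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= run_length:
                flagged.add(src)
                break
    return flagged


def ids_demo():
    syn_scan = [packet(100 + i, "203.0.113.9", 20 + i) for i in range(20)]   # plain SYN scan
    xmas_scan = [packet(200 + i, "198.51.100.4", p, flags="FPU")
                 for i, p in enumerate((1000, 2000, 3000))]                     # Xmas scan
    normal = [packet(300, "10.0.1.50", 80), packet(301, "10.0.1.50", 443)]    # ordinary client
    traffic = syn_scan + xmas_scan + normal
    return {
        "signature": signature_detect(traffic),
        "anomaly": anomaly_detect(traffic, BASELINE),
        "heuristic": heuristic_detect(traffic),
    }
```

The baseline gives a mean of 2 distinct ports with a standard deviation of about 0.77, so the anomaly threshold is roughly 4.3 ports: the 20-port SYN scan is far above it, the 3-port Xmas scan is not. A scanner that randomizes port order (as nmap does by default) would defeat the sequential-ports heuristic but not the anomaly count.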
Network Security Hardware (cont’d.)
• Host intrusion detection system (HIDS)
  – Software-based application that can detect an attack as it occurs
  – Installed on each system needing protection
  – Monitors system calls and file system access
  – Can recognize unauthorized Registry modification
  – Monitors all input and output communications
    • Detects anomalous activity
Network Security Hardware (cont’d.)
• Disadvantages of HIDS
  – Cannot monitor network traffic that does not reach the local system
  – All log data is stored locally, where an attacker who compromises the host can tamper with it
  – Resource-intensive and can slow the system
Network Security Hardware (cont’d.)
• Network intrusion detection system (NIDS)
  – Watches for attacks on the network
  – NIDS sensors installed on firewalls and routers (or fed by a mirror port or network tap):
    • Gather information and report back to a central device
  – A passive NIDS will sound an alarm
  – An active NIDS will sound an alarm and take action
    • Actions may include filtering out the intruder’s IP address or terminating the TCP session (by sending a TCP reset)
Table 6-6 NIDS evaluation techniques
Network Security Hardware (cont’d.)
• Network intrusion prevention system (NIPS)
  – Similar to an active NIDS
  – Monitors network traffic in order to immediately block a malicious attack
  – NIPS sensors are located in line with the traffic (often on the firewall itself), so every packet passes through the sensor and can be dropped before it reaches its target
Network Security Hardware (cont’d.)
• All-in-one network security appliances
  – One integrated device replaces multiple security devices
• Recent trend:
  – Combining multipurpose security appliances with a traditional device such as a router
  – Advantage of the approach
    • Network devices already process all packets
    • A switch that contains anti-malware software can inspect all packets
Security Through Network Technologies
• Internet routers normally drop packets with a private source or destination address
• Network address translation (NAT)
  – Allows devices with private IP addresses to communicate over the public Internet
  – Replaces the private IP address in outgoing packets with a public address (and restores it in the replies)
• Port address translation (PAT)
  – Variation of NAT
    • Outgoing packets from many internal hosts are given the same public IP address but a different source port number (TCP or UDP), which the NAT device uses to match each reply to the right internal host
Table 6-7 Private IP addresses
Figure 6-9 Network address translation (NAT)
© Cengage Learning 2012
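Worked example (added here; not code from the textbook): a PAT gateway with a translation table. Outbound packets from RFC 1918 sources, the ranges Table 6-7 lists, leave with the gateway’s single public address and a fresh source port; replies are mapped back through the same table, and inbound packets that match no entry are dropped, which is where NAT’s incidental "firewall" effect comes from. The gateway’s public address and all hosts are assumptions drawn from documentation address ranges.

```python
"""Private addresses and a PAT (port address translation) gateway.

Added example, not from the textbook. The private ranges are the RFC 1918
blocks Table 6-7 lists; the gateway's public address and all hosts are
constructed from documentation address ranges.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True for the RFC 1918 ranges that Internet routers will not forward."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PatGateway:
    """Many private hosts share one public IP, told apart by the translated source port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source; returns the translated 4-tuple."""
        if not is_private(src_ip):
            raise ValueError("only private sources are translated")
        if is_private(dst_ip):
            return (src_ip, src_port, dst_ip, dst_port)     # stays inside: no translation
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound_map[key] = pub_port
            self.inbound_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a packet arriving at the public address back to the inside host, or drop it."""
        inside = self.inbound_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None    # unsolicited inbound packet: no mapping, so it is dropped
        return (src_ip, src_port, inside[0], inside[1])


def nat_demo():
    gw = PatGateway("198.51.100.1")
    a = gw.outbound("192.168.1.10", 51000, "203.0.113.5", 443)
    b = gw.outbound("192.168.1.11", 51000, "203.0.113.5", 443)   # same inside port, other host
    return {
        "a": a,
        "b": b,
        "reply_to_a": gw.inbound("203.0.113.5", 443, a[1]),
        "unsolicited": gw.inbound("203.0.113.5", 443, 40999),
        "private": {x: is_private(x)
                    for x in ("10.1.2.3", "172.16.5.5", "172.32.0.1", "192.168.0.9", "8.8.8.8")},
    }
```

Note that the check is written against the three RFC 1918 blocks explicitly rather than with `ipaddress.ip_address(...).is_private`, because Python also reports the documentation ranges (such as 203.0.113.0/24) as private, which would wrongly exempt the example’s "Internet" hosts from translation.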
Security Through Network Technologies (cont’d.)
• Advantages of NAT
  – Masks the IP addresses of internal devices from the outside
  – Allows multiple devices to share a smaller number of public IP addresses
• Network access control (NAC)
  – Examines the current state of a system or network device (for example, patch level and antivirus status):
    • Before allowing a network connection
  – The device must meet a set of criteria
    • If the criteria are not met, NAC allows a connection only to a quarantine network until the deficiencies are corrected
Figure 6-10 Network access control framework
Security Through Network Design Elements
• Elements of a secure network design
  – Demilitarized zones
  – Subnetting
  – Virtual LANs
  – Remote access
Demilitarized Zone (DMZ)
• Separate network located outside the secure network perimeter, holding the servers that must be reachable from the Internet (such as Web and mail servers)
• Untrusted outside users can access the DMZ but not the secure internal network
Figure 6-11 DMZ with one firewall
Figure 6-12 DMZ with two firewalls
Subnetting
• An IPv4 address may be split anywhere within its 32 bits
• The address can be divided into three parts
  – Network
  – Subnet
  – Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts
Subnetting (cont’d.)
• Improves network security by isolating groups of hosts: traffic between subnets must pass through a router, where it can be filtered
• Allows administrators to hide the internal network layout
Table 6-8 Advantages of subnetting
Figure 6-13 Subnets
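Worked example (added here; not code from the textbook, and the contents of Table 6-8 are not reproduced): carving one internal block into equal subnets with Python’s `ipaddress` module, giving each group of hosts its own subnet, splitting a single address into its network, subnet and host fields, and checking whether two hosts share a subnet, which decides whether their traffic has to cross a router where an access list can be applied. The address plan and group names are assumptions.

```python
"""Carving an internal block into subnets and isolating host groups.

Added example, not from the textbook (Table 6-8's contents are not reproduced).
The address plan and group names are constructed.
"""
import ipaddress


def carve(block, new_prefix):
    """All subnets of `block` at the given prefix length."""
    return list(ipaddress.ip_network(block).subnets(new_prefix=new_prefix))


def assign(block, new_prefix, groups):
    """Give each named group of hosts its own subnet."""
    subnets = carve(block, new_prefix)
    if len(groups) > len(subnets):
        raise ValueError("not enough subnets for the groups")
    return {group: str(subnet) for group, subnet in zip(groups, subnets)}


def describe(addr_with_prefix, parent_prefix):
    """Split an address into its network, subnet and host fields."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    net = iface.network
    host_bits = net.max_prefixlen - net.prefixlen      # bits after the subnet mask
    subnet_bits = net.prefixlen - parent_prefix        # bits borrowed from the host part
    return {
        "address": str(iface.ip),
        "subnet": str(net),
        "subnet_bits": subnet_bits,
        "host_bits": host_bits,
        "subnet_id": (int(iface.ip) >> host_bits) & ((1 << subnet_bits) - 1),
        "host_id": int(iface.ip) & ((1 << host_bits) - 1),
        "usable_hosts": net.num_addresses - 2,         # minus network and broadcast addresses
    }


def same_subnet(a, b, prefix):
    """True if a and b share a subnet; if not, their traffic must cross a router."""
    net = lambda x: ipaddress.ip_network(f"{x}/{prefix}", strict=False)
    return net(a) == net(b)


def subnet_demo():
    plan = assign("10.20.0.0/16", 24, ["servers", "finance", "engineering", "guests"])
    return {
        "plan": plan,
        "subnet_count": len(carve("10.20.0.0/16", 24)),
        "host": describe("10.20.2.17/24", parent_prefix=16),
        "finance_vs_engineering_isolated": not same_subnet("10.20.1.5", "10.20.2.17", 24),
    }
```

For 10.20.2.17 inside 10.20.0.0/16 split at /24, the 16 network bits are 10.20, the 8 subnet bits give subnet 2 and the 8 host bits give host 17; a finance host in 10.20.1.0/24 and an engineering host in 10.20.2.0/24 can only reach each other through the router between the subnets.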
Virtual LANs (VLAN)
• Allow scattered users to be logically grouped together:
  – Even if attached to different switches
• Can isolate sensitive data to VLAN members
• Communication on a VLAN
  – If the hosts are connected to the same switch, the switch handles the frame transfer
  – A special “tagging” protocol (IEEE 802.1Q) is used for communicating between switches: each frame crossing the inter-switch link carries a tag identifying its VLAN
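Worked example (added here; not code from the textbook, which only says a "tagging" protocol is used): building and parsing the 4-byte IEEE 802.1Q tag a switch inserts into a frame before sending it over the trunk link to another switch, so the receiving switch knows which VLAN the frame belongs to. It also shows the two port rules involved: a frame arriving on an access port is placed in that port’s VLAN, and a frame arriving on the trunk is accepted only if its tag is on the trunk’s allowed list. The frame contents are constructed, and dropping already-tagged frames on an access port is an assumed hardening setting.

```python
"""IEEE 802.1Q VLAN tagging on the link between two switches.

Added example, not from the textbook (the slide only says a "tagging" protocol
is used). The frame contents are constructed, and the access-port policy of
dropping already-tagged frames is an assumed hardening setting.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; with vlan set, a 4-byte 802.1Q tag (TPID + TCI) is inserted."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan            # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, offset = None, None, 14
    if ethertype == ETHERTYPE_8021Q:         # tagged: the real EtherType follows the tag
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": fmt(dst), "src": fmt(src), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def access_port_ingress(frame, port_vlan):
    """Frame from a host on an access port: tag it with the port's VLAN for the trunk."""
    p = parse_frame(frame)
    if p["vlan"] is not None:
        return None       # assumed policy: hosts may not pick their own VLAN
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vlan=port_vlan)


def trunk_port_ingress(frame, allowed_vlans):
    """Frame arriving from the other switch: accept only tags on the allowed list."""
    p = parse_frame(frame)
    return p if p["vlan"] in allowed_vlans else None


def vlan_demo():
    payload = b"\x45" + b"\x00" * 19                     # constructed stand-in for an IPv4 header
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, payload)
    tagged = access_port_ingress(untagged, port_vlan=20)
    parsed = parse_frame(tagged)
    return {
        "len_untagged": len(untagged), "len_tagged": len(tagged),
        "vlan": parsed["vlan"], "ethertype": parsed["ethertype"],
        "payload_intact": parsed["payload"] == payload,
        "accepted_on_trunk": trunk_port_ingress(tagged, {10, 20}) is not None,
        "rejected_on_trunk": trunk_port_ingress(tagged, {10, 30}) is None,
        "tagged_on_access_dropped": access_port_ingress(tagged, port_vlan=20) is None,
    }
```

The tag adds exactly four bytes between the source MAC and the EtherType, which is why the tagged frame is 38 bytes where the untagged one was 34. The access-port rule is what keeps VLAN membership under the switch’s control: if a host could send pre-tagged frames that the switch honoured, it could place itself in any VLAN it liked.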
Remote Access
• Working away from the office is commonplace today
  – Telecommuters
  – Traveling sales representatives
  – Traveling workers
• Strong security for remote workers must be maintained
  – Transmissions are routed through networks not managed by the organization
• Provides the same functionality as local users
  – Through a VPN or dial-up connection
Summary
• Standard network devices provide a degree of security
  – Hubs, switches, routers, load balancers
• Hardware devices specifically designed for security give a higher level of protection
  – Hardware-based firewall, Web application firewall
• A proxy server intercepts and processes user requests
• A virtual private network uses an unsecured public network and encryption to provide security
Summary (cont’d.)
• An intrusion detection system is designed to detect an attack as it occurs
• Network technologies can help secure a network
  – Network address translation
  – Network access control
• Methods for designing a secure network
  – Demilitarized zones
  – Virtual LANs