Security+ Guide to Network Security Fundamentals, Fourth Edition

sweetlipscaste Security

2 Nov 2013 (3 years and 10 months ago)

58 views

Security+ Guide to Network Security Fundamentals, Fourth Edition

Chapter 6

Network Security

Objectives


List the different types of network security devices
and explain how they can be used


Define network address translation and network
access control


Explain how to enhance security through network
design

Security+ Guide to Network Security
Fundamentals, Fourth Edition

2

Security Through Network Devices


Not all applications designed, written with security
in mind


Network must provide protection


Networks with weak security invite attackers


Aspects of building a secure network


Network devices


Network technologies


Design of the network itself


Standard Network Devices


Security features found in network hardware


Provide basic level of security


Open systems interconnection (OSI) model


Network devices classified based on function


Standards released in 1978, revised in 1983, still
used today


Illustrates:


How network device prepares data for delivery


How data is handled once received



Standard Network Devices (cont’d.)


OSI model breaks networking steps into seven
layers


Each layer has different networking tasks


Each layer cooperates with adjacent layers




Table 6-1 OSI reference model

Standard Network Devices (cont’d.)


Hubs


Connect multiple Ethernet devices together:


To function as a single network segment


Use twisted-pair copper or fiber-optic cables


Work at Layer 1 of the OSI model


Do not read data passing through them


Ignorant of data source and destination


Rarely used today because of inherent security
vulnerability


Standard Network Devices (cont’d.)


Switches


Network switch connects network segments


Operate at Data Link Layer (Layer 2)


Determine which device is connected to each port


Can forward frames sent to that specific device


Or broadcast to all devices


Use MAC address to identify devices


Provide better security than hubs


Standard Network Devices (cont’d.)


Network administrator should be able to monitor
network traffic


Helps identify and troubleshoot network problems


Traffic monitoring methods


Port mirroring


Network tap (test access point)


Separate device installed between two network
devices




Figure 6-1 Port mirroring

© Cengage Learning 2012


Figure 6-2 Network tap

© Cengage Learning 2012


Table 6-2 Protecting the switch

Standard Network Devices (cont’d.)


Routers


Forward packets across computer networks


Operate at Network Layer (Layer 3)


Can be set to filter out specific types of network
traffic


Load balancers


Help evenly distribute work across a network


Allocate requests among multiple devices


Standard Network Devices (cont’d.)


Advantages of load-balancing technology


Reduces probability of overloading a single server


Optimizes bandwidth of network computers


Reduces network downtime


Load balancing is achieved through software or
hardware device (load balancer)


Standard Network Devices (cont’d.)


Security advantages of load balancing


Can stop attacks directed at a server or application


Can detect and prevent denial-of-service attacks


Some can deny attackers information about the
network


Hide HTTP error pages


Remove server identification headers from HTTP
responses



Network Security Hardware


Specifically designed security hardware devices


Greater protection than standard networking devices


Firewalls


Hardware-based network firewall inspects packets


Can either accept or deny packet entry


Usually located outside network security perimeter



Figure 6-3 Firewall location

© Cengage Learning 2012

Network Security Hardware (cont’d.)


Firewall actions on a packet


Allow (let packet pass through)


Block (drop packet)


Prompt (ask what action to take)


Rule-based firewall settings


Set of individual instructions to control actions


Settings-based firewall


Allows administrator to create parameters



Table 6-3 Rule for Web page transmission

Network Security Hardware (cont’d.)


Methods of firewall packet filtering


Stateless packet filtering


Inspects incoming packet and permits or denies based
on conditions set by administrator


Stateful packet filtering


Keeps record of state of connection


Makes decisions based on connection and conditions
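
The difference between the two filtering methods is easiest to see on actual packets. The following is an added example, not code from the textbook or from any firewall product: a rule-based filter in the spirit of Table 6-3, run once statelessly and once with a connection table. The rule shapes, addresses and ports are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the textbook): a rule-based firewall in the style of
# Table 6-3, evaluated first statelessly and then statefully. All addresses,
# ports and rules are constructed for the illustration.


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN toward Internet, "in" = Internet toward LAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_port: Optional[int]   # None matches any port
    dst_port: Optional[int]
    action: str               # "allow" or "block"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port))


def stateless_filter(pkt: Packet, rules) -> str:
    """First matching rule wins; anything unmatched is blocked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# A stateless rule set that lets LAN users browse the Web. To let the Web
# server's replies back in, the administrator must open inbound traffic whose
# *source* port is 80: the filter cannot tell a genuine reply from anything else.
STATELESS_WEB_RULES = [
    Rule("out", "tcp", None, 80, "allow"),
    Rule("in", "tcp", 80, None, "allow"),
]

# A stateful filter only needs the outbound rule; replies are matched to
# connections it has recorded.
STATEFUL_WEB_RULES = [
    Rule("out", "tcp", None, 80, "allow"),
]


class StatefulFilter:
    """Keeps a record of connections the LAN opened and admits their replies."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port, proto)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if key in self.connections:
                return "allow"          # reply to a connection we saw go out
        action = stateless_filter(pkt, self.rules)
        if action == "allow" and pkt.direction == "out":
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return action


# Constructed traffic: a browser request, the server's reply, and an
# unrelated inbound packet whose source port happens to be 80.
REQUEST = Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 80)
REPLY = Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.5", 51000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.7", 80, "10.0.0.5", 51000)


def compare_filters():
    """Return each filter's verdict on the three constructed packets."""
    stateful = StatefulFilter(STATEFUL_WEB_RULES)
    return {
        "stateless": [stateless_filter(p, STATELESS_WEB_RULES)
                      for p in (REQUEST, REPLY, UNSOLICITED)],
        "stateful": [stateful.decide(p) for p in (REQUEST, REPLY, UNSOLICITED)],
    }


if __name__ == "__main__":
    print(compare_filters())
```

The stateless filter admits all three packets, including the unsolicited one, because the only way it can pass Web replies is to trust any inbound packet with source port 80. The stateful filter admits the reply because it recorded the outbound request, and blocks the unsolicited packet because no recorded connection matches it.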



Network Security Hardware (cont’d.)


Web application firewall


Looks deeply into packets that carry HTTP traffic


Web browsers


FTP


Telnet


Can block specific sites or specific known attacks


Can block XSS and SQL injection attacks



Network Security Hardware (cont’d.)


Proxies


Devices that substitute for primary devices


Proxy server


Computer or application that intercepts and
processes user requests


If a previous request has been fulfilled:


Copy of the Web page may reside in proxy server’s
cache


If not, proxy server requests item from external Web
server using its own IP address



Figure 6-4 Proxy server

© Cengage Learning 2012


Figure 6-5 Configuring access to proxy servers

© Cengage Learning 2012

Network Security Hardware (cont’d.)


Proxy server advantages


Increased speed (requests served from the cache)


Reduced costs (cache reduces bandwidth required)


Improved management


Block specific Web pages or sites


Stronger security


Intercept malware


Hide client system’s IP address from the open Internet


Network Security Hardware (cont’d.)


Reverse proxy


Does not serve clients


Routes incoming requests to correct server


Reverse proxy’s IP address is visible to outside
users


Internal server’s IP address hidden
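
The following added example (not code from the textbook or from any proxy product) models both proxy roles described above, the caching forward proxy and the reverse proxy, along with the header and error-page hiding attributed to load balancers earlier in the chapter. The "external Web" and the internal servers are constructed dictionaries, and all IP addresses are made up.

```python
from itertools import cycle

# Added example (not the textbook's or any vendor's code) of the two proxy
# roles: a caching forward proxy that hides the client, and a reverse proxy
# that hides the internal servers. External and internal servers are
# constructed stand-ins; addresses are made up.

# Constructed stand-in for external Web servers: URL -> (status, headers, body)
EXTERNAL_WEB = {
    "http://example.test/index.html": (200, {"Content-Type": "text/html"}, "<html>home</html>"),
}


class ForwardProxy:
    """Intercepts client requests, serves repeats from its cache, and fetches
    the rest from the external server using its own IP address."""

    def __init__(self, own_ip, web=EXTERNAL_WEB):
        self.own_ip = own_ip
        self.web = web
        self.cache = {}
        self.seen_by_external = []   # (url, source IP the external server sees)

    def get(self, client_ip, url):
        if url in self.cache:
            return "cache", self.cache[url]
        response = self.web.get(url, (404, {}, "not found"))
        self.seen_by_external.append((url, self.own_ip))   # never client_ip
        if response[0] == 200:
            self.cache[url] = response                      # only cache successes
        return "origin", response


# Constructed internal servers behind the reverse proxy: private IP -> handler
def _app_server(path):
    if path == "/":
        return 200, {"Server": "Apache/2.4", "X-Powered-By": "PHP/5.6"}, "<html>app</html>"
    return 404, {"Server": "Apache/2.4"}, "<html>Apache/2.4 at 192.168.10.21 Port 80</html>"


BACKENDS = {"192.168.10.21": _app_server, "192.168.10.22": _app_server}


class ReverseProxy:
    """Answers on one public IP, hands requests to internal servers in turn,
    and strips server-identifying headers and error pages from the replies."""

    HIDDEN_HEADERS = {"server", "x-powered-by"}

    def __init__(self, public_ip, backends=BACKENDS):
        self.public_ip = public_ip
        self.backends = backends
        self._next = cycle(backends)
        self.routed_to = []

    def handle(self, path):
        backend_ip = next(self._next)          # simple round-robin load balancing
        self.routed_to.append(backend_ip)
        status, headers, body = self.backends[backend_ip](path)
        clean = {k: v for k, v in headers.items() if k.lower() not in self.HIDDEN_HEADERS}
        if status >= 400:
            body = f"<html>Error {status}</html>"   # generic page, no server details
        return status, clean, body
```

The forward proxy's `seen_by_external` list shows that the external server only ever sees the proxy's address; the reverse proxy's `routed_to` list shows which private server answered, information the outside client never receives because the scrubbed reply carries neither the `Server` header nor the server's own 404 page.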



Figure 6-6 Reverse proxy

© Cengage Learning 2012

Network Security Hardware (cont’d.)


Spam filters


Enterprise-wide spam filters block spam before it reaches the host


Email systems use two protocols


Simple Mail Transfer Protocol (SMTP)


Handles outgoing mail


Post Office Protocol (POP)


Handles incoming mail


Network Security Hardware (cont’d.)


Spam filters installed with the SMTP server


Filter configured to listen on port 25


Pass non-spam e-mail to SMTP server listening on another port


Method prevents SMTP server from notifying
spammer of failed message delivery
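
As an added illustration of the arrangement just described (not code from the textbook or from any mail product), the following filter answers on port 25, relays only mail it judges clean to the real SMTP server on a second port, and discards the rest without generating a bounce. The spam indicators, the internal port number 2525 and the sample messages are all constructed assumptions.

```python
import re

# Added example, not from the textbook: a spam filter that answers on port 25
# and relays only clean mail to the SMTP server, which has been moved to
# another port. Port numbers, patterns and messages are constructed.

FILTER_PORT = 25          # the port the filter listens on (as in the slide)
SMTP_SERVER_PORT = 2525   # assumed port for the real SMTP server behind it

SPAM_PATTERNS = {
    "free_money": re.compile(r"\bfree money\b", re.I),
    "urgency": re.compile(r"\bact now\b", re.I),
    "wire": re.compile(r"\bwire transfer\b", re.I),
    "bait_link": re.compile(r"\bclick here\b", re.I),
}


def spam_score(message):
    """Return the names of the spam indicators present in subject and body."""
    text = message["subject"] + "\n" + message["body"]
    hits = [name for name, pat in SPAM_PATTERNS.items() if pat.search(text)]
    if message["subject"].isupper():
        hits.append("shouting_subject")
    return hits


class InlineSpamFilter:
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.relayed = []   # messages handed to the SMTP server
        self.dropped = []   # (sender, indicators) for messages discarded

    def receive(self, message):
        """Return (SMTP reply sent to the sender, relay port or None)."""
        hits = spam_score(message)
        if len(hits) >= self.threshold:
            self.dropped.append((message["from"], hits))
            # Silently discarded: the sender gets the same "250 OK" as real
            # mail, so no delivery-failure notice reveals the filter's verdict.
            return "250 OK", None
        self.relayed.append(message)
        return "250 OK", SMTP_SERVER_PORT


SAMPLE_MAIL = [  # constructed messages
    {"from": "alice@partner.test", "subject": "Q3 report",
     "body": "Draft attached, comments by Friday."},
    {"from": "promo@bulk.test", "subject": "FREE MONEY",
     "body": "Act now! Click here for your wire transfer."},
]


def run_filter(messages=SAMPLE_MAIL, threshold=2):
    """Feed the sample messages through a fresh filter; return verdicts and the filter."""
    f = InlineSpamFilter(threshold)
    return [f.receive(m) for m in messages], f
```

Both messages receive the same `250 OK`, which is the point of the slide: the spammer learns nothing from the SMTP server about whether delivery failed. The cost of this design is that a legitimate message scoring above the threshold disappears just as quietly, so the `dropped` list should be reviewable by the administrator.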



Figure 6-7 Spam filter with SMTP server

© Cengage Learning 2012

Network Security Hardware (cont’d.)


Spam filters installed on the POP3 server


All spam must first pass through SMTP server and
be delivered to user’s mailbox


Can result in increased costs


Storage, transmission, backup, deletion


Third-party entity contracted to filter spam


All email directed to third-party’s remote spam filter


E-mail cleansed before being redirected to organization



Figure 6-8 Spam filter on POP3 server

© Cengage Learning 2012

Network Security Hardware (cont’d.)


Virtual private network (VPN)


Uses unsecured network as if it were secure


All data transmitted between remote device and
network is encrypted


Types of VPNs


Remote-access


User to LAN connection


Site-to-site


Multiple sites can connect to other sites over the
Internet


Network Security Hardware (cont’d.)


Endpoints


Used in communicating VPN transmissions


May be software on local computer


May be VPN concentrator (hardware device)


May be integrated into another networking device


VPNs can be software-based or hardware-based


Hardware-based generally have better security


Software-based have more flexibility in managing network traffic


Network Security Hardware (cont’d.)


Internet content filters


Monitor Internet traffic


Block access to preselected Web sites and files


Unapproved sites identified by URL or matching
keywords



Table 6-4 Internet content filter features

Network Security Hardware (cont’d.)


Web security gateways


Can block malicious content in real time


Block content through application level filtering


Examples of blocked Web traffic


ActiveX objects


Adware, spyware


Peer to peer file sharing


Script exploits


Network Security Hardware (cont’d.)


Passive and active security can be used in a
network


Active measures provide higher level of security


Passive measures


Firewall


Internet content filter


Intrusion detection system (IDS)


Active security measure


Can detect attack as it occurs


Network Security Hardware (cont’d.)


Monitoring methodologies


Anomaly-based monitoring


Compares current detected behavior with baseline


Signature-based monitoring


Looks for well-known attack signature patterns


Behavior-based monitoring


Detects abnormal actions by processes or programs


Alerts user who decides whether to allow or block
activity


Heuristic monitoring


Uses experience-based techniques



Table 6-5 Methodology comparisons to trap port-scanning application

Network Security Hardware (cont’d.)


Host intrusion detection system (HIDS)


Software-based application that can detect attack as it occurs


Installed on each system needing protection


Monitors system calls and file system access


Can recognize unauthorized Registry modification


Monitors all input and output communications


Detects anomalous activity


Network Security Hardware (cont’d.)


Disadvantages of HIDS


Cannot monitor network traffic that does not reach
local system


All log data is stored locally


Resource-intensive and can slow system


Network Security Hardware (cont’d.)


Network intrusion detection system (NIDS)


Watches for attacks on the network


NIDS sensors installed on firewalls and routers:


Gather information and report back to central device


Passive NIDS will sound an alarm


Active NIDS will sound alarm and take action


Actions may include filtering out intruder’s IP address
or terminating TCP session
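
The following added example (not code from the textbook or any IDS product) ties together the monitoring methodologies slide, the HIDS slide and the passive/active NIDS distinction above. It runs signature-based and anomaly-based checks over constructed sensor records, applies one behavior-based HIDS rule to constructed process events, and shows how the same alarm is handled by a passive sensor (log only) and an active one (log and add the source to a block list). The signatures, baselines, addresses and events are all made up; the Registry key is used only as a constructed example of a sensitive autorun location.

```python
import re
import statistics
from urllib.parse import unquote

# Added example (not from the textbook): the monitoring methodologies applied
# to constructed sensor data, feeding a NIDS that runs passively (alert only)
# or actively (alert and block). All signatures, baselines, addresses and
# records are made up for the illustration.

# Signature-based: well-known attack patterns in HTTP request lines
SIGNATURES = {
    "xss_script_tag": re.compile(r"<script\b", re.I),
    "sql_tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
}

# Anomaly-based: per-source connections per minute observed while learning
BASELINE = {
    "10.0.0.5": [3, 4, 2, 5, 3, 4],
    "10.0.0.8": [1, 2, 1, 1, 2, 1],
}

# Behavior-based (HIDS): which programs may legitimately touch an autorun key
AUTORUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
ALLOWED_AUTORUN_WRITERS = {"setup.exe"}


def signature_hits(request_line):
    decoded = unquote(request_line)          # look past URL encoding
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]


def is_anomalous(src_ip, connections_this_minute, k=3.0):
    """Flag a source whose rate exceeds mean + k standard deviations of its baseline."""
    samples = BASELINE.get(src_ip)
    if not samples or len(samples) < 2:
        return False                          # no baseline yet: cannot judge
    mean, stdev = statistics.mean(samples), statistics.stdev(samples)
    return connections_this_minute > mean + k * stdev


def abnormal_host_action(process, action, target):
    """HIDS rule: a program that is not an installer writing an autorun key."""
    return (action == "registry_write" and target == AUTORUN_KEY
            and process not in ALLOWED_AUTORUN_WRITERS)


class NIDS:
    def __init__(self, mode="passive"):
        assert mode in ("passive", "active")
        self.mode = mode
        self.alerts = []
        self.blocked_ips = set()

    def _alarm(self, src_ip, reason):
        self.alerts.append((src_ip, reason))
        if self.mode == "active":
            self.blocked_ips.add(src_ip)      # e.g. push a drop rule to the firewall

    def inspect(self, requests, rates):
        for src_ip, line in requests:
            for name in signature_hits(line):
                self._alarm(src_ip, "signature:" + name)
        for src_ip, count in rates.items():
            if is_anomalous(src_ip, count):
                self._alarm(src_ip, "anomaly:connection_rate")
        return self.alerts


# Constructed sensor data for one minute
REQUESTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.8", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
    ("10.0.0.8", "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1"),
]
RATES = {"10.0.0.5": 40, "10.0.0.8": 2}

HOST_EVENTS = [  # (process, action, target) as reported by a HIDS agent
    ("setup.exe", "registry_write", AUTORUN_KEY),
    ("winword.exe", "registry_write", AUTORUN_KEY),
]


def run(mode="passive"):
    """Return (network alerts, blocked IPs, abnormal host events) for one minute."""
    nids = NIDS(mode)
    nids.inspect(REQUESTS, RATES)
    host_alerts = [e for e in HOST_EVENTS if abnormal_host_action(*e)]
    return nids.alerts, nids.blocked_ips, host_alerts
```

Note which method catches what: the signatures fire on 10.0.0.8 although its connection rate is normal, while 10.0.0.5 sends nothing that matches a signature but is flagged purely because its rate is far above its own baseline. A source with no baseline at all is never flagged by the anomaly check, which is the learning-period gap an anomaly-based sensor has and a signature-based one does not.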



Table 6-6 NIDS evaluation techniques

Network Security Hardware (cont’d.)


Network intrusion prevention system (NIPS)


Similar to active NIDS


Monitors network traffic to immediately block a
malicious attack


NIPS sensors located in line on firewall itself


Network Security Hardware (cont’d.)


All-in-one network security appliances


One integrated device replaces multiple security
devices


Recent trend:


Combining multipurpose security appliances with
traditional device such as a router


Advantage of approach


Network devices already process all packets


Switch that contains anti-malware software can inspect all packets


Security Through Network
Technologies


Internet routers normally drop packets with a private address


Network address translation (NAT)


Allows private IP addresses to be used on the public
Internet


Replaces private IP address with public address


Port address translation (PAT)


Variation of NAT


Outgoing packets given same IP address but different
TCP port number
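
The following added example (not code from the textbook or any router) shows the NAT and PAT behaviour just described: an Internet router that has no route for private addresses, and a gateway that rewrites each private source to one public address with a separate port per flow, then maps replies back. The private ranges are the three RFC 1918 blocks that Table 6-7 lists; the public address 198.51.100.1, the port range starting at 40000 and the sample hosts are constructed.

```python
import ipaddress
from itertools import count

# Added example (not from the textbook): an Internet router that drops
# packets addressed to private space, and a NAT/PAT gateway that rewrites
# private sources to one public address with a distinct port per flow.
# The public address, port range and hosts are constructed.

# The three RFC 1918 private ranges (the contents of Table 6-7)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def internet_router_forwards(dst_ip):
    """Core routers have no route for private space; such packets are dropped."""
    return not is_private_address(dst_ip)


class PatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._port_pool = count(first_port)
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a LAN packet; return the new (ip, port)."""
        if not is_private_address(src_ip):
            return src_ip, src_port                 # nothing to translate
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                 # new flow: allocate a public port
            public_port = next(self._port_pool)
            self.out_map[key] = public_port
            self.in_map[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key]

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the private host, or None when no flow matches.
        Unsolicited inbound packets therefore have nowhere to go, which is the
        masking effect the slide describes."""
        if dst_ip != self.public_ip:
            return None
        return self.in_map.get((dst_port, src_ip, src_port))


def demo():
    """Two private hosts using the same local port reach the same Web server."""
    gw = PatGateway("198.51.100.1")
    a = gw.translate_outbound("192.168.1.10", 50000, "203.0.113.10", 80)
    b = gw.translate_outbound("192.168.1.11", 50000, "203.0.113.10", 80)
    reply_b = gw.translate_inbound("203.0.113.10", 80, "198.51.100.1", b[1])
    unsolicited = gw.translate_inbound("203.0.113.10", 80, "198.51.100.1", 40999)
    return a, b, reply_b, unsolicited
```

Both hosts chose local port 50000, so plain address translation alone could not tell their replies apart; the distinct public ports 40000 and 40001 are what PAT adds. The private ranges are spelled out rather than taken from `ipaddress.ip_address(...).is_private`, because that property also reports the documentation ranges used here as "private".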



Table 6-7 Private IP addresses

Figure 6-9 Network address translation (NAT)

© Cengage Learning 2012

Security Through Network
Technologies (cont’d.)


Advantages of NAT


Masks IP addresses of internal devices


Allows multiple devices to share smaller number of
public IP addresses


Network access control


Examines current state of system or network device:


Before allowing network connection


Device must meet set of criteria


If not met, NAC allows connection to quarantine
network until deficiencies corrected
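
As an added example of the NAC decision described above (not code from the textbook or any NAC product), the following gateway evaluates a device's reported posture against a list of criteria and assigns it to either the production network or a quarantine network, then re-evaluates after remediation. The criteria, VLAN numbers and posture reports are constructed.

```python
# Added example (not from the textbook): a NAC gateway that checks a device's
# reported posture against a set of criteria and places the device on the
# production network or a quarantine network. Criteria, VLAN numbers and
# posture reports are constructed.

# Each criterion: (name, predicate over the posture report)
CRITERIA = [
    ("os_patches_current", lambda p: p["missing_critical_patches"] == 0),
    ("antivirus_running", lambda p: p["antivirus_running"]),
    ("av_signatures_fresh", lambda p: p["av_signature_age_days"] <= 7),
    ("host_firewall_enabled", lambda p: p["host_firewall_enabled"]),
]

PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 99   # reaches only the patch and antivirus update servers


def deficiencies(posture):
    """Names of the criteria the device fails, in policy order."""
    return [name for name, check in CRITERIA if not check(posture)]


class NacGateway:
    def __init__(self):
        self.assignments = {}   # device_id -> (vlan, deficiencies)

    def connect(self, device_id, posture):
        missing = deficiencies(posture)
        vlan = PRODUCTION_VLAN if not missing else QUARANTINE_VLAN
        self.assignments[device_id] = (vlan, missing)
        return vlan, missing

    def recheck(self, device_id, posture):
        """Called again once the device reports that it has remediated."""
        return self.connect(device_id, posture)


# Constructed posture reports
HEALTHY = {"missing_critical_patches": 0, "antivirus_running": True,
           "av_signature_age_days": 1, "host_firewall_enabled": True}
STALE = {"missing_critical_patches": 2, "antivirus_running": True,
         "av_signature_age_days": 30, "host_firewall_enabled": False}


def demo():
    nac = NacGateway()
    first = nac.connect("laptop-1", HEALTHY)
    second = nac.connect("laptop-2", STALE)
    fixed = dict(STALE, missing_critical_patches=0,
                 av_signature_age_days=0, host_firewall_enabled=True)
    third = nac.recheck("laptop-2", fixed)
    return first, second, third
```

The returned deficiency list is what the quarantine network needs to show the user; a device stays on VLAN 99 until a recheck returns an empty list.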



Figure 6-10 Network access control framework

© Cengage Learning 2012

Security Through Network Design
Elements


Elements of a secure network design


Demilitarized zones


Subnetting


Virtual LANs


Remote access


Demilitarized Zone (DMZ)


Separate network located outside secure network
perimeter


Untrusted outside users can access DMZ but not
secure network



Figure 6-11 DMZ with one firewall

© Cengage Learning 2012


Figure 6-12 DMZ with two firewalls

© Cengage Learning 2012

Subnetting


IP address may be split anywhere within its 32 bits


Network can be divided into three parts


Network


Subnet


Host


Each network can contain several subnets


Each subnet can contain multiple hosts


Subnetting (cont’d.)


Improves network security by isolating groups of
hosts


Allows administrators to hide internal network
layout
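
The following added example (not code from the textbook) carves a constructed organization block into subnets with Python's standard `ipaddress` module and shows the network, subnet and host bits of one address, as the two subnetting slides describe. The /16 block, the /24 subnet size and the sample hosts are assumptions for the illustration.

```python
import ipaddress

# Added example (not from the textbook): carving an organization's address
# block into subnets and showing the network / subnet / host split of one
# address. The address block and hosts are constructed.

ORG_NETWORK = ipaddress.ip_network("172.16.0.0/16")   # the "network" part is 16 bits
SUBNET_PREFIX = 24                                     # 8 subnet bits, 8 host bits


def carve_subnets(network=ORG_NETWORK, new_prefix=SUBNET_PREFIX):
    return list(network.subnets(new_prefix=new_prefix))


def address_parts(ip, network=ORG_NETWORK, subnet_prefix=SUBNET_PREFIX):
    """Return the network, subnet and host bit strings of a 32-bit address."""
    bits = format(int(ipaddress.ip_address(ip)), "032b")
    n = network.prefixlen
    return bits[:n], bits[n:subnet_prefix], bits[subnet_prefix:]


def subnet_of(ip, subnets):
    addr = ipaddress.ip_address(ip)
    return next(s for s in subnets if addr in s)


def same_subnet(ip_a, ip_b, subnets):
    """Hosts in different subnets reach each other only through a router,
    which is where an administrator can filter traffic between the groups."""
    return subnet_of(ip_a, subnets) == subnet_of(ip_b, subnets)


def demo():
    subnets = carve_subnets()
    return {
        "subnet_count": len(subnets),
        "hosts_per_subnet": subnets[0].num_addresses - 2,   # minus network and broadcast
        "parts": address_parts("172.16.5.23"),
        "subnet": str(subnet_of("172.16.5.23", subnets)),
        "same": same_subnet("172.16.5.23", "172.16.5.200", subnets),
        "different": same_subnet("172.16.5.23", "172.16.9.7", subnets),
    }
```

Moving the split point changes the trade-off: a /26 subnet prefix would yield four times as many, smaller groups to isolate, at the cost of only 62 usable hosts in each.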



Table 6-8 Advantages of subnetting


Figure 6-13 Subnets

© Cengage Learning 2012

Virtual LANs (VLAN)



Allow scattered users to be logically grouped
together:


Even if attached to different switches


Can isolate sensitive data to VLAN members


Communication on a VLAN


If connected to same switch, switch handles packet
transfer


Special “tagging” protocol used for communicating
between switches
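
The following added example (not code from the textbook or any switch vendor) models the switch behaviour from the "Standard Network Devices" slides and the VLAN behaviour described here in one place: the switch learns which port each MAC address sits on, forwards known destinations to that port only, floods unknown ones within the VLAN, and tags frames that cross the trunk link to another switch. The port layout and MAC addresses are constructed, and the tag is modelled simply as a VLAN ID (an 802.1Q-style tag is assumed as the "tagging protocol" the slide mentions). A hub is included for contrast.

```python
# Added example (not from the textbook): a learning switch that forwards
# frames only to the port where the destination MAC was learned, floods
# unknown destinations, and keeps VLANs apart; frames crossing the trunk
# link to another switch carry a VLAN tag (assumed 802.1Q-style VLAN ID).
# Port layout and MAC addresses are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"
TRUNK = "trunk"


def hub_forward(in_port, ports):
    """A hub repeats every frame to every other port without reading it."""
    return [p for p in ports if p != in_port]


class VlanSwitch:
    def __init__(self, port_vlan):
        self.port_vlan = port_vlan            # port -> access VLAN id, or TRUNK
        self.mac_table = {}                   # (vlan, mac) -> port

    def _ports_in_vlan(self, vlan):
        return [p for p, v in self.port_vlan.items() if v == vlan]

    def _trunks(self):
        return [p for p, v in self.port_vlan.items() if v == TRUNK]

    def receive(self, in_port, src_mac, dst_mac, tag=None):
        """Process one frame; return [(out_port, tag_or_None), ...]."""
        vlan = tag if self.port_vlan[in_port] == TRUNK else self.port_vlan[in_port]
        if vlan is None:
            return []                         # untagged frame on a trunk: ignored
        self.mac_table[(vlan, src_mac)] = in_port       # learn where src lives
        out = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None:
            targets = [out]                   # known destination: one port only
        else:                                 # unknown or broadcast: flood within VLAN
            targets = self._ports_in_vlan(vlan) + self._trunks()
        return [(p, vlan if self.port_vlan[p] == TRUNK else None)
                for p in targets if p != in_port]


def demo():
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: TRUNK})
    first = sw.receive(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02")   # unknown dst: flood
    second = sw.receive(2, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01")  # dst learned on port 1
    cross = sw.receive(3, "bb:bb:bb:bb:bb:03", "aa:aa:aa:aa:aa:01")   # VLAN 20 cannot see VLAN 10
    from_trunk = sw.receive(4, "aa:aa:aa:aa:aa:09", "aa:aa:aa:aa:aa:01", tag=10)
    return first, second, cross, from_trunk
```

The `cross` result is the isolation the slide describes: the host on port 3 is in VLAN 20, so its frame never reaches ports 1 or 2 even though the destination MAC is known to the switch in VLAN 10; it only goes out the trunk, tagged 20, for another switch's VLAN 20 ports. Note also that the table is keyed by MAC address alone, which is why Table 6-2's switch protections matter.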


Remote Access


Working away from the office commonplace today


Telecommuters


Traveling sales representatives


Traveling workers


Strong security for remote workers must be
maintained


Transmissions are routed through networks not
managed by the organization


Provides same functionality as local users


Through VPN or dial-up connection


Summary


Standard network security devices provide a
degree of security


Hubs, switches, routers, load balancers


Hardware devices specifically designed for security
give higher protection level


Hardware-based firewall, Web application firewall


Proxy server intercepts and processes user
requests


Virtual private network uses unsecured public
network and encryption to provide security



Summary (cont’d.)


Intrusion detection system designed to detect
attack as it occurs


Network technologies can help secure a network


Network address translation


Network access control


Methods for designing a secure network


Demilitarized zones


Virtual LANs

