Network Security

Networking and Communications

Uploaded Nov 21, 2013

University of Palestine

College Name: College of Engineering

Specialist: General

Course No: IGGU 1101

Serial Report No: 01

Report Title Name: Network Security

Prepared By: Nemer Basam Abo Yousef 120090113

Supervised By: Miss Yasmin Al Bobo

Report Prepared Date: 21 April 2010

Organization Address: P.O.Box: 1219, Al Zahra City, Gaza, Palestine

Tel: +972 8 2837733 Fax: +972 8 2837766 Email: info@up.edu.ps





In the name of God, the Most Gracious, the Most Merciful

"And say: My Lord, increase me in knowledge."

Surah Taha: 114

God Almighty has spoken the truth








Dedication







Network Security

Contents

1 Overview
  1.1 Overview
  1.2 General Framework
  1.3 Stateful Packet Inspection
  1.4 Trusted Systems and Bastion Hosts
  1.5 Network Security Topology
  1.6 Virtual Local-Area Networks (VLAN)
2 Management Framework
  2.1 Policies
  2.2 Resources
  2.3 Chain of Responsibility
3 Network Design
  3.1 Partitioning the Network
  3.2 Firewalls
  3.3 Measures to Protect Data, Communications and Systems
  3.4 Mobile and Remote Working
  3.5 Wireless Networks
4 Content Protection
  4.1 Virus Scanning
  4.2 Content Filtering
5 Security Incident Response
  5.1 Reporting Process
  5.2 Content and Privacy Incidents
  5.3 Network Monitoring
  5.4 Information Dissemination
6 References
Appendix A: Glossary
Appendix B: Internet Services in a School Network




1.1 Overview

- LANs, WANs and WLANs are known as edge networks.
  . They may be contained within businesses or homes.
  . They need to be protected from the rest of the Internet.

- Why a firewall?

- Encryption?
  . Cannot stop malicious packets from getting into an edge network.

- Authentication?
  . Can determine whether an incoming IP packet comes from a trusted user.
  . However, not all host computers have the resources to run authentication algorithms.
  . Host computers are managed by different users with different skill levels.




1.2 General Framework








1.3 Stateful Packet Inspection

- An application-level extension of stateful packet filtering.
- Supports scanning packet payloads, not only packet headers.
- Drops packets that do not match the expected connection state, or the expected data type for the protocol on that port.
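The behaviour listed above, as an added example that is not part of the report: a minimal stateful packet inspector that tracks the TCP handshake per connection, refuses any packet that does not fit the connection's current state, and checks the first data segment of a port-80 connection against HTTP. The trusted network (192.168.1.0/24), the packet trace and the HTTP check are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed trusted edge network for this example (not from the report).
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")

# First outbound data segment on port 80 must start with one of these.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class Conn:
    state: str                                  # SYN_SENT, SYN_RECV, ESTABLISHED, CLOSING
    checked: set = field(default_factory=set)   # directions whose first data segment was inspected


class StatefulInspector:
    """Only inside hosts may open connections; every packet must fit the
    connection's current TCP state; the first data segment on port 80 must
    look like HTTP in the right direction. Anything else is dropped."""

    def __init__(self):
        self.conns = {}

    @staticmethod
    def _key(pkt):
        # Both directions of one connection share the key (inside, outside).
        if ipaddress.ip_address(pkt.src) in TRUSTED_NET:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"

    @staticmethod
    def _payload_ok(pkt, direction, conn):
        if not pkt.payload or direction in conn.checked:
            return True
        conn.checked.add(direction)        # only the first data segment is checked
        port = pkt.dport if direction == "out" else pkt.sport
        if port != 80:
            return True
        if direction == "out":
            return pkt.payload.startswith(HTTP_METHODS)
        return pkt.payload.startswith(b"HTTP/")

    def handle(self, pkt):
        key, direction = self._key(pkt)
        conn = self.conns.get(key)
        f = pkt.flags
        if conn is None:
            # Only a bare SYN from inside may create connection state.
            if direction == "out" and f == {"SYN"}:
                self.conns[key] = Conn("SYN_SENT")
                return "ACCEPT"
            return "DROP"
        if "RST" in f:
            del self.conns[key]
            return "ACCEPT"
        if conn.state == "SYN_SENT":
            if direction == "in" and f == {"SYN", "ACK"}:
                conn.state = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        if conn.state == "SYN_RECV":
            if direction == "out" and f == {"ACK"}:
                conn.state = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"
        # ESTABLISHED or CLOSING: no new SYNs, and the payload must fit the protocol.
        if "SYN" in f or not self._payload_ok(pkt, direction, conn):
            return "DROP"
        if "FIN" in f:
            conn.state = "CLOSING"
        return "ACCEPT"


def run_trace(packets):
    """Verdict for each packet of a trace, in order."""
    fw = StatefulInspector()
    return [fw.handle(p) for p in packets]


# Constructed trace: a legitimate outbound HTTP connection, then an
# unsolicited inbound SYN, an ACK for a connection that does not exist, and
# non-HTTP data on a port-80 connection. The last three must be dropped.
TRACE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"})),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"ACK"})),
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"ACK"}), b"GET / HTTP/1.1\r\n"),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"ACK"}), b"HTTP/1.1 200 OK\r\n"),
    Packet("198.51.100.9", 5555, "192.168.1.20", 22, frozenset({"SYN"})),
    Packet("198.51.100.9", 5555, "192.168.1.20", 22, frozenset({"ACK"})),
    Packet("192.168.1.11", 40001, "203.0.113.5", 80, frozenset({"SYN"})),
    Packet("203.0.113.5", 80, "192.168.1.11", 40001, frozenset({"SYN", "ACK"})),
    Packet("192.168.1.11", 40001, "203.0.113.5", 80, frozenset({"ACK"})),
    Packet("192.168.1.11", 40001, "203.0.113.5", 80, frozenset({"ACK"}), b"\x16\x03\x01binary"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace(TRACE)):
        print(f"{verdict:6} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {sorted(pkt.flags)}")
```

The point of the example is the difference between a stateless filter and this one: the inbound ACK to 192.168.1.20 would pass a stateless "allow established" rule that only looks at flags, but here it is dropped because no inside host ever opened that connection.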





1.4 Trusted Systems and Bastion Hosts

- Application gateways are placed between the external and the internal networks.
  . They are exposed to attacks from the external network.
- They therefore need strong security protections:
  . a trusted operating system;
  . bastion hosts (hardened, minimally configured machines that run only the gateway service).






1.5 Network Security Topology

- Firewalls divide networks into three areas:
  . the distrusted region (the Internet);
  . the semi-trusted region (the DMZ, where externally reachable servers are placed);
  . the trusted region (the internal network).



1.6 Virtual Local-Area Networks (VLAN)

- A technology for creating several independent logical LANs over the same physical network.
- VLANs can be created using software.
- VLAN switches: a VLAN switch can be configured into several logical groupings of switch ports, each grouping forming an independent VLAN.
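How the port groupings above keep traffic apart, as an added example that is not part of the report: a parser for the 802.1Q tag that carries VLAN membership across a shared link, and a model of a port-based VLAN switch that floods a frame only to ports of the same VLAN. The port numbers, VLAN IDs and frames are constructed for illustration.

```python
import struct

# Added example, not from the report: 802.1Q parsing and a port-based VLAN switch.
TPID_8021Q = 0x8100


def parse_frame(frame: bytes):
    """Split an Ethernet II frame into (dst, src, vlan_id, ethertype, payload).
    vlan_id is None for an untagged frame; a tagged frame carries a 4-byte
    802.1Q tag (TPID 0x8100 + TCI) between the source MAC and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


class VlanSwitch:
    """Port-based VLAN switch: an access port belongs to exactly one VLAN and
    accepts only untagged frames; a trunk port carries tagged frames for a set
    of VLANs. A frame is never delivered outside the VLAN it entered on."""

    def __init__(self, access, trunks):
        self.access = access     # port -> VLAN ID
        self.trunks = trunks     # port -> set of VLAN IDs allowed on the trunk

    def ingress_vlan(self, port, frame):
        """VLAN the frame is assigned to on arrival, or None if it is discarded."""
        _, _, tag, _, _ = parse_frame(frame)
        if port in self.access:
            # Tagged frames on access ports are dropped: a host must not be able
            # to choose its own VLAN by sending a tag (a VLAN-hopping precaution).
            return None if tag is not None else self.access[port]
        if port in self.trunks and tag in self.trunks[port]:
            return tag
        return None

    def egress_ports(self, in_port, frame):
        """Ports a broadcast (or unknown-destination) frame is flooded to."""
        vlan = self.ingress_vlan(in_port, frame)
        if vlan is None:
            return set()
        out = {p for p, v in self.access.items() if v == vlan}
        out |= {p for p, vlans in self.trunks.items() if vlan in vlans}
        out.discard(in_port)
        return out


# Constructed configuration: ports 1-2 form the staff VLAN 10, ports 3-4 the
# student VLAN 20, and port 5 is a trunk to the school firewall carrying both.
STAFF, STUDENTS = 10, 20
SWITCH = VlanSwitch(access={1: STAFF, 2: STAFF, 3: STUDENTS, 4: STUDENTS},
                    trunks={5: {STAFF, STUDENTS}})

BCAST = b"\xff" * 6
HOST_A = b"\x00\x11\x22\x33\x44\x55"
UNTAGGED = build_frame(BCAST, HOST_A, 0x0806, b"arp-request")
TAGGED_STUDENT = build_frame(BCAST, HOST_A, 0x0806, b"arp-request", vlan_id=STUDENTS)
TAGGED_UNKNOWN = build_frame(BCAST, HOST_A, 0x0806, b"arp-request", vlan_id=30)

if __name__ == "__main__":
    print("untagged from port 1  ->", sorted(SWITCH.egress_ports(1, UNTAGGED)))
    print("VLAN 20 on trunk      ->", sorted(SWITCH.egress_ports(5, TAGGED_STUDENT)))
    print("VLAN 30 on trunk      ->", sorted(SWITCH.egress_ports(5, TAGGED_UNKNOWN)))
    print("tagged on access port ->", sorted(SWITCH.egress_ports(1, TAGGED_STUDENT)))
```

A broadcast from a staff port reaches the other staff port and the trunk but never the student ports, which is the separation a VLAN is for. Note the two discard cases: a VLAN the trunk is not configured to carry, and a tagged frame arriving on an access port; the latter is the behaviour to check on real switches, since trunking enabled by default on access ports is a classic VLAN-hopping weakness.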



2 Management Framework

2.1 Policies

Policy on the purpose of the education network is beyond the scope of this document. However, that policy will determine the services and facilities required and will affect the acceptable use policy for the network, which in turn has an impact on the security policy.

To permit some concrete proposals to be presented, a sample set of network applications and services is set out in Appendix B, together with recommendations as to how they can most easily be provided in a secure fashion. It is believed that these are sufficient to meet most of the needs of school staff and of daytime and other students, mainly while they are on school premises.

2.2 Resources

Sufficient resources must be made available on a continuing basis to safely develop, maintain and manage the network and services provided. Schools must ensure that they are able to make informed decisions on the safety and educational issues presented by computers and networks. School managers must therefore ensure they have access to sufficient advice and assistance for all aspects of network operation, security and use. It is likely that in most cases Local Authorities or Regional Broadband Consortia will be the main source of support.

In most school environments the resource most likely to be scarce is staff effort dedicated to the network; it may be possible to delegate or outsource much technical effort to commercial or local government suppliers at reasonable cost, but there is no alternative to informed oversight by local management of safety and educational matters. Planned, regular and ongoing investment in user awareness, system administration and security monitoring reduces both the likelihood that a security incident will occur and the disruptive impact of any such event.

2.3
Chain of Responsibility

Where some or all network services are outsourced, it is essential to establish as part
of the agreement how security issues are to be resolved. One
fundamental process is
to identify and maintain contacts in the parties to the agreement who are to cooperate
as necessary. These contacts will need to cooperate on security matters to discuss and
agree policies and processes and to disseminate information

on new security threats
and actions to be taken.

Beyond that it is desirable (but more difficult) to set out specific undertakings; an RBC or
Service Provider may expect a school to trace abuse to an individual user and to discipline
them appropriately, a

school may expect an RBC or Service Provider to block traffic to or
from a particular external network, a school approached by the police may expect an RBC or
Service Provider to provide certain information on a confidential basis, and so on. Good
workin
g relationships, established through frequent and open contact, are the best way to
achieve responsible and effective processes

3 Network Design


The design of the networks concerned must:

- support the services and applications that schools need, and
- make it possible to implement the above security and use policies.

The following sections cover aspects of network design from a security standpoint. A more detailed discussion of network design is set out in the Network Design document.


3.1 Partitioning the Network

All except the smallest networks will be divided by a combination of network devices (such as routers, switches and firewalls) and administrative procedures into distinct parts. The intention is to separate the network into areas in such a way that systems, users and information within any one area have a similar level of trust and risk.

In many schools, for instance, staff computers will be considered less likely to be the source of abuse than those available to students. Staff computers may therefore have a more open policy on acceptable content and may be allowed access to local services, Web sites or other Internet services not available to students.

If a school network includes Web servers or other systems intended to be reached from the Internet, the risk that they will be interfered with is significant. Part of the benefit to a school of outsourcing the operation of such servers is to transfer risk to the provider concerned. If such systems are implemented at all, they should normally be placed in their own part of the school network and trusted very little by the rest of the network.


3.2 Firewalls

All host systems (client or server computers) on the network must be protected against hostile traffic from the Internet and from other parts of the network by at least one firewall or other network control device implementing a default-deny policy (see the Glossary). The location of these devices should be chosen to implement the partitioning mentioned above.

In most cases it should not be necessary for a school to partition its network by deploying an internal firewall. It should be possible for the LA or other provider to operate the firewall function separating the school network from the Internet.

All network traffic represents a risk. The services permitted through each firewall and the systems to which traffic is allowed to flow must therefore be agreed using a risk assessment and change management process (see sections 2.1.2 and 2.1.4), with all changes approved and recorded so that they can be reversed if required.

Firewalls need to be adequately sized for the traffic they handle and also, in the case of firewalls within LA/RBC networks, for the very large number of simultaneous network connections made over the network. Firewall rule-sets will need to be reviewed to ensure consistency and efficiency.

Where firewalls are implemented at school level as well as RBC/LA level, care is required to ensure reasonable agreement on the rule set. LAs should provide guidance to their schools on how to achieve this.
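The default-deny policy and the rule-set review mentioned above, as an added example that is not part of the report: a zone-based rule evaluator for the three regions of section 1.5 (anything not explicitly allowed is dropped) together with a check that finds rules shadowed by an earlier rule, which is the kind of inconsistency a review should catch. The address ranges, rule names and sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the report: zone-based default-deny policy and a
# rule-shadowing check. Address ranges and rules are constructed.
ZONE_NETS = {
    "school": ipaddress.ip_network("10.0.0.0/16"),     # trusted region
    "dmz":    ipaddress.ip_network("192.0.2.0/24"),    # semi-trusted region
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str            # "tcp" or "udp"
    dports: frozenset     # destination ports; empty means any port
    action: str           # "ACCEPT" or "DROP"

    def matches(self, src_zone, dst_zone, proto, dport):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto == proto and (not self.dports or dport in self.dports))


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; with no match the packet is dropped (default-deny)."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in rules:
        if rule.matches(sz, dz, proto, dport):
            return rule.action, rule.name
    return "DROP", "default-deny"


def shadowed_rules(rules):
    """Consistency check for rule-set review: a rule is shadowed when an
    earlier rule already matches every packet it could match, so it can
    never fire. Returns (shadowed_rule, shadowing_rule) name pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_flow = ((earlier.src_zone, earlier.dst_zone, earlier.proto)
                         == (later.src_zone, later.dst_zone, later.proto))
            covers = not earlier.dports or (later.dports and later.dports <= earlier.dports)
            if same_flow and covers:
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rule set for the three-zone layout of section 1.5.
RULES = [
    Rule("school-web-out",      "school",   "internet", "tcp", frozenset({80, 443}), "ACCEPT"),
    Rule("school-dns-out",      "school",   "internet", "udp", frozenset({53}),      "ACCEPT"),
    Rule("internet-to-dmz-web", "internet", "dmz",      "tcp", frozenset({80, 443}), "ACCEPT"),
    Rule("dmz-to-school-deny",  "dmz",      "school",   "tcp", frozenset(),          "DROP"),
    Rule("school-https-out",    "school",   "internet", "tcp", frozenset({443}),     "ACCEPT"),  # shadowed
]

SAMPLE_PACKETS = [
    ("10.0.5.5",    "203.0.113.5", "tcp", 443),   # staff PC browsing the Internet
    ("203.0.113.5", "192.0.2.10",  "tcp", 80),    # Internet client to the DMZ web server
    ("203.0.113.5", "10.0.5.5",    "tcp", 445),   # Internet to an internal SMB port: no rule
    ("192.0.2.10",  "10.0.5.5",    "tcp", 22),    # compromised DMZ host towards the inside
    ("10.0.5.5",    "203.0.113.5", "udp", 123),   # NTP out: not explicitly allowed
]


def verdicts(rules=RULES, packets=SAMPLE_PACKETS):
    """(action, matching rule name) for each sample packet."""
    return [evaluate(rules, *p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, by) in zip(SAMPLE_PACKETS, verdicts()):
        print(f"{action:6} {pkt}  ({by})")
    print("shadowed:", shadowed_rules(RULES))
```

Two things to take from the run: the SMB and NTP packets are dropped without any rule naming them, which is what default-deny means in practice, and the final HTTPS rule is reported as shadowed by the earlier web rule, so it can be removed without changing behaviour.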

Reference:

http://safety.ngfl.gov.uk/schools/document.php3?D=d68



3.3 Measures to Protect Data, Communications and Systems

Additional technical and policy measures must be used to protect sensitive information, communications and systems. Depending on the type of information this may involve, for example, encryption, virtual private networks or manual processes for transferring data from systems that cannot safely be connected to the network. Web services that require users to enter passwords or other sensitive information must use SSL (in current terms, TLS; the old SSL protocol versions themselves should no longer be enabled).

3.4 Mobile and Remote Working

Providing facilities for access from other networks, for example through remote working options, represents a serious risk, as security will then depend on factors such as home computers and public networks that are outside the control of the school or its service providers.


3.5 Wireless Networks

Wireless networks offer great flexibility in use, but also many opportunities for misuse. They should not be viewed as a simple extension of a wired network, in either performance or security terms. Wireless access points, if required, must be connected to a dedicated network segment, separated from the rest of the school network and the Internet by a firewall configured to allow only essential traffic. Additional authentication measures are required to ensure that only known users and computers can connect to the wireless network, and encryption must be used to protect the authentication process and any other sensitive data that may pass over the network. At the time of writing, wireless encryption standards had problems: WEP encryption can be relatively easily broken, and the WPA/802.11i approach was not yet standardised across different manufacturers, so these should not be relied upon as the only form of protection. (WEP should today be treated as broken outright and not used at all; WPA2, the ratified 802.11i standard, is universally supported and should be required.) Schools that use wireless networks must make their users aware of these additional issues and train them in good practice for using such networks safely. More details of the security issues in installing and using wireless networks can be found in UKERNA's Factsheet.

References:

http://www.bgfl.org/services/editsupp/wireless.htm
http://www.ja.net/documents/factsheets/wireless-security.pdf
http://www.securityfocus.com/infocus/1732
http://www.securityfocus.com/infocus/1735

4 Content Protection

4.1 Virus Scanning

Security policies at LA/RBC and school level must make clear the requirement for
virus scanning.

All end-user systems must run anti-virus software, with definition files regularly updated, automatically if possible. Disabling this protection should be seen as a serious disciplinary matter. External e-mail both entering and leaving the network should be checked by up-to-date anti-virus software, preferably at the mail server. Internal mail should be checked in transit. Mail servers, fileservers and other application servers must be scanned regularly to find infected files or messages that may have arrived by other routes.

School management must recognise that maintaining anti-virus measures requires considerable resource and determination. Frequently ICT support staff are overwhelmed by the magnitude of the task or their efforts are defeated by systems that move around the school and are taken home. Scanning tools that detect vulnerabilities across the network should be used on a regular basis.

Reference:

http://safety.ngfl.gov.uk/schools/document.php3?D=d52


4.2 Content Filtering

Security policies at LA/RBC and school level must make clear the requirements for
content filtering. Schools will need to distinguish carefully between the educational
policy for content filtering, decided by management, and t
he configuration of
software to implement the policy, undertaken by technical staff.

It should be noted that there is a considerable responsibility placed on both
management and technical staff in ensuring pupil safety and security. Management of
filterin
g systems takes time and requires appropriate procedures in the security policy
to ensure that breaches of policy can be effectively dealt with.

Two major areas in which the content of network traffic presents a specific risk and
should normally be filtere
d are Web browsing and e
-
mail. It may be practicable
locally to identify and suppress some Unsolicited Bulk E
-
mail (a common source of
undesirable content) but much effective suppression is on the basis only of the source
of the messages. Commercial produc
ts and services are available for filtering e
-
mail
and selectively blocking access to Web locations; these are more appropriate to Local
Authorities and service providers and many schools will outsource the activity. Note
that if filters are to be effectiv
e, other routes of access by users to content must be
blocked, for example it must not be possible to view an external web page without
passing through the filter.

Where user activity is monitored, care is required to ensure human rights are not
breached.

One essential action is to ensure all users are aware of any monitoring
processes in place (see also section 6.2).

http://safety.ngfl.gov.uk/schools/document.php3?D=d55
Reference:



5 Security Incident Response

Incidents may be identified by users within the school, by other Internet users or by
network staff (either in the school or in one of its Local Authority or commercial
service providers).

Some incidents may involve Law
Enforcement agencies, and schools should have a
policy for handling interactions with them. In many cases it will be appropriate for the
Local Authority to take some part.


5.1 Reporting Process

5.1.1 Internal Users

There should be clear guidelines for all users on how to recognise a security incident and how and where to report it. No blame must attach to making a report, even if it turns out to be incorrect. Many reports include personal data, and a confidential method for reporting may be necessary. The school must decide to what extent it will handle reports locally and under what circumstances the incident will be passed to the Local Authority or other service provider.

5.1.2 External Bodies

The school must decide together with its Local Authority and other service providers the route by which a person outside the school should report abuse or other security events they believe are attributable to the school. There are several mechanisms in common use for deciding where to send such reports, and all parties need to agree who will respond and how those who may receive the reports should forward them to the designated places.


5.2 Content and Privacy Incidents

Schools must encourage staff and pupils to report when there has been inappropriate use of the network, for example accessing inappropriate material, or where personal data is being misused, perhaps in e-mail or chat room exchanges. The appropriate response will depend on the nature of each report, but is likely to involve school and local authority working together. Service providers may also be involved to trace the origin of material or communications. In most cases it will be appropriate for the local authority to lead the investigation, with schools dealing with any local effects. Schools must be prepared to cooperate to preserve information from their systems (whether or not it is likely to be used as formal evidence) and must have procedures in place and agreed with their local authority.



5.3 Network Monitoring

Systems and policies must be in place to permit routine monitoring of the quantity and type of traffic on the network. This information may indicate security incidents, which should be handled as described above, as well as other operational issues. The policy must make clear what information is to be gathered, who should have full or limited access to it, how it will be protected against loss or damage and when and how it will be disposed of. Much of the information will be subject to Data Protection and other legislation, so users should be made aware that monitoring is occurring.

Monitoring should also include logging of anomalous events such as packets from unexpected sources, failed attempts to authenticate or attempts to view a Web page that is not meant to be accessible. Intrusion detection systems may help to automate some of this monitoring and give early warning of problems, but their output still needs time, skill and judgement to interpret. Legitimate activity and routine events may also be logged. In general, for this information to be of any use some person or process must examine it and make a judgement on its significance. It is possible to some extent to automate the process so that only exceptions and summaries are presented to a person, but these still need to be interpreted by a skilled person. The monitoring activity may be outsourced, if confidentiality issues can be resolved, or the information may merely be accumulated so that it is available if a security event is detected in some other way.

Monitoring is essential to achieve a satisfactory level of security and managers must be prepared to devote sufficient staff and equipment resources to it.
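The three anomalies named above (packets from unexpected sources, repeated authentication failures, and attempts to view pages that are not meant to be accessible), as an added example that is not part of the report: detection logic run over constructed log lines, presenting only the exceptions to a person. The log format, the internal address ranges, the restricted paths and the failure threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the report: anomaly detection over sample log lines.
# Line format, address ranges, paths and thresholds are all assumed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]
RESTRICTED_PREFIXES = ("/admin/", "/staff/")    # pages not meant to be reachable by pupils
FAIL_THRESHOLD = 3                               # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=5)               # ... within this period raise an alert

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<rest>.*)$")


def parse_line(line):
    """Parse the constructed 'timestamp kind key=value ...' format, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"], **fields}
    except ValueError:            # a token without '=', or an unparsable timestamp
        return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(lines):
    """Return (alert_type, detail) pairs, in log order; routine events produce nothing."""
    alerts = []
    failures = defaultdict(list)          # source address -> recent failure times
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            alerts.append(("unparsed-line", raw.strip()))   # a human should look at these too
            continue
        kind = ev["kind"]
        if kind == "auth" and ev.get("result") == "FAIL":
            # Failed authentication: count failures per source in a sliding window.
            recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= FAIL_WINDOW]
            recent.append(ev["ts"])
            failures[ev["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:            # alert once, when the threshold is reached
                alerts.append(("repeated-auth-failure", ev["src"]))
        elif kind == "fw" and ev.get("iface") == "ext" and is_internal(ev["src"]):
            # Packet from an unexpected source: an internal address arriving on the
            # external interface can only be spoofed or misrouted.
            alerts.append(("spoofed-internal-source", ev["src"]))
        elif kind == "web" and ev.get("path", "").startswith(RESTRICTED_PREFIXES) \
                and ev.get("status") in ("401", "403", "404"):
            # Attempt to view a page that is not meant to be accessible.
            alerts.append(("restricted-page-probe", f"{ev['src']} {ev['path']}"))
    return alerts


# Constructed sample log (not real data).
SAMPLE_LOG = """\
2010-04-21T09:00:01 auth host=srv1 src=10.0.3.7 user=alice result=FAIL
2010-04-21T09:00:09 auth host=srv1 src=10.0.3.7 user=alice result=FAIL
2010-04-21T09:00:15 auth host=srv1 src=10.0.3.7 user=alice result=FAIL
2010-04-21T09:00:20 auth host=srv1 src=10.0.3.7 user=alice result=OK
2010-04-21T09:02:30 auth host=srv1 src=10.0.4.2 user=bob result=FAIL
2010-04-21T09:05:00 fw iface=ext src=10.0.0.55 dst=10.0.0.12 dport=445 action=DROP
2010-04-21T09:05:01 fw iface=ext src=198.51.100.9 dst=192.0.2.10 dport=80 action=ACCEPT
2010-04-21T09:06:00 web src=10.0.3.7 path=/admin/config.php status=403
2010-04-21T09:06:05 web src=10.0.3.8 path=/index.html status=200
garbage line without structure
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Of the ten sample lines, four become alerts and the rest (a successful login, a single failure, an allowed connection, a normal page view) are kept in the log but not shown, which is the "exceptions and summaries" presentation the text describes. The one-off failure by bob is deliberately below the threshold: thresholds and windows are policy choices and should be written into the monitoring policy alongside who receives the alerts.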

References:

http://www.ja.net/documents/factsheets/unusual_traffic.pdf
http://www.ja.net/services/netsight/index.html



5.4 Information Dissemination

As well as reactive procedures to be followed once an incident has occurred, schools and local authorities need to anticipate new threats and take steps to prevent them causing incidents. Local Authorities and Regional Broadband Consortia must help schools to counter new technical and non-technical threats to their network by announcing threats to responsible contacts within each school, and recommending actions to be taken by school managers and their technicians.

The information disseminated may come from commercial or other professional security services and response teams, from vendors, from Internet bulletins and similar sources, or from local knowledge. Information from some of these sources may need additional interpretation or explanation to make it directly useful to schools.


6 References

DfES Standards Fund Guidance: ICT in Schools Standards Fund Grant 2004-05, Guidance for Schools and LEAs
http://www.dfes.gov.uk/ictinschools/funding/

UK Government's e-Government Interoperability Framework (e-GIF)
http://www.govtalk.gov.uk/interoperability/egif.asp

Government Strategy Framework and guidelines on Security
http://www.e-envoy.gov.uk/Resources/FrameworksAndPolicy/fs/en

Security Policy
http://www.kent.gov.uk/eis/ (follow the 'broadband' link to the ICT security policy)

Risk Management
http://www.ja.net/conferences/SJ4/manage_risks/prog.html

Firewalls
http://safety.ngfl.gov.uk/schools/document.php3?D=d68

Laptops for teachers
http://www.naace.org/resourceView.asp?menuItemId=2&resourceId=451

Wireless Networks
http://www.bgfl.org/services/editsupp/wireless.htm

System Protection
http://www.ja.net/CERT/JANET-CERT/prevention/machines.html

Passwords
http://wp.netscape.com/security/basics/passwords.html

User education and acceptable use policies
http://www.kented.org.uk/ngfl/policy.html

Safe Internet Use
http://www.thinkuknow.co.uk/
http://www.scotland.gov.uk/clickthinking/default.htm

Virus Scanning
http://safety.ngfl.gov.uk/schools/document.php3?D=d52

Content filtering
http://safety.ngfl.gov.uk/schools/document.php3?D=d55

External Attacks
http://www.cert.org/csirts/

Internal Attacks
http://www.linx.net/noncore/bcp/traceability-bcp.html

Network Monitoring
http://www.ja.net/documents/factsheets/unusual_traffic.pdf

General information
http://safety.ngfl.gov.uk/schools/

National Interconnect Technical Specifications
http://www.ja.net/schoolsbroadband/technical_specs.pdf

Regional Broadband Consortia (RBC)
http://buildingthegrid.becta.org.uk/index.php?locId=143





Appendix A: Glossary

This glossary explains the terms used in this document. An extensive general networking glossary can be found at the JANET National User Group Web site: http://www.jnug.ac.uk/netglossary.html

Address

In this document refers to an IP address. An IP address is the unique network-layer identifier for a host on the local IP network.

Authentication

The process or processes which enable one party in an electronic communication (typically a user or a client) to say to another party (a server or provider) who they are in a way satisfactory to that second party. Examples include supplying a user or account name and a password, presenting a smart card and entering a PIN, having a thumbprint recognised, sending a cryptographic certificate which matches one held by the other party, or responding to a challenge in the correct way. Note that in some situations it may not be obvious which way round the roles are; when connecting to a 'secure' Web site using SSL it is the Web site that seeks to convince the human user's Web browser of its identity.

The purpose of authentication is usually to support authorisation, the granting or denial of access to some resources.

Broadband

A transmission medium capable of supporting a wide range of frequencies. It can carry multiple signals by dividing the total capacity of the medium into multiple, independent bandwidth channels, where each channel operates only on a specific range of frequencies. [Source: RFC 1392]

CERT

Computer Emergency Response Team (also known as CSIRT, Computer Security Incident Response Team, or IRT). Coordinates responses to computer security threats and incidents on behalf of some community or network, such as CERT/CC and FIRST in the US:

http://www.cert.org/
http://www.first.org/
http://www.terena.nl/tech/task-forces/tf-csirt/

Certificate

A collection of data, signed by a trusted issuer, which binds an identity or an entitlement to some resources to a cryptographic key. A certificate is typically unintelligible to a human reader and is produced and read using cryptographic software. It may include the identity of the person or object to whom it refers, some details of the resources to be made available (such as a time limit), and some indication of a chain of trust. Certificates are of value to persons or computers controlling resources because those controllers can confirm that they were issued with the authority of a party they have arranged to trust for that purpose (a 'Certificate Authority'). X.509 is the most widely accepted standard for cryptographic certificates.

Data Protection

Legislation and guidance on the use of information about individual people ('personal data'). UK legislation is harmonised with EU Directives; practice in the United States has far less emphasis on the care to be taken with personal data, and the international nature of the Internet makes this a complex issue. The UK lays down Data Protection Principles and requires people and organisations handling personal data to register with the Information Commissioner:

http://www.informationcommissioner.gov.uk/

Default-deny

A style of management and configuration for control devices in networks (such as routers, firewalls, proxies and servers) in which no access is permitted by default, and every item of access needed (port, protocol, service, network etc.) must be explicitly enabled.

Domain Name System

The basic name-to-address translation mechanism used in the IP environment. Used to translate between human-friendly names such as www.ja.net and the numeric IP addresses that computers themselves use to communicate. DNS information can also be used to direct the operation of some Internet services, notably electronic mail. UK schools can have domain names ending in 'sch.uk'.

DNS is specified in:

RFC 1034 (STD 13): http://www.ietf.org/rfc/rfc1034.txt
RFC 1035: http://www.ietf.org/rfc/rfc1035.txt



Appendix B: Internet Services in a School Network

The following table lists Internet services likely to be required in schools' networks. It is by no means definitive or exhaustive, but the requirements of these applications illustrate the range of technical and management issues in making the network secure.

For most of these services there is a choice between local and outsourced provision. The "Recommended" entry gives the recommended approach for best security in each case. Recognising that there may be local or regional circumstances that make this recommendation inappropriate, the "Alternative" entry suggests possible alternatives; these are, however, likely to be more difficult to manage securely or give a less effective service.

Service: Mail
  Recommended: Remote Web mail service with virus & UBE scanning
  Alternative: Mail system at school (scanning may be done on central relay)

Service: Filtered web browsing (inc. FTP)
  Recommended: Via remote proxy/filter
  Alternative: Via local proxy/filter

Service: Web serving (public)
  Recommended: Remote Web server
  Alternative: Local provision not recommended. If done, must be on a separate, untrusted, network segment

Service: Web serving (internal)
  Recommended: Remote Web server
  Alternative: Local Web server

Service: Video/Audio receiver
  Recommended: Hierarchical content delivery service
  Alternative: Direct from Internet servers

Service: Video/Audio conferencing
  Recommended: See separate document
  Alternative: -

Service: Remote access to filestore (very hard to do securely, so ensure that the risk is justified)
  Recommended: If needed, use remote outsourced service (may be external to education network)
  Alternative: VPN through central gateway to professionally maintained server on a separate LAN segment

Service: VLE
  Recommended: Remote VLE server (may be external to education network)
  Alternative: Local system

Service: Conferencing, Messaging
  Recommended: Remote server
  Alternative: Local server

Infrastructure services (not of interest to ordinary users)

Service: Default route (gateway)
  Recommended: From remote DHCP
  Alternative: Local; static upstream

Service: DHCP
  Recommended: Remote (single address)
  Alternative: Local server

Service: NAT
  Recommended: None (single computer)
  Alternative: Local translator

Service: DNS resolver
  Recommended: Local resolver
  Alternative: Remote resolver

Service: Connection firewall *
  Recommended: LA/RBC managed
  Alternative: Locally managed

Service: DNS zone serving
  Recommended: Remote server, data may be locally managed
  Alternative: Local server with offsite secondary

Service: Synchronise computer clocks
  Recommended: Local timeserver slaved to remote (NTP) source
  Alternative: Remote (NTP) server for local clients

Service: Web server certificates (to support SSL)
  Recommended: Centrally issued by authority or commercial CA
  Alternative: Self-signed certificate from local server

* The deployment of school firewalls, whilst potentially providing a greater level of security, can lead to complications if managed independently from a local authority/RBC central firewall service. It is therefore recommended that firewalls be deployed and managed either in conjunction with or by local authorities/RBCs (see section 3.2).






