Unit 17 Local Area Network Security

collarlimabeansSecurity

Feb 23, 2014 (3 years and 8 months ago)



Networking CMPC531\tc_17.ppt\\ page 17-1

Unit 17


Local Area Network Security



BUSINESS IMPACT


SECURITY POLICY DEVELOPMENT


VIRUS PROTECTION


FIREWALLS


AUTHENTICATION AND ACCESS CONTROL


ENCRYPTION


APPLIED SECURITY SCENARIOS


GOVERNMENT IMPACT



BUSINESS IMPACT


Network security is a business problem.


The development and implementation of a sound network security policy
must start with strategic business assessment followed by strong
management support throughout the policy development and implementation
stages.


Enterprise network security goals must be set by corporate presidents and/or boards of directors.



SECURITY POLICY DEVELOPMENT


Security policy development life cycle (SPDLC). Figure 16-1.


A cycle because evaluation processes validate the effectiveness of original
analysis stages.


Security Requirements Assessment


Requires a structured approach to ensure that all potential user group/information resource combinations have been considered.


A network analyst can create a matrix grid mapping all potential user groups against all potential corporate information resources.


Refer to Figure 16-3.


These security processes include:


Restrictions on information access imposed upon each user group


Definition of the responsibilities of each user group for security policy implementation and enforcement.


It should be reviewed on a periodic basis through ongoing auditing, monitoring,
evaluation, and analysis.




Figure 16-1 The Security Policy Development Life Cycle




Scope Definition and Feasibility Studies


Define the scope or limitations of the project


Feasibility studies gain vital information on the difficulty of the security policy
development process as well as the assets (human and financial) required to
maintain such a process.


Need to decide on the balance between security and productivity.


See Figure 16-4.


Need to identify those key values that a corporation should maintain.


Five most typical fundamental values of network security policy development:


Identification/Authentication: the process of reliably determining the genuine identity of the communicating computer (host) or user.


Access Control / Authorization: authenticated users are allowed access only to those information and network resources they are supposed to access.


Privacy/Confidentiality: ensure that data is disclosed only to intended recipients.


Data Integrity: assure that data are genuine and cannot be changed without proper controls.


Non-Repudiation: users cannot deny the occurrence of given events or transactions.




Figure 16-4 Security vs. Productivity Balance




Assets, Threats, Vulnerabilities, and Risks


Most security policy development methodologies boil down to the following six
major steps:

1. Identify assets

2. Identify threats

3. Identify vulnerabilities

4. Consider the risks

5. Identify risk domains

6. Take protective measures


Assets: corporate property of some value that requires varying degrees of protection.


Data or Information can be classified:


Unclassified or Public


Sensitive


Confidential


Secret


Top Secret





Threats: processes or people that pose a potential danger to identified assets.


Vulnerabilities: manner or path by which threats are able to attack assets.


Risks: probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability. E.g.:


Intruders or attackers may use social engineering or snooping to obtain user passwords


An administrator may incorrectly create or configure user ids, groups, and their associated rights
on a file server, resulting in file and login access vulnerabilities


Network administrators may overlook security flaws in topology or hardware configuration


Network administrators may overlook security flaws in operating system or application
configuration;


Lack of proper documentation and communication of security policies may lead to deliberate or
inadvertent misuse of files or network access;


Dishonest or disgruntled employees may abuse the file and access rights they’ve been given;


A computer or terminal left logged into the network while its operator goes away may provide an
entry point for an intruder;


Users or even administrators choose passwords that are easy to guess;


Authorized staff may leave computer room doors propped open or unlocked, allowing
unauthorized individuals to enter;




Staff may discard disks or backup tapes in “public” waste containers


Administrators may neglect to remove access and file rights for employees
who have left the organisation.


Figure 16-7 shows the relationship between assets, threats, vulnerabilities, risks, and protective measures.




Figure 16-7 Assets, Threats, Vulnerabilities, Risks, and Protective Measures




Attack Strategies


Some common attack strategies and their potential protective measures:


Masquerading: Authentication


Eavesdropping: Encryption


Man-in-the-Middle Attack: Digital certificates, digital signatures


Address Spoofing: Firewalls


Data Diddling: Encrypted message digest


Dictionary Attack: Strong passwords, intruder detection


Replay Attack: Time stamping or sequence numbering


Virus Attack: Virus management policy


Trojan Horse Attack: Firewalls


Denial of Service Attack: Authentication, service filtering





Management Role and Responsibilities


Plan your action to develop and implement a solution.


Do not underestimate the labor resources and time requirements necessary to scale up your security analysis to an enterprise-wide security policy development and implementation process.


Be sure that all affected user groups are represented on the policy development task force.


Potential areas for development of acceptable use policies:


Password protection and management, software license, virus protection, internet access, remote access, e-mail, policies regarding penalties/warnings, physical access


Policy Implementation Process


The policies need the support of executives and managers.


Users should also be expected to actively support the implemented acceptable use policies.


A security architecture maps clearly justified security functional requirements to currently available security technical solutions.


See Figure 16-13 for the information security architecture.





Figure 16-13 Representative Security Architecture




Auditing


Audit and monitor a corporate security policy on a continual basis.


Auditing can be automated or manual.


Manual audits serve to verify the effectiveness of policy development and implementation.


Automated audits are able to assess the weaknesses of your network security and security standards, to analyze the network for potential vulnerabilities and make recommendations for corrective action.




VIRUS PROTECTION


A comprehensive virus protection plan must combine policy, people, processes and
technology in order to be effective.


Virus Categories



Viruses work by infecting other legitimate programs and causing them to become destructive or disrupt the system in some other manner.


They use some type of replication method to get the virus to spread and infect other programs, systems, or networks.


They need some sort of trigger or activation mechanism to set them off. Viruses may remain dormant and undetected for long periods of time.


Refer to Figure 16-16 for the major virus categories.


Antivirus Strategies


Effective antivirus policies and procedures must first focus on the use and checking of all diskettes before pursuing technology-based solutions.


Use virus scanning software to detect viruses in collaborative applications and avoid the infection/reinfection cycle.


Figure 16-18 shows the collaboration software infection/reinfection cycle.


Figure 16-19 shows virus infection points of attack and protective measures.




Figure 16-18 Collaborative Software Infection/Re-infection Cycle



Figure 16-19 Virus Infection Points of Attack and Protective Measures




FIREWALLS


Firewall software usually runs on a dedicated server that is connected to, but outside of, the corporate network.


Firewalls provide a layer of isolation between the inside network and the outside network.


Firewall Architectures


Packet Filtering: examines source and destination addresses and determines access based on the entries in a filter table.


A packet filter can be breached by a technique known as IP spoofing: if a hacker can make a packet appear to come from an authorized or trusted IP address, it can pass through the firewall.


Application Gateway Filters or Proxies


They examine the entire request for data rather than just the source and destination addresses.


Secure files can be marked as such, and application-level filters will not allow those files to be transferred, even to users authorized by port-level filters.
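
The filter-table lookup and the IP spoofing weakness described above, as an added Python example that is not part of the original slides. The rule table, interface names and addresses are constructed for illustration, and the anti-spoofing step (checking the interface a packet arrived on) is a common mitigation that the slides do not themselves describe.

```python
import ipaddress
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source network, CIDR notation
    dst: str     # destination network, CIDR notation


# Constructed filter table, evaluated top-down; the first matching entry wins.
FILTER_TABLE = [
    Rule("permit", "10.0.0.0/8", "192.0.2.10/32"),       # inside hosts -> file server
    Rule("permit", "198.51.100.0/24", "192.0.2.25/32"),  # partner network -> mail relay
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),              # default deny
]


def table_decision(src, dst, table=FILTER_TABLE):
    """Address-only packet filtering: decide from source and destination alone."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in table:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule.action
    return "deny"


def filter_packet(src, dst, arrival_iface):
    """Filter-table lookup preceded by an anti-spoofing check on the arrival interface."""
    # A packet that arrives on the outside interface but claims an inside
    # source address cannot be genuine, so drop it before consulting the table.
    if arrival_iface == "outside" and ipaddress.ip_address(src) in INSIDE_NET:
        return "deny (inside source address seen on outside interface)"
    return table_decision(src, dst)


# Constructed sample packets: (source, destination, arrival interface).
PACKETS = [
    ("10.1.2.3", "192.0.2.10", "inside"),      # genuine inside host
    ("10.1.2.3", "192.0.2.10", "outside"),     # same addresses, wrong interface
    ("203.0.113.7", "192.0.2.10", "outside"),  # unknown outside host
]


def evaluate(packets=PACKETS):
    """Return (address-only verdict, verdict with interface check) per packet."""
    return [(table_decision(s, d), filter_packet(s, d, i)) for s, d, i in packets]


if __name__ == "__main__":
    for packet, verdicts in zip(PACKETS, evaluate()):
        print(packet, verdicts)
```

The second sample packet is permitted by the address-only lookup and dropped once the arrival interface is taken into account. Address-based rules still cannot verify who actually sent a packet that claims a trusted outside address.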




Dual-homed gateway


The application gateway is physically connected to the private secure network and the packet-filtering router is connected to the nonsecure network.


All outside traffic still goes through the application gateway first and then to the information servers.


Trusted gateway


Certain applications are identified as trusted and are able to bypass the application gateway entirely and establish connections directly rather than being executed by proxy.


See Figure 16-20.


Figure 16-20 Packet Filters, Application Gateways, Proxies, Trusted Gateways, and Dual-Homed Gateways




AUTHENTICATION AND ACCESS CONTROL


Authentication is to ensure that users attempting to gain access to networks are really who they claim to be.


Authentication products break down into three overall categories:


What you know. Authentication technology that can deliver single sign-on (SSO) access to multiple network-attached servers and resources via passwords.


What you have. It uses one-time or session passwords or other techniques to authenticate users and validate the authenticity of messages or files.


What you are. It validates users based on some physical characteristic.


Token Authentication


Smart Cards


Token authentication technology may have multiple forms:


Hardware-based Smart Cards


In-line authentication device


Software token on client PC


There are two overall approaches to the token authentication process.




Challenge-response token authentication

1. The user enters an assigned user ID and password at the client workstation.

2. The token authentication server software returns a numeric string known as a challenge.

3. The challenge number and a personal ID number are entered on the hand-held Smart Card.

4. The Smart Card displays a response number on the LCD screen.

5. This response number is entered on the client workstation and transmitted back to the token authentication server.

6. The token authentication server validates the response against the expected response from this particular user and this particular Smart Card. If the two match, the user is deemed authentic and the login session is enabled.


Time synchronous token authentication

1. Every 60 seconds, the time-synchronous Smart Card and the server-based software generate a new access code.

2. The user enters their user ID, a personal ID number, and the access code currently displayed on the Smart Card.

3. The server receives the access code and authenticates the user by comparing the received access code with the expected access code unique to that Smart Card, which was generated at the server in time synchronous fashion.

4. See Figure 16-24.
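
Both token approaches described above, as an added Python example that is not from the original slides or from any token vendor. The per-card shared secret, the HMAC-SHA-256 construction, the 6-digit codes, the clock-drift allowance and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

STEP = 60  # seconds; the slides state a new access code every 60 seconds

def _digits(key, message, n=6):
    """Derive an n-digit code from an HMAC (assumed construction, not a vendor's)."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)

def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

class SmartCard:
    """Hypothetical hand-held token holding a secret shared with the server."""
    def __init__(self, secret):
        self._secret = secret

    def response(self, challenge, pin):
        # Challenge-response steps 3-4: challenge and PIN in, response out.
        return _digits(self._secret, f"{challenge}:{pin}".encode())

    def access_code(self, now):
        # Time-synchronous step 1: the code depends only on the 60 s window.
        return _digits(self._secret, str(int(now // STEP)).encode())

class TokenServer:
    """Hypothetical token authentication server."""
    def __init__(self):
        self._cards = {}     # user ID -> (card secret, PIN)
        self._pending = {}   # user ID -> outstanding challenge

    def enroll(self, user, secret, pin):
        self._cards[user] = (secret, pin)

    def issue_challenge(self, user):
        # Step 2: a fresh random numeric string for every login attempt.
        challenge = str(secrets.randbelow(10**8)).zfill(8)
        self._pending[user] = challenge
        return challenge

    def verify_response(self, user, response):
        # Step 6: compare with the response expected for this user and card.
        challenge = self._pending.pop(user, None)  # single use: blocks replay
        if challenge is None or user not in self._cards:
            return False
        secret, pin = self._cards[user]
        return _same(_digits(secret, f"{challenge}:{pin}".encode()), response)

    def verify_access_code(self, user, pin, code, now, drift=1):
        # Step 3: regenerate the code server-side; allow `drift` windows of skew.
        if user not in self._cards:
            return False
        secret, real_pin = self._cards[user]
        window = int(now // STEP)
        ok = any(_same(_digits(secret, str(window + d).encode()), code)
                 for d in range(-drift, drift + 1))
        return ok and _same(real_pin, pin)

if __name__ == "__main__":
    srv, card = TokenServer(), SmartCard(b"constructed-secret")
    srv.enroll("alice", b"constructed-secret", "4821")
    print(srv.verify_response("alice", card.response(srv.issue_challenge("alice"), "4821")))
```

A captured challenge-response answer is useless once its challenge has been consumed, whereas a time-synchronous code stays valid for its whole window unless the server also records codes it has already accepted.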


Figure 16-24 Challenge Response vs. Time Synchronous Token Authentication




If the security offered by token authentication is insufficient, biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition or other physical characteristics.


Authorization


A subset of authentication. While authentication ensures that only legitimate users can log into the network, authorization ensures that these properly authenticated users access only the network resources for which they are properly authorized.


The authorization security software can be either server-based (brokered authorization) or workstation-based (trusted node).



ENCRYPTION


A security process complementary rather than mutually exclusive to authentication and authorization.


Encryption ensures that the contents of the transmission would be meaningless (called ciphertext) if they were intercepted. Encryption must be accompanied by decryption, to change the unreadable text back into its original form.


Data Encryption Standard (DES) is often used to allow encryption devices manufactured by different manufacturers to interoperate successfully. The DES encryption standard actually includes two parts for greater security:


A method of encrypting data 64 bits at a time


A variable 64-bit key (private key)


Private key


This private key must be known by both the sending and the receiving encryption devices and allows so many unique combinations (2 to the 64th power) that unauthorized decryption is nearly impossible.




Public key or public/private key encryption


The process actually combines public and private keys.


In public key encryption, the sending encryption device encrypts a document
using the intended recipient’s public key and the originating party’s private key.
This public key is readily available in a public directory.


To decrypt the document, the receiving encryption device must be programmed
with the recipient’s private key and the sending party’s public key.


This method requires only the receiving party to possess their private key and
eliminates the need for transmission of private keys.


Digital signature encryption


appends an encrypted digital signature to the encrypted document as an
electronic means of guaranteeing the authenticity of the sending party and
assurance that encrypted documents have not been tampered with during
transmission.


the digital signature is regenerated at the receiving encryption device from the
transmitted document and compared to the transmitted digital signature.


See Figure 16-26.


Figure 16-26 Private Key Encryption, Public Key Encryption, and Digital Signature Encryption




APPLIED SECURITY SCENARIOS


Overall Design Strategies


Some general guidelines that would apply to most situations:


Install only software and hardware that you really need on your network.


Allow only essential traffic into and out of the corporate network


Investigate the business case for outsourcing web-hosting services


Use routers to filter traffic by IP address


Make sure that router operating system software has been patched


Identify those information assets that are most critical to the corporation


Implement physical security constraints to hinder physical access to critical resources such as servers


Monitor system activity logs carefully


Develop a simple, effective and enforceable security policy and monitor its implementation and effectiveness


Consider installing a proxy server or application layer firewall


Block incoming DNS queries and requests for zone transfers


Don’t publish the corporation’s complete DNS map on DNS servers that are outside the corporate firewall.


Disable all TCP ports and services that are not essential




Remote Access Security


How to manage the activity of all of the remote access users that have logged in via a variety of multi-vendor equipment and authentication technology.


Remote authentication dial-in user service (RADIUS) offers the potential to enable centralized management of remote access users and technology.


See Figure 16-28.


It enables communication between the following three tiers of technology:


Remote access devices such as remote access servers and token authentication technology from a variety of vendors, otherwise known as network access servers (NAS)


Enterprise database that contains authentication and access control information


RADIUS authentication server


Users request connections and provide user IDs and passwords to the network access servers which, in turn, pass the information along to the RADIUS authentication server for authentication approval or denial.


Figure 16-28 Remote Authentication Dial-In User Services (RADIUS) Architecture




RADIUS:


Allows the network manager to centrally manage remote access users, access methods, and logon restrictions.


Centralized auditing, e.g. keep track of volume of traffic sent and amount of time on-line


Enforces remote access limitations, e.g. server access restrictions or on-line time limitation


Supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP) and Secure ID token authentication.


Transmits passwords in encrypted format only


Virtual Private Network Security


To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.


Two rival standards are examples of such tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Forwarding (L2F)



See Figure 16-29.


Two rival specifications currently exist for establishing security over VPN
tunnels: IPsec and PPTP.


Figure 16-29 Tunneling Protocols Enable Virtual Private Networks




Enterprise Network Security


To maintain proper security over a widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from a single, centralised, security management location. These processes are:


Single point of registration (SPR) allows a network security manager to enter a new user from a single centralized location and assign all associated rights, privileges and access control to enterprise resources.


Single sign-on (SSO) allows the user to log in to the enterprise network and to be authenticated from their client PC location.


Single access control view allows the user’s access from their client workstation to only display those resources that the user actually has access to.


Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders.




GOVERNMENT IMPACT


Government agencies play a major role in the area of network security.


The primary function of these various government agencies is:


Standards-making organizations that set standards for the design, implementation, and certification of security technology and systems

**** END ****