Chapter 13 – Network Security

slurpslapout | Networking and Communications

Nov 20, 2013

Chapter 13: Network Security

Password Protection

Security Models

Firewalls

Security Protocols


Using Passwords

Passwords are the most common method of securing network resources.

Passwords can be an effective security mechanism, or they can be useless, depending on how they are used.

The strength of any password protection is based on the password policies that administrators set.


Using Passwords

Most operating systems include tools that allow administrators to impose password policies on users, such as

  Password length restrictions

  Password change intervals

Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources.


Controlling User Account Password Settings

Using the Windows 2000 Group Policy Interface

Setting a Minimum Password Length

Setting a Password Change Interval

Enforcing Password Complexity

Setting Account Lockout Policies

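The four policy screens just listed (minimum length, change interval, complexity, account lockout) are easier to reason about when written out as enforcement logic. The following Python is an added illustration, not code from the slides or from Windows: the thresholds (8 characters, 90 days, 5 failures, 30-minute lockout) are assumed values chosen for the example, the complexity rule follows the common "three of four character classes, no user name" pattern, and the lockout tracker is a simplified model rather than the operating system's implementation.

```python
"""Password policy enforcement in the style of the policies named on the
slides: minimum length, maximum password age, complexity and account lockout.
Added illustration; the thresholds are assumed values, not Microsoft defaults."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 8              # "Setting a Minimum Password Length"
    max_age_days: int = 90           # "Setting a Password Change Interval"
    require_complexity: bool = True  # "Enforcing Password Complexity"
    lockout_threshold: int = 5       # failed logons before lockout
    lockout_minutes: int = 30        # how long the account stays locked


def password_violations(policy: PasswordPolicy, password: str, username: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        # Complexity: at least three of four character classes, and the
        # password must not contain the account name (assumed rule set).
        classes = [
            any(c.isupper() for c in password),
            any(c.islower() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
        if sum(classes) < 3:
            problems.append("fewer than three character classes")
        if username and username.lower() in password.lower():
            problems.append("contains the user name")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the change interval."""
    return now - last_changed > timedelta(days=policy.max_age_days)


@dataclass
class LockoutTracker:
    """Counts failed logons per account and enforces the lockout policy."""
    policy: PasswordPolicy
    failures: dict = field(default_factory=dict)      # user -> list of failure times
    locked_until: dict = field(default_factory=dict)  # user -> datetime

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a bad password; return True if this failure locks the account."""
        window = timedelta(minutes=self.policy.lockout_minutes)
        recent = [t for t in self.failures.get(user, []) if now - t <= window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + window
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful logon resets the failure counter."""
        self.failures.pop(user, None)


def policy_demo() -> dict:
    """Walk constructed accounts through the policy and collect the outcomes."""
    policy = PasswordPolicy()
    now = datetime(2013, 11, 20, 9, 0, 0)   # constructed timestamp
    tracker = LockoutTracker(policy)
    # Four bad guesses within the window do not lock the account; the fifth does.
    locks = [tracker.record_failure("carol", now + timedelta(seconds=i)) for i in range(5)]
    return {
        "good": password_violations(policy, "Tr0ub4dor&3", "alice"),
        "short": password_violations(policy, "Ab1!", "alice"),
        "simple": password_violations(policy, "alllowercase", "bob"),
        "contains_name": password_violations(policy, "Alice2013!", "alice"),
        "expired": password_expired(policy, now - timedelta(days=91), now),
        "fresh": password_expired(policy, now - timedelta(days=30), now),
        "locks": locks,
        "locked_at_10min": tracker.is_locked("carol", now + timedelta(minutes=10)),
        "locked_at_40min": tracker.is_locked("carol", now + timedelta(minutes=40)),
    }


if __name__ == "__main__":
    for name, outcome in policy_demo().items():
        print(f"{name}: {outcome}")
```

The lockout tracker only counts failures inside the lockout window, so a handful of mistyped passwords spread over a day never lock anyone out, while a rapid burst of guesses does; a successful logon clears the counter, which is why the tracker exposes record_success as well.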

Security Models/Security Levels

Client/Server Networks

Peer-to-Peer Networks

User-Level Security

Share-Level Security


Client/Server Networks

User accounts are stored in a central location.

A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network.


Client/Server Networks

Account information can be stored in a centralized directory service or on individual servers.

A directory service, such as the Microsoft Windows 2000 Active Directory service or Novell Directory Services (NDS), provides authentication services for an entire network.


Peer-to-Peer Networks

Each computer maintains its own security information and performs its own authentications.

Computers on this type of network can function as both clients and servers.


Peer-to-Peer Networks

When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access.


Peer-to-Peer User-Level Security

When users log on to their computers, they are authenticated against an account on that system.

If several people use the same computer, each must have a separate user account.

When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources.

The user-level, peer-to-peer security model is suitable only for relatively small networks.

If users want to change their account passwords, they must change them on every computer on which they have an account.


Client/Server User-Level Security

Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Microsoft Windows NT domain.

When users log on to their computers, the directory service authenticates them.

When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller.

With all accounts stored in a centralized directory service, administrators and users can make changes more easily.


Peer-to-Peer Share-Level Security

Microsoft Windows Me, Microsoft Windows 98, and Microsoft Windows 95 cannot maintain their own user accounts.

In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security.

In share-level security, users assign passwords to the individual shares they create on their computers.

When network users want to access a share on another computer, they must supply the appropriate password.

The share passwords are stored on the individual computers.

When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share.

Share-level security is not as flexible as user-level security and does not provide as much protection.


Setting Share-Level Passwords


What Is a Firewall?

A firewall is a hardware or software product designed to protect a network from unauthorized access.

A network connected to the Internet must have a firewall to protect it from Internet intruders.

A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network.

Some firewalls are dedicated routers with additional software that monitors incoming and outgoing traffic.

Some firewalls are software products that run on a standard computer.


Packet Filtering

The most basic type of firewall

Functions

  Examines arriving packets

  Decides whether to allow the packets to gain access to the network, based on the information found in the protocol headers used to construct the packets


Packet Filter Types

Hardware addresses. Filter packets based on hardware addresses, enabling only certain computers to transmit data to the network

IP addresses. Permit only traffic destined to or originating from specific addresses to pass through to the network


Packet Filter Types

Protocol identifiers. Filter packets based on the protocol that generated the information carried within an Internet Protocol (IP) datagram

Port numbers. Filter packets based on the source or destination port number specified in a packet's transport layer protocol header

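The four filter types on the two preceding slides (hardware address, IP address, protocol identifier, port number) are the fields a stateless packet filter matches on. The Python below is an added example, not code from the slides or from any firewall product: it models each rule as an optional set of those four criteria, evaluates rules first-match with a default deny, and runs a constructed rule set over constructed packets. The MAC and IP addresses, the rule set and the Packet/Rule names are all made up for the illustration.

```python
"""Stateless packet filter of the kind the slides describe: each rule may
match on hardware (MAC) address, source IP network, IP protocol identifier
and destination port, and the first matching rule decides.  Added
illustration; rules, addresses and packets are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1   # values of the IP header Protocol field


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: int                   # value of the IP Protocol field
    dst_port: Optional[int] = None  # None for protocols without ports (ICMP)


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    src_mac: Optional[str] = None       # hardware-address filter
    src_net: Optional[str] = None       # IP-address filter (CIDR network)
    protocol: Optional[int] = None      # protocol-identifier filter
    dst_port: Optional[int] = None      # port-number filter

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every criterion it specifies is satisfied."""
        if self.src_mac is not None and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def filter_packet(rules, pkt: Packet) -> str:
    """First-match evaluation; anything no rule covers is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed rule set for a small LAN (192.168.1.0/24) behind the filter.
RULES = [
    Rule("allow", src_mac="00:11:22:33:44:55"),                            # admin workstation, by MAC
    Rule("allow", src_net="192.168.1.0/24", protocol=TCP, dst_port=80),    # LAN web traffic
    Rule("allow", src_net="192.168.1.0/24", protocol=TCP, dst_port=443),
    Rule("deny",  src_net="192.168.1.0/24", protocol=TCP, dst_port=23),    # telnet stays inside
    Rule("allow", src_net="192.168.1.0/24", protocol=ICMP),                # ping is fine
]


def evaluate_samples() -> dict:
    """Run constructed packets through RULES and return name -> decision."""
    samples = {
        "admin_telnet": Packet("00:11:22:33:44:55", "192.168.1.5", "203.0.113.9", TCP, 23),
        "lan_https":    Packet("aa:bb:cc:dd:ee:01", "192.168.1.20", "203.0.113.9", TCP, 443),
        "lan_telnet":   Packet("aa:bb:cc:dd:ee:02", "192.168.1.21", "203.0.113.9", TCP, 23),
        "lan_ping":     Packet("aa:bb:cc:dd:ee:03", "192.168.1.22", "203.0.113.9", ICMP),
        "outsider":     Packet("aa:bb:cc:dd:ee:99", "198.51.100.7", "192.168.1.20", TCP, 80),
        "lan_dns_udp":  Packet("aa:bb:cc:dd:ee:04", "192.168.1.23", "203.0.113.9", UDP, 53),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name}: {decision}")
```

Two points the sample set makes visible: rule order matters (the admin workstation's MAC rule sits first, so its telnet session is allowed even though a later rule denies telnet for the rest of the LAN), and the default deny means the UDP DNS packet is dropped simply because nobody wrote a rule for it, which is usually what you want from a filter rather than the reverse.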

NAT

NAT stands for network address translation.

NAT is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses.

NAT allows you to assign unregistered IP addresses to your computers.


NAT

The router that provides Internet access can use NAT.

The NAT router functions as an intermediary between the private network and the Internet.

NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions.

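The two NAT slides say the router masks private addresses and acts as intermediary; the mechanism behind that is a translation table. The Python below is an added model, not code from the slides or from any router: outbound packets from private (the slides' "unregistered", i.e. RFC 1918) source addresses are rewritten to the router's public address and a freshly allocated port, and an inbound packet is forwarded only when it matches an existing mapping. The public and remote addresses, the starting port 40000 and the NatRouter name are constructed for the example.

```python
"""Port-address translation as a NAT router performs it.  Outbound packets
from private addresses are rewritten to the router's public address and a
fresh port; inbound packets are forwarded only when they match an existing
mapping, which is why hosts behind NAT cannot be reached unsolicited.
Added illustration with constructed addresses; a simplified model."""
from ipaddress import ip_address
from typing import Optional, Tuple


class NatRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.table = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.reverse = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Rewrite a LAN packet heading for the Internet; return the new (src_ip, src_port)."""
        if not ip_address(src_ip).is_private:
            raise ValueError("NAT only translates private source addresses")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            port = self.next_port          # allocate a distinct public port per flow
            self.next_port += 1
            self.table[key] = port
            self.reverse[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.table[key]

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving from the Internet, or return None to drop it.
        Only replies to flows the LAN opened have a mapping; everything else is dropped,
        so the private addresses are never exposed or reachable from outside."""
        return self.reverse.get((dst_port, src_ip, src_port))


def nat_demo() -> dict:
    router = NatRouter("203.0.113.1")   # constructed public address of the router
    # Two LAN hosts happen to use the same source port toward the same web server.
    a = router.outbound("192.168.1.10", 51000, "198.51.100.80", 80)
    b = router.outbound("192.168.1.11", 51000, "198.51.100.80", 80)
    return {
        "a": a,
        "b": b,
        "reply_to_a": router.inbound("198.51.100.80", 80, a[1]),
        "reply_to_b": router.inbound("198.51.100.80", 80, b[1]),
        # Unsolicited probe from a different Internet host: no mapping, dropped.
        "unsolicited": router.inbound("198.51.100.99", 4444, 40000),
        # Right port, wrong remote address: also dropped.
        "spoofed_reply": router.inbound("198.51.100.99", 80, a[1]),
    }


if __name__ == "__main__":
    for name, outcome in nat_demo().items():
        print(f"{name}: {outcome}")
```

The reverse table is keyed on the remote address and port as well as the translated port, so a packet that merely guesses a port the router has handed out is still dropped unless it comes from the peer the LAN host was talking to; that is the "masking" the slide refers to, and also why NAT by itself is not a substitute for a packet filter on traffic the LAN initiates.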

Proxy Servers

Proxy servers are similar to NAT routers, except that they function at the application layer of the Open Systems Interconnection (OSI) reference model.

A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access.

Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server.

The Internet server replies to the proxy server, which relays the response to the client.


Proxy Servers

Proxy servers can cache the information they receive from the Internet.

Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services.

The main problem with proxy servers is that you sometimes must configure applications to use them.


Configuring a Proxy Server Client


Security Protocols

IPSec: Internet Protocol Security; protects data transmitted over the LAN

IP AH: IP Authentication Header

IP ESP: IP Encapsulating Security Payload

L2TP: Layer 2 Tunneling Protocol

SSL: Secure Sockets Layer


IPSec

IPSec stands for Internet Protocol Security.

IPSec is a series of draft standards published by the Internet Engineering Task Force (IETF).

IPSec defines a methodology that uses authentication and encryption to secure the data transmitted over a local area network (LAN).

IPSec consists of two separate protocols that provide different levels of security protection: IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP).

Using the two protocols together provides the best possible security IPSec can offer.


IP AH Protocol

AH provides authentication and guaranteed integrity of IP datagrams.

AH adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer.

When you use AH, the Protocol field in the IP header identifies the AH protocol, instead of the transport layer protocol contained in the datagram.

The AH header contains

  A sequence number that prevents unauthorized computers from replaying a message

  An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered

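The two AH header fields just listed, the sequence number and the ICV, are worth seeing in operation, because the order in which a receiver checks them matters. The Python below is an added illustration and not the RFC wire format or any IPSec implementation: the ICV is a truncated HMAC-SHA256 keyed with a shared key that in real IPSec would come from the security association, the anti-replay window is a simplified 64-packet bitmap, and the SPI value, key bytes and payloads are constructed for the example. It shows an altered datagram failing the ICV check and a re-sent datagram being rejected as a replay.

```python
"""What the AH header's two fields provide: an integrity check value (ICV)
that detects any modification of the datagram, and a sequence number that
lets the receiver reject replayed datagrams.  Added illustration, not the
RFC 4302 wire format: the ICV is a truncated HMAC-SHA256 over the header
(with the ICV field zeroed) plus payload, and the replay window is a
simplified 64-packet bitmap."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # value the IP Protocol field carries when AH is in use
ICV_LEN = 12       # bytes of the HMAC kept in the header (AH truncates the MAC too)


def build_ah_datagram(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Return header || payload; header = SPI, sequence number, ICV."""
    header_no_icv = struct.pack("!II", spi, seq) + bytes(ICV_LEN)
    icv = hmac.new(key, header_no_icv + payload, hashlib.sha256).digest()[:ICV_LEN]
    return struct.pack("!II", spi, seq) + icv + payload


class AhReceiver:
    """Verifies the ICV and enforces anti-replay for one security association."""
    WINDOW = 64

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap of accepted numbers in [highest - 63, highest]

    def accept(self, datagram: bytes) -> tuple:
        """Return (accepted, reason, payload or None)."""
        spi, seq = struct.unpack("!II", datagram[:8])
        icv, payload = datagram[8:8 + ICV_LEN], datagram[8 + ICV_LEN:]
        if spi != self.spi:
            return False, "unknown SPI", None
        # Integrity first: a forged or altered packet must never touch replay state,
        # otherwise an attacker could advance the window with garbage.
        expected = hmac.new(self.key, datagram[:8] + bytes(ICV_LEN) + payload,
                            hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV", None
        if seq > self.highest:
            shift = seq - self.highest      # slide the window forward
            mask = (1 << self.WINDOW) - 1
            self.seen = ((self.seen << shift) & mask) if shift < self.WINDOW else 0
            self.seen |= 1
            self.highest = seq
            return True, "ok", payload
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return False, "too old", None
        if self.seen & (1 << offset):
            return False, "replay", None
        self.seen |= 1 << offset            # late but genuine: accept once
        return True, "ok (late)", payload


def ah_demo() -> dict:
    key = b"constructed-shared-key"   # would be established by the SA / key exchange
    sent = []
    for seq, text in enumerate((b"first", b"second", b"third"), start=1):
        sent.append(build_ah_datagram(key, 0x1001, seq, text))
    rx = AhReceiver(key, 0x1001)
    results = {
        "fresh": rx.accept(sent[0])[1],        # seq 1, new
        "replayed": rx.accept(sent[0])[1],     # seq 1 again
        "out_of_order": rx.accept(sent[2])[1], # seq 3 arrives before seq 2
        "late": rx.accept(sent[1])[1],         # seq 2, inside the window, unseen
    }
    tampered = bytearray(sent[2])
    tampered[-1] ^= 0x01                       # flip one payload bit
    results["tampered"] = rx.accept(bytes(tampered))[1]
    results["wrong_key"] = AhReceiver(b"other-key", 0x1001).accept(sent[0])[1]
    return results


if __name__ == "__main__":
    for name, reason in ah_demo().items():
        print(f"{name}: {reason}")
```

Note that the ICV is verified with a constant-time comparison and before the sequence number is consulted; if the order were reversed, a datagram with a bogus ICV could still be used to move the replay window and cause genuine late packets to be discarded.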

IP ESP Protocol

Provides datagram encryption

Encapsulates the transport layer data in each datagram by using its own header and trailer

Encrypts all of the data following the ESP header

Also contains a sequence number and an ICV


L2TP

L2TP stands for Layer 2 Tunneling Protocol.

L2TP is derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP).

IPSec can operate in tunnel mode independently or with L2TP.

L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside User Datagram Protocol (UDP) packets.


SSL

SSL stands for Secure Sockets Layer.

SSL is a special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers.

Virtually all of the Web servers and browsers available today support SSL.

For example, when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server.

Like IPSec, SSL provides authentication and encryption services.


Kerberos

Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability.

Kerberos was developed at MIT and is now standardized by the IETF.

When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network.

Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges.


Chapter Summary

Password policies ensure that users choose effective passwords.

User-level security requires a separate account for each user.

In share-level security, all users access shares by using the same passwords.

A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers.

Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network.