Guide to Networking Essentials, Fifth Edition - Computer Science ...

smileybloatNetworking and Communications

Nov 20, 2013 (3 years and 7 months ago)

109 views

Guide to Networking Essentials, Fifth Edition



10
-
1



Chapter 10


Introduction to Network Security




At a Glance


Instructor’s Manual Table of Contents




Overview




Objectives




Teaching Tips




Quick Quizzes




Class Discussion Topics




Additional Projects




Additional Resources




Key Terms




Technical Notes for Han
ds
-
On Projects


Guide to Networking Essentials, Fifth Edition



10
-
2



Lecture Notes


Overview


Chapter 10 offers an introduction to network security. Students learn about the basics of
developing a network security policy and securing physical access to network
equipment. They also learn how to secure netw
ork data. Finally, they learn how to use
different tools to find network security weaknesses.



Objectives




Develop a network security policy



Secure physical access to network equipment



Secure network data



Use tools to find network security weaknesses



Te
aching Tips


Network Security Overview and Policies


1.

Explain that perceptions on security vary depending on who you are talking to, and the
industry this person works in.


2.

Stress that network security should be as unobtrusive as possible.


3.

Note that a comp
any that can demonstrate its information systems are secure is more
likely to attract customers, partners, and investors.


Developing a Network Security Policy


1.

Describe the role of a network security policy.


2.

Briefly discuss the desirable characteristics
of a network security policy.


Determining Elements of a Network Security Policy


1.

Briefly describe each of the elements that are (at least) required for most network
security policies: privacy policy, acceptable use policy, authentication policy, Internet
use policy, access policy, auditing policy, and data protection policy.


Guide to Networking Essentials, Fifth Edition



10
-
3


Teaching

Tip


To learn more about security policies, refer to RFC 2196 at:
http://rfc.net/rfc2196.html
. You may also visit
www.sans.org/resources/policies/

and
www.cisco.com/warp/public/126/secpol.html
.



2.

Stress that a security policy should protect an organization leg
ally, and that it should be
a continual work in progress.


Understanding Levels of Security


1.

Explain that security doesn’t come without a cost.


2.

List (and explain) the questions that should be answered before deciding on a level for
the security policy.


3.

N
ote that there are three levels of security policies.


4.

Highly restrictive security policies
. Describe the features included. Note that they might
require third
-
party hardware and software. Explain why this type of policy has high
implementation expenses. S
tress that this type of policy should be used when the cost of
a security breach is high.


5.

Moderately restrictive security policies
. Stress that most organizations can opt for this
type of policy. Describe its characteristics and note that its costs are pr
imarily in initial
configuration and support.


6.

Open security policies
. Describe the characteristics of this type of policy (with respect
to passwords, resource access, auditing, Internet access, and sensitive data). Note that
they make sense for a small co
mpany with the primary goal of making access to
network resources easy.


7.

Common elements of security policies
. Describe the common elements of security
policies: virus protection, backup procedures, policies, etc. Stress that security is aimed
not only at
preventing improper use of or access to network resources, but also at
safeguarding the company’s information.



Securing Physical Access to the Network


1.

Explain that if there’s physical access to equipment, there is no security. Describe the
risks involve
d in computers left alone without physical access control (including the
case when the computer is left with a user logged on).


Guide to Networking Essentials, Fifth Edition



10
-
4


Teaching

Tip


Read more about securing physical infrastructures at:
www.networkmagazineindia.com/200302/security2.shtml
.



Physical Security Best Practices


1.

Describe the most important physical security best practices: use of locked rooms for
servers and equipment, use of locking cabinets, adequate wirin
g protection, and
availability of a physical security plan.


2.

Physical security of servers
. Note that servers may be stashed away in lockable wiring
closets, along with the switches to which the servers are connected. Stress that they
often require more tig
htly controlled environmental conditions than patch panels, hubs,
and switches. Explain that server rooms should be equipped with power that’s
preferably on a circuit separate from other devices.


3.

Security of internetworking devices
. Explain the importance

of securing internetworking
devices, and describe how to achieve this.



Quick Quiz 1


1.

What is a privacy policy?

Answer: A privacy policy describes what staff, customers, and business partners can
expect for monitoring and reporting network use.


2.

Most org
anizations can probably opt for a(n) ____________________ restrictive
security policy.

Answer: moderately


3.

A physical security ____________________ should include procedures for recovery
from natural disasters, such as fire or flood.

Answer:
plan


4.

If you’r
e forced to place servers in a public access area, ____________________
cabinets are a must.

Answer:
locking



Securing Access to Data


1.

Briefly describe each of the facets required to secure access to data.


Guide to Networking Essentials, Fifth Edition



10
-
5


Implementing Secure Authentication and Authoriz
ation


1.

Explain the difference between
authentication

and
authorization
.


Teaching

Tip


The IETF has an Authentication, Authorization and Accounting (aaa) charter
(
www.ietf.org/html.charter
s/aaa
-
charter.html
).



2.

Describe the authentication and authorization security options and restrictions usually
configurable by NOSs’ tools.


3.

Explain that file system access controls and user permission settings determine what a
user can access on a netwo
rk and what actions a user can perform.


4.

Configuring password requirements in a Windows Environment
. Describe the password
requirements and options that can be configured in a Windows environment. Use Figure
10
-
1 to explain that password policies for a sin
gle Windows XP/Vista or Windows
Server 2003 computer can be set in the Local Security Settings MMC found in the
Administrative Tools section of Control Panel.


5.

Configuring password requirements in a Linux Environment
. Describe the password
requirements and

options that can be configured in a Linux environment. Don’t forget
to introduce the terms
shadow passwords

and
Pluggable Authentication Modules
(PAM)
.


6.

Reviewing password dos and don’ts
. Provide some tips on how to set secure passwords.


7.

Restricting logo
n hours and logon location
. Use Figure 10
-
2 to explain that both
Windows and Linux have solutions to restrict logon by time of day, day of the week,
and location. Explain that a common use of restricting logon hours is to disallow logon
during system backu
p, which usually takes place in the middle of the night. Figure 10
-
3
shows the Windows user account settings for logon location; the user can log on only to
the computers named smiller01 and engineering. As with logon hours, this option is
available only i
n a Windows domain environment. Note that although Linux offers
similar features for logon restrictions using the PAM authentication service, in general,
standard Linux distributions don’t include a GUI to configure these settings.


Teaching

Tip


Note tha
t in Novell NetWare, an administrator can configure all the logon
settings discussed previously in ConsoleOne, iManager, or NetWare
Administrator.



Guide to Networking Essentials, Fifth Edition



10
-
6


a.

Authorizing access to files and folders
. Describe each of the two options for file
security provided by W
indows OSs:
sharing permissions

and
NTFS permissions
.
Use Figure 10
-
4 to explain that to set Windows NTFS permissions on a folder,
you should right
-
click the folder, click Sharing and Security, and then click the
Security tab in the Properties dialog box.
Use Figure 10
-
5 to explain that Linux
also supports file and folder security. Note that Linux permissions are fairly
simple, compared with the multitude of configuration options in Windows
NTFS permissions.


Securing Data with Encryption


1.

Explain that
encr
yption

can be used to safeguard data as it travels across one or more
networks, and also to secure data stored on disks.


2.

Using IPSec to secure network data
. Explain that the most popular method for
encrypting data as it travels network media is to use an
extension to the IP protocol
called
IP Security (IPSec)
. Briefly describe how this protocol works, noting that an
association is formed by two devices authenticating their identities via a preshared key,
Kerberos authentication, or digital certificates. Us
e Figure 10
-
6 to explain that IPSec is
configured on a Windows Vista, Windows XP, or Windows Server 2003 computer in
the IP Security Policies MMC. Explain that three standard IPSec policies are available:
client, server, and secure server. Stress that thes
e policies are intended as models for
administrators to create their own policies suitable for their networks, but they can be
used as is or edited. Note that an IPSec policy must be assigned before IPSec can be
enabled on a computer, and that only one IPS
ec policy can be assigned per computer.
Use Figure 10
-
7 to explain that in a Linux Fedora Core 4 environment, IPSec is
configured with the Network Configuration tool.


Teaching

Tip

For more information on IPSec, visit:
http://en.wikipedia.org/wiki/Ipsec
.


3.

Securing data on disk drives
. Use Figure 10
-
8 to explain that in Windows XP, Vista,
and Server 2003, Encrypting File System (EFS)

is a standard feature available on
NTFS
-
formatted disks. Note that after

a file is encrypted, Windows Explorer displays
the file name in green text so that it’s recognizable as an encrypted file. Stress that by
default, only the creator of the file and the designated Data Recovery Agent for the
system can decrypt the file. Exp
lain that on Linux systems, a simple method to encrypt
files involves using a command
-
line program called gpg.


Securing Communication with Virtual Private Networks


1.

Use Figure 10
-
9 to explain how
VPNs

work. Explain that the tunnel is really a special
enca
psulation of the IP protocol, in which it appears to the client as though a direct
point
-
to
-
point connection exists between client and server.


Guide to Networking Essentials, Fifth Edition



10
-
7


Teaching

Tip

For more information on VPNs, visit:
http://en.wi
kipedia.org/wiki/VPN
.


2.

VPNs in a Windows environment
. Describe how PPTP and L2TP can be used to create
VPNs in a Windows environment.


3.

VPNs in Other OS environments
. Briefly describe how VPNs can be created in Linux,
NetWare, and Mac OS systems. Note tha
t one method of providing VPN services to
connect remote sites is to use routers with VPN capability to form a router
-
to
-
router
VPN connection.


4.

VPN benefits
. Discuss the advantages of using VPNs to secure remote access to
networks. Stress that VPNs save c
osts.


Protecting Networks with Firewalls


1.

Describe the role of a firewall. Explain the difference between software and hardware
firewalls.


Teaching

Tip


For more information on firewalls, visit:
http://en.wikipedia.org/wiki/Firewall_(networking)
.



2.

Explain how firewalls work and briefly discuss how rules are created and applied.
Introduce the term
stateful packet inspection (SPI)
.


Teaching

Tip


Explain that firewalls perform other fun
ctions not mentioned here, but the
functions discussed in this section are typically universal of all firewalls.



3.

Using a router as a firewall
. Explain how
access control lists

can be used to configure a
router with firewall capabilities. Note that typic
ally, an administrator builds access
control lists so that all packets are denied, and then creates rules that make exceptions.


4.

Using intrusion detection systems
. Briefly describe the role of
IDSs

in securing
networks.


Teaching

Tip

Snort (
www.snort.org/
) is a very good open source IDS.


5.

Using network address translation to improve security
. Explain how NAT can be used
to improve security.


Guide to Networking Essentials, Fifth Edition



10
-
8


Protecting a Network from Worms, Viruses, and Rootkits


1.

Introduce the terms

virus
,
worm
,
backdoor
,
malware
,
Trojan program
,
rootkit
, and
hoax
virus
.


Teaching

Tip


In the Computer section of the
www.snopes.com

site, you can find a list of real
and hoax viruses.



2.

Explain that to help preve
nt spread of malware, every computer should have virus
-
scanning software running.


Teaching

Tip

For more information on malware, visit:
http://en.wikipedia.org/wiki/Malware
.


3.

Stress that while malware

protection can be expensive, the loss of data and productivity
that can occur when a network becomes infected is much more costly.


Protecting a Network from Spyware and Spam


1.

Explain how
spyware

and
spam

affect a network and reduce productivity.


2.

Explain

how spyware and spam can be removed or prevented from reaching users, but
note that their detection and prevention is an uphill battle.


Implementing Wireless Security


1.

Explain that attackers who drive around looking for wireless LANs to intercept are
cal
led
wardrivers
.


2.

Describe each of the wireless security mechanisms that can be used to restrict access to
WLANs.


3.

Note that as an administrator, you should also set policies like limiting the AP signal
access, changing the encryption key regularly, etc.



Quick Quiz 2


1.

What is the difference between authentication and authorization?

Answer: Authentication and authorization are security features that allow administrators
to control who has access to the network (authentication) and what users can do after
th
ey are logged on to the network (authorization).


Guide to Networking Essentials, Fifth Edition



10
-
9


2.

Linux shadow passwords are stored in an encrypted format in the shadow file located in
the ____________________ directory; this file is accessible only by the root system
user.

Answer: /etc


3.

What is
encrypt
ion

used for?

Answer: Many network administrators use encryption technologies to safeguard data as
it travels across the Internet and even within the company network. This security
measure prevents somebody using eavesdropping technology, such as a packet
sniffer,
from capturing packets and using data in the packets for malicious purposes. Data
stored on disks can also be secured with encryption to prevent someone who has gained
physical access to the computer from being able to use the data.


4.

A(n) ________
____________ is a hardware device or software program that inspects
packets going into or out of a network or computer and then discards or forwards those
packets based on a set of rules.

Answer:
firewall



Using a Cracker’s Tools to Stop Network Attacks


1.

Explain that if you want to design a good, solid network infrastructure, you can hire a
security consultant who knows the tools of the cracker’s trade.


2.

Describe the difference between
crackers

and
hackers
. Introduce the terms “black hat”
and “white hat.”
Note that white hats often use the term
penetration tester

for their
consulting services.


Discovering Network Resources


1.

Explain that attackers use command
-
line utilities, such as Ping, Traceroute, Finger, and
Nslookup, to get information about the networ
k configuration and resources. Briefly
describe how these tools can be used to discover network resources.


2.

Describe how other tools like
ping scanners

(see Figure 10
-
10),
port scanners

(see
Figure 10
-
11), and
protocol analyzers

can be used to discover net
work resources.
Explain how a network administrator can use this information for security purposes.


3.

Use Figure 10
-
12 to explain that Whois is a handy utility for discovering information
about an Internet domain. You can find the name and address of the do
main name
owner, contact information for the domain, and the DNS servers that manage the
domain.


Guide to Networking Essentials, Fifth Edition


10
-
10


Gaining Access to Network Resources


1.

Explain that one of the easiest resources to open is one in which no password is set.
Explain how to avoid having this v
ulnerability.


2.

Explain how Finger, default account names and password
-
cracking utilities can be used
by attackers to learn user names and passwords.


Teaching

Tip


For a complete list of security and hacking tools, including password crackers,
visit:
www.securiteam.com/tools/archive.html
.



Teaching

Tip

For another good list of security tools, visit:
http://sectools.org/
.


Disabling Network Resources


1.

Exp
lain what a
DoS

attack is. Explain that DoS attacks can be performed in several
ways, including: packet storms, half
-
open SYN attacks, and ping floods.


2.

When describing a packet storm, introduce the term
spoofed address
.



Quick Quiz 3


1.

What is a cracker?

Answer: A cracker is someone who attempts to compromise a network or computer
system for the purposes of personal gain or to cause harm.


2.

What is a hacker?

Answer: Hacker is sometimes a derogatory term to describe an unskilled or
undisciplined programmer.
It can also mean someone who is highly skilled with
computer systems and programs and is able to use some of the same tools crackers use
to poke around networks or systems, but not for evil purposes.


3.

A(n) ____________________ scanner determines which TCP
and UDP ports are
available on a particular computer or device.

Answer:
port


4.

What is a DoS attack?

Answer: A denial
-
of
-
service (DoS) attack is an attacker’s attempt to tie up network
bandwidth or network services so that it renders those resources useless

to legitimate
users.



Guide to Networking Essentials, Fifth Edition


10
-
11


Class Discussion Topics


1.

Ask students if they have experienced any computer security problems before. Perhaps
their PCs have been infected by viruses or their logon password has been stolen using a
backdoor, etc. They should discuss

the problems they had and describe how they solved
them.


2.

What measures do students take to protect their PCs from malware?



Additional Projects


1.

CIA is a mnemonic for the three goals of information security (see
http://en.wikipedia.org/wiki/CIA_triad
). Ask students to do some research to find out
what these goals are. They should write a report with their findings and classify the
security problems presented in this chapter, depending on which of th
ese goals they
affect.


2.

Ask students to do some research on how SSH can be used to create secure tunnels.



Additional Resources


1.

The SANS Security Policy Project:

www.sans.org/resources/policies/



2.

Network Security Policy: Best Practices White Paper:

www.cisco.com/warp/public/126/secpol.html



3.

Secure Physical Infrastructure Too:

www.networkmagazineindia.com/200302/security2.shtml



4.

Virtual Private Network:

http://en.wikipedia.org/wiki/VPN



5.

Top 100 Network Security Tools:

http
://sectools.org/



6.

Authentication, Authorization and Accounting (aaa):

www.ietf.org/html.charters/aaa
-
charter.html



7.

IPsec:

http://en.wi
kipedia.org/wiki/Ipsec



8.

Penetration Testing IPsec VPNs:

www.securityfocus.com/infocus/1821



Guide to Networking Essentials, Fifth Edition


10
-
12


9.

Firewall (networking):

http://en.w
ikipedia.org/wiki/Firewall_(networking)



10.

Intrusion Detection FAQ:

www.sans.org/resources/idfaq/



11.

Intrusion
-
Detection System:

ht
tp://en.wikipedia.org/wiki/Intrusion
-
detection_system



12.

Malware:

http://en.wikipedia.org/wiki/Malware



13.

Securing your Wireless Network:

www.practicallynetworked.com/support/wireless_secure.htm



14.

Top 8 Tips for Wireless Home Network Security:

http://compnetworking.about.com/od/wirelesssec
urity/tp/wifisecurity.htm




Key Terms




802.11i


A security extension to 802.11 and a successor to Wi
-
Fi Protected Access
that is the currently accepted best security protocol for wireless networks.



access control lists


Sets of rules defined by an admi
nistrator that determine which
packets should be allowed and which should be denied.



authentication


A security feature that allows an administrator to control who has
access to the network.



authorization


A security feature that allows an administrator
to control what a user
can do and which resources can be accessed after the user is authenticated to the
network.



backdoor


A program installed on a computer that permits access to the computer,
thus bypassing the normal authentication process.



cracker


Someone who attempts to compromise a network or computer system for
the purposes of personal gain or to cause harm.



denial
-
of
-
service (DoS) attack


An attempt to tie up network bandwidth or services
so that network resources are rendered useless to legiti
mate users.



Encrypting File System (EFS)


A feature available on Windows operating systems
that allows file contents to be encrypted on the disk. These files can be opened only by
the file creator or designated agents.



encryption


A technology used to ma
ke data unusable and unreadable to anybody
except authorized users of the data.



firewall


A hardware device or software program that inspects packets going into or
out of a network or computer and then discards or forwards those packets based on a set
of
rules.



hacker


Sometimes a derogatory term to describe an unskilled or undisciplined
programmer. Hacker can also mean someone who is highly skilled with computer
systems and programs and is able to use some of the same tools crackers use to poke
around ne
tworks or systems, but not for evil purposes.

Guide to Networking Essentials, Fifth Edition


10
-
13




hoax virus


A type of virus that’s not really a virus but simply an e
-
mail
announcement of a made
-
up virus. Its harm lies in people believing the announcement
and forwarding the message on to others.



intrusion

detection system (IDS)


Usually a component of a firewall, an IDS detects
an attempted security breach and notifies the network administrator. An IDS can also
take countermeasures to stop an attack in progress.



IP Security (IPSec)


An extension to the I
P protocol suite that creates an encrypted
and secure conversation between two hosts.



MAC address filtering


A security method often used in wireless networks, whereby
only devices with MAC addresses specified by the administrator can gain access to the
w
ireless network.



malware


Any software designed to cause harm or disruption to a computer system
or otherwise perform activities on a computer without the consent of the computer’s
owner.



NTFS permissions


Permissions assigned to files or folders on an N
TFS
-
formatted
volume in a Windows system. NTFS permissions affect user access to resources
whether the user is logged on locally or over the network.



penetration tester


A term used to describe a security consultant who is able to
detect holes in a system
’s security for the purpose of correcting these vulnerabilities.



ping scanner


An automated method for pinging a range of IP addresses.



Pluggable Authentication Modules (PAM)


A software service used on many
Linux distributions for authenticating users.
PAM is extensible so that new
authentication features can be added as needed.



port scanner


Software that determines which TCP and UDP ports are available on a
computer or device.



protocol analyzers


Programs or devices that can capture packets traversin
g a
network and display packet contents in a form useful to the user.



rootkits


Forms of Trojan programs that can monitor traffic to and from a computer,
monitor keystrokes, and capture passwords. They are among the most insidious form of
Trojan software
because they can mask that the system has been compromised by
altering system files and drivers required for normal computer operation.



shadow passwords


A secure method of storing user passwords on a Linux system.



sharing permissions


A list of permissi
ons that can be assigned to users and groups
and applied to Windows shared folders. Sharing permissions don’t affect access to files
and folders by users logged on locally to the system hosting the files.



spam


Unsolicited e
-
mail. The harm in spam is the
loss of productivity when people
receive dozens or hundreds of spam messages daily and the use of resources to receive
and store spam on e
-
mail servers.



spoofed address


A source address inserted into a packet that is not the actual
address of the sending

station.



spyware


A type of malware that monitors or in some way controls part of your
computer at the expense of your privacy and to the gain of some third party.



stateful packet inspection (SPI)


A filtering method used in a firewall, whereby
packets
are not simply filtered based on packet properties but also the context in which
packets are being transmitted. If a packet is not part of a legitimate, ongoing data
conversation, it’s denied.



Trojan program


A program that appears to be something useful,

such as a free
utility you can use on your computer, but in reality contains some type of malware.

Guide to Networking Essentials, Fifth Edition


10
-
14




virtual private networks (VPNs)


Temporary or permanent connections across a
public network that use encryption technology to transmit and receive data.



vi
rus


A malicious program that spreads by replicating itself into other programs or
documents. A virus usually aims to disrupt computer or network functions by deleting
and corrupting files.



wardrivers


Attackers who drive around with a laptop or PDA look
ing for wireless
LANs to access.



Wi
-
Fi Protected Access (WPA)


A wireless security protocol that is the successor to
Wired Equivalency Protocol. WPA has enhancements that make cracking the
encryption code more difficult.



Wired Equivalency Protocol (WEP)


A form of wireless security that encrypts data
so that unauthorized people receiving wireless network signals can’t interpret the data
easily.



worm


A self
-
replicating program, similar to a virus, that uses network services such
as e
-
mail to spread to ot
her systems.



Technical Notes for Hands
-
On Projects


Hands
-
On Project 10
-
1: This project requires a Web browser, Internet access, and a program
for unzipping files. Students also use the Windows
net

and
ping

command
-
line utilities.


Hands
-
On Project 10
-
2:

This project requires the NetInfo program installed in the previous
project.


Hands
-
On Project 10
-
3: This project requires a computer with
Windows XP SP2 or later and
that students are able to enable Windows Firewall. Administrator access is necessary.


H
ands
-
On Project 10
-
4: This project requires Windows XP and Administrator access.


Hands
-
On Project 10
-
5: This project requires Windows XP and Administrator access.


Hands
-
On Project 10
-
6: This project requires a Web browser and Internet access.