Chap 9

prunelimitRéseaux et Communications

23 oct. 2013 (il y a 5 années et 2 mois)

121 vue(s)


Chapter 9

Learning Objectives

Understand the purpose of a network
firewall and the kinds of firewall
technology available on the market

Understand the role of routers, switches,
and other networking hardware in security

Determine when VPN or RAS technology
works to provide a secure network


Hardware or software device that provides
means of securing a computer or network
from unwanted intrusion

Dedicated physical device that protects
network from intrusion

Software feature added to a router, switch, or
other device that prevents traffic to or from
part of a network

Management Cycle for

Firewall Protection

Draft a written security policy

Design the firewall to implement the policy

Implement the design by installing selected
hardware and software

Test the firewall

Review new threats, requirements for
additional security, and updates to systems and
software; repeat process from first step

Drafting a Security Policy

What am I protecting?

From whom?

What services does my company need to
access over the network?

Who gets access to what resources?

Who administers the network?

Available Targets and

Who Is Aiming at Them

Common areas of attack

Web servers

Mail servers

FTP servers



Sport hackers

Malicious hackers

Who Gets Access to Which

List employees or groups of employees
along with files and file servers and
databases and database servers they need
to access

List which employees need remote access
to the network

Who Administers the Network?

Determine individual(s) and scope of
individual management control

Designing the Firewall

to Implement the Policy

Select appropriate technology to deploy the

What Do Firewalls Protect Against?

Denial of service (DoS)

Ping of death

Teardrop or Raindrop attacks

SYN flood

LAND attack

Brute force or smurf attacks

IP spoofing

How Do Firewalls Work?

Network address translation (NAT)

Basic packet filtering

Stateful packet inspection (SPI)

Access control lists (ACL)

Network Address Translation (NAT)

Only technique used by basic firewalls

Enables a LAN to use one set of IP addresses for
internal traffic and a second set for external

Each active connection requires a unique external
address for duration of communication

Port address translation (PAT)

Derivative of NAT

Supports thousands of simultaneous connections on a
single public IP address

Basic Packet Filtering

Firewall system examines each packet that enters
it and allows through only those packets that
match a predefined set of rules

Can be configured to screen information based on
many data fields:

Protocol type

IP address

TCP/UDP port

Source routing information

Stateful Packet Inspection (SPI)

Controls access to network by analyzing
incoming/outgoing packets and letting them pass
or not based on IP addresses of source and

Examines a packet based on information in its header

Enhances security by allowing the filter to
distinguish on which side of firewall a connection
was initiated; essential to blocking IP spoofing

Access Control Lists (ACL)

Rules built according to organizational
policy that defines who can access portions
of the network

list 101 permit tcp any eq 80

list 101 deny ip any


Network management device that sits
between network segments and routes
traffic from one network to another

Allows networks to communicate with one

Allows Internet to function

Act as digital traffic cop (with addition of
packet filtering)

How a Router Moves Information

Examines electronic envelope surrounding
a packet; compares address to list of
addresses contained in router’s lookup

Determines which router to send the packet
to next, based on changing network

How a Router Moves Information

Beyond the Firewall

Demilitarized zone (DMZ)

Bastion hosts (potentially)

Demilitarized Zone

Area set aside for servers that are publicly
accessible or have lower security requirements

Sits between the Internet and internal network’s
line of defense

Stateful device fully protects other internal systems

Packet filter allows external traffic only to services
provided by DMZ servers

Allows a company to host its own Internet
services without sacrificing unauthorized access
to its private network

Bastion Hosts

Computers that reside in a DMZ and that host
Web, mail, DNS, and/or FTP services

Gateway between an inside network and an
outside network

Defends against attacks aimed at the inside
network; used as a security measure

Unnecessary programs, services, and protocols
are removed; unnecessary network ports are

Do not share authentication services with trusted
hosts within the network

Application Gateways

Also known as proxy servers

Monitor specific applications (FTP, HTTP,

Allow packets accessing those services to
go to only those computers that are

Good backup to packet filtering

Application Gateways

Security advantages

Information hiding

Robust authentication and logging

Simpler filtering rules


Two steps are required to connect inbound or
outbound traffic; can increase processor

OSI Reference Model

Architecture that classifies most network

Seven layers








The OSI Stack

Layers 4 and 5

Where TCP and UDP ports that control
communication sessions operate

Layer 3

Routes IP packets

Layer 2

Delivers data frames across LANs

Limitations of

Filtering Routers

ACL can become long, complicated, and
difficult to manage and comprehend

Throughput decreases as number of rules
being processed increases

Unable to determine specific content or
data of packets at layers 3 through 5


Provide same function as bridges (divide
collision domains), but employ application
specific integrated circuits (ASICs) that are
optimized for the task

Reduce collision domain to two nodes (switch
and host)

Main benefit over hubs

Separation of collision domains limits the possibility
of sniffing


Switch Security


Virtual Local Area Networks (VLANs)

Virtual Local Area Network

Uses public wires to connect nodes

Broadcast domain within a switched network

Uses encryption and other security mechanisms
to ensure that

Only authorized users can access the network

Data cannot be intercepted

Clusters users in smaller groups

Increases security from hackers

Reduces possibility of broadcast storm

Security Problems with Switches

Common ways of switch hijacking

Try default passwords which may not have
been changed

Sniff network to get administrator password
via SNMP or Telnet

Securing a Switch

Isolate all management interfaces

Manage switch by physical connection to a
serial port or through secure shell (SSH) or
other encrypted method

Use separate switches or hubs for DMZs to
physically isolate them from the network
and prevent VLAN jumping


Securing a Switch

Put switch behind dedicated firewall

Maintain the switch; install latest version
of software and security patches

Read product documentation

Set strong passwords

Quick Quiz

The process by which a private IP address in a corporate
network is translated into a public address by a router or
firewall is called_____________

True or False: Advanced firewalls use stateful packet
inspection to improve security.

A computer providing public network services that resides
inside a corporate network but outside its firewall is called a

True or False: IP packets are routed by layer 2 of the OSI

A feature available in some switches that permit separating the
switch into multiple broadcast domains is called _________.


Almost anyone can eavesdrop on a
network communication

Encryption is the only secure method of
communicating with wireless technology


DSL versus Cable Modem Security


Direct connection between computer/network and the

Cable modem

Connected to a shared segment; party line

Most have basic firewall capabilities to prevent files
from being viewed or downloaded

Most implement the Data Over Cable Service
Interface Specification (DOCSIS) for authentication
and packet filtering

Dynamic versus Static IP Addressing

Static IP addresses

Provide a fixed target for potential hackers

Dynamic IP addresses

Provide enhanced security

By changing IP addresses of client machines,
DHCP server makes them moving targets for
potential hackers

Assigned by the Dynamic Host Configuration
Protocol (DHCP)

Remote Access Service (RAS)

Provides a mechanism for one computer to
securely dial in to another computer

Treats modem as an extension of the

Includes encryption and logging

Accepts incoming calls

Should be placed in the DMZ

Security Problems with RAS

Behind physical firewall; potential for
network to be compromised

Most RAS systems offer encryption and
callback as features to enhance security

Telecom/Private Branch Exchange


Private phone system that offers features such
as voicemail, call forwarding, and conference

Failure to secure a PBX can result in toll
fraud, theft of information, denial of service,
and enhanced susceptibility to legal liability

Based PBX

PBX Security Concerns

Remote PBX management

Hoteling or job sharing

Many move codes are standardized and posted
on the Internet

Virtual Private Networks

Provide secure communication pathway or tunnel
through public networks (eg, Internet)

Lowest levels of TCP/IP are implemented using
existing TCP/IP connection

Encrypts either underlying data in a packet or the
entire packet itself before wrapping it in another
IP packet for delivery

Further enhances security by implementing
Internet Protocol Security (IPSec)

Intrusion Detection Systems (IDS)

Monitor networks and report on unauthorized
attempts to access any part of the system

Available from many vendors


Software (computer
based IDS)

Dedicated hardware devices (network
based IDS)

Types of detection

based detection

based detection

based IDS

Software applications (“agents”) are installed on
each protected computer

Make use of disk space, RAM, and CPU time to
analyze OS, applications, system audit trails

Compare these to a list of specific rules

Report discrepancies

Can be self
contained or remotely managed

Easy to upgrade software, but do not scale well

based IDS

Monitors activity on a specific network

Dedicated platforms with two components


Passively analyzes network traffic

Management system

Displays alarm information from the sensor

based Detection

Builds statistical profiles of user activity and then
reacts to any activity that falls outside these

Often leads to large number of false positives

Users do not access computers/network in static,
predictable ways

Cost of building a sensor that could hold enough
memory to contain the entire profile and time to
process the profiles is prohibitively large

based Detection

Similar to antivirus program in its method of
detecting potential attacks

Vendors produce a list of signatures used by the
IDS to compare against activity on the network
or host

When a match is found, the IDS take some action
(eg, logging the event)

Can produce false positives; normal network
activity may be construed as malicious

Network Monitoring and Diagnostics

Essential steps in ensuring safety and
health of a network (along with IDS)

Can be either stand
alone or part of a
monitoring platform

HP’s OpenView

IBM’s Netview/AIX

Fidelia’s NetVigil

Aprisma’s Spectrum

Ensuring Workstation and

Server Security

Remove unnecessary protocols such as

Remove unnecessary user accounts

Remove unnecessary shares

Rename the administrator account

Use strong passwords

Personal Firewall Software Packages

Offer application
level blocking, packet filtering,
and can put your computer into stealth mode by
turning off most if not all ports

Many products available, including:

Norton Firewall


Black Ice Defender

Tiny Software’s Personal Firewall

Firewall Product Example

Antivirus Software Packages

Necessary even on a secure network

Many vendors, including:



Computer Associates

Network Associates

Mobile Devices

Can open security
holes for any
computer with which
these devices

Chapter Summary

Virtual isolation of a computer or network
by implementing a firewall through
software and hardware techniques:




Various software packages designed to run on
servers, workstations, and PDAs


Chapter Summary

Virtual private networks (VPNs)

Private branch exchanges (PBX)

Remote Access Services (RAS)

Quick Quiz

The standard used to help secure cable modem
communications is called ____________

True or False: Static IP addressing is the most secure
form of addressing.

True or False: RAS should be placed in the DMZ.

A _____________ is used to provide a secure
communication channel through the public Internet

______________ based IDS uses statistical profiles.