1 / 50

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures, Second Edition. 2. Objectives. Explain the goal of securing the network perimeterDescribe factors in choosing a bastion hostExplain how to supplement a firewall with a proxy serverSet up Network Address Translation (NAT)Decide when to use user, sessi

stavros
Download Presentation

Guide to Network Defense and Countermeasures Second Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology

    2. Guide to Network Defense and Countermeasures, Second Edition 2 Objectives Explain the goal of securing the network perimeter Describe factors in choosing a bastion host Explain how to supplement a firewall with a proxy server Set up Network Address Translation (NAT) Decide when to use user, session, or client authentication

    3. Guide to Network Defense and Countermeasures, Second Edition 3 Securing Network Perimeters Goal is to provide adequate access without jeopardizing confidential or mission-critical areas You need Firewalls, IDSs, bastion host, Network Address Translation (NAT), proxy servers Combined with authentication mechanisms Bastion host Provides Web, FTP, e-mail, or other services running on a specially secured server

    4. Guide to Network Defense and Countermeasures, Second Edition 4 Choosing a Bastion Host Security software does not operate on its own You install it on a computer Bastion host Computer that sits on the network perimeter Has been specially protected through OS patches, authentication, and encryption

    5. Guide to Network Defense and Countermeasures, Second Edition 5 General Requirements Steps in creating a bastion host Select sufficient memory and processor speed Choose and install OS and any patches or updates Determine where the bastion host will fit in the network configuration Install services you want to provide Remove services and accounts that aren’t needed. Back up the system and all data on it Run a security audit Connect the machine to the network

    6. Guide to Network Defense and Countermeasures, Second Edition 6 Selecting the Bastion Host Machine Select familiar hardware and software Ideal situation One bastion host for each service you want to provide Can be prohibitively expensive Operating system Pick a version that is stable and secure Check OS Web site for patches and updates

    7. Guide to Network Defense and Countermeasures, Second Edition 7 Selecting the Bastion Host Machine (continued) Memory and processor speed Memory is always important when operating a server Bastion host might provide only a single service Does not need gigabytes of RAM Match processing power to server load You might have to add processor Location on the network Typically located outside the internal network Combined with packet-filtering devices Multiple bastion hosts are set up in the DMZ

    8. Guide to Network Defense and Countermeasures, Second Edition 8

    9. Guide to Network Defense and Countermeasures, Second Edition 9

    10. Guide to Network Defense and Countermeasures, Second Edition 10 Hardening the Bastion Host Selecting services to provide Close unnecessary ports Disable unnecessary user accounts and services Reduces chances of being attacked Disable routing or IP forwarding services Do not remove dependency services System needs them to function correctly

    11. Guide to Network Defense and Countermeasures, Second Edition 11 Hardening the Bastion Host (continued) Using honeypots Honeypot Computer placed on the network perimeter Attracts attackers away from critical servers Appears real Network security experts are divided about honeypots Laws on the use of honeypots are confusing at best Another goal of a honeypot is logging Logs are used to learn about attackers techniques

    12. Guide to Network Defense and Countermeasures, Second Edition 12

    13. Guide to Network Defense and Countermeasures, Second Edition 13 Hardening the Bastion Host (continued) Disabling user accounts Default accounts are created during OS installation Disable all user accounts from the bastion host Users should not be able to connect to it Rename the Administrator account Passwords at least 6-8 alphanumeric characters

    14. Guide to Network Defense and Countermeasures, Second Edition 14 Handling Backups and Auditing Essential steps in hardening a computer Backups Detailed recordkeeping Auditing Copy log files to other computers in your network Check these files for viruses Audit all failed and successful attempts to log on to the bastion host And any attempts to access or change files

    15. Guide to Network Defense and Countermeasures, Second Edition 15 Working with Proxy Servers Proxy server Software product Forwards packets to and from the network being protected Caches Web pages to speed up network performance

    16. Guide to Network Defense and Countermeasures, Second Edition 16 Goals of Proxy Servers Original goal Speed up network communications Information is retrieved from proxy cache instead of the Internet If information has not changed at all Other goals Provide security at the application layer Shield hosts on the internal network Control Web sites users are allowed to visit

    17. Guide to Network Defense and Countermeasures, Second Edition 17

    18. Guide to Network Defense and Countermeasures, Second Edition 18 How Proxy Servers Work Proxy server goal Prevent a direct connection between an external computer and an internal computer Proxy servers work at the application layer Opens the packet and examines the data Decides to which application it should forward the packet Reconstructs the packet and forwards it Replace the original header with a new header Containing proxy’s own IP address

    19. Guide to Network Defense and Countermeasures, Second Edition 19

    20. Guide to Network Defense and Countermeasures, Second Edition 20 How Proxy Servers Work (continued) Proxy server receives traffic before it goes to the Internet Client programs are configured to connect to the proxy server instead of the Internet Web browser E-mail applications

    21. Guide to Network Defense and Countermeasures, Second Edition 21

    22. Guide to Network Defense and Countermeasures, Second Edition 22

    23. Guide to Network Defense and Countermeasures, Second Edition 23 Choosing a Proxy Server Different proxy servers perform different functions Freeware proxy servers Often described as content filters Do not have features for business applications Example: Squid Commercial proxy servers Offer Web page caching, source and destination IP addresses translation, content filtering, and NAT Example: Microsoft ISA Server

    24. Guide to Network Defense and Countermeasures, Second Edition 24 Choosing a Proxy Server (continued) Proxy servers that can include firewall functions Having an all-in-one program simplifies life Disadvantages Single point of failure Try to use several software and hardware products to protect your network

    25. Guide to Network Defense and Countermeasures, Second Edition 25 Filtering Content Proxy servers can open packets and examine data Proxy servers can filter out content That would otherwise appear in a user’s Web browser Can block Web sites with content your users should not be viewing Can also drop executable programs Java applets ActiveX controls

    26. Guide to Network Defense and Countermeasures, Second Edition 26 Using Network Address Translation (NAT) Network Address Translation (NAT) Go-between Receives requests at its own IP address and forwards them to the correct IP address A NAT-enable device is the only one that needs a public IP address Essential functions many firewalls or routers perform Shields IP addresses of internal hosts NAT modes Hide-mode and static mapping

    27. Guide to Network Defense and Countermeasures, Second Edition 27 Hide-Mode Mapping Process of having multiple IP addresses behind one public IP address Dynamic Host Configuration Protocol (DHCP) Enables IP addresses to be assigned dynamically among hosts on a network Disadvantages Cannot hide all clients behind a single IP address Does not work with some types of VPNs Cannot provide more than one service with a single IP address

    28. Guide to Network Defense and Countermeasures, Second Edition 28

    29. Guide to Network Defense and Countermeasures, Second Edition 29 Static Mapping Internal IP addresses are mapped to external, routable IP addresses On a one-to-one basis Internal IP addresses are still hidden Computers appear to have public addresses All addresses are static

    30. Guide to Network Defense and Countermeasures, Second Edition 30

    31. Guide to Network Defense and Countermeasures, Second Edition 31 Authenticating Users Authentication Identify users authorized to access the network Important role in firewall or other security configurations Depends on the exchange of information Password Key Checksum Smart card

    32. Guide to Network Defense and Countermeasures, Second Edition 32 Step 1: Deciding What to Authenticate User authentication Identify person authorized to access network Users submit credentials and log on to the network Can be automatic and based on key exchange Define an user and assign it to a group Set access rules for that group Other restrictions IP addresses Time-based restrictions

    33. Guide to Network Defense and Countermeasures, Second Edition 33

    34. Guide to Network Defense and Countermeasures, Second Edition 34

    35. Guide to Network Defense and Countermeasures, Second Edition 35 Step 1: Deciding What to Authenticate (continued) Client authentication Grant access to network resources based on Source IP address Computer MAC address Computer name Identification can be automatic or manual Manual requires extra effort but offers more security Knowing a username and password is not enough User must log on from an authorized IP address

    36. Guide to Network Defense and Countermeasures, Second Edition 36

    37. Guide to Network Defense and Countermeasures, Second Edition 37 Step 1: Deciding What to Authenticate (continued) Session authentication Authorize user or computer on a per-connection basis Uses special authentication software on the client Exchanges information with the firewall Gives the user more flexibility than user or client authentication

    38. Guide to Network Defense and Countermeasures, Second Edition 38

    39. Guide to Network Defense and Countermeasures, Second Edition 39 Step 2: Deciding How to Authenticate Password Security User name and password compared against a database of approved users Simplest and most straightforward authentication Password systems OS password Firewall password S/Key password SecureID

    40. Guide to Network Defense and Countermeasures, Second Edition 40

    41. Guide to Network Defense and Countermeasures, Second Edition 41 Step 2: Deciding How to Authenticate (continued) Smart cards and tokens Two-factor authentication Combines objects the user posses with passwords Most common objects used in authentication Smart cards Tokens Smart cards Similar to ATM cards Tokens Objects that enable users to authenticate themselves Examples :Smart cards, handhelds, key fobs

    42. Guide to Network Defense and Countermeasures, Second Edition 42 Step 2: Deciding How to Authenticate (continued) Exchanging public and private keys Password is a code used to authenticate yourself Computers can also authenticate each other Exchanging codes Code can be long and complicated Called keys Keys Blocks of encrypted code generated by algorithms Public key cryptography Authenticates by exchanging public and private keys

    43. Guide to Network Defense and Countermeasures, Second Edition 43

    44. Guide to Network Defense and Countermeasures, Second Edition 44 Step 2: Deciding How to Authenticate (continued) Digital signatures Message recipient can authenticate sender’s identity One-way hash function Called a message digest Code of fixed-length Results from processing a message through a mathematical function One-way hash function characteristics Value is unique for the hashed data Data cannot be deduced from the hash

    45. Guide to Network Defense and Countermeasures, Second Edition 45 Step 2: Deciding How to Authenticate (continued) Digital signatures Signing software creates a hash of the message And encrypts it using your private key Validation process Recipient uses signer’s public key to decrypt the hash Computes hash value of received message Using same hashing algorithm as the sender Compares hash values

    46. Guide to Network Defense and Countermeasures, Second Edition 46 Step 3: Putting It All Together S-HTTP Secure Hypertext Transfer Protocol (S-HTTP) Encrypts communication between a Web server and a Web browser Using Secure Socket Layer (SSL) or Transport Layer Security (TLS) SSL encrypts data portion of a packet not the header Firewall can still filter and route it SSL does not provide user authentication

    47. Guide to Network Defense and Countermeasures, Second Edition 47 Step 3: Putting It All Together (continued) IPSec/IKE IPSec encrypts communications at network layer of OSI model Widely used NAT can interfere with IPSec Internet Key Exchange (IKE) Allows exchange of public and private keys Internet Security Association Key Management Protocol (ISAKMP) Enables two computers to agree on security settings

    48. Guide to Network Defense and Countermeasures, Second Edition 48 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+ Terminal Access Controller Access Control System (TACACS+) Called “Tac-plus” Authentication protocols developed by Cisco Systems Uses MD5 to produce an encrypted digest version of transmitted data

    49. Guide to Network Defense and Countermeasures, Second Edition 49 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+ Remote Authentication Dial-In User Service (RADIUS) Provides less security than TACACS+ More widely supported Transmits authentication packets unencrypted across the network Vulnerable to packet sniffing

    50. Guide to Network Defense and Countermeasures, Second Edition 50 Summary Modern networks require a variety of services Firewalls cannot secure a network alone Bastion host Computer on the network perimeter Specially protected through OS patches, authentication, and encryption Proxy server Forwards packets to and from the network Caches Web pages to speed up network performance

    51. Guide to Network Defense and Countermeasures, Second Edition 51 Summary (continued) Network Address Translation (NAT) Conceals the IP addresses of computers on the internal network from external locations Authentication types Client authentication User authentication Session authentication Encryption schemes Secure Socket Layer (SSL) Internet Protocol Security (IPSec)

More Related