
Network Access Security


Presentation Transcript


  1. Network Access Security Lesson 10

  2. Objectives

  3. Objectives

  4. Objectives

  5. Objectives

  6. Firewalls
     • A network firewall:
       • Prevents a hacker or other security threats from entering the network
       • Limits the ability of hackers or other security threats to spread through the network

  7. Network-based Firewalls
     • Reside on the network
     • Are usually hardware in nature but augmented with additional software
     • Many are built into or on top of routers
     • Two common configurations
       • Single firewall: Uses only one firewall
       • Dual firewall: Uses two firewalls
     • Area between dual firewalls is the Demilitarized Zone (DMZ)

  8. Single Firewall Configuration

  9. Dual Firewall Configuration

  10. Server Placement with a DMZ

  11. Proxy Server
     • Used as intermediary between networks and servers
     • Purpose-built device, or
     • Application running on a server
     • Upon receipt of a request, the proxy may:
       • Evaluate it and decide whether to pass it on
       • Interpret it and attempt to service it (cache)
       • Conceal the identity of the person requesting
       • Alter requests to avoid restrictions

  12. Network Intrusion Detection System/Network Intrusion Prevention System (NIDS/NIPS)
     • Software designed to look for evidence of intruder activity and stop it once detected
     • Works like IDS and IPS (Lesson 9)
     • Differences from IDS/IPS
       • Where the software is located; NIDS/NIPS sit on the network
       • Used for both incoming and outgoing communications

  13. Possible NIDS Placement Locations

  14. Host-based Firewalls
     • Software packages that run on a computer platform
     • Evaluate packets, determine if malicious
     • Host-Based Intrusion Detection System (HIDS); Host-Based Intrusion Prevention System (HIPS)
     • System Intrusion Detection Software (SIDS); System Intrusion Prevention System (SIPS)

  15. Common Features of a Firewall
     • Application layer versus network layer
     • Stateful versus stateless
     • Scanning services
     • Content filters
     • Signature identification
     • Zones

  16. Application Layer Versus Network Layer
     • Application layer firewalls work with protocols and services located on the TCP/IP protocol stack
       • Designed to target one or two protocols
     • Network firewalls work on the network layer of the TCP/IP protocol stack
       • Primarily target packet communications
       • Stateful versus stateless

  17. Network Layer Firewalls (Continued)
     • Stateful
       • Network must track connections through the router
       • Router needs to continually know the state of every connection
     • Stateless
       • Treat each packet separately
       • Faster speed, lower costs
       • Easier to hijack

  18. Scanning Services
     • Ability of the firewall to scan packets and protocols for specific threats
       • Scan HTTP traffic for spyware or viruses
       • Scan e-mail for spam

  19. Content Filters
     • Evaluate incoming data against predefined guidelines
       • Block spam based on content
       • Block websites containing specific words
       • Parental controls

  20. Signature Identification
     • A process using signatures or definitions to identify threats
     • Threat is compared to a signature database
     • Identified threats are sent to the administrator for action
     • Only works against known threats
     • Software updates crucial

  21. Zones
     • Creates a firewall on a router based on groups of interfaces
     • Three rules that always apply
       • Interfaces sharing the same zone can always talk to each other
       • Interfaces in one zone cannot talk to another zone unless explicitly written rules allow it
       • Interfaces not part of a zone cannot talk to those that are part of a zone
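The three zone rules above are a small decision algorithm. The following is an added example (not from the slides) that models a zone-based firewall and applies those rules to a constructed topology; the interface names, zone names and zone-pair rules are made up, and the case the slide does not cover (traffic between two interfaces that belong to no zone) is assumed to be permitted, as it is on common zone-based implementations.

```python
# Added example (not from the slides): the three zone rules from slide 21
# applied by a small zone-based firewall model.
# Assumptions, not on the slide: interface and zone names below are made up,
# and traffic between two interfaces that belong to no zone is permitted.
from dataclasses import dataclass, field


@dataclass
class ZoneFirewall:
    # interface name -> zone name; an interface missing from this map is unzoned
    interface_zone: dict
    # explicitly written rules: permitted (source zone, destination zone) pairs
    zone_pairs: set = field(default_factory=set)

    def allows(self, in_iface: str, out_iface: str) -> bool:
        """Return True if traffic entering in_iface may leave via out_iface."""
        src = self.interface_zone.get(in_iface)
        dst = self.interface_zone.get(out_iface)
        if src is None and dst is None:
            return True      # assumption: unzoned-to-unzoned is outside zone policy
        if src is None or dst is None:
            return False     # rule 3: unzoned interfaces cannot talk to zoned ones
        if src == dst:
            return True      # rule 1: interfaces in the same zone always talk
        return (src, dst) in self.zone_pairs   # rule 2: needs an explicit zone-pair rule


def build_demo_firewall() -> ZoneFirewall:
    """Constructed topology: two inside ports, one outside, one DMZ, one unzoned."""
    return ZoneFirewall(
        interface_zone={
            "Gi0/0": "inside",
            "Gi0/1": "inside",
            "Gi0/2": "outside",
            "Gi0/3": "dmz",
            # "Gi0/4" is deliberately left out of every zone
        },
        zone_pairs={("inside", "outside"), ("inside", "dmz"), ("outside", "dmz")},
    )


def evaluate(fw: ZoneFirewall, flows):
    """Map each (in_iface, out_iface) flow to its decision."""
    return {flow: ("permit" if fw.allows(*flow) else "deny") for flow in flows}


if __name__ == "__main__":
    fw = build_demo_firewall()
    flows = [("Gi0/0", "Gi0/1"), ("Gi0/0", "Gi0/2"), ("Gi0/2", "Gi0/0"),
             ("Gi0/2", "Gi0/3"), ("Gi0/3", "Gi0/0"), ("Gi0/4", "Gi0/0")]
    for flow, decision in evaluate(fw, flows).items():
        print(f"{flow[0]} -> {flow[1]}: {decision}")
```

Note that the zone pairs are directional: inside may initiate to outside, but an outside-to-inside flow is denied because no such pair was written, which is the "explicit rules" requirement of rule 2 in practice.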

  22. Zone-based Firewall

  23. Filtering
     • Access control lists (ACLs)
       • List of rules or policies programmed into a router, or other device, to control what is able to gain access to a network
     • MAC filtering
     • IP filtering
     • Port filtering
     • Port security
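The ACL on this slide and the stateful/stateless distinction on slide 17 fit together: the ACL is the rule list, and connection tracking is what turns a stateless filter into a stateful one. The following added example (not from the slides) implements a first-match ACL with MAC, IP and port filtering and runs the same constructed packets through it twice, once stateless and once stateful; every address, MAC, and rule in it is made up for the demo.

```python
# Added example (not from the slides): a first-match ACL that does MAC, IP and
# port filtering (slide 23), run once as a stateless filter and once with the
# connection tracking that makes a filter stateful (slide 17).
# All addresses, MACs and rule sets below are constructed for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = toward the protected network, "out" = leaving it
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str = "any"
    src_mac: str = "any"            # MAC filtering
    src_net: str = "any"            # IP filtering (CIDR)
    dst_net: str = "any"
    proto: str = "any"
    dst_ports: tuple = (0, 65535)   # port filtering, inclusive range

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.src_mac != "any" and self.src_mac.lower() != p.src_mac.lower():
            return False
        if self.src_net != "any" and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net != "any" and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        low, high = self.dst_ports
        return low <= p.dst_port <= high


class Firewall:
    def __init__(self, rules, stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        self.connections = set()    # 5-tuples of outbound flows already permitted

    def decide(self, p: Packet) -> str:
        # A stateful filter admits replies to tracked connections before the ACL runs.
        if self.stateful and p.direction == "in":
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
            if key in self.connections:
                return "permit (established)"
        for rule in self.rules:         # first match wins
            if rule.matches(p):
                if rule.action == "permit" and self.stateful and p.direction == "out":
                    self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
                return rule.action
        return "deny"                    # implicit deny at the end of every ACL


BLOCKED_MAC = "00:11:22:33:44:55"
INSIDE = "10.0.0.0/8"

# A stateless filter has to open the high ports so that replies can come back in.
STATELESS_RULES = [
    Rule("deny", src_mac=BLOCKED_MAC),
    Rule("permit", direction="out", src_net=INSIDE),
    Rule("permit", direction="in", proto="tcp", dst_net=INSIDE, dst_ports=(1024, 65535)),
]
# A stateful filter only needs to permit the outbound side; state admits the replies.
STATEFUL_RULES = [
    Rule("deny", src_mac=BLOCKED_MAC),
    Rule("permit", direction="out", src_net=INSIDE),
]

PACKETS = [
    Packet("out", "aa:bb:cc:dd:ee:01", "10.0.0.5", "203.0.113.10", "tcp", 40000, 443),   # client opens HTTPS
    Packet("in", "aa:bb:cc:dd:ee:ff", "203.0.113.10", "10.0.0.5", "tcp", 443, 40000),    # the server's reply
    Packet("in", "aa:bb:cc:dd:ee:ff", "203.0.113.99", "10.0.0.5", "tcp", 443, 40001),    # unsolicited inbound
    Packet("out", BLOCKED_MAC, "10.0.0.7", "203.0.113.10", "tcp", 50000, 80),            # MAC-filtered host
]


def run(rules, stateful: bool, packets=PACKETS):
    fw = Firewall(rules, stateful)
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", run(STATELESS_RULES, False))
    print("stateful: ", run(STATEFUL_RULES, True))
```

The third packet is the point of the comparison: the stateless rule set has to permit it because it cannot tell a reply from an unsolicited segment on a high port, which is the exposure slide 17 summarises as "easier to hijack"; the stateful filter denies it because no tracked connection matches.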

  24. Honey Pots
     • Are network security tools
     • Provide a hacker with a decoy target to attack rather than the protected network
     • Distracted hacker can be identified and neutralized
     • Method employed to attack the decoy is used to strengthen real network security (research laboratory)
     • A honey net is two or more honey pots

  25. Tunneling and Encryption Concepts
     • Site-to-site and client-to-site
       • Site-to-site: Two different remote networks connected
       • Client-to-site: Single computer connected to a remote network
     • Secure Sockets Layer (SSL)
       • Secures the connection between client and server

  26. Tunneling and Encryption Concepts (Cont.)
     • Transport Layer Security (TLS)
       • TLS Record Protocol
         • Provides security and encryption
       • TLS Handshake Protocol
         • Authenticates and negotiates the algorithm
     • Internet Security Association and Key Management Protocol (ISAKMP)
       • Establishes Security Associations and cryptographic keys

  27. Point-to-Point Protocol (PPP)
     • Method to encapsulate multi-protocol datagrams
     • Transports multiple protocols
     • Link Control Protocol (LCP)
       • Establishes, configures, and tests connections
     • Network Control Protocol (NCP)
       • Establishes and configures the different network protocols carried

  28. Tunneling
     • Process of establishing a connection through a public network that looks like a point-to-point connection
     • Carrier protocol
     • Encapsulating protocol
     • Passenger protocol

  29. How Tunneling Works

  30. Encryption
     • Algorithm (cipher) process used to encode the header or the entire network communication packet
     • Plaintext is not encrypted
     • Layer 2 Tunneling Protocol (L2TP)
     • Point-to-Point Tunneling Protocol (PPTP)
     • Layer 2 Forwarding (L2F)
     • Internet Protocol Security (IPSec)
     • Generic Routing Encapsulation (GRE)

  31. L2TP, PPTP, and L2F
     • L2TP
       • Designed to create a tunnel across a public packet-switched network
     • PPTP
       • Provides flow and congestion encapsulation service for PPP
     • L2F
       • Designed so PPP can be tunneled over the Internet and used in VPNs

  32. Internet Protocol Security (IPSec)
     • Suite of protocols designed to provide security options to IP
     • Internet Key Exchange (IKE)
     • Authentication Header (AH)
     • Encapsulating Security Payload (ESP)
     • Works in two modes
       • Transport
       • Tunnel

  33. Different Types of Network Communications
     • VPN tunnel mode can be used for network-to-network, network-to-host, and host-to-host communications

  34. Generic Routing Encapsulation (GRE)
     • Encapsulates an arbitrary Network layer protocol over any other arbitrary Network layer protocol
     • Most commonly used protocol is IP
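Slide 28 names the three roles in a tunnel (carrier, encapsulating and passenger protocol), and GRE over IP is the most concrete instance of them: the outer IPv4 header is the carrier, the GRE header is the encapsulating protocol, and the inner packet is the passenger. The following added example (not from the slides) builds such a packet byte by byte and parses it back, validating the carrier checksum and the GRE header on the way; the addresses and payload are constructed, while the header layouts follow the IPv4 and GRE (RFC 2784) formats.

```python
# Added example (not from the slides): building and parsing a GRE-over-IPv4
# packet to show the three tunneling roles from slide 28: carrier protocol
# (outer IPv4), encapsulating protocol (GRE) and passenger protocol (inner IPv4).
# The addresses and payload are constructed; only the header layouts follow the
# IPv4 and GRE (RFC 2784) specifications.
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """Standard Internet checksum (ones-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a passenger packet: carrier IPv4 header + GRE header + passenger."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags 0, version 0, payload type IPv4
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(passenger)) + gre + passenger


def gre_decapsulate(packet: bytes):
    """Validate the carrier and GRE headers; return (tunnel_src, tunnel_dst, passenger)."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if packet[0] >> 4 != 4 or ip_checksum(outer) != 0:
        raise ValueError("carrier is not a valid IPv4 header")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("carrier payload is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger is not IPv4")
    gre_len = 4
    if flags & 0x8000:          # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:          # K bit: key present
        gre_len += 4
    if flags & 0x1000:          # S bit: sequence number present
        gre_len += 4
    return socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20]), packet[ihl + gre_len:]


def build_passenger() -> bytes:
    """Constructed inner packet: private IPv4 + UDP header + a short payload."""
    data = b"hello from site A"
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(data), 0) + data   # UDP checksum 0 = not computed
    return ipv4_header("192.168.1.10", "192.168.2.20", 17, len(udp), ident=1) + udp


if __name__ == "__main__":
    passenger = build_passenger()
    tunneled = gre_encapsulate(passenger, "198.51.100.1", "203.0.113.1")
    src, dst, inner = gre_decapsulate(tunneled)
    print(f"outer {src} -> {dst}, {len(tunneled)} bytes on the wire")
    print("passenger intact:", inner == passenger)
```

Plain GRE adds no confidentiality or integrity, which is why slide 30 lists it beside the protocols that do: the passenger's private addresses and payload travel in the clear, so in practice GRE is paired with IPSec when the carrier network is untrusted.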

  35. Virtual Private Network (VPN)
     • Connects a client computer outside the local network to an Enterprise LAN
     • Specific form of network tunneling
     • Secure Sockets Layer (SSL) VPN
       • Allows VPN sessions to be set up from within a browser
     • VPN concentrator
       • Concentrates multiple VPN connections into a single device

  36. Remote Access
     • Allows remote end users to access a network and its information as if the users were directly connected to that network
     • Remote Access Services (RAS)
     • Point-to-Point Protocol over Ethernet (PPPoE)
     • Remote Desktop Protocol (RDP)
     • Virtual Network Computing (VNC)
     • Independent Computing Architecture (ICA)
     • Secure Shell (SSH)

  37. Remote Access Services (RAS)
     • All the technology, hardware, and software used to provide remote access to a network
     • Authentication of the user attempting to gain access to the network
     • Limiting user access to permitted resources
     • Verifying that communications between the remote user and the local network are not being eavesdropped on by hackers

  38. Point-to-Point Protocol over Ethernet (PPPoE)
     • A method that allows PPP to be used in an Ethernet environment
     • Most commonly used in connection with DSL
     • Discovery stage
       • PPP seeks to discover the MAC address of the client and server computers on the network
       • PPPoE session identification number created and a link established

  39. Point-to-Point Protocol over Ethernet Discovery Stage

  40. Remote Desktop Protocol (RDP)
     • Proprietary protocol from Microsoft to create a graphical interface between computers
     • Controls several features
       • 32-bit or lower color support; 128-bit encryption; network level authentication
       • Audio, file system, printer, and port redirection; shared clipboard
       • Terminal Services gateway; support for TLS; multiple monitor support

  41. Virtual Network Computing (VNC)
     • Allows remote access to a desktop computer; similar to Microsoft's RDP
     • Open source
     • Works with any graphical user interface (GUI)
     • Pixel-based
     • Three components: VNC server, VNC client (VNC viewer), and VNC communications protocols

  42. Independent Computing Architecture (ICA)
     • Proprietary protocol which lays down specific rules for passing data between client and server
     • Runs the application on the server while allowing remote client access
     • Supports Windows, OS X, various UNIX platforms, and various Linux platforms

  43. Secure Shell Protocol (SSH)
     • Updated and more secure version of TELNET
     • Used to remotely configure devices
     • Allows remote control of a device via command-line commands
     • Encrypts commands and/or configuration instructions in transit

  44. Wireless Authentication and Encryption
     • Wi-Fi Protected Access (WPA)
     • Wired Equivalent Privacy (WEP)
     • Remote Authentication Dial-In User Service (RADIUS)
     • Temporal Key Integrity Protocol (TKIP)

  45. Wi-Fi Protected Access (WPA)
     • A specification or certification
     • Not a security protocol
     • Replaces WEP
     • WPA created as a placeholder security standard
     • WPA2 includes the mandatory requirements of IEEE 802.11i
     • Enterprise versions of WPA and WPA2 available

  46. Wired Equivalent Privacy (WEP)
     • Aspired to make wireless communications as secure and private as wired communications
     • Includes the stream cipher RC4 and CRC-32 (Cyclic Redundancy Check)
     • Authentication components
       • Open System
       • Shared Key

  47. Remote Authentication Dial-In User Service (RADIUS)
     • Authenticator allows the user onto a wireless network
     • Authentication Server in IEEE 802.1X wireless networks
     • Authorizer controls where the user can go on a network

  48. How 802.1X Works

  49. Temporal Key Integrity Protocol (TKIP)
     • Suite of algorithms designed to add additional security on top of that provided by WEP
     • Increases strength and capability
     • Encrypts individual packets
     • Time stamps when packets are sent
     • Employs a sequence counter
     • Stronger integrity check than WEP's Cyclic Redundancy Check
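Two of the TKIP additions listed above, a per-packet integrity check and a sequence counter, are simple to show in code. The following added example (not from the slides) implements a receiver that verifies a keyed message integrity code over each frame and rejects any frame whose counter does not move forward. It is a model, not TKIP itself: HMAC-SHA256 truncated to 8 bytes stands in for TKIP's Michael MIC, a single 48-bit counter stands in for the TKIP sequence counter, and the frames and key are constructed.

```python
# Added example (not from the slides): per-packet keyed integrity check plus a
# sequence counter for replay detection, the two TKIP ideas from slide 49.
# Assumption: HMAC-SHA256 truncated to 8 bytes stands in for TKIP's Michael MIC
# and a 48-bit counter for the TKIP sequence counter; frames and key are constructed.
import hashlib
import hmac

MIC_LEN = 8
SEQ_LEN = 6   # 48-bit sequence counter


def build_frame(mic_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: counter | payload | MIC computed over counter + payload."""
    body = seq.to_bytes(SEQ_LEN, "big") + payload
    return body + hmac.new(mic_key, body, hashlib.sha256).digest()[:MIC_LEN]


class Receiver:
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1       # highest counter value accepted so far

    def accept(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + MIC_LEN:
            return "reject: truncated"
        body, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
        expected = hmac.new(self.mic_key, body, hashlib.sha256).digest()[:MIC_LEN]
        if not hmac.compare_digest(mic, expected):
            return "reject: bad MIC"           # modified in transit or wrong key
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:
            return "reject: replay"            # counter must strictly increase
        self.last_seq = seq
        return "accept"


def demo():
    """Run five constructed frames through one receiver and return its decisions."""
    key = b"constructed-demo-key-not-real"
    rx = Receiver(key)
    f1 = build_frame(key, 1, b"first")
    f2 = build_frame(key, 2, b"second")
    tampered = bytearray(f2)
    tampered[SEQ_LEN] ^= 0x01                  # flip one payload bit, keep the old MIC
    return [
        rx.accept(f1),                                  # fresh frame
        rx.accept(f2),                                  # next counter value
        rx.accept(f1),                                  # same frame again: replay
        rx.accept(bytes(tampered)),                     # modified payload: MIC fails
        rx.accept(build_frame(b"other-key", 3, b"x")),  # wrong key: MIC fails
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the two checks matters: the MIC is verified before the counter is read, so a forged frame cannot move the receiver's counter forward and block legitimate frames that follow.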

  50. Best Practices—Policies and Procedures
     • Creating a network security policy
     • Password policies
     • Access policies
     • Reporting problems
