Network Plus Unit 5 – Section 1 Security

Presentation Transcript


  1. Network Plus Unit 5 – Section 1 Security (1/28/2010)

  2. Identify and Describe Security Risks
     • People
     • Transmissions
     • Protocols
     • Internet Access

  3. Risks Associated with People
     • Half of all security breaches
     • Human errors, ignorance, omissions
     • Social engineering
       – Strategy to gain password
       – Phishing: glean access, authentication information
       – Pose as someone needing information
     (Network+ Guide to Networks, 5th Edition)

  4. Risks Associated with Transmission and Hardware
     • Physical, Data Link, Network layer security risks
       – Require more technical sophistication
     • Risks inherent in network hardware and design
       – Transmission interception
         · Man-in-the-middle attack
         · Eavesdropping: networks connecting to Internet via leased public lines
         · Sniffing: network hubs broadcasting traffic over entire segment

  5. Risks Associated with Transmission and Hardware (cont’d.)
     • Risks inherent in network hardware and design (cont’d.)
       – Private address availability to outside: routers not properly configured to mask internal subnets
       – Port access via port scanner: unused hub, switch, router, server ports not secured
       – Router attack: routers not configured to drop suspicious packets

  6. Risks Associated with Transmission and Hardware (cont’d.)
     • Risks inherent in network hardware and design (cont’d.)
       – Security holes: modems accept incoming calls; dial-in access servers not secured, monitored
       – General public computer access: computers hosting sensitive data
       – Insecure passwords: easily guessable, default values

  7. Risks Associated with Protocols and Software
     • Includes Transport, Session, Presentation, and Application layers
     • Networking protocols and software risks
       – TCP/IP security flaws
       – NOS problems
         · Invalid trust relationships
         · NOS back doors, security flaws
         · NOS allows server operators to exit to command prompt
         · Administrators’ default security options

  8. Risks Associated with Internet Access
     • Common Internet-related security issues
       – Improperly configured firewall: outsiders obtain internal IP addresses (IP spoofing)
       – Chat session flashing
       – Denial-of-service attack
         · Smurf attack: hacker issues flood of broadcast ping messages
       – Telnet or FTP: transmit user ID, password in plain text
       – Social media (Facebook, mailing lists, forums): provide hackers user information

  9. Network Security Technology
     • Router Access Lists
     • Intruder Detection and Prevention
     • Firewalls
     • Proxy Servers

  10. Security in Network Design: Router Access Lists
     • Control traffic through routers
     • Routers’ main function: examine packets, determine where to send
       – Based on Network layer addressing information
     • ACL (access control list), also known as access list
       – Routers decline to forward certain packets

  11. Router Access Lists (cont’d.)
     • ACL instructs router to permit or deny traffic according to variables:
       – Network layer protocol (IP, ICMP)
       – Transport layer protocol (TCP, UDP)
       – Source IP address
       – Source netmask
       – Destination IP address
       – Destination netmask
       – TCP, UDP port number

  12. Router Access Lists (cont’d.)
     • Router receives packet, examines packet
       – Refers to ACL for permit, deny criteria
       – Drops packet if characteristics match a statement flagged as deny
     • Access list statements, for example:
       – Deny all traffic from source addresses with netmask 255.255.255.255
       – Deny all traffic destined for TCP port 23
     • Separate ACLs for:
       – Interfaces
       – Inbound and outbound traffic
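The three access-list slides above describe the matching variables and the first-match, implicit-deny evaluation without showing it in action. The following is an added example written for this transcript, not code from the textbook or from any router vendor: a small ACL evaluator whose rule fields are the slide's variables (protocol, source address/netmask, destination address/netmask, port), applied to a constructed inbound list containing the two statement types the slide names. All addresses and rules are made up for the example.

```python
"""Added example (not from the Network+ textbook or any router vendor): a
minimal access-list evaluator whose rule fields mirror the variables on the
slide: protocol, source address/netmask, destination address/netmask, port."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

ANY = "0.0.0.0/0.0.0.0"  # address/netmask pair that matches every address


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # destination port; only meaningful for tcp/udp


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip" matches any Network layer payload
    src: str = ANY                 # "address/netmask"; a /255.255.255.255 mask means one host
    dst: str = ANY
    dport: Optional[int] = None    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        # strict=False lets a rule name a host address together with a network mask
        if IPv4Address(pkt.src) not in IPv4Network(self.src, strict=False):
            return False
        if IPv4Address(pkt.dst) not in IPv4Network(self.dst, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching statement wins; a packet matching nothing is dropped
    (the implicit deny at the end of every access list)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed inbound ACL containing the two statement types named on the slide.
INBOUND_ACL = [
    # deny all traffic from one specific source address (netmask 255.255.255.255)
    Rule("deny", src="203.0.113.7/255.255.255.255"),
    # deny all traffic destined for TCP port 23 (Telnet)
    Rule("deny", proto="tcp", dport=23),
    # permit web traffic to the internal server subnet
    Rule("permit", proto="tcp", dst="192.168.10.0/255.255.255.0", dport=80),
    # permit ICMP (e.g. ping replies) from anywhere
    Rule("permit", proto="icmp"),
]


def demo() -> List[str]:
    """Runs a few constructed packets through INBOUND_ACL and returns the verdicts."""
    samples = [
        Packet("tcp", "203.0.113.7", "192.168.10.5", 80),    # blocked source host
        Packet("tcp", "198.51.100.2", "192.168.10.5", 23),   # Telnet: denied by port
        Packet("tcp", "198.51.100.2", "192.168.10.5", 80),   # web: permitted
        Packet("udp", "198.51.100.2", "192.168.10.5", 53),   # no statement: implicit deny
        Packet("icmp", "198.51.100.2", "192.168.10.5"),      # ICMP: permitted
    ]
    return [evaluate(INBOUND_ACL, p) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Statement order matters: the host deny sits first so that the later web permit cannot override it, and the UDP packet shows that anything no statement mentions is dropped. On a real router the same list would be bound per interface and per direction, as slide 12 says.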

  13. Intrusion Detection and Prevention
     • Provides more proactive security measure: detecting suspicious network activity
     • IDS (intrusion detection system)
       – Software monitoring traffic
         · On dedicated IDS device
         · On another device performing other functions
       – Port mirroring: port configured to send copy of all traffic to another port for monitoring purposes
       – Detects many suspicious traffic patterns (denial-of-service, smurf attacks)

  14. Intrusion Detection and Prevention (cont’d.)
     • DMZ (demilitarized zone): network’s protective perimeter
       – IDS sensors installed at network edges
     • IDS at DMZ drawback: number of false positives logged
     • IDS can only detect and log suspicious activity

  15. DMZ In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. An external attacker only has access to equipment in the DMZ, rather than any other part of the network.

  16. Intrusion Detection and Prevention (cont’d.)
     • IPS (intrusion-prevention system): reacts to suspicious activity
       – When alerted, detects threat and prevents traffic from flowing to network
       – Based on originating IP address
     • Compared to firewalls
       – IPS originally designed as more comprehensive traffic analysis, protection tool
       – Differences now diminished
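Slides 13 to 16 contrast an IDS, which only detects and logs, with an IPS, which also stops traffic from the originating address. The following is an added example, not code from the textbook or from any IDS product: a sensor fed copies of packets (as a mirrored port would deliver them) that recognises the smurf pattern the slides mention, a flood of broadcast ping requests from one source, and either logs it (IDS mode) or blocks the source (IPS mode). The LAN, the threshold and the packet records are all constructed for the example.

```python
"""Added example (illustrative only, not the textbook's or any IDS vendor's
code): a sensor fed copies of packets (as from a mirrored port) that flags a
smurf-style flood of broadcast ping requests. In IDS mode it only logs; in IPS
mode it also blocks the originating IP address."""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Set, Tuple

LOCAL_NET = IPv4Network("192.168.1.0/24")   # constructed protected LAN
ICMP_ECHO_REQUEST = 8

# Constructed packet records: (time in seconds, protocol, src, dst, icmp type or None)
SAMPLE_PACKETS: List[Tuple] = [
    (0.01 * i, "icmp", "10.9.9.9", "192.168.1.255", ICMP_ECHO_REQUEST) for i in range(6)
] + [
    (0.50, "icmp", "192.168.1.20", "192.168.1.1", ICMP_ECHO_REQUEST),   # ordinary ping
    (0.70, "tcp", "10.9.9.9", "192.168.1.10", None),                   # later traffic from same source
]


def is_broadcast(dst: str) -> bool:
    addr = IPv4Address(dst)
    return addr == LOCAL_NET.broadcast_address or addr == IPv4Address("255.255.255.255")


class SmurfSensor:
    def __init__(self, threshold: int = 5, window_s: float = 1.0, prevent: bool = False):
        self.threshold = threshold      # broadcast echo requests per window that count as a flood
        self.window_s = window_s
        self.prevent = prevent          # False = IDS (detect and log), True = IPS (also block)
        self.history: Dict[str, List[float]] = defaultdict(list)
        self.alerts: List[Tuple[float, str, int]] = []   # what the IDS logs: (time, src, count)
        self.blocked: Set[str] = set()
        self.dropped = 0

    def inspect(self, pkt: Tuple) -> str:
        t, proto, src, dst, icmp_type = pkt
        if src in self.blocked:                 # IPS: a blocked source stays blocked
            self.dropped += 1
            return "dropped"
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and is_broadcast(dst):
            # sliding window: keep only this source's recent broadcast pings
            recent = [x for x in self.history[src] if t - x <= self.window_s] + [t]
            self.history[src] = recent
            if len(recent) >= self.threshold:
                self.alerts.append((t, src, len(recent)))
                if self.prevent:
                    self.blocked.add(src)
                    self.dropped += 1
                    return "dropped"
                return "alert"                  # IDS: logged, but the packet still flows
        return "forwarded"


def run(packets: List[Tuple], prevent: bool = False) -> Tuple[SmurfSensor, List[str]]:
    """Feeds every packet to a fresh sensor and returns it with the per-packet verdicts."""
    sensor = SmurfSensor(prevent=prevent)
    return sensor, [sensor.inspect(p) for p in packets]


if __name__ == "__main__":
    for mode in (False, True):
        sensor, verdicts = run(SAMPLE_PACKETS, prevent=mode)
        print("IPS" if mode else "IDS", verdicts, "alerts:", len(sensor.alerts))
```

The same flood produces an alert in both modes; the difference the slides draw is visible in the verdicts: the IDS keeps forwarding and the later TCP packet from the flagged source passes, while the IPS drops everything from that address once the threshold is crossed. A low threshold also illustrates the false-positive concern from slide 14: a burst of legitimate broadcast pings would trip it just the same.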

  17. Intrusion Detection and Prevention (cont’d.)
     Figure 12-2 Placement of an IDS/IPS on a network

  18. Firewalls
     • Specialized device, or computer installed with specialized software
     • Selectively filters, blocks traffic between networks
     • Involves hardware, software combination
     • Resides
       – Between two interconnected private networks
       – Between private network and public network (network-based firewall)
     • Firewall default configuration
       – Blocks most common security threats
       – Preconfigured to accept, deny certain traffic types
       – Network administrators often customize settings

  19. Firewalls (cont’d.)
     Figure 12-3 Placement of a firewall between a private network and the Internet

  20. Types of Firewalls
     • Packet-filtering firewall (screening firewall): simplest firewall
       – Blocks traffic into LAN
         · Examines header: checks IP address, port number, IP header flags
       – Blocks traffic attempting to exit LAN
         · Stops spread of worms
         · Stops zombie programs/spyware
     • Port blocking
       – Based on TCP or UDP port numbers
       – Prevents connection to and transmission completion through ports

  21. Firewall Configuration
     • Common packet-filtering firewall criteria
       – Source, destination IP addresses
       – Source, destination ports
       – Flags set in the IP header
       – Transmissions using UDP or ICMP protocols
       – Packet’s status as first packet in new data stream, or subsequent packet
       – Packet’s status as inbound to, or outbound from, private network
     • Logging, auditing capabilities
     • Protects internal LAN’s address identity

  22. Firewall Functions
     • Firewall may have more complex functions
       – Encryption
       – User authentication
       – Central management
       – Easy rule establishment
       – Filtering
         · Content-filtering firewalls
         · Stateful: monitors data stream from end to end
         · Stateless firewall: blocks individual packets
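Slide 21 lists "first packet in a new data stream, or subsequent packet" as a filtering criterion and slide 22 names the stateful/stateless split that criterion creates. The following is an added example, not code from the textbook, that runs one constructed packet sequence through both kinds of filter: the stateless one judges each packet by its own header, the stateful one remembers the first outbound packet of a stream and lets the reply half back in. Addresses, ports and the published service are made up for the example.

```python
"""Added example (illustrative, not the textbook's code): the same packet
sequence judged by a stateless packet filter, which sees each packet alone,
and by a stateful one, which remembers the first packet of a stream so it can
recognise the subsequent packets of that stream."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str       # "out" = leaving the private network, "in" = arriving from outside
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"}; empty for UDP


class StatelessFilter:
    """Blocks individual packets: only the header of the packet in hand is consulted."""

    def __init__(self, inbound_allow: Set[Tuple[str, int]]):
        self.inbound_allow = inbound_allow   # (address, port) pairs the outside may reach

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            return "permit"
        if (pkt.dst, pkt.dport) in self.inbound_allow:
            return "permit"
        return "deny"


class StatefulFilter(StatelessFilter):
    """Monitors the stream end to end: an outbound first packet opens an entry in the
    state table, and inbound packets that belong to that stream are let back in."""

    def __init__(self, inbound_allow: Set[Tuple[str, int]]):
        super().__init__(inbound_allow)
        self.table: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # a bare SYN (or any UDP datagram) is the first packet of a new stream
            new_stream = pkt.proto == "udp" or ("SYN" in pkt.flags and "ACK" not in pkt.flags)
            if new_stream:
                self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        # inbound: is this the reply half of a stream an internal host started?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "permit"
        return super().decide(pkt)


WEB_SERVER = {("192.168.10.5", 80)}   # constructed: the only service published to the outside

# Constructed packet sequence: an internal client opens an HTTPS session outward,
# the server replies, an outsider probes the client's ephemeral port, and an
# outsider legitimately connects to the published web server.
SEQUENCE = [
    Packet("out", "tcp", "192.168.10.20", 51000, "198.51.100.9", 443, frozenset({"SYN"})),
    Packet("in", "tcp", "198.51.100.9", 443, "192.168.10.20", 51000, frozenset({"SYN", "ACK"})),
    Packet("in", "tcp", "203.0.113.7", 40000, "192.168.10.20", 51000, frozenset({"SYN"})),
    Packet("in", "tcp", "203.0.113.7", 40001, "192.168.10.5", 80, frozenset({"SYN"})),
]


def verdicts(filt: StatelessFilter) -> List[str]:
    """Decisions for SEQUENCE, in order, from the given filter."""
    return [filt.decide(p) for p in SEQUENCE]


if __name__ == "__main__":
    print("stateless:", verdicts(StatelessFilter(WEB_SERVER)))
    print("stateful: ", verdicts(StatefulFilter(WEB_SERVER)))
```

The second packet is the point of the example: the stateless filter has to deny the server's reply (or else open every high port to everyone), whereas the stateful filter permits it because it saw the client's SYN go out, and still denies the third packet, an unsolicited SYN to the same client port from a different host.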

  23. Proxy Servers
     • Proxy service
       – Network host software application
       – Intermediary between external, internal networks
       – Screens all incoming and outgoing traffic
     • Proxy server
       – Network host running proxy service
       – Also called application layer gateway, application gateway, and proxy
       – Manages security at Application layer

  24. Proxy Server Functions
     • Security: prevents outside world from discovering internal network addresses
     • Improves performance: caching files

  25. Proxy Servers (cont’d.)
     Figure 12-5 A proxy server used on a WAN

  26. NOS (Network Operating System) Security
     • Restrict user authorization
     • Centralized administration (Active Directory)
     • Secure access to server files and directories
       – Public rights: conferred to all users; very limited
     • Keep software updated with latest patches
     • Provide strong policies for passwords and logon restrictions

  27. Logon Restrictions
     • Additional restrictions
       – Time of day
       – Total time logged on
       – Source address
       – Unsuccessful logon attempts
     • Secure password

  28. Password Tips
     • Change system default passwords
     • Do not use familiar information or dictionary words (dictionary attack)
     • Use long passwords with letters, numbers, special characters
     • Do not write down or share
     • Change frequently
     • Do not reuse
     • Use different passwords for different applications
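Slides 27 and 28 list logon restrictions and password rules as policy statements. The following is an added example, not code from the textbook, showing how a NOS-style account would enforce them: a checker that rejects defaults, short or single-class passwords, dictionary words, the user name and reuse against a salted hash history, and an account that applies a time-of-day window, a source-address restriction and lockout after too many failed attempts. The word lists, policy values and the account itself are constructed for the example.

```python
"""Added example (illustrative, not the textbook's code): a password check that
enforces the tips on the slide, and an account that applies the logon
restrictions from the previous slide (time of day, source address, failed
attempts). Word lists and policy values are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Tuple

DEFAULT_PASSWORDS = {"admin", "password", "cisco", "changeme", "1234"}   # constructed sample of vendor defaults
DICTIONARY = {"welcome", "summer", "network", "secret", "letmein"}        # constructed; use a full wordlist in practice
PBKDF2_ROUNDS = 50_000


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the salt makes identical passwords hash differently."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: Tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_problems(candidate: str, username: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Returns the slide's rules that the candidate breaks; an empty list means acceptable."""
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("system default password")
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        problems.append("needs a mix of letters, numbers and special characters")
    if username.lower() in lowered:
        problems.append("contains the user name")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if any(verify_password(candidate, old) for old in history):
        problems.append("reused password")
    return problems


@dataclass
class LogonPolicy:
    logon_hours: Tuple[time, time] = (time(7, 0), time(19, 0))   # time-of-day window
    allowed_sources: Tuple[str, ...] = ("192.168.10.0/24",)       # source address restriction
    max_failures: int = 5                                          # unsuccessful attempts before lockout


class Account:
    def __init__(self, username: str, password: str, policy: LogonPolicy):
        self.username = username
        self.policy = policy
        self.history: List[Tuple[bytes, bytes]] = [hash_password(password)]   # newest last
        self.failures = 0
        self.locked = False

    def attempt(self, password: str, source_ip: str, at: datetime) -> str:
        if self.locked:
            return "locked"
        start, end = self.policy.logon_hours
        if not (start <= at.time() <= end):
            return "outside logon hours"
        if not any(ip_address(source_ip) in ip_network(net) for net in self.policy.allowed_sources):
            return "source address not permitted"
        if verify_password(password, self.history[-1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.locked = True
            return "locked"
        return "bad password"


def demo() -> List[str]:
    """Walks one constructed account through the restrictions; returns the outcomes in order."""
    acct = Account("alice", "Correct-Horse#Battery7", LogonPolicy())
    inside = datetime(2010, 1, 28, 10, 0)
    late = datetime(2010, 1, 28, 23, 0)
    results = [
        acct.attempt("Correct-Horse#Battery7", "192.168.10.20", inside),
        acct.attempt("Correct-Horse#Battery7", "203.0.113.7", inside),
        acct.attempt("Correct-Horse#Battery7", "192.168.10.20", late),
    ]
    results += [acct.attempt("wrong", "192.168.10.20", inside) for _ in range(5)]
    results.append(acct.attempt("Correct-Horse#Battery7", "192.168.10.20", inside))
    return results
```

The restrictions are checked before the password so that an attempt from the wrong network or at the wrong hour never reaches the hash comparison, and the lockout stays in force even when the correct password arrives afterwards.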

  29. Encryption
     • Use of keys to scramble data to prevent eavesdropping
     • Symmetric vs. asymmetric keys
     • Encryption systems

  30. Encryption
     • Use of algorithm to scramble data into a format read by algorithm reversal (decryption)
     • Purpose: information privacy
     • Key encryption
       – Based on number of bits
       – Strength of encryption doubles with each bit

  31. Key Encryption
     Figure 12-6 Key encryption and decryption

  32. Private (Symmetric) Key Encryption
     • Data encrypted using single key known by sender and receiver
     • Symmetric encryption: same key used during both encryption and decryption
     • DES (Data Encryption Standard)
       – Most popular private key encryption
       – IBM developed (1970s)
       – 56-bit key: secure at the time
     • Triple DES: weaves 56-bit key three times

  33. Symmetric Key Encryption

  34. Private Key Encryption
     • AES (Advanced Encryption Standard)
       – Weaves 128, 160, 192, 256 bit keys through data multiple times
       – Uses Rijndael algorithm
       – More secure than DES
       – Much faster than Triple DES
       – Replaced DES in high security level situations
     • Private key encryption drawback: sender must somehow share key with recipient

  35. Public (Asymmetric) Key Encryption
     • Data encrypted using two keys
       – Private key: user knows
       – Public key: anyone may request
     • Public key server: publicly accessible host that freely provides users’ public keys
     • Key pair: combination of public key and private key
     • Asymmetric encryption: requires two different keys
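Slides 32 to 35 describe the two key models and the drawback that motivates the second one: with a single key the sender must somehow get that key to the recipient. The following is an added example, not code from the textbook, that puts both models side by side in one program. The symmetric cipher is a demonstration construction (HMAC-SHA256 run in counter mode to produce a keystream), used because Python's standard library ships no AES; the asymmetric half is textbook RSA with small, locally generated primes and no padding, so it is readable rather than deployable. Messages and key sizes are constructed for the example.

```python
"""Added example (illustrative, not the textbook's code): the two key models
side by side. The symmetric cipher is a demonstration construction built from
HMAC-SHA256 in counter mode, standing in for AES because the standard library
has no block cipher; the asymmetric half is textbook RSA with small primes and
no padding, so it is readable, not deployable."""
import hashlib
import hmac
import math
import os
from typing import Tuple


# ---- symmetric: one shared secret key ----------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                       # fresh per message; never reuse with the same key
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ciphertext))   # the same key reproduces the same keystream
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


# ---- asymmetric: a key pair ---------------------------------------------------
def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def _next_prime(n: int) -> int:
    while not _is_prime(n):
        n += 1
    return n


def rsa_keygen(e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (public, private) = ((n, e), (n, d)). Primes just above 2**32 keep
    the numbers small enough to read; real keys use primes of 1024+ bits."""
    p = _next_prime(2 ** 32)
    q = _next_prime(2 ** 32 + 2 ** 20)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:   # e must be invertible modulo phi(n)
        q = _next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public: Tuple[int, int], message: bytes) -> int:
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("textbook RSA can only encrypt an integer smaller than n")
    return pow(m, e, n)


def rsa_decrypt(private: Tuple[int, int], ciphertext: int) -> bytes:
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> dict:
    """Shows the key-distribution difference the slides describe."""
    # Symmetric: both ends must already hold the same key, so the sender has to
    # get it to the recipient somehow (the drawback the AES slide names).
    shared = os.urandom(32)
    blob = symmetric_encrypt(shared, b"meet at 10")
    # Asymmetric: the recipient publishes (n, e); anyone can encrypt to it, and
    # only the holder of d can decrypt.
    public, private = rsa_keygen()
    c = rsa_encrypt(public, b"pin:4921")
    return {
        "symmetric_roundtrip": symmetric_decrypt(shared, blob),
        "symmetric_wrong_key": symmetric_decrypt(os.urandom(32), blob),
        "asymmetric_roundtrip": rsa_decrypt(private, c),
    }
```

Decrypting with a different symmetric key yields garbage rather than an error, which is why real symmetric systems add an authentication tag; and the RSA half shows the property slide 35 states, that encryption needs only the published half of the pair while decryption needs the private half.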

  36. Figure 12-8 Public key encryption

  37. Public Key Encryption: PKI – Public Key Infrastructure
     • RC4
       – Key up to 2048 bits long
       – Highly secure, fast
       – E-mail, browser program use (Lotus Notes, Netscape)
     • Digital certificate
       – Password-protected, encrypted file
       – Holds identification information
       – Public key
     • CA (certificate authority)
       – Issues, maintains digital certificates
       – Example: Verisign

  38. Data Encryption Systems
     • Pretty Good Privacy (PGP): used with e-mail
     • Secure Sockets Layer (SSL): used with HTTPS
     • Secure Shell (SSH): replaces Telnet; uses SSL
     • Secure Copy (SCP): replaces FTP; uses SSL
     • IP Security (IPSec): used at Network layer with VPNs

  39. PGP (Pretty Good Privacy)
     • Secures e-mail transmissions
     • Developed by Phil Zimmermann (1990s)
     • Public key encryption system
       – Verifies e-mail sender authenticity
       – Encrypts e-mail data in transmission
     • Administered at MIT
     • Freely available: open source and proprietary
     • Also used to encrypt storage device data

  40. SSL (Secure Sockets Layer)
     • Encrypts TCP/IP transmissions
       – Web pages, data entered into Web forms
       – En route between client and server
       – Using public key encryption technology
     • Web pages using HTTPS
       – HTTP over Secure Sockets Layer, HTTP Secure
       – Data transferred from server to client (and vice versa) using SSL encryption
       – HTTPS uses TCP port 443
     • Used by SSL VPNs

  41. SSL (cont’d.)
     • SSL session
       – Association between client and server
       – Specific set of encryption techniques
       – Created by SSL handshake protocol, which allows client and server to authenticate
     • SSL: Netscape originally developed
     • IETF attempted to standardize: TLS (Transport Layer Security) protocol

  42. HTTPS
     • Based on SSL
     • Presentation layer encryption
     • Uses port 443
     • Browser may show padlock symbol or green color
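Slides 40 to 42 describe the SSL/TLS session: a handshake on port 443 that lets client and server authenticate and agree on a set of encryption techniques. The following is an added example, not code from the textbook, showing what that means on the client side in Python's ssl module: a context that requires and checks the server certificate and refuses the original SSL versions (and TLS 1.0/1.1), beside the misconfiguration that encrypts without authenticating. The host name in the connecting helper is a placeholder; the two context functions run offline.

```python
"""Added example (illustrative, not the textbook's code): configuring Python's
ssl module so that a client refuses the obsolete SSL/early-TLS versions and
insists on the authenticated handshake the slide describes. Host names are
placeholders; nothing here connects unless you call fetch_session_info."""
import socket
import ssl
from typing import Dict

HTTPS_PORT = 443   # the port HTTPS uses, as on the slide


def hardened_client_context() -> ssl.SSLContext:
    """Server certificate required, host name checked, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSL 2/3 and TLS 1.0/1.1 are refused
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to avoid: encryption without authentication. Any
    certificate, including one presented by a man in the middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarises the settings that decide whether the handshake authenticates the server."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_session_info(host: str, ctx: ssl.SSLContext = None) -> Dict[str, object]:
    """Performs the handshake with a real server (network required; host is a
    placeholder you supply) and returns the protocol version and cipher suite
    negotiated for the resulting session."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, HTTPS_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, protocol, bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": cipher_name, "key_bits": bits}


if __name__ == "__main__":
    print("hardened:", describe(hardened_client_context()))
    print("weak:    ", describe(weak_client_context()))
```

With the weak context the browser padlock the slide mentions would never appear, because nothing ties the key exchange to the site's identity; `fetch_session_info` is where the "specific set of encryption techniques" of slide 41 becomes visible as the negotiated version and cipher suite.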

  43. SSH (Secure Shell)
     • Collection of protocols
     • Provides Telnet capabilities with security
     • Guards against security threats
       – Unauthorized host access
       – IP spoofing
       – Interception of data in transit
       – DNS spoofing
     • Encryption algorithm (depends on version): DES, Triple DES, RSA, Kerberos

  44. SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
     • Part of SSH, which runs on port 22
     • SCP (Secure CoPy) utility
       – Extension to OpenSSH
       – Allows copying of files from one host to another securely
       – Replaces insecure file copy protocols (FTP)
       – Does not encrypt user names, passwords, data
     • Proprietary SSH version (SSH Communications Security)
       – Requires SFTP (Secure File Transfer Protocol) to copy files
       – Slightly different from SCP (does more than copy files)

  45. IPSec (Internet Protocol Security)
     • Defines encryption, authentication, key management
     • Works at Network layer for TCP/IP transmissions
     • Native IPv6 standard
     • Difference from other methods
       – Encrypts data by adding security information to all IP packet headers
       – Transforms data packets
     • Operates at Network layer (Layer 3)
     • Used by L2TP VPN connections

  46. IPSec (cont’d.)
     Figure 12-9 Placement of a VPN concentrator on a WAN

  47. Network Authentication
     • Allows a user to log in to a server or service without revealing the user password to packet sniffers
     • Requires some form of encryption
     • Secure login systems

  48. Authentication Protocols
     • Authentication: process of verifying a user’s credentials to grant user access to secured resources
     • Authentication protocols: rules computers follow to accomplish authentication
     • Several authentication protocol types
       – RADIUS/TACACS
       – PAP
       – CHAP
       – EAP and 802.1x (EAPoL)
       – Kerberos
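Slide 47 states the goal, logging in without revealing the password to a packet sniffer, and slide 48 lists CHAP among the protocols that achieve it. The following is an added example, not code from the textbook, that carries out a CHAP exchange as RFC 1994 defines it, with the authenticator and the peer in one process and every message that would cross the link recorded: the response is MD5(identifier || secret || challenge), so the secret itself is never transmitted and a captured response cannot be reused against a fresh challenge. User names and secrets are constructed for the example.

```python
"""Added example (illustrative, not the textbook's code): a CHAP exchange as
RFC 1994 defines it, with both ends in one process. The response is
MD5(identifier || shared secret || challenge), so the secret itself never
crosses the link, and every login uses a fresh challenge. User names and
secrets are constructed for the example."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SHARED_SECRETS: Dict[str, bytes] = {"alice": b"correct-horse-battery"}   # constructed secret store


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier + Secret + Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side (e.g. a remote access server consulting its secret store)."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._next_id = 1
        self._pending: Dict[int, bytes] = {}     # outstanding challenges by identifier
        self.wire: List[Tuple] = []              # every message that crossed the link

    def send_challenge(self) -> Tuple[int, bytes]:
        identifier = self._next_id
        self._next_id = self._next_id % 255 + 1  # the identifier field is one byte
        challenge = os.urandom(16)               # unpredictable, fresh for every attempt
        self._pending[identifier] = challenge
        self.wire.append(("CHALLENGE", identifier, challenge))
        return identifier, challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        self.wire.append(("RESPONSE", identifier, name, response))
        challenge = self._pending.pop(identifier, None)   # each challenge is usable once
        secret = self._secrets.get(name)
        ok = (challenge is not None and secret is not None
              and hmac.compare_digest(chap_response(identifier, secret, challenge), response))
        self.wire.append(("SUCCESS" if ok else "FAILURE", identifier))
        return ok


def peer_login(auth: ChapAuthenticator, name: str, secret: bytes) -> bool:
    """The client side: answer the challenge using its own copy of the secret."""
    identifier, challenge = auth.send_challenge()
    return auth.verify(identifier, name, chap_response(identifier, secret, challenge))


def secret_seen_on_wire(auth: ChapAuthenticator, secret: bytes) -> bool:
    """What a packet sniffer on the link could recover: does the secret appear in any message?"""
    return any(secret in field for msg in auth.wire for field in msg if isinstance(field, bytes))


def replayed_response_accepted(auth: ChapAuthenticator) -> bool:
    """Resending the most recent captured RESPONSE against a new challenge is
    rejected, because the hash was bound to the old challenge value."""
    captured = [m for m in auth.wire if m[0] == "RESPONSE"][-1]
    new_identifier, _ = auth.send_challenge()
    return auth.verify(new_identifier, captured[2], captured[3])


if __name__ == "__main__":
    auth = ChapAuthenticator(SHARED_SECRETS)
    print("login:", peer_login(auth, "alice", SHARED_SECRETS["alice"]))
    print("secret visible on wire:", secret_seen_on_wire(auth, SHARED_SECRETS["alice"]))
    print("replay accepted:", replayed_response_accepted(auth))
```

Contrast this with PAP from the same list, which sends the password itself in the clear. Note also that CHAP needs the server to keep the secret in a form it can hash (cleartext or reversibly encrypted), a trade-off a RADIUS or TACACS deployment has to weigh when choosing between PAP and CHAP on the access server.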

  49. RADIUS and TACACS
     • Provides centralized network authentication, accounting for multiple users
       – Defined by IETF
       – Runs over UDP
     • RADIUS server
       – Central authentication of users
       – Does not replace functions performed by remote access server
     • TACACS (Terminal Access Controller Access Control System): similar, earlier centralized authentication version

  50. RADIUS and TACACS (cont’d.)
     Figure 12-10 A RADIUS server providing centralized authentication
