
Chapter Fifteen

daxia

Presentation Transcript


  1. Chapter Fifteen Network Security

  2. Objectives • Identify security risks in LANs and WANs • Explain how physical security contributes to network security • Discuss hardware- and design-based security techniques

  3. Objectives • Use network operating system techniques to provide basic security • Implement enhanced security through specialized software • Describe the elements of an effective security policy

  4. Terminology • A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them • A cracker is someone who uses his or her knowledge of operating systems and utilities to intentionally damage or destroy data or systems • In general, root refers to a highly privileged user ID that has all rights to create, delete, modify, move, read, write, or execute files on a system • A firewall is a specialized device that selectively filters or blocks traffic between networks

  5. Security Audits • Assessment of an organization’s security risks • Regular security audits should be performed at least annually and preferably quarterly • You should also conduct a security audit after making any significant changes to your network

  6. Security Risks • Social engineering • Manipulating relationships to circumvent network security measures and gain access to a system • Some risks associated with people: • Intruders or attackers using social engineering or snooping to obtain passwords • An administrator incorrectly creating or configuring user IDs, groups, and their associated rights on a file server

  7. Security Risks • Some risks associated with people (cont.): • Network administrators overlooking security flaws in topology or hardware configuration • Network administrators overlooking security flaws in operating system or application configuration • Lack of proper documentation and communication of security policies • Dishonest or disgruntled employees abusing their file and access rights • An unused computer or terminal being left logged into the network

  8. Security Risks • Some risks associated with people (cont.): • Users or administrators choosing easy-to-guess passwords • Authorized staff leaving computer room doors open or unlocked • Staff discarding disks or backup tapes in public waste containers • Administrators neglecting to remove access files and rights for former employees • Users leaving passwords out in open spaces

  9. Risks Associated with Hardware and Network Design • Inherent risks in network hardware and design: • Wireless transmission can typically be intercepted • Networks that use leased lines are vulnerable to eavesdropping • Network hubs broadcast traffic over the entire segment • If they are not disabled, unused hubs, routers, or server ports can be exploited and accessed by crackers

  10. Risks Associated with Hardware and Network Design • Inherent risks in network hardware and design (cont.): • If routers are not properly configured to mask internal subnets, users on outside networks can read the private addresses • Modems attached to network devices may be configured to accept incoming calls • Dial-in access servers used by telecommuting or remote staff may not be carefully secured and monitored • Computers hosting very sensitive data may coexist on the same subnet with computers open to the general public

  11. Risks Associated with Protocols and Software • Some risks pertaining to networking protocols and software: • TCP/IP contains several security flaws • Trust relationships between one server and another may allow a cracker to access the entire network because of a single flaw • Network operating system software typically contains “backdoors” or security flaws

  12. Risks Associated with Protocols and Software • Some risks pertaining to networking protocols and software (cont.): • If the network operating system allows server operators to exit to a command prompt, intruders could run destructive command-line programs • Administrators might accept the default security options after installing an operating system or application • Transactions that take place between applications may be left open to interception

  13. Risks Associated with Internet Access • Common Internet-related security breaches: • IP spoofing • Outsiders obtain internal IP addresses, then use those addresses to pretend that they have authority to access your internal network from the Internet • When a user Telnets or FTPs to your site over the Internet, his or her user ID and password will be transmitted in plain text • Crackers may obtain information about your user ID from newsgroups, mailing lists, or forms filled out on the Web

  14. Risks Associated with Internet Access • Common Internet-related security breaches (cont.): • Flashing • An Internet user sends commands to another Internet user’s machine that cause the screen to fill with garbage characters • Denial-of-service attack • Occurs when a system becomes unable to function because it has been deluged with messages or otherwise disrupted

  15. Addressing Risks Associated with People • An effective security policy • Typical goals for security policies: • Ensuring that authorized users have appropriate access to the resources they need • Preventing unauthorized users from gaining access to the network, systems, programs, or data • Protecting sensitive data from unauthorized access

  16. Addressing Risks Associated with People • Typical goals for security policies (cont.): • Preventing accidental damage to hardware or software • Preventing intentional damage to hardware or software • Creating an environment where the network and systems can withstand and quickly recover from any type of threat • Communicating each employee’s responsibilities with respect to maintaining data integrity and system security

  17. Security Policy Content • After risks are identified and responsibilities for managing them are assigned, the policy’s outline should be generated with those risks in mind • The security policy should explain clearly to users: • What they can and cannot do • How these measures protect the network’s security

  18. Response Policy • Suggestions for team roles • Dispatcher • Manager • Technical support specialist • Public relations specialist

  19. Passwords • Tips for making and keeping passwords secure: • Do not use the familiar types of passwords • Do not use any word that might appear in a dictionary • Make passwords longer than six characters

  20. Passwords • Tips for making and keeping passwords secure (cont.): • Choose a combination of letters and numbers • Do not write down your password or share it with others • Change your password at least every 90 days

  21. Physical Security FIGURE 15-1 Badge access security system

  22. Physical Security • Bio-recognition access • Device scans an individual’s unique physical characteristics • Relevant questions in assessing physical security: • Which rooms contain critical systems or data and need to be secured? • Through what means might intruders gain access to the facility, computer room, telecommunications room, wiring closet, or data storage areas?

  23. Physical Security • Relevant questions in assessing physical security (cont.): • How and to what extent are authorized personnel granted entry? • Are employees instructed to ensure security after entering or leaving secured areas? • Are authentication methods difficult to forge or circumvent?

  24. Physical Security • Relevant questions in assessing physical security (cont.): • Do supervisors or security personnel make periodic physical security checks? • Are all combinations, codes, or other access means to computer facilities protected at all times? • Does a plan exist for documenting and responding to physical security breaches?

  25. Addressing Risks Associated with Hardware and Design • Firewall • Specialized device that selectively filters or blocks traffic between networks Figure 15-2: Placement of a firewall between a private network and the Internet

  26. Firewalls • Packet filtering firewall • Router that operates at the Data Link and Transport layers of the OSI Model • Also called screening firewalls Figure 15-3: Packet filtering firewall

  27. Firewalls • Criteria that a firewall might use to accept or deny data: • Source and destination IP addresses • Source and destination ports • TCP, UDP, or ICMP protocols

  28. Firewalls • Criteria that a firewall might use to accept or deny data (cont.): • Packet’s status as the first packet in a new data stream or a subsequent packet • Packet’s status as inbound or outbound to or from your private network • Packet’s status as originating from or being destined for an application on your private network
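The criteria on slides 27 and 28, evaluated as a first-match rule list with a default deny. This is an added example, not part of the original presentation; the 192.168.10.0/24 LAN, the rule set and the `Packet`/`Rule` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("192.168.10.0/24")  # constructed private LAN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False     # TCP flags; SYN without ACK opens a new stream
    ack: bool = False

@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "deny"
    direction: str = "any"             # "in", "out" or "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None        # None matches every port
    new_stream: Optional[bool] = None  # None matches first and later packets

def direction(pkt):  # inbound if destined for the private network
    return "in" if ipaddress.ip_address(pkt.dst) in INTERNAL else "out"

def matches(rule, pkt):
    is_new = pkt.proto == "tcp" and pkt.syn and not pkt.ack
    return (rule.direction in ("any", direction(pkt))
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.new_stream in (None, is_new))

def decide(rules, pkt):
    for rule in rules:
        if matches(rule, pkt):
            return rule.action       # first matching rule wins
    return "deny"                    # anything unmatched is denied

RULES = [  # constructed rule set for the 192.168.10.0/24 LAN
    Rule("deny", "in", src="192.168.10.0/24"),  # outside packet claiming an inside source
    Rule("accept", "in", dst="192.168.10.5/32", proto="tcp", dport=443),
    Rule("accept", "out", src="192.168.10.0/24"),
    Rule("accept", "in", proto="tcp", new_stream=False),  # later packets only
]
```

The last rule is a stateless check on TCP flags: it admits any inbound non-SYN segment, so it does not confirm that the stream was actually opened from inside.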

  29. Firewalls • Proxy service • Software application on a network host that acts as an intermediary between external and internal networks • Network host that runs the proxy service is known as a proxy server, or gateway

  30. Firewalls Figure 15-4: Proxy server used on a WAN

  31. Firewalls • Questions to ask when choosing a firewall: • Does the firewall support encryption? • Does the firewall support authentication? • Does the firewall allow you to manage it centrally and through a standard interface?

  32. Firewalls • Questions to ask when choosing a firewall (cont.): • How easily can you establish rules for access to and from the firewall? • Does the firewall support filtering at the highest layers of the OSI Model? • Does the firewall provide logging and auditing capabilities, or alert you to intrusions? • Does the firewall protect the identity of your internal LAN’s addresses from the outside world?

  33. Remote Access • Remote access • Capability for traveling employees, telecommuters, or distant vendors to access an organization’s private LAN or WAN through specialized remote access servers

  34. Remote Control • Important security features for a remote control program: • Login ID and password requirements for gaining access to the host system • Ability for the host system to call back • Support for data encryption on transmissions between the remote user and the system

  35. Remote Control • Important security features for a remote control program (cont.): • Ability to leave the host system’s screen blank while a remote user works on it • The ability to disable the host system’s keyboard and mouse • Ability to restart the host system when a remote user disconnects from the system

  36. Dial-Up Networking • Recommended features for a secure remote access server package: • Login ID and password authentication • Ability to log all dial-up connections, their resources, and their connection times • Ability to perform callbacks to users who initiate connections • Centralized management of dial-up users and their rights on the network

  37. Remote Authentication Dial-In User Service (RADIUS) • Terminal Access Controller Access Control System (TACACS) • Centralized authentication system for remote access servers that is similar to RADIUS Figure 15-5: RADIUS server providing central authentication

  38. Addressing Risks Associated with Protocols and Software • Restrictions that network administrators can use to strengthen the security of their networks • Some users may be valid only during specific hours • Some user IDs may be restricted to a specific number of hours per day of logged-in time • You can specify that user IDs can log in only from certain workstations or certain areas of the network • Set a limit on how many unsuccessful login attempts from a single user the server will accept before blocking that ID from even attempting to log on
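The four logon restrictions on slide 38, applied in order by one login check. This is an added example, not part of the original presentation; the `Account` fields, the reason codes, the default limits and the sample addresses are assumptions made for illustration.

```python
import hashlib, hmac, ipaddress, os
from dataclasses import dataclass
from datetime import datetime, time, timedelta

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    hours: tuple = (time(8, 0), time(18, 0))      # valid login window
    daily_limit: timedelta = timedelta(hours=8)   # logged-in time allowed per day
    used_today: timedelta = timedelta(0)
    networks: tuple = ("192.168.10.0/24",)        # permitted workstation subnets
    max_failures: int = 3                         # bad passwords before lockout
    failures: int = 0
    locked: bool = False

def make_account(user_id, password, **limits):
    salt = os.urandom(16)
    return Account(user_id, salt, hash_password(password, salt), **limits)

def login(acct, password, workstation_ip, when):
    """Return a reason code for the audit log; show users only success or failure."""
    if acct.locked:
        return "locked"              # blocked before the password is even checked
    start, end = acct.hours
    if not start <= when.time() < end:
        return "outside-hours"
    if acct.used_today >= acct.daily_limit:
        return "daily-limit"
    addr = ipaddress.ip_address(workstation_ip)
    if not any(addr in ipaddress.ip_network(n) for n in acct.networks):
        return "bad-workstation"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        acct.locked = acct.failures >= acct.max_failures
        return "locked" if acct.locked else "bad-password"
    acct.failures = 0                # a successful login resets the counter
    return "ok"
```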

  39. Encryption • Use of an algorithm to scramble data into a format that can be read only by reversing the algorithm • In order to protect data, encryption provides the following assurances: • Data were not modified after the sender transmitted them and before the receiver picked them up • Data can only be viewed by their intended recipient (or at their intended destination) • All of the data received at the intended destination were truly issued by the stated sender and not forged by an intruder

  40. Encryption • The most popular kind of encryption weaves a key (random string of characters) into the original data’s bits to generate a unique data block • The scrambled data block is known as cipher text • The longer the key, the less easily the cipher text can be decrypted by an unauthorized system

  41. Encryption Figure 15-6: Key encryption and decryption

  42. Encryption • Private key encryption • Data are encrypted using a single key that only the sender and receiver know • Also known as symmetric encryption • The most popular private key encryption is the Data Encryption Standard (DES)

  43. Encryption Figure 15-17: Private key encryption

  44. Encryption • Public key encryption • Data are encrypted using two keys • Also known as asymmetric encryption • Public-key server • Freely provides a list of users’ public keys • Combination of public key and private key is known as a key pair

  45. Encryption • Digital certificates • Password-protected and encrypted file holding an individual’s identification information Figure 15-8: Public key encryption

  46. Encryption Figure 15-8: Public key encryption

  47. Kerberos • Cross-platform authentication protocol using key encryption to verify the identity of clients and to securely exchange information once a client logs onto a system • The server issuing keys to clients during initial client authentication is known as a key distribution center (KDC) • In order to authenticate a client, the KDC runs an authentication service (AS) • An AS issues a ticket (temporary set of credentials) • A Kerberos client, or user, is known as a principal

  48. Kerberos • Session key • Issued to both client and service by the authentication service; uniquely identifies their session • Authenticator • User’s timestamp encrypted with the session key • Ticket granting service (TGS) • Application separate from AS that also runs on the KDC • TGS issues client a ticket granting ticket (TGT)

  49. PGP and SSL • Pretty Good Privacy (PGP) • Public key encryption system that verifies authenticity of an e-mail sender and encrypts e-mail data in transmission • Secure Sockets Layer (SSL) • Method of encrypting TCP/IP transmissions en route between client and server using public key encryption technology

  50. SSL • HTTPS • URL prefix indicating a Web page requires its data to be exchanged between client and server using SSL encryption • SSL session • Association between the client and server identified by an agreement on a specific set of encryption techniques • Handshake protocol • Perhaps the most significant protocol within SSL
