630 likes | 794 Views
Devices. Chapter 9. Learning Objectives. Understand the purpose of a network firewall and the kinds of firewall technology available on the market Understand the role of routers, switches, and other networking hardware in security
E N D
Devices Chapter 9
Learning Objectives • Understand the purpose of a network firewall and the kinds of firewall technology available on the market • Understand the role of routers, switches, and other networking hardware in security • Determine when VPN or RAS technology works to provide a secure network connection
Firewalls • Hardware or software device that provides a means of securing a computer or network from unwanted intrusion • Dedicated physical device that protects network from intrusion • Software feature added to a router, switch, or other device that prevents traffic to or from part of a network
Management Cycle forFirewall Protection • Draft a written security policy • Design the firewall to implement the policy • Implement the design by installing selected hardware and software • Test the firewall • Review new threats, requirements for additional security, and updates to systems and software; repeat process from first step
Drafting a Security Policy • What am I protecting? • From whom? • What services does my company need to access over the network? • Who gets access to what resources? • Who administers the network?
Available Targets and Who Is Aiming at Them • Common areas of attack • Web servers • Mail servers • FTP servers • Databases • Intruders • Sport hackers • Malicious hackers
Who Gets Access to Which Resources? • List employees or groups of employees along with files and file servers and databases and database servers they need to access • List which employees need remote access to the network
Who Administers the Network? • Determine individual(s) and scope of individual management control
Designing the Firewallto Implement the Policy • Select appropriate technology to deploy the firewall
What Do Firewalls Protect Against? • Denial of service (DoS) • Ping of death • Teardrop or Raindrop attacks • SYN flood • LAND attack • Brute force or smurf attacks • IP spoofing
How Do Firewalls Work? • Network address translation (NAT) • Basic packet filtering • Stateful packet inspection (SPI) • Application gateways • Access control lists (ACL)
Network Address Translation (NAT) • Only technique used by basic firewalls • Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic • Each active connection requires a unique external address for duration of communication • Port address translation (PAT) • Derivative of NAT • Supports thousands of simultaneous connections on a single public IP address
Basic Packet Filtering • Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules • Can be configured to screen information based on many data fields: • Protocol type • IP address • TCP/UDP port • Source routing information
Stateful Packet Inspection (SPI) • Controls access to network by analyzing incoming/outgoing packets and letting them pass or not based on IP addresses of source and destination • Examines a packet based on information in its header • Enhances security by allowing the filter to distinguish on which side of firewall a connection was initiated; essential to blocking IP spoofing attaches
Access Control Lists (ACL) • Rules built according to organizational policy that defines who can access portions of the network
Routers • Network management device that sits between network segments and routes traffic from one network to another • Allows networks to communicate with one another • Allows Internet to function • Act as digital traffic cop (with addition of packet filtering)
How a Router Moves Information • Examines electronic envelope surrounding a packet; compares address to list of addresses contained in router’s lookup tables • Determines which router to send the packet to next, based on changing network conditions
Beyond the Firewall • Demilitarized zone (DMZ) • Bastion hosts (potentially)
Demilitarized Zone • Area set aside for servers that are publicly accessible or have lower security requirements • Sits between the Internet and internal network’s line of defense • Stateful device fully protects other internal systems • Packet filter allows external traffic only to services provided by DMZ servers • Allows a company to host its own Internet services without sacrificing unauthorized access to its private network
Bastion Hosts • Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services • Gateway between an inside network and an outside network • Defends against attacks aimed at the inside network; used as a security measure • Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled • Do not share authentication services with trusted hosts within the network
Application Gateways • Also known as proxy servers • Monitor specific applications (FTP, HTTP, Telnet) • Allow packets accessing those services to go to only those computers that are allowed • Good backup to packet filtering
Application Gateways • Security advantages • Information hiding • Robust authentication and logging • Simpler filtering rules • Disadvantage • Two steps are required to connect inbound or outbound traffic; can increase processor overhead
OSI Reference Model • Architecture that classifies most network functions • Seven layers • Application • Presentation • Session • Transport • Network • Data-Link • Physical
The OSI Stack • Layers 4 and 5 • Where TCP and UDP ports that control communication sessions operate • Layer 3 • Routes IP packets • Layer 2 • Delivers data frames across LANs
Limitations of Packet-Filtering Routers • ACL can become long, complicated, and difficult to manage and comprehend • Throughput decreases as number of rules being processed increases • Unable to determine specific content or data of packets at layers 3 through 5
Switches • Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task • Reduce collision domain to two nodes (switch and host) • Main benefit over hubs • Separation of collision domains limits the possibility of sniffing
Switch Security • ACLs • Virtual Local Area Networks (VLANs)
Virtual Local Area Network • Uses public wires to connect nodes • Broadcast domain within a switched network • Uses encryption and other security mechanisms to ensure that • Only authorized users can access the network • Data cannot be intercepted • Clusters users in smaller groups • Increases security from hackers • Reduces possibility of broadcast storm
Security Problems with Switches • Common ways of switch hijacking • Try default passwords which may not have been changed • Sniff network to get administrator password via SNMP or Telnet
Securing a Switch • Isolate all management interfaces • Manage switch by physical connection to a serial port or through secure shell (SSH) or other encrypted method • Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping continued…
Securing a Switch • Put switch behind dedicated firewall device • Maintain the switch; install latest version of software and security patches • Read product documentation • Set strong passwords
Wireless • Almost anyone can eavesdrop on a network communication • Encryption is the only secure method of communicating with wireless technology
DSL versus Cable Modem Security • DSL • Direct connection between computer/network and the Internet • Cable modem • Connected to a shared segment; party line • Most have basic firewall capabilities to prevent files from being viewed or downloaded • Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering
Dynamic versus Static IP Addressing • Static IP addresses • Provide a fixed target for potential hackers • Dynamic IP addresses • Provide enhanced security • By changing IP addresses of client machines, DHCP server makes them moving targets for potential hackers • Assigned by the Dynamic Host Configuration Protocol (DHCP)
Remote Access Service (RAS) • Provides a mechanism for one computer to securely dial in to another computer • Treats modem as an extension of the network • Includes encryption and logging • Accepts incoming calls • Should be placed in the DMZ
Security Problems with RAS • Behind physical firewall; potential for network to be compromised • Most RAS systems offer encryption and callback as features to enhance security
Telecom/Private Branch Exchange (PBX) • PBX • Private phone system that offers features such as voicemail, call forwarding, and conference calling • Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability
PBX Security Concerns • Remote PBX management • Hoteling or job sharing • Many move codes are standardized and posted on the Internet
Virtual Private Networks • Provide secure communication pathway or tunnel through public networks (eg, Internet) • Lowest levels of TCP/IP are implemented using existing TCP/IP connection • Encrypts either underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery • Further enhances security by implementing Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) • Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode) • Enables a VPN to eliminate packet sniffing and identity spoofing • Requirement of Internet Protocol version 6 (IPv6) specification
Intrusion Detection Systems (IDS) • Monitor networks and report on unauthorized attempts to access any part of the system • Available from many vendors • Forms • Software (computer-based IDS) • Dedicated hardware devices (network-based IDS) • Types of detection • Anomaly-based detection • Signature-based detection