Network Security. Chapter Eleven. Prepared by: Raval, Fichadia. Raval • Fichadia, John Wiley & Sons, Inc. 2007.
Chapter Eleven Objectives
• Learn the basic concepts of networks and associated terminology.
• Understand the risks that impact networks and the controls to mitigate them.
• Gain the skills to assess the security posture of a network and make management recommendations.
• Apply security principles and best practices to a network.
The Big Picture: Elements of a network. Some risks that impact networks.
Network primer. Networks: A series of interconnected nodes that can communicate with each other.
• Networks allow computers to talk to each other for functionality (e-mail, B2B), for sharing workload (client-server), and for specialization (printers print).
• Communication occurs via agreed-upon protocols such as TCP/IP, SNA, etc.
• The Internet is THE network, interconnecting millions of computers. Internal company networks are often called intranets.
Network primer. Networks: The OSI model defines the conceptual framework for putting together a network.
• Open Systems Interconnect (OSI) proposes a network stack with seven layers.
• The layers are: application, presentation, session, transport, network, data link, and physical.
• Layers are numbered in descending order, i.e., the application layer is layer 7 and the physical layer is layer 1.
• Each layer performs a specific task and is independent of the others.
Network primer. Networks: Seven layers of the OSI model.
• Application layer: Provides different network services to user applications.
• Presentation layer: Deals with the syntax and semantics of transmitted data. It converts the presentation format of incoming and outgoing data.
• Session layer: Sets up, manages, and terminates conversations between applications. Deals with session and connection coordination.
• Transport layer: Manages complete data transfer by providing end-to-end communication control and error checking.
Network primer. Networks: Seven layers of the OSI model, contd.
• Network layer: Deals with addressing and routing data on the network.
• Data link layer: Deals with proper framing of data bits on the physical media and ensures error control between adjacent nodes.
• Physical layer: Deals with transmission of bits over the physical media. Provides connectivity of the node to the transmission media.
• Useful mnemonic: All People Seem To Need Data Processing.
Network primer. Networks: Encapsulation/decapsulation of data.
• Data has to be passed from the application layer on one node to the application layer on another across the network.
• Each layer adds a header and passes the data to the layer below. This process is called encapsulation.
• The physical layer, the lowermost layer, sends the data over the physical medium to the destination.
• Upon reaching the destination's physical layer, data is passed up the stack.
• Each destination layer strips off the header meant for it and passes the rest on to the layer above. This process is called decapsulation.
• The headers contain information for the corresponding layer on the receiving end.
Network primer. Networks: The TCP/IP model defines specifications of network layers.
• The TCP/IP model is similar to the OSI model; however, it has only four layers.
• The layers are: application, transport, internetwork, and network access.
• Layers are numbered in descending order, i.e., the application layer is layer 4 and the network access layer is layer 1.
• Each layer performs a specific task and is independent of the others.
• The model provides actual specifications via various protocol definitions (unlike the OSI model).
• The model specifies several dozen protocols, but is named after two of its most famous protocols: TCP and IP.
• Similar to the OSI model, the TCP/IP model goes through the process of encapsulation and decapsulation.
Network primer. Networks: Four layers of the TCP/IP model.
• Application layer: Corresponds to the top three layers (application, presentation, session) of the OSI model. Protocols at this layer include SMTP (e-mail), HTTP (web), and FTP (file transfers).
• Transport layer: Corresponds to layer 4 (transport) of the OSI model. Protocols include TCP and UDP.
• Internetwork layer: Corresponds to layer 3 (network) of the OSI model. Protocols include IP and ICMP.
• Network access layer: Corresponds to layers 1 and 2 (physical and data link) of the OSI model. Works with Ethernet/token ring types of technologies.
(Some refer to the internetwork layer as the network layer and to the network access layer as the data link layer.)
Network primer. Networks: Role of the four layers of the TCP/IP model.
• Application layer: End user applications use protocols at this layer to communicate. For example, a web browser uses the HTTP protocol.
• Transport layer: Uses protocols like TCP to open a connection with the destination and to ensure data sent is indeed received.
• Internetwork layer: Uses protocols like IP to route the data packets across the Internet to the destination IP address.
• Network access layer: Deals with getting data from the destination router to the appropriate computer on the network.
Network primer. Networks: Encapsulation/decapsulation of data on a TCP/IP network.
• Data has to be passed from the application layer on one node to the application layer on another across the network.
• Each layer adds a header and passes the data to the layer below. This process is called encapsulation.
• The physical layer, the lowermost layer, sends the data over the physical medium to the destination.
• Upon reaching the destination's physical layer, data is passed up the stack.
• Each destination layer strips off the header meant for it and passes the rest on to the layer above. This process is called decapsulation.
• The headers contain information for the corresponding layer on the receiving end.
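The header-adding and header-stripping steps above, as an added example that is not code from the slides. The header layouts are simplified and assumed (one small header per layer, not the real TCP, IP or Ethernet formats), and the addresses and payload are constructed.

```python
import struct

# Assumed minimal header layouts, in network byte order (not the real
# TCP/IP/Ethernet formats, just enough to show one header per layer):
#   transport header:      source port, destination port          -> "!HH"
#   internetwork header:   source IP, destination IP (4 bytes each) -> "!4s4s"
#   network access header: destination MAC, source MAC (6 bytes)   -> "!6s6s"
TRANSPORT = struct.Struct("!HH")
INTERNET = struct.Struct("!4s4s")
LINK = struct.Struct("!6s6s")


def ip_bytes(addr: str) -> bytes:
    """Dotted-decimal IPv4 text to its four octets."""
    return bytes(int(o) for o in addr.split("."))


def encapsulate(payload: bytes, sport: int, dport: int,
                src_ip: str, dst_ip: str,
                src_mac: bytes, dst_mac: bytes) -> bytes:
    """Each layer prepends its own header and hands the result down."""
    segment = TRANSPORT.pack(sport, dport) + payload                       # transport
    packet = INTERNET.pack(ip_bytes(src_ip), ip_bytes(dst_ip)) + segment   # internetwork
    frame = LINK.pack(dst_mac, src_mac) + packet                           # network access
    return frame


def decapsulate(frame: bytes) -> dict:
    """Each layer reads and strips the header meant for it, passing the rest up."""
    dst_mac, src_mac = LINK.unpack_from(frame)
    packet = frame[LINK.size:]
    src_ip, dst_ip = INTERNET.unpack_from(packet)
    segment = packet[INTERNET.size:]
    sport, dport = TRANSPORT.unpack_from(segment)
    payload = segment[TRANSPORT.size:]
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "sport": sport, "dport": dport, "payload": payload,
    }


# Constructed sample: an HTTP request line from 10.0.0.5 to the slide's
# address 69.58.201.25, port 80, with made-up locally administered MACs.
SAMPLE_FRAME = encapsulate(b"GET / HTTP/1.1\r\n", 40000, 80,
                           "10.0.0.5", "69.58.201.25",
                           bytes.fromhex("020000000005"), bytes.fromhex("020000000001"))

if __name__ == "__main__":
    print(decapsulate(SAMPLE_FRAME))
```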
Network primer. Networks: End-to-end journey of data across a TCP/IP network.
• The internetwork layer needs IP addresses to route data to the destination network (not the destination computer).
• IP addresses contain a network address and a host (computer) address.
• Routers use the network address portion to get data packets to the destination network.
• Once data reaches the destination network, getting it to the right computer is typically done via the ARP protocol.
• Port numbers are used to get the data to the right application on the destination computer.
• The transport layer ensures data reaches the destination, else retransmits it.
Network primer. Networks: IP address scheme.
• The current version of IP addresses is IP version 4.
• IPv4 defines an IP address with 32 bits organized in four octets (8 bits each). IP version 6 has 128 bits.
• The decimal values of the bits in each octet are separated by dots when writing an IP address, e.g. 69.58.201.25.
• A certain number of bits from the left correspond to the network address (69.58.201) and the remaining bits identify the computer (host) on the network (25).
• The subnet mask defines the boundary between the network portion and the host portion of the IP address.
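Splitting the slide's address 69.58.201.25 into its network and host portions with a subnet mask, and deciding whether a destination is on the same network (local delivery) or must go through a router, as an added example that is not code from the slides. The /24 mask (255.255.255.0) is an assumption; the slide does not state one.

```python
def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def int_to_ip(value: int) -> str:
    """32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> str:
    """CIDR prefix length (e.g. 24) to a dotted subnet mask (255.255.255.0)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF)


def split_address(addr: str, mask: str) -> tuple[str, int]:
    """Return (network address, host number): the two parts the slide describes.

    The mask's 1 bits select the network portion; its 0 bits select the host."""
    a, m = ip_to_int(addr), ip_to_int(mask)
    return int_to_ip(a & m), a & (~m & 0xFFFFFFFF)


def same_network(a: str, b: str, mask: str) -> bool:
    """True when both hosts share a network address, so delivery is local
    (via ARP on the destination network) rather than through a router."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


if __name__ == "__main__":
    mask = prefix_to_mask(24)                      # assumed /24 for the slide's address
    print(split_address("69.58.201.25", mask))     # ('69.58.201.0', 25)
```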
Network primer. Networks: Ports.
• Ports identify the unique application/service on a computer that sends or receives the data, e.g. port 80 is used by web server software to receive requests from browsers.
• Port numbers can range from 0 through 65,535.
• IANA designates "well-known" ports (0-1023) for specific purposes, e.g. port 80 is for web traffic, port 25 is for e-mail traffic.
Management concerns. Concerns about network security typically include the following:
• Ensuring the availability of the networks for web traffic, e-commerce/EDI transactions, and e-mail.
• Maintaining the confidentiality and integrity of data flowing over the networks (from home and within the company).
• Building networks with business partners to aid B2B transactions without compromising security.
• Having an effective backup, recovery, business resumption and disaster recovery plan.
Risks and controls. Clear-text transmissions: Data that goes over the network in an unencrypted fashion.
• Networks are shared by multiple computers.
• These computers play nice and read only those packets on the network that are addressed to them. They ignore data packets that aren't meant for them.
• A "sniffer" computer can read packets that aren't meant for it by putting its network card into "promiscuous" mode, thereby accessing unauthorized data.
• Intruders often use sniffers to capture user IDs, passwords, and other sensitive data.
• Sniffers can capture data belonging to others.
Clear-text transmission risks:
• Disclosure of sensitive information.
Controls:
• Employ encryption for sensitive data.
• Limit access to physical networks.
Risks and controls. Modems: Devices that allow users to connect to the Internet.
• Modems can be dial-up modems or cable modems.
• Dial-up modems installed in computers communicate via analog phone lines with modems within company networks or at Internet Service Providers (ISPs).
• Cable modems are highly popular now and connect over cable lines to the cable companies that provide Internet connectivity.
• Cable modems offer much faster speeds than dial-up modems.
• Cable modems are a lot more popular than dial-up modems.
Risks and controls. Dial-up modem risks:
• Intruders use war-dialers to identify company modems and crack the passwords to get in. A single insecure modem can undo the security offered by a million-dollar firewall.
Controls:
• The company should war-dial itself to identify unauthorized modems and disable them.
• Authorized modems should offer no login banners or information that helps intruders fingerprint the modem.
• Employ intruder lockouts and strong user ID and password management routines.
• Consider using modems with two-factor authentication (something you know and something you have).
• Consider using callback modems that return calls to prespecified numbers upon a connection request.
Risks and controls. Cable modem risks:
• Cable modems provide a static target to attackers, often with the same IP address.
• Cable modems may allow users to sniff neighbors' data.
Controls:
• Turn off cable modems when not required.
• Employ personal firewalls on machines behind a cable modem.
• Secure the machines via operating system security practices.
Risks and controls. Virtual Private Networks: Allow for securing traffic sent via the Internet to company networks.
• Remote users often dialed into company modems via toll-free numbers to connect to company networks.
• Dedicated modem lines and toll-free numbers were expensive for companies.
• VPNs solved the problem by encrypting data and sending it over the public network (Internet).
• Remote users just needed a connection to their ISP and a VPN client that connected to a VPN server on the company end.
• Modem banks and dedicated toll-free lines were required for remote connectivity before VPNs.
• VPNs allowed companies to lower costs by securely tunneling data to the company network via the Internet.
Risks and controls. Virtual Private Networks: There are three popular tunneling protocols used for VPNs.
• Point-to-Point Tunneling Protocol (PPTP) by Microsoft works at layer 2 of the OSI model and is natively supported by Windows.
• Layer 2 Tunneling Protocol (L2TP) by Cisco also works at layer 2 of the OSI model and combines features of L2F and PPTP.
• The IPSec protocol by IETF works at layer 3 of the OSI model and generally provides for stronger encryption and data integrity via digital certificates.
Risks and controls. VPN risks:
• VPNs may employ weak authentication mechanisms (when compared against the risk of sending traffic over the Internet).
• An insecure end user machine may allow intruders to bridge into the company network.
• Encryption protocols may be weak.
Controls:
• Use stronger authentication means such as digital certificates or two-factor authentication.
• Ensure the VPN solution uses strong encryption means.
• Employ personal firewalls on machines behind a cable modem.
• Secure the machines via operating system security practices.
Risks and controls. Firewalls (FWs): Devices that control traffic entering and exiting a company network.
• Firewalls act as perimeter sentries for a network.
• All incoming and outgoing traffic goes through the firewall.
• Firewalls have rulesets (policies) that decide what type of traffic passes and what doesn't. For example:
  • Outsiders can access company web pages and can send e-mails, but can't connect to other company servers.
  • Inside employees can connect to external servers, but can't connect to peer-to-peer networks.
• In addition to filtering, some firewalls can provide additional functionality like authentication, virus scanning, intrusion detection, spam filtering, etc.
Risks and controls. Firewalls: There are three main types of firewalls.
• Packet filter (PF) FWs filter based on source and destination IP addresses and/or source and destination port numbers.
• Stateful packet inspection (SPI) FWs build on packet-filtering FWs by looking at the content of the packet. In addition, SPI FWs look at the state of the packet. This ensures that an incoming packet that wasn't a response to a previous outgoing request is dropped.
• Application-level/proxy FWs are conceptually different in that they broker all transactions between the sender and receiver by providing a proxy service to both sides. No other traffic can pass, since proxy software for that traffic isn't present on the FW.
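A toy packet filter with a state table, added here as an example of the PF and SPI behaviour just described (not code from the slides or from any firewall product). The trusted network 10.0.0.0/24, the web server 10.0.0.80, the peer-to-peer port and all traffic in the trace are constructed.

```python
from dataclasses import dataclass

# Assumed topology: the trusted network is 10.0.0.0/24 and the company web
# server is 10.0.0.80. Outside addresses below are constructed examples.
TRUSTED_PREFIX = "10.0.0."
WEB_SERVER = "10.0.0.80"
P2P_PORT = 6881           # assumed peer-to-peer port employees may not reach


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_trusted(addr: str) -> bool:
    return addr.startswith(TRUSTED_PREFIX)


class StatefulFirewall:
    """PF rules on addresses/ports, plus an SPI state table of outbound flows."""

    def __init__(self) -> None:
        # Flows seen leaving the trusted network: (src, sport, dst, dport).
        self.state: set[tuple[str, int, str, int]] = set()

    def policy(self, p: Packet) -> bool:
        """Static packet-filter rules (the PF part of the slide)."""
        if is_trusted(p.src) and not is_trusted(p.dst):
            return p.dport != P2P_PORT        # insiders: anything but P2P
        if not is_trusted(p.src) and p.dst == WEB_SERVER and p.dport == 80:
            return True                       # outsiders: web server only
        return False                          # default deny

    def filter(self, p: Packet) -> str:
        outbound = is_trusted(p.src) and not is_trusted(p.dst)
        if outbound:
            if self.policy(p):
                self.state.add((p.src, p.sport, p.dst, p.dport))
                return "ALLOW"
            return "DROP"
        # Inbound: the SPI check lets a reply through only if its request left
        # earlier; otherwise only the static rules can admit it.
        if (p.dst, p.dport, p.src, p.sport) in self.state or self.policy(p):
            return "ALLOW"
        return "DROP"


def run_trace() -> list[str]:
    """Constructed traffic: a browsing session, a reply to nothing, web hits."""
    fw = StatefulFirewall()
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 80),        # employee -> external web
        Packet("203.0.113.9", 80, "10.0.0.5", 40000),        # matching reply
        Packet("203.0.113.9", 80, "10.0.0.7", 40001),        # unsolicited inbound
        Packet("198.51.100.4", 51000, WEB_SERVER, 80),       # outsider -> company web
        Packet("198.51.100.4", 51001, WEB_SERVER, 22),       # outsider -> SSH: denied
        Packet("10.0.0.5", 40002, "203.0.113.9", P2P_PORT),  # employee -> P2P
    ]
    return [fw.filter(p) for p in trace]
```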
Risks and controls. Firewalls: Firewall placement in the network has security ramifications. Some sample placements include:
• Screening router setup, wherein a packet filter/SPI firewall separates trusted networks from the untrusted network (Internet).
• Dual-homed host setup, wherein a "bastion" host with a proxy FW separates trusted networks from the untrusted network (Internet).
• Screened host setup, a combination of a screening router setup (with packet filter/SPI FW) and a "bastion" host inside the trusted network with a proxy FW.
• Screened subnet setup, wherein an extra screening router (with packet filter/SPI FW) is added and the "bastion" host (with proxy FW) is moved outside the company network into the DeMilitarized Zone (DMZ).
Risks and controls. Firewall risks:
• A properly configured FW has no risk. However, the rulesets can get complicated fast.
• Firewalls don't protect against malicious internal users.
• Firewalls can be undone by rogue modems/wireless APs.
Controls:
• Audit FW rulesets to ensure policies are correctly implemented.
• Use anti-virus, intrusion detection, etc. in addition to firewalls.
• Prevent rogue modems and/or wireless APs.
Risks and controls. Denial of Service (DoS): Attacks on a network aimed at disrupting service to users of the network.
• The attack is not aimed at stealing data or compromising security, but rather at denying legitimate users access to a resource.
• Occurs mostly at the network level, although DoS against operating systems and applications is also possible.
• There are several types of DoS/DDoS attacks.
Types of DoS attacks on networks:
• Network connectivity resource consumption attack
  • The attacker consumes network connectivity resources, denying users the ability to connect to the network.
  • An example is the SYN flood attack, which exploits the TCP handshake for establishing a connection.
  • The attacker sends spoofed SYN packets asking for a connection; however, the victim never receives ACK packets back and keeps waiting. As spoofed SYN packets increase, the victim runs out of resources for valid users to connect.
• Bandwidth consumption attack
  • The attacker consumes all network bandwidth, denying users a place on the network. Attackers magnify their traffic multiple-fold to flood the victim's network via "magnification attacks."
  • An example is the smurf attack, which exploits the ICMP broadcast feature to generate loads of traffic.
  • The attacker finds susceptible routers on the web that allow broadcast pings (one ping to the router causes ping responses from all computers on the network). These are the "amplifier" sites.
  • The attacker sends spoofed ICMP pings purporting to be from the victim to these amplifier sites, which all respond back to the victim, flooding the victim's network.
  • The attacker thus leverages unsuspecting routers on the Internet to attack a victim.
• Distributed DoS attack
  • A single source of attack can often be filtered out. Hence attackers leverage several compromised machines ("zombies") to generate a distributed attack on the victim. These "zombies" come alive on a single command from the attacker and attack the victim.
Risks and controls. DoS risks:
• Risks include loss of revenue and decline in customer faith.
Controls:
• Increase the number of connections and decrease ACK time-outs to mitigate network resource consumption attacks.
• Disable ICMP broadcasts on routers.
• DDoS attacks are difficult to prevent.
  • Receiving routers can't easily identify spoofed packets coming in. Plus, they are bogged down under attack.
  • However, sending routers can detect spoofed packets being generated. Also, they may not be bogged down.
  • Hence, it is easier to prevent a DDoS attack closer to the source than at the victim's site.
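A small simulation of the two network-resource controls above (more connection slots, shorter ACK time-out), added here as an example and not taken from the slides. The backlog model, the spoofed sources and the timings are constructed; it shows why a half-open table of fixed size is exhausted by SYNs that never complete, and how expiring entries sooner keeps room for a legitimate client.

```python
from collections import OrderedDict


class SynBacklog:
    """Half-open connection table of a listening server (constructed model)."""

    def __init__(self, capacity: int, timeout: float) -> None:
        self.capacity = capacity          # "number of connections" control
        self.timeout = timeout            # "ACK time-out" control
        self.half_open: "OrderedDict[tuple[str, int], float]" = OrderedDict()
        self.rejected = 0                 # SYNs turned away because the table was full

    def _expire(self, now: float) -> None:
        """Forget half-open entries whose ACK never came within the time-out."""
        for key, since in list(self.half_open.items()):
            if now - since >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """SYN received: reserve a slot if one is free (SYN-ACK assumed sent)."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.rejected += 1
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        """Final ACK received: the handshake completes only if the slot is still held."""
        self._expire(now)
        return self.half_open.pop((src, sport), None) is not None


def run_flood(capacity: int, timeout: float) -> tuple[bool, int]:
    """Ten spoofed SYNs, one per second, then one legitimate client at t=10.

    Returns (legitimate handshake completed, SYNs rejected for lack of slots).
    """
    backlog = SynBacklog(capacity, timeout)
    for t in range(10):
        # Constructed spoofed source: no ACK will ever arrive for this entry.
        backlog.on_syn(f"192.0.2.{t + 1}", 40000 + t, float(t))
    accepted = backlog.on_syn("198.51.100.7", 50000, 10.0)
    completed = accepted and backlog.on_ack("198.51.100.7", 50000, 10.1)
    return completed, backlog.rejected


if __name__ == "__main__":
    print("small table, long time-out:", run_flood(5, 60.0))    # (False, 6)
    print("small table, short time-out:", run_flood(5, 3.0))    # (True, 0)
    print("large table, long time-out:", run_flood(20, 60.0))   # (True, 0)
```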
Risks and controls. Wireless networks: Popular networking wherein data is passed over the air instead of physical (wired) media.
• Bluetooth/IEEE 802.11 networks are being rapidly adopted because of the convenience they offer.
• Bluetooth works over small distances (a few feet), whereas 802.11 networks work over several hundred feet.
• The chapter focuses on 802.11-based wireless networks.
• While 802.11(b) is the most widely adopted Wireless LAN (WLAN) standard, 802.11(a) and (g) are gaining popularity because of higher transmission speeds.