Network+ Guide to Networks, Fourth Edition
Chapter 14: Network Security
Security Audits
• Every organization should assess security risks by conducting a security audit
  • Thorough examination of each aspect of the network to determine how it might be compromised
  • At least annually, preferably quarterly
• The more devastating a threat’s effects and the more likely it is to happen, the more rigorously your security measures should address it
• In-house or third-party audits
Network+ Guide to Networks, 4e
Security Risks
• Not all security breaches result from manipulation of network technology
  • Staff members purposely or inadvertently reveal passwords
  • Undeveloped security policies
• Malicious and determined intruders may “cascade” their techniques
Risks Associated with People
• Human errors, ignorance, and omissions cause the majority of security breaches
• Risks associated with people:
  • Social engineering or snooping to obtain passwords
  • Incorrectly creating or configuring user IDs, groups, and their associated rights on a file server
  • Overlooking security flaws in topology or hardware configuration
  • Overlooking security flaws in OS or application configuration
  • Lack of documentation and communication
Risks Associated with Transmission and Hardware
• Risks inherent in network hardware and design:
  • Transmissions can be intercepted
  • Networks using leased public lines are vulnerable to eavesdropping
  • Network hubs broadcast traffic over the entire segment
  • Unused hub, router, or server ports can be exploited and accessed by hackers
  • Not properly configuring routers to mask internal subnets
Risks Associated with Protocols and Software
• Networked software is only as secure as it is configured to be
• Risks pertaining to networking protocols and software:
  • TCP/IP contains several security flaws
  • Trust relationships between one server and another may allow hackers to access the entire network
  • NOSs may contain “back doors” or security flaws allowing unauthorized access to the system
Risks Associated with Internet Access
• Common Internet-related security issues:
  • Firewall may not be adequate protection if not configured properly
  • IP spoofing
  • When a user Telnets or FTPs to a site over the Internet, the user ID and password are transmitted in plain text
  • Hackers may obtain information about user IDs from newsgroups, mailing lists, and forms filled out on the Web
  • Flashing
  • Denial-of-service attack
An Effective Security Policy
• Security policy identifies security goals, risks, levels of authority, the designated security coordinator and team members, responsibilities for team members, and responsibilities for each employee
• Specifies how to address security breaches
• Should not state the exact hardware, software, architecture, or protocols used to ensure security
  • Nor how hardware or software will be installed and configured
  • Details change occasionally
Physical Security
• Restrict physical access to components
  • Computer room, hubs, routers, switches, etc.
• Locks may be physical or electronic
  • Electronic access badges
  • Numeric key codes
  • Bio-recognition access
• Closed-circuit TV systems
• Most important way to ensure physical security is to plan for it
Physical Security (continued)
Figure 14-1: Badge access security system
Security in Network Design: Firewalls
• Selectively filter or block traffic between networks
• Hardware-based, software-based, or a combination
• Packet-filtering firewall examines the header of every packet of data received
• Common filtering criteria:
  • IP addresses
  • Ports
  • Flags set in IP header
  • Transmissions that use UDP or ICMP
  • First packet in a new data stream?
  • Inbound or outbound?
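The filtering criteria listed above, applied by a small first-match packet filter, as an added example that is not part of the textbook or its slides. It uses Python's standard ipaddress module; the rule set, the internal network 10.0.0.0/8, the web server address 203.0.113.10 and all sample packets are constructed values chosen for the demonstration.

```python
"""Packet-filtering firewall rule evaluation (added example, not from the textbook).

Each rule matches on the header fields the slide lists: source/destination IP
address, destination port, protocol (TCP/UDP/ICMP), TCP flags (is this the
first packet of a new stream, i.e. SYN set and ACK clear?) and direction.
Rules are evaluated top to bottom; the first match wins and the default is drop.
All addresses, ports and packets here are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    direction: str              # "inbound" or "outbound"
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = field(default_factory=frozenset)  # e.g. {"SYN"} or {"SYN", "ACK"}

    def new_stream(self) -> bool:
        """A TCP connection request: SYN set, ACK clear."""
        return self.proto == "tcp" and "SYN" in self.flags and "ACK" not in self.flags


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None          # CIDR, None = any
    dst: Optional[str] = None          # CIDR, None = any
    dport: Optional[int] = None
    new_stream: Optional[bool] = None  # None = don't care

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.new_stream is not None and p.new_stream() != self.new_stream:
            return False
        return True


# Constructed policy: internal network 10.0.0.0/8, public web server 203.0.113.10
# (a documentation address, not a real host).
RULES = [
    # Drop packets arriving from outside that claim an internal source (IP spoofing).
    Rule("drop", direction="inbound", src="10.0.0.0/8"),
    # Allow new inbound HTTPS connections to the public web server only.
    Rule("accept", direction="inbound", proto="tcp", dst="203.0.113.10/32", dport=443, new_stream=True),
    # Allow inbound TCP that continues an existing stream (not a fresh SYN).
    Rule("accept", direction="inbound", proto="tcp", new_stream=False),
    # Allow everything that originates inside.
    Rule("accept", direction="outbound"),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


if __name__ == "__main__":
    samples = [
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 51000, 443, frozenset({"SYN"})),
        Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 51000, 23, frozenset({"SYN"})),
        Packet("inbound", "tcp", "10.1.2.3", "203.0.113.10", 51000, 443, frozenset({"SYN"})),
        Packet("inbound", "udp", "198.51.100.7", "203.0.113.10", 5000, 53),
        Packet("outbound", "tcp", "10.1.2.3", "198.51.100.7", 40000, 80, frozenset({"SYN"})),
    ]
    for s in samples:
        print(f"{s.direction:8} {s.proto:4} {s.src} -> {s.dst}:{s.dport} {filter_packet(s)}")
```

The order of the rules matters: the anti-spoofing drop sits first so that a packet from outside claiming a 10.x.x.x source is never reached by the accept rules, and the UDP/ICMP criterion on the slide shows up as the absence of any accept rule for those protocols, so they fall through to the default deny.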
Proxy Servers
• Proxy service: software that acts as an intermediary between external and internal networks
• Screens all incoming and outgoing traffic
• Manages security at the Application layer
• May be combined with a firewall for greater security
• Improves performance for users accessing resources external to the network by caching files
Proxy Servers (continued)
Figure 14-4: A proxy server used on a WAN
Remote Access
• Must remember that any entry point to a LAN or WAN creates a potential security risk
• Remote control:
  • Can present serious security risks
  • Most remote control software programs offer features that increase security
  • Desirable security features:
    • User name and password requirement
    • Ability of host system to call back
    • Support for data encryption
Remote Access (continued)
• Remote control (continued):
  • Desirable security features (continued):
    • Ability to leave the host system’s screen blank while the remote user works
    • Ability to disable the host system’s keyboard and mouse
    • Ability to restart the host system when the remote user disconnects
Remote Access (continued)
• Dial-up networking
  • Effectively turns the remote workstation into a node on the network
  • Secure remote access server package should include at least:
    • User name and password authentication
    • Ability to log all dial-up connections, their sources, and their connection times
    • Ability to perform callbacks to users
    • Centralized management of dial-up users and their rights on the network
Network Operating System Security
• Regardless of the NOS, basic security can be implemented by restricting what users are authorized to do
• Limit public rights
• Administrators should group users according to security levels
Logon Restrictions
• Additional restrictions that network administrators can use to strengthen the security of the network:
  • Time of day
  • Total time logged on
  • Source address
  • Unsuccessful logon attempts
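The four logon restrictions above, enforced by a small account-policy module, as an added example that is not from the textbook or any particular NOS. The account record, the 08:00 to 18:00 window, the three-attempt lockout limit and the address ranges are constructed values; a real NOS stores this per user or per group and applies it before the password is checked.

```python
"""Logon-restriction checks of the kind a NOS enforces (added example, not from
the textbook): permitted time of day, maximum total time logged on, permitted
source addresses, and lockout after too many unsuccessful logon attempts.
The account data used here is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    name: str
    login_window: Tuple[time, time]   # (earliest, latest) local time of day
    max_session: timedelta            # total time a session may stay logged on
    allowed_sources: List[str]        # CIDR strings the user may log on from
    max_failures: int = 3             # unsuccessful attempts before lockout
    failures: int = 0
    locked: bool = False
    session_start: Optional[datetime] = None


def check_logon(acct: Account, when: datetime, source: str) -> Tuple[bool, str]:
    """Apply the restrictions that are decided before the password is checked.
    Returns (allowed, reason)."""
    if acct.locked:
        return False, "account locked after repeated unsuccessful logon attempts"
    earliest, latest = acct.login_window
    if not earliest <= when.time() <= latest:
        return False, "logon outside permitted time of day"
    src = ipaddress.ip_address(source)
    if not any(src in ipaddress.ip_network(net) for net in acct.allowed_sources):
        return False, "logon from unauthorized source address"
    return True, "ok"


def record_password_result(acct: Account, success: bool, when: datetime) -> None:
    """Count unsuccessful attempts; lock the account when the limit is reached.
    A successful logon resets the counter and starts the session clock."""
    if success:
        acct.failures = 0
        acct.session_start = when
        return
    acct.failures += 1
    if acct.failures >= acct.max_failures:
        acct.locked = True


def session_expired(acct: Account, now: datetime) -> bool:
    """Total-time-logged-on restriction: the NOS forces a logoff past max_session."""
    if acct.session_start is None:
        return False
    return now - acct.session_start > acct.max_session


if __name__ == "__main__":
    # Constructed account: office hours only, 10-hour sessions, internal addresses only.
    jdoe = Account("jdoe", (time(8, 0), time(18, 0)), timedelta(hours=10), ["10.0.0.0/8"])
    print(check_logon(jdoe, datetime(2024, 1, 15, 9, 0), "10.2.3.4"))
    print(check_logon(jdoe, datetime(2024, 1, 15, 22, 0), "10.2.3.4"))
    print(check_logon(jdoe, datetime(2024, 1, 15, 9, 0), "198.51.100.5"))
    for _ in range(3):
        record_password_result(jdoe, False, datetime(2024, 1, 15, 9, 5))
    print(check_logon(jdoe, datetime(2024, 1, 15, 9, 10), "10.2.3.4"))
```

Checking time of day and source address before the password is deliberate: a request that fails those checks never exercises the password store, and the failure counter is only incremented by actual wrong passwords, so an attacker probing from an unauthorized address cannot lock a user out.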
Passwords
• Tips for making and keeping passwords secure:
  • Always change system default passwords
  • Do not use familiar information
  • Do not use dictionary words
  • Make the password longer than eight characters
  • Choose a combination of letters and numbers
  • Do not write down or share passwords
  • Change the password at least every 60 days
  • Do not reuse passwords
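The checkable tips from that list (default passwords, dictionary words, length, letters plus numbers, reuse, and the 60-day age limit) as a password-policy routine, added here as an example that is not from the textbook. The default-password set and the dictionary are tiny constructed samples standing in for a vendor default list and a full word list; previous passwords are kept only as salted PBKDF2 hashes so the reuse check never needs old passwords in clear.

```python
"""Password policy check implementing the slide's tips (added example, not from
the textbook). Checks: not a system default, no dictionary word, longer than
eight characters, mixes letters and digits, not reused, and not older than 60
days. The default-password and dictionary sets are small constructed samples.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Iterable, List

DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234"}   # constructed sample
DICTIONARY_WORDS = {"password", "welcome", "dragon", "sunshine", "letmein"}  # constructed sample
MAX_AGE = timedelta(days=60)
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def password_problems(candidate: str, previous_hashes: Iterable[bytes] = (),
                      dictionary=DICTIONARY_WORDS) -> List[str]:
    """Return the policy violations for a proposed password; empty means acceptable."""
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("system default password")
    # Whole-word match, or a longer dictionary word embedded in the password.
    if lowered in dictionary or any(w in lowered for w in dictionary if len(w) >= 5):
        problems.append("contains a dictionary word")
    if len(candidate) <= 8:
        problems.append("must be longer than eight characters")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must combine letters and numbers")
    if any(verify_password(candidate, h) for h in previous_hashes):
        problems.append("password was used before")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """The 60-day rule: True when the password must be changed."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    history = [hash_password("Tr0ub4dor&3x")]          # constructed previous password
    for pw in ["password", "Sunshine2024", "abc12345", "Tr0ub4dor&3x", "c0rrect-H0rse-9"]:
        print(f"{pw!r}: {password_problems(pw, history) or 'ok'}")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 3, 15)))
```

The "do not use familiar information" and "do not write down or share" tips are not checkable by code and stay a matter of user education; the age check runs at logon time against the date the password was last changed.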
Encryption
• Use of an algorithm to scramble data into a format that can be read only by reversing the algorithm
• Encryption provides the following assurances:
  • Data was not modified after the sender transmitted it and before the receiver picked it up
  • Data can be viewed only by the intended recipient
  • All data received at the intended destination was truly issued by the stated sender and not forged by an intruder
Private Key Encryption
• Data encrypted using a single key that only the sender and receiver know
• Data Encryption Standard (DES): 56-bit key
• Triple DES (3DES): weaves a 56-bit key through the data three times
• Advanced Encryption Standard (AES): weaves 128-, 160-, 192-, or 256-bit keys through the data multiple times
  • Used in military communication
• Sender must share the key with the recipient
Private Key Encryption (continued)
Figure 14-6: Private key encryption
Public Key Encryption
• Data encrypted using two keys:
  • Private key
  • Public key associated with the user
• Public key server: publicly accessible host that freely provides a list of users’ public keys
• Key pair: combination of public key and private key
• Public keys more vulnerable than private keys
  • Use longer keys
• RSA: most popular public key algorithm
• Digital certificate: password-protected, encrypted file that holds identification information
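Textbook RSA carried through from key pair to encryption and signature, as an added example that is not from the textbook's slides. It uses the classic small primes 61 and 53 for a hand-checkable key pair and a second pair from million-range primes for signing; both sizes are toy sizes chosen for the demonstration, and real RSA additionally needs random primes of 2048 bits or more and message padding (OAEP for encryption, PSS for signatures). The certificate binding a public key to an identity is not modelled here.

```python
"""Textbook RSA: key pair generation, public-key encryption, private-key
decryption, and signing/verification (added example, not from the textbook).
The primes are toy sizes so the arithmetic can be followed; real keys are
2048 bits or more and messages are padded. No padding is applied here.
"""
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key.
    p and q must be distinct primes and e must be coprime with (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign the hash of the message, reduced into the RSA group; real RSA
    # signatures wrap the hash in PSS or PKCS#1 v1.5 padding instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the private-key holder can produce this; the public key checks it."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    # Classic hand-checkable pair: n = 3233, e = 17, d = 2753.
    pub, priv = make_keypair(61, 53, e=17)
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "65 ->", c, "->", decrypt(priv, c))

    # Larger toy pair for signatures so a tampered message is detected reliably.
    pub2, priv2 = make_keypair(1000003, 1000033)
    msg = b"transfer 100 to account 42"          # constructed sample message
    sig = sign(priv2, msg)
    print("signature valid:", verify(pub2, msg, sig))
    print("tampered valid:", verify(pub2, b"transfer 900 to account 42", sig))
```

The two operations use the keys in opposite roles: confidentiality is public key in, private key out; authenticity is private key in, public key out. This is why the slide stresses that a private key is the more sensitive half of the pair.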
PGP (Pretty Good Privacy)
• Typical e-mail communication is highly insecure
• PGP: public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission
  • Freely available
  • Most popular tool for encrypting e-mail
• Can be used to encrypt data on storage devices or with applications other than e-mail
SSL (Secure Sockets Layer)
• Method of encrypting TCP/IP transmissions en route between client and server
  • Public key encryption
• HTTPS (HTTP over Secure Sockets Layer): uses TCP port 443, rather than port 80
• SSL session: association between client and server defined by agreement on a specific set of encryption techniques
  • Created by the SSL handshake protocol
• IETF has attempted to standardize SSL with Transport Layer Security (TLS)
IPSec (Internet Protocol Security)
• Defines encryption, authentication, and key management for TCP/IP transmissions
• Encrypts data by adding security information to the header of IP packets
• Operates at the Network layer
• Accomplishes authentication in two phases:
  • Key management: Internet Key Exchange (IKE)
  • Encryption: Authentication Header (AH) or Encapsulating Security Payload (ESP)
• Can be used with any type of TCP/IP transmission
PAP (Password Authentication Protocol)
• Authentication protocol that works over PPP
• Simple, not very secure
• Does not protect against the possibility of a malicious intruder attempting to guess a user’s password through a brute force attack
Figure 14-9: Two-step authentication used in PAP
CHAP and MS-CHAP
• Challenge Handshake Authentication Protocol (CHAP): operates over PPP
  • Encrypts user names and passwords
  • Three-way handshake
  • Password never transmitted alone or as clear text
• Microsoft Challenge Authentication Protocol (MS-CHAP): similar to CHAP
  • Used on Windows systems
  • MS-CHAPv2 uses stronger encryption
    • Mutual authentication: both computers verify the credentials of the other
CHAP and MS-CHAP (continued)
Figure 14-10: Three-way handshake used in CHAP
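The PAP two-step exchange and the CHAP three-way handshake side by side, with both the peer's and the authenticator's messages, as an added example that is not from the textbook. It follows the packet layout of RFC 1334 (PAP) and RFC 1994 (CHAP, response value = MD5 of identifier || secret || challenge); the user name, secret and the fixed challenge bytes used in the test are constructed, and the helper that scans the "wire" for the secret exists only to make the slide's point that CHAP never transmits the password.

```python
"""PAP versus CHAP over a simulated PPP link (added example, not from the
textbook). PAP (RFC 1334) sends user name and password in the clear; CHAP
(RFC 1994) sends a challenge, the peer answers with MD5(id || secret ||
challenge), and the authenticator replies Success or Failure. Credentials
below are constructed sample data.
"""
import hashlib
import hmac
import os

# Authenticator's credential store (constructed).
SECRETS = {"alice": b"correct horse battery staple"}


# --- PAP: two steps, password on the wire -----------------------------------
def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_authenticator(packet: dict) -> str:
    stored = SECRETS.get(packet["peer_id"], b"")
    ok = hmac.compare_digest(stored, packet["password"])
    return "Authenticate-Ack" if ok else "Authenticate-Nak"


# --- CHAP: three-way handshake, only a hash on the wire ---------------------
def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over the identifier octet, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(identifier: int, challenge: bytes = None) -> dict:
    """Step 1, authenticator -> peer. A fresh random challenge per attempt."""
    return {"code": "Challenge", "id": identifier, "value": challenge or os.urandom(16)}


def chap_respond(challenge_pkt: dict, name: str, secret: bytes) -> dict:
    """Step 2, peer -> authenticator. The secret itself is never sent."""
    value = chap_response_value(challenge_pkt["id"], secret, challenge_pkt["value"])
    return {"code": "Response", "id": challenge_pkt["id"], "value": value, "name": name}


def chap_verify(challenge_pkt: dict, response_pkt: dict) -> str:
    """Step 3, authenticator -> peer: Success or Failure."""
    if response_pkt["id"] != challenge_pkt["id"]:      # stale or replayed response
        return "Failure"
    secret = SECRETS.get(response_pkt["name"])
    if secret is None:
        return "Failure"
    expected = chap_response_value(challenge_pkt["id"], secret, challenge_pkt["value"])
    return "Success" if hmac.compare_digest(expected, response_pkt["value"]) else "Failure"


def run_chap(name: str, secret: bytes, identifier: int = 1, challenge: bytes = None):
    """Run the full handshake; return (result, list of packets that crossed the link)."""
    c = chap_challenge(identifier, challenge)
    r = chap_respond(c, name, secret)
    result = chap_verify(c, r)
    return result, [c, r, {"code": result, "id": identifier}]


def secret_on_wire(packets, secret: bytes) -> bool:
    """True if the secret appears verbatim in any field of any transmitted packet."""
    for pkt in packets:
        for v in pkt.values():
            blob = v if isinstance(v, bytes) else str(v).encode()
            if secret in blob:
                return True
    return False


if __name__ == "__main__":
    pap = pap_authenticate_request("alice", SECRETS["alice"])
    print("PAP:", pap_authenticator(pap), "| secret on wire:", secret_on_wire([pap], SECRETS["alice"]))
    result, wire = run_chap("alice", SECRETS["alice"])
    print("CHAP:", result, "| secret on wire:", secret_on_wire(wire, SECRETS["alice"]))
```

Because the challenge changes on every attempt and the response is bound to the challenge identifier, a captured CHAP response is useless against a later challenge; the authenticator, however, must hold the secret in a recoverable form to recompute the hash, which is the trade-off the slide's "password never transmitted" point rests on.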
EAP (Extensible Authentication Protocol)
• Another extension to the PPP protocol suite
• Does not perform encryption or authentication
• Requires an authenticator to initiate the authentication process by asking the connected computer to verify itself
• Flexible: supported by most OSs and can be used with any authentication method
• Works with biorecognition and wireless protocols
Kerberos
• Cross-platform authentication protocol
• Uses key encryption to verify the identity of clients and to securely exchange information
• Significant advantages over NOS authentication
  • Does not automatically trust clients
  • Requires the client to prove identity through a third party
• Key Distribution Center (KDC): server that issues keys
  • Authentication service (AS): authenticates a principal
    • Issues a ticket
Wireless Network Security: WEP (Wired Equivalent Privacy)
• Wireless transmissions susceptible to eavesdropping
  • War driving
• By default, the 802.11 standard does not offer security
  • Allows for optional encryption using WEP
• Uses keys to authenticate network clients and encrypt data in transit
  • Network key
  • On Windows XP, the network key can be saved as part of the wireless connection’s properties
  • Current versions of WEP allow 28-bit network keys
IEEE 802.11i and WPA (Wi-Fi Protected Access)
• Uses EAP with a strong encryption scheme
• Dynamically assigns every transmission its own key
• Logging on to a wireless network is more complex than with WEP
  • AP acts as a proxy between the remote access server and the station until the station successfully authenticates
  • Requires mutual authentication
  • After authentication, the remote access server instructs the AP to allow traffic from the client into the network
  • Client and server agree on an encryption key
IEEE 802.11i and WPA (continued)
• 802.11i specifies the AES encryption method
  • Mixes each packet in the data stream with a different key
• WPA: subset of the 802.11i standard
  • Main difference from 802.11i is that WPA specifies RC4 encryption rather than AES