500 likes | 700 Views
Guide to Network Defense and Countermeasures, Second Edition. 2. Objectives. Explain the goal of securing the network perimeterDescribe factors in choosing a bastion hostExplain how to supplement a firewall with a proxy serverSet up Network Address Translation (NAT)Decide when to use user, sessi
E N D
1. Guide to Network Defense and CountermeasuresSecond Edition Chapter 10
Firewall Topology
2. Guide to Network Defense and Countermeasures, Second Edition 2 Objectives Explain the goal of securing the network perimeter
Describe factors in choosing a bastion host
Explain how to supplement a firewall with a proxy server
Set up Network Address Translation (NAT)
Decide when to use user, session, or client authentication
3. Guide to Network Defense and Countermeasures, Second Edition 3 Securing Network Perimeters Goal is to provide adequate access without jeopardizing confidential or mission-critical areas
You need
Firewalls, IDSs, bastion host, Network Address Translation (NAT), proxy servers
Combined with authentication mechanisms
Bastion host
Provides Web, FTP, e-mail, or other services running on a specially secured server
4. Guide to Network Defense and Countermeasures, Second Edition 4 Choosing a Bastion Host Security software does not operate on its own
You install it on a computer
Bastion host
Computer that sits on the network perimeter
Has been specially protected through OS patches, authentication, and encryption
5. Guide to Network Defense and Countermeasures, Second Edition 5 General Requirements Steps in creating a bastion host
Select sufficient memory and processor speed
Choose and install OS and any patches or updates
Determine where the bastion host will fit in the network configuration
Install services you want to provide
Remove services and accounts that aren’t needed.
Back up the system and all data on it
Run a security audit
Connect the machine to the network
6. Guide to Network Defense and Countermeasures, Second Edition 6 Selecting the Bastion Host Machine Select familiar hardware and software
Ideal situation
One bastion host for each service you want to provide
Can be prohibitively expensive
Operating system
Pick a version that is stable and secure
Check OS Web site for patches and updates
7. Guide to Network Defense and Countermeasures, Second Edition 7 Selecting the Bastion Host Machine (continued) Memory and processor speed
Memory is always important when operating a server
Bastion host might provide only a single service
Does not need gigabytes of RAM
Match processing power to server load
You might have to add processor
Location on the network
Typically located outside the internal network
Combined with packet-filtering devices
Multiple bastion hosts are set up in the DMZ
8. Guide to Network Defense and Countermeasures, Second Edition 8
9. Guide to Network Defense and Countermeasures, Second Edition 9
10. Guide to Network Defense and Countermeasures, Second Edition 10 Hardening the Bastion Host Selecting services to provide
Close unnecessary ports
Disable unnecessary user accounts and services
Reduces chances of being attacked
Disable routing or IP forwarding services
Do not remove dependency services
System needs them to function correctly
11. Guide to Network Defense and Countermeasures, Second Edition 11 Hardening the Bastion Host (continued) Using honeypots
Honeypot
Computer placed on the network perimeter
Attracts attackers away from critical servers
Appears real
Network security experts are divided about honeypots
Laws on the use of honeypots are confusing at best
Another goal of a honeypot is logging
Logs are used to learn about attackers techniques
12. Guide to Network Defense and Countermeasures, Second Edition 12
13. Guide to Network Defense and Countermeasures, Second Edition 13 Hardening the Bastion Host (continued) Disabling user accounts
Default accounts are created during OS installation
Disable all user accounts from the bastion host
Users should not be able to connect to it
Rename the Administrator account
Passwords at least 6-8 alphanumeric characters
14. Guide to Network Defense and Countermeasures, Second Edition 14 Handling Backups and Auditing Essential steps in hardening a computer
Backups
Detailed recordkeeping
Auditing
Copy log files to other computers in your network
Check these files for viruses
Audit all failed and successful attempts to log on to the bastion host
And any attempts to access or change files
15. Guide to Network Defense and Countermeasures, Second Edition 15 Working with Proxy Servers Proxy server
Software product
Forwards packets to and from the network being protected
Caches Web pages to speed up network performance
16. Guide to Network Defense and Countermeasures, Second Edition 16 Goals of Proxy Servers Original goal
Speed up network communications
Information is retrieved from proxy cache instead of the Internet
If information has not changed at all
Other goals
Provide security at the application layer
Shield hosts on the internal network
Control Web sites users are allowed to visit
17. Guide to Network Defense and Countermeasures, Second Edition 17
18. Guide to Network Defense and Countermeasures, Second Edition 18 How Proxy Servers Work Proxy server goal
Prevent a direct connection between an external computer and an internal computer
Proxy servers work at the application layer
Opens the packet and examines the data
Decides to which application it should forward the packet
Reconstructs the packet and forwards it
Replace the original header with a new header
Containing proxy’s own IP address
19. Guide to Network Defense and Countermeasures, Second Edition 19
20. Guide to Network Defense and Countermeasures, Second Edition 20 How Proxy Servers Work (continued) Proxy server receives traffic before it goes to the Internet
Client programs are configured to connect to the proxy server instead of the Internet
Web browser
E-mail applications
21. Guide to Network Defense and Countermeasures, Second Edition 21
22. Guide to Network Defense and Countermeasures, Second Edition 22
23. Guide to Network Defense and Countermeasures, Second Edition 23 Choosing a Proxy Server Different proxy servers perform different functions
Freeware proxy servers
Often described as content filters
Do not have features for business applications
Example: Squid
Commercial proxy servers
Offer Web page caching, source and destination IP addresses translation, content filtering, and NAT
Example: Microsoft ISA Server
24. Guide to Network Defense and Countermeasures, Second Edition 24 Choosing a Proxy Server (continued) Proxy servers that can include firewall functions
Having an all-in-one program simplifies life
Disadvantages
Single point of failure
Try to use several software and hardware products to protect your network
25. Guide to Network Defense and Countermeasures, Second Edition 25 Filtering Content Proxy servers can open packets and examine data
Proxy servers can filter out content
That would otherwise appear in a user’s Web browser
Can block Web sites with content your users should not be viewing
Can also drop executable programs
Java applets
ActiveX controls
26. Guide to Network Defense and Countermeasures, Second Edition 26 Using Network Address Translation (NAT) Network Address Translation (NAT)
Go-between
Receives requests at its own IP address and forwards them to the correct IP address
A NAT-enable device is the only one that needs a public IP address
Essential functions many firewalls or routers perform
Shields IP addresses of internal hosts
NAT modes
Hide-mode and static mapping
27. Guide to Network Defense and Countermeasures, Second Edition 27 Hide-Mode Mapping Process of having multiple IP addresses behind one public IP address
Dynamic Host Configuration Protocol (DHCP)
Enables IP addresses to be assigned dynamically among hosts on a network
Disadvantages
Cannot hide all clients behind a single IP address
Does not work with some types of VPNs
Cannot provide more than one service with a single IP address
28. Guide to Network Defense and Countermeasures, Second Edition 28
29. Guide to Network Defense and Countermeasures, Second Edition 29 Static Mapping Internal IP addresses are mapped to external, routable IP addresses
On a one-to-one basis
Internal IP addresses are still hidden
Computers appear to have public addresses
All addresses are static
30. Guide to Network Defense and Countermeasures, Second Edition 30
31. Guide to Network Defense and Countermeasures, Second Edition 31 Authenticating Users Authentication
Identify users authorized to access the network
Important role in firewall or other security configurations
Depends on the exchange of information
Password
Key
Checksum
Smart card
32. Guide to Network Defense and Countermeasures, Second Edition 32 Step 1: Deciding What to Authenticate User authentication
Identify person authorized to access network
Users submit credentials and log on to the network
Can be automatic and based on key exchange
Define an user and assign it to a group
Set access rules for that group
Other restrictions
IP addresses
Time-based restrictions
33. Guide to Network Defense and Countermeasures, Second Edition 33
34. Guide to Network Defense and Countermeasures, Second Edition 34
35. Guide to Network Defense and Countermeasures, Second Edition 35 Step 1: Deciding What to Authenticate (continued) Client authentication
Grant access to network resources based on
Source IP address
Computer MAC address
Computer name
Identification can be automatic or manual
Manual requires extra effort but offers more security
Knowing a username and password is not enough
User must log on from an authorized IP address
36. Guide to Network Defense and Countermeasures, Second Edition 36
37. Guide to Network Defense and Countermeasures, Second Edition 37 Step 1: Deciding What to Authenticate (continued) Session authentication
Authorize user or computer on a per-connection basis
Uses special authentication software on the client
Exchanges information with the firewall
Gives the user more flexibility than user or client authentication
38. Guide to Network Defense and Countermeasures, Second Edition 38
39. Guide to Network Defense and Countermeasures, Second Edition 39 Step 2: Deciding How to Authenticate Password Security
User name and password compared against a database of approved users
Simplest and most straightforward authentication
Password systems
OS password
Firewall password
S/Key password
SecureID
40. Guide to Network Defense and Countermeasures, Second Edition 40
41. Guide to Network Defense and Countermeasures, Second Edition 41 Step 2: Deciding How to Authenticate (continued) Smart cards and tokens
Two-factor authentication
Combines objects the user posses with passwords
Most common objects used in authentication
Smart cards
Tokens
Smart cards
Similar to ATM cards
Tokens
Objects that enable users to authenticate themselves
Examples :Smart cards, handhelds, key fobs
42. Guide to Network Defense and Countermeasures, Second Edition 42 Step 2: Deciding How to Authenticate (continued) Exchanging public and private keys
Password is a code used to authenticate yourself
Computers can also authenticate each other
Exchanging codes
Code can be long and complicated
Called keys
Keys
Blocks of encrypted code generated by algorithms
Public key cryptography
Authenticates by exchanging public and private keys
43. Guide to Network Defense and Countermeasures, Second Edition 43
44. Guide to Network Defense and Countermeasures, Second Edition 44 Step 2: Deciding How to Authenticate (continued) Digital signatures
Message recipient can authenticate sender’s identity
One-way hash function
Called a message digest
Code of fixed-length
Results from processing a message through a mathematical function
One-way hash function characteristics
Value is unique for the hashed data
Data cannot be deduced from the hash
45. Guide to Network Defense and Countermeasures, Second Edition 45 Step 2: Deciding How to Authenticate (continued) Digital signatures
Signing software creates a hash of the message
And encrypts it using your private key
Validation process
Recipient uses signer’s public key to decrypt the hash
Computes hash value of received message
Using same hashing algorithm as the sender
Compares hash values
46. Guide to Network Defense and Countermeasures, Second Edition 46 Step 3: Putting It All Together S-HTTP
Secure Hypertext Transfer Protocol (S-HTTP)
Encrypts communication between a Web server and a Web browser
Using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
SSL encrypts data portion of a packet not the header
Firewall can still filter and route it
SSL does not provide user authentication
47. Guide to Network Defense and Countermeasures, Second Edition 47 Step 3: Putting It All Together (continued) IPSec/IKE
IPSec encrypts communications at network layer of OSI model
Widely used
NAT can interfere with IPSec
Internet Key Exchange (IKE)
Allows exchange of public and private keys
Internet Security Association Key Management Protocol (ISAKMP)
Enables two computers to agree on security settings
48. Guide to Network Defense and Countermeasures, Second Edition 48 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+
Terminal Access Controller Access Control System (TACACS+)
Called “Tac-plus”
Authentication protocols developed by Cisco Systems
Uses MD5 to produce an encrypted digest version of transmitted data
49. Guide to Network Defense and Countermeasures, Second Edition 49 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+
Remote Authentication Dial-In User Service (RADIUS)
Provides less security than TACACS+
More widely supported
Transmits authentication packets unencrypted across the network
Vulnerable to packet sniffing
50. Guide to Network Defense and Countermeasures, Second Edition 50 Summary Modern networks require a variety of services
Firewalls cannot secure a network alone
Bastion host
Computer on the network perimeter
Specially protected through OS patches, authentication, and encryption
Proxy server
Forwards packets to and from the network
Caches Web pages to speed up network performance
51. Guide to Network Defense and Countermeasures, Second Edition 51 Summary (continued) Network Address Translation (NAT)
Conceals the IP addresses of computers on the internal network from external locations
Authentication types
Client authentication
User authentication
Session authentication
Encryption schemes
Secure Socket Layer (SSL)
Internet Protocol Security (IPSec)