CIST 1601 Information Security Fundamentals. Chapter 2 Infrastructure and Connectivity. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College.
Mastering TCP/IP - Working with the TCP/IP Suite: The Application Layer
The Application layer is the highest layer of the suite. It allows applications to access services or protocols to exchange data. Most programs, such as web browsers, interface with TCP/IP at this level. The most commonly used Application layer protocols are:
- Hypertext Transfer Protocol (HTTP) is the protocol a web browser uses to communicate with web servers.
- File Transfer Protocol (FTP) is a common application used to transfer files between hosts on the Internet. It sends credentials and data in cleartext.
- Simple Mail Transfer Protocol (SMTP) is the standard protocol for sending e-mail messages.
- Telnet is a terminal emulation protocol that provides a remote logon to another host over the network. Like FTP, it is cleartext; SSH is the usual replacement.
- Domain Name System (DNS) allows hosts to resolve hostnames to IP addresses.
- Routing Information Protocol (RIP) allows routing information to be exchanged between routers on an IP network.
- Simple Network Management Protocol (SNMP) is an Application layer protocol used to collect statistics from, and manage, TCP/IP devices. Most routers, bridges, and intelligent hubs can communicate using SNMP.
- Post Office Protocol (POP3) and IMAP4 transmit e-mail between the e-mail client and the e-mail server.
Mastering TCP/IP - Working with the TCP/IP Suite: The Transport Layer
The Transport layer provides the Application layer with session and datagram communication services. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) operate at this layer, and between them they provide a large part of the functionality of a TCP/IP network:
- TCP provides a reliable, one-to-one, connection-oriented session. TCP establishes a connection and ensures reliable data transfer through sequencing and acknowledgements. When the session ends, the connection is torn down.
- UDP provides an unreliable, connectionless communication method between hosts. UDP is a best-effort protocol: it carries less overhead than TCP and is therefore faster, but it establishes no synchronized session, does not guarantee delivery or ordering, and does not guarantee error-free communication. It is typically used to send small, self-contained datagrams, and the application is responsible for acknowledging correct reception of the data if it needs that guarantee. Because there is no handshake, the source address of a UDP datagram is never verified, which is what makes UDP services attractive targets for spoofed-packet and amplification attacks.
Mastering TCP/IP - Working with the TCP/IP Suite: The Internet Layer
The Internet layer is responsible for routing and for the IP addressing of packets. The four standard protocols of the Internet layer are:
- Internet Protocol (IP) is a routable protocol, and it is responsible for IP addressing. IP only routes information; it does not verify it for accuracy. IP determines whether a destination is known and, if so, routes the information to that destination. If the destination is not on the local network, IP sends the packet to the router (the default gateway), which forwards it on.
- Address Resolution Protocol (ARP) resolves IP addresses to hardware (MAC) addresses. MAC addresses identify hardware devices such as a NIC.
- Internet Control Message Protocol (ICMP) provides maintenance and reporting functions, and it is what the ping program uses. When a user wants to test connectivity to another host, they run ping with the IP address, and their system sends an ICMP echo request; if connectivity is good, the other host returns an ICMP echo reply. ICMP also reports when a destination is unreachable, and routers and other network devices use it to report path information between hosts.
- Internet Group Management Protocol (IGMP) is responsible primarily for managing IP multicast groups. IP multicast sends messages or packets to a specified group of hosts.
Mastering TCP/IP - Working with the TCP/IP Suite: The Network Interface Layer
The lowest level of the TCP/IP suite is the Network Interface layer. This layer is responsible for placing packets on, and removing them from, the physical network through communications with the network adapters in the host. This arrangement allows TCP/IP to work with virtually any type of network topology or technology with little modification. If a new physical network technology were installed, say 10 Gigabit Ethernet over fiber, TCP/IP would only need to know how to communicate with the network controller in order to function properly. TCP/IP can also communicate over more than one network technology simultaneously, which allows the protocol suite to be used in virtually any environment.
IPv4 vs. IPv6
The current numbering system, IP version 4 (IPv4), is what is described throughout this chapter and is still the most widely used. IP version 6 (IPv6) was introduced to replace IPv4 but has not displaced it, and most systems currently support both at the Internet layer (dual stack). IPv6 uses 128-bit addresses, while IPv4 uses 32-bit addresses. IPv6 was originally specified with IPsec support as a mandatory part of every implementation; the later IPv6 node requirements (RFC 6434 and its successor RFC 8504) relaxed that to a recommendation. Note that this was ever only mandatory support for IPsec, not mandatory use: IPv6 traffic is neither encrypted nor authenticated unless IPsec is actually configured on both ends.
Understanding Encapsulation
Figure: The encapsulation process of an e-mail message.
Encapsulation allows data from a protocol at one layer to be carried across the network and handed to the equivalent service or protocol at the receiving host. The figure shows how e-mail is encapsulated as it moves from the application protocols through the transport and Internet protocols. Each layer adds its own header in front of the data as the e-mail moves down the layers. After it is encapsulated, the message is sent to the server. Transmission of the packet between the two hosts occurs through the physical connection in the network adapter. Notice that in the figure the message is sent via the Internet; it could just as easily have been sent locally. The e-mail client does not know how the message is delivered, and the server application does not care how the message got there. This is what makes designing and implementing services such as e-mail possible in a global or Internet environment.
Figure: An e-mail message that an e-mail client sent to an e-mail server across the Internet.
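The layering described above, as an added example that is not part of the original slides: the code below takes one SMTP command line, wraps it in a TCP header, an IPv4 header (with the real RFC 791 header checksum) and an Ethernet II header using only the standard library, then strips the headers again in the reverse order. The addresses, ports, MAC addresses and message text are constructed sample values; the TCP checksum is left at zero because computing it needs the IP pseudo-header and is not the point here.

```python
"""Encapsulation worked example (added here; not from the original slides).

Builds an SMTP application message, wraps it in a TCP segment, an IPv4
packet and an Ethernet II frame, then decapsulates the frame again.
Addresses, ports, MACs and the message text are constructed sample data.
"""
import struct
import socket

ETH_P_IP = 0x0800        # EtherType for IPv4
IPPROTO_TCP = 6
TCP_PSH_ACK = 0x18       # PSH + ACK flags

# Constructed sample application-layer data: one SMTP command line.
SMTP_MESSAGE = b"MAIL FROM:<alice@example.test>\r\n"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port, dst_port, seq, ack, flags, window, payload):
    """20-byte TCP header (no options) in front of the payload.
    Checksum is left 0: it needs the IP pseudo-header, which is not the point here."""
    data_offset = 5 << 4                       # 5 x 32-bit words, no options
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      data_offset, flags, window, 0, 0)
    return hdr + payload


def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64, ident=0x1234):
    """20-byte IPv4 header in front of the payload, header checksum filled in."""
    total_len = 20 + len(payload)
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src_ip),
                      socket.inet_aton(dst_ip))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    """Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
            + struct.pack("!H", ethertype) + payload)


def encapsulate(message: bytes) -> bytes:
    """Walk the message down the stack: application -> TCP -> IPv4 -> Ethernet."""
    segment = build_tcp(51515, 25, seq=1000, ack=5000, flags=TCP_PSH_ACK,
                        window=65535, payload=message)
    packet = build_ipv4("192.168.1.10", "203.0.113.25", IPPROTO_TCP, segment)
    return build_ethernet("02a1b2c3d4e5", "02f6e7d8c9ba", ETH_P_IP, packet)


def decapsulate(frame: bytes) -> dict:
    """Walk a frame back up the stack, checking each header as it is stripped."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src_ip = socket.inet_ntoa(packet[12:16])
    dst_ip = socket.inet_ntoa(packet[16:20])
    segment = packet[ihl:total_len]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    return {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto,
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "payload": segment[data_offset:]}


if __name__ == "__main__":
    frame = encapsulate(SMTP_MESSAGE)
    print("frame length:", len(frame))   # 14 + 20 + 20 + len(SMTP_MESSAGE)
    print(decapsulate(frame))
```

Each `build_*` call adds exactly one header in front of whatever it is given, and `decapsulate` verifies the IPv4 checksum before trusting the header fields, so a frame whose header was altered in transit is rejected rather than parsed.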
Working with Protocols and Services: Well-Known Ports
Ports identify which process a communication belongs to. A port is a 16-bit number carried in the TCP or UDP header; the layer below then encapsulates that segment with its own header. Well-known ports are the reserved numbers (0 to 1023, assigned by IANA) on which standard services listen, which lets a client reach a service without any prior arrangement. The originator places the destination port number in the header, indicating which service to communicate with on the server, together with its own source port so the reply can find its way back. If the server has a service listening on that port and available for use, it accepts the request. If nothing is listening, the server refuses the connection (TCP answers with a RST segment; for UDP the host normally sends an ICMP port unreachable message). Every open port is a way into your network: even with a firewall in place you must leave some of these ports open if you want to provide services such as e-mail or web, so each open port should correspond to a service you have deliberately chosen to expose.
TCP Three-Way Handshake
TCP, a connection-oriented protocol, establishes a session using a three-way handshake. A host called a client originates the connection. The client sends a TCP segment (SYN) to the server. This segment includes an Initial Sequence Number (ISN) for the connection and a window size. The server responds with a segment (SYN-ACK) that contains its own ISN, an acknowledgement of the client's ISN plus one, and a value indicating its buffer, or window, size. The client then sends back an acknowledgement (ACK) of the server's sequence number plus one. After this occurs, the two systems communicate with each other. A server can handle many sessions simultaneously on the same listening port: each session is told apart by its pair of source and destination addresses and ports, and each has its own sequence numbers, which the two ends use to order and acknowledge data within that session. ISNs should be unpredictable; if an attacker can guess the server's ISN, they can forge the final ACK without ever seeing the SYN-ACK and inject traffic into a connection that appears to come from a spoofed client.
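The exchange described above, as an added simulation that is not part of the original slides: a small in-memory `Listener` plays the server and `client_handshake` plays the client, so the SYN, SYN-ACK and ACK segments and the sequence/acknowledgement arithmetic that links them are visible, along with the RST a closed port answers with and a second client sharing the same server port. No sockets are used; the addresses, ports and window sizes are constructed sample values.

```python
"""Three-way handshake simulation (added example; not from the original
slides). Models the three segments and the sequence/acknowledgement
arithmetic that links them, a server that keeps one session per peer on a
single listening port, and the RST a closed port answers with. No sockets
are used; addresses and ports are constructed sample values.
"""
import secrets
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int


def random_isn() -> int:
    """32-bit ISN from a CSPRNG. Predictable ISNs let an attacker who never sees
    the SYN-ACK still forge the final ACK (RFC 6528 describes the standard fix)."""
    return secrets.randbits(32)


def succ(n: int) -> int:
    """Next sequence number, wrapping at 2**32 as TCP does."""
    return (n + 1) & 0xFFFFFFFF


class Listener:
    """Server side: one listening port, one state entry per (peer_ip, peer_port)."""

    def __init__(self, port: int, window: int = 65535):
        self.port, self.window = port, window
        self.sessions = {}

    def receive(self, peer_ip: str, seg: Segment):
        """Process one segment; return the segment to send back, or None."""
        if seg.dst_port != self.port:
            # nothing listening: refuse with RST/ACK, which is what a closed port looks like
            return Segment(seg.dst_port, seg.src_port, 0, succ(seg.seq), RST | ACK, 0)
        key = (peer_ip, seg.src_port)
        if seg.flags == SYN:                                   # step 1 arrives
            isn = random_isn()
            self.sessions[key] = {"state": "SYN-RECEIVED", "isn": isn, "peer_isn": seg.seq}
            return Segment(self.port, seg.src_port, isn, succ(seg.seq),
                           SYN | ACK, self.window)             # step 2
        sess = self.sessions.get(key)
        if (sess and sess["state"] == "SYN-RECEIVED" and seg.flags == ACK
                and seg.ack == succ(sess["isn"])):
            sess["state"] = "ESTABLISHED"                      # step 3 accepted
            return None
        return Segment(self.port, seg.src_port, 0, seg.seq, RST, 0)   # anything else is rejected


def client_handshake(server: Listener, client_ip: str, client_port: int,
                     dst_port: int, window: int = 65535):
    """Drive the exchange from the client; return (final state, segments exchanged)."""
    isn = random_isn()
    syn = Segment(client_port, dst_port, isn, 0, SYN, window)            # step 1
    reply = server.receive(client_ip, syn)
    if reply.flags & RST:
        return "REFUSED", [syn, reply]
    if reply.flags != SYN | ACK or reply.ack != succ(isn):
        return "FAILED", [syn, reply]
    ack = Segment(client_port, dst_port, succ(isn), succ(reply.seq), ACK, window)  # step 3
    server.receive(client_ip, ack)
    return server.sessions[(client_ip, client_port)]["state"], [syn, reply, ack]


if __name__ == "__main__":
    web = Listener(80)
    state, segments = client_handshake(web, "192.0.2.10", 40001, 80)
    for s in segments:
        print(s)
    print(state)
    print(client_handshake(web, "192.0.2.10", 40002, 8080)[0])   # REFUSED
```

The server's session table is keyed by the peer's address and port, not by sequence number: that is what lets two clients share port 80 with independent sequence numbers, and it is also why the ISN must come from a CSPRNG rather than a counter.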
Application Programming Interface
Application Programming Interfaces (APIs) let programmers create interfaces to the protocol. When a programmer writes an application, they can call one of these APIs to:
- Make the connection
- Send or receive data
- End the connection
Microsoft uses an API called Windows Sockets (WinSock) to interface to the protocol; it can use either TCP or UDP, and it follows the same model as the BSD sockets API on Unix-like systems. A socket address is the combination of an IP address and a port number, written with a colon between them. For example, 190.10.5.1:80 identifies the HTTP service on host 190.10.5.1.
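The three API steps listed above, as an added example that is not from the original slides: Python's `socket` module is a thin wrapper over WinSock on Windows and the BSD sockets API elsewhere, so the same calls make the connection, send and receive data, and end the connection. A tiny echo server runs in a thread on 127.0.0.1 with an OS-chosen port, so the example needs no network access; the messages are constructed sample data. It also shows the point from the handshake discussion that several clients can share one server port while each connection keeps its own address:port pair.

```python
"""Socket API walk-through (added example; not from the original slides).
Make the connection, send or receive data, end the connection, done with
Python's socket module over loopback. The echo server runs in a thread on
127.0.0.1 with an OS-chosen port; messages are constructed sample data.
"""
import socket
import threading


def run_echo_server(listener: socket.socket, count: int) -> list:
    """Accept `count` connections one after another, echo what each sends,
    and record the (local address, peer address) pair of every connection."""
    seen = []
    for _ in range(count):
        conn, peer = listener.accept()           # completes a client's three-way handshake
        with conn:
            conn.sendall(conn.recv(1024))
            seen.append((conn.getsockname(), peer))
    return seen


def talk(server_addr, message: bytes):
    """Client side: connect, send, receive, close. Returns the reply and the
    client's own (ip, port) as assigned by the OS."""
    with socket.create_connection(server_addr) as s:   # make the connection
        s.sendall(message)                              # send data
        reply = s.recv(1024)                            # receive data
        local = s.getsockname()
    return reply, local                                 # connection ended by 'with'


def demo(n_clients: int = 2):
    """Run the server and n clients against it; return the server address,
    each client's (reply, local address) and the server's view of each connection."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                     # port 0: the OS picks a free port
    listener.listen()
    server_addr = listener.getsockname()
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(seen=run_echo_server(listener, n_clients)))
    worker.start()
    clients = [talk(server_addr, b"hello %d" % i) for i in range(n_clients)]
    worker.join()
    listener.close()
    return server_addr, clients, result["seen"]


if __name__ == "__main__":
    addr, clients, seen = demo()
    print("server listening on", addr)
    for (reply, local), (srv_side, peer) in zip(clients, seen):
        print(f"client {local} <-> server {srv_side}: reply {reply!r}, peer seen as {peer}")
```

Every client connection reports the same server-side address (the listening port) but a different client-side ephemeral port; that address pair, not the port alone, is what the server uses to tell the connections apart.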
Distinguishing between Security Topologies: Setting Design Goals
Sending data across an insecure network, such as the Internet, puts its confidentiality and integrity at risk. It is the responsibility of the sender to ensure that proper security controls are in place. Controls for confidentiality and integrity should be implemented to ensure the accuracy of the data and that only authorized personnel can access it. The three core security objectives for protecting an organization's information assets are:
- Confidentiality
- Integrity
- Availability
These three objectives are referred to as the CIA triad. Most computer attacks result in a violation of one or more parts of the CIA triad.
Confidentiality
Meeting the goal of confidentiality means preventing or minimizing unauthorized access to and disclosure of data and information. Confidentiality is the minimum level of secrecy that is maintained to protect sensitive information from unauthorized disclosure. In many instances, laws and regulations require specific information to be kept confidential. Confidentiality can be implemented through encryption, access control, data classification, and security awareness. Maintaining confidentiality protects an organization against attacks such as shoulder surfing and social engineering, which can lead to disclosure of confidential information and disrupt business operations. A lack of sufficient security controls to maintain confidentiality leads to the disclosure of information.
Integrity
Ensuring the integrity of information means that the information is protected from unauthorized modification and that its contents have not been altered. To meet the goal of integrity, you must verify that the information being used is accurate and has not been tampered with. Integrity ensures the following conditions:
- The data is accurate and reliable.
- The data and the system are protected from unauthorized alteration.
- Attacks and user mistakes do not affect the integrity of the data and the system.
Integrity is coupled with accountability to ensure that data is accurate and that a final authority exists to verify this, if needed.
Availability To meet the goal of availability, you must protect data and prevent its loss. Data that can’t be accessed is of little value. If a mishap or attack brings down a key server or database, that information won’t be available to the people who need it. This can cause havoc in an organization. Your job is to provide maximum availability to your users while ensuring integrity and confidentiality. The hardest part of this process is determining the balance you must maintain between these three aspects to provide acceptable security for the organization’s information and resources.
Accountability
The final and often overlooked goal of design concerns accountability. Accountability involves identifying who owns or is responsible for the accuracy of certain information in an organization. Many of the resources used by an organization are shared between departments and individuals. The department or individual that is accountable for certain information is also responsible for verifying its accuracy in the event of a data-tampering incident. You should also be able to track and monitor data changes so that you can detect and repair the data in the event of loss or damage. Most systems will track and store logs of system activities and data manipulation, and they will also provide reports on problems.
Creating Security Zones
It is common for a network to have connections among departments, companies, countries, and public access, using private communication paths and the Internet. Not everyone on a network needs access to all the assets in the network. The term security zone describes design methods that isolate systems from other systems or networks. You can isolate networks from each other using hardware and software. The Internet creates a challenge for security; security zones allow you to isolate systems from unauthorized users. Here are the four most common security zones you will encounter:
- Internet
- Intranet
- Extranet
- Demilitarized zone (DMZ)
By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.
Internet
The Internet is a global network connecting computers and individual networks together. In this environment, you should have a low level of trust in the people who use the Internet. You must always assume that the people visiting your website may have bad intentions; they may want:
- To buy your product
- To hire your firm
- To bring your servers to a screaming halt
Because the Internet involves such a high level of anonymity, you must always safeguard your data with the utmost precautions.
Intranets
Intranets are private networks implemented and maintained by an individual company or organization. An intranet is the private network of the company that contains most of its private resources and network infrastructure equipment. An intranet belongs to and is controlled by the company. Intranets use the same technologies used by the Internet. You can think of an intranet as an Internet that does not leave your company: it is internal to the company, and access is limited to the organization's own systems. Access to the intranet is granted to trusted users inside the corporate network, or to users in remote locations who connect through a controlled path such as a VPN.
Extranets
Extranets extend intranets to include outside connections to partners. An extranet is the part of the company network infrastructure that enables specific resources to be accessed by external users. An extranet is a semi-secure zone that allows partners of the organization to access specific resources. The partners can be vendors, suppliers, or similar parties who need access to your data for legitimate reasons. Extranet connections are made between organizations that trust each other to a limited, defined degree, so the zone should expose only what the partnership requires. Security for the extranet security zone can include a number of strategies:
- Using VPN connections
- Regularly auditing all services
- Removing all unnecessary services
- Limiting the number of services provided
Demilitarized Zone (DMZ)
A demilitarized zone (DMZ), or perimeter network, provides a layer of security and privacy between the company infrastructure and the Internet. A DMZ might contain Internet-accessible servers such as web servers, FTP servers, and mail-relay servers, for restricted access by people you might not otherwise trust. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. The internal network is not visible to external users, lowering the threat of intrusion into the internal network. A DMZ is a separate subnet on a separate router or firewall interface. Most organizations deploy, at a minimum, two firewalls. The first firewall is placed in front of the DMZ to allow requests from the external public interface that are destined for servers in the DMZ, or to route requests to an authentication proxy. The second firewall sits between the DMZ and the internal private network; it allows outbound requests and denies public traffic from passing through to the internal network. From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the DMZ, and e-mail would go to the internal network. All initial necessary connections are located on the DMZ machines. For example, a RADIUS server may be running in the DMZ for improved performance and enhanced security, even though its database resides inside the company intranet. Because the DMZ hosts are the ones exposed to the Internet, the second firewall should assume any of them can be compromised and allow connections from the DMZ into the internal network only on the specific ports each service actually needs.
Figure: A typical DMZ.
Working with Newer Technologies: Virtualization Technology
Virtual environments are available to run on just about everything from servers and routers to USB thumb drives. Hardware vendors are rapidly embracing virtualization and developing new features to simplify virtualization techniques. Virtual environments can be used to improve security by:
- Allowing unstable applications to be used in an isolated environment.
- Providing better disaster recovery solutions.
Virtual environments are also used as a cost-cutting measure: one well-equipped server can host several virtual servers, reducing the need for power and equipment. Forensic analysts often use virtual environments to boot an image of a system and view it the same way the suspect did. A hypervisor or virtual machine monitor (VMM) is a virtualization platform that runs multiple operating systems on a host computer at the same time. A Type 1, native, or bare-metal hypervisor is software that runs directly on the hardware platform; the guest operating systems run at the second level above the hardware. This technique allows full guest systems to be run relatively efficiently, and the guest OS is not aware it is being virtualized and requires no modification. A Type 2 or hosted hypervisor is software that runs within an operating system environment, and the guest operating systems run at the third level above the hardware: the hypervisor runs as an application on an already running operating system.
Virtualization Technology (continued)
Security policy should address the vulnerabilities of virtual environments. Software without a defined business need should not be allowed on systems, including virtual environments. If the hypervisor, or the host it runs on, is compromised, an intruder gains control of every guest operating system on it. Because the hypervisor runs with the highest privilege and the hardware is shared, a flaw that lets a compromised guest break out of its virtual machine (a VM escape) can let the intruder compromise the host too, and through it the other guests. Segment virtual machines by the information they handle: the organization should have a policy stating that high-security virtual machines never share the same hardware as virtual machines used for testing or for lower-security applications. Also:
- Be cognizant of files and folders shared between guest and host operating systems.
- Use standard locked-down virtual images.
Other areas that present issues for a virtualized environment and need special consideration are:
- Deploying financial applications on virtualized shared hosting
- Secure storage on storage-area network (SAN) technologies
Virtual machine environments need to be patched just like host environments; they are susceptible to the same issues as a host operating system.
Virtual Local Area Networks
A virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access. VLANs let you unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network, so separate networks can coexist on the same wiring and be unaware of each other. VLANs enable administrators to split one broadcast domain into two or more domains, grouping users that have similar data sensitivity levels together and thereby increasing security. VLAN advantages include:
- Reducing the scope of broadcasts
- Improving performance and manageability
- Decreased dependence on the physical topology
Switches are used to create VLANs; a router or other Layer 3 device is needed to pass traffic between them, and that device is where access between VLANs is controlled. Because the separation is enforced entirely by the switch, an attacker who compromises the switch (or its management interface) can reconfigure or bypass the VLANs it creates.
Figure: A typical segmented VLAN.
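The segmentation described above, as an added example that is not part of the original slides: the code inserts and strips the 4-byte IEEE 802.1Q tag a switch uses on a trunk link to record which VLAN a frame belongs to, and models a minimal VLAN-aware switch that floods a frame only to ports in the same VLAN. The port names, VLAN IDs, MAC addresses and the rule that tags arriving on access ports are ignored are all constructed for the example; real switches differ in details such as native-VLAN handling on trunks, which this model simply drops.

```python
"""802.1Q VLAN tagging walk-through (added example; not part of the original
slides). Builds and parses the 802.1Q tag and models a small VLAN-aware
switch. MAC addresses, VLAN IDs and the port map are constructed samples.
"""
import struct

ETH_P_8021Q = 0x8100    # TPID that marks a tagged frame
ETH_P_IP = 0x0800


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert TPID + TCI between the source MAC and the original EtherType."""
    if not 1 <= vlan_id <= 4094:           # 0 and 4095 are reserved
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (priority << 13) | vlan_id       # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, untagged_frame), or (None, frame) if the frame has no tag."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


class VlanSwitch:
    """Access ports each belong to one VLAN and carry untagged frames; a
    single trunk port carries tagged frames for every VLAN."""

    def __init__(self, access_ports: dict, trunk_port: str):
        self.access_ports = access_ports      # {port_name: vlan_id}
        self.trunk_port = trunk_port

    def forward(self, ingress: str, frame: bytes) -> dict:
        """Return {egress_port: frame_as_sent}. The frame reaches only ports in
        its own VLAN; it is tagged on the trunk and untagged on access ports."""
        if ingress == self.trunk_port:
            vid, plain = untag_frame(frame)
            if vid is None:
                return {}                          # untagged on the trunk: dropped in this model
        else:
            vid_in_frame, plain = untag_frame(frame)
            if vid_in_frame is not None:
                return {}                          # a host must not pick its own VLAN by tagging
            vid = self.access_ports[ingress]
        out = {p: plain for p, v in self.access_ports.items() if v == vid and p != ingress}
        if ingress != self.trunk_port:
            out[self.trunk_port] = tag_frame(plain, vid)
        return out


def sample_frame(payload: bytes = b"ARP who-has 10.0.1.1") -> bytes:
    """Constructed broadcast Ethernet II frame (FCS omitted)."""
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("02aabbccddee")
            + struct.pack("!H", ETH_P_IP) + payload)


if __name__ == "__main__":
    sw = VlanSwitch({"fa0/1": 10, "fa0/2": 10, "fa0/3": 20}, trunk_port="gi0/1")
    for port, out in sw.forward("fa0/1", sample_frame()).items():
        print(port, untag_frame(out)[0], len(out))
```

The broadcast entering on a VLAN 10 access port never reaches the VLAN 20 port, and the only copy that carries a tag is the one sent up the trunk; the switch rejecting tagged frames from access ports is the policy that stops a host from placing itself in another VLAN.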
Network Address Translation
Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. NAT effectively hides your network from the world, making it much harder to determine what systems exist on the other side of the router. Most routers and current Microsoft Server operating systems support NAT. A NAT device blocks unsolicited inbound connections as a side effect of translation, which is why it is often said to operate as a firewall; it is not a substitute for one, since it inspects nothing and any port forwarded through it is fully exposed. Typically, the router or NAT server acts as the interface between a local area network and the Internet using one public IP address. It rewrites all outbound requests, maintains a translation table, and uses that table to deliver the returned messages to the right internal host. NAT allows the organization to use a publicly assigned IP address on the Internet that is different from the private IP addresses used internally; in this way the private network is hidden from the public. There are specific reserved, non-Internet-routable private address ranges (RFC 1918) for use on an internal network:
- Class A: 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
- Class B: 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
- Class C: 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
Port Address Translation
In addition to NAT, Port Address Translation (PAT), also called NAT overload, is possible: many internal hosts share a single public address, and the translator distinguishes their connections by rewriting each one's source port and recording the mapping in its table.
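The translation table described above, as an added example that is not part of the original slides: a small `PatRouter` rewrites the source of outbound packets to one public address, allocates a distinct public port per inside flow (the PAT case, including two inside hosts that happen to use the same source port), translates replies back, and drops unsolicited inbound packets that match no table entry. The RFC 1918 ranges are checked with the standard `ipaddress` module. All addresses and ports are constructed sample values.

```python
"""NAT/PAT translation walk-through (added example; not from the original
slides). Keeps the mapping table a NAT device keeps, rewrites outbound
sources, translates replies back, and drops unsolicited inbound packets.
All addresses and ports are constructed sample values.
"""
import ipaddress
from collections import namedtuple

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")


def is_private(ip: str) -> bool:
    """True when ip falls inside one of the RFC 1918 non-routable ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class PatRouter:
    """Port Address Translation: many inside hosts share one public IP by
    giving each (inside_ip, inside_port, proto) flow its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port, proto) -> public_port
        self.inbound = {}    # (public_port, proto) -> (inside_ip, inside_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside->Internet packet; add a table entry on first sight."""
        if not is_private(pkt.src_ip):
            raise ValueError("outbound packets must originate from the inside network")
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet):
        """Map a packet arriving at the public address back to the inside host.
        Returns None (drop) when no entry exists, which is why an outside host
        cannot reach an inside host unless that host spoke first."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.dst_port, pkt.proto))
        if inside is None:
            return None
        return pkt._replace(dst_ip=inside[0], dst_port=inside[1])


if __name__ == "__main__":
    nat = PatRouter("198.51.100.1")
    a = nat.translate_outbound(Packet("192.168.1.10", 1234, "203.0.113.5", 80, "tcp"))
    b = nat.translate_outbound(Packet("192.168.1.11", 1234, "203.0.113.5", 80, "tcp"))
    print(a, b)   # same inside port on two hosts gets two different public ports
    print(nat.translate_inbound(Packet("203.0.113.5", 80, "198.51.100.1", a.src_port, "tcp")))
    print(nat.translate_inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 22, "tcp")))  # None
```

The "NAT as a firewall" effect is entirely the `translate_inbound` miss: a packet to a public port with no table entry has nowhere to go. A static port forward would simply be a permanent entry in `inbound`, and that host is then as reachable as if it had a public address.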
Tunneling
Tunneling refers to creating a virtual dedicated connection between two systems or networks. Tunneling sends private data across a public network (the Internet) by placing (encapsulating) that data inside other packets. Tunnels present themselves as extensions of both networks. You create the tunnel between the two ends by encapsulating the data in a mutually agreed-upon protocol for transmission. Encapsulation by itself does not stop sniffing on the public network; the tunnel is private only when the tunneling protocol, or a companion protocol, encrypts and authenticates the encapsulated data. Most tunnels are virtual private networks (VPNs). Several popular standards have emerged for tunneling, one of the most widely deployed being the Layer 2 Tunneling Protocol (L2TP). L2TP itself provides no encryption; it is normally run over IPsec (L2TP/IPsec) to get it.
Figure: A connection being made between two networks across the Internet. To each end of the network, this appears to be a single connection.
Telephony
The combination of telephone technology with information technology is telephony. Voice over IP (VoIP) can be easily sniffed when it is not encrypted, and it is susceptible to denial-of-service attacks because the voice stream rides on UDP, which has no handshake and can be flooded with spoofed packets. There is also the outage issue with VoIP: when the data network goes down, you lose telephony as well. SecureLogix markets a voice firewall, and Cisco has published a paper titled "IP Telephony Security in Depth." From a security standpoint, the biggest problem with VoIP and data being on the same line is that both are then vulnerable in the event of an attack on the PBX.
Understanding Infrastructure Security Infrastructure security deals with the most basic aspect of how information flows and how work occurs in your network and systems. This includes servers, networks, network devices, workstations, and the processes in place to facilitate work. Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival storage and working storage for your systems. Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to any number of attacks. To provide reasonable security, you must know how these devices work and how they provide, or fail to provide, security. Each time you add a device, change configurations, or switch technologies, you’re potentially altering the fundamental security capabilities of your network. The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to be prepared to neutralize it before it happens. A network is no more secure than its weakest node.
Working with Hardware Components
Network hardware components include physical devices such as routers, servers, firewalls, workstations, and switches. From a security perspective you must evaluate your network from the standpoint of each and every device within it. It cannot be overstated: the complexity of most networks makes securing them extremely complicated. To provide reasonable security, you must evaluate every device to determine its unique strengths and vulnerabilities.
Figure: A network with Internet connections. Internet connections expose your network to the highest number of external threats, and those threats can come from virtually any location worldwide.
Working with Software Components
Hardware exists to run software. The software is intended to make the hardware components easy to configure and easy to support; however, that same software can also make the hardware easy to bypass. Network infrastructure includes servers and workstations running operating systems, plus routers, firewalls, and dedicated devices that have their own communications and control programs. This situation leaves networks open to attacks and security problems because many of these systems work independently. Many larger organizations have built a single area for network monitoring and administrative control of systems called a Network Operations Center (NOC). This centralization lets you see a larger overall picture of the network, and it lets you take action on multiple systems or network resources if an attack is under way. Using a NOC makes it easier to see how an attack develops and to provide countermeasures. NOCs are expensive and require a great deal of support, beyond the economies of scale of all but the largest businesses. After a NOC is developed and implemented, it must be constantly evaluated and changed as needed.
Understanding the Different Network Infrastructure Devices - Firewalls
A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. Firewalls are the front-line defense devices for networks connected to the Internet. A firewall protects hosts on an internal private network from attackers on an external public network by:
- Packet filtering
- Port filtering
- IP address filtering
A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows. With a software firewall, adding interfaces is as easy as adding and configuring another NIC, but it is also easier to make configuration errors, and the firewall is only as secure as the operating system it runs on. A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as stand-alone black-box solutions that can be plugged into a network and operated with minimal configuration and maintenance. A hardware firewall is purchased with a fixed number of interfaces. Hardware firewalls generally outperform software firewalls and are generally considered more secure, since they run a purpose-built system with fewer services exposed.
Packet Filter Firewalls
A packet-filtering firewall is typically a router and operates at the Network layer of the OSI model. It looks at each packet only to obtain the source and destination addresses and the protocol and port used. This information is compared, in order, to the configured packet-filtering rules to decide whether the packet is dropped or forwarded to its destination; good practice ends the rule list with a default deny. A packet-filtering firewall examines only the packet header, not the data or payload. Packet filters examine each incoming (and usually outgoing) packet and pass or discard it based on these header fields:
- Source and destination IP address
- Source and destination port numbers
- Specific protocols (TCP, UDP, ICMP)
Packet-filtering solutions are generally considered the least secure type of firewall because each packet is judged on its own: the filter has no memory of the session a packet belongs to, so it cannot tell a genuine reply from a packet that has merely been crafted to look like one. The packet-filtering firewall provides high performance.
Proxy Firewalls
Proxy firewalls serve as go-betweens for the network and the Internet by processing requests received from external networks and reprocessing them for use internally. This type of firewall has a set of rules that the packets must pass to get in or out. The primary security feature of a proxy firewall is that it hides client information. It hides the internal addresses from the outside world by being the only computer on the network that communicates with untrusted hosts, and, with Network Address Translation, by rewriting a packet's IP address before sending it through another network so that the computers on the network never access the Internet directly. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting web content. A proxy-based firewall provides greater network isolation than a stateful firewall because no packet passes through it unchanged: each connection terminates on the proxy and a new one is opened on the other side.
Figure: A proxy firewall blocking network access from external networks.
Proxy Firewalls
An application firewall is typically integrated into another type of firewall to filter traffic at the Application layer of the OSI model. The proxy function can occur at either the application level or the circuit level. The proxy creates a virtual circuit between the firewall's clients and the hosts they talk to. A circuit-level proxy works from the address, port, and session information of a connection without understanding the protocol inside it. An application-level proxy goes further: each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol's data. This type of server is advanced and must know the rules and capabilities of the protocol used, so a unique application-level proxy must exist for each protocol supported. Unlike a circuit-level firewall, which checks only the IP address and port of a packet, an application-level firewall also examines the application payload, and that extra work is why it is the type most detrimental to network performance: it requires more processing per packet.
Proxy Firewalls
A proxy firewall typically uses two network interface cards (NICs); this arrangement is called a dual-homed firewall. Dual-homed computers have two NICs installed, each connected to a separate network: one interface connects to the public network, usually the Internet, and the other connects to the private network. IP forwarding and routing between the two interfaces must be disabled on the firewall host so that the only path between the networks is through the proxy application itself; with forwarding enabled, the host would pass packets directly from one network to the other and the segregation would be lost.
Figure: A dual-homed firewall segregating two networks from each other.
Stateful Inspection Firewalls
Stateful inspection is also referred to as stateful packet filtering. A stateful-inspection firewall combines packet filtering with connection tracking and is well suited to main perimeter security. Stateful-inspection firewalls frustrate port scanning and unsolicited probes by dropping inbound packets that are not part of a connection the firewall has already permitted (for TCP, one that began with a SYN the rules allowed through). They work at the Network and Transport layers, and in addition to filtering on header fields they monitor the state of each connection. Most devices used in networks do not keep track of how information is routed or used: after a packet is passed, the packet and its path are forgotten. In stateful packet filtering, records are kept in a state table that tracks every communication channel, and a packet is accepted if it belongs to a tracked connection or if it opens a new one that the rules allow. Stateful inspection provides additional security even for connectionless protocols such as UDP and ICMP, where the firewall records the outbound request and admits only the matching reply within a timeout. Denial-of-service (DoS) attacks present a challenge because flooding techniques (a SYN flood, for example) are used to fill the state table and effectively cause the firewall to drop new connections, shut down, or reboot; the state table must therefore be bounded and its entries must time out. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls.
Firewalls and DMZs Firewalls can be used to create demilitarized zones (DMZs). A DMZ is a network segment placed between an internal (private) network and an external (public) network, such as the Internet; publicly reachable servers are placed there so that a compromise of one of them does not land the attacker directly on the internal network. Typically, either one or two firewalls are used to create a DMZ. A DMZ implemented with a single firewall that has one interface each for the public network, the private network and the DMZ segment (a three-legged firewall) is cheaper to implement than a DMZ implemented with two firewalls. A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ because an attacker must defeat two separately configured devices to reach the internal network. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and to provide notification of suspicious behavior.
Hubs Hubs act as a central connection point for network devices on one network segment and are used to extend a network beyond the cable's maximum segment distance. They work at the Physical layer of the OSI model. Hubs allow many hosts to intercommunicate through physical ports, which makes them central connectivity devices and prone to being attacked. Traffic received on one port is regenerated to all other ports. Hubs therefore provide no data isolation between endpoint ports: any node can observe the traffic to and from every other node on the same device, which gives an attacker who plugs into any port the ability to inspect network traffic and intercept user credentials, session data and other sensitive transmissions. Hubs are considered highly insecure.
Modems A modem is a hardware device that converts the digital signals from a computer into analog signals for the telephone line and back again. It allows these signals to be transmitted over longer distances than are possible with raw digital signals. The word "modem" is an amalgam of "modulator" and "demodulator," the two functions that occur during transmission. Modems present a unique set of challenges from a security perspective. Leaving modems open for incoming calls with little or no authentication for users dialing in is a clear security vulnerability in the network, and war-dialing attacks take advantage of exactly this situation. War-dialing is the process by which an automated software application dials every number in a given range to determine whether any of them is answered by a modem that accepts dial-in requests. Setting the callback feature so that the modem calls the user back at a preset number, and using encryption and firewall solutions, will help keep the environment safe from attacks. Further precautions: • Monitor computers that have modems to check whether they have been compromised • Check for software updates for computers that have modems • Remove all unnecessary modems from computers
Remote Access Services Remote access servers (RAS) allow clients to use dial-up connections and network technologies to access servers and internal networks. RAS connections are made over dial-up, DSL, VPNs, cable modems and ISDN. Client systems with a modem can connect using normal dial-up connections to a properly equipped remote-access server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. The RAS environment is vulnerable to public PBX infrastructure vulnerabilities, RAS software bugs, buffer overflows, and social engineering. Apply vendor security patches as soon as they are available to protect against RAS software bugs. Social engineering and the public PBX infrastructure are common routes used by intruders to get into a RAS environment. Typical methods of securing remote access servers: • Implementing a strong authentication method or two-factor authentication • Limiting which users are allowed to dial in and limiting the dial-in hours • Implementing account lockout and strict password policies • Implementing a real-time alerting system • Allowing dial-in only and forcing callback to a preset number
Figure: A RAS connection between a remote workstation and a Windows server
Routers Routers enable connectivity between two or more networks and can connect multiple network segments into one network. Routers operate at the Network layer (Layer 3), using IP addresses to route packets to their destination along the most efficient path. Routers store information about network destinations in routing tables, which list the networks (and occasionally individual hosts) reachable on each side of the router and the next hop toward each. Routers can in many cases be configured to act as packet-filtering firewalls. When configured properly, they can prevent traffic to unauthorized ports from passing. Routers are the first line of defense and should therefore be configured to forward only traffic that is authorized by the network administrator. Access list entries can be specified to permit only authorized traffic and deny everything else; the end of an access list carries an implicit deny, so any traffic not explicitly permitted is dropped. Methods for securing routers: • Routers should be kept in locked rooms • Use complex passwords for administrative consoles • Routers should be kept current with the latest available vendor security patches • Configure access list entries to prevent unauthorized connections and routing of traffic • Use monitoring equipment to protect connection points and devices
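How access list entries are evaluated on a packet-filtering router, as an added example (not from the slides and not a vendor's implementation): a small Python parser and first-match evaluator for a simplified, Cisco-like access list syntax. The policy, addresses and the syntax subset are constructed for illustration; real access lists support far more (wildcard masks, port ranges, `established`, logging), but the two properties that matter for security are the same: the first matching entry wins, and anything that matches nothing is denied.

```python
"""Added example: first-match evaluation of a router access list.

Simplified Cisco-style syntax (constructed for illustration):
    permit|deny  ip|tcp|udp  <src-net|any>  <dst-net|any>  [eq <port>]
Evaluation stops at the first matching entry; a packet matching nothing is
denied, which mirrors the implicit deny at the end of every real access list.
"""
import ipaddress

# constructed policy: applied inbound on the outside interface
ACL_TEXT = """
deny   ip  10.0.0.0/8     any                     # spoofed internal source
permit tcp any            203.0.113.10/32 eq 80   # public web server
permit tcp any            203.0.113.10/32 eq 443
permit udp any            203.0.113.53/32 eq 53   # public DNS
deny   ip  any            any                     # explicit final deny (for logging)
"""


def _net(token):
    """'any' matches everything; anything else is a network in CIDR form."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_acl(text):
    """Parse ACL_TEXT-style lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        action, proto, src, dst = parts[:4]
        port = int(parts[5]) if len(parts) >= 6 and parts[4] == "eq" else None
        rules.append((action, proto, _net(src), _net(dst), port))
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """Return 'permit' or 'deny' for one packet: first match wins, else deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rsrc is not None and s not in rsrc:
            continue
        if rdst is not None and d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"          # implicit deny: nothing matched


RULES = parse_acl(ACL_TEXT)


def check(proto, src, dst, dport=None):
    """Convenience wrapper that evaluates a packet against the constructed policy."""
    return evaluate(RULES, proto, src, dst, dport)


if __name__ == "__main__":
    print(check("tcp", "198.51.100.7", "203.0.113.10", 80))   # permit
    print(check("tcp", "10.1.2.3", "203.0.113.10", 80))       # deny: spoofed source
    print(check("tcp", "198.51.100.7", "203.0.113.10", 22))   # deny: not permitted
```

Note the ordering: the anti-spoofing deny sits first so that a packet arriving from the Internet with an internal source address is rejected before any of the permit entries can match it. Reordering those lines changes the policy, which is why access lists are reviewed top to bottom.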
Routers Routers, in conjunction with a CSU/DSU, are also used to translate LAN framing to WAN framing. Such routers are referred to as border routers. Border routers decide who can come in and under what conditions. Dividing internal networks into two or more subnets is a common use for routers. Routers can also be connected internally to other routers, effectively creating autonomous zones. This type of connection keeps local network traffic off the network backbone and provides additional security internally. Routers establish routing tables. A router contains information about the networks connected to it and where to send packets if the destination is unknown (the default route). These tables grow as routes are learned from neighboring routers. Routers exchange routing information using three standard protocols: Routing Information Protocol (RIP) is a simple distance-vector protocol that is part of the TCP/IP protocol suite. Routers that use RIP routinely broadcast the status and routing information of known routers, and RIP chooses routes between systems using the smallest number of hops or connections. Border Gateway Protocol (BGP) allows groups of routers in different autonomous systems to share routing information and is the protocol used between networks on the Internet. Open Shortest Path First (OSPF) is a link-state protocol that allows routing information to be updated faster than with RIP.
Switches Switches can be used to connect multiple LAN segments. Switches operate at the Data Link layer of the OSI model (Layer 2), using the MAC address to send frames to their destination. Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used, which makes them more difficult to examine with network monitors: a computer on a given port sees only the frames addressed to it, plus broadcasts and frames whose destination the switch has not yet learned and therefore floods to all ports. Switches are used to create security segments on a LAN through the implementation of VLANs. Physical access control to the networking closet is critical to protect switched networks against any exposed supervisory ports that can be exploited by an attacker. Methods for securing switches: • Switches should be kept in locked rooms • Use complex passwords for administrative consoles • Switches should be kept current with the latest available vendor security patches • Use monitoring equipment to protect connection points and devices
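The difference between the hub described earlier and the switch described here, as one added example in Python (not from the slides): both devices are modelled as a forwarding function that returns the set of ports a frame is emitted on, so the question "who can see this frame?" has a concrete answer. The switch learns source MAC addresses, floods unknown destinations and broadcasts within a VLAN, and delivers known unicast to one port only. The hosts, MAC addresses and VLAN layout are constructed.

```python
"""Added example: why a hub leaks every frame and a switch (mostly) does not.

Hub:    Physical-layer repeater, every frame goes out every other port.
Switch: learns (vlan, source MAC) -> port, floods unknown unicast and
        broadcasts within the VLAN, forwards known unicast to a single port.
Hosts, MACs and VLAN assignments are constructed for the demonstration.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src_mac, dst_mac):
        return self.ports - {in_port}          # no isolation at all


class Switch:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)     # port -> VLAN id
        self.cam = {}                          # (vlan, mac) -> port

    def forward(self, in_port, src_mac, dst_mac):
        vlan = self.port_vlans[in_port]
        self.cam[(vlan, src_mac)] = in_port    # learn where the sender lives
        same_vlan = {p for p, v in self.port_vlans.items() if v == vlan} - {in_port}
        if dst_mac == BROADCAST:
            return same_vlan                   # broadcast: every port in the VLAN
        out = self.cam.get((vlan, dst_mac))
        if out is None:
            return same_vlan                   # unknown unicast is flooded, too
        return {out}                           # known unicast: exactly one port


def who_sees(device, in_port, src_mac, dst_mac, port_host):
    """Translate output ports into host names so the results read naturally."""
    return {port_host[p] for p in device.forward(in_port, src_mac, dst_mac)}


def demo():
    # constructed topology: three legitimate hosts and an attacker on port 4
    port_host = {1: "alice", 2: "bob", 3: "server", 4: "mallory"}
    mac = {"alice": "00:00:00:00:00:01", "bob": "00:00:00:00:00:02",
           "server": "00:00:00:00:00:03", "mallory": "00:00:00:00:00:04"}
    result = {}

    hub = Hub(port_host)
    result["hub"] = who_sees(hub, 1, mac["alice"], mac["server"], port_host)

    sw = Switch({1: 10, 2: 10, 3: 10, 4: 10})
    # first frame: the switch has not seen the server yet, so it floods
    result["switch_first"] = who_sees(sw, 1, mac["alice"], mac["server"], port_host)
    sw.forward(3, mac["server"], mac["alice"])     # server replies, switch learns it
    result["switch_learned"] = who_sees(sw, 1, mac["alice"], mac["server"], port_host)
    result["switch_bcast"] = who_sees(sw, 1, mac["alice"], BROADCAST, port_host)

    # VLAN segmentation: mallory moved to VLAN 20, floods no longer reach her
    vsw = Switch({1: 10, 2: 10, 3: 10, 4: 20})
    result["vlan_flood"] = who_sees(vsw, 1, mac["alice"], mac["server"], port_host)
    return result


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name:15} {sorted(hosts)}")
```

The `switch_first` result is the caveat behind "somewhat private" in the slide: until the switch has learned the destination, a unicast frame is flooded exactly as a hub would flood it, so an attacker on the same VLAN does see some traffic. The `vlan_flood` result shows what VLAN assignment buys: the attacker's port is no longer in the flood domain at all.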
Telecom/PBX Systems Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. These connections are made using existing network connections such as a T1 or T3 circuit. A PBX provides a connection to the public switched telephone network (PSTN) and provides telephone extensions for employees. A PBX is a programmable telephone switch that is typically located on a company's premises and can usually be remotely administered. For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy. To protect a PBX from attacks: • Make sure the PBX is in a secure area • Limit the number of entry points • Change default passwords • Only allow authorized maintenance • Require user names and passwords for remote PBX administration • Keep the telephone number used to remotely administer the PBX unlisted • Block all toll numbers and limit long-distance calling • Implement a PBX password change and audit policy Hackers often gain access to the phone system through social engineering, because the device is usually serviced through a remote maintenance port and a caller posing as the vendor's technician may talk staff into giving access to it.
Figure: A modern digital PBX system integrating voice and data onto a single network connection
Virtual Private Networks VPNs are used to make connections between private networks across a public network. VPN connections provide a mechanism for the creation of a secured "tunnel" through a public network such as the Internet using a tunneling protocol, such as L2TP or PPTP. Tunneling by itself does not guarantee confidentiality: the connection is secure only if an encryption system, such as IPSec, is also used, which is why L2TP is normally run over IPSec. PPTP's built-in encryption (MPPE keyed from MS-CHAPv2) has well-known weaknesses and should not be relied on for sensitive traffic.
VPN Server in Front of the Firewall With the VPN server placed in front of the firewall and attached directly to the Internet, configure the input and output filters on the VPN server's Internet interface (in Windows, using the Routing and Remote Access snap-in) so that they allow only VPN traffic to and from the IP address of that interface. For inbound traffic, once the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which applies its own filters before the traffic reaches intranet resources. Because the only traffic crossing the VPN server is traffic generated by authenticated VPN clients, the firewall's filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources. Because all Internet traffic allowed onto the intranet must go through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users. The VPN server itself is directly exposed to the Internet in this design, so it must be hardened and patched like any other bastion host.
VPN Server Behind the Firewall More commonly, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a DMZ. The VPN server has an interface on the DMZ and an interface on the intranet. In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ. The firewall does not have the encryption keys for each VPN connection, so it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall unexamined. This is acceptable because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server. When you deploy a VPN gateway in its own DMZ behind the external firewall, you receive the following benefits: • The firewall can protect the VPN gateway • The firewall can inspect plaintext from the VPN • Internet connectivity does not depend on the VPN gateway In this deployment, the following drawbacks are experienced: • The firewall needs special routes to the VPN gateway configured • Roaming client support is hard to achieve For the Internet interface on the firewall, input and output filters need to be configured using the firewall's configuration software.
Web Security Gateway A web security gateway can be thought of as a proxy server with web protection software built in. Web protection can range from a standard virus scanner on incoming packets to also monitoring outgoing user traffic for red flags. Potential red flags the gateway can detect/prohibit include: • Inappropriate content • Trying to establish a peer-to-peer connection with a file-sharing site • Instant messaging • Unauthorized tunneling You can configure most web security gateways to block known HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and block/strip cookies.
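The "strip ActiveX tags, strip Java applets, block/strip cookies" part of a web security gateway, as an added Python example that is not from the slides and not any product's code. It operates on one raw HTTP response (constructed here), removes `<object>` and `<applet>` elements from the body, optionally removes `Set-Cookie` headers, and recomputes `Content-Length` so the rewritten response is still well formed. Real gateways use a full HTML parser and decode compressed bodies before filtering; the regular expressions here are only good enough to show the idea.

```python
"""Added example (not from the slides): response filtering in a web security gateway.

The gateway sits as a proxy between browser and web server.  For a response
it removes ActiveX <object> tags and Java <applet> tags from the body and,
optionally, strips Set-Cookie headers, then fixes up Content-Length.
The sample response is constructed; the regexes are illustrative only.
"""
import re

SAMPLE = (  # constructed response from a hypothetical site
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: track=xyz; Domain=.example.test\r\n"
    "\r\n"
    "<html><body>\n"
    "<h1>Hello</h1>\n"
    '<object classid="clsid:12345678-1234-1234-1234-123456789ABC">'
    '<param name="x" value="1"></object>\n'
    '<applet code="Evil.class" width="1" height="1"></applet>\n'
    "<p>Plain text survives.</p>\n"
    "</body></html>\n"
)

ACTIVEX_RE = re.compile(r"<object\b.*?</object>", re.I | re.S)
APPLET_RE = re.compile(r"<applet\b.*?</applet>", re.I | re.S)
COOKIE_RE = re.compile(r"^set-cookie:.*\r\n", re.I | re.M)
LENGTH_RE = re.compile(r"^content-length:.*\r\n", re.I | re.M)


def filter_response(raw, strip_cookies=True):
    """Return (filtered_response, report) for one raw HTTP response string."""
    head, _, body = raw.partition("\r\n\r\n")
    head += "\r\n"                      # every header line now ends in CRLF
    report = {}
    body, report["activex"] = ACTIVEX_RE.subn("", body)
    body, report["applets"] = APPLET_RE.subn("", body)
    if strip_cookies:
        head, report["cookies"] = COOKIE_RE.subn("", head)
    else:
        report["cookies"] = 0
    # the body changed size, so any Content-Length the server sent is stale
    head = LENGTH_RE.sub("", head)
    head += f"Content-Length: {len(body.encode())}\r\n"
    return head + "\r\n" + body, report


if __name__ == "__main__":
    filtered, what = filter_response(SAMPLE)
    print(what)
    print(filtered)
```

The report dictionary is what a gateway would log: which red flags it found and how many it removed, per response. Forgetting to correct `Content-Length` is the classic bug in filters like this; a browser would otherwise wait for bytes that never come or, worse, read the next response as part of this one.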
Spam Filters Spam filters can be added to catch unwanted email and filter it out before it gets delivered internally. The filtering is done based on rules that are established, for example: • Block email coming from certain IP addresses • Block email that contains particular words in the subject line Spam filters can scan both incoming and outgoing messages; an internal PC that suddenly starts sending spam is a quick indicator that it has been infected with malware. A number of vendors make all-in-one devices that combine spam filters with firewalls, load balancers, and a number of other services.
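The two rule types listed above, applied to both directions of mail, as an added Python example (not from the slides, not a vendor's filter). It reads the originating IP from the topmost `Received:` header, which is the one added by our own border mail server and therefore the only one the sender cannot forge, checks it against a blocklist, checks the subject against a word list, and classifies the message as inbound or outbound by whether that IP is internal. The blocklists, the internal prefix and the four messages are all constructed.

```python
"""Added example: a rule-based spam filter of the kind the slide describes.

Rules: block messages whose originating IP (taken from the Received: header
that our own server added, the topmost one) is on a blocklist, and block
messages with listed words in the subject.  The same rules run on outbound
mail so that an internal machine that has started spamming shows up.
Addresses, word lists and the sample messages are constructed.
"""
import re
from email import message_from_string

BLOCKED_IPS = {"203.0.113.66", "198.51.100.200"}              # assumption
BLOCKED_SUBJECT_WORDS = {"lottery", "viagra", "urgent wire"}  # assumption
INTERNAL_NET_PREFIX = "10.0.0."                               # assumption

# our MTA writes Received: headers as "from <host> ([<ip>])"
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg):
    """Use only the topmost Received: header; ones below it may be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def classify(raw):
    """Return (verdict, direction, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    ip = originating_ip(msg)
    subject = (msg.get("Subject") or "").lower()
    reasons = []
    if ip in BLOCKED_IPS:
        reasons.append(f"blocked source {ip}")
    hits = sorted(w for w in BLOCKED_SUBJECT_WORDS if w in subject)
    if hits:
        reasons.append("subject words: " + ", ".join(hits))
    direction = "outbound" if ip and ip.startswith(INTERNAL_NET_PREFIX) else "inbound"
    verdict = "BLOCK" if reasons else "DELIVER"
    return verdict, direction, reasons


# constructed sample messages (only the headers matter to these rules)
SAMPLES = {
    "clean": "Received: from mail.partner.test ([192.0.2.10])\n"
             "From: a@partner.test\nSubject: Meeting notes\n\nhi\n",
    "bad_ip": "Received: from relay ([203.0.113.66])\n"
              "From: x@example.test\nSubject: hello\n\nbody\n",
    "bad_subject": "Received: from mx ([192.0.2.11])\n"
                   "From: y@example.test\nSubject: You won the LOTTERY\n\nbody\n",
    "infected_pc": "Received: from desktop42 ([10.0.0.42])\n"
                   "From: bob@corp.test\nSubject: URGENT WIRE transfer\n\nbody\n",
}


def run_all():
    """Classify every sample; the 'infected_pc' case is the outbound alert."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, direction, reasons) in run_all().items():
        print(f"{name:12} {direction:8} {verdict:7} {'; '.join(reasons)}")
```

The `infected_pc` case is the point of scanning outbound mail: the message is blocked like any other spam, but its direction and source address tell the administrator which internal machine to go and look at.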