Devices - PowerPoint PPT Presentation

About This Presentation
Title:

Devices

Description:

... install latest version of software and security patches Read product documentation Set strong passwords Quick Quiz The process by ... Security ACLs Virtual Local ... – PowerPoint PPT presentation

Number of Views:125
Avg rating:3.0/5.0
Slides: 64
Provided by: Anne3233
Category:
Tags: acls | devices | quiz

less

Transcript and Presenter's Notes

Title: Devices


1
Devices
  • Chapter 9

2
Learning Objectives
  • Understand the purpose of a network firewall and
    the kinds of firewall technology available on the
    market
  • Understand the role of routers, switches, and
    other networking hardware in security
  • Determine when VPN or RAS technology works to
    provide a secure network connection

3
Firewalls
  • Hardware or software device that provides means
    of securing a computer or network from unwanted
    intrusion
  • Dedicated physical device that protects network
    from intrusion
  • Software feature added to a router, switch, or
    other device that prevents traffic to or from
    part of a network

4
Management Cycle forFirewall Protection
  1. Draft a written security policy
  2. Design the firewall to implement the policy
  3. Implement the design by installing selected
    hardware and software
  4. Test the firewall
  5. Review new threats, requirements for additional
    security, and updates to systems and software
    repeat process from first step

5
Drafting a Security Policy
  • What am I protecting?
  • From whom?
  • What services does my company need to access over
    the network?
  • Who gets access to what resources?
  • Who administers the network?

6
Available Targets and Who Is Aiming at Them
  • Common areas of attack
  • Web servers
  • Mail servers
  • FTP servers
  • Databases
  • Intruders
  • Sport hackers
  • Malicious hackers

7
(No Transcript)
8
Who Gets Access to Which Resources?
  • List employees or groups of employees along with
    files and file servers and databases and database
    servers they need to access
  • List which employees need remote access to the
    network

9
Who Administers the Network?
  • Determine individual(s) and scope of individual
    management control

10
Designing the Firewallto Implement the Policy
  • Select appropriate technology to deploy the
    firewall

11
What Do Firewalls Protect Against?
  • Denial of service (DoS)
  • Ping of death
  • Teardrop or Raindrop attacks
  • SYN flood
  • LAND attack
  • Brute force or smurf attacks
  • IP spoofing

12
How Do Firewalls Work?
  • Network address translation (NAT)
  • Basic packet filtering
  • Stateful packet inspection (SPI)
  • Access control lists (ACL)

13
Network Address Translation (NAT)
  • Only technique used by basic firewalls
  • Enables a LAN to use one set of IP addresses for
    internal traffic and a second set for external
    traffic
  • Each active connection requires a unique external
    address for duration of communication
  • Port address translation (PAT)
  • Derivative of NAT
  • Supports thousands of simultaneous connections on
    a single public IP address

14
Basic Packet Filtering
  • Firewall system examines each packet that enters
    it and allows through only those packets that
    match a predefined set of rules
  • Can be configured to screen information based on
    many data fields
  • Protocol type
  • IP address
  • TCP/UDP port
  • Source routing information

15
Stateful Packet Inspection (SPI)
  • Controls access to network by analyzing
    incoming/outgoing packets and letting them pass
    or not based on IP addresses of source and
    destination
  • Examines a packet based on information in its
    header
  • Enhances security by allowing the filter to
    distinguish on which side of firewall a
    connection was initiated essential to blocking
    IP spoofing attaches

16
Access Control Lists (ACL)
  • Rules built according to organizational policy
    that defines who can access portions of the
    network
  • Access-list 101 permit tcp any 1.2.1.222 0.0.0.0
    eq 80
  • Access-list 101 deny ip any 1.2.1.222 0.0.0.0

17
Routers
  • Network management device that sits between
    network segments and routes traffic from one
    network to another
  • Allows networks to communicate with one another
  • Allows Internet to function
  • Act as digital traffic cop (with addition of
    packet filtering)

18
How a Router Moves Information
  • Examines electronic envelope surrounding a
    packet compares address to list of addresses
    contained in routers lookup tables
  • Determines which router to send the packet to
    next, based on changing network conditions

19
How a Router Moves Information
20
Beyond the Firewall
  • Demilitarized zone (DMZ)
  • Bastion hosts (potentially)

21
Demilitarized Zone
  • Area set aside for servers that are publicly
    accessible or have lower security requirements
  • Sits between the Internet and internal networks
    line of defense
  • Stateful device fully protects other internal
    systems
  • Packet filter allows external traffic only to
    services provided by DMZ servers
  • Allows a company to host its own Internet
    services without sacrificing unauthorized access
    to its private network

22
(No Transcript)
23
Bastion Hosts
  • Computers that reside in a DMZ and that host Web,
    mail, DNS, and/or FTP services
  • Gateway between an inside network and an outside
    network
  • Defends against attacks aimed at the inside
    network used as a security measure
  • Unnecessary programs, services, and protocols are
    removed unnecessary network ports are disabled
  • Do not share authentication services with trusted
    hosts within the network

24
Application Gateways
  • Also known as proxy servers
  • Monitor specific applications (FTP, HTTP, Telnet)
  • Allow packets accessing those services to go to
    only those computers that are allowed
  • Good backup to packet filtering

25
Application Gateways
  • Security advantages
  • Information hiding
  • Robust authentication and logging
  • Simpler filtering rules
  • Disadvantage
  • Two steps are required to connect inbound or
    outbound traffic can increase processor overhead

26
OSI Reference Model
  • Architecture that classifies most network
    functions
  • Seven layers
  • Application
  • Presentation
  • Session
  • Transport
  • Network
  • Data-Link
  • Physical

27
(No Transcript)
28
The OSI Stack
  • Layers 4 and 5
  • Where TCP and UDP ports that control
    communication sessions operate
  • Layer 3
  • Routes IP packets
  • Layer 2
  • Delivers data frames across LANs

29
Limitations of Packet-Filtering Routers
  • ACL can become long, complicated, and difficult
    to manage and comprehend
  • Throughput decreases as number of rules being
    processed increases
  • Unable to determine specific content or data of
    packets at layers 3 through 5

30
Switches
  • Provide same function as bridges (divide
    collision domains), but employ application-specifi
    c integrated circuits (ASICs) that are optimized
    for the task
  • Reduce collision domain to two nodes (switch and
    host)
  • Main benefit over hubs
  • Separation of collision domains limits the
    possibility of sniffing

31
Switches
32
Switch Security
  • ACLs
  • Virtual Local Area Networks (VLANs)

33
Virtual Local Area Network
  • Uses public wires to connect nodes
  • Broadcast domain within a switched network
  • Uses encryption and other security mechanisms to
    ensure that
  • Only authorized users can access the network
  • Data cannot be intercepted
  • Clusters users in smaller groups
  • Increases security from hackers
  • Reduces possibility of broadcast storm

34
Security Problems with Switches
  • Common ways of switch hijacking
  • Try default passwords which may not have been
    changed
  • Sniff network to get administrator password via
    SNMP or Telnet

35
Securing a Switch
  • Isolate all management interfaces
  • Manage switch by physical connection to a serial
    port or through secure shell (SSH) or other
    encrypted method
  • Use separate switches or hubs for DMZs to
    physically isolate them from the network and
    prevent VLAN jumping

continued
36
Securing a Switch
  • Put switch behind dedicated firewall device
  • Maintain the switch install latest version of
    software and security patches
  • Read product documentation
  • Set strong passwords

37
Quick Quiz
  • The process by which a private IP address in a
    corporate network is translated into a public
    address by a router or firewall is
    called_____________
  • True or False Advanced firewalls use stateful
    packet inspection to improve security.
  • A computer providing public network services that
    resides inside a corporate network but outside
    its firewall is called a ______.
  • True or False IP packets are routed by layer 2
    of the OSI model.
  • A feature available in some switches that permit
    separating the switch into multiple broadcast
    domains is called _________.

38
Wireless
  • Almost anyone can eavesdrop on a network
    communication
  • Encryption is the only secure method of
    communicating with wireless technology

39
Modems
40
DSL versus Cable Modem Security
  • DSL
  • Direct connection between computer/network and
    the Internet
  • Cable modem
  • Connected to a shared segment party line
  • Most have basic firewall capabilities to prevent
    files from being viewed or downloaded
  • Most implement the Data Over Cable Service
    Interface Specification (DOCSIS) for
    authentication and packet filtering

41
Dynamic versus Static IP Addressing
  • Static IP addresses
  • Provide a fixed target for potential hackers
  • Dynamic IP addresses
  • Provide enhanced security
  • By changing IP addresses of client machines, DHCP
    server makes them moving targets for potential
    hackers
  • Assigned by the Dynamic Host Configuration
    Protocol (DHCP)

42
Remote Access Service (RAS)
  • Provides a mechanism for one computer to securely
    dial in to another computer
  • Treats modem as an extension of the network
  • Includes encryption and logging
  • Accepts incoming calls
  • Should be placed in the DMZ

43
Security Problems with RAS
  • Behind physical firewall potential for network
    to be compromised
  • Most RAS systems offer encryption and callback as
    features to enhance security

44
Telecom/Private Branch Exchange (PBX)
  • PBX
  • Private phone system that offers features such as
    voicemail, call forwarding, and conference
    calling
  • Failure to secure a PBX can result in toll fraud,
    theft of information, denial of service, and
    enhanced susceptibility to legal liability

45
IP-Based PBX
46
PBX Security Concerns
  • Remote PBX management
  • Hoteling or job sharing
  • Many move codes are standardized and posted on
    the Internet

47
Virtual Private Networks
  • Provide secure communication pathway or tunnel
    through public networks (eg, Internet)
  • Lowest levels of TCP/IP are implemented using
    existing TCP/IP connection
  • Encrypts either underlying data in a packet or
    the entire packet itself before wrapping it in
    another IP packet for delivery
  • Further enhances security by implementing
    Internet Protocol Security (IPSec)

48
(No Transcript)
49
Intrusion Detection Systems (IDS)
  • Monitor networks and report on unauthorized
    attempts to access any part of the system
  • Available from many vendors
  • Forms
  • Software (computer-based IDS)
  • Dedicated hardware devices (network-based IDS)
  • Types of detection
  • Anomaly-based detection
  • Signature-based detection

50
Computer-based IDS
  • Software applications (agents) are installed on
    each protected computer
  • Make use of disk space, RAM, and CPU time to
    analyze OS, applications, system audit trails
  • Compare these to a list of specific rules
  • Report discrepancies
  • Can be self-contained or remotely managed
  • Easy to upgrade software, but do not scale well

51
Network-based IDS
  • Monitors activity on a specific network segment
  • Dedicated platforms with two components
  • Sensor
  • Passively analyzes network traffic
  • Management system
  • Displays alarm information from the sensor

52
(No Transcript)
53
Anomaly-based Detection
  • Builds statistical profiles of user activity and
    then reacts to any activity that falls outside
    these profiles
  • Often leads to large number of false positives
  • Users do not access computers/network in static,
    predictable ways
  • Cost of building a sensor that could hold enough
    memory to contain the entire profile and time to
    process the profiles is prohibitively large

54
Signature-based Detection
  • Similar to antivirus program in its method of
    detecting potential attacks
  • Vendors produce a list of signatures used by the
    IDS to compare against activity on the network or
    host
  • When a match is found, the IDS take some action
    (eg, logging the event)
  • Can produce false positives normal network
    activity may be construed as malicious

55
Network Monitoring and Diagnostics
  • Essential steps in ensuring safety and health of
    a network (along with IDS)
  • Can be either stand-alone or part of a
    network-monitoring platform
  • HPs OpenView
  • IBMs Netview/AIX
  • Fidelias NetVigil
  • Aprismas Spectrum

56
Ensuring Workstation andServer Security
  • Remove unnecessary protocols such as NetBIOS or
    IPX
  • Remove unnecessary user accounts
  • Remove unnecessary shares
  • Rename the administrator account
  • Use strong passwords

57
Personal Firewall Software Packages
  • Offer application-level blocking, packet
    filtering, and can put your computer into stealth
    mode by turning off most if not all ports
  • Many products available, including
  • Norton Firewall
  • ZoneAlarm
  • Black Ice Defender
  • Tiny Softwares Personal Firewall

58
Firewall Product Example
59
Antivirus Software Packages
  • Necessary even on a secure network
  • Many vendors, including
  • McAffee
  • Norton
  • Computer Associates
  • Network Associates

60
Mobile Devices
  • Can open security holes for any computer with
    which these devices communicate

61
Chapter Summary
  • Virtual isolation of a computer or network by
    implementing a firewall through software and
    hardware techniques
  • Routers
  • Switches
  • Modems
  • Various software packages designed to run on
    servers, workstations, and PDAs

continued
62
Chapter Summary
  • Virtual private networks (VPNs)
  • Private branch exchanges (PBX)
  • Remote Access Services (RAS)

63
Quick Quiz
  • The standard used to help secure cable modem
    communications is called ____________
  • True or False Static IP addressing is the most
    secure form of addressing.
  • True or False RAS should be placed in the DMZ.
  • A _____________ is used to provide a secure
    communication channel through the public Internet
  • ______________ based IDS uses statistical
    profiles.
Write a Comment
User Comments (0)
About PowerShow.com