Part06 infrastructure security
Document Transcript

Part06 Infrastructure Security
IT Faculty – DaLat University, March 2012
Phan Thi Thanh Nga

Contents
• Crafting a Security Network
• Applying Network Security Devices
• Protocol Analyzers
• Integrated Network Security Hardware
• Network Defenses
• A Defense-in-Depth Approach

Crafting a Security Network
• Security through Network Design
  • Network segmentation / Subnetting
  • Virtual LAN (VLAN)
  • Demilitarized Zone (DMZ)
• Security through Network Technologies
  • Network Address Translation (NAT)
  • Network Access Control (NAC)

Security through Network Design: Subnetting
• Instead of just having networks and hosts, using subnetting, networks can essentially be divided into three parts: network, subnet, and host
• Each network can contain several subnets, and each subnet, connected through different routers, can contain multiple hosts

Security through Network Design (figure only)

Security through Network Design: Advantages of subnetting (figure only)
  • 3/7/2012 Security through Network Design Security through Network DesignSubnetting: improve network security  Subnetting: improve network security  Networks can be subnetted so that each  Wireless subnetworks, research and department, remote office, campus building, development subnetworks, finance floor in a building, or group of users can have subnetworks, human resource subnetworks, its own subnet address and subnetworks that face the Internet can all  Network administrators can utilize network be separate security tools to make it easier to regulate  The source of potential security issues can who has access in and out of a particular be quickly addressed subnetwork7 Phan Thi Thanh Nga 8 Phan Thi Thanh Nga Security through Network Design Security through Network DesignSubnetting: improve network security  Virtual LAN (VLAN)  It allows network administrators to hide the  ln most network environments, networks are internal network layout divided or segmented by using switches to  This can make it more difficult for attackers divide the network into a hierarchy. to target their attacks.  Core switches reside at the top of the hierarchy and carry traffic between switches, while workgroup switches are connected directly to the devices on the network9 Phan Thi Thanh Nga 10 Phan Thi Thanh Nga Security through Network Design Security through Network Design  Virtual LAN (VLAN)  Grouping by user can sometimes be difficult because all users may not be in the same location and served by the same switch. Segment a network by separating devices into logical groups. This is known as creating a virtual LAN (VLAN)  VLANS can be isolated so that sensitive data is transmitted only to members of the VLAN11 Phan Thi Thanh Nga 12 Phan Thi Thanh Nga 2
  • 3/7/2012 Security through Network Design Security through Network Design Virtual LAN (VLAN)  Demilitarized Zone (DMZ)  VLANS can also be victims of attacks  Devices that provide services to outside users  Because a VLAN is heavily dependent upon are most vulnerable to attack the switch for correctly directing packets,  If attackers are able to penetrate the security of these servers,they may be able to access devices on the internal LAN .  An additional level of security would be to isolate these services in their own network.13 Phan Thi Thanh Nga 14 Phan Thi Thanh Nga Security through Network Design Security through Network Design Demilitarized Zone (DMZ)  A demilitarized zone (DMZ) is a separate network that sits outside the secure network perimeter  Outside users can access the DM Z but cannot enter the secure network15 Phan Thi Thanh Nga 16 Phan Thi Thanh Nga Security through Network Design Security through Network Design Demilitarized Zone (DMZ): DMZ with single firewall  A single firewall with three network interfaces is used: the link to the lnternet, the DMZ, and the secure internal LAN  this makes the firewall device a single point of failure for the network  the firewall device also take care of all of the traffic to both the DMZ and internal network17 Phan Thi Thanh Nga 18 Phan Thi Thanh Nga 3
  • 3/7/2012Security through Network Technologies Security through Network Technologies Network Address Translation (NAT)  “You cannot attack what you cannot see” is the security philosophy behind systems using network address translation (NAT).  NAT hides the IP addresses of network devices from attackers.  An attacker who captures the packet on the lnternet cannot determine the actual IP address of the sender  Without that address, it is more difficult to identify and attack a computer19 Phan Thi Thanh Nga 20 Phan Thi Thanh NgaSecurity through Network Technologies Security through Network Technologies Network Access Control (NAC)  NAC examines the current state of a system or network device before it is allowed to connect to the network  Any device that does not meet a specified set of criteria, such as having the most current antivirus signature or the software firewall properly enabled is only allowed to connect to a quarantine network where the security deficiencies are corrected21 Phan Thi Thanh Nga 22 Phan Thi Thanh NgaSecurity through Network Technologies Security through Network Technologies NAC process  NAC process  The cient performs a self-assessment using a  If the client is approved by the HRA it is System Health Agent (SHA) to determine its issued a Health Certificate. current security posture  The HeaIth Certificate is then presented to the  The assessment, known as a Statement of network servers to verify that the clients Hea1th (SoH), is sent to a server called the security condition has been approved. Health Registration Authority (HRA). This  If the client is not approved, it is connected to server enforces the security policies of the a quarantine VLAN where the deficien-cies network. 
It also integrates with other external are corrected, and then the computer is authorities such as antivirus and patch allowed to connect to the network management servers in order to retrieve current configuration information23 Phan Thi Thanh Nga 24 Phan Thi Thanh Nga 4
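The SHA → SoH → HRA → Health Certificate exchange from the NAC process slides, as an added example (not from the lecture or any NAC product). The SoH fields, the policy values, the fixed "today" date and the HMAC standing in for the certificate are all assumptions for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed policy (assumption): signatures may be at most 3 days old and the
# software firewall must be on. The key is a demo value, not a real secret.
HRA_KEY = b"hra-demo-key-not-for-production"
TODAY = date(2012, 3, 7)
MAX_SIGNATURE_AGE = timedelta(days=3)

def system_health_agent(av_signature_date: str, firewall_enabled: bool, host: str) -> dict:
    """Client side: the SHA self-assessment produces a Statement of Health."""
    return {"host": host, "av_signature_date": av_signature_date,
            "firewall_enabled": firewall_enabled}

def hra_evaluate(soh: dict) -> list:
    """HRA side: list the policy deficiencies (empty list means approved)."""
    deficiencies = []
    sig_date = date.fromisoformat(soh["av_signature_date"])
    if TODAY - sig_date > MAX_SIGNATURE_AGE:
        deficiencies.append("antivirus signatures out of date")
    if not soh["firewall_enabled"]:
        deficiencies.append("software firewall disabled")
    return deficiencies

def issue_health_certificate(host: str, key: bytes = HRA_KEY) -> str:
    """HRA side: a keyed MAC over host name and validity date stands in for the
    Health Certificate issued to an approved client (assumption)."""
    msg = f"{host}|{TODAY.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def network_server_verify(host: str, certificate: str, key: bytes = HRA_KEY) -> bool:
    """Server side: a network server checks the presented certificate before
    serving the client; constant-time comparison avoids a timing leak."""
    expected = issue_health_certificate(host, key)
    return hmac.compare_digest(expected, certificate)

def nac_admission(soh: dict) -> dict:
    """Whole exchange: approved clients get a certificate and the production
    network; all others land on the quarantine VLAN with the list of fixes."""
    deficiencies = hra_evaluate(soh)
    if deficiencies:
        return {"vlan": "quarantine", "deficiencies": deficiencies, "certificate": None}
    cert = issue_health_certificate(soh["host"])
    return {"vlan": "production", "deficiencies": [], "certificate": cert}
```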
  • 3/7/2012Security through Network Technologies Contents NAC  NAC can be an effective tool for identifying Crafting a Security Network and correcting systems that do not have adequate security installed and preventing Applying Network Security Devices these devices from infecting others. Protocol Analyzers Integrated Network Security Hardware A Defense-in-Depth Approach25 Phan Thi Thanh Nga 26 Phan Thi Thanh Nga Applying Network Security Devices Applying Network Security Devices Firewall  Firewall Proxy Server  A firewall is a hardware or software component designed to protect one network Honey pots from another Network Intrusion Detection Systems  Often, firewalls are deployed between a (NIDS) private trusted network and a public untrustedHost and Network Intrusion Prevention network (such as the Internet) or between two Systems (HIPS/NIPS) networks that belong to the same organization but are from different departments27 Phan Thi Thanh Nga 28 Phan Thi Thanh Nga Applying Network Security Devices Applying Network Security Devices Firewall  There are three basic types of  Firewalls manage traffic using filters. firewalls, plus an additional form  A filter is just a rule. If a packet meets the (stateful inspection) that combines the identification criteria of a rule, then the action features of the first three of that rule is applied. If a packet doesn’t meet  Packet filter the criteria of rule, then no action from that  Circuit-level gateway rule is applied, and the next rule is checked.  Application-level gateway  Stateful inspection firewall29 Phan Thi Thanh Nga 30 Phan Thi Thanh Nga 5
  • 3/7/2012 Firewall Firewall Packet filter  Circuit-level gateway  A packet filter firewall filters traffic based on  A circuit-level gateway firewall filters traffic by basic identification items found in a network monitoring the activity within a session packet’s header between an internal trusted host and an  Packet-filtering firewalls operate at the external untrusted host. Network layer (layer 3) of the OSI model  This monitoring occurs at the Session layer (layer 5) of the OSI model31 Phan Thi Thanh Nga 32 Phan Thi Thanh Nga Firewall Firewall Application-level gateway  Stateful inspection firewall  Filters traffic based on user access, group  Combines features of the three basic firewall membership, the application or service used, types and includes the ability to understand or even the type of resources being the context of communications across multiple transmitted. packets and across multiple layers.  This type of firewall operates at the  Application layer (layer 7) of the OSI model.33 Phan Thi Thanh Nga 34 Phan Thi Thanh Nga Firewall Applying Network Security Devices  Proxy  A proxy server is a computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user.  Similar to NAT, the goal of a proxy server is to hide the IP address of client systems inside the secure network.35 Phan Thi Thanh Nga 36 Phan Thi Thanh Nga 6
  • 3/7/2012 Applying Network Security Devices Applying Network Security Devices Reverse proxy  A reverse proxy does not serve clients but instead routes incoming requests to the correct server.  Requests for services are sent to the reverse proxy that then forwards it to the server.  To the outside user the IP address of the reverse proxy is the final IP address for requesring services  Only the reverse proxy can access the internal servers.37 Phan Thi Thanh Nga 38 Phan Thi Thanh Nga Applying Network Security Devices Applying Network Security Devices Honeypot  A honeypot is a computer typically located in a DMZ  Loaded with software and data files that appear to be authentic, yet they are actually imitations of real data files.  Intended to trap or trick attackers39 Phan Thi Thanh Nga 40 Phan Thi Thanh Nga Honeypot Applying Network Security Devices There are three primary purposes of a  Network Intrusion Detection Systems honeypot: (NIDS)  Deflect attention  Attempts to identify inappropriate activity • direct an attackers attention away from legitimate (same functionality as a burglar alarm system) servers  Host lntrusion Detection Systems (HIDS) • encourages attackers to spend their time and attempt to monitor and possibly prevent energy on the decoy server attempts to attack a local system  Early warnings of new attacks  A network intrusion detection system (NIDS)  Examine attacker techniques watches for attempts to penetrate a network41 Phan Thi Thanh Nga 42 Phan Thi Thanh Nga 7
  • 3/7/2012 Applying Network Security Devices Applying Network Security Devices  Host and Network Intrusion Prevention Systems (HIPS/NIPS)  finds malicious traffic deals with it immediately  block all incoming traffic on a specific port  HIPS: monitoring and intercepting requests in order to prevent attacks.  NIPS: work to protect the entire network and all devices that are connected to it.43 Phan Thi Thanh Nga 44 Phan Thi Thanh Nga Contents Protocol Analyzers  There are three ways in which an Crafting a Security Network intrusion detection system or intrusion prevention system can detect a Applying Network Security Devices potential intrusion.  detect statistical anomalies. Protocol Analyzers  examine network traffic and look for well- Integrated Network Security Hardware known patterns of attack, much like antivirus scanning. A Defense-in-Depth Approach • the pattern lcgi-bin/pbf? usually indicates that an attacker is attempting to access a vulnerable script on a W eb server.45 Phan Thi Thanh Nga 46 Phan Thi Thanh Nga Protocol Analyzers Contents  Use protocol analyzer technology. • Protocol analyzers can fully decode application- Crafting a Security Network layer network protocols • Once these protocols are decoded, the different Applying Network Security Devices parts of the protocol can be analyzed for any suspicious behavior. Protocol Analyzers Integrated Network Security Hardware A Defense-in-Depth Approach47 Phan Thi Thanh Nga 48 Phan Thi Thanh Nga 8
Integrated Network Security Hardware
• Information can be protected either by using software that runs on the device that is being protected or by a separate hardware device
• Software-only defenses are more often limited to home computers
• Most organizations use security hardware appliances

Integrated Network Security Hardware
• Dedicated security appliances:
  • Provide a single security service, such as firewall or antivirus protection
  • More easily scale as needs increase
• Multipurpose security appliances:
  • Provide multiple security functions, such as: antispam and antiphishing, antivirus and antispyware, bandwidth optimization, content filtering, encryption, firewall, instant messaging control, intrusion protection system, Web filtering

Integrated Network Security Hardware
• Recent trend: combine or integrate multipurpose security appliances with a traditional network device, such as a switch or router, to create integrated network security hardware
• Advantage: these network devices already process every packet that flows across the network

A Defense-in-Depth Approach
• Defense in depth increases security by raising the cost of an attack
• This system places multiple barriers between an attacker and your business-critical information resources: the deeper an attacker tries to go, the harder it gets

A Defense-in-Depth Approach: Defense-in-Depth Security Model (figure)
• Layers: Data, Applications, Hosts, Internal, Perimeter
Network Defenses
• Network Segmentation
• Access Points
• Routers and Switches
• Firewalls
• Content Filtering
• IDS / IPS
• Remote Access
• Event Management
• Vulnerability Management

Network Segmentation (figure only)

Network Access / Entry Points
• Entry points into the network infrastructure
• Classify the access points
• Develop a security risk profile for each access point
• Each access point presents a threat for unauthorized and malicious access to the network infrastructure

Network Access Points (figure only)

Routers and Switches
• Typically responsible for transporting data to all areas of the network
• Sometimes overlooked as being able to provide a defense layer
• Capable of providing an efficient and effective security role in a Defense-in-Depth strategy

Simple Router & Switch Network (figure only)
  • 3/7/2012 Firewalls Firewalls First defenses thought of when working on a Defense-in-Depth strategy Provide granular access controls for a network infrastructure Firewall Types:  Packet filtering  Proxy based  Stateful Inspection Continuing to increase their role by performing application layer defenses on the network 61 Phan Thi Thanh Nga 62 Phan Thi Thanh Nga Content Filtering Content Filtering Protection of application and data content being delivered across the networkContent filtering looks for:  Virus  File attachments  SPAM  Erroneous Web Surfing  Proprietary / Intellectual PropertyCommonly used network protocols:  SMTP, HTTP, FTP, and instant messaging 63 Phan Thi Thanh Nga 64 Phan Thi Thanh Nga IDS / IPS IDS / IPS Detect malicious network traffic and unauthorized computer usage Detection Strategies  Signature-based  Anomaly-based  Heuristic-based  Behavioral-based View of traffic from a single point Similar technologies are applied at the host and network layers 65 Phan Thi Thanh Nga 66 Phan Thi Thanh Nga 11
  • 3/7/2012 Remote Access Remote AccessIdentify all remote access points into the network infrastructure.Driven by the need to promote business productivityExpanding the perimeterRequires strict access controls and continuous activity monitor67 Phan Thi Thanh Nga 68 Phan Thi Thanh Nga Security Event Management Security Event Management The collection and correlation events on all devices attached to the network infrastructure.Provides insight into events which would go unnoticed at other individual defense layersProvide automated alerts of suspicious activity69 Phan Thi Thanh Nga 70 Phan Thi Thanh Nga Vulnerability Management Vulnerability ManagementContinuous process of assessing and evaluating the network infrastructureMultiple views / perspectivesIntegration with Patch Management and ticketing systemsConfiguration & maintenance validation71 Phan Thi Thanh Nga 72 Phan Thi Thanh Nga 12
Additional Defenses: Connecting the Hosts & Network
• Security Policies
• Network Admission Control (NAC)
• Authentication Services
• Data Encryption
• Patch Management
• Application Layer Gateway