Information Security Lesson 5 - Network Infrastructure - Eric Vanderburg
Transcript

  • 1. Information Security – Chapter 5: Securing the Network Infrastructure. Information Security © 2006 Eric Vanderburg
  • 2. Cabling
    • Cable Plant – Network infrastructure
    • Cable Characteristics
      – Bandwidth Rating
      – Max Segment Length
      – Segments per network
      – Devices per segment
      – Interference Susceptibility (EMI & RFI)
      – Connection Hardware
      – Cable Grade (PVC or Plenum Grade Teflon)
      – Bend radius
      – Cost (Material, Installation, & Maintenance)
  • 3. Coaxial Cable (Coax)
    • Thicknet (10base5)
      – ½ inch thick
      – RG-11 or RG-8
      – Vampire tap
      – AUI (Attachment Unit Interface) – 15 pin DB-15
    • Thinnet (10base2)
      – BNC (British Naval Connector)
      – 50 ohms impedance
      – RG-58
    • Coax for Broadband (RG-59, 75 Ohm)
  • 4. Twisted Pair
    • Twists reduce crosstalk
    • UTP (Unshielded Twisted Pair) – 10baseT
    • STP (Shielded Twisted Pair) – Foil wrapped around wires
    • Phone line (RJ-11)
    • TP Network cable (RJ-45)
    • 100 Meter max length
  • 5. Twisted Pair Categories
    • Cat1 – voice only, before 1982
    • Cat2 – 4 wires, 4Mbps
    • Cat3 – 4 wires, 10Mbps, 3 twists/foot
    • Cat4 – 8 wires, 16Mbps
    • Cat5 – 8 wires, 100Mbps
    • Cat5e – 8 wires, 1Gbps, full-duplex, 100MHz*
    • Cat6 – 8 wires, 1Gbps, 250MHz*, larger, more sensitive
    • Cat7 – 8 wires, shielded, 1Gbps, 600MHz*, individually shielded pairs
    • *Easier to detect defects with higher frequencies
  • 6. Fiber Optic
    • Signal sent by light
    • No eavesdropping
    • No interference
    • Two cables needed for full duplex
    • Surrounded by Kevlar
    • Max length: 2-100 km
    • 1Gbps & 10Gbps implementations
    • Difficult to install
    • Expensive (Cable, Install, Maintenance)
  • 7. Fiber Optic Connectors
    • ST (Straight Tip)
    • SC (Straight Connection)
    • LC (Link Control)
    • MIC (Medium Interface Connector)
    • MT-RJ – two cables in one, RJ-45 clone
    • SMA (Subminiature Type A)
  • 8. Fiber Optic cable types
    • Single mode
      – Laser based
      – Spans longer distance
      – One piece of glass
      – Core: 2-9 microns
    • Multi-mode
      – LED based
      – Shorter distance
      – Multiple pieces of glass
      – Core: 25-200 microns
  • 9. Quick Comparison
    Type     | Length           | Bandwidth      | Installation | Interference | Cost
    UTP      | 100 meters       | 10Mbps-1Gbps   | Easy         | High         | Cheapest
    STP      | 100 meters       | 16Mbps-1Gbps   | Moderate     | Moderate     | Moderate
    Thinnet  | 185 meters       | 10Mbps         | Easy         | Moderate     | Cheap
    Thicknet | 500 meters       | 10Mbps         | Hard         | Low          | Expensive
    Fiber    | 2-100 kilometers | 100Mbps-10Gbps | Moderate     | None         | Most Expensive
  • 10. Sniffers
    • Captures all data packets that travel on a network.
    • Designed for use in network diagnostics
    • Hard to trace because it is passive
    • Can be used to find passwords or other sensitive information
    • Mitigate with switched networks
    • Protect the physical environment
    • Watch out for compromised hosts
  • 11. Removable Media
    • Optical Media
      – CD
      – DVD
    • Magnetic Media
      – Floppy disk
      – Hard drive
      – Micro drive
      – Tape
    • Flash Media
      – USB Stick, CF (non microdrive), SD, MMC, SmartMedia, Game cartridge, PCMCIA, ROM Chips
  • 12. Securing Removable Media
    • Encrypt USB Sticks
    • Disable or lock USB ports on the computer
    • Physical check that devices are not brought in
  • 13. Terms
    • Workstation
    • Server
    • Terminal
  • 14. Server Types
    • Domain Controller
    • Application Server
    • File Server
    • Print Server
    • Communication Server
    • Web Server
    • Mail Server
    • Name Server
  • 15. Server Vendors
    • Sun Microsystems
      – Solaris
      – Looking Glass
    • Microsoft
      – Windows NT
      – Windows 2000
      – Windows 2003
    • Linux (Various Distributions)
    • Novell Netware
    • OS/2
    • Apple – Mac OSX Server
    • FreeBSD
    • NeXT
    • [Operating systems diagram: Microsoft, Linux, UNIX, BSD, NeXT, Mac OSX, NetWare v1-5, Mac OS 1-9, NetWare 6, OS/2]
  • 16. Equipment
    • Repeater
    • Hubs
      – Active (powered – regenerates signal)
      – Passive (unpowered)
    • Bridge
      – Translation bridge – translates differing frame types for different architectures (ATM, Ethernet)
    • Router
      – Reduces the broadcast domain
      – Looks at packets
      – Can filter by packets
  • 17. Equipment
    • Switches
      – Cut-through switching – reads only the first part of the frame to forward it.
      – Store & forward switching
        • Reads entire frame before forwarding. Also does error checking using the CRC field, discards if errors.
        • Saves bandwidth because bad frames are not forwarded. Requires faster switches.
      – Fragment free switching – reads enough to know it is not a malformed or damaged frame
      – Reduces the collision domain
      – Looks at frames
      – VLANs (Virtual LAN)
      – Core switch – central to the network. Other switches connect into it
      – Workgroup switch – connects to network nodes
  • 18. Network Management
    • SNMP (Simple Network Management Protocol)
      – Agents
      – MIB (Management Information Base)
      – Ports 161 & 162 UDP
      – SNMP enabled devices are called managed devices
  • 19. Securing Network Devices
    • Create a custom logon prompt to remove any info about the device
    • Disable HTTP or SNMP access if they are not used
      – If used, try SSL instead of HTTP
      – Use SNMP version 3
    • Limit access to certain machines or subnets
    • Log activity
    • Encrypt management communications
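The checks on slides 18 and 19 (revealing logon banner, clear-text HTTP, SNMP v1/v2c communities, management access not limited to subnets, no logging) can be turned into a configuration audit. The script below is an added example, not part of the slides; both configurations are constructed in an IOS-like syntax for a hypothetical device, and the trailing token on an `snmp-server community` line is assumed to be a source access list.

```python
import re

# Constructed sample running-config (IOS-like syntax, hypothetical device).
# It shows the weaknesses the slide warns about.
WEAK_CONFIG = """\
hostname edge-rtr
banner motd ^ Cisco 2800 edge-rtr running IOS 12.4 ^
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same constructed device after applying the slide's advice
# (SNMPv3 user definition omitted for brevity).
HARDENED_CONFIG = """\
hostname edge-rtr
banner motd ^ Authorized use only ^
no ip http server
ip http secure-server
snmp-server group netops v3 priv
logging host 10.0.0.5
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
"""

def audit_config(config_text):
    """Return a list of (severity, finding) tuples for management-plane weaknesses."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []

    # Logon banner that reveals vendor, platform or software version.
    for line in lines:
        if line.startswith("banner ") and re.search(r"\b(cisco|ios|version)\b", line, re.I):
            findings.append(("medium", "logon banner reveals platform details"))
            break

    # Clear-text HTTP management (slide: use SSL instead, or disable).
    if "ip http server" in lines:
        findings.append(("high", "clear-text HTTP management enabled"))

    # SNMP v1/v2c community strings (slide: use SNMP version 3). The optional
    # trailing token is assumed to be a source access list, as in IOS syntax.
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if not m:
            continue
        name, mode, acl = m.groups()
        sev = "high" if mode == "RW" or name.lower() in ("public", "private") else "medium"
        findings.append((sev, f"SNMP v1/v2c community '{name}' ({mode}) in use"))
        if acl is None:
            findings.append(("medium", f"SNMP community '{name}' not limited to a subnet"))

    # Virtual terminal lines: collect the indented block that follows 'line vty'.
    vty, in_vty = [], False
    for line in lines:
        if line.startswith("line vty"):
            in_vty = True
        elif in_vty and line.startswith(" "):
            vty.append(line.strip())
        else:
            in_vty = False
    if vty:
        if any(l.startswith("transport input") and "telnet" in l.split() for l in vty):
            findings.append(("high", "vty lines accept telnet (unencrypted management)"))
        if not any(l.startswith("access-class") for l in vty):
            findings.append(("medium", "vty access not limited to management subnets"))

    # Activity logging (slide: log activity).
    if not any(l.startswith("logging ") for l in lines):
        findings.append(("medium", "no remote logging configured"))

    return findings

if __name__ == "__main__":
    for sev, msg in audit_config(WEAK_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Running it on the weak configuration yields nine findings (four high), while the hardened configuration yields none; the same function can be pointed at a saved running-config to check a device against the slide's list.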
  • 20. Communication Devices
    • Modem (Modulator / Demodulator)
    • DSL (Digital Subscriber Line) – uses phone lines on a much higher frequency. Dedicated line.
    • Cable Modem – faster max speed but a shared medium
    • Central Office (CO) or Head end – local connection point where a neighborhood of connections terminate and are connected into the ISP's network.
    • Always-on connections can be tempting for attackers. Firewalls are a must.
  • 21. Remote Access
    • RAS (Remote Access Server) – A computer that allows others to connect into it.
      – Modem
      – VPN
    • Protect using
      – Authentication
      – Privileges
      – Account lockout policies
      – Firewalls & ACL
  • 22. File Browsing
    • UNC (Universal Naming Convention) – Windows shares are named \\computername\sharename
  • 23. Telcos
    • PBX (Private Branch Exchange) – private switching station for voice and data services
    • PBX attacks
      – Data modification
      – Denial of service
      – Information disclosure
      – Traffic analysis – where calls go to and from, frequency, time
      – Theft of service
  • 24. Network Security Devices
    • Firewalls – filters packets based on criteria such as an ACL or a rule base
    • Routers can serve this purpose but they are not as efficient as a dedicated device
    • Personal firewall (host based)
    • Enterprise software firewall – designed to run on a powerful machine that analyzes all network traffic running through it.
    • Hardware firewall – engineered to be able to process packets quickly and efficiently.
  • 25. Firewalls
    • Packet filtering
      – Stateless – allows or denies packets based on rules
      – Stateful – keeps a state table of outgoing connections and allows corresponding incoming connections.
    • Advanced firewalls
      – Antivirus scanning
      – Content filtering – looks at web sites and such. Could use a database from another vendor which is updated regularly. Enable and disable types of content
      – Application layer firewall – looks at many packets together to determine whether to let them in.
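The difference between the two packet-filtering styles on slide 25 is easiest to see with a tiny model of each. This is an added example, not code from the slides: packets, rule base and state table are constructed, and addresses are documentation ranges. The stateless rule base must admit every inbound packet from port 80 to let web replies through, so an unrelated inbound packet from that port passes too; the stateful filter admits only packets that mirror an entry in its table of outgoing connections.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the LAN, "in" = arriving from the untrusted side
    src: str
    sport: int
    dst: str
    dport: int

# Stateless rule base permitting web browsing: (direction, source port, dest port, action).
# None matches any port. Replies have to be allowed explicitly, by source port 80.
STATELESS_RULES = [
    ("out", None, 80, "allow"),
    ("in", 80, None, "allow"),
]

def stateless_decision(pkt, rules=STATELESS_RULES):
    """First matching rule wins; anything unmatched is denied."""
    for direction, sport, dport, action in rules:
        if (pkt.direction == direction
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return "deny"

class StatefulFilter:
    """Keeps a state table of outgoing connections and admits only their replies."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.state = set()   # entries: (lan_ip, lan_port, remote_ip, remote_port)

    def decision(self, pkt):
        if pkt.direction == "out":
            if pkt.dport in self.allowed_outbound_ports:
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        # Inbound: allow only if it mirrors a tracked outgoing connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"
        return "deny"

def compare_filters():
    """Run the same three constructed packets through both filters."""
    browse = Packet("out", "10.0.0.5", 51000, "203.0.113.10", 80)     # LAN host opens a web page
    reply = Packet("in", "203.0.113.10", 80, "10.0.0.5", 51000)       # the web server's reply
    unsolicited = Packet("in", "198.51.100.7", 80, "10.0.0.5", 445)   # nobody on the LAN asked for this
    packets = [browse, reply, unsolicited]

    stateful = StatefulFilter(allowed_outbound_ports={80, 443})
    return {
        "stateless": [stateless_decision(p) for p in packets],
        "stateful": [stateful.decision(p) for p in packets],
    }

if __name__ == "__main__":
    print(compare_filters())
```

The third decision is the point of the slide: the stateless filter returns "allow" for the unsolicited packet because its rule can only look at the packet in front of it, while the stateful filter returns "deny" because no outgoing connection explains it.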
  • 26. Firewalls
    • DMZ (Demilitarized Zone) – area that is closer to the untrusted network than the rest of the LAN. Used for services made available to the Internet.
    • These servers may reside there:
      – Web server
      – Email server
      – RAS server
      – FTP server
      – Proxy server
  • 27. IDS (Intrusion Detection System)
    • Monitors the packets on the network for signatures.
      – Network based – Looks at the overall flow. Positioned where a lot of traffic flows
      – Host based – resides on one machine and monitors the data coming to that machine. It may communicate with a central device. (Agent based)
      – Active IDS – can take action when an attack happens.
      – Passive IDS – alerts the administrator when there is an attack.
      – Anomaly based IDS or IPS (Intrusion Prevention System) – looks at behavior rather than signatures. May result in more positives.
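Slide 27 contrasts signature matching with behaviour-based (anomaly) detection and notes that the latter produces more positives. The following added example (not from the slides) runs both approaches over a constructed set of traffic records: the signature detector fires only on a payload that matches a known pattern, while the anomaly detector fires on a constructed monitoring host that touches many ports in a short window, which is exactly the kind of benign behaviour that needs tuning or an allow list.

```python
import re
from collections import defaultdict

# Constructed sample traffic records: (seconds, src, dst, dport, payload).
# 10.0.0.40 is a constructed monitoring host that polls every service on 10.0.0.20.
EVENTS = [
    (0, "10.0.0.5", "10.0.0.20", 80, "GET /index.html HTTP/1.1"),
    (1, "10.0.0.5", "10.0.0.20", 80, "GET /about.html HTTP/1.1"),
    (2, "198.51.100.9", "10.0.0.20", 80, "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1"),
    (3, "10.0.0.40", "10.0.0.20", 22, ""),
    (3, "10.0.0.40", "10.0.0.20", 25, ""),
    (3, "10.0.0.40", "10.0.0.20", 80, ""),
    (4, "10.0.0.40", "10.0.0.20", 110, ""),
    (4, "10.0.0.40", "10.0.0.20", 143, ""),
    (4, "10.0.0.40", "10.0.0.20", 443, ""),
    (5, "10.0.0.5", "10.0.0.20", 80, "GET /logo.png HTTP/1.1"),
]

# Signature rules: a name and the pattern that identifies the attack in a payload.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "script tag in request": re.compile(r"<script", re.I),
}

def signature_alerts(events, signatures=SIGNATURES):
    """Signature-based: alert when a packet payload matches a known pattern."""
    alerts = []
    for ts, src, _dst, _dport, payload in events:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                alerts.append((ts, src, name))
    return alerts

def anomaly_alerts(events, window=5, max_distinct_ports=4):
    """Anomaly-based: alert when one source touches more distinct destination
    ports inside a time window than the baseline allows, ignoring payloads."""
    ports_seen = defaultdict(set)
    for ts, src, _dst, dport, _payload in events:
        ports_seen[(src, ts // window)].add(dport)
    alerts = []
    for (src, bucket), ports in sorted(ports_seen.items()):
        if len(ports) > max_distinct_ports:
            alerts.append((src, bucket * window, len(ports)))
    return alerts

if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    print("anomaly:  ", anomaly_alerts(EVENTS))
```

With the constructed records the signature detector reports only the traversal request from 198.51.100.9, and the anomaly detector reports 10.0.0.40 for touching six ports within the first window. Raising `max_distinct_ports` to 6, or exempting the monitoring host, removes that alert; the anomaly rule gains coverage of unknown attacks at the cost of this kind of tuning.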
  • 28. Other concepts
    • Intranet
    • Extranet
    • NAT (Network Address Translation)
    • Honeypot
  • 29. Acronyms
    • CD-ROM, Compact Disk Read Only Memory
    • CD-R, Compact Disk Recordable
    • CD-RW, Compact Disk Rewritable
    • DMZ, Demilitarized Zone
    • DSL, Digital Subscriber Line
    • DVD, Digital Versatile Disk
    • DVD-R, Digital Versatile Disk Recordable
    • DVD-RAM, Digital Versatile Disk Random Access Memory
    • DVD-RW, Digital Versatile Disk Rewritable
    • IDS, Intrusion Detection System
  • 30. Acronyms
    • MIB, Management Information Base
    • NAT, Network Address Translation
    • PAT, Port Address Translation
    • PBX, Private Branch Exchange
    • RAS, Remote Access Server
    • STP, Shielded Twisted Pair
    • SNMP, Simple Network Management Protocol
    • UNC, Universal Naming Convention
    • UTP, Unshielded Twisted Pair
    • VLAN, Virtual Local Area Network