15 Network Security ..



  1. Network Security Overview By Bob Larson
  2. Security Concerns
      • Viruses
      • Denial of Service
      • Information Theft
      • Unauthorized Access
      • Industrial Espionage
      • Hacktivism
      • Public Confidence
      • Privacy
      • Pornography
      • Internet
  3. The Need for Security – Then
      • Network designed and implemented in a corporate environment
      • Providing connectivity only to known parties and sites
      • No connections to public networks
  4. The Need for Security – Now
  5. Securing Network Resources
      • Hardware threats
      • Environmental threats
      • Electrical threats
      • Maintenance threats
  6. Trends Affecting Network Security
      • What motivates companies?
  7. Security Expectations
      • Users can perform only authorized tasks
      • Users can obtain only authorized information
      • Users can’t cause damage to
          • Data
          • Applications
          • Operating environment of a system
  8. The Goals of Network Security
      • Confidentiality
          • Securing data from prying eyes
      • Integrity
          • Authenticating the source
              • Is the sender who they claim to be
          • Authenticating the data
              • Has the data been modified
      • Availability
          • Users need reasonable access to data they are authorized to use
  9. Security Awareness
      • Security techniques and technologies
      • Methodologies for evaluating (not the same)
          • Threats
          • Vulnerabilities
          • Risk
      • Selection criteria and planning required to implement controls
      • What if security is not maintained
          • What is at risk
          • What is the cost if a breach occurs (all costs)
              • Financial
              • Reputation
              • Loss of the resource
              • Loss of competitive advantage
  10. Threats, Vulnerabilities and Risk
      • Threats
          • Something bad
          • Something that can cause harm
      • Vulnerabilities
          • Susceptible to attack or harm
          • Without adequate protection
      • Risks
          • Chance of something happening
              • Statistical odds
  11. Threats and Consequences
  12. Network Security Weaknesses
      • Technology weaknesses
      • Configuration weaknesses
      • Security policy weaknesses
  13. Technology Weaknesses
      • All computer and network technologies have inherent security weaknesses or vulnerabilities.
      • Don’t overlook:
          • Hardware issues
          • Operating System issues
          • Network protocol issues (even TCP/IP)
          • Application vulnerabilities
  14. Configuration Weaknesses
      • Insecure default settings
          • If you left the defaults, you are dead.
      • Misconfigured network equipment
          • A little knowledge is a dangerous thing
      • Insecure user accounts/passwords
          • End-users can’t be trusted to use strong pws.
      • Misconfigured Internet services
          • HTTP, Java, CGI, unneeded services.
  15. What Is a Security Policy?
      • “A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
      • RFC 2196, Site Security Handbook
      Could be applied to a family with kids!
  16. Security Policy Weaknesses
      • Lack of a written security policy
      • Internal politics
      • Lack of business continuity
          • Turnover in staff/management can be devastating
      • Logical access controls to network equipment not applied
      • Security administration is lax, including monitoring and auditing
      • Lack of awareness of having been attacked
      • Software or hardware installation and changes that don’t follow the policy
      • Security incident and disaster recovery procedures not in place
  17. Security Resources
      • SecurityFocus.com: http://www.securityfocus.com
      • SANS: http://www.sans.org
          • Security Policy Project – free templates
          • Masters Degrees in Security
      • CERT: http://www.cert.org
          • Center of Internet security expertise at Carnegie Mellon U
      • CIAC: http://www.ciac.org/ciac
          • US Dept of Energy
      • CVE: http://cve.mitre.org
          • Common Vulnerabilities and Exposures – Homeland Security
      • Computer Security Institute: http://www.gocsi.com
      • Center for Internet Security: http://www.cisecurity.org
  18. National Security Agency (NSA) Guides
      • http://www.nsa.gov/snac/
  19. Fin…