Ch 10 - Infrastructure Security

1,881 views
1,700 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,881
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
38
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Either case creates a path for connection to the outside data networks and the Internet.
  • Ch 10 - Infrastructure Security

    1. 1. Lesson 10-Infrastructure Security
    2. 2. Background <ul><li>In the CIA of security, the “A” for availability is often overlooked. </li></ul><ul><ul><li>A failure allows unauthorized users to access resources and data. </li></ul></ul><ul><ul><ul><li>This compromises integrity or confidentiality. </li></ul></ul></ul><ul><ul><li>Failure prevents authorized users from accessing resources and data. </li></ul></ul><ul><ul><ul><li>Data is not available. </li></ul></ul></ul><ul><li>Infrastructure includes: </li></ul><ul><ul><li>Devices </li></ul></ul><ul><ul><li>Media </li></ul></ul><ul><ul><li>Security Concerns for Transmission Media </li></ul></ul><ul><ul><li>Removable Media </li></ul></ul><ul><ul><li>Security Topologies </li></ul></ul><ul><ul><li>Tunneling </li></ul></ul><ul><ul><li>Clients </li></ul></ul><ul><ul><li>Servers </li></ul></ul>
    3. 3. Infrastructure Security <ul><li>Infrastructure security begins with the actual design of the infrastructure itself. </li></ul><ul><ul><li>Network components are an essential aspect of a total computing environment. They rely upon: </li></ul></ul><ul><ul><ul><li>Routers, switches, and cables that connect the devices </li></ul></ul></ul><ul><ul><ul><li>Firewalls and gateways that manage the communication </li></ul></ul></ul><ul><ul><ul><li>Network design </li></ul></ul></ul><ul><ul><ul><li>Protocols that are employed </li></ul></ul></ul><ul><li>The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources. </li></ul>
    4. 4. End-User Devices <ul><li>Equipment that directly connects to a network segment is termed a device (end user and network). </li></ul><ul><li>End User Devices - hosts : </li></ul><ul><ul><li>Can exist without a network, standalone. </li></ul></ul><ul><ul><li>Physically connected to the network media via (NIC). </li></ul></ul><ul><ul><li>Each NIC carries a unique Media Access Control (MAC) address. </li></ul></ul><ul><ul><li>Different NICs are used for different physical protocols. </li></ul></ul>
    5. 5. Complete Network <ul><li>A complete network computer solution consists of more than just client computers and servers. </li></ul><ul><ul><li>Devices are needed to connect clients, servers, wireless, hand-held systems, hubs, switches, routers, wireless access points, and VPN devices. </li></ul></ul><ul><li>Workstation security can be increased by: </li></ul><ul><ul><li>Removing unnecessary protocols such as Telnet, NetBIOS, and IPX. </li></ul></ul><ul><ul><li>Removing modems unless needed and authorized. </li></ul></ul><ul><ul><li>Removing all unnecessary shares. </li></ul></ul><ul><ul><li>Renaming the administrator account and adding a strong password. </li></ul></ul><ul><ul><li>Removing unnecessary user accounts. </li></ul></ul><ul><ul><li>Installing an antivirus program and keeping it up-to-date. </li></ul></ul><ul><ul><li>Removing or disconnecting the floppy drive if not needed. </li></ul></ul><ul><ul><li>Ensuring there is a firewall between the machine and the Internet. </li></ul></ul><ul><ul><li>Keeping the OS patched and up-to-date. </li></ul></ul>
    6. 6. LAN Devices <ul><li>LANS consist of the following devices: </li></ul><ul><ul><li>Computers </li></ul></ul><ul><ul><li>Network interface cards </li></ul></ul><ul><ul><li>Peripheral devices </li></ul></ul><ul><ul><li>Networking media </li></ul></ul><ul><ul><li>Network devices </li></ul></ul><ul><li>Commmon LAN technologies include: </li></ul><ul><ul><li> Ethernet </li></ul></ul><ul><ul><li>Token Ring </li></ul></ul><ul><ul><li>FDDI </li></ul></ul>
    7. 7. Network Devices <ul><li>Devices that connect end-user devices together to allow them to communicate. </li></ul><ul><li>Layer 1 - A repeater and hub are network devices used to regenerate a signal. </li></ul><ul><li>Layer 2 - Bridges and switches segment traffic for small collision domains using MAC addresses. </li></ul><ul><li>Layer 3 - Routers have all the capabilities listed above and connect WANs using IP addresses </li></ul>
    8. 8. Layer 1 Network Devices <ul><li>Layer 1 – Repeaters and Hubs are both collision domains and broadcast domains. </li></ul>
    9. 9. Layer 2 - Switch Administration <ul><li>Switches are administered using the Simple Network Management Protocol ( SNMP ). </li></ul><ul><ul><li>SNMP sends passwords across the network. </li></ul></ul><ul><ul><li>Switches are shipped with default passwords and the passwords must be changed at set up. </li></ul></ul><ul><li>It is important to disable all access protocols other than a serial line, or use Secure Shell (SSH). </li></ul><ul><ul><li>Using secure access methods limits the exposure to hackers and malicious users. </li></ul></ul><ul><ul><li>Maintaining secure network switches is more important than securing individual boxes. </li></ul></ul><ul><ul><ul><li>The span of control to intercept data is much wider on a switch when reprogrammed by a hacker. </li></ul></ul></ul>
    10. 10. Layer 2 Security - VLAN Overview <ul><li>Virtual local area networks (VLANs) are a method of using a single switch and dividing it into multiple network segments. It has several characteristics: </li></ul><ul><ul><li>VLAN membership for users can be based on department or job function, regardless of where the users are located. </li></ul></ul><ul><ul><li>Easily move workstations on the LAN </li></ul></ul><ul><ul><li>Easily add workstations to the LAN </li></ul></ul><ul><ul><li>Easily change the LAN configuration </li></ul></ul><ul><ul><li>Easily control network traffic </li></ul></ul><ul><ul><li>Improve security </li></ul></ul><ul><ul><li>Increases network segregation. </li></ul></ul><ul><ul><li>Increases throughput and security . </li></ul></ul>
    11. 11. Routers <ul><li>Routers form the backbone of the Internet. </li></ul><ul><ul><li>They move traffic from network to network. </li></ul></ul><ul><ul><li>They inspect packets from every communication as they move optimized traffic. </li></ul></ul><ul><li>Routers examine each packet for destination addresses. </li></ul><ul><ul><li>They determine where to send a packet using algorithms and tables. </li></ul></ul><ul><ul><li>They may examine the source address and determine whether to allow a packet to pass. (Implements ACLs). </li></ul></ul><ul><ul><li>Some routers act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass. </li></ul></ul>Routers
    12. 12. Layer 3 - Router Security <ul><li>A security concern of routers is access to its internal functions. </li></ul><ul><ul><li>Physical control over a router is absolutely necessary. </li></ul></ul><ul><ul><li>Ensure that administrative passwords are never passed. </li></ul></ul><ul><ul><ul><li>Secure mechanisms are used to access the router. </li></ul></ul></ul><ul><ul><ul><li>Default passwords are reset to strong passwords. </li></ul></ul></ul>
    13. 13. The Security Policy <ul><li>A security policy is a series of rules that define what traffic is permissible and what traffic is to be blocked or denied. </li></ul><ul><ul><li>What am I protecting? </li></ul></ul><ul><ul><li>From whom? </li></ul></ul><ul><ul><li>What services does my company need to access over the network? </li></ul></ul><ul><ul><li>Who gets access to what resources? </li></ul></ul><ul><ul><li>Who administers the network? </li></ul></ul><ul><li>A key to security policies for firewalls is the principle of least access. </li></ul><ul><ul><li>Only allow the necessary access for a function, and block or deny all unneeded functionality. </li></ul></ul>
    14. 14. Firewalls <ul><li>A firewall is a network device—hardware, software, or a combination. </li></ul><ul><li>It enforces a security policy across its connections. </li></ul><ul><li>A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic. </li></ul>Firewall usage
    15. 15. How Do Firewalls Work? <ul><li>Firewalls enforce established security policies through mechanisms, including: </li></ul><ul><ul><li>Network Address Translation (NAT) will create private addressing scheme that can’t be reached by the internet </li></ul></ul><ul><ul><li>Basic packet filtering - Can filter by Protocol type, IP address, TCP/UDP port and Source routing information </li></ul></ul><ul><ul><li>Stateful packet filtering monitors traffic </li></ul></ul><ul><ul><li>ACLs are rules built according to organizational policy that defines who can access portions of the network </li></ul></ul><ul><ul><li>Application layer proxies prevent packets from traversing the firewall, but allows data to travel a proxy device that decides what to do with it. </li></ul></ul>
    16. 16. Stateful Packet Filtering <ul><li>Stateful packets keeps record of the connections made with other computers via state table </li></ul><ul><li>Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked. </li></ul><ul><li>Internet Connection Firewall makes use of a state table to track connections based on source and destination IP and blocks any connection that hasn’t been initiated – very simple and doesn’t allow the control you need </li></ul>
    17. 17. Wireless Access Point <ul><li>Wireless devices bring additional security concerns. </li></ul><ul><ul><li>Placing wireless devices behind a firewall stops only physically connected traffic from getting to the device. </li></ul></ul><ul><li>It supports multiple concurrent devices accessing the network. </li></ul><ul><li>Basic network security for connections can be performed by forcing authentication and verifying authorization. </li></ul><ul><ul><li>WEP is designed to prevent wireless sniffing of network traffic over the wireless portion of the network. </li></ul></ul>
    18. 18. Modem, DSL and Cable Modem <ul><li>Modem is short for modulator/demodulator. </li></ul><ul><ul><li>Modems convert analog signals to digital and vice versa. </li></ul></ul><ul><li>DSL </li></ul><ul><ul><li>Direct connection between computer/network and the Internet </li></ul></ul><ul><li>Cable modem </li></ul><ul><ul><li>Connected to a shared segment; party line </li></ul></ul><ul><ul><li>Most have basic firewall capabilities to prevent files from being viewed or downloaded </li></ul></ul><ul><ul><li>Most implement the Data Over Cable Service Interface Specification ( DOCSIS ) for authentication and packet filtering </li></ul></ul><ul><li>Both cable modem and DSL services provide a continuous connection, which brings up the question of IP address life for a client. </li></ul><ul><ul><li>Most services have a Dynamic Host Configuration Protocol (DHCP) to manage their address space. </li></ul></ul>
    19. 19. RAS <ul><li>Remote Access Service (RAS) allows connection between a client and a server via a dial-up telephone connection. </li></ul><ul><li>When a user dials into a computer system, authentication and authorization are performed through a series of remote access protocols. </li></ul><ul><ul><li>A call-back system may be employed. </li></ul></ul><ul><li>RAS may also mean Remote Access Server , a term for a server designed to permit remote users access to a network and to regulate their access. </li></ul><ul><li>Once connected to the RAS server, a client has all the benefits of a direct network connection. </li></ul><ul><li>The RAS server treats its connected clients as extensions of the network. </li></ul><ul><ul><li>For security purposes, a RAS server should be placed in the DMZ and considered insecure. </li></ul></ul>
    20. 20. Telecom/PBX <ul><li>Private branch exchanges (PBXs) are an extension of the public telephone network into a business. </li></ul><ul><ul><li>PBXs are computer-based switching equipment designed to connect telephones into the local phone system. </li></ul></ul><ul><ul><li>They can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the organization’s expense. </li></ul></ul><ul><li>They cause a problem when interconnected with data systems by corporate connection or rogue modems belonging to users. </li></ul>
    21. 21. Virtual Private Network (VPN) <ul><li>Three main kinds: </li></ul><ul><ul><li>Access VPN – remote access for telecommuters or branch offices to a corp intra/extranet. </li></ul></ul><ul><ul><li>Intranet VPN – links remote offices to corp intranet. </li></ul></ul><ul><ul><li>Extranet VPN – link business partners & outside users to corp extranet. Extranets refer to applications and services that are Intranet based, and use extended, secure access to external users or enterprises </li></ul></ul>VPN is an encrypted connection that appears dedicated. Data is encrypted at both ends Offers secure, reliable connectivity
    22. 22. IDS <ul><li>IDS - the art of detecting inappropriate, incorrect, or anomalous activity </li></ul><ul><li>The two categories of (IDS ) are: </li></ul><ul><ul><li>Network-based systems – looks at network traffic </li></ul></ul><ul><ul><li>Host-based systems – looks at host traffic </li></ul></ul><ul><li>The two primary methods of detection are: </li></ul><ul><ul><li>Signature-based </li></ul></ul><ul><ul><li>Anomaly-based </li></ul></ul><ul><li>Multiple IDSs are required for large networks as they can have multiple entries into the system </li></ul><ul><li>Problem - Remote access protocols employ encryption technology that would hide the contents of packets from IDS inspection. </li></ul>
    23. 23. Network Monitoring/Diagnostic <ul><li>The Simple Network Management Protocol ( SNMP ) was developed to perform management, monitoring, and fault resolution across networks. </li></ul><ul><li>It enables a monitoring and control center to maintain, configure, and repair network devices (switches, routers, firewalls, IDSs, servers and remote access servers.) </li></ul><ul><ul><li>SNMP enables controllers at network operations centers (NOC) to measure the actual performance of network devices and make changes to the configuration and operation of devices. </li></ul></ul>
    24. 24. Mobile Devices <ul><li>Offer several challenges for network administrators. </li></ul><ul><ul><li>When data is moved from one network to another, opportunity for malware exists. </li></ul></ul><ul><ul><li>Antivirus protection is available. </li></ul></ul><ul><ul><li>CAN-spam law of 2003. </li></ul></ul><ul><ul><li>Third conviction using CAN-spam law. </li></ul></ul>
    25. 25. Media - Physical Layer <ul><li>The base of communications between devices is the physical layer of the OSI model </li></ul><ul><li>Methods of Connection </li></ul><ul><ul><li>There are four common methods of connecting equipment at the physical layer: </li></ul></ul><ul><ul><ul><li>Coaxial cable </li></ul></ul></ul><ul><ul><ul><li>Twisted-pair cable </li></ul></ul></ul><ul><ul><ul><li>Fiber optics </li></ul></ul></ul><ul><ul><ul><li>Wireless </li></ul></ul></ul><ul><li>The primary security concern is preventing physical access to a network devices, and s econdly, preventing unfettered access to network connections. </li></ul><ul><li>Methods for unauthorized entry to a network </li></ul><ul><ul><li>Inserting a device on the network by attaching to the cable or adding a wireless device. Once attached, sniffing is easy. </li></ul></ul>
    26. 26. Coax and Fiber <ul><li>Coaxial cable is familiar as a method of connecting televisions to VCRs or to satellite or cable services. </li></ul><ul><ul><li>It has high bandwidth and shielding capabilities. </li></ul></ul><ul><li>Fiber optic cable uses laser light to connect devices over a thin glass wire. </li></ul><ul><li>The biggest advantage of fiber is its bandwidth, with transmission capabilities in the range of terabits per second. </li></ul><ul><li>Connection to fiber is difficult and expensive. </li></ul>A coax connector A typical fiber optic fiber
    27. 27. UTP/STP <ul><li>Twisted-pair wires use the same technology used by the phone company. </li></ul><ul><li>Twisted pairs come in two types, </li></ul><ul><ul><li>Shielded twisted-pair (STP) has a foil shield to reduce electromagnetic interference. </li></ul></ul><ul><ul><li>Unshielded twisted-pair (UTP) relies on the twist to eliminate interference. </li></ul></ul><ul><li>There are three categories of twisted-pairs currently in use: </li></ul><ul><ul><ul><li>Category 3 (Cat 3) minimum for voice and 10 Mbps Ethernet </li></ul></ul></ul><ul><ul><ul><li>Category 5 (Cat 5) for 100 Mbps Fast Ethernet </li></ul></ul></ul><ul><ul><ul><li>Category 6 (Cat 6) for Gigabit Ethernet </li></ul></ul></ul>
    28. 28. Unguided Media <ul><li>Unguided media covers all transmission media not guided by wire, fiber, or other constraints. </li></ul><ul><ul><li>Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible spectrum which cannot penetrate walls but instead bounces off them. </li></ul></ul><ul><ul><li>Radio frequency (RF) waves use a variety of frequency bands with special characteristics. </li></ul></ul><ul><ul><li>Microwave describes a specific portion of the RF spectrum that is used for communication as well as other tasks such as cooking. Microwave communications can penetrate reasonable amounts of building structure. </li></ul></ul>
    29. 29. Security Topologies <ul><li>Security-related topologies include separating portions of the network by use and function, strategically designing points to monitor for IDS systems, building in redundancy, and adding fault-tolerant aspects. </li></ul><ul><li>Trade-offs between access and security are handled through zones. </li></ul><ul><ul><li>The outermost layers provide basic protection. </li></ul></ul><ul><ul><li>The innermost layers provide the highest level of protection. </li></ul></ul><ul><li>Successive zones are guarded by firewalls enforcing ever increasingly strict security policies. </li></ul><ul><li>Accessibility is inversely related to the level of protection. </li></ul>
    30. 30. The Big Picture <ul><li>The outermost zone is the Internet, a free area beyond any specific controls. </li></ul><ul><li>Between the inner secure corporate network and the Internet is an area where machines are considered at risk, called the DMZ , after its military counterpart, the demilitarized zone, where neither side has any specific controls. </li></ul><ul><li>The demilitarized zone (DMZ) is a buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place. </li></ul>
    31. 31. DMZ <ul><li>To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ. </li></ul><ul><ul><li>The firewalls are specifically designed to prevent access across the DMZ </li></ul></ul><ul><ul><li>Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ. </li></ul></ul><ul><li>All network devices placed in the DMZ, should all be hardened. </li></ul><ul><li>If the outside user requests a resource from the trusted network, then this request follows the given scenario: </li></ul><ul><ul><li>A user from an untrusted network (the Internet) requests data via a Web page from a Web server in the DMZ. </li></ul></ul><ul><ul><li>The Web server in the DMZ requests data from the application server, which can be in the DMZ or in the inner, trusted network. </li></ul></ul><ul><ul><li>The application server requests the data from the database server in the trusted network. </li></ul></ul><ul><ul><li>The database server returns the data to the requesting application server. </li></ul></ul><ul><ul><li>The application server returns the data to the requesting Web server. </li></ul></ul>
    32. 33. Internet, Intranet and Extranet <ul><li>Internet should be considered to be untrusted. </li></ul><ul><ul><li>A firewall should exist at any connection between a trusted network and the Internet. </li></ul></ul><ul><li>Intranet is a a collection of all LANs inside the firewall ( campus network .) </li></ul><ul><li>Extranet is an extension of a selected portion of a company's intranet to external partners. </li></ul><ul><ul><li>This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of Internet protocols </li></ul></ul><ul><ul><li>Extranets can use public networks and some form of security, typically VPN, is used to secure this channel. </li></ul></ul><ul><li>Two methods exist to access outside information. </li></ul><ul><ul><li>-Duplication onto servers in the DMZ </li></ul></ul><ul><ul><li>-The use of extranets </li></ul></ul>
    33. 34. Tunneling <ul><li>Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner. </li></ul><ul><li>Tunneling encapsulates packets within packets, which enabling dissimilar protocols to coexist in a single communication stream, as in IP traffic routed over an ATM network. </li></ul><ul><li>On a VPN connection, an edge device on one network, usually a router, connects to another edge device on the other network. </li></ul><ul><ul><li>Using IPsec protocols, these routers establish a secure, encrypted path between them. </li></ul></ul>Tunneling across a public network
    34. 35. Network Address Translation (NAT) <ul><li>NAT translates a public IP address into a private IP address. </li></ul><ul><ul><li>This permits enterprises to use the nonroutable private IP address space internally and reduce the number of external public IP addresses used across the Internet. </li></ul></ul><ul><li>NAT translates the address when traffic passes the device, such as a firewall. </li></ul><ul><ul><li>Typically, a pool of external IP addresses is used by the NAT device, with the device keeping track of which internal address is using which external address at any given time. </li></ul></ul><ul><li>Static NAT is where there is a 1:1 binding of external address to internal address used for devices required a fixed address (Web servers or e-mail servers.) </li></ul><ul><li>Dynamic NAT assigns multiple private address to a public address. </li></ul>

    ×