• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Ch 10 - Infrastructure Security
 

Ch 10 - Infrastructure Security

on

  • 464 views

 

Statistics

Views

Total Views
464
Views on SlideShare
464
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Either case creates a path for connection to the outside data networks and the Internet.

Ch 10 - Infrastructure Security Ch 10 - Infrastructure Security Presentation Transcript

  • Lesson 10-Infrastructure Security
  • Background
    • In the CIA of security, the “A” for availability is often overlooked.
      • A failure allows unauthorized users to access resources and data.
        • This compromises integrity or confidentiality.
      • Failure prevents authorized users from accessing resources and data.
        • Data is not available.
    • Infrastructure includes:
      • Devices
      • Media
      • Security Concerns for Transmission Media
      • Removable Media
      • Security Topologies
      • Tunneling
      • Clients
      • Servers
  • Infrastructure Security
    • Infrastructure security begins with the actual design of the infrastructure itself.
      • Network components are an essential aspect of a total computing environment. They rely upon:
        • Routers, switches, and cables that connect the devices
        • Firewalls and gateways that manage the communication
        • Network design
        • Protocols that are employed
    • The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.
  • End-User Devices
    • Equipment that directly connects to a network segment is termed a device (end user and network).
    • End User Devices - hosts :
      • Can exist without a network, standalone.
      • Physically connected to the network media via (NIC).
      • Each NIC carries a unique Media Access Control (MAC) address.
      • Different NICs are used for different physical protocols.
  • Complete Network
    • A complete network computer solution consists of more than just client computers and servers.
      • Devices are needed to connect clients, servers, wireless, hand-held systems, hubs, switches, routers, wireless access points, and VPN devices.
    • Workstation security can be increased by:
      • Removing unnecessary protocols such as Telnet, NetBIOS, and IPX.
      • Removing modems unless needed and authorized.
      • Removing all unnecessary shares.
      • Renaming the administrator account and adding a strong password.
      • Removing unnecessary user accounts.
      • Installing an antivirus program and keeping it up-to-date.
      • Removing or disconnecting the floppy drive if not needed.
      • Ensuring there is a firewall between the machine and the Internet.
      • Keeping the OS patched and up-to-date.
  • LAN Devices
    • LANS consist of the following devices:
      • Computers
      • Network interface cards
      • Peripheral devices
      • Networking media
      • Network devices
    • Commmon LAN technologies include:
      • Ethernet
      • Token Ring
      • FDDI
  • Network Devices
    • Devices that connect end-user devices together to allow them to communicate.
    • Layer 1 - A repeater and hub are network devices used to regenerate a signal.
    • Layer 2 - Bridges and switches segment traffic for small collision domains using MAC addresses.
    • Layer 3 - Routers have all the capabilities listed above and connect WANs using IP addresses
  • Layer 1 Network Devices
    • Layer 1 – Repeaters and Hubs are both collision domains and broadcast domains.
  • Layer 2 - Switch Administration
    • Switches are administered using the Simple Network Management Protocol ( SNMP ).
      • SNMP sends passwords across the network.
      • Switches are shipped with default passwords and the passwords must be changed at set up.
    • It is important to disable all access protocols other than a serial line, or use Secure Shell (SSH).
      • Using secure access methods limits the exposure to hackers and malicious users.
      • Maintaining secure network switches is more important than securing individual boxes.
        • The span of control to intercept data is much wider on a switch when reprogrammed by a hacker.
  • Layer 2 Security - VLAN Overview
    • Virtual local area networks (VLANs) are a method of using a single switch and dividing it into multiple network segments. It has several characteristics:
      • VLAN membership for users can be based on department or job function, regardless of where the users are located.
      • Easily move workstations on the LAN
      • Easily add workstations to the LAN
      • Easily change the LAN configuration
      • Easily control network traffic
      • Improve security
      • Increases network segregation.
      • Increases throughput and security .
  • Routers
    • Routers form the backbone of the Internet.
      • They move traffic from network to network.
      • They inspect packets from every communication as they move optimized traffic.
    • Routers examine each packet for destination addresses.
      • They determine where to send a packet using algorithms and tables.
      • They may examine the source address and determine whether to allow a packet to pass. (Implements ACLs).
      • Some routers act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass.
    Routers
  • Layer 3 - Router Security
    • A security concern of routers is access to its internal functions.
      • Physical control over a router is absolutely necessary.
      • Ensure that administrative passwords are never passed.
        • Secure mechanisms are used to access the router.
        • Default passwords are reset to strong passwords.
  • The Security Policy
    • A security policy is a series of rules that define what traffic is permissible and what traffic is to be blocked or denied.
      • What am I protecting?
      • From whom?
      • What services does my company need to access over the network?
      • Who gets access to what resources?
      • Who administers the network?
    • A key to security policies for firewalls is the principle of least access.
      • Only allow the necessary access for a function, and block or deny all unneeded functionality.
  • Firewalls
    • A firewall is a network device—hardware, software, or a combination.
    • It enforces a security policy across its connections.
    • A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic.
    Firewall usage
  • How Do Firewalls Work?
    • Firewalls enforce established security policies through mechanisms, including:
      • Network Address Translation (NAT) will create private addressing scheme that can’t be reached by the internet
      • Basic packet filtering - Can filter by Protocol type, IP address, TCP/UDP port and Source routing information
      • Stateful packet filtering monitors traffic
      • ACLs are rules built according to organizational policy that defines who can access portions of the network
      • Application layer proxies prevent packets from traversing the firewall, but allows data to travel a proxy device that decides what to do with it.
  • Stateful Packet Filtering
    • Stateful packets keeps record of the connections made with other computers via state table
    • Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.
    • Internet Connection Firewall makes use of a state table to track connections based on source and destination IP and blocks any connection that hasn’t been initiated – very simple and doesn’t allow the control you need
  • Wireless Access Point
    • Wireless devices bring additional security concerns.
      • Placing wireless devices behind a firewall stops only physically connected traffic from getting to the device.
    • It supports multiple concurrent devices accessing the network.
    • Basic network security for connections can be performed by forcing authentication and verifying authorization.
      • WEP is designed to prevent wireless sniffing of network traffic over the wireless portion of the network.
  • Modem, DSL and Cable Modem
    • Modem is short for modulator/demodulator.
      • Modems convert analog signals to digital and vice versa.
    • DSL
      • Direct connection between computer/network and the Internet
    • Cable modem
      • Connected to a shared segment; party line
      • Most have basic firewall capabilities to prevent files from being viewed or downloaded
      • Most implement the Data Over Cable Service Interface Specification ( DOCSIS ) for authentication and packet filtering
    • Both cable modem and DSL services provide a continuous connection, which brings up the question of IP address life for a client.
      • Most services have a Dynamic Host Configuration Protocol (DHCP) to manage their address space.
  • RAS
    • Remote Access Service (RAS) allows connection between a client and a server via a dial-up telephone connection.
    • When a user dials into a computer system, authentication and authorization are performed through a series of remote access protocols.
      • A call-back system may be employed.
    • RAS may also mean Remote Access Server , a term for a server designed to permit remote users access to a network and to regulate their access.
    • Once connected to the RAS server, a client has all the benefits of a direct network connection.
    • The RAS server treats its connected clients as extensions of the network.
      • For security purposes, a RAS server should be placed in the DMZ and considered insecure.
  • Telecom/PBX
    • Private branch exchanges (PBXs) are an extension of the public telephone network into a business.
      • PBXs are computer-based switching equipment designed to connect telephones into the local phone system.
      • They can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the organization’s expense.
    • They cause a problem when interconnected with data systems by corporate connection or rogue modems belonging to users.
  • Virtual Private Network (VPN)
    • Three main kinds:
      • Access VPN – remote access for telecommuters or branch offices to a corp intra/extranet.
      • Intranet VPN – links remote offices to corp intranet.
      • Extranet VPN – link business partners & outside users to corp extranet. Extranets refer to applications and services that are Intranet based, and use extended, secure access to external users or enterprises
    VPN is an encrypted connection that appears dedicated. Data is encrypted at both ends Offers secure, reliable connectivity
  • IDS
    • IDS - the art of detecting inappropriate, incorrect, or anomalous activity
    • The two categories of (IDS ) are:
      • Network-based systems – looks at network traffic
      • Host-based systems – looks at host traffic
    • The two primary methods of detection are:
      • Signature-based
      • Anomaly-based
    • Multiple IDSs are required for large networks as they can have multiple entries into the system
    • Problem - Remote access protocols employ encryption technology that would hide the contents of packets from IDS inspection.
  • Network Monitoring/Diagnostic
    • The Simple Network Management Protocol ( SNMP ) was developed to perform management, monitoring, and fault resolution across networks.
    • It enables a monitoring and control center to maintain, configure, and repair network devices (switches, routers, firewalls, IDSs, servers and remote access servers.)
      • SNMP enables controllers at network operations centers (NOC) to measure the actual performance of network devices and make changes to the configuration and operation of devices.
  • Mobile Devices
    • Offer several challenges for network administrators.
      • When data is moved from one network to another, opportunity for malware exists.
      • Antivirus protection is available.
      • CAN-spam law of 2003.
      • Third conviction using CAN-spam law.
  • Media - Physical Layer
    • The base of communications between devices is the physical layer of the OSI model
    • Methods of Connection
      • There are four common methods of connecting equipment at the physical layer:
        • Coaxial cable
        • Twisted-pair cable
        • Fiber optics
        • Wireless
    • The primary security concern is preventing physical access to a network devices, and s econdly, preventing unfettered access to network connections.
    • Methods for unauthorized entry to a network
      • Inserting a device on the network by attaching to the cable or adding a wireless device. Once attached, sniffing is easy.
  • Coax and Fiber
    • Coaxial cable is familiar as a method of connecting televisions to VCRs or to satellite or cable services.
      • It has high bandwidth and shielding capabilities.
    • Fiber optic cable uses laser light to connect devices over a thin glass wire.
    • The biggest advantage of fiber is its bandwidth, with transmission capabilities in the range of terabits per second.
    • Connection to fiber is difficult and expensive.
    A coax connector A typical fiber optic fiber
  • UTP/STP
    • Twisted-pair wires use the same technology used by the phone company.
    • Twisted pairs come in two types,
      • Shielded twisted-pair (STP) has a foil shield to reduce electromagnetic interference.
      • Unshielded twisted-pair (UTP) relies on the twist to eliminate interference.
    • There are three categories of twisted-pairs currently in use:
        • Category 3 (Cat 3) minimum for voice and 10 Mbps Ethernet
        • Category 5 (Cat 5) for 100 Mbps Fast Ethernet
        • Category 6 (Cat 6) for Gigabit Ethernet
  • Unguided Media
    • Unguided media covers all transmission media not guided by wire, fiber, or other constraints.
      • Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible spectrum which cannot penetrate walls but instead bounces off them.
      • Radio frequency (RF) waves use a variety of frequency bands with special characteristics.
      • Microwave describes a specific portion of the RF spectrum that is used for communication as well as other tasks such as cooking. Microwave communications can penetrate reasonable amounts of building structure.
  • Security Topologies
    • Security-related topologies include separating portions of the network by use and function, strategically designing points to monitor for IDS systems, building in redundancy, and adding fault-tolerant aspects.
    • Trade-offs between access and security are handled through zones.
      • The outermost layers provide basic protection.
      • The innermost layers provide the highest level of protection.
    • Successive zones are guarded by firewalls enforcing ever increasingly strict security policies.
    • Accessibility is inversely related to the level of protection.
  • The Big Picture
    • The outermost zone is the Internet, a free area beyond any specific controls.
    • Between the inner secure corporate network and the Internet is an area where machines are considered at risk, called the DMZ , after its military counterpart, the demilitarized zone, where neither side has any specific controls.
    • The demilitarized zone (DMZ) is a buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.
  • DMZ
    • To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.
      • The firewalls are specifically designed to prevent access across the DMZ
      • Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.
    • All network devices placed in the DMZ, should all be hardened.
    • If the outside user requests a resource from the trusted network, then this request follows the given scenario:
      • A user from an untrusted network (the Internet) requests data via a Web page from a Web server in the DMZ.
      • The Web server in the DMZ requests data from the application server, which can be in the DMZ or in the inner, trusted network.
      • The application server requests the data from the database server in the trusted network.
      • The database server returns the data to the requesting application server.
      • The application server returns the data to the requesting Web server.
  •  
  • Internet, Intranet and Extranet
    • Internet should be considered to be untrusted.
      • A firewall should exist at any connection between a trusted network and the Internet.
    • Intranet is a a collection of all LANs inside the firewall ( campus network .)
    • Extranet is an extension of a selected portion of a company's intranet to external partners.
      • This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of Internet protocols
      • Extranets can use public networks and some form of security, typically VPN, is used to secure this channel.
    • Two methods exist to access outside information.
      • -Duplication onto servers in the DMZ
      • -The use of extranets
  • Tunneling
    • Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner.
    • Tunneling encapsulates packets within packets, which enabling dissimilar protocols to coexist in a single communication stream, as in IP traffic routed over an ATM network.
    • On a VPN connection, an edge device on one network, usually a router, connects to another edge device on the other network.
      • Using IPsec protocols, these routers establish a secure, encrypted path between them.
    Tunneling across a public network
  • Network Address Translation (NAT)
    • NAT translates a public IP address into a private IP address.
      • This permits enterprises to use the nonroutable private IP address space internally and reduce the number of external public IP addresses used across the Internet.
    • NAT translates the address when traffic passes the device, such as a firewall.
      • Typically, a pool of external IP addresses is used by the NAT device, with the device keeping track of which internal address is using which external address at any given time.
    • Static NAT is where there is a 1:1 binding of external address to internal address used for devices required a fixed address (Web servers or e-mail servers.)
    • Dynamic NAT assigns multiple private address to a public address.
  •