In the CIA of security, the “A” for availability is often overlooked.
A failure allows unauthorized users to access resources and data.
This compromises integrity or confidentiality.
Failure prevents authorized users from accessing resources and data.
Data is not available.
Security Concerns for Transmission Media
Infrastructure security begins with the actual design of the infrastructure itself.
Network components are an essential aspect of a total computing environment. They rely upon:
Routers, switches, and cables that connect the devices
Firewalls and gateways that manage the communication
Protocols that are employed
The primary goal of network infrastructure security is to allow all authorized use and deny all unauthorized use of resources.
Equipment that directly connects to a network segment is termed a device (end user and network).
End User Devices - hosts :
Can exist without a network, standalone.
Physically connected to the network media via (NIC).
Each NIC carries a unique Media Access Control (MAC) address.
Different NICs are used for different physical protocols.
A complete network computer solution consists of more than just client computers and servers.
Devices are needed to connect clients, servers, wireless, hand-held systems, hubs, switches, routers, wireless access points, and VPN devices.
Workstation security can be increased by:
Removing unnecessary protocols such as Telnet, NetBIOS, and IPX.
Removing modems unless needed and authorized.
Removing all unnecessary shares.
Renaming the administrator account and adding a strong password.
Removing unnecessary user accounts.
Installing an antivirus program and keeping it up-to-date.
Removing or disconnecting the floppy drive if not needed.
Ensuring there is a firewall between the machine and the Internet.
Keeping the OS patched and up-to-date.
LANS consist of the following devices:
Network interface cards
Commmon LAN technologies include:
Devices that connect end-user devices together to allow them to communicate.
Layer 1 - A repeater and hub are network devices used to regenerate a signal.
Layer 2 - Bridges and switches segment traffic for small collision domains using MAC addresses.
Layer 3 - Routers have all the capabilities listed above and connect WANs using IP addresses
Layer 1 Network Devices
Layer 1 – Repeaters and Hubs are both collision domains and broadcast domains.
Layer 2 - Switch Administration
Switches are administered using the Simple Network Management Protocol ( SNMP ).
SNMP sends passwords across the network.
Switches are shipped with default passwords and the passwords must be changed at set up.
It is important to disable all access protocols other than a serial line, or use Secure Shell (SSH).
Using secure access methods limits the exposure to hackers and malicious users.
Maintaining secure network switches is more important than securing individual boxes.
The span of control to intercept data is much wider on a switch when reprogrammed by a hacker.
Layer 2 Security - VLAN Overview
Virtual local area networks (VLANs) are a method of using a single switch and dividing it into multiple network segments. It has several characteristics:
VLAN membership for users can be based on department or job function, regardless of where the users are located.
Easily move workstations on the LAN
Easily add workstations to the LAN
Easily change the LAN configuration
Easily control network traffic
Increases network segregation.
Increases throughput and security .
Routers form the backbone of the Internet.
They move traffic from network to network.
They inspect packets from every communication as they move optimized traffic.
Routers examine each packet for destination addresses.
They determine where to send a packet using algorithms and tables.
They may examine the source address and determine whether to allow a packet to pass. (Implements ACLs).
Some routers act as quasi-application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass.
Layer 3 - Router Security
A security concern of routers is access to its internal functions.
Physical control over a router is absolutely necessary.
Ensure that administrative passwords are never passed.
Secure mechanisms are used to access the router.
Default passwords are reset to strong passwords.
The Security Policy
A security policy is a series of rules that define what traffic is permissible and what traffic is to be blocked or denied.
What am I protecting?
What services does my company need to access over the network?
Who gets access to what resources?
Who administers the network?
A key to security policies for firewalls is the principle of least access.
Only allow the necessary access for a function, and block or deny all unneeded functionality.
A firewall is a network device—hardware, software, or a combination.
It enforces a security policy across its connections.
A corporate connection to the Internet should pass through a firewall to block all unauthorized network traffic.
How Do Firewalls Work?
Firewalls enforce established security policies through mechanisms, including:
Network Address Translation (NAT) will create private addressing scheme that can’t be reached by the internet
Basic packet filtering - Can filter by Protocol type, IP address, TCP/UDP port and Source routing information
Stateful packet filtering monitors traffic
ACLs are rules built according to organizational policy that defines who can access portions of the network
Application layer proxies prevent packets from traversing the firewall, but allows data to travel a proxy device that decides what to do with it.
Stateful Packet Filtering
Stateful packets keeps record of the connections made with other computers via state table
Stateful monitoring enables a system to determine which sets of communications are permissible and which should be blocked.
Internet Connection Firewall makes use of a state table to track connections based on source and destination IP and blocks any connection that hasn’t been initiated – very simple and doesn’t allow the control you need
Placing wireless devices behind a firewall stops only physically connected traffic from getting to the device.
It supports multiple concurrent devices accessing the network.
Basic network security for connections can be performed by forcing authentication and verifying authorization.
WEP is designed to prevent wireless sniffing of network traffic over the wireless portion of the network.
Modem, DSL and Cable Modem
Modem is short for modulator/demodulator.
Modems convert analog signals to digital and vice versa.
Direct connection between computer/network and the Internet
Connected to a shared segment; party line
Most have basic firewall capabilities to prevent files from being viewed or downloaded
Most implement the Data Over Cable Service Interface Specification ( DOCSIS ) for authentication and packet filtering
Both cable modem and DSL services provide a continuous connection, which brings up the question of IP address life for a client.
Most services have a Dynamic Host Configuration Protocol (DHCP) to manage their address space.
Remote Access Service (RAS) allows connection between a client and a server via a dial-up telephone connection.
When a user dials into a computer system, authentication and authorization are performed through a series of remote access protocols.
A call-back system may be employed.
RAS may also mean Remote Access Server , a term for a server designed to permit remote users access to a network and to regulate their access.
Once connected to the RAS server, a client has all the benefits of a direct network connection.
The RAS server treats its connected clients as extensions of the network.
For security purposes, a RAS server should be placed in the DMZ and considered insecure.
Private branch exchanges (PBXs) are an extension of the public telephone network into a business.
PBXs are computer-based switching equipment designed to connect telephones into the local phone system.
They can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the organization’s expense.
They cause a problem when interconnected with data systems by corporate connection or rogue modems belonging to users.
Virtual Private Network (VPN)
Three main kinds:
Access VPN – remote access for telecommuters or branch offices to a corp intra/extranet.
Intranet VPN – links remote offices to corp intranet.
Extranet VPN – link business partners & outside users to corp extranet. Extranets refer to applications and services that are Intranet based, and use extended, secure access to external users or enterprises
VPN is an encrypted connection that appears dedicated. Data is encrypted at both ends Offers secure, reliable connectivity
IDS - the art of detecting inappropriate, incorrect, or anomalous activity
The two categories of (IDS ) are:
Network-based systems – looks at network traffic
Host-based systems – looks at host traffic
The two primary methods of detection are:
Multiple IDSs are required for large networks as they can have multiple entries into the system
Problem - Remote access protocols employ encryption technology that would hide the contents of packets from IDS inspection.
The Simple Network Management Protocol ( SNMP ) was developed to perform management, monitoring, and fault resolution across networks.
It enables a monitoring and control center to maintain, configure, and repair network devices (switches, routers, firewalls, IDSs, servers and remote access servers.)
SNMP enables controllers at network operations centers (NOC) to measure the actual performance of network devices and make changes to the configuration and operation of devices.
Offer several challenges for network administrators.
When data is moved from one network to another, opportunity for malware exists.
Antivirus protection is available.
CAN-spam law of 2003.
Third conviction using CAN-spam law.
Media - Physical Layer
The base of communications between devices is the physical layer of the OSI model
Methods of Connection
There are four common methods of connecting equipment at the physical layer:
The primary security concern is preventing physical access to a network devices, and s econdly, preventing unfettered access to network connections.
Methods for unauthorized entry to a network
Inserting a device on the network by attaching to the cable or adding a wireless device. Once attached, sniffing is easy.
Coax and Fiber
Coaxial cable is familiar as a method of connecting televisions to VCRs or to satellite or cable services.
It has high bandwidth and shielding capabilities.
Fiber optic cable uses laser light to connect devices over a thin glass wire.
The biggest advantage of fiber is its bandwidth, with transmission capabilities in the range of terabits per second.
Connection to fiber is difficult and expensive.
A coax connector A typical fiber optic fiber
Twisted-pair wires use the same technology used by the phone company.
Twisted pairs come in two types,
Shielded twisted-pair (STP) has a foil shield to reduce electromagnetic interference.
Unshielded twisted-pair (UTP) relies on the twist to eliminate interference.
There are three categories of twisted-pairs currently in use:
Category 3 (Cat 3) minimum for voice and 10 Mbps Ethernet
Category 5 (Cat 5) for 100 Mbps Fast Ethernet
Category 6 (Cat 6) for Gigabit Ethernet
Unguided media covers all transmission media not guided by wire, fiber, or other constraints.
Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible spectrum which cannot penetrate walls but instead bounces off them.
Radio frequency (RF) waves use a variety of frequency bands with special characteristics.
Microwave describes a specific portion of the RF spectrum that is used for communication as well as other tasks such as cooking. Microwave communications can penetrate reasonable amounts of building structure.
Security-related topologies include separating portions of the network by use and function, strategically designing points to monitor for IDS systems, building in redundancy, and adding fault-tolerant aspects.
Trade-offs between access and security are handled through zones.
The outermost layers provide basic protection.
The innermost layers provide the highest level of protection.
Successive zones are guarded by firewalls enforcing ever increasingly strict security policies.
Accessibility is inversely related to the level of protection.
The Big Picture
The outermost zone is the Internet, a free area beyond any specific controls.
Between the inner secure corporate network and the Internet is an area where machines are considered at risk, called the DMZ , after its military counterpart, the demilitarized zone, where neither side has any specific controls.
The demilitarized zone (DMZ) is a buffer zone between the Internet, where no controls exist, and the inner secure network, where an organization has security policies in place.
To demarcate the zones and enforce separation, a firewall is used on each side of the DMZ.
The firewalls are specifically designed to prevent access across the DMZ
Any server directly accessed from the outside, untrusted Internet zone needs to be in the DMZ.
All network devices placed in the DMZ, should all be hardened.
If the outside user requests a resource from the trusted network, then this request follows the given scenario:
A user from an untrusted network (the Internet) requests data via a Web page from a Web server in the DMZ.
The Web server in the DMZ requests data from the application server, which can be in the DMZ or in the inner, trusted network.
The application server requests the data from the database server in the trusted network.
The database server returns the data to the requesting application server.
The application server returns the data to the requesting Web server.
Internet, Intranet and Extranet
Internet should be considered to be untrusted.
A firewall should exist at any connection between a trusted network and the Internet.
Intranet is a a collection of all LANs inside the firewall ( campus network .)
Extranet is an extension of a selected portion of a company's intranet to external partners.
This allows a business to share information with customers, suppliers, partners, and other trusted groups while using a common set of Internet protocols
Extranets can use public networks and some form of security, typically VPN, is used to secure this channel.
Two methods exist to access outside information.
-Duplication onto servers in the DMZ
-The use of extranets
Tunneling is a method of packaging packets so that they can traverse a network in a secure, confidential manner.
Tunneling encapsulates packets within packets, which enabling dissimilar protocols to coexist in a single communication stream, as in IP traffic routed over an ATM network.
On a VPN connection, an edge device on one network, usually a router, connects to another edge device on the other network.
Using IPsec protocols, these routers establish a secure, encrypted path between them.
Tunneling across a public network
Network Address Translation (NAT)
NAT translates a public IP address into a private IP address.
This permits enterprises to use the nonroutable private IP address space internally and reduce the number of external public IP addresses used across the Internet.
NAT translates the address when traffic passes the device, such as a firewall.
Typically, a pool of external IP addresses is used by the NAT device, with the device keeping track of which internal address is using which external address at any given time.
Static NAT is where there is a 1:1 binding of external address to internal address used for devices required a fixed address (Web servers or e-mail servers.)
Dynamic NAT assigns multiple private address to a public address.