Network Infrastructure


1. Chapter 5: Securing the Network Infrastructure
   Security+ Guide to Network Security Fundamentals, Second Edition

2. Objectives
   - Work with the network cable plant
   - Secure removable media
   - Harden network devices
   - Design network topologies

3. Network Cable Plant
   - Cable plant: the physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
   - Three types of transmission media:
     - Coaxial cables
     - Twisted-pair cables
     - Fiber-optic cables

4. Coaxial Cables
   - Coaxial cable was the main type of copper cabling used in computer networks for many years
   - Has a single copper wire at its center surrounded by insulation and shielding
   - Called "coaxial" because it houses two (co) axes or shafts: the copper wire and the shielding
   - There were two types of coax Ethernet installations: Thicknet and Thinnet

5. Thicknet and Thinnet
   - Thicknet, also known as 10Base5, was the first coax Ethernet installation
     - The 10 stands for 10 Mbps, the Base is for baseband signaling, and the 5 is the 500 m signal propagation or maximum cable run
     - Thicknet used "vampire taps" to add transceivers
   - Thinnet, also known as 10Base2, was the second coax Ethernet installation
     - The 2 in 10Base2 stands for the 185 m maximum cable run, rounded up to 2

6. Coaxial Cables (continued)
   - Thin coaxial cable looks similar to the cable that carries a cable TV signal
   - A braided copper mesh channel surrounds the insulation, and everything is covered by an outer shield of insulation for the cable itself
   - The copper mesh protects the core from interference
   - BNC connectors: connectors used on the ends of a thin coaxial cable (http://en.wikipedia.org/wiki/BNC_connector)

7. Coaxial Cables (continued)

8. Twisted-Pair Cables
   - The standard for copper cabling used in computer networks today, replacing thin coaxial cable
   - Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

9. Twisted-Pair Cables (continued)
   - Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
   - Unshielded twisted-pair (UTP) cables do not have any shielding
   - Twisted-pair cables have RJ-45 connectors

10. Fiber-Optic Cables
   - Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
   - Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper; the core transmits light impulses
   - A glass tube (the cladding) surrounds the core
   - The core and cladding are protected by a jacket
   - http://en.wikipedia.org/wiki/Fiber_optic
   - http://www.jimhayes.com/lennielw/fiber.html

11. Fiber-Optic Cables (continued)
   - Classified by the diameter of the core and the diameter of the cladding
     - Diameters are measured in microns; each is about 1/25,000 of an inch or one-millionth of a meter (125 microns)
   - Two types:
     - Single-mode: used when data must be transmitted over long distances; has a core of about 9 microns and uses lasers as its light source
     - Multimode: supports many simultaneous light transmissions, generated by light-emitting diodes, with a core of 62.5 microns

12. Securing the Cable Plant
   - Securing cabling outside the protected network is not the primary security issue for most organizations
   - The focus is on protecting access to the cable plant in the internal network
   - An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

13. Securing the Cable Plant
   - The attacker can capture packets as they travel through the network by sniffing
     - The hardware or software that performs such functions is called a sniffer
   - Physical security
     - First line of defense
     - Protects the equipment and infrastructure itself
     - Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

14. Securing Removable Media
   - Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
   - An employee copying data to a floppy disk or CD and carrying it home poses two risks:
     - The storage media could be lost or stolen, compromising the information
     - A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

15. Magnetic Media
   - Record information by changing the magnetic direction of particles on a platter
   - Floppy disks were some of the first magnetic media developed
   - The capacity of today's 3 1/2-inch disks is 14 MB
   - Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
   - Magnetic tape drives record information in a serial fashion

16. Optical Media
   - Optical media use a principle for recording information that differs from magnetic media
   - A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
   - The capacity of optical discs varies by type
   - A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
     - A DVD can record from 4 GB to 16 GB
   - Data cannot be changed once recorded

17. Electronic Media
   - Electronic media use flash memory for storage
     - Flash memory is a solid-state storage device: everything is electronic, with no moving or mechanical parts
   - SmartMedia cards range in capacity from 2 MB to 128 MB
   - The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

18. Electronic Media (continued)
   - CompactFlash card
     - Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
     - Comes in 33 mm and 55 mm thicknesses and stores between 8 MB and 192 MB of data
   - The USB memory stick is becoming very popular
     - Can hold between 8 MB and 1 GB of memory
     - USB hard drives range from 5 GB to 40 GB and above

19. Keeping Removable Media Secure
   - Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

20. Hardening Network Devices
   - Each device that is connected to a network is a potential target of an attack and must be properly protected
   - Network devices to be hardened are categorized as:
     - Standard network devices
     - Communication devices
     - Network security devices

21. Hardening Standard Network Devices
   - A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
   - This equipment has basic security features that you can use to harden the devices

22. Workstations and Servers
   - Workstation: a personal computer attached to a network (also called a client)
     - Connected to a LAN and shares resources with other workstations and network equipment
     - Can be used independently of the network and can have its own applications installed
   - Server: a computer on a network dedicated to managing and controlling network services
     - Examples are file servers, print servers, and domain controllers

23. Switches and Routers
   - Switch
     - Most commonly used in Ethernet LANs
     - Receives a packet from one network device and sends it to the destination device only
     - Limits the collision domain (the part of the network on which multiple devices may attempt to send packets simultaneously)
   - A switch is used within a single network
   - Routers connect two or more single networks to form a larger network
24. Switches and Routers
   - Switches and routers must also be protected against attacks
   - Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
   - Software agents are loaded onto each network device to be managed

25. Switches and Routers - SNMP
   - Each agent monitors network traffic and stores that information in its management information base (MIB)
   - A computer with SNMP management software (an SNMP management station) communicates with the software agents on each network device and collects the data stored in the MIBs

26. Remote Access Servers
   - A set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
   - Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

27. Remote Access Servers

28. Remote Access Servers
   - Remote access clients can run almost all network-based applications without modification
     - Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
29. VPNs
   - VPN stands for Virtual Private Network
   - VPNs come in two flavors:
     - Site-to-site (also called LAN-to-LAN)
     - Remote access
   - Site-to-site VPNs securely connect two or more distant locations over the public Internet
     - IPSec and IKE are the two protocols that provide authentication, encryption, and integrity checking
   - Remote access VPNs give mobile users the ability to securely connect from home or on the road to the business network
     - Remote access VPNs also use IPSec and IKE, but can also use SSL connections via the user's web browser
30. Hardening Network Security Devices
   - The final category of network devices includes those designed and used strictly to protect the network
   - These include:
     - Firewalls
     - Intrusion-detection systems
     - Network monitoring and diagnostic devices

31. Firewalls
   - Typically used to filter packets
   - Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
   - Typically located outside the network security perimeter as the first line of defense
   - Can be software or hardware configurations

32. Firewalls (continued)
   - A software firewall runs as a program on a local computer (sometimes known as a personal firewall)
     - Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
     - One disadvantage is that it is only as strong as the operating system of the computer it runs on

33. Firewalls (continued)
   - Filter packets in one of two ways:
     - Stateless packet filtering: permits or denies each packet based strictly on the rule base
     - Stateful packet filtering: records the state of a connection between an internal computer and an external server, and makes decisions based on the connection state and the rule base
   - Can perform content filtering to block access to undesirable Web sites
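The stateless versus stateful distinction on slide 33, as an added example that is not part of the original deck: a toy filter in which the stateless rule base must open a whole range of inbound ports so replies can get back in, while the stateful filter admits an inbound packet only when an internal host already opened that connection. All addresses, ports and packets are constructed for the demonstration.

```python
# Added example (not from the slides): stateless vs. stateful packet filtering.
# Packet fields and the sample traffic below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (informational only)


INTERNAL = "192.168.1.10"   # constructed internal host (RFC 1918 address)
EXTERNAL = "203.0.113.5"    # constructed external web server

# Stateless rule base: each packet is judged on its own, so replies can only
# come back if the rule base permanently allows inbound traffic to the
# ephemeral (high) port range that clients use.
STATELESS_RULES = [
    ("out", lambda p: True),               # any outbound packet
    ("in",  lambda p: p.dport >= 1024),    # any inbound packet to a high port
]


def stateless_filter(p: Packet, direction: str) -> bool:
    """Permit or deny a single packet strictly from the rule base."""
    return any(rule_dir == direction and match(p)
               for rule_dir, match in STATELESS_RULES)


class StatefulFilter:
    """Record connections opened from inside; admit inbound packets only when
    they belong to one of those recorded connections."""

    def __init__(self):
        self.connections = set()   # (internal_ip, internal_port, ext_ip, ext_port)

    def filter(self, p: Packet, direction: str) -> bool:
        if direction == "out":
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: the reply's (dst, dport, src, sport) must match a flow
        # the internal host initiated; anything else is dropped.
        return (p.dst, p.dport, p.src, p.sport) in self.connections


def run_demo() -> dict:
    """Run the same three constructed packets through both filters."""
    stateful = StatefulFilter()
    syn = Packet(INTERNAL, 40000, EXTERNAL, 80, "S")          # client opens HTTP
    reply = Packet(EXTERNAL, 80, INTERNAL, 40000, "SA")       # legitimate reply
    unsolicited = Packet("198.51.100.7", 5555, INTERNAL, 40001, "S")  # no matching flow
    return {
        "stateless": (stateless_filter(syn, "out"),
                      stateless_filter(reply, "in"),
                      stateless_filter(unsolicited, "in")),
        "stateful": (stateful.filter(syn, "out"),
                     stateful.filter(reply, "in"),
                     stateful.filter(unsolicited, "in")),
    }
```

The stateless filter lets the unsolicited packet through because its destination port falls in the range the rule base had to open for replies; the stateful filter drops it because no internal host opened that connection.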
34. Firewalls (continued)
   - An application layer firewall can defend against worms better than other kinds of firewalls
     - Reassembles and analyzes packet streams instead of examining individual packets

35. Intrusion-Detection Systems (IDS)
   - Devices that establish and maintain network security
   - An active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
     - Installed on the server or, in some instances, on all computers on the network
   - A passive IDS sends information about what happened, but does not take action

36. Intrusion-Detection Systems (IDS)
   - A host-based IDS monitors critical operating system files and the computer's processor activity and memory, and scans event logs for signs of suspicious activity
   - A network-based IDS monitors all network traffic instead of only the activity on a computer
     - Typically located just behind the firewall
   - Other IDS systems are based on behavior:
     - Watch network activity and report abnormal behavior
     - May result in false alarms (false positives)
     - http://www.sans.org/resources/idfaq/
     - http://www.securityfocus.com/infocus/1670

37. Network Monitoring and Diagnostic Devices
   - SNMP enables network administrators to:
     - Monitor network performance
     - Find and solve network problems
     - Plan for network growth
   - Managed device:
     - A network device that contains an SNMP agent
     - Collects and stores management information and makes it available to SNMP
38. Designing Network Topologies
   - Topology: the physical layout of the network devices, how they are interconnected, and how they communicate
   - Essential to establishing the network's security
   - Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

39. Security Zones
   - One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
     - Demilitarized Zones (DMZs)
     - Intranets
     - Extranets

40. Demilitarized Zones (DMZs)
   - Separate networks that sit outside the secure network perimeter
   - Outside users can access the DMZ, but cannot enter the secure network
   - The types of servers that should be located in the DMZ include:
     - Web servers
     - E-mail servers
     - Remote access servers
     - FTP servers

41. Demilitarized Zone (DMZ)
42. Network Address Translation (NAT)
   - "You cannot attack what you do not see" is the philosophy behind Network Address Translation (NAT) systems
   - Hides the IP addresses of network devices from attackers
   - Computers are assigned special IP addresses (known as private addresses)
     - RFC 1918 addresses
     - 10.0.0.0 - 10.255.255.255
     - 172.16.0.0 - 172.31.255.255
     - 192.168.0.0 - 192.168.255.255

43. Network Address Translation (NAT)
   - These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
   - Port address translation (PAT) is a variation of NAT
   - Each packet is given the same IP address, but a different TCP port number
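The PAT behaviour described on slides 42 and 43, as an added example that is not part of the original deck: every outbound flow from an RFC 1918 host is rewritten to one public address with its own public port, replies are mapped back by that port, and a reply for which no internal host created a mapping is dropped. The public address 203.0.113.1 and the internal hosts are constructed; only the RFC 1918 ranges come from the slides.

```python
# Added example (not from the slides): a minimal port address translation (PAT)
# table. One public address fronts every internal host; each outbound flow is
# given its own public port so the reply can be mapped back to the right host.
import ipaddress

# The three private ranges listed on slide 42.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


class PatTable:
    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outbound packet's source to (public_ip, public_port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            pub_port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, pub_port):
        """Map a reply arriving at the public address back to the internal host,
        or return None (drop) when no outbound flow created the mapping."""
        return self.inbound.get((pub_port, src_ip, src_port))


def demo():
    """Two internal hosts using the same source port reach the same server;
    PAT keeps them apart by public port.  Addresses are constructed."""
    nat = PatTable("203.0.113.1")
    a = nat.translate_out("10.0.0.5", 4444, "203.0.113.9", 443)
    b = nat.translate_out("192.168.1.7", 4444, "203.0.113.9", 443)
    back = nat.translate_in("203.0.113.9", 443, b[1])   # reply for host b
    unknown = nat.translate_in("203.0.113.9", 443, 20002)  # nobody asked for this
    return a, b, back, unknown
```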
44. Honeypots
   - Computers located in a DMZ loaded with software and data files that appear to be authentic
   - Intended to trap or trick attackers
   - Two-fold purpose:
     - To direct an attacker's attention away from the real servers on the network
     - To examine the techniques used by attackers

45. Honeypots (continued)

46. Virtual LANs (VLANs)
   - Segment a network with switches to divide the network into a hierarchy
   - Core switches reside at the top of the hierarchy and carry traffic between switches
   - Workgroup switches are connected directly to the devices on the network
   - Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

47. Virtual LANs (VLANs)

48. Virtual LANs (VLANs)
   - Segment a network by grouping similar users together
   - Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
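The logical grouping on slide 48, as an added example that is not part of the original deck: a toy learning switch with port-based VLANs, where frames are forwarded or flooded only to ports in the sender's VLAN, so two groups sharing one physical switch cannot see each other's traffic. The port-to-VLAN assignments and MAC addresses are constructed.

```python
# Added example (not from the slides): a learning switch with port-based VLANs.
# The MAC table is keyed by (vlan, mac) and flooding is restricted to the VLAN,
# so devices in different logical groups never receive each other's frames.


class VlanSwitch:
    def __init__(self, port_vlans: dict):
        self.port_vlans = port_vlans    # physical port -> VLAN id (constructed)
        self.mac_table = {}             # (vlan, mac) -> port learned from

    def receive(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Return the ports the frame is sent out of."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port      # learn the sender
        known = self.mac_table.get((vlan, dst_mac))    # lookup within VLAN only
        if known is not None and known != in_port:
            return [known]                             # unicast to the known port
        # Unknown destination: flood, but only to ports in the same VLAN.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def demo():
    """Ports 1-2 form VLAN 10, ports 3-4 form VLAN 20 (constructed layout)."""
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    a, b, c = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    first = sw.receive(1, a, b)     # A -> B, B unknown: flood VLAN 10 only
    reply = sw.receive(2, b, a)     # B -> A, A learned: unicast to port 1
    cross = sw.receive(3, c, a)     # C (VLAN 20) -> A: never reaches port 1
    return first, reply, cross
```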
49. Summary
   - Cable plant: the physical infrastructure (wire, connectors, and cables) that carries data communication signals between equipment
   - Removable media used to store information include:
     - Magnetic storage (removable disks, hard drives)
     - Optical storage (CD and DVD)
     - Electronic storage (USB memory sticks, flash cards)

50. Summary (continued)
   - Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
   - A network's topology plays a critical role in resisting attackers
   - Hiding the IP address of a network device can help disguise it so that an attacker cannot find it