Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
  1. Chapter 10 Appendix: Security. Networking Concepts – Eric Vanderburg ©2005
  2. Security
     - Know the costs: costs due to loss of data, costs of downtime, cost of implementing security measures
     - Physical security must be in place first
     - Share-oriented security (Win9x)
     - User-oriented security (Win2k, 2k3, XP)
  3. Security
     - Securing data: make it safe from intruders; make sure damaged data can be replaced
     - Plan for network security: identify threats; communicate with other managers in the office to make sure the security system meets their needs (it is not only about IT; think of the users)
  4. Windows Security Features
     - Kerberos
     - PKI (Public Key Infrastructure)
     - Group Policy
     - VPN (Virtual Private Network)
     - IPSec (IP Security)
  5. Windows 2003
     - CLR (Common Language Runtime) – reduces bugs that leave Windows vulnerable by reducing the power of individual programs, placing them under the control of the OS
     - IIS 6.0 – configured for maximum security by default, and disabled by default
     - Unsecured clients cannot log in – Windows 95, and NT prior to SP4, cannot log in to a Windows 2003 domain by default; certificates and encryption are required of all clients
  6. Kerberos
     - Authentication method (Win2k & 2k3 default)
     - Based on RFC 1510
     - Uses Kerberos version 5
     - Replaces NTLM (NT LAN Manager) & NTLMv2 – still used with pre-2k clients
  7. Kerberos Components
     - KDC (Key Distribution Center)
       - AS (Authentication Service): verifies identity through AD; gives a TGT (Ticket Granting Ticket), which gives access to certain resources
       - TGS (Ticket-Granting Service): verifies the TGT; creates a service ticket & session key for a resource based on the TGT. The client can present the service ticket to another server to access its content. NOTE: servers have tickets too. Only services its own domain; must refer to another TGS for interdomain resource access (gives a referral ticket)
     - Server with the desired resource
     - Client
  8. Items of Note
     - Delegation with forwarding and proxy: for a server such as a database server to access resources on your behalf (given a proxy or forwarding ticket)
     - NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time, so all clocks must be the same.
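The AS → TGT → TGS → service ticket → server sequence from slides 7 and 8, including the referral case for a service outside the realm and the clock-skew check that is why NTP matters, as a runnable model. This is an added example written for these notes, not code from the course or from Windows. Assumptions: tickets are sealed with HMAC-SHA256 under the holder's key as a standard-library stand-in for the symmetric encryption real Kerberos uses, the directory of long-term keys is constructed for the demo, and the five-minute skew limit mirrors the Windows default.

```python
"""Model of the Kerberos flow: AS issues a TGT, TGS turns it into a service ticket
plus session key, the client presents the ticket to the server, and every step
checks timestamps. Added example, not course code. Assumption: tickets are sealed
with HMAC-SHA256 under the holder's key as a stand-in for symmetric encryption."""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300            # seconds of clock drift tolerated (Windows default: 5 minutes)
TICKET_LIFETIME = 36000   # 10 hours


def seal(key: bytes, fields: dict) -> dict:
    """Bind fields to a key; without the key the fields cannot be forged or altered."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key: bytes, sealed: dict) -> dict:
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("ticket forged or sealed under a different key")
    return json.loads(sealed["body"])


def check_skew(stamp: int, now: int) -> None:
    if abs(now - stamp) > MAX_SKEW:
        raise ValueError("clock skew")


class KDC:
    """One realm's AS and TGS. `directory` maps principal -> long-term key (AD)."""

    def __init__(self, realm: str, directory: dict):
        self.realm = realm
        self.directory = directory
        self.tgs_key = os.urandom(32)   # TGTs are sealed for the TGS itself

    def authentication_service(self, principal: str, proof: dict, now: int) -> tuple:
        """AS: verify the client with its directory key, return a TGT and session key."""
        key = self.directory.get(principal)
        if key is None:
            raise ValueError("unknown principal")
        check_skew(unseal(key, proof)["timestamp"], now)   # pre-authentication
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"principal": principal, "realm": self.realm,
                                  "session": session, "expires": now + TICKET_LIFETIME})
        return tgt, session

    def ticket_granting_service(self, tgt: dict, service: str, now: int) -> tuple:
        """TGS: verify the TGT, issue a service ticket sealed for the target server."""
        fields = unseal(self.tgs_key, tgt)
        if now > fields["expires"]:
            raise ValueError("TGT expired")
        if service not in self.directory:
            # a service outside this realm needs a referral to that realm's TGS
            raise ValueError("referral needed: service not in realm " + self.realm)
        svc_session = os.urandom(16).hex()
        ticket = seal(self.directory[service], {"principal": fields["principal"],
                      "session": svc_session, "expires": now + TICKET_LIFETIME})
        return ticket, svc_session


def server_accepts(server_key: bytes, ticket: dict, authenticator: dict, now: int) -> None:
    """Resource server: open the ticket with its own key, then the authenticator with
    the session key found inside, and reject stale authenticators."""
    fields = unseal(server_key, ticket)
    if now > fields["expires"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(fields["session"]), authenticator)
    check_skew(auth["timestamp"], now)
    if auth["principal"] != fields["principal"]:
        raise ValueError("authenticator principal mismatch")


def run_flow(kdc: KDC, principal: str, service: str, client_now: int, infra_now: int) -> str:
    """Whole exchange. client_now is the client's clock; infra_now is the KDC/server
    clock (kept equal by NTP). Returns 'granted' or the reason for rejection."""
    try:
        proof = seal(kdc.directory[principal], {"timestamp": client_now})
        tgt, _ = kdc.authentication_service(principal, proof, infra_now)
        ticket, svc_session = kdc.ticket_granting_service(tgt, service, infra_now)
        authenticator = seal(bytes.fromhex(svc_session),
                             {"principal": principal, "timestamp": client_now})
        server_accepts(kdc.directory[service], ticket, authenticator, infra_now)
        return "granted"
    except ValueError as err:
        return str(err)


# constructed directory for the demo; in the real system these keys live in AD
DIRECTORY = {"alice": os.urandom(32), "host/fileserver": os.urandom(32)}
KDC_CORP = KDC("CORP", DIRECTORY)

if __name__ == "__main__":
    t = 1_100_000_000
    print(run_flow(KDC_CORP, "alice", "host/fileserver", t, t))        # granted
    print(run_flow(KDC_CORP, "alice", "host/fileserver", t, t + 900))  # clock skew
    print(run_flow(KDC_CORP, "alice", "host/sales.example", t, t))     # referral needed
```

The second call shows the NTP point: a client whose clock is 15 minutes off is rejected at the AS before any ticket is issued, which is exactly the symptom an administrator sees when time synchronization breaks. The third call shows the TGS refusing to issue for a service it does not hold a key for, where real Kerberos would hand back a referral.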
  9. PKI
     - Deploying a PKI allows you to perform tasks such as:
       - Digitally signing files (documents and applications)
       - Securing e-mail
       - Enabling secure connections between computers
       - Better user authentication (smart cards)
  10. Certificates
     - Digital certificates: electronic credentials, consisting of public keys, which are used to sign and encrypt data
     - Certificate vendors: Entrust, Verisign
     - [Screenshot: Select CA Role]
  11. Certificates
     - Create certificate templates so subordinates can issue certs
     - [Screenshots: Certificate Template; Certificate Details]
  12. Certificates
     - CA (Certification Authority): issues digital certificates. CAs form a hierarchy:
       - Root CA
       - Subordinate CA: Intermediate CA, Issuing CA
       - Rudimentary CA: restricted to issuing certain certs
  13. Certificates
     - Certificate policy and practice statements: the two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on
     - Certificate repositories: where certificates are stored and published (AD)
     - CRL (Certificate Revocation List): list of certificates that have been revoked before reaching their scheduled expiration date
     - CTL (Certificate Trust List): the list of the certificates you trust. If you trust a root, you trust all certs from that root.
     - [Screenshot: view issued certs from the Certificates MMC; double-click to see a cert]
  14. Certificate Server Role
     - Publish certificates: the PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates
     - Enroll clients: users, services, or computers request and receive certificates from an issuing CA or a Registration Authority (RA). The CA/RA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate
     - Publish CRL & CTL: users need to know which certificates are revoked and which servers are trusted by their CA
     - Renew or revoke certificates
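How the pieces on slides 12 to 14 fit together when a client actually checks a certificate: walk the chain from the leaf up through issuing and intermediate CAs to a root, verify each signature, reject anything expired or listed in the issuer's CRL, and finally accept only if the root is in the CTL ("if you trust a root, you trust all certs from that root"). This is an added example, not course material or Windows code. Assumption: CA signatures are modelled as HMAC-SHA256 tags under the CA's key (a standard-library stand-in for public-key signatures), so the verifier holds the CA object instead of a public key; the hierarchy and the CRL contents are constructed for the demo.

```python
"""Certificate chain validation against a CTL and CRLs. Added example, not course
material. Assumption: signatures are HMAC-SHA256 under the issuing CA's key, a
stdlib stand-in for real public-key signatures."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

NOW = 1_100_000_000
YEAR = 365 * 86400


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: int      # epoch seconds
    is_ca: bool
    signature: str

    def to_be_signed(self) -> bytes:
        return json.dumps([self.subject, self.issuer, self.serial,
                           self.not_after, self.is_ca]).encode()


class CA:
    """Holds the CA's key; `cert` is the CA's own certificate (self-signed for a root)."""

    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)
        self.cert = None

    def sign(self, subject: str, serial: int, not_after: int, is_ca: bool) -> Cert:
        unsigned = Cert(subject, self.name, serial, not_after, is_ca, "")
        sig = hmac.new(self.key, unsigned.to_be_signed(), hashlib.sha256).hexdigest()
        return Cert(subject, self.name, serial, not_after, is_ca, sig)

    def verify(self, cert: Cert) -> bool:
        expected = hmac.new(self.key, cert.to_be_signed(), hashlib.sha256).hexdigest()
        return cert.issuer == self.name and hmac.compare_digest(expected, cert.signature)


def validate_chain(leaf: Cert, cas: dict, ctl: set, crls: dict, now: int, max_depth: int = 5):
    """Walk leaf -> ... -> root. `cas` maps CA name -> CA (the repository), `ctl` is
    the set of trusted root names, `crls` maps issuer name -> set of revoked serials.
    Returns (accepted, reason)."""
    cert = leaf
    for _ in range(max_depth):
        issuer = cas.get(cert.issuer)
        if issuer is None:
            return False, f"unknown issuer {cert.issuer}"
        if not issuer.verify(cert):
            return False, f"bad signature on {cert.subject}"
        if now > cert.not_after:
            return False, f"expired: {cert.subject}"
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"revoked: {cert.subject} (serial {cert.serial})"
        if cert.subject == cert.issuer:          # self-signed: this is a root
            if cert.subject in ctl:
                return True, f"trusted via root {cert.subject}"
            return False, f"root {cert.subject} not in CTL"
        if not issuer.cert.is_ca:
            return False, f"{issuer.name} is not a CA"
        cert = issuer.cert
    return False, "chain too long"


def build_demo_pki():
    """Constructed three-tier hierarchy: root -> intermediate -> issuing CA -> users."""
    root = CA("Corp Root CA")
    root.cert = root.sign(root.name, 1, NOW + 10 * YEAR, True)
    inter = CA("Corp Intermediate CA")
    inter.cert = root.sign(inter.name, 2, NOW + 5 * YEAR, True)
    issuing = CA("Corp Issuing CA")
    issuing.cert = inter.sign(issuing.name, 3, NOW + 2 * YEAR, True)
    cas = {ca.name: ca for ca in (root, inter, issuing)}
    good = issuing.sign("alice@corp.example", 100, NOW + YEAR, False)
    revoked = issuing.sign("bob@corp.example", 101, NOW + YEAR, False)
    crls = {issuing.name: {101}}     # bob's cert was revoked before expiry
    return cas, good, revoked, crls


if __name__ == "__main__":
    cas, good, revoked, crls = build_demo_pki()
    ctl = {"Corp Root CA"}
    print(validate_chain(good, cas, ctl, crls, NOW))            # trusted via root
    print(validate_chain(revoked, cas, ctl, crls, NOW))         # revoked
    print(validate_chain(good, cas, set(), crls, NOW))          # root not in CTL
    print(validate_chain(good, cas, ctl, crls, NOW + 3 * YEAR)) # expired
```

Note the order of checks: a bad signature is rejected before the CRL is consulted, so a forged certificate can never be "un-revoked" by editing its serial, and the CTL decision is made only once the walk has reached a self-signed root, which is what makes trusting one root equal to trusting everything beneath it.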
  15. Group Policy
     - [Screenshots: AD Users & Computers MMC → select your group policy → Group Policy MMC → edit as needed]
  16. Group Policy Properties
     - Double-click an item to edit its properties
  17. VPN
     - Encapsulates & encrypts one packet inside another
     - Server to server: connecting LANs
     - Client to server: remote users & extranet
  18. VPN Protocols
     - L2TP (Layer 2 Tunneling Protocol)
       - Encrypts with IPSec
       - Works over many protocols (X.25, ATM, IP, Frame Relay)
     - PPTP (Point to Point Tunneling Protocol)
       - Encrypts with MPPE (Microsoft Point to Point Encryption) – 40, 56, or 128-bit
       - Authenticates with PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MS-CHAP, or EAP
       - Works only over IP
  19. VPN Advantages
     - Distance is not a concern
     - More scalable – the bandwidth in use can be adjusted
     - Less reliant on expensive modem pools
  20. IPSec
     - Tunnel mode: encrypts the header and the payload of each packet
     - Transport mode: encrypts the payload only
     - All systems must be IPSec compliant
     - Authentication: SHA (Secure Hash Algorithm) – 160-bit, high overhead; MD5 (Message Digest 5) – 128-bit
     - Data encryption: DES (Data Encryption Standard) – 56-bit; 3DES (Triple DES) – high processor overhead; AES
     - IPv6 has IPSec built in
  21. IPSec
     - IPSec filters specify what type of traffic a machine will accept
     - Permit (unsecured packets are sent)
     - Request Security (IPSec-encrypted packets are preferred, but plaintext is allowed)
     - Require Security (packets must be encrypted)
  22. Security
     - Firewalls
     - IDS
     - Honeypot
     - Malicious code
     - Wireless
     - A "hardened" OS is one that has been made as secure as possible
  23. Hardware Firewalls
     - Screening router: filters packets & closes ports
     - Screened host: a hardware firewall filters packets & ports; a bastion host does application filtering, NAT or proxy
     - Multiple DMZ: each section has its own set of firewalls and DMZ separating it from the others
     - Screened subnet/DMZ (Demilitarized Zone): put externally accessed machines between 2 firewalls
  24. Hardware requirements
     - Storage: large amounts of log files will be present on this computer, so there must be a large amount of storage
     - Processor: this computer will be analyzing many packets
     - 2 NICs: must be able to connect the outside with the inside
  25. Software Firewalls
     - Most are cumbersome to configure and control
     - Inexpensive extra layer of protection
     - The firewall places itself between the NIC and the TCP/IP stack
     - Vendors: Windows Firewall (built-in), Novell Border Manager (built-in), Macintosh firewall (built-in), Norton Internet Security, BlackICE, ZoneAlarm
  26. Firewalls (cont.)
     - Multiple firewalls can be used for load balancing
  27. Firewalls
     - [Screenshots: ZoneAlarm; Windows Firewall]
  28. IDS (Intrusion Detection System)
     - NIDS (Network IDS): analyzes network traffic
     - HIDS (Host IDS): analyzes traffic sent only to its host
     - LIDS (Linux IDS): open source IDS for Linux clients or servers
     - Looks at network or host traffic, based on rules, to determine whether an attack is in progress
     - The IDS can be configured to respond accordingly, e.g. close ports, ban IP addresses, alert admins, close shares, disable accounts, etc.
     - Examples: Snort
  29. Rules
     - Rule base: the set of rules that tell the firewall or IDS what action to take when types of traffic flow through it
     - Should be based on the security policy
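A small rule base of the kind slide 29 describes, exercised in one engine that covers the three IPSec filter actions from slide 21 (Permit, Request Security, Require Security), the screening-firewall decision from slide 23, and the IDS-with-response behaviour from slide 28 (alert, then ban a source after repeated hits). This is an added example written for these notes, not course material and not Snort or Windows syntax. Assumptions: the packet fields, addresses (documentation ranges), rules and the detection signature are all constructed for the demo; rules are evaluated in order and the first match wins within each stage.

```python
"""Rule base for a screening firewall (permit/deny + IPSec filter actions) and an
IDS with automatic response. Added example, not course material; packets, ranges
and signatures are constructed for the demo."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" / "udp" / "icmp"
    dport: int
    ipsec: bool = False   # True when the packet arrived protected by IPSec
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    action: str           # deny | permit | request_security | require_security | alert
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None   # IDS signature, matched as a substring of the payload

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.content is None or self.content in p.payload))


# constructed rule base; 192.0.2.0/24 is the DMZ, 10.0.0.0/8 the inside
IDS_RULES = [
    Rule("web traversal attempt", "alert", dst="192.0.2.0/24", proto="tcp", dport=80,
         content=b"../../"),
]
FIREWALL_RULES = [
    Rule("public web to DMZ", "permit", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("file sharing inside only", "require_security",
         src="10.0.0.0/8", dst="10.0.0.0/8", proto="tcp", dport=445),
    Rule("internal prefers IPSec", "request_security", src="10.0.0.0/8", dst="10.0.0.0/8"),
    Rule("default deny", "deny"),
]


class RuleEngine:
    def __init__(self, ids_rules, fw_rules, ban_after: int = 3):
        self.ids_rules, self.fw_rules, self.ban_after = ids_rules, fw_rules, ban_after
        self.alert_counts = defaultdict(int)
        self.banned = set()
        self.alerts = []   # (rule name, source) for the admin to review

    def handle(self, p: Packet) -> str:
        if p.src in self.banned:
            return "drop: source banned"
        # stage 1: detection and automatic response (one of the responses on slide 28)
        for r in self.ids_rules:
            if r.matches(p):
                self.alert_counts[p.src] += 1
                self.alerts.append((r.name, p.src))
                if self.alert_counts[p.src] >= self.ban_after:
                    self.banned.add(p.src)
                    return f"alert ({r.name}) and ban {p.src}"
                return f"alert ({r.name})"
        # stage 2: filtering, first match wins
        for r in self.fw_rules:
            if not r.matches(p):
                continue
            if r.action == "deny":
                return f"drop: {r.name}"
            if r.action == "permit":
                return "accept cleartext"
            if r.action == "request_security":
                return "accept IPSec" if p.ipsec else "accept cleartext (peer not IPSec)"
            if r.action == "require_security":
                return "accept IPSec" if p.ipsec else "drop: IPSec required"
        return "drop: no rule matched"


if __name__ == "__main__":
    eng = RuleEngine(IDS_RULES, FIREWALL_RULES)
    print(eng.handle(Packet("198.51.100.5", "192.0.2.10", "tcp", 80, payload=b"GET / HTTP/1.0")))
    print(eng.handle(Packet("10.1.1.5", "10.1.1.20", "tcp", 445, ipsec=True)))
    print(eng.handle(Packet("10.1.1.5", "10.1.1.20", "tcp", 445)))   # IPSec required
    probe = Packet("203.0.113.7", "192.0.2.10", "tcp", 80, payload=b"GET /../../../ HTTP/1.0")
    for _ in range(4):
        print(eng.handle(probe))   # alert, alert, alert and ban, drop
```

The ordering of FIREWALL_RULES is the point of slide 29: the specific "require_security" rule for SMB must sit above the broader "request_security" rule, or the broad rule would match first and let cleartext file-sharing traffic through. Deleting the trailing default-deny rule changes nothing here only because `handle` also denies when nothing matches; a rule base should still state that default explicitly so the policy is readable.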
  30. Honeypot
     - A lure for a hacker
     - Wastes the hacker's time
     - Fake computer or network behind security barriers
     - Can be analyzed to view attack methods and improve security: identify what they are after, what their skill level is, and what tools they use
  31. Malicious Code
     - Virus: self-replicating code segment which is attached to an executable. When the program is started, the virus code may also run. If possible, the virus will replicate by attaching a copy of itself to another file. A virus may also have an additional "payload" that runs when specific conditions are met.
     - Trojan horse: malicious code pretending to be a legitimate application. The user believes they are running an innocent application when the program is actually initiating its ulterior activities. Trojan horses do not replicate.
     - Worm: self-replicating program; does not require a host program, creates a copy and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other computer systems.
     - Spyware: a program that secretly monitors your actions. Could be a remote control program used by a hacker, or it could be used to gather data about users for advertising, aggregation/research, or preliminary information for an attack. Some spyware is configured to download other programs onto the computer.
  32. Viruses
     - Implement virus protection at these locations:
       - Workstation: protects a single computer by scanning files from the server or e-mail messages
       - Server: scans data read from or written to the server; prevents a virus on the server from spreading throughout the network
       - Internet gateway: scans all Web browser, FTP, and e-mail traffic; stops viruses before they enter the network. Do not infect those checking your website.
  33. Wireless Security
     - Site survey: adjust location and range so that wireless access extends only to the business's borders
     - Passwords should be changed, and so should WEP keys. WEP should be enabled.
     - Filter MACs
     - Disable SSID broadcasting
  34. Hardening
     - Remove unneeded services
     - Close unused ports
     - Remove unused user accounts
  35. Auditing
     - Records certain actions for security and troubleshooting: failed access; granted access
     - Use auditing sparingly – it uses resources, and more data is harder to utilize effectively
  36. Enabling Auditing
     - Administrative Tools → Local Security Policy → Local Policies → Audit Policy
     - Double-click the policy that you want to enable or disable
     - Check Success (an audited security access attempt that succeeds) and/or Failure (an audited security access attempt that fails)
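What slides 35 and 36 produce once Success and Failure auditing are switched on is a stream of records, and the value is in reading them. The following added example (written for these notes, not course or Windows code) parses a constructed sample of success/failure records, counts failed logons per account, flags account/source pairs with repeated failures followed by a success, and reports how much of the log is failure versus success, which is the practical side of "use auditing sparingly". Assumptions: the line format is invented for the demo and is not the real Windows Security event format; the three-failure threshold is arbitrary.

```python
"""Summarising success/failure audit records. Added example, not course material;
the record format and contents are constructed for the demo."""
import re
from collections import Counter

# constructed sample: one record per line, SUCCESS/FAILURE as the audit policy classifies it
SAMPLE_LOG = """\
2005-03-01 08:01:12 SUCCESS Logon account=jsmith src=10.0.0.7
2005-03-01 08:01:40 FAILURE Logon account=admin src=10.0.0.91 reason=bad_password
2005-03-01 08:01:43 FAILURE Logon account=admin src=10.0.0.91 reason=bad_password
2005-03-01 08:01:47 FAILURE Logon account=admin src=10.0.0.91 reason=bad_password
2005-03-01 08:02:10 SUCCESS ObjectAccess account=jsmith object=\\\\fs1\\payroll
2005-03-01 08:02:15 FAILURE ObjectAccess account=tlee object=\\\\fs1\\payroll reason=access_denied
2005-03-01 08:03:00 FAILURE Logon account=admin src=10.0.0.91 reason=bad_password
2005-03-01 08:03:05 SUCCESS Logon account=admin src=10.0.0.91
"""

RECORD = re.compile(r"^(?P<ts>\S+ \S+) (?P<result>SUCCESS|FAILURE) (?P<event>\S+) (?P<fields>.*)$")


def parse(lines):
    """Yield one dict per well-formed record; key=value fields are flattened in."""
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue                      # skip blank or malformed lines
        rec = m.groupdict()
        extra = dict(kv.split("=", 1) for kv in rec.pop("fields").split() if "=" in kv)
        rec.update(extra)
        yield rec


def failed_logons_by_account(lines) -> dict:
    """Failed access, broken down by account."""
    return dict(Counter(r["account"] for r in parse(lines)
                        if r["event"] == "Logon" and r["result"] == "FAILURE"))


def suspicious_logons(lines, threshold: int = 3) -> list:
    """Account/source pairs with at least `threshold` failed logons, noting whether
    a successful logon from the same source came after the failures."""
    failures = Counter()
    later_success = {}
    for r in parse(lines):
        if r["event"] != "Logon":
            continue
        key = (r["account"], r.get("src", "?"))
        if r["result"] == "FAILURE":
            failures[key] += 1
            later_success[key] = False
        elif failures[key]:               # success after earlier failures
            later_success[key] = True
    return [{"account": a, "src": s, "failures": n, "later_success": later_success[(a, s)]}
            for (a, s), n in sorted(failures.items()) if n >= threshold]


def audit_volume(lines) -> dict:
    """How much of the log is success vs failure; success auditing is the noisy part."""
    return dict(Counter(r["result"] for r in parse(lines)))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(failed_logons_by_account(lines))
    print(suspicious_logons(lines))
    print(audit_volume(lines))
```

In the sample, the administrator account fails four times from one host and then succeeds, which is the pattern worth a phone call; the single denied access to the payroll share is recorded too, but nothing about it repeats. The volume figures are what the "sparingly" advice is about: turning on Success auditing for object access on a busy file server produces far more records than any one person can read.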