Chapter14 -- networking security


Basic Networking Guide

Published in: Technology

  1. Chapter 14: Networking Security
      - Network+ Guide to Networks
  2. Objectives
      - Identify security risks in LANs and WANs and design security policies that minimize risks
      - Explain how physical security contributes to network security
      - Discuss hardware- and design-based security techniques
  3. Objectives (continued)
      - Understand methods of encryption that can secure data in storage and in transit
      - Implement security methods unique to wireless networks
      - Use network operating system techniques to provide basic security
  4. In the early days
      - Secured mainframes
      - Dumb terminals
      - Limited rights
      - Network security was all but unassailable.
  5. Security Audits
      - Before spending time and money
        - Examine your network’s security risks
        - Learn about each risk
          - Loss of data
          - Programs
          - Access
        - The more serious the potential consequences
          - the more attention you will want to pay to the security of your network
  6. Security Risks
      - With People
        - Using social engineering or snooping
        - Incorrectly creating or configuring user IDs, groups, and their associated rights
        - Flaws in topology or hardware configuration
        - Flaws in the operating system or application configuration
  7. Security Risks (continued)
      - With People (continued)
        - Lack of proper documentation and communication
        - Dishonest or disgruntled employees
        - Unused computer or terminal being left logged on
        - Easy-to-guess passwords
  8. Security Risks (continued)
      - With People (continued)
        - Leaving computer room doors open or unlocked
        - Discarding disks or backup tapes in public waste containers
        - Neglecting to remove access and file rights for employees who have left the organization
        - Users writing their passwords in an easily accessible place
  9. Security Risks (continued)
      - Associated with Transmission and Hardware
        - Transmissions can be intercepted
        - Leased public lines
        - Network hubs broadcast traffic over the entire segment
        - Unused hub, router, or server ports
  10. Security Risks (continued)
      - Associated with Transmission and Hardware (continued)
        - Routers are not properly configured
        - Modems configured to accept incoming calls
        - Dial-in access servers not carefully secured and monitored
        - Computers hosting very sensitive data on the same subnet as computers open to the general public
  11. Security Risks (continued)
      - Associated with Transmission and Hardware (continued)
        - Passwords for switches, routers, and other devices
          - Not sufficiently difficult to guess
          - Not changed frequently
          - Left at their default value
  12. Security Risks (continued)
      - Associated with Protocols and Software
        - TCP/IP contains several security flaws.
        - Trust relationships between one server and another.
        - NOSs may contain “back doors” or security flaws
        - If the NOS allows server operators to exit to a command prompt
  13. Security Risks (continued)
      - Associated with Protocols and Software (continued)
        - Default security options after installing an operating system or application.
        - Transactions that take place between applications, such as databases and Web-based forms, may be open to interception
  14. Security Risks (continued)
      - Associated with Internet Access
        - Firewall configured improperly
        - User Telnets or FTPs to your site over the Internet
        - Your user ID from newsgroups, mailing lists, or forms you have filled out on the Web
        - Users remain logged on to Internet chat sessions
  15. Security Risks (continued)
      - Associated with Internet Access (continued)
        - Denial-of-service attack
  16. An Effective Security Policy
      - Security Policy Goals
        - Ensure that authorized users have appropriate access to the resources they need
        - Prevent unauthorized users from gaining access to the network, systems, programs, or data
        - Protect sensitive data from unauthorized access, both from within and from outside the organization
  17. An Effective Security Policy (continued)
        - Prevent accidental damage to hardware or software
        - Prevent intentional damage to hardware or software
        - Create networks and systems that withstand and quickly respond to and recover from any type of threat
        - Communicate each employee’s responsibilities with respect to maintaining data integrity and system security
  18. An Effective Security Policy (continued)
      - Security Policy Content
        - Risks are identified
        - Responsibilities for managing them are assigned
        - Explain to users what they can and cannot do
        - Create a section that applies only to users
        - Define what “confidential” means
  19. An Effective Security Policy (continued)
      - Response Policy
        - Identify the members of a response team
          - Dispatcher—person on call
          - Manager—coordinates the resources
          - Technical support specialist—focuses on problem
          - Public relations specialist—official spokesperson
  20. Physical Security
      - Restricting physical access
        - Rooms
        - Points at which your systems or data could be compromised
          - Hubs or switches
          - Unattended workstation
          - Stored archived data and backup tapes
        - Locks may be either physical or electronic.
  21. Physical Security (continued)
  22. Physical Security (continued)
      - Planning by asking questions:
        - Rooms contain critical systems or data
        - By what means might intruders gain access
        - Authorized personnel granted entry
        - Employees instructed to ensure security
        - Authentication methods difficult to forge or circumvent
  23. Physical Security (continued)
      - Planning by asking questions: (continued)
        - Supervisors or security personnel make periodic physical security checks
        - Combinations, codes, means protected at all times
        - Combinations changed frequently
        - Plan for documenting and responding to physical security breaches?
  24. Security in Network Design
      - Firewalls
        - Specialized devices, or computers installed with specialized software, that selectively filter or block traffic between networks
  25. Security in Network Design (continued)
  26. Security in Network Design (continued)
  27. Security in Network Design (continued)
      - Firewalls
        - Packet-filtering firewalls
          - Source and destination IP addresses
          - Source and destination ports
          - Flags set in the IP header
  28. Security in Network Design (continued)
      - Firewalls (continued)
        - Packet-filtering firewalls (continued)
          - Transmissions that use UDP or ICMP protocols
          - Packet’s status as first packet in a new data stream or a subsequent packet
          - Packet’s status as inbound to or outbound from
  29. Security in Network Design (continued)
      - Firewalls (continued)
        - More complex factors
          - Support for encryption
          - User authentication
          - Manage it centrally and through a standard interface
          - Establish rules for access to and from
  30. Security in Network Design (continued)
      - Firewalls (continued)
        - More complex factors (continued)
          - Filtering at the highest layers of the OSI model
          - Logging and auditing, or alert capabilities
          - Protecting the identity of internal LAN addresses from the outside world
  31. Security in Network Design (continued)
      - Proxy Servers
        - Software application on a network host
          - Intermediary between the external and internal networks screening all incoming and outgoing traffic
        - Network host that runs the proxy service is known as a proxy server
        - Also called Application layer gateway, an application gateway, or simply, a proxy
  32. Security in Network Design (continued)
  33. Security in Network Design (continued)
      - Remote Access
        - Remote Control
          - User name and password requirement
          - Host system call back
          - Data encryption on transmissions
          - Host system’s screen blank
  34. Security in Network Design (continued)
      - Remote Access (continued)
        - Remote Control (continued)
          - Disable the host system’s keyboard and mouse
          - Restart the host system when remote user disconnects
  35. Security in Network Design (continued)
      - Remote Access (continued)
        - Dial-up Networking
          - User name and password authentication
          - Log all connections, sources, and connection times
          - Perform callbacks to users who initiate connections
          - Centralized management of dial-up users and their rights
  36. Security in Network Design (continued)
  37. Network Operating System Security (continued)
      - Logon Restrictions
        - Time of day
        - Total time logged on
        - Source address
        - Unsuccessful logon attempts
  38. Network Operating System Security (continued)
      - Passwords
        - Change system default passwords
        - Do not use familiar information
        - Do not use any word in a dictionary
        - Make the password longer than eight characters
  39. Network Operating System Security (continued)
      - Passwords (continued)
        - Choose a combination of letters and numbers
        - Do not write down your password or share it
        - Change your password at least every 60 days
        - Do not reuse passwords.
  40. Encryption
      - Encryption provides the following assurances:
        - Data was not modified after it was transmitted and before it was picked up
        - Data can only be viewed by its intended recipient
        - Data received at the intended destination was truly issued by the stated sender and not forged by an intruder
  41. Encryption (continued)
      - Key Encryption
        - Encryption algorithm weaves a key (a random string of characters) into the original data’s bits
        - Scrambled data block is known as ciphertext
        - Two categories
          - Private Key
          - Public Key
  42. Encryption (continued)
  43. Encryption (continued)
      - Key Encryption
        - Private Key Encryption
          - Data is encrypted using a single key that only the sender and the receiver know
          - Also known as symmetric encryption
  44. Encryption (continued)
  45. Encryption (continued)
      - Key Encryption (continued)
        - Public Key Encryption
          - Data is encrypted using two keys
            - Key known only to a user
            - Public key associated with the user
  46. Encryption (continued)
  47. Encryption (continued)
      - Kerberos
        - Cross-platform authentication protocol that uses key encryption
      - Pretty Good Privacy (PGP)
        - Public key encryption system that can verify the authenticity of an e-mail sender and encrypt e-mail data in transmission
      - Secure Sockets Layer (SSL)
        - Method of encrypting TCP/IP transmissions
  48. Encryption (continued)
      - Secure Shell (SSH)
        - Securely log on to a host, execute commands on that host, and copy files to or from that host
      - Internet Protocol Security (IPSec)
        - Defines encryption, authentication, and key management for TCP/IP transmissions
  49. Wireless Network Security
      - Wired Equivalent Privacy (WEP)
        - Key encryption technique that uses keys both to authenticate network clients and to encrypt data in transit
      - Extensible Authentication Protocol (EAP)
        - Does not perform encryption or authentication
        - Works in conjunction with other encryption and authentication schemes
  50. Chapter Summary (continued)
      - Conducting a security audit
      - Intruder access by social engineering
      - Risks a network administrator must guard against
      - Risks inherent in network transmission and design
      - Risks pertaining to networking protocols and software
  51. Chapter Summary (continued)
      - Denial-of-service attack
      - Security policy identifies an organization’s security needs
      - Computer room access
      - Firewalls
      - Proxy service and proxy servers
  52. Chapter Summary (continued)
      - Secure remote access server package
      - Remote Authentication Dial-In User Service (RADIUS)
      - NOS limit users’ access to files and directories on the network
      - Choosing secure passwords
      - Encryption
      - Wireless networks
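
Slide 37 names four logon restrictions a NOS can enforce: time of day, total time logged on, source address, and unsuccessful logon attempts. The following added example, not from the slides or any particular NOS, shows one way to combine them into a single check; the `LogonPolicy` class, its default limits and the addresses used are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

@dataclass
class LogonPolicy:
    start: time = time(7, 0)                      # earliest permitted logon
    end: time = time(19, 0)                       # latest permitted logon
    max_session: timedelta = timedelta(hours=8)   # total time logged on
    allowed_nets: tuple = ("10.0.0.0/8",)         # permitted source addresses
    max_failures: int = 3                         # lockout threshold
    failures: dict = field(default_factory=dict)  # user -> consecutive failures

    def check(self, user, source, now, password_ok):
        """Return (allowed, reason) for one logon attempt."""
        if self.failures.get(user, 0) >= self.max_failures:
            return False, "locked: too many unsuccessful attempts"
        addr = ipaddress.ip_address(source)
        if not any(addr in ipaddress.ip_network(n) for n in self.allowed_nets):
            return False, "source address not permitted"
        if not (self.start <= now.time() <= self.end):
            return False, "outside permitted hours"
        if not password_ok:
            # Count consecutive failures so the account locks at the threshold.
            self.failures[user] = self.failures.get(user, 0) + 1
            return False, "bad credentials"
        self.failures[user] = 0
        return True, "ok"

    def session_expired(self, logged_on_at, now):
        """Total-time restriction: the session must end after max_session."""
        return now - logged_on_at > self.max_session
```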