Network Security
CHAPTER SIX Strategies
Oppenheimer
NETWORK SECURITY DESIGN: THE 12 STEP PROGRAM
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
NETWORK ASSETS
Hardware: switches, routers, firewalls, end devices, servers
Software: network software (network monitoring/management, server monitoring, networking tools, security management), OS/IOS software, computer software/application software (word processing, web browsers), system software
Applications
Data
Intellectual property: patents, copyright
Trade secrets: encompass manufacturing or industrial secrets and commercial secrets
Company's reputation
SECURITY RISKS
Hacked network devices
Data can be intercepted, analyzed, altered, or deleted
User passwords can be compromised
Device configurations can be changed
Reconnaissance attacks
First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system running on the target host.
[http://computernetworkingnotes.com/network-security-access-lists-standards-and-extended/reconnaissance-attacks.html]
Denial-of-service attacks
A type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
[http://searchsoftwarequality.techtarget.com/definition/denial-of-service]
SECURITY REQUIREMENTS AND TRADEOFFS
Tradeoffs must be made between security goals and other goals:
Affordability
Usability
Performance
Availability
Manageability
A SECURITY PLAN
WHAT?
High-level document that proposes what an
organization is going to do to meet security
requirements
HOW?
Specifies time, people, and other resources
that will be required to develop a security
policy and achieve implementation of the
policy
A SECURITY POLICY
RFC 2196, “The Site Security Handbook,” stated that a security policy is a:
“Formal statement of the rules by which people who are given access to an
organization’s technology and information assets must abide.”
SECURITY MECHANISMS
Physical security
Physical security is the protection of personnel, hardware, programs,
networks, and data from physical circumstances and events that could
cause serious losses or damage to an enterprise, agency, or
institution.
Authentication
Authentication is the process of determining whether someone or
something is, in fact, who or what it is declared to be.
Authorization
Authorization is the process of giving someone permission to do or
have something.
Accounting (Auditing)
Auditing of usage
SECURITY MECHANISMS (CONTINUED)
Data encryption
Hides the content of data from anyone without the key
Packet filters
Inspect packets and pass only those that the policy permits
Firewalls
Enforce restrictions on traffic travelling into and out of the network
Intrusion Detection Systems (IDSs)
Software or systems that detect threats and attacks
MODULARIZING SECURITY DESIGN
Security defense in depth:
Network security should be multilayered with many different techniques used to protect
the network
SECURE NETWORK TOPOLOGY CASE STUDY: DESIGN A SECURE LAN
DESIGNING A SECURE LAN
Securing the LAN from the viewpoint of the network architecture, focusing on 3 main areas:
1. The network topology: the physical and logical design of the network
2. Securing the routers and switches, which connect segments and hosts to form the network
TOPOLOGY AND ARCHITECTURE
•A critical step in designing a secure network is defining the network topology.
•On the physical side, we need to provide distribution to the offices or buildings where the users are located.
•We need to provide connectivity to the servers which comprise our intranet, to the Internet and to other company locations, remote users, etc.
•Logical topology concerns the technologies to adopt, such as VLANs or VPNs.
•The security policy must be considered in the logical topology:
•Which part of the network is trusted? Which is less trusted?
•Which groups of devices and users should be grouped together, and which should be separated?
EXAMPLE
Connection to the Internet with a border router and firewall.
The public extranet servers are connected to the firewall.
The firewall, workgroup switch and intranet switch are all connected to the core router/layer 3 switch.
Ref: SANS
EXAMPLE 2: MANAGEMENT VLAN
Keep management traffic off the production traffic to ensure the data are secure.
Have a different VLAN for each type of service offered.
Encrypt the link using SSH or IPsec.
AAB2014 16
SECURING ROUTERS AND SWITCHES: BUILDING SECURITY INTO NETWORK ELEMENTS AND CONFIGURATIONS
Segment the network into subnets based on function and possibly location.
•By implementing routing at the network core, our segments are isolated into individual broadcast domains.
This improves performance and also security, by preventing sniffing or ARP-based attacks between segments.
•Within each subnet the hosts are connected to an Ethernet switch. A switch provides high performance by putting each host in its own collision domain.
This improves security by making sniffing and ARP-based attacks difficult.
LAYER 3 DESIGN AND ACCESS LISTS
SECURING LAYER 3
We need to ensure that routers are protected from attacks.
How can this be ensured? Many mechanisms can be applied:
1. The management VLAN ensures that the management traffic does not flow with the production traffic.
2. Access lists should be configured on the management ports to block illegitimate connections. Use out-of-band (OOB) communication, such as a terminal server, to secure the management traffic.
3. Use strong authentication provided by a one-time password server.
Encrypt the link.
Logging to the syslog servers will meet the auditing requirements.
LAYER 2 DESIGN
To achieve the highest level of security, configure only one VLAN per switch.
This will minimize the chance of an attacker jumping VLANs and reduce the chance of misconfiguration.
The switch port is the gateway into the network, hence physical security needs to be implemented when possible.
Control access to switch ports and disable unused ports.
Require users to authenticate via RADIUS or LDAP before they are granted any services/information.
Limit the MAC addresses that are permitted to communicate on the ports.
Limit the MAC addresses that can appear on each port.
Apply the spanning tree mechanism.
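The per-port MAC limiting and disabling of unused ports described above, modelled as an added example (not code from these notes or from any switch vendor): each access port learns at most `max_macs` source addresses, a disabled port forwards nothing, and a frame from an additional address is a violation that shuts the port and is logged. Port names, limits and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

@dataclass
class Port:
    name: str
    enabled: bool = True           # unused ports stay administratively disabled
    max_macs: int = 1              # MAC addresses permitted to appear on this port
    learned: Set[str] = field(default_factory=set)
    shutdown: bool = False         # set when the limit is exceeded (violation)

class Switch:
    """Constructed model of per-port MAC limiting; not vendor code."""
    def __init__(self, ports: Iterable[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.log: List[str] = []

    def receive(self, port_name: str, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        port = self.ports[port_name]
        if not port.enabled or port.shutdown:
            return False               # disabled or violated ports pass nothing
        mac = src_mac.lower()
        if mac in port.learned:
            return True                # an already-learned station
        if len(port.learned) >= port.max_macs:
            port.shutdown = True       # violation: a new MAC beyond the limit
            self.log.append(f"VIOLATION {port_name}: {mac} exceeds limit "
                            f"{port.max_macs}; port shut down")
            return False
        port.learned.add(mac)          # learn the first max_macs stations seen
        return True
```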
DMZ
Used by a company to host its own Internet services without exposing its private network to unauthorized access.
Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts.
Traffic originating from it should be filtered.
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ
Typically contains devices accessible to Internet traffic
Web (HTTP) servers
FTP servers
SMTP (e-mail) servers
DNS servers
Optional, more secure approach to a simple firewall; may include a proxy server
www.cuyamaca.net/gainswor/security/chap11.ppt
EXAMPLE 1 (figure: DMZ topology; ref: Google/images)
EXAMPLE 2 (figure: DMZ placed between the enterprise network and the Internet)
SECURITY TOPOLOGIES (figure: Internet, firewall, DMZ, enterprise network)
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
A useful mechanism to meet these goals is to filter the traffic initiated from the DMZ network to the Internet. This
impairs an attacker's ability to have a vulnerable host communicate with the attacker's host,
keeps the vulnerable host from being exploited altogether, and
keeps a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.
The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network.
www.cuyamaca.net/gainswor/security/chap11.ppt
DMZ DESIGN GOALS
Filtering DMZ traffic would also identify traffic coming in from the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).
The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.
www.cuyamaca.net/gainswor/security/chap11.ppt
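An added example (not code from these notes, SANS or any firewall vendor) of the two filtering policies discussed here: the access list on router/switch management ports from the Layer 3 section, and the DMZ egress filtering with anti-spoofing and alert logging from the two DMZ design-goal slides. The prefixes, ports and packets are constructed assumptions; the real values come from the site's addressing plan.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional
# Constructed prefixes (assumptions for the example).
MGMT_VLAN = ip_network("10.99.0.0/24")     # management VLAN (admin stations)
DEVICE_MGMT = ip_network("10.99.1.0/24")   # router/switch management addresses
DMZ_NET = ip_network("192.0.2.0/24")       # the DMZ network number
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    iface: str    # firewall/router interface the packet arrived on
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

POLICY = [
    # Management ports: SSH from the management VLAN only; nothing else reaches them.
    Rule("permit", MGMT_VLAN, DEVICE_MGMT, "tcp", 22),
    Rule("deny", ANY, DEVICE_MGMT),
    # DMZ egress: only what the public servers need (DNS lookups, outbound mail).
    Rule("permit", DMZ_NET, ANY, "udp", 53),
    Rule("permit", DMZ_NET, ANY, "tcp", 25),
    Rule("deny", DMZ_NET, ANY),
]

def evaluate(p: Packet, log: List[str]) -> str:
    """First-match evaluation with an implicit deny at the end of the list.
    Anti-spoofing runs first on the DMZ interface: a packet arriving from the
    DMZ whose source is outside DMZ_NET is dropped and an alert is logged."""
    if p.iface == "dmz" and ip_address(p.src) not in DMZ_NET:
        log.append(f"ALERT spoofed source {p.src} on dmz -> {p.dst}:{p.dport}")
        return "deny"
    for r in POLICY:
        if r.matches(p):
            return r.action
    return "deny"
```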
WHAT TO SECURE?
SECURING INTERNET CONNECTIONS
Physical security
Firewalls and packet filters
Audit logs, authentication, authorization
Well-defined exit and entry points
Routing protocols that support authentication
SECURING PUBLIC SERVERS
Place servers in a DMZ that is protected via firewalls
Run a firewall on the server itself
Enable DoS (denial of service) protection
Limit the number of connections per timeframe
SECURING REMOTE-ACCESS AND VIRTUAL PRIVATE NETWORKS
Physical security
Firewalls
Authentication, authorization, and auditing
Encryption
One-time passwords
Security protocols: CHAP, RADIUS, IPSec
SECURING NETWORK SERVICES
Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
Require login IDs and passwords for accessing devices
Require extra authorization for risky configuration commands
SECURING SERVER FARMS
Deploy network and host IDSs to monitor server subnets and individual
servers
Configure filters that limit connectivity from the server in case the server
is compromised
Fix known security bugs in server operating systems
Require authentication and authorization for server access and
management
Limit root password to a few people
Avoid guest accounts
SECURING USER SERVICES
Specify which applications are allowed to run on networked PCs in
the security policy
Require personal firewalls and antivirus software on networked PCs
Implement written procedures that specify how the software is installed and kept
current
SECURING WIRELESS NETWORKS
Place wireless LANs (WLANs) in their own subnet or VLAN
Simplifies addressing and makes it easier to configure packet filters
Require all wireless (and wired) laptops to run personal firewall and
antivirus software
Disable beacons that broadcast the SSID, and require MAC address
authentication
Except in cases where the WLAN is used by visitors
WLAN SECURITY OPTIONS
Wired Equivalent Privacy (WEP)
IEEE 802.11i
Wi-Fi Protected Access (WPA)
IEEE 802.1X Extensible Authentication Protocol (EAP)
Lightweight EAP or LEAP (Cisco)
Protected EAP (PEAP)
WIRED EQUIVALENT PRIVACY (WEP)
Defined by IEEE 802.11
Users must possess the appropriate WEP key, which is also configured on the access point
64- or 128-bit key (or passphrase)
WEP encrypts the data using the RC4 stream cipher
Infamous for being crackable
WEP ALTERNATIVES
Vendor enhancements to WEP
Temporal Key Integrity Protocol (TKIP)
Every frame has a new and unique WEP key
EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)
With 802.1X and EAP, devices take on one of three roles:
The supplicant resides on the wireless LAN client
The authenticator resides on the access point
An authentication server resides on a RADIUS server
EAP (CONTINUED)
An EAP supplicant on the client obtains credentials from the user,
which could be a user ID and password
CISCO’S LIGHTWEIGHT EAP (LEAP)
Standard EAP plus mutual authentication
The user and the access point must authenticate
OTHER EAPS
EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft
Requires certificates for clients and servers.
VPN SOFTWARE ON WIRELESS CLIENTS
Safest way to do wireless networking for corporations
Wireless client requires VPN software
Connects to VPN concentrator at HQ
Creates a tunnel for sending all traffic
VPN security provides:
User authentication
Strong encryption of data
Data integrity
VPN
Extends a private network across a public network, i.e. the Internet.
It is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols or traffic encryption.
Advantage of having a VPN: data are sent and received across shared or public networks as if the device were directly connected to the private network, gaining the benefit of the private network's security, management policies and functionality.
EXAMPLE: VPN (figure)
REFERENCES
1. SANS Institute InfoSec Reading Room.
2. Google/images.