Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals
Second Edition
Security+ Guide to Network Security Fundamentals, 2e
Objectives
• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies
Working with the Network Cable Plant
• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
• Three types of transmission media:
– Coaxial cables
– Twisted-pair cables
– Fiber-optic cables
Coaxial Cables
• Coaxial cable was main type of copper cabling used in computer networks for many years
• Has a single copper wire at its center surrounded by insulation and shielding
• Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding
• Thick coaxial cable has a copper wire in center surrounded by a thick layer of insulation that is covered with braided metal shielding
Coaxial Cables (continued)
• Thin coaxial cable looks similar to the cable that carries a cable TV signal
• A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself
• The copper mesh channel protects the core from interference
• BNC connectors: connectors used on the ends of a thin coaxial cable
Twisted-Pair Cables
• Standard for copper cabling used in computer networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued)
• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
• Unshielded twisted-pair (UTP) cables do not have any shielding
• Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper; the core transmits light impulses rather than electrical signals
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket
Fiber-Optic Cables (continued)
• Classified by the diameter of the core and the diameter of the cladding
– Diameters are measured in microns; a micron is about 1/25,000 of an inch, or one-millionth of a meter
• Two types:
– Single-mode fiber cables: used when data must be transmitted over long distances
– Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes
Securing the Cable Plant
• Securing cabling outside the protected network is not the primary security issue for most organizations
• Focus is on protecting access to the cable plant in the internal network
• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch attacks at will
Securing the Cable Plant (continued)
• The attacker can capture packets as they travel through the network by sniffing
– The hardware or software that performs such functions is called a sniffer
• Physical security
– First line of defense
– Protects the equipment and infrastructure itself
– Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it
Securing Removable Media
• Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
• An employee copying data to a floppy disk or CD and carrying it home poses two risks:
– Storage media could be lost or stolen, compromising the information
– A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network
Magnetic Media
• Record information by changing the magnetic direction of particles on a platter
• Floppy disks were some of the first magnetic media developed
• The capacity of today’s 3 1/2-inch disks is 1.44 MB
• Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
• Magnetic tape drives record information in a serial fashion
Optical Media
• Optical media use a principle for recording information different from magnetic media
• A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
• Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
• Data cannot be changed once recorded
Optical Media (continued)
• A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
• A Digital Versatile Disc (DVD) can store much larger amounts of data
– DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc
Electronic Media
• Electronic media use flash memory for storage
– Flash memory is a solid state storage device―everything is electronic, with no moving or mechanical parts
• SmartMedia cards range in capacity from 2 MB to 128 MB
• The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick
Electronic Media (continued)
• CompactFlash card
– Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
– Come in 3.3 mm and 5.5 mm thicknesses and store between 8 MB and 192 MB of data
• USB memory stick is becoming very popular
– Can hold between 8 MB and 1 GB of memory
Keeping Removable Media Secure
• Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers
Hardening Network Devices
• Each device that is connected to a network is a potential target of an attack and must be properly protected
• Network devices to be hardened are categorized as:
– Standard network devices
– Communication devices
– Network security devices
Hardening Standard Network Devices
• A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
• This equipment has basic security features that you can use to harden the devices
Workstations and Servers
• Workstation: personal computer attached to a network (also called a client)
– Connected to a LAN and shares resources with other workstations and network equipment
– Can be used independently of the network and can have their own applications installed
• Server: computer on a network dedicated to managing and controlling the network
• Basic steps to harden these systems are outlined on page 152
Switches and Routers
• Switch
– Most commonly used in Ethernet LANs
– Receives a packet from one network device and sends it to the destination device only
– Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
• A switch is used within a single network
• Routers connect two or more single networks to form a larger network
Switches and Routers (continued)
• Switches and routers must also be protected against attacks
• Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
• Software agents are loaded onto each network device to be managed
Switches and Routers (continued)
• Each agent monitors network traffic and stores that information in its management information base (MIB)
• A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
• Page 154 lists defensive controls that can be set for switches and routers
Hardening Communication Devices
• A second category of network devices is those that communicate over longer distances
• Include:
– Modems
– Remote access servers
– Telecom/PBX Systems
– Mobile devices
Modems
• Most common communication device
• Broadband is increasing in popularity and can provide network connection speeds of 1.5 Mbps and higher
• Two popular broadband technologies:
– Digital Subscriber Line (DSL) transmits data at 1.5 Mbps over regular telephone lines
– Another broadband technology uses the local cable television system
Modems (continued)
• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
• Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time, so the computer tends to stay connected continuously and remains exposed to attackers the whole time
Remote Access Servers
• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network
Remote Access Servers (continued)
• Remote access clients can run almost all network-based applications without modification
– Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
• Minimum security features are listed on page 158
Telecom/PBX Systems
• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that make up its name:
– Private
– Branch
– eXchange
Mobile Devices
• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection
Hardening Network Security Devices
• The final category of network devices includes those designed and used strictly to protect the network
• Include:
– Firewalls
– Intrusion-detection systems
– Network monitoring and diagnostic devices
Firewalls
• Typically used to filter packets
• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
• Typically located outside the network security perimeter as first line of defense
• Can be software or hardware configurations
Firewalls (continued)
• Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
– Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
– One disadvantage is that it is only as strong as the operating system of the computer
Firewalls (continued)
• Filter packets in one of two ways:
– Stateless packet filtering: permits or denies each packet based strictly on the rule base
– Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base
• Can perform content filtering to block access to undesirable Web sites
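The following is an added example, not code from the textbook, that shows the practical difference between the two filtering methods on the same constructed packet sequence. It assumes a 10.0.0.0/8 internal range and a rule base that permits outbound HTTP; the addresses and rules are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def direction(self) -> str:
        return "out" if ipaddress.ip_address(self.src) in INTERNAL else "in"

# Constructed rule base; first match wins and None means "any".
# Rule 2 is the hole a stateless filter must open so that web replies get back in.
STATELESS_RULES = [
    {"dir": "out", "sport": None, "dport": 80,   "action": "permit"},
    {"dir": "in",  "sport": 80,   "dport": None, "action": "permit"},
    {"dir": None,  "sport": None, "dport": None, "action": "deny"},
]

def stateless_filter(pkt: Packet) -> str:
    """Decide on each packet in isolation, strictly from the rule base."""
    for r in STATELESS_RULES:
        if (r["dir"] in (None, pkt.direction)
                and r["sport"] in (None, pkt.sport)
                and r["dport"] in (None, pkt.dport)):
            return r["action"]
    return "deny"

class StatefulFilter:
    """Permit outbound HTTP, then admit only replies to connections already seen."""
    def __init__(self) -> None:
        self.connections: set = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.dport == 80:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "permit"
            return "deny"
        # Inbound: permitted only if it is the reverse of a recorded connection.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reverse in self.connections else "deny"

def compare(packets):
    """Return (stateless, stateful) decisions for each packet in sequence."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.decide(p)) for p in packets]

# Constructed traffic: a real web session, then an unsolicited inbound packet
# that merely happens to carry source port 80.
SAMPLE = [
    Packet("10.0.0.5", 51000, "198.51.100.20", 80),   # client opens HTTP
    Packet("198.51.100.20", 80, "10.0.0.5", 51000),   # legitimate reply
    Packet("203.0.113.9", 80, "10.0.0.7", 445),       # unsolicited, no session
]

if __name__ == "__main__":
    for p, (less, full) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} stateless={less} stateful={full}")
```

The third packet is the point: the stateless rule base lets it through because it matches the reply rule, while the stateful filter drops it because no internal host opened that connection.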
Firewalls (continued)
• An application layer firewall can defend against worms better than other kinds of firewalls
– Reassembles and analyzes packet streams instead of examining individual packets
Intrusion-Detection Systems (IDSs)
• Devices that establish and maintain network security
• Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
– Installed on the server or, in some instances, on all computers on the network
• Passive IDS sends information about what happened, but does not take action
Intrusion-Detection Systems (IDSs) (continued)
• Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity
• Network-based IDS monitors all network traffic instead of only the activity on a computer
– Typically located just behind the firewall
• Other IDS systems are based on behavior:
– Watch network activity and report abnormal behavior
– Result in many false alarms
Network Monitoring and Diagnostic Devices
• SNMP enables network administrators to:
– Monitor network performance
– Find and solve network problems
– Plan for network growth
• Managed device:
– Network device that contains an SNMP agent
– Collects and stores management information and makes it available to SNMP
Designing Network Topologies
• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing its security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users
Security Zones
• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets
Demilitarized Zones (DMZs)
• Separate networks that sit outside the secure network perimeter
• Outside users can access the DMZ, but cannot enter the secure network
• For extra security, some networks use a DMZ with two firewalls
• The types of servers that should be located in the DMZ include:
– Web servers
– E-mail servers
– Remote access servers
– FTP servers
Intranets
• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage is that it does not allow remote trusted users access to information
Extranets
• Sometimes called a cross between the Internet and an intranet
• Accessible to trusted external users, not only to trusted internal users
• Not accessible to the general public, but allows vendors and business partners to access a company Web site
Network Address Translation (NAT)
• “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
• Hides the IP addresses of network devices from attackers
• Computers are assigned special IP addresses (known as private addresses)
Network Address Translation (NAT) (continued)
• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a different TCP port number
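An added example (not from the textbook) of the translation table a PAT device keeps: two private hosts using the same source port share one public address and are told apart by the port the device assigns, and an inbound packet with no matching session has nothing to map to. The public address 203.0.113.1 and the private hosts are constructed values.

```python
import itertools

class PortAddressTranslator:
    """Rewrite private source addresses to a single public IP, one port per session."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)        # next free public port
        self.out_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_map = {}    # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; reuse an existing session."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            pub_port = next(self._ports)
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving at the public IP; None means drop (no session)."""
        if dst_ip != self.public_ip:
            return None          # private addresses are never reachable from outside
        priv = self.in_map.get((dst_port, src_ip, src_port))
        if priv is None:
            return None          # unsolicited: nothing to map to, so it is dropped
        return (src_ip, src_port, priv[0], priv[1])

if __name__ == "__main__":
    nat = PortAddressTranslator("203.0.113.1")
    # Constructed sessions: both private hosts pick source port 5000 to the same server.
    print(nat.outbound("192.168.1.10", 5000, "198.51.100.20", 80))
    print(nat.outbound("192.168.1.11", 5000, "198.51.100.20", 80))
    # The reply to public port 40001 goes back to the second host only.
    print(nat.inbound("198.51.100.20", 80, "203.0.113.1", 40001))
    # An unsolicited packet to a port with no session is dropped.
    print(nat.inbound("203.0.113.9", 4444, "203.0.113.1", 40002))
```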
Honeypots
• Computers located in a DMZ loaded with software and data files that appear to be authentic
• Intended to trap or trick attackers
• Two-fold purpose:
– To direct attacker’s attention away from real servers on the network
– To examine techniques used by attackers
Virtual LANs (VLANs)
• Segment a network with switches to divide the network into a hierarchy
• Core switches reside at the top of the hierarchy and carry traffic between switches
• Workgroup switches are connected directly to the devices on the network
• Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
Virtual LANs (VLANs) (continued)
• Segment a network by grouping similar users together
• Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
Summary
• Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
• Removable media used to store information include:
– Magnetic storage (removable disks, hard drives)
– Optical storage (CD and DVD)
– Electronic storage (USB memory sticks, flash memory cards)
Summary (continued)
• Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
• A network’s topology plays a critical role in resisting attackers
• Hiding the IP address of a network device can help disguise it so that an attacker cannot find it