Guide to protecting networks - Eric Vanderburg
GUIDE TO PROTECTING NETWORKS
ERIC VANDERBURG
2
OBJECTIVES
• Describe network security devices
• Describe firewall technology
• Describe intrusion detection systems
• Describe honeypots
3
UNDERSTANDING NETWORK SECURITY DEVICES
• Network security devices
• Routers
• Firewalls
• Intrusion detection systems
• Honeypots
4
UNDERSTANDING ROUTERS
• Routers are hardware devices used on a network to send packets to different network segments
• Operate at the network layer of the OSI model
• Routing protocols used by routers
• Link-state routing protocol
• Router advertises link-state to identify network topology and any changes on paths
• Distance-vector routing protocol
• Router passes its routing table to all routers participating on the network
5
UNDERSTANDING BASIC HARDWARE ROUTERS
• Cisco routers are widely used in the networking community
• More than one million Cisco 2500 series routers are currently being used by companies around the world
• Vulnerabilities exist in Cisco as they do in any operating system
• Security professionals must consider these vulnerabilities when conducting a security test
6
CISCO ROUTER COMPONENTS
• A Cisco router uses the Cisco Internetwork Operating System (IOS) to function
• Components
• Random access memory (RAM)
• Holds the router’s running configuration, routing tables, and buffers
• If you turn off the router, the contents stored in RAM are wiped out
• Nonvolatile RAM (NVRAM)
• Holds the router’s configuration file, but the information is not lost if the router is turned off
7
CISCO ROUTER COMPONENTS (CONTINUED)
• Components (continued)
• Flash memory
• Holds the IOS the router is using
• Is rewritable memory, so you can upgrade the IOS
• Read-only memory (ROM)
• Contains a minimal version of the IOS used to boot the router if flash memory gets corrupted
• Interfaces
• Hardware connectivity points
• Example: an Ethernet port is an interface that connects to a LAN
8
CISCO ROUTER CONFIGURATION
• Configuration modes:
• User mode
• Administrator can perform basic troubleshooting tests and list information stored on the router
• The Router-name> prompt indicates that you are in user mode
• Privileged mode
• Administrator can perform full router configuration tasks
• The Router-name# prompt indicates that you are in privileged mode
• By default, you are in user mode
• Type “enable” or “en” to change to privileged mode
9
CISCO ROUTER CONFIGURATION (CONTINUED)
• Once in privileged mode, you can change to two more configuration modes
• Global configuration mode
• Administrator can configure router settings that affect overall router operation
• To use this mode, you enter the command config t at the Router-name# prompt
• The Router-name(config)# prompt indicates that you are in global configuration mode
10
CISCO ROUTER CONFIGURATION (CONTINUED)
• Once in privileged mode, you can change to two more configuration modes (continued)
• Interface configuration mode
• Administrator can configure an interface on the router
• To use this mode, you enter global configuration mode first
• Next, you enter the command for interface configuration mode and the interface name you want to configure
• Router-name(config-if)# indicates you are in interface configuration mode
11
UNDERSTANDING ACCESS CONTROL LISTS
• There are several types of access control lists
• We will focus on IP access lists
• IP access lists
• Lists of IP addresses, subnets, or networks that are allowed or denied access through a router’s interface
• Two different types of access lists on Cisco router
• Standard IP access lists
• Extended IP access lists
12
STANDARD IP ACCESS LISTS
• Can restrict IP traffic entering or leaving a router’s interface based on source IP address
• The syntax of a standard access list is as follows:
access-list [list #] [permit|deny] [source address] [source wildcard mask]
• [list #] is a number in the range of 1 to 99
• [permit | deny] are keywords to permit or deny traffic
• [source address] specifies the IP address of the source host
• [source wildcard mask] signifies which bits of the source address are significant
13
STANDARD IP ACCESS LISTS (CONTINUED)
• Example:
access-list 1 deny 173.110.0.0 0.0.255.255
access-list 1 permit any
• A wildcard mask is similar to a subnet mask
• Example: access-list 1 deny 10.10.1.112 0.0.0.0
• The 0s used after the IP address signify that every octet in the IP address must match the IP address being filtered
• Another example:
access-list 1 deny 192.168.10.0 0.0.0.255
access-list 1 permit any
14
STANDARD IP ACCESS LISTS (CONTINUED)
• Cisco allows a shortcut for the mask 0.0.0.0
access-list 1 deny host 192.168.10.112
• Access lists always end with an implicit deny rule
• To avoid this, you must add the “permit any” statement
access-list 1 deny host 192.168.10.112
access-list 1 permit any
• Steps for applying the access list to an interface
• Enter global configuration mode
• Create the access list
• Enter interface configuration mode
• Use the ip access-group command
15
STANDARD IP ACCESS LISTS (CONTINUED)
• Example
Router> en
Password ******
Router# config t
Router(config)# access-list 1 deny 172.16.5.0 0.0.0.255
Router(config)# access-list 1 permit any
Router(config)# int e0
Router(config-if)# ip access-group 1 out
Router(config-if)# Ctrl+z [to save and exit global configuration mode]
Router#
16
EXTENDED IP ACCESS LISTS
• Allow packet filtering based on
• Source IP address
• Destination IP address
• Protocol type
• Application port number
• Syntax for extended IP access lists
access-list [list #] [permit|deny] [protocol] [source IP address] [source wildcard mask] [destination IP address] [destination wildcard mask] [operator] [port] [log]
• [list #] is a number in the range of 100 to 199
• [permit | deny] are keywords to permit or deny traffic
17
EXTENDED IP ACCESS LISTS (CONTINUED)
• Syntax for extended IP access lists (continued)
• [protocol] can be IP, TCP, UDP, ICMP, and so on
• [source IP address] is the IP address of the source
• [source wildcard mask] determines significant bits of source IP address
• [destination IP address] is the IP address of the destination
• [destination wildcard mask] determines significant bits of destination IP address
• [operator] can be lt, gt, eq, or neq
18
EXTENDED IP ACCESS LISTS (CONTINUED)
• Syntax for extended IP access lists (continued)
• [port] port number of the protocol to be filtered
• [log] logs all activity of the access list for the administrator
• Example:
access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www
19
EXTENDED IP ACCESS LISTS (CONTINUED)
• Applying an access list to an interface
Router> en
Password ******
Router# config t
Router(config)# access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100
Router(config)# access-list 100 permit ip any any
Router(config)# int e0
Router(config-if)# ip access-group 100 in
Router(config-if)# Ctrl+z
Router#
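To make the matching rules on the preceding slides concrete, here is an added Python model of how a standard or extended IP access list is evaluated. It is example code written for this page, not Cisco IOS code and not part of the original slides. It parses `access-list` lines in the syntax shown above (the `host` and `any` shortcuts, wildcard masks, `eq www` style port tests, an optional trailing `log`), walks the list top-down with first match wins, and applies the implicit deny at the end. The port-name table, the packet fields, and the list numbers used as samples are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed subset of IOS port keywords, enough for the "eq www" example on this page
PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53}
OPERATORS = ("lt", "gt", "eq", "neq")


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip", "tcp", "udp", "icmp"; standard lists are recorded as "ip"
    src: int                       # source address as a 32-bit integer
    src_wild: int                  # wildcard mask: a 1 bit means "don't care"
    dst: int = 0
    dst_wild: int = 0xFFFFFFFF     # standard lists never look at the destination
    port_op: Optional[str] = None  # lt, gt, eq or neq
    port: Optional[int] = None


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _take_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'.
    A bare address with no mask is treated as a host, as IOS does.
    Returns (address, wildcard, index of the next unread token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _to_int(tokens[i + 1]), 0, i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return _to_int(tokens[i]), _to_int(tokens[i + 1]), i + 2
    return _to_int(tokens[i]), 0, i + 1


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse one 'access-list <n> permit|deny ...' line into (list number, entry)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:                     # standard list: source only
        src, wild, _ = _take_addr(t, 3)
        return number, AclEntry(action, "ip", src, wild)
    if 100 <= number <= 199:                  # extended list
        protocol = t[3].lower()
        src, src_wild, i = _take_addr(t, 4)
        dst, dst_wild, i = _take_addr(t, i)
        op = port = None
        if i < len(t) and t[i] in OPERATORS:
            op = t[i]
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        # a trailing "log" keyword only affects logging, not the match decision
        return number, AclEntry(action, protocol, src, src_wild, dst, dst_wild, op, port)
    raise ValueError(f"list number {number} is outside the standard (1-99) and extended (100-199) ranges")


def _wild_match(addr: int, ref: int, wild: int) -> bool:
    # Every bit that is 0 in the wildcard must be identical in addr and ref
    return ((addr ^ ref) & ~wild & 0xFFFFFFFF) == 0


def _port_match(op: Optional[str], ref: Optional[int], port: Optional[int]) -> bool:
    if op is None:
        return True    # the entry has no port test
    if port is None:
        return False   # the entry needs a port but the packet has none (e.g. ICMP)
    return {"eq": port == ref, "neq": port != ref, "lt": port < ref, "gt": port > ref}[op]


def _matches(e: AclEntry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.protocol != "ip" and e.protocol != proto:
        return False
    return (_wild_match(_to_int(src), e.src, e.src_wild)
            and _wild_match(_to_int(dst), e.dst, e.dst_wild)
            and _port_match(e.port_op, e.port, dport))


def evaluate(acl_lines: List[str], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet: the first matching entry wins,
    and a packet that matches nothing hits the implicit deny at the end."""
    for line in acl_lines:
        _, entry = parse_acl_line(line)
        if _matches(entry, proto, src, dst, dport):
            return entry.action
    return "deny"


# Constructed lists, taken from the slides above
STANDARD_ACL = ["access-list 1 deny 172.16.5.0 0.0.0.255",
                "access-list 1 permit any"]
EXTENDED_ACL = ["access-list 100 deny tcp host 172.16.1.112 host 172.30.1.100 eq www",
                "access-list 100 permit ip any any"]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, "ip", "172.16.5.7", "10.1.1.1"))              # deny
    print(evaluate(EXTENDED_ACL, "tcp", "172.16.1.112", "172.30.1.100", 80))   # deny
    print(evaluate(EXTENDED_ACL, "tcp", "172.16.1.112", "172.30.1.100", 443))  # permit
```

The wildcard test is the one detail worth checking by hand: a 0 bit in the mask means "must match", so `10.10.1.112 0.0.0.0` and `host 10.10.1.112` are the same entry, and a list that contains only deny statements denies everything because nothing ever reaches a permit.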
20
UNDERSTANDING FIREWALLS
• Firewalls are hardware devices or software installed on a system and have two purposes
• Controlling access to all traffic that enters an internal network
• Controlling all traffic that leaves an internal network
• Advantages of hardware firewalls
• They are usually faster than software firewalls
• They can handle a larger throughput than software firewalls
21
UNDERSTANDING FIREWALLS (CONTINUED)
• Disadvantage of hardware firewalls
• You are locked into the firewall’s hardware
• Advantage of software firewalls
• You can easily add NICs to the server running the firewall software
• Disadvantage of software firewalls
• You might have to worry about configuration problems
• They rely on the OS on which they are running
22
UNDERSTANDING FIREWALL TECHNOLOGY
• Firewall technologies
• Network address translation (NAT)
• Access control lists
• Packet filtering
• Stateful packet inspection (SPI)
23
NETWORK ADDRESS TRANSLATION (NAT)
• The most basic security feature of a firewall
• With NAT, internal private IP addresses are mapped to public external IP addresses
• Hiding the internal infrastructure
• Port Address Translation (PAT)
• Technology derived from NAT
• This allows thousands of internal IP addresses to be mapped to one external IP address
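As an added illustration of the many-to-one mapping PAT performs (example code for this page, not from the slides or from any vendor product), this Python class keeps a translation table that rewrites each internal address:port to the single public address with a unique public port, and looks the mapping up in reverse for returning packets. The public address, the port range and the internal hosts are constructed for the example.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class PatTranslator:
    """Port Address Translation: many internal endpoints share one public address.
    Each new internal (ip, port) flow gets its own public port, so the outside only
    ever sees the public address and the internal layout stays hidden."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map: Dict[Endpoint, int] = {}   # internal endpoint -> public port
        self.in_map: Dict[int, Endpoint] = {}    # public port -> internal endpoint

    def translate_out(self, internal: Endpoint) -> Endpoint:
        """Rewrite the source of an outbound packet; allocate a mapping on first use."""
        if internal not in self.out_map:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")  # practical limit of one address
            port = self.next_port
            self.next_port += 1
            self.out_map[internal] = port
            self.in_map[port] = internal
        return (self.public_ip, self.out_map[internal])

    def translate_in(self, public: Endpoint) -> Optional[Endpoint]:
        """Rewrite the destination of an inbound packet. Returns None when no internal
        host opened the flow: the packet has nowhere to go and is dropped."""
        if public[0] != self.public_ip:
            return None
        return self.in_map.get(public[1])


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.1")              # constructed public address
    print(pat.translate_out(("10.0.0.5", 40000)))   # ('203.0.113.1', 1024)
    print(pat.translate_out(("10.0.0.6", 40000)))   # ('203.0.113.1', 1025)
    print(pat.translate_in(("203.0.113.1", 1025)))  # ('10.0.0.6', 40000)
    print(pat.translate_in(("203.0.113.1", 9999)))  # None
```

The reverse lookup is what gives PAT its basic protective effect: an inbound packet that does not match a mapping created from inside has no internal destination, so it is discarded rather than forwarded.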
24
ACCESS CONTROL LISTS
• Access lists are used to filter traffic based on source IP address, destination IP address, and ports or services
• Firewalls also use this technology
• Creating access control lists in a firewall is a similar process to creating them in a router
25
PACKET FILTERING
• Packet filters screen packets based on information contained in the packet header
• Protocol type
• IP address
• TCP/UDP port
26
STATEFUL PACKET INSPECTION (SPI)
• Stateful packet filters record session-specific information about a network connection
• Create a state table
• Can help reduce port scans that rely on spoofing or sending packets after a three-way handshake
• Stateful packet filters recognize types of anomalies that most routers ignore
• Stateless packet filters handle each packet on an individual basis
• Spoofing or DoS attacks are more prevalent
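The difference between the two filter types on this slide is easiest to see side by side, so here is an added Python simulation (example code for this page, not from the slides or any firewall product). The stateless filter judges each inbound TCP packet on its own, admitting anything that carries the ACK flag as if it were a reply; the stateful filter keeps a state table of sessions opened from inside and admits only inbound packets that continue one of them. The addresses, ports and the simplified three-state session model are assumptions; timeouts and FIN/RST teardown are left out.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str         # "out": internal host -> Internet, "in": Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flags present, e.g. frozenset({"SYN"})


SessionKey = Tuple[str, int, str, int]   # (internal ip, internal port, external ip, external port)


class StatelessFilter:
    """Handles every packet on its own. Inbound TCP is admitted when it looks like a
    reply (ACK set), which is all a stateless rule can check; it never remembers
    which sessions were actually opened from inside."""

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            return "permit"
        return "permit" if "ACK" in p.flags else "deny"


class StatefulFilter:
    """Keeps a state table of sessions opened from inside and only admits inbound
    packets that continue one of them at the expected step."""

    def __init__(self) -> None:
        self.table: Dict[SessionKey, str] = {}

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"        # new session opened from inside
            elif key in self.table and "ACK" in p.flags:
                self.table[key] = "ESTABLISHED"     # third step of the handshake
            return "permit"
        key = (p.dst, p.dport, p.src, p.sport)      # look the reply up from the inside's view
        state = self.table.get(key)
        if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
            return "permit"
        if state == "ESTABLISHED":
            return "permit"
        return "deny"   # no session or wrong step: unsolicited, spoofed or out-of-order packet


def run_scenario(fw) -> List[str]:
    """Constructed traffic: one legitimate web session opened from inside, then an
    inbound ACK-only packet to a host that never opened anything."""
    packets = [
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"SYN"})),
        Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
        Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, frozenset({"ACK"})),
        Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, frozenset({"ACK"})),
        Packet("in", "198.51.100.7", 6000, "10.0.0.9", 22, frozenset({"ACK"})),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario(StatelessFilter()))   # ['permit', 'permit', 'permit', 'permit', 'permit']
    print(run_scenario(StatefulFilter()))    # ['permit', 'permit', 'permit', 'permit', 'deny']
```

The last packet is the one the slide is about: it has no session behind it, and only the filter with a state table can tell, which is why spoofed or out-of-handshake traffic gets further against stateless filters.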
27
IMPLEMENTING A FIREWALL
• Placing a firewall between a company’s internal network and the Internet is dangerous
• It leaves the company open to attack if a hacker compromises the firewall
• Use a demilitarized zone instead
28
DEMILITARIZED ZONE (DMZ)
• DMZ is a small network containing resources available to Internet users
• Helps maintain security on the company’s internal network
• Sits between the Internet and the internal network
• It is sometimes referred to as a “perimeter network”
29
UNDERSTANDING THE PRIVATE INTERNET EXCHANGE (PIX) FIREWALL
• Cisco PIX firewall
• One of the most popular firewalls on the market
30
CONFIGURATION OF THE PIX FIREWALL
• Working with a PIX firewall is similar to working with any other Cisco router
• Login prompt
If you are not authorized to be in this XYZ Hawaii network device, log out immediately!
User Access Verification
Password:
• This banner serves a legal purpose
• General prompt example:
Type help or '?' for a list of available commands.
xyz>
31
CONFIGURATION OF THE PIX FIREWALL (CONTINUED)
• You should enter privileged mode to configure the PIX firewall
• To enter configuration mode in PIX, you use the same command as on a Cisco router
xyz# configure terminal
xyz(config)# ?
• Nameif is a PIX command to name an interface
• PIX allows the administrator to assign values to an interface that designate its security level
• Values can be from 0 to 100
32
CONFIGURATION OF THE PIX FIREWALL (CONTINUED)
• Access lists
• PIX enables an administrator to use descriptive names for the access list instead of numbers
• PIX also uses the implicit deny rule
33
UNDERSTANDING MICROSOFT ISA
• Microsoft’s software approach to firewalls
• Microsoft Internet Security and Acceleration (ISA) Server
• Functions as a software router, firewall, and IDS
• ISA has the same functionality as any hardware router
• Packet filtering to control incoming traffic
• Application filtering through the examination of protocols
• Intrusion detection filters
• Access policies to control outgoing traffic
34
IP PACKET FILTERS
• ISA enables administrators to filter IP traffic based on the following:
• Source and destination IP address
• Network protocol, such as HTTP
• Source port or destination port
• ISA provides a GUI for these configurations
• A network segment can be denied or allowed HTTP access in the Remote Computer tab
35
APPLICATION FILTERS
• Can accept or deny data from specific applications or data containing specific content
• SMTP filter can restrict
• E-mail with specific attachments
• E-mail from a specific user or domain
• E-mail containing specific keywords
• SMTP commands
• SMTP Filter Properties dialog box
• Administrator can filter a specific e-mail attachment based on a rule he or she configures
36
APPLICATION FILTERS (CONTINUED)
• Users/Domains tab in the SMTP Filter Properties dialog box
• Administrator can filter e-mail messages sent from a user or from specific domains
• As a security professional, you might be asked to restrict e-mails containing certain keywords
• SMTP Commands tab
• Administrator can prevent a user from running SMTP commands
37
INTRUSION DETECTION FILTERS
• Analyze all traffic for possible known intrusions
• DNS intrusion detection filter
• POP intrusion detection filter
• FTP Access filter
• H.323 filter
• HTTP Redirector filter
• RPC filter
• SMTP filter
• SOCKSV4 filter
• Streaming Media filter
38
ACCESS POLICIES
• Allow administrators to control outgoing traffic
• An access policy consists of the following
• Policy rules
• Site and content rules
• IP filter rules
39
UNDERSTANDING INTRUSION DETECTION SYSTEMS (IDSS)
• Monitor network devices so that security administrators can identify attacks in progress and stop them
• An IDS looks at the traffic and compares it with known exploits
• Similar to antivirus software using a signature file to identify viruses
• Types
• Network-based IDSs
• Host-based IDSs
40
NETWORK-BASED AND HOST-BASED IDSS
• Network-based IDSs
• Monitor activity on network segments
• They sniff traffic and alert a security administrator when something suspicious occurs
• Host-based IDSs
• Used to protect a critical network server or database server
• The software is installed on the server you’re attempting to protect
41
NETWORK-BASED AND HOST-BASED IDSS (CONTINUED)
• IDSs are categorized by how they react when they detect suspicious behavior
• Passive systems
• Send out an alert and log the activity
• Active systems
• Log events and send out alerts
• Can also interoperate with routers and firewalls
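To show what "comparing traffic with known exploits" and the passive/active distinction look like in code, here is an added Python model of a signature-based IDS (example code for this page, not from the slides or any IDS product). Each packet is checked against a signature list the way an antivirus scanner checks a file against its signature file; in passive mode a hit is only logged, while in active mode the IDS also hands the offending source to a firewall block list, standing in for the router/firewall interoperation the slide mentions. The signature, the sample packets and the block-list mechanism are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Signature:
    sid: int
    name: str
    protocol: str          # "tcp" or "udp"
    dport: Optional[int]   # None = any destination port
    pattern: bytes         # regular expression searched in the payload


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    sid: int
    name: str
    src: str
    dst: str


class SignatureIDS:
    """Compares every packet with the signature list. Passive mode logs and alerts;
    active mode additionally adds the source to a block list that a firewall or
    router would enforce (a plain set here)."""

    def __init__(self, signatures: List[Signature], active: bool = False) -> None:
        self.signatures = signatures
        self.active = active
        self.log: List[Alert] = []
        self.blocked: Set[str] = set()

    def inspect(self, pkt: Packet) -> List[Alert]:
        if pkt.src in self.blocked:
            return []   # already dropped upstream by the block rule
        hits: List[Alert] = []
        for sig in self.signatures:
            if sig.protocol != pkt.protocol:
                continue
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if re.search(sig.pattern, pkt.payload) is None:
                continue
            alert = Alert(sig.sid, sig.name, pkt.src, pkt.dst)
            self.log.append(alert)
            hits.append(alert)
            if self.active:
                self.blocked.add(pkt.src)
        return hits


# Constructed signature: a classic textbook pattern, not a real rule set
SIGNATURES = [
    Signature(1001, "HTTP directory traversal", "tcp", 80, rb"\.\./\.\./"),
]

# Constructed sample traffic: two ordinary requests and two traversal attempts from one host
SAMPLE = [
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /img/../../../boot.ini HTTP/1.1\r\n"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 80, b"GET /about.html HTTP/1.1\r\n"),
]


def run(active: bool) -> Dict[str, object]:
    """Run the sample traffic through a passive or active IDS and summarise the outcome."""
    ids = SignatureIDS(SIGNATURES, active=active)
    alerts_per_packet = [len(ids.inspect(p)) for p in SAMPLE]
    return {"alerts_per_packet": alerts_per_packet,
            "logged": len(ids.log),
            "blocked": sorted(ids.blocked)}


if __name__ == "__main__":
    print(run(active=False))   # {'alerts_per_packet': [0, 1, 1, 0], 'logged': 2, 'blocked': []}
    print(run(active=True))    # {'alerts_per_packet': [0, 1, 0, 0], 'logged': 1, 'blocked': ['198.51.100.7']}
```

The passive run produces two alerts from the same source; the active run produces one, because after the first hit the source is blocked and its second attempt never reaches the sensor. That is the trade-off the slide hints at: an active IDS stops repeat traffic, but a false positive blocks a legitimate host just as effectively.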
42
UNDERSTANDING HONEYPOTS
• Honeypot
• Computer placed on the perimeter of a network
• Contains information intended to lure and then trap hackers
• Computer is configured to have vulnerabilities
• Goal
• Keep hackers connected long enough so they can be traced back
43
HOW THEY WORK
• A honeypot appears to have important data or sensitive information stored on it
• Could store fake financial data that tempts hackers to attempt browsing through the data
• Hackers will spend time attacking the honeypot
• And stop looking for real vulnerabilities in the company’s network
• Honeypots also enable security professionals to collect data on attackers
• Honeypots are available commercially and through open-source avenues
44
HOW THEY WORK (CONTINUED)
• Virtual honeypots
• Honeypots created using software solutions instead of hardware devices
• Example: Honeyd
45
SUMMARY
• Security devices
• Routers
• Firewalls
• IDSs
• Routers use access lists to accept or deny traffic through their interfaces
• Firewalls can be hardware devices or software installed on computer systems
• Firewalls use NAT, IP filtering, and access control lists to filter incoming and outgoing network traffic
46
SUMMARY (CONTINUED)
• Firewall examples
• Cisco PIX (hardware)
• Microsoft ISA (software)
• Stateful packet filters vs. stateless packet filters
• PGP is a free public key encryption program to encrypt e-mail messages
• Demilitarized zones (DMZs)
• Add a layer of defense between the Internet and a company’s internal network
47
SUMMARY (CONTINUED)
• Intrusion detection systems (IDSs)
• Network-based IDSs
• Host-based IDSs
• Passive IDSs vs. active IDSs
• Honeypots