Securing The Network Infrastructure

Transcript of Securing The Network Infrastructure

  • Securing the Network Infrastructure

    Security+ Guide to Network Security Fundamentals, 2e

  • Objectives
      • Work with the network cable plant
      • Secure removable media
      • Harden network devices
      • Design network topologies

  • Working with the Network Cable Plant
      • Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
      • Three types of transmission media:
          • Coaxial cables
          • Twisted-pair cables
          • Fiber-optic cables

  • Coaxial Cables
      • Coaxial cable was the main type of copper cabling used in computer networks for many years
      • Has a single copper wire at its center surrounded by insulation and shielding
      • Called coaxial because it houses two (co) axes or shafts: the copper wire and the shielding
      • Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding

  • Coaxial Cables (continued)
      • Thin coaxial cable looks similar to the cable that carries a cable TV signal
      • A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself
      • The copper mesh channel protects the core from interference
      • BNC connectors: connectors used on the ends of a thin coaxial cable

  • Twisted-Pair Cables
      • Standard for copper cabling used in computer networks today, replacing thin coaxial cable
      • Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

  • Twisted-Pair Cables (continued)
      • Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
      • Unshielded twisted-pair (UTP) cables do not have any shielding
      • Twisted-pair cables have RJ-45 connectors

  • Fiber-Optic Cables
      • Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
      • Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper; the core transmits light impulses
      • A glass tube (cladding) surrounds the core
      • The core and cladding are protected by a jacket

  • Fiber-Optic Cables (continued)
      • Classified by the diameter of the core and the diameter of the cladding
      • Diameters are measured in microns; each is about 1/25,000 of an inch or one-millionth of a meter
      • Two types:
          • Single-mode fiber cables: used when data must be transmitted over long distances
          • Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

  • Securing the Cable Plant
      • Securing cabling outside the protected network is not the primary security issue for most organizations
      • Focus is on protecting access to the cable plant in the internal network
      • An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

  • Securing the Cable Plant (continued)
      • The attacker can capture packets as they travel through the network by sniffing
      • The hardware or software that performs such functions is called a sniffer
      • Physical security:
          • First line of defense
          • Protects the equipment and infrastructure itself
          • Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

  • Securing Removable Media
      • Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
      • An employee copying data to a floppy disk or CD and carrying it home poses two risks:
          • Storage media could be lost or stolen, compromising the information
          • A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

  • Magnetic Media
      • Record information by changing the magnetic direction of particles on a platter
      • Floppy disks were some of the first magnetic media developed
      • The capacity of today's 3 1/2-inch disks is 14 MB
      • Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
      • Magnetic tape drives record information in a serial fashion

  • Optical Media
      • Optical media use a principle for recording information different from magnetic media
      • A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
      • Capacity of optical discs varies by type
      • A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
          • Data cannot be changed once recorded

  • Optical Media (continued)
      • A Compact Disc-Rewritable (CD-RW) disc can be used to record data, erase it, and record again
      • A Digital Versatile Disc (DVD) can store much larger amounts of data
      • DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 395 GB on a single-sided disc and 79 GB on a double-sided disc

  • Electronic Media
      • Electronic media use flash memory for storage
      • Flash memory is a solid-state storage device: everything is electronic, with no moving or mechanical parts
      • SmartMedia cards range in capacity from 2 MB to 128 MB
      • The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

  • Electronic Media (continued)
      • CompactFlash card:
          • Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
          • Comes in 33 mm and 55 mm thicknesses and stores between 8 MB and 192 MB of data
      • USB memory stick is becoming very popular
          • Can hold between 8 MB and 1 GB of memory

  • Keeping Removable Media Secure
      • Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

  • Hardening Network Devices
      • Each device that is connected to a network is a potential target of an attack and must be properly protected
      • Network devices to be hardened are categorized as:
          • Standard network devices
          • Communication devices
          • Network security devices

  • Hardening Standard Network Devices
      • A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
      • This equipment has basic security features that you can use to harden the devices

  • Workstations and Servers
      • Workstation: personal computer attached to a network (also called a client)
          • Connected to a LAN and shares resources with other workstations and network equipment
          • Can be used independently of the network and can have its own applications installed
      • Server: computer on a network dedicated to managing and controlling the network

  • Switches and Routers
      • Switch:
          • Most commonly used in Ethernet LANs
          • Receives a packet from one network device and sends it to the destination device only
          • Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
          • A switch is used within a single network
      • Routers connect two or more single networks to form a larger network

  • Switches and Routers (continued)
      • Switches and routers must also be protected against attacks
      • Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
      • Software agents are loaded onto each network device to be managed

  • Switches and Routers (continued)
      • Each agent monitors network traffic and stores that information in its management information base (MIB)
      • A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs

  • Hardening Communication Devices
      • A second category of network devices are those that communicate over longer distances
      • Include:
          • Modems
          • Remote access servers
          • Telecom/PBX Systems
          • Mobile devices

  • Modems
      • Most common communication device
      • Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher
      • Two popular broadband technologies:
          • Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines
          • Another broadband technology uses the local cable television system

  • Modems (continued)
      • A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
      • Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
      • Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time

  • Remote Access Servers
      • Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
      • Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

  • Remote Access Servers (continued)
      • Remote access clients can run almost all network-based applications without modification
          • Possible because remote access technology supports both drive letters and universal naming convention (UNC) names

  • Telecom/PBX Systems
      • Term used to describe a Private Branch eXchange
      • The definition of a PBX comes from the words that make up its name:
          • Private
          • Branch
          • eXchange

  • Mobile Devices
      • As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
      • Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot beam a virus through a wireless connection

  • Hardening Network Security Devices
      • The final category of network devices includes those designed and used strictly to protect the network
      • Include:
          • Firewalls
          • Intrusion-detection systems
          • Network monitoring and diagnostic devices

  • Firewalls
      • Typically used to filter packets
      • Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
      • Typically located outside the network security perimeter as first line of defense
      • Can be software or hardware configurations

  • Firewalls (continued)
      • Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
      • Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
      • One disadvantage is that it is only as strong as the operating system of the computer

  • Firewalls (continued)
      • Filter packets in one of two ways:
          • Stateless packet filtering: permits or denies each packet based strictly on the rule base
          • Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base
      • Can perform content filtering to block access to undesirable Web sites
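
The difference between the two filtering modes, as an added example that is not part of the original slides: a toy rule base that lets inside hosts reach Web servers, evaluated statelessly and statefully over three constructed packets. The addresses, port numbers and the `Packet`, `stateless_allow` and `StatefulFilter` names are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the external network


# Constructed sample addresses: one inside host, two outside hosts.
INSIDE, WEB, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.9"


def stateless_allow(pkt: Packet) -> bool:
    """Rule base only: every packet is judged on its own header fields."""
    if not pkt.inbound:
        return pkt.dport == 80      # inside hosts may reach Web servers
    return pkt.sport == 80          # anything "from port 80" is treated as a reply


class StatefulFilter:
    """Same outbound rule, plus a table of connections opened from the inside."""

    def __init__(self):
        self.connections = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dport != 80:
                return False
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: admit only the exact reverse of a recorded outbound connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare():
    """Return {name: (stateless verdict, stateful verdict)} for the samples."""
    samples = [
        ("request", Packet(INSIDE, 51000, WEB, 80, inbound=False)),
        ("reply", Packet(WEB, 80, INSIDE, 51000, inbound=True)),
        ("unsolicited", Packet(STRANGER, 80, INSIDE, 445, inbound=True)),
    ]
    fw = StatefulFilter()
    return {name: (stateless_allow(p), fw.allow(p)) for name, p in samples}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12} stateless={stateless} stateful={stateful}")
```

Only the stateful filter rejects the unsolicited packet, because no inside host ever opened a connection to that sender.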

  • Firewalls (continued)
      • An application layer firewall can defend against worms better than other kinds of firewalls
          • Reassembles and analyzes packet streams instead of examining individual packets

  • Intrusion-Detection Systems (IDSs)
      • Devices that establish and maintain network security
      • Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
          • Installed on the server or, in some instances, on all computers on the network
      • Passive IDS sends information about what happened, but does not take action

  • Intrusion-Detection Systems (IDSs) (continued)
      • Host-based IDS monitors critical operating system files and the computer's processor activity and memory; scans event logs for signs of suspicious activity
      • Network-based IDS monitors all network traffic instead of only the activity on a computer
          • Typically located just behind the firewall
      • Other IDS systems are based on behavior:
          • Watch network activity and report abnormal behavior
          • Result in many false alarms

  • Network Monitoring and Diagnostic Devices
      • SNMP enables network administrators to:
          • Monitor network performance
          • Find and solve network problems
          • Plan for network growth
      • Managed device:
          • Network device that contains an SNMP agent
          • Collects and stores management information and makes it available to SNMP

  • Designing Network Topologies
      • Topology: physical layout of the network devices, how they are interconnected, and how they communicate
      • Essential to establishing its security
      • Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

  • Security Zones
      • One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
          • Demilitarized Zones (DMZs)
          • Intranets
          • Extranets

  • Demilitarized Zones (DMZs)
      • Separate networks that sit outside the secure network perimeter
      • Outside users can access the DMZ, but cannot enter the secure network
      • For extra security, some networks use a DMZ with two firewalls
      • The types of servers that should be located in the DMZ include:
          • Web servers
          • E-mail servers
          • Remote access servers
          • FTP servers

  • Intranets
      • Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
      • Disadvantage is that it does not allow remote trusted users access to information

  • Extranets
      • Sometimes called a cross between the Internet and an intranet
      • Accessible to users that are not trusted internal users, but trusted external users
      • Not accessible to the general public, but allows vendors and business partners to access a company Web site

  • Network Address Translation (NAT)
      • "You cannot attack what you do not see" is the philosophy behind Network Address Translation (NAT) systems
      • Hides the IP addresses of network devices from attackers
      • Computers are assigned special IP addresses (known as private addresses)

  • Network Address Translation (NAT) (continued)
      • These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
      • Port address translation (PAT) is a variation of NAT
          • Each packet is given the same IP address, but a different TCP port number
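
How a PAT table gives every inside host the same outside address but a different port, as an added example that is not part of the original slides. The private ranges are the RFC 1918 blocks; the `PatGateway` class, the public address and the starting port are assumptions made for the illustration.

```python
import ipaddress

PUBLIC_IP = "203.0.113.1"   # constructed: the single outside address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True when ip falls in one of the private blocks anyone may reuse."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatGateway:
    """Toy PAT table: many private hosts share one public IP, one port each."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (private_ip, private_port) -> public_port
        self.back = {}   # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port):
        """Rewrite the source of an outgoing packet; returns (ip, port)."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.out[key]

    def inbound(self, dst_port):
        """Map a reply back to the inside host, or None if no mapping exists."""
        return self.back.get(dst_port)


def demo():
    gw = PatGateway(PUBLIC_IP)
    a = gw.outbound("192.168.1.10", 51000)
    b = gw.outbound("192.168.1.11", 51000)   # same private port, other host
    # A reply to b's port finds its host; a port never handed out maps to nothing.
    return a, b, gw.inbound(b[1]), gw.inbound(45000)


if __name__ == "__main__":
    print(demo())
```

An outside observer sees only the public address and the translated ports; a packet sent to a port with no table entry has no inside destination and is dropped.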

  • Honeypots
      • Computers located in a DMZ loaded with software and data files that appear to be authentic
      • Intended to trap or trick attackers
      • Two-fold purpose:
          • To direct attackers' attention away from real servers on the network
          • To examine techniques used by attackers

  • Virtual LANs (VLANs)
      • Segment a network with switches to divide the network into a hierarchy
      • Core switches reside at the top of the hierarchy and carry traffic between switches
      • Workgroup switches are connected directly to the devices on the network
      • Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

  • Virtual LANs (VLANs) (continued)
      • Segment a network by grouping similar users together
      • Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

  • Summary
      • Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
      • Removable media used to store information include:
          • Magnetic storage (removable disks, hard drives)
          • Optical storage (CD and DVD)
          • Electronic storage (USB memory sticks, FlashCards)

  • Summary (continued)
      • Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
      • A network's topology plays a critical role in resisting attackers
      • Hiding the IP address of a network device can help disguise it so that an attacker cannot find it
