Security+ Guide to Network Security Fundamentals, …preselected Web sites (virus-infected, hacking,...

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 5 Network Defenses

Page 1: Security+ Guide to Network Security Fundamentals, Third Edition, Chapter 5, Network Defenses

Page 2: Objectives

• List the different types of network security devices (Firewall, Proxy servers, Honeypots, Network Intrusion Detection/Prevention Systems) and explain how they can be used.
• Present Network Address Translation (NAT) technology, used to enhance network security.
• Discuss security through network design (Subnetting, VLAN, DMZ).

Page 3: Applying Network Security Devices

Several network security devices can be used to protect the network from attacks. These include:

• Firewalls
• Proxy servers
• Honeypots
• Host and network intrusion detection systems
• Host and network intrusion prevention systems

Page 4: Firewall

Firewall
– Typically used to filter packets
– Sometimes called a packet filter
– Designed to prevent malicious packets from entering the network
– A firewall can be software-based or hardware-based

Page 5: Firewall (continued)

The basis of a firewall is a rule base. It establishes what action the firewall should take when it receives a packet (allow, block, or prompt).

Packets can be filtered in one of two ways:

1. Stateless packet filtering
   • Looks at the incoming packet and permits or denies it based strictly on the rule base
2. Stateful packet filtering
   • Keeps a record of the state of a connection between an internal computer and an external server
   • Then makes decisions based on the connection as well as the rule base

Page 6: Stateless packet firewall (figure)

[Figure: a user at 198.146.118.20 requests a web page from CNN.com across the Internet (1); CNN.com answers "Here is the page you asked for" (2); the stateless packet firewall passes the reply and the requested web page is delivered to the user (3).]

Rule base table in the firewall:

Rule  Source IP  Source Port  Destination IP   Destination Port  Action  Time
1     Any        80           198.146.118.20   80                Allow   Any

Page 7: Stateless packet firewall (figure, continued)

[Figure: a hacker on the Internet sends a packet "Here is the file you asked for" with destination address 198.146.118.20 (1). The stateless packet firewall checks it only against the rule base; the packet matches rule 1 and is passed to the user. The received file is a virus (2).]

Rule base table in the firewall: the same single rule as on page 6 (rule 1: source IP Any, source port 80, destination IP 198.146.118.20, destination port 80, action Allow, time Any).

Page 8: Stateful packet firewall (figure)

[Figure: the user at 198.146.118.20 requests a web page from CNN.com across the Internet (1); CNN.com answers "Here is the page you asked for" (2); the stateful packet firewall finds the reply in its state table and the requested web page is delivered to the user (3).]

Rule base table in the firewall:

Rule  Source IP  Source Port  Destination IP   Destination Port  Action  Time
1     Any        80           198.146.118.20   80                Allow   Any

Current state:

Source IP        Destination IP
198.146.118.20   206.23.19.4

Page 9: Stateful packet firewall (figure, continued)

[Figure: a hacker at 216.249.118.20 sends a packet "Here is the file you asked for" with destination address 198.146.118.20 (1). The stateful packet firewall denies the packet because it was not requested by the user: there is no current relationship between 198.146.118.20 and 216.249.118.20 (2).]

Rule base table in the firewall: the same single rule as on page 8 (rule 1: source IP Any, source port 80, destination IP 198.146.118.20, destination port 80, action Allow, time Any).

Current state:

Source IP        Destination IP
198.146.118.20   206.23.19.4      No current relationship between 198.146.118.20 and 216.249.118.20
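The two filtering modes of page 5 and the scenario of the four figures, worked through in code. This is an added example and not code from the slides or the textbook: the rule base is the one-row table from the figures and the addresses are the figures' own (user 198.146.118.20, CNN.com 206.23.19.4, hacker 216.249.118.20); the outbound request's source port 40123 and the packet "direction" field are assumptions of the model.

```python
# Added example (not from the slides): a stateless and a stateful packet filter
# that share the single-rule rule base from the figures.  Source port 40123 and
# the "direction" field are assumptions of this model.
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" (internal user -> Internet) or "in" (Internet -> user)


@dataclass(frozen=True)
class Rule:
    src_ip: object   # an address or ANY
    src_port: object
    dst_ip: object
    dst_port: object
    action: str      # "Allow" or "Block"


def matches(rule, pkt):
    """A field matches when the rule says Any or the values are equal."""
    return all(
        r == ANY or r == v
        for r, v in ((rule.src_ip, pkt.src_ip), (rule.src_port, pkt.src_port),
                     (rule.dst_ip, pkt.dst_ip), (rule.dst_port, pkt.dst_port))
    )


# Rule base table from the figures: rule 1 allows any source on port 80 to reach
# the user's host 198.146.118.20 on port 80, at any time.
RULE_BASE = [Rule(ANY, 80, "198.146.118.20", 80, "Allow")]


def stateless_filter(rule_base, pkt):
    """Decide on each packet strictly from the rule base; default deny."""
    for rule in rule_base:
        if matches(rule, pkt):
            return rule.action
    return "Block"


class StatefulFilter:
    """Records which (internal host, external host) conversations the user
    started and only admits inbound packets that belong to one of them."""

    def __init__(self, rule_base):
        self.rule_base = rule_base
        self.state = set()  # current state table: (internal ip, external ip)

    def decide(self, pkt):
        if pkt.direction == "out":
            self.state.add((pkt.src_ip, pkt.dst_ip))  # the request opens an entry
            return "Allow"
        # Inbound: the packet must belong to a connection the user opened
        # and must still be permitted by the rule base.
        if (pkt.dst_ip, pkt.src_ip) not in self.state:
            return "Block"
        return stateless_filter(self.rule_base, pkt)


def run_scenario():
    """Replay the figures: the user fetches CNN.com, then an unrelated host
    sends an unsolicited 'file' to the same user."""
    user, cnn, outsider = "198.146.118.20", "206.23.19.4", "216.249.118.20"
    request = Packet(user, 40123, cnn, 80, "out")
    reply = Packet(cnn, 80, user, 80, "in")
    unsolicited = Packet(outsider, 80, user, 80, "in")

    stateless = {"reply": stateless_filter(RULE_BASE, reply),
                 "unsolicited": stateless_filter(RULE_BASE, unsolicited)}
    fw = StatefulFilter(RULE_BASE)
    fw.decide(request)
    stateful = {"reply": fw.decide(reply),
                "unsolicited": fw.decide(unsolicited)}
    return stateless, stateful


if __name__ == "__main__":
    print(run_scenario())
```

Both filters pass CNN.com's reply. The stateless filter also passes the unsolicited "file" because it matches rule 1 field by field, which is exactly the virus case of page 7; the stateful filter blocks it because no entry in its state table pairs the user with 216.249.118.20.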

Page 10: Firewall (continued)

• Personal software firewalls
  – Improved their functionality:
    • Most personal software firewalls today also filter outbound traffic as well as inbound traffic
    • Protects users by preventing malware from connecting to other computers and spreading
  – Disadvantage: It is only as strong as the operating system of the computer

Page 11: Firewall (continued) – Personal software firewalls [figure]

Page 12: Firewall (continued) – Personal software firewalls [figure]

Page 13: Firewall (continued)

• Hardware firewalls
  – Run their own OS
  – Usually located outside the network security perimeter as first line of defense
  – Disadvantage: Can be expensive

Page 14: Firewall (continued) [figure]

Page 15: Proxy Server

Proxy server
– A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user
– Goal is to hide the IP address of client systems inside the secure network (similar to NAT)
– Can alter the client's request or the server's response to prevent unauthorized Web pages from being displayed

Page 16: Honeypot

Honeypot
– Intended to trap or trick attackers
– A computer typically located in a DMZ that is loaded with software and data files that appear to be authentic
  • Yet they are actually imitations of real data files
– Three primary purposes of a honeypot:
  • Deflect attention
  • Early warnings of new attacks
  • Examine attacker techniques

Page 17: Host and Network Intrusion Detection Systems (HIDS/NIDS)

Intrusion Detection System (IDS)
– It attempts to identify inappropriate activity in the network.
– Two types of IDS:
  1. Host Intrusion Detection Systems (HIDS)
  2. Network Intrusion Detection Systems (NIDS)

Page 18: Host and Network Intrusion Detection Systems (HIDS/NIDS)

Host Intrusion Detection Systems (HIDS)
– Attempt to monitor and possibly prevent attempts to intrude into a system and network resources
– HIDS are software-based and run on a local computer and can be divided into four groups:
  • File system monitors
  • Logfile analyzers
  • Connection analyzers
  • Kernel analyzers
– HIDS work on the principle of comparing new behavior against normal behavior
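Two of the four HIDS groups above, a file system monitor and a logfile analyzer, as an added example that is not code from the slides or the textbook. Both apply the principle the slide states: record what is normal (a baseline of file hashes; a tolerated number of failed logins) and report what deviates from it. The file contents, the sshd-style log lines and the threshold of three failures are all constructed for the demonstration.

```python
# Added example (not from the slides): a file system monitor and a logfile
# analyzer, the first two HIDS groups.  Files, log lines and the failure
# threshold are constructed for the demonstration.
import hashlib
import re
from collections import Counter


def fingerprint(files):
    """Baseline: map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def file_system_changes(baseline, current_files):
    """Compare the current file set against the baseline and report deviations."""
    current = fingerprint(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# Constructed sample of an sshd-style authentication log (syslog layout).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:02 host sshd[711]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 08:02:11 host sshd[712]: Failed password for root from 10.0.0.9 port 40001 ssh2
Mar 10 08:02:12 host sshd[713]: Failed password for root from 10.0.0.9 port 40002 ssh2
Mar 10 08:02:13 host sshd[714]: Failed password for admin from 10.0.0.9 port 40003 ssh2
Mar 10 08:02:14 host sshd[715]: Failed password for bob from 10.0.0.9 port 40004 ssh2
Mar 10 08:03:40 host sshd[716]: Failed password for bob from 10.0.0.5 port 51001 ssh2
"""

FAILED_LOGIN = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


def failed_logins_by_source(log_text):
    """Logfile analyzer: count failed logins per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def suspicious_sources(log_text, normal_limit=3):
    """Flag sources whose failure count exceeds what is considered normal."""
    return sorted(ip for ip, n in failed_logins_by_source(log_text).items() if n > normal_limit)


def demo():
    """Baseline two files, then re-scan after one changed and one appeared."""
    baseline_files = {"/etc/hosts": b"127.0.0.1 localhost\n",
                      "/usr/bin/ls": b"ELF-binary-bytes"}
    baseline = fingerprint(baseline_files)
    current_files = {"/etc/hosts": b"127.0.0.1 localhost\n10.0.0.9 updates.example\n",
                     "/usr/bin/ls": b"ELF-binary-bytes",
                     "/tmp/.cache-x": b"unexpected-file"}
    return file_system_changes(baseline, current_files), suspicious_sources(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    print(demo())
```

A real monitor stores the baseline somewhere the monitored host cannot rewrite it, since a baseline the intruder can refresh reports nothing; the log analyzer likewise depends on the log lines being delivered intact, which is one reason HIDS are described as only as strong as the host they run on.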

Page 19: Host and Network Intrusion Detection Systems (HIDS/NIDS)

Network intrusion detection system (NIDS)
– Watches for attempts to penetrate a network
– NIDS work on the principle of comparing new behavior against normal or acceptable behavior
– A NIDS looks for suspicious patterns

Page 20: Host and Network Intrusion Detection Systems (HIDS/NIDS) [figure]

Page 21: Network Intrusion Detection Systems (NIDS) (continued)

• Functions a NIDS can perform:
  – Configure the firewall to filter out the IP address of the intruder
  – Launch a separate program to handle the event
  – Play an audio file that says "Attack is taking place"
  – Save the packets in a file for further analysis
  – Send an entry to a system log file
  – Send e-mail, page, or a cell phone message to alert the network administrator
  – Force a TCP session to terminate

Page 22: Host and Network Intrusion Prevention Systems (HIPS/NIPS)

Intrusion prevention system (IPS)
– Finds malicious traffic and deals with it immediately
– A typical IPS response may be to block all incoming traffic on a specific port
– Two types of IPS:
  1. Host intrusion prevention systems (HIPS)
  2. Network intrusion prevention systems (NIPS)

Page 23: Host and Network Intrusion Prevention Systems (HIPS/NIPS)

Host intrusion prevention systems (HIPS)
– Installed on each system that needs to be protected
– Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks
– Most HIPS monitor desktop functions such as:
  • System calls
  • File system access
– HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls
– HIPS provide an additional level of security that is proactive instead of reactive

Page 24: Host and Network Intrusion Prevention Systems (HIPS/NIPS) (continued)

Network intrusion prevention systems (NIPS)
– Work to protect the entire network and all devices that are connected to it
– By monitoring network traffic, NIPS can immediately react to block a malicious attack
– NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events
  • Can drop malicious traffic based on their configuration or security policy
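The difference between a NIDS (pages 19 and 21) and a NIPS (page 24) comes down to where the sensor sits and what it may do with a packet it dislikes. The following is an added example, not code from the slides or the textbook: one toy sensor that looks for suspicious patterns (a byte signature on port 80, and one source touching many distinct ports, which departs from normal behaviour) and, as a NIDS, only performs the responses listed on page 21 (system log entry, saved packets, a firewall block request), while as a NIPS it is in-line and also drops the traffic. The signature, the sweep threshold of five ports, the addresses and the packets are all constructed.

```python
# Added example (not from the slides): a toy traffic sensor run either as a
# NIDS (alert only) or as a NIPS (alert and drop in-line).  The signature,
# the sweep threshold, the addresses and the packets are constructed.
from collections import defaultdict

# Signature: a byte pattern that should not appear in traffic to this port.
SIGNATURES = [{"name": "path-traversal", "port": 80, "pattern": b"../.."}]
# Anomaly: one source touching this many distinct ports is not normal behaviour.
SWEEP_THRESHOLD = 5


class Sensor:
    def __init__(self, mode="NIDS"):
        assert mode in ("NIDS", "NIPS")
        self.mode = mode
        self.syslog = []                 # "send an entry to a system log file"
        self.saved_packets = []          # "save the packets in a file for further analysis"
        self.firewall_blocks = set()     # "configure the firewall to filter out the IP address"
        self.ports_seen = defaultdict(set)
        self.delivered = []              # packets that reached the protected network

    def _alert(self, reason, pkt):
        self.syslog.append(f"ALERT {reason} src={pkt['src']} dport={pkt['dport']}")
        self.saved_packets.append(pkt)
        self.firewall_blocks.add(pkt["src"])

    def inspect(self, pkt):
        """Return 'deliver' or 'drop' for one packet."""
        src = pkt["src"]
        if self.mode == "NIPS" and src in self.firewall_blocks:
            return "drop"                # in-line: known-bad source, react immediately
        reason = None
        for sig in SIGNATURES:
            if pkt["dport"] == sig["port"] and sig["pattern"] in pkt["payload"]:
                reason = sig["name"]
        self.ports_seen[src].add(pkt["dport"])
        if reason is None and len(self.ports_seen[src]) >= SWEEP_THRESHOLD:
            reason = "port-sweep"
        if reason is not None:
            self._alert(reason, pkt)
            if self.mode == "NIPS":
                return "drop"
        return "deliver"                 # a NIDS never withholds a packet

    def run(self, packets):
        for pkt in packets:
            if self.inspect(pkt) == "deliver":
                self.delivered.append(pkt)
        return self


# Constructed traffic: normal browsing, one signature hit, then a port sweep.
TRAFFIC = (
    [{"src": "10.1.1.7", "dport": 80, "payload": b"GET /index.html"},
     {"src": "203.0.113.9", "dport": 80, "payload": b"GET /../../secret"},
     {"src": "203.0.113.9", "dport": 22, "payload": b""},
     {"src": "10.1.1.7", "dport": 443, "payload": b"ClientHello"}]
    + [{"src": "198.51.100.4", "dport": p, "payload": b""} for p in (21, 22, 23, 25, 80)]
)


def scenario(mode):
    """Run the constructed traffic through a sensor and summarise what happened."""
    s = Sensor(mode).run(TRAFFIC)
    return {"delivered": len(s.delivered), "alerts": len(s.syslog),
            "blocked": sorted(s.firewall_blocks)}


if __name__ == "__main__":
    print("NIDS:", scenario("NIDS"))
    print("NIPS:", scenario("NIPS"))
```

Both modes raise the same two alerts and request the same two firewall blocks. The NIDS still delivers all nine packets, because its block request only takes effect once something else acts on it; the NIPS drops the signature hit, every later packet from that source, and the fifth packet of the sweep, so three fewer packets reach the network. The price of in-line prevention is that a false-positive signature now drops legitimate traffic rather than merely logging it.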

Page 25: Internet Content Filters

Internet content filters
– Monitor Internet traffic and block access to preselected Web sites (virus-infected, hacking, adult Web sites) and files (e.g. executable programs, audio, video, archive files)
– A requested Web page is only displayed if it complies with the specified filters
– Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords
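The decision logic that a proxy server (page 15) applies when it acts as an Internet content filter (this page), as an added example that is not code from the slides or the textbook. The proxy retrieves the page on the user's behalf, so the remote site only ever sees the proxy's address, and the page is handed to the user only if it passes three checks: the URL's host against a blocklist, the requested file type, and keywords in the retrieved page. The blocked hosts, extensions, keywords and the in-memory "web" are constructed; `fetch` stands in for the proxy's outbound HTTP request.

```python
# Added example (not from the slides): the filtering decisions of a content-
# filtering proxy.  Hosts, extensions, keywords and FAKE_WEB are constructed;
# fetch(url) stands in for the proxy retrieving the page on the user's behalf.
from urllib.parse import urlsplit

BLOCKED_HOSTS = {"malware.example", "hacking.example"}            # URL-based restriction
BLOCKED_KEYWORDS = {"warez", "keygen"}                            # keyword-based restriction
BLOCKED_EXTENSIONS = {".exe", ".msi", ".mp3", ".mp4", ".zip", ".rar"}  # file-type restriction


def classify(url, page_text=""):
    """Return 'allowed' or the reason the request or page is blocked."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host in BLOCKED_HOSTS or any(host.endswith("." + h) for h in BLOCKED_HOSTS):
        return "blocked-url"
    if any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS):
        return "blocked-filetype"
    if any(k in page_text.lower() for k in BLOCKED_KEYWORDS):
        return "blocked-keyword"
    return "allowed"


def proxy_fetch(url, fetch):
    """Process the user's request: filter on the URL before fetching, then on
    the retrieved content, and hand back either the page or a block notice."""
    verdict = classify(url)
    if verdict != "allowed":
        return verdict, "Access to this site is blocked by policy."
    body = fetch(url) or ""
    verdict = classify(url, body)
    if verdict != "allowed":
        return verdict, "Access to this page is blocked by policy."
    return verdict, body


# Constructed stand-in for the Internet: URL -> page body.
FAKE_WEB = {
    "http://news.example/": "Top stories today",
    "http://files.example/tool.exe": "MZ...",
    "http://forum.example/post": "free keygen inside",
    "http://www.hacking.example/x": "never fetched",
}


def demo():
    return {url: proxy_fetch(url, FAKE_WEB.get)[0] for url in FAKE_WEB}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:18} {url}")
```

Checking the URL before fetching means a blocked host is never contacted at all, while the keyword check necessarily happens after the page has been retrieved, which is why the proxy must be the party that fetches it. Host matching uses the suffix rule so that subdomains of a listed host are covered, and the verdict is returned alongside the body so the proxy can log why a request was refused.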

Page 26: Security through Network Technologies

Network Address Translation (NAT)
– Hides the IP addresses of network devices from attackers
– In a network using NAT, computers are assigned special IP addresses known as private addresses:
  • IP addresses not assigned to any specific user or organization
  • Function as regular IP addresses on an internal network
  • Non-routable addresses

Page 27: Security through Network Technologies (continued)

Network Address Translation (NAT) (cont.)
– NAT removes the private IP address from the sender's packet
  • And replaces it with an alias IP address
– When a packet is returned to NAT, the process is reversed
– An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender

Page 28: Security through Network Technologies (continued) [figure]

Page 29: Security through Network Technologies (continued)

Network Address Translation (NAT) (cont.)
– Port address translation (PAT)
  • A variation of NAT
  • Each packet is given the same IP address but a different TCP port number
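The translation described on pages 27 and 29 in code, as an added example that is not from the slides or the textbook. Every outbound packet leaves with the same alias address but its own translated source port, the table entry created on the way out is used to reverse the translation for the reply, and an inbound packet that matches no entry is dropped. The private addresses (192.168.1.x), the alias 203.0.113.5, the remote hosts and the starting port 40000 are constructed.

```python
# Added example (not from the slides): a port address translation (PAT) table.
# Private hosts 192.168.1.x, alias 203.0.113.5, remote hosts and the starting
# port 40000 are constructed for the demonstration.
from dataclasses import dataclass, replace
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortAddressTranslator:
    def __init__(self, alias_ip, first_port=40000):
        self.alias_ip = alias_ip
        self._ports = itertools.count(first_port)
        # translated port -> (private ip, private port, remote ip, remote port)
        self.table = {}

    def outbound(self, pkt):
        """Replace the private source address with the alias address and a
        port that is unique to this conversation."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for alias_port, entry in self.table.items():
            if entry == key:
                break                       # reuse the existing mapping
        else:
            alias_port = next(self._ports)
            self.table[alias_port] = key
        return replace(pkt, src_ip=self.alias_ip, src_port=alias_port)

    def inbound(self, pkt):
        """Reverse the translation for a reply; anything with no table entry,
        or from a host other than the one the entry was opened to, is dropped."""
        if pkt.dst_ip != self.alias_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """Two private hosts, both using source port 51000, reach the same server."""
    nat = PortAddressTranslator("203.0.113.5")
    a = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    b = nat.outbound(Packet("192.168.1.11", 51000, "198.51.100.20", 80))
    reply_a = nat.inbound(Packet("198.51.100.20", 80, "203.0.113.5", a.src_port))
    stray = nat.inbound(Packet("198.51.100.99", 80, "203.0.113.5", 40005))
    return a, b, reply_a, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both inside hosts happen to use source port 51000, so the alias address alone could not tell their replies apart; the translated port (40000 versus 40001) is what does. Anything captured on the Internet side carries only 203.0.113.5, and an unsolicited inbound packet is dropped for want of a table entry, which is the same property the stateful firewall relied on earlier.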

Page 30: Crafting a Secure Network

A common mistake in network security
– Attempt to patch vulnerabilities in a weak network that was poorly conceived and implemented from the start

Securing a network rests on the design of the network and includes secure network technologies (cited in the beginning of the chapter), as well as network security devices

Page 31: Security through Network Design

Subnetting
– IP addresses are actually two addresses: one part is a network address and one part is a host address
– Two addressing techniques:
  1. Classful addressing
     • The split between the network and host portions of the IP address originally was set on the boundaries between the bytes
  2. Subnetting or subnet addressing
     • Allows an IP address to be split anywhere
     • Networks can essentially be divided into three parts: network, subnet, and host

Page 32: Security through Network Design [figure]

Page 33: Security through Network Design (continued)

• Security advantages of subnetting:
  – Security is enhanced by subnetting a single network
    • Multiple smaller subnets isolate groups of hosts
  – Network administrators can utilize network security tools
    • Makes it easier to regulate who has access in and out of a particular subnetwork
  – Subnets also allow network administrators to hide the internal network layout
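The three-part split of page 31 and the isolation argument of page 33, worked through with Python's standard `ipaddress` module as an added example (not code from the slides or the textbook). The classful boundary is derived from the first octet; a subnet mask then moves the boundary to any bit, and the bits between the two boundaries are the subnet part. The addresses and prefixes used are constructed.

```python
# Added example (not from the slides): network / subnet / host split of an
# address under classful addressing versus subnetting, using the standard
# library.  Addresses and prefix lengths are constructed.
import ipaddress


def classful_prefix(ip):
    """Original classful split: the first octet decides the network/host boundary."""
    first = int(str(ip).split(".")[0])
    if first < 128:
        return 8       # class A: 1 byte network, 3 bytes host
    if first < 192:
        return 16      # class B: 2 bytes network, 2 bytes host
    if first < 224:
        return 24      # class C: 3 bytes network, 1 byte host
    raise ValueError("not a unicast class A/B/C address")


def split_address(ip_str, subnet_prefix):
    """Return the network, subnet and host bit strings of ip_str for a mask of
    subnet_prefix bits, plus the subnet the address belongs to."""
    ip = ipaddress.ip_address(ip_str)
    class_bits = classful_prefix(ip)
    if not class_bits <= subnet_prefix <= 32:
        raise ValueError("subnet prefix must lie between the classful boundary and 32")
    bits = f"{int(ip):032b}"
    return {
        "network_bits": bits[:class_bits],
        "subnet_bits": bits[class_bits:subnet_prefix],
        "host_bits": bits[subnet_prefix:],
        "subnet": str(ipaddress.ip_network(f"{ip_str}/{subnet_prefix}", strict=False)),
    }


def same_subnet(a, b, prefix):
    """True when both hosts fall inside one subnet, i.e. traffic between them
    never has to cross a router where access could be regulated."""
    return ipaddress.ip_address(b) in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def carve(network_str, new_prefix):
    """Divide one network into equal subnets, one per group of hosts to isolate."""
    return [str(n) for n in ipaddress.ip_network(network_str).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(split_address("172.16.35.7", 20))
    print(carve("192.168.0.0/24", 26))
```

For 172.16.35.7 with a /20 mask the classful class-B boundary gives 16 network bits, the mask adds four subnet bits, and twelve host bits remain; 172.16.40.1 shares the subnet 172.16.32.0/20 while 172.16.50.1 does not, so a filter placed at the subnet's router sees all traffic between the two. Carving 192.168.0.0/24 into /26 blocks yields four subnets of 62 usable hosts each, one per group to isolate.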

Page 34: Security through Network Design (continued)

Virtual LANs (VLAN)
– Segment a network with switches to divide the network into a hierarchy
– A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches
  • Core switches reside at the top of the hierarchy and carry traffic between switches
  • Workgroup switches are connected directly to the devices on the network

Page 35: Security through Network Design (continued)

• Virtual LAN (cont.)
  • Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
  – Can reduce network traffic and provide a degree of security similar to subnetting:
    • VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN

Page 36: Security through Network Design (continued) [figure]

Page 37: Security through Network Design (continued) [figure]

Page 38: Security through Network Design (continued)

Demilitarized Zone (DMZ)
– A separate network that sits outside the secure network perimeter
– Outside users can access the DMZ but cannot enter the secure network
– Two configurations:
  • Single firewall with three network interfaces: Internet, DMZ, secure internal LAN (single point of failure for the network)
  • Two firewalls (more secure)
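The zone policy of the single-firewall, three-interface configuration above, as an added example that is not code from the slides or the textbook. The firewall classifies each packet by the zone its source and destination belong to and consults a zone-to-zone table whose default is deny; the table encodes the slide's rule that outside users may reach the DMZ but not the secure network. The address ranges, the public ports 80 and 443, and the choice to let DMZ hosts reach the Internet only on port 53 are assumptions of this example.

```python
# Added example (not from the slides): zone-to-zone policy for a single
# firewall with Internet, DMZ and LAN interfaces.  Address ranges, allowed
# ports and the DMZ-to-Internet exception are assumptions of this example.
import ipaddress

# Interface -> attached network.  Anything not in a listed network is "Internet".
INTERFACES = {
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
}

# (from zone, to zone) -> allowed destination ports, or "any".
# Pairs that are absent are denied; in particular Internet -> LAN and
# DMZ -> LAN, so a compromised DMZ server cannot enter the secure network.
POLICY = {
    ("Internet", "DMZ"): {80, 443},   # public services only
    ("LAN", "DMZ"): "any",            # staff use and manage the DMZ servers
    ("LAN", "Internet"): "any",
    ("DMZ", "Internet"): {53},        # DMZ hosts may only resolve names outward
}


def zone_of(ip_str):
    """Map an address to the interface (zone) it sits behind."""
    ip = ipaddress.ip_address(ip_str)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "Internet"


def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a packet crossing the firewall."""
    allowed = POLICY.get((zone_of(src_ip), zone_of(dst_ip)))
    if allowed is None:
        return "deny"
    if allowed == "any" or dst_port in allowed:
        return "allow"
    return "deny"


def audit(packets):
    """Evaluate a list of (src, dst, port) and return the verdicts."""
    return [decide(*p) for p in packets]


if __name__ == "__main__":
    for pkt in [("203.0.113.8", "192.168.100.10", 443),   # Internet -> DMZ web
                ("203.0.113.8", "10.10.5.5", 443),        # Internet -> LAN
                ("192.168.100.10", "10.10.5.5", 445)]:    # DMZ -> LAN
        print(pkt, decide(*pkt))
```

The table is deliberately stateless so that the zone logic stays visible; a real deployment pairs it with the connection tracking shown for the stateful firewall, otherwise replies from the Internet to LAN clients would have no matching rule. Splitting the same policy across two firewalls (one between the Internet and the DMZ, one between the DMZ and the LAN) removes the single point of failure the slide mentions, since a fault in the outer firewall still leaves the inner one between the DMZ and the secure network.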

Page 39: Security through Network Design (continued) [figure]

Page 40: Security through Network Design (continued) [figure]

Page 41: Security through Network Design (continued) [figure]

Page 42: Summary

• Different network security devices can be installed to make a network more secure
• Network technologies can also help secure a network
  – Network address translation (NAT)
• Network intrusion detection systems (NIDS) monitor the network for attacks and, if one is detected, will alert personnel or perform limited protection activities

Page 43: Summary (continued)

• Subnetting involves dividing a network into subnets that are connected through a series of routers
• Similar to subnetting, a virtual LAN (VLAN) allows users who may be scattered across different floors of a building or campuses to be logically grouped
• Internet content filters monitor Internet traffic and block attempts to visit restricted sites
