Security+ Guide to Network Security Fundamentals, Third Edition
Chapter 5
Network Defenses
Objectives
• List the different types of network security devices (firewalls, proxy servers, honeypots, network intrusion detection/prevention systems) and explain how they can be used.
• Present Network Address Translation (NAT) technology, used to enhance network security.
• Discuss security through network design (subnetting, VLANs, DMZs).
Applying Network Security Devices
Several network security devices can be used to protect the network from attacks. These include:
• Firewalls
• Proxy servers
• Honeypots
• Host and network intrusion detection systems
• Host and network intrusion prevention systems
Firewall
– Typically used to filter packets
– Sometimes called a packet filter
– Designed to prevent malicious packets from entering the network
– A firewall can be software-based or hardware-based
Firewall (continued)
The basis of a firewall is a rule base. It establishes what action the firewall should take when it receives a packet (allow, block, or prompt).
Packets can be filtered in one of two ways:
1. Stateless packet filtering
  • Looks at the incoming packet and permits or denies it based strictly on the rule base
2. Stateful packet filtering
  • Keeps a record of the state of a connection between an internal computer and an external server
  • Then makes decisions based on the connection as well as the rule base
[Figures: stateless packet firewall and stateful packet firewall, each shown handling a requested web page and an unsolicited file]

Rule base table in the firewall:
Rule  Source IP  Source Port  Destination IP  Destination Port  Action  Time
1     Any        80           198.146.118.20  80                Allow   Any

Stateless packet firewall, requested page: (1) the user at 198.146.118.20 requests a web page from CNN.com over the Internet; (2) CNN.com replies "Here is the page you asked for"; (3) the requested webpage is delivered.

Stateless packet firewall, unsolicited file: (1) a hacker sends "Here is the file you asked for" with destination address 198.146.118.20; (2) the packet passes the rule base and the received file is a virus.

Stateful packet firewall, requested page: the current state table records Source IP 198.146.118.20, Destination IP 206.23.19.4 (CNN.com); steps (1) to (3) as above, and the requested webpage is delivered.

Stateful packet firewall, unsolicited file: the hacker's packet from 216.249.118.20 is denied because it was not requested by the user: "No current relationship between 198.146.118.20 and 216.249.118.20" in the current state table.
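The four figures above replayed in code: an added example, not part of the textbook, that simulates the rule base from the figures with a stateless filter and a stateful filter. The user, CNN.com and hacker addresses are the ones shown in the figures; the ephemeral source port of the user's request is a constructed value.

```python
from collections import namedtuple

# Hosts as labelled in the chapter's figures.
USER, CNN, HACKER = "198.146.118.20", "206.23.19.4", "216.249.118.20"
# Rule base from the figures: rule 1 allows any source, port 80 -> 198.146.118.20:80.
RULE_BASE = [{"src_ip": "Any", "src_port": 80, "dst_ip": USER, "dst_port": 80, "action": "Allow"}]
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

def _matches(rule, pkt):
    # "Any" in a rule field matches every value of that packet field.
    return all(rule[f] in ("Any", getattr(pkt, f))
               for f in ("src_ip", "src_port", "dst_ip", "dst_port"))

def stateless_filter(pkt, rules=RULE_BASE):
    # Stateless filtering: decide strictly from the rule base, default deny.
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return "Block"

class StatefulFilter:
    # Stateful filtering: rule base plus a record of connections the user opened.
    def __init__(self, rules=RULE_BASE):
        self.rules = rules
        self.state = set()   # current state: {(internal IP, external IP)}

    def outbound(self, pkt):
        self.state.add((pkt.src_ip, pkt.dst_ip))   # step 1: user requests a page
        return "Allow"

    def inbound(self, pkt):
        if stateless_filter(pkt, self.rules) != "Allow":
            return "Block"                          # rule base denies it
        if (pkt.dst_ip, pkt.src_ip) not in self.state:
            return "Block"                          # no current relationship
        return "Allow"

def scenario():
    # Replay the four figures: the requested page and an unsolicited "file".
    fw = StatefulFilter()
    fw.outbound(Packet(USER, 49152, CNN, 80))       # constructed ephemeral source port
    reply = Packet(CNN, 80, USER, 80)               # "Here is the page you asked for"
    unsolicited = Packet(HACKER, 80, USER, 80)      # "Here is the file you asked for"
    return {"stateless_reply": stateless_filter(reply),
            "stateless_unsolicited": stateless_filter(unsolicited),
            "stateful_reply": fw.inbound(reply),
            "stateful_unsolicited": fw.inbound(unsolicited)}
```

The stateless filter lets the hacker's packet through because it matches rule 1 just as the CNN.com reply does; only the stateful filter notices that no connection to 216.249.118.20 was ever opened.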
Firewall (continued)
• Personal software firewalls
  – Improved their functionality:
    • Most personal software firewalls today also filter outbound traffic as well as inbound traffic
    • Protects users by preventing malware from connecting to other computers and spreading
  – Disadvantage: It is only as strong as the operating system of the computer
Firewall (continued)
• Hardware firewalls
  – Run their own OS
  – Usually located outside the network security perimeter as first line of defense
  – Disadvantage: Can be expensive
Proxy Server
Proxy server
– A computer system (or an application program) that
intercepts internal user requests and then processes that
request on behalf of the user
– Goal is to hide the IP address of client systems inside the
secure network (Similar to NAT)
– Can alter the client’s request or the server’s response to
prevent unauthorized Web pages from being displayed
15
Honeypot
– Intended to trap or trick attackers
– A computer typically located in a DMZ that is loaded with software and data files that appear to be authentic
  • Yet they are actually imitations of real data files
– Three primary purposes of a honeypot:
  • Deflect attention
  • Early warnings of new attacks
  • Examine attacker techniques
Host and Network Intrusion Detection Systems (HIDS/NIDS)
Intrusion Detection System (IDS)
– It attempts to identify inappropriate activity in the network.
– Two types of IDS:
  1. Host Intrusion Detection Systems (HIDS)
  2. Network Intrusion Detection Systems (NIDS)
Host and Network Intrusion Detection Systems (HIDS/NIDS) (continued)
Host Intrusion Detection Systems (HIDS)
– Attempt to monitor and possibly prevent attempts to intrude into a system and network resources
– HIDS are software-based and run on a local computer and can be divided into four groups:
  • File system monitors
  • Logfile analyzers
  • Connection analyzers
  • Kernel analyzers
– HIDS work on the principle of comparing new behavior against normal behavior
Host and Network Intrusion Detection Systems (HIDS/NIDS) (continued)
Network Intrusion Detection System (NIDS)
– Watches for attempts to penetrate a network
– NIDS work on the principle of comparing new behavior against normal or acceptable behavior
– A NIDS looks for suspicious patterns
Network Intrusion Detection Systems (NIDS) (continued)
• Functions a NIDS can perform:
  – Configure the firewall to filter out the IP address of the intruder
  – Launch a separate program to handle the event
  – Play an audio file that says "Attack is taking place"
  – Save the packets in a file for further analysis
  – Send an entry to a system log file
  – Send e-mail, page, or a cell phone message to alert the network administrator
  – Force a TCP session to terminate
Host and Network Intrusion Prevention Systems (HIPS/NIPS)
Intrusion Prevention System (IPS)
– Finds malicious traffic and deals with it immediately
– A typical IPS response may be to block all incoming traffic on a specific port
– Two types of IPS:
  1. Host intrusion prevention systems (HIPS)
  2. Network intrusion prevention systems (NIPS)
Host and Network Intrusion Prevention Systems (HIPS/NIPS) (continued)
Host Intrusion Prevention Systems (HIPS)
– Installed on each system that needs to be protected
– Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks
– Most HIPS monitor desktop functions such as:
  • System calls
  • File system access
– HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls
– HIPS provide an additional level of security that is proactive instead of reactive
Host and Network Intrusion Prevention Systems (HIPS/NIPS) (continued)
Network Intrusion Prevention Systems (NIPS)
– Work to protect the entire network and all devices that are connected to it
– By monitoring network traffic, NIPS can immediately react to block a malicious attack
– NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events
  • Can drop malicious traffic based on their configuration or security policy
Internet Content Filters
– Monitor Internet traffic and block access to preselected Web sites (virus-infected, hacking, adult Web sites) and files (e.g. executable programs, audio, video, archive files)
– A requested Web page is only displayed if it complies with the specified filters
– Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords
Security through Network Technologies
Network Address Translation (NAT)
– Hides the IP addresses of network devices from attackers
– In a network using NAT, computers are assigned special IP addresses known as private addresses:
  • IP addresses not assigned to any specific user or organization
  • Function as regular IP addresses on an internal network
  • Non-routable addresses
Security through Network Technologies (continued)
Network Address Translation (NAT) (cont.)
– NAT removes the private IP address from the sender's packet
  • And replaces it with an alias IP address
– When a packet is returned to NAT, the process is reversed
– An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender
Security through Network Technologies (continued)
Network Address Translation (NAT) (cont.)
– Port address translation (PAT)
  • A variation of NAT
  • Each packet is given the same IP address but a different TCP port number
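The NAT and PAT behaviour described in the last two slides, as an added example that is not from the textbook: a minimal PAT gateway that swaps the private source address for one alias IP plus a unique port on the way out, reverses the mapping on the way back, and drops returning packets that match no translation. The alias address, the private hosts and the web server address are constructed values from the documentation ranges.

```python
PUBLIC_IP = "203.0.113.10"      # constructed alias (public) address of the gateway
WEB_SERVER = "198.51.100.20"    # constructed external web server

class PatGateway:
    # Port address translation: one alias IP, a different port per internal flow.
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}          # (private_ip, private_port) -> alias port
        self.reverse = {}        # alias port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        # Remove the private source address and replace it with the alias IP
        # and an alias port that identifies this internal host and port.
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # Reverse the translation for a returning packet; anything addressed to
        # an alias port with no mapping has no internal recipient and is dropped.
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        private_ip, private_port = self.reverse[dst_port]
        return (src_ip, src_port, private_ip, private_port)

def demo():
    # Two internal hosts reuse the same private source port; PAT keeps them apart.
    gw = PatGateway()
    first = gw.outbound("192.168.1.10", 51000, WEB_SERVER, 80)
    second = gw.outbound("192.168.1.11", 51000, WEB_SERVER, 80)
    reply = gw.inbound(WEB_SERVER, 80, PUBLIC_IP, first[1])    # returned to host .10
    stray = gw.inbound("192.0.2.99", 80, PUBLIC_IP, 9999)      # no mapping: dropped
    return first, second, reply, stray
```

An observer on the Internet sees only 203.0.113.10 with ports 40000 and 40001 in the two outbound packets; the private 192.168.1.x addresses never leave the gateway.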
Crafting a Secure Network
A common mistake in network security
– Attempt to patch vulnerabilities in a weak network that was poorly conceived and implemented from the start
Securing a network rests on the design of the network and includes secure network technologies (cited in the beginning of the chapter), as well as network security devices
Security through Network Design
Subnetting
– IP addresses are actually two addresses: one part is a network address and one part is a host address
– Two addressing techniques:
  1. Classful addressing
    • The split between the network and host portions of the IP address originally was set on the boundaries between the bytes
  2. Subnetting or subnet addressing
    • Allows an IP address to be split anywhere
    • Networks can essentially be divided into three parts: network, subnet, and host
Security through Network Design (continued)
• Security advantages of subnetting:
  – Security is enhanced by subnetting a single network
    • Multiple smaller subnets isolate groups of hosts
  – Network administrators can utilize network security tools
    • Makes it easier to regulate who has access in and out of a particular subnetwork
  – Subnets also allow network administrators to hide the internal network layout
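The classful split, the three-part network/subnet/host split, and the isolation of host groups from the last two slides, worked in code as an added example (not from the textbook). The sample address 172.16.45.7 and the /20 subnet mask are constructed values.

```python
import ipaddress

def classful_prefix(ip):
    # Classful addressing: the network/host split falls on a byte boundary
    # chosen by the first octet (class A: 8 bits, class B: 16, class C: 24).
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("not a class A, B or C address")

def split_address(ip, subnet_prefix):
    # Subnet addressing: the same address split into network, subnet and host
    # parts, with the subnet boundary placed anywhere past the classful one.
    net_bits = classful_prefix(ip)
    if subnet_prefix < net_bits:
        raise ValueError("subnet mask cannot be shorter than the classful network")
    addr = int(ipaddress.IPv4Address(ip))
    network = addr >> (32 - net_bits)
    subnet = (addr >> (32 - subnet_prefix)) & ((1 << (subnet_prefix - net_bits)) - 1)
    host = addr & ((1 << (32 - subnet_prefix)) - 1)
    return {"network": network, "subnet": subnet, "host": host,
            "subnet_bits": subnet_prefix - net_bits, "host_bits": 32 - subnet_prefix}

def same_subnet(ip_a, ip_b, prefix):
    # Hosts in different subnets only reach each other through a router,
    # which is where access in and out of a subnetwork can be regulated.
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a

def example():
    # 172.16.45.7 is class B; a /20 mask borrows 4 bits from the host part.
    parts = split_address("172.16.45.7", 20)
    neighbour = same_subnet("172.16.45.7", "172.16.47.200", 20)   # 172.16.32.0/20
    isolated = same_subnet("172.16.45.7", "172.16.48.1", 20)      # 172.16.48.0/20
    return parts, neighbour, isolated
```

Under the classful /16 both hosts share one flat network; under /20 the second host lands in a separate subnet and its traffic must cross a router to reach the first.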
Security through Network Design (continued)
Virtual LANs (VLAN)
– Segment a network with switches to divide the network into a hierarchy
– A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches
  • Core switches reside at the top of the hierarchy and carry traffic between switches
  • Workgroup switches are connected directly to the devices on the network
Security through Network Design (continued)
• Virtual LAN (cont.)
  • Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
  – Can reduce network traffic and provide a degree of security similar to subnetting:
    • VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN
Security through Network Design (continued)
Demilitarized Zone (DMZ)
– A separate network that sits outside the secure network perimeter
– Outside users can access the DMZ but cannot enter the secure network
– Two configurations:
  • Single firewall with three network interfaces: Internet, DMZ, secure internal LAN (single point of failure for the network)
  • Two firewalls (more secure)
Summary
• Different network security devices can be installed to make a network more secure
• Network technologies can also help secure a network
  – Network address translation (NAT)
• Network intrusion detection systems (NIDS) monitor the network for attacks and if one is detected will alert personnel or perform limited protection activities
Summary (continued)
• Subnetting involves dividing a network into subnets that are connected through a series of routers
• Similar to subnetting, a virtual LAN (VLAN) allows users who may be scattered across different floors of a building or campuses to be logically grouped
• Internet content filters monitor Internet traffic and block attempts to visit restricted sites