Transcript Slide 1

Security Network Architecture
& Design
Domain Objectives
• Discuss the concepts of network security
• Understand security risks
• Provide the business context for network security
2
Information Security TRIAD
[Figure: triangle with Information Security at the center and Confidentiality, Integrity and Availability at the three corners]
3
Domain Agenda
• Basic Concepts
• OSI Framework
4
Network & Telecommunications
• Network Security
  • Network Structures
  • Transmission Methods
  • Transport Formats
  • Security Measures
• Network Security is the cornerstone for business operations
5
Network Models
• Models
• OSI Reference Model
• TCP/IP Model
6
OSI Reference Model
• Layer 1: Physical Layer
• Layer 2: Data Link Layer
• Layer 3: Network Layer
• Layer 4: Transport Layer
• Layer 5: Session Layer
• Layer 6: Presentation Layer
• Layer 7: Application Layer
7
OSI Reference Model
• Encapsulation
• Layering
[Figure: the seven OSI layers stacked on Host 1 and Host 2 (Application, Presentation, Session, Transport, Network, Data Link, Physical); peer layers on the two hosts communicate, with the physical path running through the Physical Layer]
8
OSI Model Layer 1: Physical Layer
• Bits are converted into signals
• All signal processing
• Physical Topologies
9
OSI Model Layer 2: Data Link Layer
• Connects layer 1 and 3
• Converts information
• Transmits frames to devices
• Link Layer encryption
10
OSI Model Layer 3: Network Layer
• Moves information between two hosts that are not physically connected
• Uses logical addressing
• Internet Protocol (IP)
11
OSI Model Layer 4: Transport Layer
• End-to-end Transport between Peer Hosts
• Connection Oriented and Connectionless Protocols
12
OSI Model Layer 5: Session Layer
• Manages logical persistent connection
• Three Modes
• Full Duplex
• Half Duplex
• Simplex
13
OSI Model Layer 6: Presentation Layer
• Ensures a common format to data
• Services for encryption and compression
14
OSI Model Layer 7: Application Layer
• The application layer is not the application
• Performs communication between peer applications
• Least control of network security
15
TCP/IP Model
• Originated by the U.S. Department of Defense
• Functions like the OSI Model
• Supports the TCP/IP Protocol
• Application layer is unique
16
TCP/IP Model
17
TCP/IP Protocol Stack
[Figure: protocol stack, top to bottom]
• Application
• TCP, UDP
• IP, IGMP, ICMP
• ARP, Hardware Interface, PPP
• Network Connection
18
Network Security and Risks
• Network is the key asset in many organizations
• Network Attacks
19
Network-based Attacks
• Network as a Channel for Attacks
• Network as the Target of Attack
20
Network as a Bastion of Defense
• Security controls built around social, organizational, procedural and technical activities
• Based on the organization's security policy
21
Network Security Objectives and Attacks
• Business Risk versus Security Solutions
• Attacks Scenarios
• Network Entry Point - in Both Directions
• Outside-in
• Inside-out
22
Methodology of an Attack
• Attack Trees
• Path of Least Resistance
[Figure: Methodology of an Attack in four steps: 1 Target Acquisition, 2 Target Analysis, 3 Target Access, 4 Target Appropriation]
23
Target Acquisition (step 1)
• Attacks start by intelligence gathering
• Means of intelligence gathering
• Countermeasures
  • Limit information on a network
  • Distract an attacker
24
Target Analysis (step 2)
• Analyze identified target for security weaknesses
• Tools available
• Target analysis
25
Target Access (step 3)
• Obtain access to the system
• Manage user privileges
• Monitor access
26
Target Appropriation (step 4)
• Escalate privileges
• Attacker may seek sustained control of the system
• Countermeasures against privilege escalation
27
Network Security Tools
• Tools automate processes
• Network security is more than just technical implementations
28
Network Scanners
• Discovery Scanning
• Compliance Scanning
• Vulnerability Scanning
29
Domain Agenda
• Basic Concepts
• OSI Framework
• Layer 1: Physical Layer
30
Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation
31
Communication Technology
• Analog and Digital Communications
• Digital communication brings quantitative and qualitative enhancements
32
Analog Communication
• Analog signals use electronic properties
• Transmitted on wires or with wireless devices
33
Digital Communication
• Uses two electronic states
• Can be transmitted over most media
• Integrity of digital communication is less difficult to maintain
34
Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation
35
Network Topology
• Even small networks are complex
• Network topology and layout affect scalability and security
• Wireless networks have a topology
[Figure: network topologies: Mesh, Ring, Star, Tree, Bus]
36
Bus
• LAN with a central cable to which all nodes connect
• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Bus failure
37
Tree
• Devices connect to a branch on the network
• Advantages
• Scalable
• Permits node failure
• Disadvantages
• Failures will split the network
38
Ring
• Closed-loop Topology
• Advantages
• Deterministic
• Disadvantages
• Single Point of Failure
39
Mesh
• All nodes are connected with each other
• Advantages
• Redundancy
• Disadvantages
• Expensive
• Complex
• Scalability
40
Star
• All of the nodes connected to a central device
• Advantages
• Permits node/cable failure
• Scalable
• Disadvantages
• Single point of failure
41
Security Perimeter
• The first line of defense between trusted and untrusted networks
• No direct physical connection between trusted and untrusted networks
• Security perimeter is the most widely used implementation of network partitioning
42
Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation
43
Technology and Implementation
• Physical networks employ a wide variety of cabling technologies and components
• Wireless networks use frequency ranges and encryption/authentication
44
Cable
• Cable Selection Considerations
  • Throughput
  • Distance between Devices
  • Data Sensitivity
  • Environment
45
Twisted Pair
• One of the Simplest and Cheapest Cabling Technologies
• Unshielded (UTP) or Shielded (STP)
46
Unshielded Twisted Pair (UTP)
Category | Transmission Rate | Use
Category 1 | < 1 Mbps | Analog voice and basic rate interface (BRI) in Integrated Services Digital Network (ISDN)
Category 2 | < 4 Mbps | 4 Mbps IBM Token Ring LAN
Category 3 | 16 Mbps | 10Base-T Ethernet
Category 4 | 20 Mbps | 16 Mbps Token Ring
Category 5 | 100 Mbps | 100Base-TX and Asynchronous Transfer Mode (ATM)
Category 5e | 1000 Mbps | 1000Base-T Ethernet
Category 6 | 1000 Mbps | 1000Base-T Ethernet
47
Coaxial Cable (Coax)
• Conducting wire is thicker than twisted pair
• Bandwidth
• Length
• Expensive and physically stiff
48
Fiber Optics
• Three Components
• Light Source
• Optical Fiber Cable
• Light Detector
• Advantages
• Disadvantages
49
Patch Panels
• Provides physical cross-connect point for devices
• Alternative to directly connecting devices
• Centralized management
50
Modem
• Converts a digital signal to analog
• Provides little security
• Unauthorized modems
51
Wireless Transmission Technologies
• Include WLANs, Bluetooth and Mobile Telephony
52
Wireless Transmission Technologies
[Figure: radio spectrum chart from 0 MHz to 38 GHz, distinguishing Licensed Radio Frequencies from Unlicensed Radio Frequencies]
• AM Radio (535 – 1605 KHz)
• FM Radio (88 – 108 MHz)
• VHF TV (174 – 216 MHz)
• UHF TV (512 – 806 MHz)
• Analog Cellular (824 – 894 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• Digital Cellular (1850 – 1900 MHz)
• 802.11b/g, Bluetooth, Phones (2.4 GHz)
• 802.11a/h, Phones (5 GHz)
53
Wireless Multiplexing Technologies
Technology | Principle | Objective
Direct Sequence Spread Spectrum (DSSS) | Spread transmission over a wider frequency band | Signal less susceptible to noise
Frequency Hopping Spread Spectrum (FHSS) | Spread signal over rapidly changing frequencies | Interference at one frequency will only have a short term effect
Orthogonal Frequency Division Multiplexing (OFDM) | Signal is subdivided into sub frequency bands | Split high bandwidth transmission into low BW transmissions
54
Other Multiplexing Technologies
Technology | Principle | Objective
Frequency Division Multiple Access (FDMA) | Divide frequency into sub bands | Open several low bandwidth channels
Time Division Multiple Access (TDMA) | Split transmission by time slices | Multiplexing between participants
Code Division Multiple Access (CDMA) | Multiplex several signals into one signal | Multiplexing is performed on a digital level
55
Mobile Telephony
• Mobile telephony is undergoing a rapid development
• Most common mobile phone technology is still GSM (Global Service for Mobile Communications)
56
Domain Agenda
• Basic Concepts
• OSI Framework
• Layer 2: Data Link Layer
57
Layer 2: Data Link Layer
• Concerned with sending frames to the next link
• Determines network transmission format
58
Synchronous/Asynchronous Communications
• Synchronous
  • Timing mechanism synchronizes data transmission
  • Robust Error Checking
  • Practical for High-speed, High-volume Data
• Asynchronous
  • Clocking mechanism is not used
  • Surrounds each byte with bits that mark the beginning and end of transmission
59
Unicast, Multicast, and Broadcast Transmissions
• Multicasts
• Broadcasts
• Do not use reliable sessions
• Unicast
60
Circuit-switched vs. Packet-switched Networks
• Circuit-switched
  • Dedicated circuit between endpoints
  • Endpoints have exclusive use of the circuit and its bandwidth
• Packet-switched
  • Data is divided into packets and transmitted on a shared network
  • Each packet can be independently routed on the network
61
Switched vs. Permanent Virtual Circuits
• Permanent Virtual Circuits
• Switched Virtual Circuits
62
Carrier Sense Multiple Access
• Only one device may transmit at a time
• There are two variations
  • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
  • Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
63
Polling
• Slave device needs permission from a master device
• Used mostly in Mainframe Protocols
• Optional Function of the IEEE 802.11 Standard
64
Token Passing
• Special frame circulates through the ring
• Device must possess the token to transmit
• Token passing is used in Token Ring (IEEE 802.5) and FDDI
65
Ethernet (IEEE 802.3)
• Most Popular LAN Architecture
• Supports bus, star, and point-to-point topologies
• Currently supports speeds up to 1000 Mbps
66
Hubs and Repeaters
• Hubs
• Used to implement a physical star topology
  • All devices can read and potentially modify the traffic of other devices
• Repeaters
• Allows longer distances
67
Bridges
• Layer 2 Devices that filter traffic between segments based on MAC addresses
• Can connect LANs with unlike media types
• Simple bridges do not reformat frames
68
Switches
• Multi-port devices to connect LAN hosts
• Forwards frames only to the specified MAC address
• Becoming more sophisticated
69
Wireless Local Area Networks
• Allows mobile users to remain connected
• Extends LANs beyond physical boundaries
70
Access Points
• Access Point Placement
• Do not count on hiding Access Points
• Rogue Access Points
71
Authentication
• Paramount to the Security of Wireless LANs
• Open Systems Authentication
• Shared Key Authentication
• MAC Address Filtering
• Extensible Authentication Protocol
72
Wireless Encryption
• Wired Equivalent Privacy (WEP)
• WiFi Protected Access (WPA)
• WiFi Protected Access 2 (WPA2)
73
Wireless Encryption
Scheme | Access Control | Authentication | Encryption | Integrity
802.1x Dynamic WEP | 802.1X | EAP methods | WEP | None
Wi-Fi Protected Access | 802.1X or Pre-Shared Key | EAP methods or Pre-Shared Key | TKIP (RC4) | Michael MIC
Wi-Fi Protected Access 2 | 802.1X or Pre-Shared Key | EAP methods or Pre-Shared Key | CCMP (AES Counter Mode) | CCMP (AES CBC-MAC)
74
Wireless Standards
• IEEE 802.11b
• IEEE 802.11a
• IEEE 802.11g
• Bluetooth
75
Address Resolution Protocol (ARP) / RARP
• ARP
• RARP (Reverse ARP)
76
Password Authentication Protocol (PAP)
• Identification and Authentication of Remote Entity
• Uses a clear text, reusable (static) password
• Supported by most network devices
77
Challenge Handshake Authentication Protocol (CHAP)
• Periodically re-validates users
• Standard password database is unencrypted
• Password is sent as a one-way hash
78
Domain Agenda
• Basic Concepts
• OSI Framework
• Layer 3: Network Layer
79
Layer 3: Network Layer
• Architectures Classified by Scale (size)
• TCP/IP at the Network Layer
80
Local Area Network (LAN)
• LANs service a relatively small area
• Most LANs have connectivity to other networks
• VLANs are software based LAN segments implemented by switching technology
81
Wide Area Network (WAN) Description
• A WAN is a network connecting local networks or access points
• Connections are often shared and tunneled through other connections
82
Public Switched Telephone Network (PSTN)
• PSTN is a circuit switched network
• The PSTN may be subject to attacks
[Figure: PSTN hierarchy from top to bottom: Regional Toll Center, Primary Toll Centers, Tandem Offices, Central Offices, Callers]
83
Integrated Services Digital Network (ISDN)
• Uses two types of channels
  • B (Bearer) Channel: 64 kBit/s
  • D (Delta) Channel: 16 kBit/s
• Comes in two varieties
  • BRI (Basic Rate Interface): 2*B+1*D = 144 kBit/s
  • PRI (Primary Rate Interface), North America: 23*B+1*D = 1.55 MBit/s (T1)
  • PRI, Europe and Australia: 30*B+1*D = 2 MBit/s (E1)
84
“T” Carrier
Channel | Multiplex Ratio | Bandwidth
T1 | 1xT1 | 1.544 Mbps
T2 | 4xT1 | 6.312 Mbps
T3 | 7xT2 = 28xT1 | 44.736 Mbps
T4 | 6xT3 = 168xT1 | 274.176 Mbps
85
“E” Carrier
Channel | Multiplex Ratio | Bandwidth
E1 | 1xE1 | 2.048 Mbps
E2 | 4xE1 | 8.848 Mbps
E3 | 4xE2 = 16xE1 | 34.304 Mbps
E4 | 4xE3 = 64xE2 | 139.264 Mbps
86
Digital Subscriber Lines (DSL)
• Uses CAT-3 cables and the local loop
• Asymmetric Digital Subscriber Line (ADSL)
• Rate-adaptive DSL (RADSL)
• Symmetric Digital Subscriber Line (SDSL)
• Very High Bit-rate DSL (VDSL)
[Figure: Customer side (ADSL Modem, Splitter, Voice) connected over the local loop to the Central Office (NID + Splitter, DSLAM, To ISP)]
87
Cable Modem
• PC Ethernet NIC connects to a cable modem
• The modem and head-end exchange cryptographic keys
• Cable modems increase the requirement to observe good security practices
88
X.25
• Protocol developed for unreliable networks
• Has a strong focus on error correction
• Users and hosts connect through a packet-switched network
89
Frame Relay
• FR network cloud of switches
• FR customers share resources
• Customers are charged for used bandwidth only
[Figure: Router with DTE, Frame Relay Cloud, Router with DTE]
90
Asynchronous Transfer Mode (ATM)
• ATM is a connection-oriented protocol
• Uses virtual circuits
• Guarantees QoS but not the delivery of cells
91
Multi-Protocol Label Switching (MPLS)
• Permits traffic engineering
• Provides quality of service (QoS) and defense against network attacks
• Operates at Layer 2 and 3
92
Broadband Wireless
• WiMAX allows the implementation of wireless Metropolitan Area Networks (MANs)
• Improved access when a base station and user are not in line of sight
• Security is based on AES and EAP
93
Wireless Optics
• Two laser transceivers communicate at speeds comparable to SONET
• Wireless optics transmissions are hard to intercept
• Wireless optics can be unreliable during inclement weather
94
Global Area Network (GAN)
• Intranet
• Extranet
• Granting access to external organizations
• Internet
95
TCP/IP at the Network Layer
• TCP/IP protocol suite is the de-facto standard
• Need to provide private communications services over public networks
96
Internet Protocol (IP)
• Internet Protocol (IP) is responsible for sending packets over a network
• Unreliable Protocol
• IP will subdivide packets
• IPv4 Address Structure
  216.25.104.207 = 11011000.00011001.01101000.11001111
97
Internet Protocol (IP)
• Internet Protocol Address Structure
Class | Range of First Octet | Number of Octets for Network Number | Number of Hosts in Network
A | 1-127 | 1 | 16777216
B | 128-191 | 2 | 65536
C | 192-223 | 3 | 256
D | 224-239 | Multicast
E | 240-255 | Reserved
98
Risks and Attacks
• Key shortcoming in IP is its lack of authentication
• Shortcomings in implementation
99
IP Fragmentation Attacks
• Teardrop Attack
• Overlapping Fragment Attacks
100
IP Addressing Spoofing
• Packets are sent with a bogus source address
• SYN Flood
• Takes advantage of a protocol flaw
101
Source Routing Exploitation
• IP allows the sender to specify the path
• Attacker can abuse source routing
• Could allow an external attacker access to an internal network
102
Smurf and Fraggle Attacks
• Smurf attack misuses the ICMP Echo Request
• Fraggle attack uses UDP instead of ICMP
• Ping of Death
103
IPv6
• A larger IP address field
• Improved security
• A more concise IP packet header
• Improved quality of service
104
Routers
• Routers forward packets to other networks
• Routers can be used to interconnect different technologies
105
Firewalls
• Enforce administrative security policies
• Separate trusted networks from untrusted networks
• Firewalls should be placed between security domains
[Figure: firewall separating the Engineering LAN (Engineering Dept. Domain of Trust) from the General LAN Domain of Trust]
106
Firewalls
• Filtering
• Filtering by Address
• Filtering by Service
• Static Packet Filtering
• Stateful Inspection or Dynamic Packet Filtering
• Personal Firewalls
107
Network Address Translation / Port Address Translation
[Figure: Network and Port Address Translation of one outbound packet]
• Inside, before translation: Source IP – 192.168.1.50, Destination IP – 206.121.73.5, Source Port – 1037, Destination Port – 80
• Outside, after translation: Source IP – 199.53.72.2, Destination IP – 206.121.73.5, Source Port – 1058, Destination Port – 80
108
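The translation on the slide, worked as an added example that is not part of the deck: a small port address translation table that rewrites the outbound packet exactly as shown, maps the reply back to the private host, and drops inbound packets that answer no tracked flow. The dict-based packet format, the PatTable class and the 203.0.113.9 probe address are constructed for this example.

```python
# Added example, not from the deck: a minimal port address translation (PAT)
# table built around the slide's addresses. PUBLIC_IP and the starting port
# 1058 come from the slide; the packet format and method names are assumptions.

PUBLIC_IP = "199.53.72.2"


class PatTable:
    """Maps each (private ip, private port, dst ip, dst port) flow to one public port."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=1058):
        self.public_ip = public_ip
        self.next_port = first_port        # next unused public source port
        self.outbound = {}                 # flow key -> public port
        self.inbound = {}                  # public port -> flow key

    def translate_out(self, pkt):
        """Rewrite an outbound packet's source to the public address and a mapped port."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        port = self.outbound.get(key)
        if port is None:                   # first packet of a new flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return {**pkt, "src_ip": self.public_ip, "src_port": port}

    def translate_in(self, pkt):
        """Map a reply back to the private host, or return None to drop it.

        Only packets answering a flow in the table get through; anything aimed at
        the public address with no matching entry is discarded, which is why hosts
        behind NAT/PAT are not directly reachable from outside.
        """
        if pkt["dst_ip"] != self.public_ip:
            return None
        entry = self.inbound.get(pkt["dst_port"])
        if entry is None:
            return None
        priv_ip, priv_port, dst_ip, dst_port = entry
        if (pkt["src_ip"], pkt["src_port"]) != (dst_ip, dst_port):
            return None                    # reply must come from the host the flow was opened to
        return {**pkt, "dst_ip": priv_ip, "dst_port": priv_port}


def slide_example():
    """Translate the slide's packet, map its reply back, and drop an unsolicited packet."""
    table = PatTable()
    inside = {"src_ip": "192.168.1.50", "dst_ip": "206.121.73.5",
              "src_port": 1037, "dst_port": 80}
    outside = table.translate_out(inside)
    reply = {"src_ip": "206.121.73.5", "dst_ip": PUBLIC_IP,
             "src_port": 80, "dst_port": outside["src_port"]}
    # Constructed probe: hits the mapped port but comes from a different host
    unsolicited = {"src_ip": "203.0.113.9", "dst_ip": PUBLIC_IP,
                   "src_port": 4444, "dst_port": 1058}
    return outside, table.translate_in(reply), table.translate_in(unsolicited)
```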
Proxy Firewalls
• Circuit Level Proxy
• Application Level Proxy
109
Firewalls
Firewall Type | OSI Model Layer | Characteristics
Packet Filtering | Network layer | Routers using ACLs dictate acceptable access to a network; looks at destination and source addresses, ports and services requested
Application-level Proxy | Application layer | Deconstructs packets and makes granular access control decisions; requires one proxy per service
110
Firewalls
Firewall Type | OSI Model Layer | Characteristics
Circuit-level Proxy | Session layer | Deconstructs packets; protects a wider range of protocols and services than an app-level proxy, but not with as detailed a level of control
Stateful | Network layer | Keeps track of each conversation using a state table; looks at state and context of packets
111
Network Partitioning
• Boundary Routers
• Dual-homed Host
[Figure: Host Computer With Two Network Cards]
112
Network Partitioning
• Bastion Host
[Figure: Bastion Host placed between the Router and the Network]
• Demilitarized Zone (DMZ)
[Figure: outer Firewall, DMZ with Switch, inner Firewall, internal Network]
113
Network Partitioning
• Three-legged Firewall
[Figure: one Firewall with separate legs to the DMZ and the internal Network]
114
End Systems
• Servers and Mainframes
• Operating Systems
• Notebooks
• Workstations
• Smart Phones
• Personal Digital Assistants
115
Virtual Private Network (VPN)
• Remote access through VPN
[Figure: Telecommuter, Branch Office and Mobile User connect across the Internet to a Network Access Server / VPN Server]
• LAN to LAN configuration
[Figure: two placements of the VPN Server, with encrypted traffic crossing the Internet: (a) VPN Server is behind the firewall, on the LAN; (b) VPN Server is on the DMZ, with the Firewall in front of the LAN]
116
Virtual Private Network (VPN)
• Secure Shell (SSH)
• IPSEC Authentication and Confidentiality for VPNs
• SSL/TLS VPNs
• SOCKS
117
IPSEC Authentication & Confidentiality for VPNs
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Security Associations
• Transport Mode / Tunnel Mode
• Internet Key Exchange (IKE)
[Figure: IPSEC Key Exchange]
118
Tunneling
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)
119
Dynamic Host Configuration Protocol (DHCP)
• Dynamically assigns IP addresses to hosts
• Client does not request a new lease every time
120
Internet Control Message Protocols (ICMP)
• ICMP Redirect Attacks
• Ping of Death
• Traceroute Exploitation
• Ping Scanning
121
Internet Group Management Protocol (IGMP)
• Used for Multicast Messages
• Sets up Multicast Groups
122
Routing Protocols
• Routing Information Protocol (RIP)
• Virtual Router Redundancy Protocol
(VRRP)
123
Domain Agenda
• Basic Concepts
• OSI Framework
• Layer 4: Transport Layer
• Layer 5: Session Layer
124
Layer 4: Transport Layer
• Transmission Control Protocol (TCP)
• Well-known Ports
• Registered Ports
• Dynamic and/or Private Ports
• User Datagram Protocol (UDP)
125
Transmission Control Protocol (TCP) Session
[Figure: TCP session between Host A (active open) and Host B (passive open)]
• Host A -> Host B: SYN(1000)
• Host B -> Host A: SYN(2000), ACK(1001)
• Host A -> Host B: ACK(2001); connection established on both hosts
• Host A <-> Host B: ACK, data
• Host A close: Host A -> Host B: ACK(2300), FIN(1500)
• Host B -> Host A: ACK(1501)
• Host B close: Host B -> Host A: ACK(1501), FIN(2400)
• Host A -> Host B: ACK(2401); connection closed on both hosts
126
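The session above, replayed through the kind of state table the Stateful firewall row earlier in the deck describes; this is an added example, not code from the deck. The slide gives no sequence numbers for its "ACK, data" step, so the payload lengths (499 bytes from A, 299 then 100 bytes from B) are constructed to land on the FIN numbers the slide shows; the TcpTracker class and its check() method are assumptions made for this example.

```python
# Added example, not from the deck: a minimal state-table tracker of the kind a
# stateful-inspection firewall keeps, replayed over the slide's TCP session.
# Data lengths for the slide's "ACK, data" step are constructed (see SLIDE_SESSION).

class TcpTracker:
    """State for one Host A <-> Host B conversation."""

    def __init__(self):
        self.state = "CLOSED"
        self.next_seq = {}  # next sequence number each side is expected to send

    def check(self, side, flags, seq, ack=None, length=0):
        """Accept (True) and advance state, or reject (False) an out-of-state segment."""
        peer = "B" if side == "A" else "A"
        if flags == {"SYN"}:                         # opening SYN: only valid when nothing is tracked
            if self.state != "CLOSED":
                return False
            self.state, self.next_seq = "SYN_SENT", {side: seq + 1}
            return True
        if self.state == "CLOSED" or "ACK" not in flags:
            return False                             # no tracked conversation to belong to
        if "SYN" in flags:                           # SYN/ACK answering the opening SYN
            if self.state != "SYN_SENT" or ack != self.next_seq.get(peer):
                return False
            self.next_seq[side] = seq + 1
            self.state = "SYN_RECEIVED"
            return True
        if self.state == "SYN_SENT":
            return False                             # handshake not completed yet
        if seq != self.next_seq[side] or ack != self.next_seq[peer]:
            return False                             # wrong position in one of the byte streams
        if self.state == "SYN_RECEIVED":
            self.state = "ESTABLISHED"               # third segment of the handshake
        if "FIN" in flags:
            if self.state == "LAST_ACK":
                return False                         # both FINs already seen
            self.state = "FIN_WAIT" if self.state == "ESTABLISHED" else "LAST_ACK"
            length += 1                              # the FIN itself consumes a sequence number
        elif self.state == "LAST_ACK":
            self.state = "CLOSED"                    # ACK of the second FIN ends the session
        self.next_seq[side] += length
        return True

# The slide's exchange as (side, flags, seq, ack, payload length) tuples.
SLIDE_SESSION = [
    ("A", {"SYN"}, 1000, None, 0),            # SYN(1000), active open
    ("B", {"SYN", "ACK"}, 2000, 1001, 0),     # SYN(2000), ACK(1001), passive open
    ("A", {"ACK"}, 1001, 2001, 0),            # ACK(2001): connection established
    ("A", {"ACK"}, 1001, 2001, 499),          # "ACK, data": constructed 499 bytes from A
    ("B", {"ACK"}, 2001, 1500, 299),          # "ACK, data": constructed 299 bytes from B
    ("A", {"ACK", "FIN"}, 1500, 2300, 0),     # ACK(2300), FIN(1500): Host A close
    ("B", {"ACK"}, 2300, 1501, 0),            # ACK(1501)
    ("B", {"ACK"}, 2300, 1501, 100),          # constructed: B's last 100 bytes before its FIN
    ("B", {"ACK", "FIN"}, 2400, 1501, 0),     # ACK(1501), FIN(2400): Host B close
    ("A", {"ACK"}, 1501, 2401, 0),            # ACK(2401): connection closed
]

def replay(steps):
    """Feed segments through one tracker; return per-segment verdicts and the tracker."""
    tracker = TcpTracker()
    return [tracker.check(*step) for step in steps], tracker

def rejected_segments():
    """Two segments the state table drops: a lone ACK matching no tracked conversation
    (a stateless rule passing any ACK-bearing segment would let it in), and a
    mid-session ACK for bytes the peer never sent."""
    _, tracker = replay(SLIDE_SESSION[:3])
    return TcpTracker().check("B", {"ACK"}, 5000, 1), tracker.check("B", {"ACK"}, 2001, 9999)
```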
Technology and Implementation
• Port Scanning
• FIN, NULL and XMAS Scanning
• SYN Scanning
• TCP Sequence Number Attacks
• Session Hijacking
• Denial of Service
127
Transport Layer Security (TLS)
• Functions of TLS
• Mutual authentication
• Encryption
128
Layer 5: Session Layer
• Remote Procedure Calls
129
Directory Services
• Domain Name Service (DNS)
• Lightweight Directory Access Protocol (LDAP)
• Network Basic Input Output System (NetBIOS)
• Network Information Service (NIS)/NIS+
130
Access Services
• Common Internet File System (CIFS)/Server
Message Block (SMB)
• Network File System (NFS)
• Secure NFS (SNFS)
131
Domain Agenda
• Basic Concepts
• OSI Framework
• Layer 7: Application Layer
132
Data Exchange (World Wide Web)
• Trivial File Transfer Protocol (TFTP)
• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol (HTTP)
• HTTP over TLS (HTTPS)
• Secure Hypertext Transfer Protocol (S-HTTP)
• Passive and Active Content (HTML, ActiveX, Java,
JavaScript)
• Peer-to-peer Applications and Protocols
133
Messaging Services
• Instant Messaging
• Asynchronous Messaging
• Email Spoofing
• Open Mail Relay Servers
• Spam
• Post Office Protocol (POP)
• Internet Message Access Protocol (IMAP)
• Network News Transfer Protocol (NNTP)
• Internet Relay Chat (IRC)
• Spam over Instant Messaging (SPIM)
134
Administrative Services
• Remote Authentication Dial-In User Service (RADIUS)
• Simple Network Management Protocol (SNMP)
135
Remote Authentication Dial-In User Service (RADIUS)
• Network Access Server sends authentication requests to the Centralized Authentication Server.
136
Remote Access Services
• TCP/IP Terminal Emulation Protocol (TELNET)
• Remote Login (RLOGIN), Remote Shell (RSH), Remote Copy (RCP)
• X Window System (X11)
137
Information Services
• Finger User Information Protocol
• Network Time Protocol (NTP)
138
Traditional Telephony and Network Layouts
139
Voice over IP (VoIP)
• Session Initiation Protocol (SIP)
• Proprietary Applications and Services
140
Voice over IP (VoIP)
• IP Telephony Network Issues
• IP Telephony Vulnerabilities
[Figure: IP telephony layout: Internet, Router, Corporate LAN with Server and Telephony Server, PSTN, Access Points, IP Phones, Wireless LAN Phones]
141
Voice over IP (VoIP)
142
Voice over IP (VoIP)
143
Voice over IP (VoIP)
144
Domain Summary
• Provides the foundation for IT security
• OSI – TCP/IP Models
• Ports and Protocols
• Network Devices
145
Domain Summary
• Discuss the concepts of network security
• Understand security risks
• Provide a business context on network security
146
“Security Transcends Technology”