CIST 1601 Information Security Fundamentals

Chapter 2 Infrastructure and Connectivity
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Technology
Albany Technical College
Mastering TCP/IP - Working with the TCP/IP Suite
The Application Layer
The Application layer is the highest layer of the suite.
It allows applications to access services or protocols to exchange data. Most
programs, such as web browsers, interface with TCP/IP at this level.
The most commonly used Application layer protocols are as follows:
Hypertext Transfer Protocol (HTTP) is the protocol that a web browser uses to
communicate with web servers.
File Transfer Protocol (FTP) is a common application used to transfer files between
hosts on the Internet.
Simple Mail Transfer Protocol (SMTP) is the standard protocol used for sending e-mail
messages, both from a client to its outgoing mail server and between mail servers.
Telnet is a terminal emulation protocol that provides a remote logon to another
host over the network.
Domain Name System (DNS) allows hosts to resolve hostnames to IP addresses.
Routing Information Protocol (RIP) allows routing information to be exchanged
between routers on an IP network.
Simple Network Management Protocol (SNMP) is an Application layer protocol whose
purpose is to collect statistics from, and configure, TCP/IP devices. Most routers, bridges, and
intelligent hubs can communicate using SNMP.
Post Office Protocol (POP3) and IMAP4 let an e-mail client retrieve messages from the
e-mail server.
In their original forms HTTP, FTP, SMTP, Telnet, POP3, IMAP4 and SNMP (versions 1 and 2c) all
carry data and credentials in cleartext; the protected variants (HTTPS, SFTP or FTPS, SMTP with
STARTTLS, SSH in place of Telnet, POP3S and IMAPS, SNMPv3) are what should be exposed on a
network today.
Mastering TCP/IP - Working with the TCP/IP Suite
The Transport Layer
The Transport layer provides the Application layer with session
and datagram communications services.
The TCP and User Datagram Protocol (UDP) operate at this layer.
These two protocols provide a huge part of the functionality of
the TCP/IP network:
TCP is responsible for providing a reliable, one-to-one, connection-oriented persistent session. TCP establishes a connection and
ensures reliable data transfer through sequencing and
acknowledgements. When the session ends, the connection is
closed.
UDP provides an unreliable, connectionless communication
method between hosts. UDP is considered a best-effort
protocol; it has far less overhead than TCP because it does not
establish a synchronized session, retransmit lost datagrams, or
guarantee ordering or error-free delivery. The primary purpose
of UDP is to send small packets of information. The application is
responsible for detecting loss and acknowledging correct reception of
the data if it needs that guarantee.
Because UDP has no handshake, the source address of a datagram is
trivially forged, which is why UDP services are the usual vehicle for
reflection and amplification attacks.
Mastering TCP/IP - Working with the TCP/IP Suite
The Internet Layer
The Internet layer is responsible for:
Routing
IP addressing
Packaging data into packets
Here are the four standard protocols of the Internet layer:
Internet Protocol (IP) is a routable protocol, and it's responsible for IP addressing.
IP only routes information; it doesn't verify the payload for accuracy (the IPv4 header
checksum covers the header alone). IP determines whether the destination is on a
directly connected network and, if so, delivers the packet there. If the
destination is not local, IP sends the packet to the default gateway (a router), which forwards it on.
Address Resolution Protocol (ARP) is responsible for resolving IP addresses to
hardware (MAC) addresses. MAC addresses identify hardware devices
such as a NIC. ARP has no authentication, so any host on the same segment can
answer for an address it does not own (ARP spoofing) and have traffic for that
address delivered to itself.
Internet Control Message Protocol (ICMP) provides maintenance and reporting
functions. It's used by the ping program. When a user wants to test connectivity to
another host, they enter the ping command with the IP address, and the user's
system sends ICMP Echo Request messages to the other host. If connectivity is good, the
other host returns ICMP Echo Reply messages to the originating host. ICMP will also report if a destination is
unreachable. Routers and other network devices report path information between
hosts with ICMP.
Internet Group Management Protocol (IGMP) is responsible primarily for
managing IP multicast groups. IP multicast sends a message or packet to a
specified group of hosts.
Mastering TCP/IP - Working with the TCP/IP Suite
The Network Interface Layer
The lowest level of the TCP/IP suite is the Network
Interface layer.
This layer is responsible for placing and removing packets
on the physical network through communications with the
network adapters in the host.
This process allows TCP/IP to work with virtually any type
of network topology or technology with little modification.
If a new physical network technology were installed, say a
10 Gb/s fiber Ethernet connection, TCP/IP would only need
to know how to communicate with the network controller
in order to function properly.
TCP/IP can also communicate with more than one network
topology simultaneously. This allows the protocol to be
used in virtually any environment.
IPv4 vs. IPv6
The current numbering system, known as IP
version 4 (IPv4), is what is described throughout
this chapter and is still widely used today. IP version
6 (IPv6) was standardized in 1998 to
replace IPv4 but has not yet done so, and most
systems currently support both at the Internet
layer (dual stack).
IPv6 uses 128-bit addresses, while IPv4
uses 32-bit addresses. IPv6 was designed with IPsec
support built in; the original specification required every
implementation to support IPsec, later revisions relaxed that
to a recommendation, and in either case its use is optional, so an
IPv6 packet is neither encrypted nor authenticated unless IPsec is
actually configured.
A practical consequence of dual stack is that firewall and filtering rules
written only for IPv4 leave the IPv6 path to the same hosts open.
Understanding Encapsulation
Encapsulation allows a transport protocol to be sent across
the network and utilized by the equivalent service or protocol
at the receiving host.
The figure to the right shows how e-mail is encapsulated as it
moves from the application protocols through the transport
and Internet protocols.
Each layer adds header information as the e-mail moves down
the layers.
The encapsulation process of an e-mail message
After it is encapsulated, the message is sent to the server.
Transmission of the packet between the two hosts occurs
through the physical connection in the network adapter.
Notice that in the figure to the right the message is sent via
the Internet; it could have just as easily been sent locally.
The e-mail client doesn't know how the message is delivered,
and the server application doesn't care how the message got
there.
This makes designing and implementing services such as
e-mail possible in a global or Internet environment.
An e-mail message that an e-mail client sent to
an e-mail server across the Internet
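The following Python program is an added example (it is not part of these slides) that builds the encapsulation in the figure for a single SMTP command: the TCP header, then the IPv4 header with its checksum, then the Ethernet header, and then strips the headers again at the receiving end. All IP addresses, MAC addresses and the message are constructed for the example; the TCP checksum is left at zero because filling it in needs the IP pseudo-header.

```python
import struct

# Constructed addresses for the example (RFC 5737 documentation ranges).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.25"
CLIENT_MAC, GATEWAY_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
SMTP_PORT, PROTO_TCP, ETHERTYPE_IPV4 = 25, 6, 0x0800
TCP_PSH, TCP_ACK = 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_bytes(address: str) -> bytes:
    return bytes(int(octet) for octet in address.split("."))


def tcp_segment(src_port: int, dst_port: int, seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """Transport layer: 20-byte TCP header (data offset 5, no options) + data.
    The TCP checksum stays 0 here: it is computed over an IP pseudo-header,
    so a real stack fills it in with help from the layer below."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4, flags, 65535, 0, 0)
    return header + payload


def ip_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Internet layer: 20-byte IPv4 header with its checksum filled in."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0, ipv4_bytes(src), ipv4_bytes(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Network Interface layer: 14-byte Ethernet II header (FCS omitted)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(message: bytes, src_port: int = 51234, seq: int = 1000, ack: int = 5000) -> bytes:
    """Each layer wraps whatever it received from the layer above it."""
    segment = tcp_segment(src_port, SMTP_PORT, seq, ack, TCP_PSH | TCP_ACK, message)
    packet = ip_packet(CLIENT_IP, SERVER_IP, PROTO_TCP, segment)
    return ethernet_frame(GATEWAY_MAC, CLIENT_MAC, ETHERTYPE_IPV4, packet)


def decapsulate(frame: bytes) -> dict:
    """Receiving side: peel the headers off in the opposite order, checking
    each one before handing the remainder up to the next layer."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:            # an intact header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    src_port, dst_port, seq, ack, offset_byte, flags = struct.unpack("!HHIIBB", segment[:14])
    data_offset = (offset_byte >> 4) * 4
    return {
        "src": ".".join(map(str, packet[12:16])), "dst": ".".join(map(str, packet[16:20])),
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": flags, "payload": segment[data_offset:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"MAIL FROM:<alice@example.com>\r\n")
    print(len(frame), "bytes on the wire;", decapsulate(frame))
```

The thing to notice is that each layer reads only its own header and hands the rest up unchanged: a device working at the Internet layer cannot see what the e-mail says, and a flipped bit in the IP header is caught by that layer's checksum while a change inside the payload is not.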
Working with Protocols and Services
Well-Known Ports
Ports identify which communication process on a host a message is for.
A port is nothing more than a 16-bit number carried in the header of a TCP
segment or UDP datagram. The layer below (IP) then encapsulates the segment
with its own header.
Well-known ports (0 through 1023) are standard port numbers assigned to
common services, such as 80 for HTTP, 25 for SMTP and 53 for DNS. Ports 1024
through 49151 are registered ports, and 49152 through 65535 are dynamic
(ephemeral) ports that clients use for the source side of a connection.
The originator adds a destination port number indicating which service to
talk to on the server.
If the server has a service listening on that port, it accepts the request.
If nothing is listening, the server refuses the connection (TCP answers with
a RST segment; for UDP the host returns an ICMP Port Unreachable message),
and a firewall that silently drops the packet produces no answer at all.
Port scanners use exactly these three outcomes to tell open, closed and
filtered ports apart.
All the ports allow access to your network; even if you establish a firewall,
you must have some of these ports open if you want to provide services such as
e-mail or web services.
TCP Three-Way Handshake
TCP, which is a connection-oriented protocol, establishes a session using a
three-way handshake. A host called a client originates this connection.
The client sends a TCP segment with the SYN flag set to the server. This segment
includes an Initial Sequence Number (ISN) for the connection and a window
size. The server responds with a SYN-ACK segment that contains its own ISN, an
acknowledgment number equal to the client's ISN plus one, and a value
indicating its buffer, or window size. The client then sends back an
acknowledgment (ACK) of the server's ISN plus one. After this occurs, the two
systems communicate with each other.
A server can handle many requests simultaneously. Each session is identified
by the combination of source address, source port, destination address and
destination port, so many sessions can share the same server port. Within a
session, the sequence and acknowledgment numbers keep the data in order and
let each side detect loss; because ISNs are randomized, an attacker who cannot
see the traffic cannot easily inject segments into someone else's session.
The handshake is also where SYN flooding happens: a server that allocates
state for every SYN it receives can be exhausted by SYNs whose ACKs never arrive.
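Added example (not from the slides): a small Python simulation of the handshake, with random ISNs, the plus-one arithmetic, a server that keeps one entry per client (ip, port) even though every client talks to the same server port, and a blind attacker who never sees the SYN-ACK and has to guess the server's ISN to complete the handshake. Addresses are constructed; nothing touches the network.

```python
import secrets
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
MOD = 2 ** 32


@dataclass(frozen=True)
class Segment:
    src: tuple          # (ip, port) of the sender
    dst: tuple
    flags: int
    seq: int
    ack: int = 0
    window: int = 65535


class Server:
    """Listening side. Sessions are keyed by the client's (ip, port); the
    server port is the same for all of them."""

    def __init__(self, ip: str, port: int):
        self.addr = (ip, port)
        self.half_open = {}     # client addr -> (server ISN, client ISN)
        self.established = {}   # client addr -> (snd_nxt, rcv_nxt)

    def receive(self, seg):
        if seg is None or seg.dst != self.addr:
            return None
        if seg.flags == SYN:                              # step 1 arrives
            isn = secrets.randbelow(MOD)                  # fresh random ISN
            self.half_open[seg.src] = (isn, seg.seq)
            return Segment(self.addr, seg.src, SYN | ACK, isn, (seg.seq + 1) % MOD)
        if seg.flags == ACK and seg.src in self.half_open:   # step 3 arrives
            isn, client_isn = self.half_open[seg.src]
            # The ACK must acknowledge exactly our ISN + 1 (a SYN consumes one
            # sequence number). A blind spoofer who never saw the SYN-ACK has
            # to guess this 32-bit value.
            if seg.ack != (isn + 1) % MOD or seg.seq != (client_isn + 1) % MOD:
                return None
            del self.half_open[seg.src]
            self.established[seg.src] = ((isn + 1) % MOD, (client_isn + 1) % MOD)
            return "ESTABLISHED"
        return None


class Client:
    def __init__(self, ip: str, port: int):
        self.addr = (ip, port)
        self.isn = secrets.randbelow(MOD)
        self.state = "CLOSED"

    def connect(self, server_addr: tuple) -> Segment:
        self.state = "SYN_SENT"
        return Segment(self.addr, server_addr, SYN, self.isn)        # step 1

    def on_syn_ack(self, seg):
        if seg is None or seg.flags != SYN | ACK or seg.ack != (self.isn + 1) % MOD:
            return None
        self.state = "ESTABLISHED"
        return Segment(self.addr, seg.src, ACK, (self.isn + 1) % MOD, (seg.seq + 1) % MOD)  # step 3


def handshake(client: Client, server: Server) -> bool:
    syn = client.connect(server.addr)
    syn_ack = server.receive(syn)                                     # step 2
    ack = client.on_syn_ack(syn_ack)
    return server.receive(ack) == "ESTABLISHED"


def spoofed_ack(attacker_addr: tuple, server: Server, guess: int) -> bool:
    """Blind attacker: sends a SYN from a forged source, never sees the SYN-ACK,
    and tries to finish the handshake by guessing the server's ISN + 1."""
    server.receive(Segment(attacker_addr, server.addr, SYN, 7))
    return server.receive(Segment(attacker_addr, server.addr, ACK, 8, guess)) == "ESTABLISHED"


if __name__ == "__main__":
    srv = Server("198.51.100.25", 80)
    print(handshake(Client("192.0.2.10", 51234), srv), srv.established)
```

Note that the forged SYN in spoofed_ack still leaves an entry in half_open even though the handshake never completes; a flood of such SYNs is exactly how the state of a real server is exhausted.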
Application Programming Interface
Application Programming Interfaces (APIs) allow programmers to create interfaces to
the protocol.
When a programmer writes an application, they can call or use one of these APIs to:
Make the connection
Send or receive data
End the connection
Microsoft's implementation of this API is called Windows Sockets (WinSock); it is modeled on the
Berkeley sockets API used on Unix and Linux and can access either TCP or UDP. A socket endpoint is
the combination of an IP address and a port number, written with a colon between them. For
example, 190.10.5.1:80 would be the endpoint for an HTTP connection to that host.
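Added example (not from the slides): the three API steps in Python's socket module, which is the same Berkeley-style API that WinSock implements. It starts a one-shot echo server on the loopback address so that it runs offline; the endpoint string and port classification follow the slide's colon notation and the IANA ranges. The probe function shows the three answers a client can get when it tries a port.

```python
import socket
import threading


def parse_endpoint(text: str) -> tuple:
    """'190.10.5.1:80' -> ('190.10.5.1', 80), the colon notation from the slide."""
    host, _, port = text.rpartition(":")
    return host, int(port)


def classify_port(port: int) -> str:
    """IANA port ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("a port is a 16-bit number")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def start_echo_server() -> int:
    """Listen on loopback on an OS-chosen dynamic port and serve one client."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_one():
        conn, _peer = listener.accept()
        with conn:
            conn.sendall(b"ECHO " + conn.recv(1024))
        listener.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def request(host: str, port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """The three API steps from the slide: make the connection, send and
    receive data, end the connection (the with-block closes the socket)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        return sock.recv(1024)


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """What a client learns from the answer to a connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something is listening
    except ConnectionRefusedError:
        return "closed"            # the host answered with a TCP RST
    except socket.timeout:
        return "filtered"          # no answer at all: usually dropped by a firewall


def free_port() -> int:
    """Reserve an unused loopback port and release it (to demonstrate 'closed')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    port = start_echo_server()
    print(classify_port(port), request("127.0.0.1", port, b"hello"))
    print(probe("127.0.0.1", free_port()))
```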
Distinguishing between Security Topologies
Setting Design Goals
Sending data across an insecure network, such as the
Internet, exposes it to loss of confidentiality and integrity.
It is the responsibility of the sender to ensure that
proper security controls are in place.
Confidentiality and integrity controls should be implemented to
ensure the accuracy of the data and to restrict its accessibility to
authorized personnel.
The three core security objectives for the protection of
the information assets of an organization are:
Confidentiality
Integrity
Availability
These three objectives are also referred to as the CIA
triad.
Most computer attacks violate at least one element of the CIA
triad.
Confidentiality
Meeting the goal of confidentiality means preventing or minimizing unauthorized
access to and disclosure of data and information.
Confidentiality is the level of secrecy that is maintained to protect
sensitive information from unauthorized disclosure.
In many instances, laws and regulations require specific information to be kept
confidential.
Confidentiality can be implemented through encryption, access control, data
classification, and security awareness.
Confidentiality controls protect an organization against attacks such as
shoulder surfing and social engineering, which can lead to the disclosure of
confidential information and disrupt business operations.
Lack of sufficient security controls to maintain confidentiality leads to the
disclosure of information.
Integrity
Ensuring the integrity of information implies that the information is
protected from unauthorized modification and that the contents have
not been altered.
To meet the goal of integrity, you must verify that information being
used is accurate and hasn’t been tampered with.
Integrity ensures the following conditions:
The data is accurate and reliable.
The data and the system are protected from unauthorized alteration.
Attacks and user mistakes are prevented from silently changing the data or
the system, or are at least detected when they do (hashes, digital signatures
and change logs are the usual tools).
Integrity is coupled with accountability to ensure that data is accurate
and that a final authority exists to verify this, if needed.
Availability
To meet the goal of availability, you must protect
data and prevent its loss.
Data that can’t be accessed is of little value.
If a mishap or attack brings down a key server or
database, that information won’t be available to the
people who need it. This can cause havoc in an
organization.
Your job is to provide maximum availability to your
users while ensuring integrity and confidentiality.
The hardest part of this process is determining the
balance you must maintain between these three
aspects to provide acceptable security for the
organization’s information and resources.
Accountability
The final and often overlooked goal of design concerns accountability.
Accountability involves identifying who owns or is responsible for the
accuracy of certain information in an organization.
Many of the resources used by an organization are shared between
departments and individuals.
The department or individual that is accountable for certain information
would also be responsible for verifying its accuracy in the event of a data-tampering incident.
You should also be able to track and monitor data changes to detect and
repair the data in the event of loss or damage.
Most systems will track and store logs of system activities and data
manipulation, and they will also provide reports on problems; those logs only
support accountability if they are protected from the people whose actions they record.
Creating Security Zones
It’s common for a network to have connections among departments,
companies, countries, and public access using private communication
paths and through the Internet.
Not everyone in a network needs access to all the assets in the network.
The term security zone describes design methods that isolate systems
from other systems or networks. You can isolate networks from each
other using hardware and software.
The Internet creates a challenge for security because it connects your
network to parties you cannot vet.
Security zones allow you to isolate systems from unauthorized users.
Here are the four most common security zones you’ll encounter:
Internet
Intranet
Extranet
Demilitarized zone (DMZ)
By implementing intranets, extranets, and DMZs, you can create a
reasonably secure environment for your organization.
Internet
The Internet is a global network connecting computers and individual networks
together.
In this environment, you should have a low level of trust in the people who use
the Internet.
You must always assume that the people visiting your website may have any
intention at all; they may want:
To buy your product
To hire your firm
To bring your servers to a screaming halt
Because the Internet involves such a high level of anonymity, you must always
safeguard your data with the utmost precautions.
Intranets
Intranets are private networks implemented
and maintained by an individual company or
organization.
An intranet is the private network of the
company that contains most of the private
resources and network infrastructure
equipment of the company.
An intranet belongs to and is controlled by the
company.
Intranets use the same technologies used by
the Internet.
You can think of an intranet as an Internet that
doesn’t leave your company:
It’s internal to the company.
Access is limited to systems within the intranet.
Access to the intranet is granted to trusted
users inside the corporate network or to users
in remote locations.
Extranets
Extranets extend intranets to include outside
connections to partners.
An extranet is the part of the company
network infrastructure that enables selected resources
to be accessed by external users.
An extranet is a semi-secure zone that allows
partners of the organization to access specific
resources, and nothing else.
The partners can be vendors, suppliers, or
similar parties who need access to your data for
legitimate reasons.
Extranet connections involve connections
between trustworthy organizations, but a partner's
network can itself be compromised, so traffic from
the extranet should be trusted less than intranet traffic.
Security for the extranet security zone can
include a number of strategies:
Using VPN connections
Regularly auditing all services
Removing all unnecessary services
Limiting the number of services provided
Demilitarized Zone (DMZ)
A demilitarized zone (DMZ), or perimeter network, provides a layer of security and privacy between the
company infrastructure and the Internet.
A DMZ might contain Internet-accessible servers such as web servers, FTP servers, and mail-relay
servers, offering restricted access to people you might not trust otherwise.
By isolating a server in a DMZ, you can hide or remove access to other areas of your network.
The internal network isn't visible to external users, lowering the threat of intrusion into the internal network.
A DMZ is a separate subnet attached to a separate router or firewall interface. Many organizations deploy, at a
minimum, two firewalls.
The first firewall is placed in front of the DMZ to allow requests from the external public interface destined for
servers in the DMZ, or to route requests to an authentication proxy.
The second firewall is placed between the DMZ and the internal network; it allows outbound requests and
denies public traffic from passing through to the internal private network.
From there, you can decide what traffic goes where; for example, HTTP traffic would be sent to the web
server in the DMZ, and e-mail accepted by the mail relay in the DMZ would be forwarded to the internal
mail server, which should be the only internal host the relay is allowed to reach.
All initial necessary connections terminate on the DMZ machines. For example, a RADIUS server may be
running in the DMZ for improved performance and enhanced security, even though its database resides
inside the company intranet.
The DMZ only helps if the second firewall is actually restrictive: a compromised DMZ host should be able
to open connections to specific internal services only, never to arbitrary internal addresses.
A typical DMZ
Working with Newer Technologies
Virtualization Technology
Virtual environments are available to run on just about everything from servers and
routers to USB thumb drives. Hardware vendors are rapidly embracing virtualization and
developing new features to simplify virtualization techniques.
Virtual environments can be used to improve security by:
Allowing unstable applications to be used in an isolated environment.
Providing better disaster recovery solutions.
Virtual environments are also used for cost-cutting measures.
One well-equipped server can host several virtual servers, reducing the need for power and
equipment.
Forensic analysts often use virtual environments as a method of viewing the environment the same
way the criminal did.
A hypervisor or virtual machine monitor (VMM) is a virtualization platform that provides
multiple operating systems running on a host computer at the same time.
A Type 1, native or bare-metal hypervisor is software that runs directly on a hardware platform. The
guest operating systems run at the second level above the hardware. This technique allows full
guest systems to be run in a relatively efficient manner. The guest OS is not aware it is being
virtualized and requires no modification.
A Type 2 or hosted hypervisor is software that runs within an operating system environment, and
the guest operating systems run at the third level above the hardware. The hypervisor runs as an
application or shell on another, already running operating system.
Security policy should address virtual environment vulnerabilities. Software without a defined business
need should not be allowed on systems, including virtual environments.
Compromising one guest does not by itself hand an intruder the other guests, but a vulnerability in the
hypervisor or in its device emulation (a VM escape) lets an intruder who controls one guest break out
to the host, and whoever controls the host or hypervisor controls every guest running on it.
Because the hypervisor runs with the highest privilege on the machine and the hardware is shared,
a guest that must never be exposed to an attacker should not share a host with guests that are.
Segment virtual machines by the information they handle.
The organization should have a policy in place that states that high-security virtual machines never share the same
hardware as virtual machines for testing or lower-security applications.
Also:
Be cognizant of shared folders and clipboard or drag-and-drop sharing between guest and host operating systems.
Use standard locked-down virtual images.
Other areas that present issues for a virtualized environment and need special consideration are:
Deploying financial applications on virtualized shared hosting
Secure storage on storage-area network (SAN) technologies
Virtual machine environments need to be patched just like host environments and are susceptible to the
same issues as a host operating system. The hypervisor itself, and any management console for it, must be
patched and access-controlled too.
Virtual Local Area Networks
A virtual local area network (VLAN) allows you to create groups of users and systems
and segment them on the network. This segmentation lets you hide segments of the
network from other segments and thereby control access.
VLANs enable you to unite network nodes logically into the same broadcast domain
regardless of their physical attachment to the network. Networks can coexist on the
same wiring and be unaware of each other.
VLANs enable administrators to segment one broadcast domain into two or more
domains, grouping users that have similar data sensitivity levels together
and thereby increasing security.
VLAN advantages include:
Reducing the scope of broadcasts
Improving performance and manageability
Decreased dependence on the physical topology
Switches are used to create VLANs.
A router or other routing-type device (or a layer 3 switch) is needed to pass traffic between
VLANs, and that is where the access control between them belongs.
When a switch is compromised, the attacker can reassign ports or enable trunking and so
reach every VLAN the switch carries. VLAN hopping attacks (switch spoofing through trunk
negotiation, double tagging) can cross VLAN boundaries even without compromising the
switch, so VLANs separate traffic logically but are not a substitute for a firewall between
trust levels.
A typical segmented VLAN
Network Address Translation
Network Address Translation (NAT) acts as a liaison
between an internal network and the Internet.
NAT effectively hides your network from the world,
making it much harder to determine what systems exist
on the other side of the router.
Most routers and current Microsoft Server operating
systems support NAT.
Because a NAT device has no mapping for traffic that nobody
inside asked for, it drops unsolicited inbound connections and
so behaves a little like a firewall. It is not one: a port forward,
a UPnP mapping, or a compromised inside host that initiates the
connection bypasses it, and it does nothing about the content of
the traffic it permits.
Typically, the router or NAT server acts as the interface
between a local area network and the Internet using one
public IP address.
The router or NAT server rewrites the addresses on all inbound and outbound
requests and maintains a translation table so that returned messages can be
delivered to the inside host that sent the request.
NAT allows the organization to use private IP addresses
internally that are different from the publicly assigned
addresses it uses on the Internet. In this way, NAT hides the private
network from the public.
RFC 1918 reserves three blocks of non-Internet-routable private
IP addresses for use on internal networks:
192.168.0.0/16 (192.168.0.0 to 192.168.255.255), a block of 256 former class C networks.
172.16.0.0/12 (172.16.0.0 to 172.31.255.255), a block of 16 former class B networks.
10.0.0.0/8 (10.0.0.0 to 10.255.255.255), a single former class A network.
Port Address Translation
In addition to NAT, Port Address Translation
(PAT), also called NAT overload or NAPT, is possible: many inside
hosts share a single public address, and the gateway tells their
connections apart by rewriting the source port as well as the source
address. This is what nearly every home and small-office router does.
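Added example (not from the slides): a PAT gateway in Python that rewrites the source address and port on the way out, keeps a translation table, and delivers an inbound packet only if it is the reply to an entry in that table. The public and private addresses are constructed (RFC 5737 and RFC 1918 ranges); packets are plain dicts rather than real headers.

```python
import ipaddress

# RFC 1918 private blocks.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)


class PatGateway:
    """One public address shared by every inside host; the translation table
    is what makes return traffic deliverable."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port, self.last_port = first_port, last_port
        self.by_public_port = {}   # public port -> (inside ip, inside port, remote ip, remote port)
        self.by_flow = {}          # (inside ip, inside port, remote ip, remote port) -> public port

    def outbound(self, pkt: dict):
        """Packet leaving the LAN: rewrite source address and source port."""
        if not is_private(pkt["src"]):
            return None                      # not an inside host: nothing to translate
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.by_flow.get(flow)
        if port is None:
            if self.next_port > self.last_port:
                return None                  # port pool exhausted: new flows fail
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_public_port[port] = flow
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt: dict):
        """Packet arriving from the Internet: delivered only if it is the reply
        to a flow in the table. Anything else has nowhere to go and is dropped,
        which is the whole of NAT's 'hiding' effect."""
        entry = self.by_public_port.get(pkt["dport"])
        if pkt["dst"] != self.public_ip or entry is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return None                      # right port, wrong peer (symmetric NAT behaviour)
        return {**pkt, "dst": inside_ip, "dport": inside_port}


if __name__ == "__main__":
    gw = PatGateway("203.0.113.1")
    out = gw.outbound({"src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.7", "dport": 443})
    print(out, gw.inbound({"src": "198.51.100.7", "sport": 443, "dst": "203.0.113.1", "dport": out["sport"]}))
```

Two inside hosts using the same source port get different public ports, which is the PAT part; a packet to the public address on a port that no inside host has opened is simply discarded.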
Tunneling
Tunneling refers to creating a virtual
dedicated connection between two
systems or networks.
Tunneling sends private data across a public
network (the Internet) by placing
(encapsulating) that data inside other packets.
Encapsulation on its own does not prevent sniffing;
the tunnel must also be encrypted.
Tunnels are usually secured and present
themselves as extensions of both networks.
You create the tunnel between the two ends
by encapsulating the data in a mutually
agreed-upon protocol for transmission.
Tunneling protocols usually include data
security (authentication and integrity) as well as
encryption, but not always: plain L2TP and GRE
provide neither.
Most tunnels are virtual private networks
(VPNs).
Several popular standards have emerged for
tunneling, among them the Layer 2 Tunneling
Protocol (L2TP), which is normally run inside
IPsec (L2TP/IPsec) to get its encryption.
A connection being made between
two networks across the Internet. To
each end of the network, this
appears to be a single connection.
Telephony
The combination of telephone technology with
information technology is telephony.
Voice over IP (VoIP) can be easily sniffed when it is not encrypted, and it is
susceptible to denial-of-service attacks because it rides
on UDP. There is also the outage issue with VoIP: in
cases where the data network goes down, you lose
the telephony as well.
SecureLogix markets a voice firewall, and Cisco has
published a paper titled "IP Telephony Security in
Depth."
From a security standpoint, the biggest problem with
VoIP and data being on the same network is that they are
then both vulnerable in the event of a PBX attack, which
is why voice traffic is usually placed on its own VLAN.
Understanding Infrastructure Security
Infrastructure security deals with the most basic aspect of how information flows and how work occurs in
your network and systems. This includes servers, networks, network devices, workstations, and the
processes in place to facilitate work.
Your network is composed of a variety of media and devices that both facilitate communications and
provide security.
Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from
your network to other systems and networks.
Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival
storage and working storage for your systems.
Networks are tied together using the Internet and other network technologies, thereby making them
vulnerable to any number of attacks.
To provide reasonable security, you must know how these devices work and how they
provide, or fail to provide, security.
Each time you add a device, change configurations, or switch technologies, you’re potentially altering the
fundamental security capabilities of your network.
The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative
assault on your infrastructure might occur, and to be prepared to neutralize it before it happens.
A network is no more secure than its weakest node.
Working with Hardware Components
Network hardware components include physical devices such as
routers, servers, firewalls, workstations, and switches.
From a security perspective you must evaluate your network from the
standpoint of each and every device within it.
It cannot be overstated: the complexity of most networks makes securing
them extremely complicated.
To provide reasonable security, you must evaluate every device to determine
its unique strengths and vulnerabilities.
This network has Internet connections. Internet connections expose your network
to the highest number of external threats. These threats can come from virtually
any location worldwide.
Working with Software Components
Hardware exists to run software. The software is intended to make the
hardware components easy to configure and easy to support, however, that
software can also make the hardware easy to bypass.
Network infrastructure includes servers and workstations running operating
systems, routers, firewalls, and dedicated devices that have their own
communications and control programs. This situation leaves networks open to
attacks and security problems because many of these systems work
independently.
Many larger organizations have built a single area for network monitoring and
administrative control of systems called a Network Operations Center (NOC).
This centralization lets you see a larger overall picture of the network, and it lets
you take actions on multiple systems or network resources if an attack is under
way. Using a NOC makes it easier to see how an attack develops and to provide
countermeasures.
NOCs are expensive and require a great deal of support: factors beyond the
economy or scale of all but the largest businesses. After a NOC is developed and
implemented it must be constantly evaluated and changed as needed.
Understanding the Different Network
Infrastructure Devices - Firewalls
A firewall is a component placed on computers and networks to help eliminate
undesired access by the outside world. It can be composed of hardware, software, or a
combination of both.
Firewalls are the front-line defense devices for networks that are connected to the
Internet.
A firewall protects hosts on an internal private network from attackers on an external public
network by:
Packet filtering
Port filtering
IP address filtering
A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows.
With a software firewall, adding interfaces is as easy as adding and configuring another
NIC. It is easier to make configuration errors in a software firewall, and the firewall is only
as secure as the general-purpose OS underneath it.
A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are
often designed as stand-alone black-box solutions that can be plugged into a network
and operated with minimal configuration and maintenance. A hardware firewall is
purchased with a fixed number of interfaces available. Hardware firewalls generally
outperform software firewalls and present a smaller attack surface, but an appliance is
still software inside and needs patching like anything else.
Packet Filter Firewalls
A packet-filtering firewall is typically a router, and it operates at the Network layer of the
OSI model.
A packet-filtering firewall looks at each packet only to obtain the source and destination
addresses and the protocol and port used. This information is then compared, in order, to the
configured packet-filtering rules to decide whether the packet will be dropped or forwarded to
its destination. A packet-filtering firewall only examines the packet header information,
not the data or payload.
Packet filters examine each incoming (and usually outgoing) packet and then pass or discard
it based on header fields:
Source and destination IP address
Specified port numbers
Specific protocols (TCP, UDP, ICMP)
Packet-filtering solutions are generally considered less secure because they have no
memory of earlier packets: any packet that matches an allow rule gets in, whether or not
it belongs to a connection that a host inside actually started. A classic example is a rule
that admits inbound TCP packets with the ACK bit set so that return traffic works; an
attacker can set that bit on a probe and walk straight through the rule.
Rule order matters, and the last rule should deny everything not explicitly allowed.
The packet-filtering firewall provides high performance.
Proxy Firewalls
Proxy firewalls serve as go-betweens for the network
and the Internet by accepting requests received from
one side and reissuing them on the other, so that no
packet crosses the firewall unchanged.
This type of firewall has a set of rules that the requests
must pass to get in or out.
The primary security feature of a proxy firewall is that
it hides the client information.
It can be used to hide the internal addresses from the
outside world through Network Address Translation,
which does not allow the computers on the network
to directly access the Internet.
The proxy replaces the client's source address with its
own before sending the request on. It is the only
computer on the network that communicates with
untrusted computers.
If the organization is using the proxy server for both
Internet connectivity and web content caching, the
proxy server should be placed between the internal
network and the Internet, with access for users who
are requesting the web content.
A proxy-based firewall provides greater network
isolation than a stateful firewall, because no packet
from outside is ever forwarded inside; only the
proxy's own reconstructed request or reply is.
A proxy firewall blocking network
access from external networks
Proxy Firewalls
An application firewall is typically integrated into another type of firewall to
filter traffic at the Application layer of the OSI model.
The proxy function can occur at either the application level or the circuit level.
A circuit-level proxy (SOCKS is the usual example) relays a connection between
client and server based on address, port and session information without
understanding the protocol being carried.
An application-level proxy creates a virtual circuit between the firewall clients,
and each protocol has its own dedicated portion of the firewall that is concerned
only with how to properly filter that protocol's data.
This type of server is advanced and must know the rules and capabilities of the
protocol used.
A unique application-level proxy server must exist for each protocol supported.
Unlike a circuit-level proxy, an application-level proxy does not stop at the
IP address and port of the packet; it parses the commands and data of the
protocol itself, which is how it can refuse a malformed HTTP request or allow
FTP downloads while blocking uploads.
An application-level proxy firewall is the most detrimental to network performance
because it requires more processing per packet.
Proxy Firewalls
A proxy firewall typically uses two
network interface cards (NICs). This
type of firewall is referred to as a
dual-homed firewall.
Dual-homed computers have two
NICs installed, each connected to a
separate network.
A dual-homed firewall has two
network interfaces.
One interface connects to the public
network, usually the Internet.
The other interface connects to the
private network.
The forwarding and routing function (IP
forwarding) should be disabled on the firewall
host so that the only path between the two
networks is through the proxy software itself;
with forwarding on, the box becomes an ordinary
router and the segregation is gone.
A dual-homed firewall segregating two
networks from each other
Stateful Inspection Firewalls
Stateful inspection is also referred to as stateful packet filtering.
A stateful-inspection firewall combines packet filtering with connection tracking and is suited
for main perimeter security. Because it accepts only packets that either open a permitted new
connection or belong to one already in its state table, a stateful firewall gives a port scanner
nothing for ports that are not explicitly allowed.
Stateful-inspection firewalls work at the Network and Transport layers to provide an additional
layer of security, and they monitor the state of each connection.
Most of the devices used in networks don't keep track of how information is routed or
used. After a packet is passed, the packet and path are forgotten. In stateful packet
filtering, records are kept in a state table that tracks every communications channel.
Stateful inspection provides additional security, especially for connectionless protocols
such as UDP and ICMP, where the firewall has to infer a "connection" from a request and
expire the entry if no reply follows.
Denial-of-service (DoS) attacks present a challenge because flooding techniques (such as
SYN floods) are used to fill the state table, after which the firewall must either refuse new
connections or fail in some worse way; state-table limits and timeouts are therefore
security settings, not just performance tuning.
Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer
better performance than application-level firewalls.
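Added example (not from the slides), covering both the packet-filter slide above and this one: a stateless packet filter and a stateful firewall in Python that share one rule list. The policy is constructed for the demonstration: a web server at 203.0.113.5, outbound traffic allowed, and the stateless "established" rule that admits inbound TCP with the ACK bit set to ports above 1023. The stateless filter lets an ACK probe to port 3389 through that rule; the stateful firewall drops it because no connection exists, and it also enforces the state-table limit that a flood attacks.

```python
import ipaddress
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out"
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0      # TCP flag bits


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport_min: int = 0
    dport_max: int = 65535
    flags_required: int = 0         # e.g. ACK for a stateless "established" rule

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport_min <= p.dport <= self.dport_max
                and (p.flags & self.flags_required) == self.flags_required)


def packet_filter(rules: list, p: Packet) -> str:
    """Stateless: first matching rule wins; implicit deny at the end."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """The same rule list, but consulted only for packets that try to open a
    new connection; every other packet must match the state table."""

    def __init__(self, rules: list, max_states: int = 1000):
        self.rules = rules
        self.max_states = max_states
        self.states = set()          # 5-tuples of connections seen so far

    def check(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "allow"                      # part of a tracked connection
        opens_connection = p.proto != "tcp" or (p.flags & SYN and not p.flags & ACK)
        if not opens_connection:
            return "deny"                       # stray ACK/RST with no state behind it
        if packet_filter(self.rules, p) != "allow":
            return "deny"
        if len(self.states) >= self.max_states:
            return "deny"                       # table full: the DoS condition from the slide
        self.states.add(key)
        return "allow"


# Constructed policy: public web server in the DMZ, inside hosts may go out,
# and (the stateless mistake) return traffic recognised only by the ACK bit.
RULES = [
    Rule("allow", "in", "tcp", dst="203.0.113.5/32", dport_min=80, dport_max=80),
    Rule("allow", "out"),
    Rule("allow", "in", "tcp", dport_min=1024, flags_required=ACK),
]

if __name__ == "__main__":
    probe = Packet("in", "tcp", "198.51.100.7", 40000, "203.0.113.5", 3389, ACK)
    print("stateless:", packet_filter(RULES, probe), " stateful:", StatefulFirewall(RULES).check(probe))
```

A real stateful firewall also times entries out and tracks the TCP state machine more carefully; the point here is only that the decision for a non-SYN packet comes from the table, never from the rule list.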
Firewalls and DMZs
Firewalls can be used to create demilitarized
zones (DMZs).
A DMZ is a network segment placed between
an internal (private) network and an external
(public) network, such as the Internet.
Typically, either one or two firewalls are used to
create a DMZ.
A DMZ implemented with one firewall
connected to a public network, a private
network and a DMZ segment is cheaper to
implement than a DMZ implemented with two
firewalls.
A DMZ with a firewall on each end is typically
more secure than a single-firewall DMZ.
The main objective for the placement of
firewalls is to allow only traffic that the
organization deems necessary and provide
notification of suspicious behavior.
Hubs
Physical Port Security (5:24)
Hubs act as a central connection point for network devices on one
network segment. Hubs are used to extend the length of network
beyond the cable’s maximum segment distance. They work at the
Physical layer of the OSI model.
Hubs are network devices that allow many hosts to communicate with each other
through physical ports. Traffic received on one port is regenerated to all other
ports, which makes hubs central connectivity devices and prone to attack.
Hubs provide no data isolation between ports: any node can observe the traffic to
and from every other node on the same device. An attacker who plugs into a hub, or
compromises one host on it, can run a sniffer and intercept user credentials and any
other sensitive data sent in the clear.
Hubs are considered highly insecure and have largely been replaced by switches.
Modems
A modem is a hardware device that connects the digital signals from a computer to the
analog telephone line. It allows these signals to be transmitted longer distances than are
possible with digital signals.
The word "modem" is an amalgam of the words "modulator" and "demodulator," which
are the two functions that occur during transmission.
Modems present a unique set of challenges from a security perspective.
Leaving modems open for incoming calls with little to no authentication for users dialing
in can be a clear security vulnerability in the network. For example, war-dialing attacks
take advantage of this situation. War-dialing is the process by which an automated
software application is used to dial numbers in a given range to determine whether any
of the numbers are serviced by modems that accept dial-in requests.
Setting the callback features to have the modem call the user back at a preset number
and using encryption and firewall solutions will help keep the environment safe from
attacks.
Monitor computers that have modems to check whether they have been compromised
Check for software updates for computers that have modems.
Remove all unnecessary modems from computers.
Remote Access Services
Remote access servers (RAS) allow clients to use dial-up
connections and network technologies to access servers and
internal networks. RAS connections are achieved through dial-up, DSL, VPNs, cable modems and ISDN.
Remote Access (2:50)
Client systems with a modem can connect using normal dial-up connections to a properly equipped remote-access
server, which functions as a gateway through which the
remote user may access local resources or gain connectivity to
the Internet.
The RAS environment is vulnerable to public PBX
infrastructure vulnerabilities, RAS software bugs, buffer
overflows, and social engineering. Apply vendor security
patches as soon as they are available to protect against RAS
software bugs. Social engineering and the public PBX
infrastructure are common routes used by intruders to get
into a RAS environment.
Typical methods of securing remote access servers:
Implementing a strong authentication method or two-factor
authentication
Limiting which users are allowed to dial in and limiting the dial-in hours
Implementing account lockout and strict password policies
Implementing a real-time alerting system
Allowing dial-in only and forcing callback to a preset number
are strategies for securing remote access servers (RAS).
A RAS connection between a remote
workstation and a Windows server
Routers
Routers enable connectivity between two or more networks and can
connect multiple network segments into one network.
Routers operate at the Network Layer (Layer 3) by using IP addresses to
route packets to their destination along the most efficient path.
Routers store information about network destinations in routing tables.
Routing tables contain information about the networks reachable
through each of the router's interfaces.
Routers can be configured in many instances to act as packet-filtering
firewalls. When configured properly, they can prevent unauthorized
ports from being opened.
Routers are the first line of defense and should therefore be configured
to forward only traffic that is authorized by the network administrator.
Access entries can be specified to allow only authorized traffic and deny
unauthorized traffic.
Methods for securing routers:
Routers should be kept in locked rooms
You should use complex passwords for administrative consoles
Routers should be kept current with the latest available vendor security
patches
Configure access list entries to prevent unauthorized connections and
routing of traffic
Use monitoring equipment to protect connection points and devices
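An added example (not vendor configuration and not course code) that puts the two ideas above together: the three-legged DMZ built on a single firewall/router, and access-list entries that permit only the traffic the organization has decided it needs. Rules are evaluated first match wins with an implicit deny at the end, as on a typical router. The address plan (192.0.2.0/24 as the DMZ, 10.0.0.0/8 inside, documentation addresses for the Internet), the hosts and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # match only TCP packets with ACK set (replies)


class AccessList:
    """Ordered access list: the first matching rule wins, and anything that
    matches no rule is denied (the implicit deny at the end of a router ACL)."""

    def __init__(self, rules):
        self.rules = [(r, ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst))
                      for r in rules]

    def check(self, proto, src, dst, dport=None, ack=False):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule, src_net, dst_net in self.rules:
            if rule.proto not in ("any", proto):
                continue
            if src_ip not in src_net or dst_ip not in dst_net:
                continue
            if rule.dport is not None and rule.dport != dport:
                continue
            if rule.established and not (proto == "tcp" and ack):
                continue
            return rule.action
        return "deny"


# Constructed address plan (documentation ranges, not a real site).
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.0.0.0/8"
WEB, MAIL = "192.0.2.10/32", "192.0.2.25/32"

# One ACL applied inbound on each of the three firewall interfaces.
FROM_INTERNET = AccessList([
    Rule("deny", "any", INTERNAL, INTERNET),                      # anti-spoofing: inside addresses never arrive from outside
    Rule("permit", "tcp", INTERNET, WEB, 80),
    Rule("permit", "tcp", INTERNET, WEB, 443),
    Rule("permit", "tcp", INTERNET, MAIL, 25),
    Rule("permit", "tcp", INTERNET, INTERNAL, established=True),  # replies to connections opened from inside
])
FROM_DMZ = AccessList([
    Rule("permit", "tcp", MAIL, INTERNAL, 25),                    # relay hands mail to the internal mail server
    Rule("permit", "tcp", DMZ, INTERNAL, established=True),       # replies to internal clients
    Rule("deny", "any", DMZ, INTERNAL),                           # a compromised DMZ host gets nothing else inside
    Rule("permit", "any", DMZ, INTERNET),                         # must follow the deny: 0.0.0.0/0 includes INTERNAL
])
FROM_INTERNAL = AccessList([
    Rule("permit", "any", INTERNAL, DMZ),
    Rule("permit", "any", INTERNAL, INTERNET),
])


def demo():
    """Constructed sample packets run against the three ACLs."""
    return {
        "internet->web:80": FROM_INTERNET.check("tcp", "203.0.113.7", "192.0.2.10", 80),
        "internet->web:22": FROM_INTERNET.check("tcp", "203.0.113.7", "192.0.2.10", 22),
        "internet->internal:445": FROM_INTERNET.check("tcp", "203.0.113.7", "10.1.2.3", 445),
        "internet reply->internal": FROM_INTERNET.check("tcp", "203.0.113.7", "10.1.2.3", 51000, ack=True),
        "spoofed internal source": FROM_INTERNET.check("tcp", "10.9.9.9", "192.0.2.10", 80),
        "dmz web->internal db": FROM_DMZ.check("tcp", "192.0.2.10", "10.1.2.3", 1433),
        "dmz mail->internal mail": FROM_DMZ.check("tcp", "192.0.2.25", "10.1.2.3", 25),
        "internal->dmz web": FROM_INTERNAL.check("tcp", "10.1.2.3", "192.0.2.10", 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

Note the ordering in FROM_DMZ: the deny toward the internal network has to precede the permit toward 0.0.0.0/0, or the broad permit would match first. Note also that the established rule keys only on the TCP ACK flag, which an attacker can set on any packet; that is the gap a stateful firewall closes by checking its connection table instead.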
Secure Router Configuration (2:38)
Routers
Routers, in conjunction with a CSU/DSU, are also used to translate LAN to WAN framing. Such routers are
referred to as border routers. Border routers decide who can come in and under what conditions.
Dividing internal networks into two or more subnets is a common use for routers.
Routers can also be connected internally to other routers, effectively creating autonomous zones. This type
of connection keeps local network traffic off the network backbone and provides additional security
internally.
Routers establish routing tables. A router contains information about the networks connected to it and
where to send packets whose destination is unknown (the default route). These tables grow as routes are
learned from neighboring routers.
Routers communicate routing information using three common protocols:
Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use
RIP periodically broadcast their routing tables to neighboring routers. RIP chooses routes between systems using
the smallest number of hops or connections.
Border Gateway Protocol (BGP) allows groups of routers (autonomous systems) to share routing information; it is
the protocol that carries routes between organizations on the Internet.
Open Shortest Path First (OSPF) allows routing information to be updated faster than with RIP.
None of these protocols authenticates its updates by default. RIPv2 and OSPF support authentication of routing
updates, and BGP sessions can be protected with TCP MD5 signatures; enable them so that a rogue device cannot
inject routes into the network.
Switches
Switch Port Security and 802.1X (5:35)
Switches can be used to connect multiple LAN segments. Switches operate at the Data
Link layer of the OSI model (Layer 2), using the MAC address to deliver frames to their
destination port.
Switches create virtual circuits between systems in a network. These virtual circuits are
somewhat private and reduce network traffic. They are more difficult to examine with
network monitors: a port sees only frames destined for the computer attached to it, plus
broadcasts.
This isolation is a side effect of MAC address learning, not a security control. An attacker
on the same switch can flood the MAC table or spoof ARP replies to make other hosts' traffic
come to their port, so switched networks still need port security and VLAN segmentation.
Switches are used to create security segments on a LAN through the implementation of
VLANs.
VLAN Management (3:44)
Physical access control to the networking closet is critical to protect switched networks
against any exposed supervisory ports that can be exploited by an attacker.
Methods for securing switches:
Switches should be kept in locked rooms
You should use complex passwords for administrative consoles
Switches should be kept current with the latest available vendor security
patches
Use monitoring equipment to protect connection points and devices
Telecom/PBX Systems
Many modern PBX (private branch exchange) systems integrate voice
and data onto a single data connection to your phone service provider.
These connections are made using existing network connections such
as a T1 or T3 network.
A PBX provides a connection to the public switched telephone network
(PSTN) and provides telephone extensions for employees. A PBX is a
programmable telephone switch that is typically located on a
company’s premises. A PBX can usually be remotely administered.
For years, PBX-type systems have been targeted by hackers, mainly to
get free long-distance service. The vulnerabilities that phone networks
are subject to include social engineering, long-distance toll fraud, and
breach of data privacy.
To protect a PBX from hacker attacks:
Make sure the PBX is in a secure area
Limit the number of entry points
Change default passwords
Only allow authorized maintenance
Remote PBX administration should require user names and passwords
The telephone number used to remotely administer a PBX should be
unlisted
Block all toll numbers and limit long-distance calling
Implement a PBX password change and audit policy
Many times, hackers can gain access to the phone system via social
engineering because this device is usually serviced through a remote
maintenance port.
A modern digital PBX system
integrating voice and data onto a
single network connection
Virtual Private Networks
VPNs are used to make
connections between private
networks across a public
network.
VPN connections provide a
mechanism for the creation of
a secured "tunnel" through a
public network such as the
Internet using a tunneling
protocol, such as L2TP or PPTP.
The tunnel by itself does not
guarantee security; the traffic
is protected only when an
encryption system, such as
IPSec, is used with it.
VPN Concentrators (2:06)
VPN Server in Front of the Firewall
With the VPN server in front of the firewall
attached to the Internet you need to add packet
filters to the Internet interface that only allow VPN
traffic to and from the IP address of the VPN
server's interface on the Internet.
For inbound traffic, when the tunneled data is
decrypted by the VPN server it is forwarded to the
firewall, which employs its filters to allow the traffic
to be forwarded to intranet resources.
Because the only traffic that is crossing the VPN
server is traffic generated by authenticated VPN
clients, firewall filtering in this scenario can be used
to prevent VPN users from accessing specific
intranet resources.
Because the only Internet traffic allowed on the
intranet must go through the VPN server, this
approach also prevents the sharing of File Transfer
Protocol (FTP) or Web intranet resources with non-VPN Internet users.
For the Internet interface on the VPN server, configure
the input and output filters using the Routing and
Remote Access snap-in.
VPN Server Behind the Firewall
More commonly, the firewall is connected to the
Internet and the VPN server is another intranet
resource connected to a DMZ. The VPN server has an
interface on the DMZ and an interface on the intranet.
In this approach, the firewall must be configured with
input and output filters on its Internet interface to allow
the passing of tunnel maintenance traffic and tunneled
data to the VPN server. Additional filters can allow the
passing of traffic to Web servers, FTP servers, and other
types of servers on the DMZ.
The firewall does not have the encryption keys for each
VPN connection, so it can filter only on the plaintext
headers of the tunneled data, meaning that all
tunneled data passes through the firewall. This is
acceptable because the VPN connection requires an
authentication process that prevents unauthorized
access beyond the VPN server.
When you deploy a VPN gateway in its own DMZ behind
the external firewall, you receive the following benefits:
The firewall can protect the VPN gateway
The firewall can inspect plain text from the VPN
Internet connectivity does not depend on the VPN
gateway
In this deployment, the following drawbacks are
experienced:
The firewall will need special routes to the VPN gateway
configured
Roaming client support is hard to achieve
For the Internet interface on the firewall, input
and output filters need to be configured using the
firewall's configuration software.
Web Security Gateway
A web security gateway can be thought of as a proxy server with web
protection software built in.
Web protection can range from a standard virus scanner on incoming
packets to also monitoring outgoing user traffic for red flags.
Potential red flags the gateway can detect/prohibit include:
 Inappropriate content
 Trying to establish a peer-to-peer connection with a file-sharing site
 Instant messaging
 Unauthorized tunneling
You can configure most web security gateways to block known
HTTP/HTML exploits, strip ActiveX tags, strip Java applets, and
block/strip cookies.
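An added example (not the page's code and not any product's) of the stripping a web security gateway performs on a response: Java applets and object elements (the tag ActiveX controls are embedded with) are removed from the HTML, including their nested param tags and fallback text, and Set-Cookie/Cookie headers are dropped. The response body, its headers and the classid value are constructed sample data.

```python
from html.parser import HTMLParser

# Elements carrying active content the gateway has been told to strip:
# Java applets and <object> (the tag ActiveX controls are embedded with).
STRIP_ELEMENTS = {"applet", "object"}
COOKIE_HEADERS = {"set-cookie", "cookie"}


class ContentStripper(HTMLParser):
    """Re-emits an HTML document minus the stripped elements, including
    everything nested inside them (their <param> tags and fallback text)."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # pass entities through untouched
        self.out = []
        self.depth = 0          # > 0 while inside a stripped element
        self.removed = 0        # number of top-level elements dropped

    def handle_starttag(self, tag, attrs):
        if tag in STRIP_ELEMENTS:
            if self.depth == 0:
                self.removed += 1
            self.depth += 1
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):       # self-closing tags such as <img ... />
        if self.depth == 0 and tag not in STRIP_ELEMENTS:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in STRIP_ELEMENTS:
            self.depth = max(0, self.depth - 1)
        elif self.depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self.depth == 0:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        if self.depth == 0:
            self.out.append(f"<!{decl}>")


def strip_cookies(headers):
    """Drop Set-Cookie (server -> client) and Cookie (client -> server) headers."""
    return [(name, value) for name, value in headers if name.lower() not in COOKIE_HEADERS]


def filter_response(headers, body):
    """Apply the gateway policy to one HTTP response.
    Returns (filtered headers, rewritten body, number of elements removed)."""
    parser = ContentStripper()
    parser.feed(body)
    parser.close()
    return strip_cookies(headers), "".join(parser.out), parser.removed


# Constructed sample response (the classid is a placeholder, not a real control).
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; HttpOnly")]
SAMPLE_BODY = (
    "<html><body><p>Hello &amp; welcome</p>"
    '<applet code="Dropper.class" width="1" height="1"><param name="x" value="1">'
    "Your browser does not support applets.</applet>"
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<param name="movie" value="ad.swf"></object>'
    '<img src="logo.png"/><p>Bye</p></body></html>'
)

if __name__ == "__main__":
    headers, body, removed = filter_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(headers)
    print(body)
    print(f"{removed} active-content elements removed")
```

Tag stripping is a coarse control: script on the page can create the same elements at runtime, so a real gateway also scans or blocks scripts, and it has to decompress and buffer the body before it can rewrite it.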
Spam Filters
Spam filters can be added to catch unwanted email and
filter it out before it gets delivered internally.
The filtering is done based on rules that are established:
 Block email coming from certain IP addresses
 Block email that contains particular words in the subject
line
Spam filters can scan both incoming and outgoing
messages and thus act as a quick identifier of internal
PCs that may have contracted a virus.
A number of vendors make all-in-one devices that
combine spam filters with firewalls, load balancers, and
a number of other services.
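The two rule types above, plus the outbound check the slide mentions, as an added example rather than any product's code: inbound mail is blocked by sending network (CIDR match) or by blocked words in the subject line, and outbound mail is counted per internal host so that a PC that suddenly starts sending in volume is quarantined and reported as a possible infection. The addresses, messages, word list and the limit of five messages are constructed.

```python
import ipaddress
import re
from collections import Counter


class SpamFilter:
    """Rule-based mail filter (added example). Inbound mail is blocked by
    source network or by words in the subject line; outbound mail is counted
    per internal host so a PC that suddenly starts mass-mailing (a common
    sign of a virus infection) is flagged."""

    def __init__(self, blocked_networks, subject_words, outbound_limit=5):
        self.blocked = [ipaddress.ip_network(n) for n in blocked_networks]
        pattern = r"\b(" + "|".join(re.escape(w) for w in subject_words) + r")\b"
        self.subject_re = re.compile(pattern, re.IGNORECASE)
        self.outbound_limit = outbound_limit
        self.outbound_counts = Counter()

    def inbound(self, msg):
        """msg: dict with 'peer_ip' (the sending SMTP server) and 'subject'."""
        ip = ipaddress.ip_address(msg["peer_ip"])
        if any(ip in net for net in self.blocked):
            return "block", f"sender {ip} is on the IP blocklist"
        hit = self.subject_re.search(msg["subject"])
        if hit:
            return "block", f"subject contains blocked word {hit.group(1)!r}"
        return "deliver", ""

    def outbound(self, msg):
        """msg: dict with 'peer_ip' (the internal PC that submitted the mail)."""
        host = msg["peer_ip"]
        self.outbound_counts[host] += 1
        if self.outbound_counts[host] > self.outbound_limit:
            return "quarantine", (f"{host} sent more than {self.outbound_limit} "
                                  "messages; possible infected host")
        return "deliver", ""


# Constructed sample traffic.
INBOUND = [
    {"peer_ip": "198.51.100.7", "subject": "Quarterly report"},
    {"peer_ip": "203.0.113.200", "subject": "Meeting tomorrow"},      # from a blocked network
    {"peer_ip": "198.51.100.8", "subject": "You are a LOTTERY winner"},
]
OUTBOUND = [{"peer_ip": "10.0.0.5"}] * 3 + [{"peer_ip": "10.0.0.9"}] * 7


def run():
    """Returns (inbound verdicts, outbound verdicts, internal hosts flagged)."""
    f = SpamFilter(blocked_networks=["203.0.113.0/24"],
                   subject_words=["lottery", "free money"], outbound_limit=5)
    inbound = [f.inbound(m)[0] for m in INBOUND]
    outbound = [f.outbound(m)[0] for m in OUTBOUND]
    flagged = sorted(h for h, n in f.outbound_counts.items() if n > f.outbound_limit)
    return inbound, outbound, flagged


if __name__ == "__main__":
    print(run())
```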
Understanding Remote Access
Using Point-to-Point Protocol
Point-to-Point Protocol (PPP) offers multiple-protocol
support, including AppleTalk, IPX, and DECnet, and is widely
used as the transport protocol for dial-up connections.
PPP is a protocol for communicating between two points
over a serial interface and provides service at Layer 2 of the
OSI model. PPP can handle both synchronous and
asynchronous connections.
PPP provides no confidentiality. It is intended for dial-up links and should never be used on its own as a VPN
across a public network.
PPP works with POTS, Integrated Services Digital Network
(ISDN), and faster connections such as T1.
PPP does not encrypt data, but it does provide
authentication, most commonly with the Challenge Handshake
Authentication Protocol (CHAP). CHAP never sends the password
itself: the server sends a random challenge and the client answers
with a hash of that challenge combined with the shared secret. The
server can repeat the challenge at any time during an ongoing
session to re-authenticate the peer.
A dial-up connection using PPP is generally acceptable because it
is uncommon for an attacker to tap a phone line. Make sure all
your PPP connections use secure channels, dedicated circuits, or
dial-up connections, never an open network.
PPP using a single B channel on
an ISDN connection. In the case
of ISDN, PPP would normally use
one 64Kbps B channel for
transmission.
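CHAP as described above, worked through in Python as an added example (not the course's code and not a PPP implementation): the server issues a random challenge, the client answers with MD5(Identifier || secret || challenge) as RFC 1994 defines, the server verifies against its own copy of the secret, a replayed response is rejected because each challenge is used once, and the server can re-challenge in the middle of a session. The last function shows the caveat a practitioner should know: because the challenge and the response cross the line in the clear, a sniffer can brute-force a weak secret offline. The username, secret and word list are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server (remote-access server) side: issues challenges and verifies
    responses against the locally stored shared secret. The secret itself
    never crosses the line; only the challenge and the hash do."""

    def __init__(self, secrets, rng=os.urandom):
        self.secrets = secrets            # username -> shared secret (constructed sample data)
        self.rng = rng
        self.identifier = 0
        self.outstanding = {}             # identifier -> challenge still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256      # one-octet Identifier field
        chal = self.rng(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, username, response):
        chal = self.outstanding.pop(identifier, None)      # a challenge is usable once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client (dial-in) side."""

    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, identifier, challenge):
        return self.username, chap_response(identifier, self.secret, challenge)


def session(client_secret=b"correct horse battery"):
    """One CHAP exchange. Returns (initial auth result, result of replaying the
    same response, result of an on-demand re-challenge later in the session)."""
    server = ChapAuthenticator({"alice": b"correct horse battery"})
    client = ChapPeer("alice", client_secret)
    ident, chal = server.challenge()
    name, resp = client.respond(ident, chal)
    first = server.verify(ident, name, resp)
    replay = server.verify(ident, name, resp)    # sniffed response replayed: refused
    ident2, chal2 = server.challenge()           # server re-challenges mid-session
    name2, resp2 = client.respond(ident2, chal2)
    again = server.verify(ident2, name2, resp2)
    return first, replay, again


def offline_guess(identifier, challenge, captured_response, wordlist):
    """What a sniffer on the line can do: challenge and response travel in the
    clear, so a weak secret can be recovered offline by guessing candidates."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == captured_response:
            return candidate
    return None


if __name__ == "__main__":
    print(session())             # (True, False, True)
    print(session(b"wrong"))     # (False, False, False)
```

The offline attack is the reason CHAP secrets must be long and random rather than user-chosen passwords, and why the dial-up link being hard to tap matters for PPP's security.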
Understanding Remote Access
Working with Tunneling Protocols
Tunneling protocols add a capability to the
network:
The ability to create tunnels between networks that
can be more secure, support additional protocols, and
provide virtual paths between systems.
The three primary tunneling protocols are PPTP
(Point-to-Point Tunneling Protocol), L2TP (Layer 2
Tunneling Protocol) and L2F (Layer 2 Forwarding
protocol).
Working with Tunneling Protocols
Point-to-Point Tunneling Protocol
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the
Point-to-Point Protocol (PPP) to create a virtual connection across the Internet so that
networks can use the Internet as their WAN link.
PPTP is known as a tunneling protocol because it carries the PPP frames of the dial-up
session inside GRE packets across the IP network, which results in a connection between
client and server that appears private.
This connectivity method creates a virtual private network (VPN), allowing for private
network security. In effect PPTP creates a WAN connection using dial-up access.
PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates PPP
packets and encrypts them (with MPPE). This made PPTP a favorite low-end protocol for networks.
The negotiation between the two ends of a PPTP connection is done in the clear. Once
the negotiation is performed, the channel is encrypted. A packet-capture device, such as
a sniffer, that captures the negotiation process can potentially use that information to
determine the connection type and information about how the tunnel works. PPTP's
authentication (MS-CHAP) and the keys MPPE derives from it have well-known weaknesses,
so PPTP is now regarded as obsolete; L2TP/IPSec or another IPSec-based VPN should be
used instead.
Working with Tunneling Protocols
Layer 2 Forwarding
L2F was created by Cisco as a method of creating tunnels primarily for dial-up
connections. L2F is similar in capability to PPP and should not be used over WANs. L2F
does provide authentication, but it does not provide encryption.
Layer 2 Tunneling Protocol
Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP that can be used
between LANs and can also be used to create a VPN.
L2TP is primarily a point-to-point protocol.
Microsoft and Cisco later combined their respective tunneling protocols into one
protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F.
L2TP supports multiple network protocols and can be used in networks besides TCP/IP.
L2TP works over IPX, SNA, and IP.
L2TP provides no encryption of its own, so use IPSec with it (L2TP/IPSec) to encrypt the data.
L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets
as well as for maintaining the connection. L2TP uses UDP port number 1701.
Working with Tunneling Protocols
Secure Shell
Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner.
SSH was originally designed for UNIX systems. SSH is a program that secures connections by encrypting the
session between the client and the server. SSH also provides secure replacements for programs such as Telnet
and FTP (for example scp and sftp) and for many of the other communications-oriented programs under UNIX,
and can forward (tunnel) other TCP connections through the encrypted session.
SSH transmits both authentication information and data securely during terminal connections with UNIX
computers. SSH uses TCP port 22.
Internet Protocol Security
IPSec (Internet Protocol Security) is not a tunneling protocol in the sense of the protocols above, but it is
used in conjunction with them to provide network security. IPSec is oriented primarily toward LAN-to-LAN
connections rather than dial-up connections.
IPSec can be used to authenticate packet headers and to encrypt and encapsulate packets. IPSec provides both
authentication and encryption, and is regarded as one of the strongest security standards.
When the Authentication Header (AH) protocol is used, IPSec protects the integrity and origin of the header
and payload with a keyed hash (not a digital signature); when the Encapsulating Security Payload (ESP) is
used, IPSec encrypts the packet and can authenticate it as well.
Working with Tunneling Protocols
IPSec works at the IP layer, so it can protect any protocol carried over IP (TCP, UDP,
ICMP and so on), and it has two modes of operation:
Tunnel mode is used for VPNs over an unsecured public network. In tunnel mode, the
entire original packet, headers included, is encapsulated and encrypted inside a new
packet with a new outer IP header addressed to the far gateway. Two routers that require
secure communications should use IPSec in tunnel mode.
Transport mode is used when only the data portion needs to be protected, typically
between two hosts on owner-controlled networks such as a LAN. In transport mode, only
the payload is encrypted and the original IP header is kept; packets are not encapsulated.
The End