
Secure Network Design
Lecture 10
Asst. Prof. Supakorn Kungpisdan, Ph.D.
supakorn@mut.ac.th
NETE4630 Advanced Network Security and Implementation

Network Security Design: The 12 Step Program

1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security


Network Assets

- Hardware
- Software
- Applications
- Data
- Intellectual property
- Trade secrets
- Company’s reputation


Security Risks

- Hacked network devices
  - Data can be intercepted, analyzed, altered, or deleted
  - User passwords can be compromised
  - Device configurations can be changed
- Reconnaissance attacks
- Denial-of-service attacks


Security Tradeoffs

- Tradeoffs must be made between security goals and other goals:
  - Affordability
  - Usability
  - Performance
  - Availability
  - Manageability


A Security Plan

- A high-level document that proposes what an organization is going to do to meet security requirements
- It specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy


A Security Policy

- Per RFC 2196, “The Site Security Handbook,” a security policy is a “formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
- The policy should address access, accountability, authentication, privacy, and computer technology purchasing guidelines


Security Mechanisms

- Physical security
- Authentication
- Authorization
- Accounting (Auditing)
- Data encryption
- Packet filters
- Firewalls
- Intrusion Detection Systems (IDSs)


Modularizing Security Design

- Security defense in depth: network security should be multilayered, with many different techniques used to protect the network
- Belt-and-suspenders approach: don’t get caught with your pants down


Modularizing Security Design (cont.)

Secure all components of a modular design:
- Internet connections
- Public servers and e-commerce servers
- Remote access networks and VPNs
- Network services and network management
- Server farms
- User services
- Wireless networks


Cisco’s Enterprise Composite Network Model

(Figure: block diagram of the model. Enterprise Campus: Building Access, Building Distribution, Campus Backbone, Server Farm, Network Management, and Edge Distribution. Enterprise Edge: E-Commerce, Internet Connectivity, VPN/Remote Access, and WAN. Service Provider Edge: ISP A, ISP B, PSTN, and Frame Relay/ATM.)


Cisco SAFE

- The Cisco SAFE Blueprint addresses security in every module of a modular network architecture.


Legend (figure)


SAFE Block Diagram (figure)


Enterprise Campus Details (figure)


Management Module

- The primary goal of the management module is to facilitate the secure management of all devices and hosts within the enterprise SAFE architecture.
- Logging and reporting information flows from the devices through to the management hosts, while content, configurations, and new software flow to the devices from the management hosts.


Management Module: Key Devices

- SNMP Management host – provides SNMP management for devices
- NIDS host – provides alarm aggregation for all NIDS devices in the network
- Syslog host(s) – aggregates log information for Firewall and NIDS hosts
- Access Control Server – delivers one-time, two-factor authentication services to the network devices
- One-Time Password (OTP) Server – authorizes one-time password information relayed from the access control server
- System Admin host – provides configuration, software, and content changes on devices
- NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
- Cisco IOS Firewall – allows granular control for traffic flows between the management hosts and the managed devices
- Layer 2 switch (with private VLAN support) – ensures data from managed devices can only cross directly to the IOS firewall


Management Module Details (figure)


Management Module: Threats Mitigated

- Unauthorized Access – filtering at the IOS firewall stops most unauthorized traffic in both directions
- Man-in-the-Middle Attacks – management data is crossing a private network, making man-in-the-middle attacks difficult
- Network Reconnaissance – because all management traffic crosses this network, it does not cross the production network where it could be intercepted
- Password Attacks – the access control server allows for strong two-factor authentication at each device
- IP Spoofing – spoofed traffic is stopped in both directions at the IOS firewall
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
- Trust Exploitation – private VLANs prevent a compromised device from masquerading as a management host
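The management-module flow policy (logging and reporting from the managed devices to the management hosts, configuration and software from the management hosts to the devices, everything else denied at the IOS firewall) as an added Python model. This is example code written for this page, not the lecture's or Cisco's; the address ranges, port numbers, and sample packets are assumptions.

```python
# Added example (not from the lecture): a minimal model of the management-module
# firewall policy. Only two kinds of flow are permitted: logging/reporting from
# managed devices to the management hosts, and configuration/software pushes from
# the management hosts to the devices. Addresses and ports are constructed samples.
import ipaddress

MGMT_HOSTS = ipaddress.ip_network("10.99.0.0/24")       # management segment (assumed)
MANAGED_DEVICES = ipaddress.ip_network("10.10.0.0/16")  # managed devices (assumed)

# (direction, protocol, destination port) tuples the firewall permits.
# device -> mgmt: syslog and SNMP traps; mgmt -> device: SSH, SNMP polling, TFTP.
ALLOWED_FLOWS = {
    ("device_to_mgmt", "udp", 514),   # syslog to the syslog host
    ("device_to_mgmt", "udp", 162),   # SNMP trap to the SNMP management host
    ("mgmt_to_device", "tcp", 22),    # SSH from the system admin host
    ("mgmt_to_device", "udp", 161),   # SNMP polling of the device
    ("mgmt_to_device", "udp", 69),    # TFTP for software and config transfer
}

def classify_direction(src, dst):
    """Return which way a packet crosses the firewall, or None if it is
    neither a device->mgmt nor a mgmt->device flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MANAGED_DEVICES and d in MGMT_HOSTS:
        return "device_to_mgmt"
    if s in MGMT_HOSTS and d in MANAGED_DEVICES:
        return "mgmt_to_device"
    return None

def firewall_decision(src, dst, proto, dport):
    """Permit only the flows listed in ALLOWED_FLOWS; deny by default."""
    direction = classify_direction(src, dst)
    if direction is None:
        return "deny"            # device-to-device, unknown or spoofed source
    if (direction, proto, dport) in ALLOWED_FLOWS:
        return "permit"
    return "deny"                # wrong direction or service for this pair

# Constructed packets: (src, dst, proto, dport)
SAMPLE_PACKETS = [
    ("10.10.1.1", "10.99.0.10", "udp", 514),  # router sends syslog: permit
    ("10.99.0.20", "10.10.1.1", "tcp", 22),   # admin host SSH to router: permit
    ("10.10.1.1", "10.99.0.20", "tcp", 22),   # router opening SSH to mgmt host: deny
    ("10.10.1.1", "10.10.2.1", "tcp", 23),    # device-to-device telnet: deny
    ("10.99.0.20", "10.10.1.1", "tcp", 23),   # telnet even from mgmt host: deny
]

def evaluate(packets=SAMPLE_PACKETS):
    return [firewall_decision(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate()):
        print(verdict, pkt)
```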


Attack Mitigation Roles for Management Module (figure)


Core Module

Key Device
- Layer 3 switching – routes and switches production network data from one module to another

Threats Mitigated
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing


Building Distribution Module

- Provides distribution layer services to the building switches; these include routing, quality of service (QoS), and access control.

Key Device
- Layer 3 switches – aggregate Layer 2 switches in the building module and provide advanced services

Threats Mitigated
- Unauthorized Access – attacks against server module resources are limited by Layer 3 filtering of specific subnets
- IP Spoofing
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing


Building Module

- SAFE defines the building module as the extensive network portion that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users.

Key Devices
- Layer 2 switch – provides Layer 2 services to phones and user workstations
- User workstation – provides data services to authorized users on the network
- IP phone – provides IP telephony services to users on the network

Threats Mitigated
- Packet sniffers – a switched infrastructure and default VLAN services limit the effectiveness of sniffing
- Virus and Trojan horse applications – host-based virus scanning prevents most viruses and many Trojan horses


Server Module

- Provides application services to end users and devices. Traffic flows on the server module are inspected by on-board intrusion detection within the Layer 3 switches.

Key Devices
- L3 Switch – provides Layer 3 services to the servers and inspects data crossing the server module with NIDS
- Call Manager – performs call routing functions for IP telephony devices in the enterprise
- Corporate and Department Servers – deliver file, print, and DNS services to workstations in the building module
- E-Mail Server – provides SMTP and POP3 services to internal users

Threats Mitigated
- Unauthorized Access
- Application Layer Attacks
- IP Spoofing
- Packet Sniffers
- Trust Exploitation
- Port Redirection


Edge Distribution Module

- Aggregates the connectivity from the various elements at the edge.

Key Devices
- Layer 3 switches – aggregate edge connectivity and provide advanced services

Threats Mitigated
- Unauthorized Access – filtering provides granular control over specific edge subnets and their ability to reach areas within the campus
- IP Spoofing – RFC 2827 filtering limits locally initiated spoof attacks
- Network Reconnaissance – filtering limits nonessential traffic from entering the campus, limiting a hacker’s ability to perform network recon
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
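RFC 2827 filtering at the edge distribution module, together with the management module's point that spoofed traffic is stopped in both directions, as one added Python example (written for this page, not taken from the lecture). The enterprise prefixes and the sample addresses are constructed assumptions; outbound packets must carry one of the enterprise's own source addresses, and inbound packets must not.

```python
# Added example (not from the lecture): RFC 2827-style anti-spoofing at the edge.
# Egress (campus -> Internet): only the enterprise's own prefixes may appear as a
# source, so a compromised internal host cannot launch a spoofed attack outward.
# Ingress (Internet -> campus): no outside packet may claim an internal source.
# Prefixes and sample addresses below are constructed for the demonstration.
import ipaddress

ENTERPRISE_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]
# Sources that are never valid on the edge link in either direction (constructed subset).
BOGON_SOURCES = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENTERPRISE_PREFIXES)

def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_SOURCES)

def anti_spoof(direction, src):
    """Return 'permit' or 'drop' for a packet crossing the edge.
    direction is 'outbound' (campus -> Internet) or 'inbound' (Internet -> campus)."""
    if is_bogon(src):
        return "drop"
    if direction == "outbound":
        # Egress filtering: only our own addresses may leave.
        return "permit" if is_internal(src) else "drop"
    if direction == "inbound":
        # Ingress filtering: nobody outside may claim to be one of our addresses.
        return "drop" if is_internal(src) else "permit"
    raise ValueError("direction must be 'inbound' or 'outbound'")

# Constructed sample traffic: (direction, source address)
SAMPLE = [
    ("outbound", "10.1.2.3"),      # campus host reaching the Internet: permit
    ("outbound", "198.51.100.7"),  # internal host forging a foreign source: drop
    ("inbound", "203.0.113.9"),    # ordinary Internet source: permit
    ("inbound", "10.1.2.3"),       # outsider claiming a campus address: drop
    ("inbound", "127.0.0.1"),      # bogon source: drop
]

def evaluate(samples=SAMPLE):
    return [anti_spoof(d, s) for d, s in samples]

if __name__ == "__main__":
    for (d, s), verdict in zip(SAMPLE, evaluate()):
        print(f"{d:8} {s:16} {verdict}")
```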


Enterprise Edge: Corporate Internet Module (figure)


Enterprise Edge: Corporate Internet Module (cont.)

Key Devices
- SMTP server – acts as a relay between the Internet and the Internet mail servers – inspects content
- DNS server – serves as authoritative external DNS server for the enterprise, relays internal requests to the Internet
- FTP/HTTP server – provides public information about the organization
- Firewall – provides network-level protection of resources and stateful filtering of traffic
- NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
- URL Filtering Server – filters unauthorized URL requests from the enterprise

Threats Mitigated
- Unauthorized Access – mitigated through filtering at the ISP, edge router, and corporate firewall
- Application Layer Attacks – mitigated through IDS at the host and network levels
- Virus and Trojan Horse – mitigated through e-mail content filtering and host IDS
- Password Attacks – limited services available to brute force; OS and IDS
- Denial of Service
- IP Spoofing – at ISP edge and enterprise edge router
- Packet Sniffers – switched infrastructure and host IDS limit exposure
- Network Reconnaissance – IDS detects recon, protocols filtered to limit effectiveness
- Trust Exploitation – restrictive trust model and private VLANs limit trust-based attacks
- Port Redirection – restrictive filtering and host IDS limit attack


Attack Mitigation Role for Corporate Internet Module (figure)


Enterprise Edge: Remote Access VPN Module

- The primary objective of this module is three-fold:
  - Terminate the VPN traffic from remote users
  - Provide a hub for terminating VPN traffic from remote sites, and
  - Terminate traditional dial-in users.


Enterprise Edge: Remote Access VPN Module (cont.)

Key Devices
- VPN Concentrator – authenticates individual remote users using Extended Authentication (XAUTH) and terminates their IPSec tunnels
- VPN Router – authenticates trusted remote sites and provides connectivity using GRE/IPSec tunnels
- Dial-In Server – authenticates individual remote users using TACACS+ and terminates their analog connections
- Firewall – provides differentiated security for the three different types of remote access
- NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module

Threats Mitigated
- Network Topology Discovery – only Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are allowed into this segment from the Internet
- Password Attack – OTP authentication reduces the likelihood of a successful password attack
- Unauthorized Access – firewall services after packet decryption prevent traffic on unauthorized ports
- Man-in-the-Middle – mitigated through encrypted remote traffic
- Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing


Attack Mitigation Roles for Remote Access VPN Module (figure)


Enterprise Edge: WAN Module

- Rather than being all-inclusive of potential WAN designs, this module shows resilience and security for WAN termination.

Key Device
- IOS Router – uses routing, access-control, and QoS mechanisms

Threats Mitigated
- IP Spoofing – mitigated through L3 filtering
- Unauthorized Access – simple access control on the router can limit the types of protocols to which branches have access


Enterprise Edge: E-Commerce Module (figure)


Securing Internet Connections

- Physical security
- Firewalls and packet filters
- Audit logs, authentication, authorization
- Well-defined exit and entry points
- Routing protocols that support authentication


Securing Public Servers

- Place servers in a DMZ that is protected via firewalls
- Run a firewall on the server itself
- Enable DoS protection
  - Limit the number of connections per timeframe
- Use reliable operating systems with the latest security patches
- Maintain modularity
  - Front-end Web server doesn’t also run other services


Security Topologies

(Figure: a DMZ sits between the enterprise network and the Internet and holds the Web, File, DNS, and Mail servers.)


Security Topologies (cont.)

(Figure: the Internet connects to a DMZ holding the Web, File, DNS, and Mail servers; a firewall separates the DMZ from the enterprise network.)


Securing Remote-Access and Virtual Private Networks

- Physical security
- Firewalls
- Authentication, authorization, and auditing
- Encryption
- One-time passwords
- Security protocols
  - CHAP
  - RADIUS
  - IPSec


Securing Network Services

- Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
- Require login IDs and passwords for accessing devices
- Require extra authorization for risky configuration commands
- Use SSH rather than Telnet
- Change the welcome banner to be less welcoming
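An added audit script, written for this page rather than taken from the lecture, that checks a Cisco IOS-style configuration against the hardening points above: a login on every vty line, SSH instead of Telnet, command authorization for privileged configuration commands, and a banner that does not welcome visitors. The configuration text is a constructed sample and the checks are a demonstration, not a complete baseline.

```python
# Added example (not from the lecture): audit a constructed IOS-style running
# configuration for the hardening points on this slide. The config below is a
# made-up sample; the 'enable secret' hash is a placeholder, not a real value.
import re

SAMPLE_CONFIG = """\
hostname edge-rtr1
enable secret 5 $1$PLACEHOLDER$notarealhash
banner motd ^C Welcome to edge-rtr1, please log in ^C
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 no login
aaa new-model
aaa authorization commands 15 default group tacacs+ local
"""

def parse_vty_lines(config):
    """Return {line_name: [commands]} for each 'line vty' block in the config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None          # any top-level command ends the block
    return blocks

def audit(config):
    """Return a list of (check, result) tuples; 'FAIL' marks a hardening gap."""
    findings = []
    for name, cmds in parse_vty_lines(config).items():
        # Require a login ID and password on every remote-access line.
        findings.append((f"{name}: login required", "PASS" if "login local" in cmds else "FAIL"))
        # Use SSH rather than Telnet: the transport must be SSH only.
        transport = next((c for c in cmds if c.startswith("transport input")), "")
        findings.append((f"{name}: SSH only, no Telnet",
                         "PASS" if transport == "transport input ssh" else "FAIL"))
    # Extra authorization for risky (privilege 15) configuration commands.
    findings.append(("command authorization for privilege 15",
                     "PASS" if re.search(r"^aaa authorization commands 15 ", config, re.M) else "FAIL"))
    # The banner should not welcome anyone.
    banner = re.search(r"^banner motd \^C(.*?)\^C", config, re.M | re.S)
    welcoming = bool(banner and re.search(r"welcome", banner.group(1), re.I))
    findings.append(("banner is not welcoming", "FAIL" if welcoming else "PASS"))
    return findings

def failed_checks(config=SAMPLE_CONFIG):
    """Names of the checks that failed, in audit order."""
    return [check for check, result in audit(config) if result == "FAIL"]
```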


Securing Server Farms

- Deploy network and host IDSs to monitor server subnets and individual servers
- Configure filters that limit connectivity from the server in case the server is compromised
- Fix known security bugs in server operating systems
- Require authentication and authorization for server access and management
- Limit the root password to a few people
- Avoid guest accounts


Securing User Services

- Specify which applications are allowed to run on networked PCs in the security policy
- Require personal firewalls and antivirus software on networked PCs
- Implement written procedures that specify how the software is installed and kept current
- Encourage users to log out when leaving their desks
- Consider using 802.1X port-based security on switches


Securing Wireless Networks

- Place wireless LANs (WLANs) in their own subnet or VLAN
  - Simplifies addressing and makes it easier to configure packet filters
- Require all wireless (and wired) laptops to run personal firewall and antivirus software
- Disable beacons that broadcast the SSID, and require MAC address authentication
  - Except in cases where the WLAN is used by visitors


WLAN Security Options

- Wired Equivalent Privacy (WEP)
- IEEE 802.11i
- Wi-Fi Protected Access (WPA)
- IEEE 802.1X Extensible Authentication Protocol (EAP)
- Lightweight EAP or LEAP (Cisco)
- Protected EAP (PEAP)
- Virtual Private Networks (VPNs)
- Any other acronyms we can think of?


Wired Equivalent Privacy (WEP)

- Defined by IEEE 802.11
- Users must possess the appropriate WEP key that is also configured on the access point
  - 64- or 128-bit key (or passphrase)
- WEP encrypts the data using the RC4 stream cipher method
- Infamous for being crackable


WEP Alternatives

- Vendor enhancements to WEP
  - Temporal Key Integrity Protocol (TKIP)
    - Every frame has a new and unique WEP key
  - Advanced Encryption Standard (AES)
- IEEE 802.11i
- Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance
  - Realistic parts of IEEE 802.11i now!


VPN Software on Wireless Clients

- Safest way to do wireless networking for corporations
- Wireless client requires VPN software
  - Connects to VPN concentrator at HQ
  - Creates a tunnel for sending all traffic
- VPN security provides:
  - User authentication
  - Strong encryption of data
  - Data integrity


Review Questions

- How does a security plan differ from a security policy?
- Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
- How can a network manager secure a wireless network?
