IS3220 Information Technology Infrastructure Security
Unit 4: Network Security Tools and Techniques
© ITT Educational Services, Inc. All rights reserved.

Class Agenda 1
Learning Objectives
Discussion of Project
Lesson Presentation and Discussions
Discussion on Assignments
Discussion on Lab Activities
Break Times: a 10-minute break every hour
Note: Submit all assignments and labs due today.

Class Agenda 2
Theory: 6:00 pm to 8:00 pm
Lab: 8:15 pm to 11:00 pm

Reading Assignment
Chapter 5: Network Security Implementation
Chapter 7: Exploring the Depths of Firewalls
Chapter 15: Perspectives, Resources, and the Future

Learning Objective and Key Concepts
Learning Objective
Identify network security tools and discuss techniques for network protection.
Key Concepts
Securing the LAN-to-WAN Domain – the Internet ingress/egress point
Mitigating risk with IDSs and IPSs
Intrusion detection and intrusion prevention strategies
Automated network scanning and vulnerability assessment tools
Data protection strategies

Network Security Implementation
Seven domains are commonly found in the typical IT infrastructure.
Hackers look for every opportunity to exploit a target.
No aspect of an IT infrastructure is without risk or immune to the scrutiny of hackers.
Each of the seven domains of a typical IT infrastructure has unique aspects that need security improvements.
Seven Domains of IT Infrastructure
Risks associated with each of the seven domains of IT infrastructure:
User Domain: training, strong authentication, granular authorization, and detailed accounting.
Workstation Domain: requires security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management.
Local Area Network (LAN) Domain: protocols, addressing, topology, and communication encryption provide security for this domain.
LAN-to-Wide Area Network (WAN) Domain: switches, routers, firewalls, proxies, and communication encryption are important aspects of security for this domain.
Remote Access Domain: involves SSL 128-bit encrypted remote browser access or encrypted VPN tunnels for secure remote communications.
WAN Domain: protocol selection, addressing schemes, and communication encryption are elements of securing this domain.
Systems/Applications Domain: network design, authentication, authorization, accounting, and node security are important security concerns for this domain.

EXPLORE: CONCEPTS

Vulnerability Assessment Scanners
Network Scanners
Web Application Scanners

Nmap and Zenmap
Network Mapper (Nmap) runs at the command line
Zenmap is the graphical user interface to Nmap
Originally intended as a network mapping utility
Port scanning and host detection features
• Identify access points to a network
• Identify holes in access controls
Highly configurable
Open source
Zenmap: Nmap Output Tab (screenshot slide)

Nessus
Commercial security scanner developed by Tenable Network Security
UNIX based
Network-centric, with Web-based consoles and a central server
Offers a comprehensive set of tools
Useful tool for larger networks
Reports indicate which ports are open on which hosts and any security threats to those ports

Retina
Proprietary vulnerability scanner
Deep-scans a network looking for known issues that have not been patched in existing applications
Also scans for open ports
Output report indicates network vulnerabilities and the state of the environment
Easy-to-understand, graphically intensive format

SAINT
SAINT = System Administrator's Integrated Network Tool
Commercial vulnerability assessment tool
UNIX based
Full suite of tools, like Nessus
SAINT Corporation sells SAINT and other security tools

EXPLORE: PROCESS

Network Analysis
Also referred to as "network forensic analysis"
Analysis of network data to reconstruct network activity over a specific period of time
Common uses
• Detect vulnerabilities and threats
• Reconstruct the sequence of events that took place during a network-based security incident
• Discover the source of security policy violations or information assurance breaches
Network Analysis (Continued)
Able to reveal
• Vulnerabilities
• Probing
• Denial of service (DoS) attacks
• User-to-root attacks
• Remote-to-local attacks

Overview of Network Analysis Tools
Packet Capture Tools
Intrusion Detection Systems (IDSs)
Data Collectors

EXPLORE: ROLES

Data Loss/Data Leak Prevention Tools
Detect and block sensitive data from exiting a network
Enforce policies across file shares, databases, e-mail systems, and on stored data
Two basic types
• Perimeter-based and client-based
• Some products combine the two types
Cloud products are coming

EXPLORE: CONTEXT

The LAN-to-WAN Domain

Ingress and Egress
Ingress = inbound traffic
Egress = outbound traffic

The Boundary Router
Functions at the network perimeter, in the DMZ
Accepts traffic from the Internet
Filters unapproved traffic and passes approved traffic to the firewall
Protects the internal network against IP address spoofing and directed IP broadcasts
Ingress Filtering
Excludes or rejects all inbound data packets that carry an internal host address
Drops non-routable IP addresses
Note: Non-routable IP addresses are specified in RFC 1918 (Private Network Addresses)

Egress Filtering
Stops packets that have non-company addresses as their source address from leaving the internal (company) network

Intrusion Detection System (IDS)
Monitors internal hosts or networks
Seeks symptoms of compromise or intrusion
Upon detection of an intruder, an IDS can:
• Send commands or requests to the firewall to break a connection
• Block an IP address
• Block a port/protocol
Some IPSs provide basic data loss/leak prevention capabilities

Intrusion Prevention System (IPS)
Monitors internal hosts or networks, watching for symptoms of compromise or intrusion
Detects attempts to attack or intrude before they are successful
Upon detection of an intruder, an IPS can respond by preventing the success of the attempt

IDS vs. IPS
IDS: detects and reacts to events that the IPS misses
IPS: acts to prevent; the first layer of proactive defense

Host-Based vs. Network-Based IDSs/IPSs
IDSs and IPSs
• IDSs and IPSs look for attack signatures—specific patterns that usually indicate malicious or suspicious intent
• Can be anomaly-based or behavioral-based
Host-based and network-based IDSs/IPSs
• Network-based IDSs/IPSs look for patterns in network traffic
• Host-based IDSs/IPSs look for attack signatures in log files

Summary
Securing the LAN-to-WAN Domain
• Internet ingress and egress point
Mitigating risk with IDSs and IPSs
Intrusion detection and intrusion prevention strategies
Automated network scanning and vulnerability assessment tools
Data protection strategies

Unit 4 Assignments
Discussion 4.1: Host-Based vs. Network-Based IDSs/IPSs
Lab 4.2: Configuring a pfSense Firewall on the Server
Assignment 4.3: Identify Unnecessary Services From a Saved Vulnerability Scan
Project 4.4: Network Survey
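The ingress and egress rules from the Boundary Router, Ingress Filtering and Egress Filtering slides, worked through as an added Python example (not part of the ITT course material). It assumes the company's public block is 203.0.113.0/24, an RFC 5737 documentation range used here as a constructed placeholder, and checks inbound sources against the three RFC 1918 ranges the Ingress Filtering slide refers to; the sample packets are constructed as well.

```python
import ipaddress
from typing import NamedTuple, Tuple

# Assumption: the company's public address block. 203.0.113.0/24 is an
# RFC 5737 documentation range, used here as a constructed placeholder.
COMPANY_NET = ipaddress.ip_network("203.0.113.0/24")

# Non-routable private address space, as specified in RFC 1918.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


class Packet(NamedTuple):
    direction: str  # "ingress" = arriving from the Internet, "egress" = leaving the LAN
    src: str        # source IP address
    dst: str        # destination IP address


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Apply the boundary router's ingress/egress rules to one packet.

    Returns ("accept" | "drop", reason).
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.direction == "ingress":
        # Ingress filtering: a packet arriving from the Internet must not
        # claim an internal host address (IP address spoofing).
        if src in COMPANY_NET:
            return "drop", "ingress: spoofed internal source address"
        # Ingress filtering: RFC 1918 addresses are never valid on the Internet.
        if any(src in net for net in RFC1918_NETS):
            return "drop", "ingress: non-routable RFC 1918 source address"
        # Boundary router: refuse directed IP broadcasts aimed at the LAN.
        if dst == COMPANY_NET.broadcast_address:
            return "drop", "ingress: directed IP broadcast"
        return "accept", "ingress: approved, passed to firewall"

    if pkt.direction == "egress":
        # Egress filtering: only company addresses may leave as a source;
        # this also stops RFC 1918 addresses from leaking out of the LAN.
        if src not in COMPANY_NET:
            return "drop", "egress: non-company source address"
        return "accept", "egress: approved"

    raise ValueError(f"unknown direction: {pkt.direction!r}")


# Constructed sample traffic; 198.51.100.0/24 and 192.0.2.0/24 are also
# documentation ranges, standing in for arbitrary Internet hosts.
SAMPLE_PACKETS = [
    Packet("ingress", "198.51.100.7", "203.0.113.10"),   # normal inbound
    Packet("ingress", "203.0.113.9", "203.0.113.10"),    # spoofed internal source
    Packet("ingress", "10.4.4.4", "203.0.113.10"),       # RFC 1918 source
    Packet("ingress", "198.51.100.7", "203.0.113.255"),  # directed broadcast
    Packet("egress", "203.0.113.10", "192.0.2.33"),      # normal outbound
    Packet("egress", "192.168.1.5", "192.0.2.33"),       # leaking private address
]


def filter_all(packets=SAMPLE_PACKETS):
    """Run every packet through the filter; returns (packet, verdict, reason) tuples."""
    return [(p, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, reason in filter_all():
        print(f"{pkt.direction:7} {pkt.src:>14} -> {pkt.dst:<14} {verdict:6} {reason}")
```

The rule order matters: the spoofed-internal check runs first so that a packet forging a company address is never evaluated as "approved" by a later rule, and the egress rule is written as an allow-list (only company sources may leave) rather than a deny-list of private ranges, which is what stops any non-company source, not just RFC 1918 ones.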
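The host-based versus network-based distinction on the Host-Based vs. Network-Based IDSs/IPSs slide, together with the "block an IP address" response from the IDS slide, as an added Python example that is not part of the course material. The host sensor applies an attack signature to log lines and a behavioral threshold to the matches; the network sensor applies a payload signature to traffic records and a probing heuristic. The log lines, flow records, thresholds and regular expressions are all constructed for illustration and are not from any product.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple


class Alert(NamedTuple):
    sensor: str   # "host" or "network"
    source: str   # offending source IP address
    kind: str
    detail: str


# ---- Host-based sensor: attack signatures applied to a log file ----------

# Signature for a failed SSH login (matches the usual sshd log wording).
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
# Behavioral threshold (assumption: tune per site) that turns repeated
# signature hits from one source into a brute-force alert.
FAILED_LOGIN_THRESHOLD = 5


def host_ids(log_lines: List[str]) -> List[Alert]:
    failures = defaultdict(list)          # source IP -> usernames tried
    for line in log_lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
    alerts = []
    for src, users in failures.items():
        if len(users) >= FAILED_LOGIN_THRESHOLD:
            alerts.append(Alert("host", src, "brute-force login",
                                f"{len(users)} failed logins; users tried: {sorted(set(users))}"))
    return alerts


# ---- Network-based sensor: signatures applied to traffic -----------------

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


# Payload signatures as (name, pattern); one classic pattern is enough here.
PAYLOAD_SIGNATURES = [
    ("path traversal", re.compile(rb"\.\./")),
]
# Behavioral rule (assumption): one source touching this many distinct
# destination:port pairs is treated as probing.
PROBE_TARGET_THRESHOLD = 3


def network_ids(flows: List[Flow]) -> List[Alert]:
    alerts = []
    targets_by_src = defaultdict(set)
    for f in flows:
        targets_by_src[f.src].add((f.dst, f.dport))
        for kind, sig in PAYLOAD_SIGNATURES:
            if sig.search(f.payload):
                alerts.append(Alert("network", f.src, kind,
                                    f"{f.dst}:{f.dport} payload matched {sig.pattern!r}"))
    for src, targets in targets_by_src.items():
        if len(targets) >= PROBE_TARGET_THRESHOLD:
            alerts.append(Alert("network", src, "port probing",
                                f"{len(targets)} distinct dst:port pairs"))
    return alerts


def ips_block_list(alerts: List[Alert]) -> List[str]:
    """The IDS/IPS response from the slides: source addresses to block at the firewall."""
    return sorted({a.source for a in alerts})


# ---- Constructed sample input (documentation address ranges) -------------

HOST_LOG = [
    "Jan 10 10:00:01 srv1 sshd[2201]: Failed password for root from 198.51.100.9 port 41022 ssh2",
    "Jan 10 10:00:02 srv1 sshd[2201]: Failed password for root from 198.51.100.9 port 41023 ssh2",
    "Jan 10 10:00:03 srv1 sshd[2202]: Failed password for invalid user admin from 198.51.100.9 port 41024 ssh2",
    "Jan 10 10:00:04 srv1 sshd[2202]: Failed password for invalid user test from 198.51.100.9 port 41025 ssh2",
    "Jan 10 10:00:05 srv1 sshd[2203]: Failed password for root from 198.51.100.9 port 41026 ssh2",
    "Jan 10 10:00:30 srv1 sshd[2210]: Accepted password for alice from 203.0.113.5 port 50122 ssh2",
    "Jan 10 10:01:00 srv1 sshd[2215]: Failed password for bob from 203.0.113.5 port 50130 ssh2",
]

FLOWS = [
    Flow("198.51.100.9", "203.0.113.20", 22, b""),
    Flow("198.51.100.9", "203.0.113.20", 23, b""),
    Flow("198.51.100.9", "203.0.113.20", 80, b""),
    Flow("192.0.2.10", "203.0.113.80", 80, b"GET /index.html HTTP/1.1"),
    Flow("192.0.2.44", "203.0.113.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
]


def run_sensors():
    """Run both sensors over the sample data and derive the firewall block list."""
    alerts = host_ids(HOST_LOG) + network_ids(FLOWS)
    return alerts, ips_block_list(alerts)


if __name__ == "__main__":
    alerts, blocked = run_sensors()
    for a in alerts:
        print(f"[{a.sensor}] {a.source}: {a.kind} ({a.detail})")
    print("firewall block list:", blocked)
```

Note how the two sensors see different evidence of the same source: the host sensor only learns about 198.51.100.9 from the login failures in the log file, while the network sensor sees its port sweep in traffic; the single failed login from 203.0.113.5 stays below the threshold and produces no alert, which is the trade-off a behavioral threshold makes between missed events and false alarms.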