SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks

advertisement
SYSTEM ADMINISTRATION
Chapter 10
Public vs. Private Networks
Public vs. Private Networks
• The most precious assets of a company are the
data it has amassed by doing business, and those
assets must be protected.
• The boundary between the private network and the
public network (Internet) is defined as the point
where the LAN may access the Internet. That might
be through a router, or some kind of telephony
device.
Assessing Risk
• Consider the stakeholders:
– Network administrators
– IT managers
– Security managers
– Technicians
– Financial managers
– Upper management.
• Identify the two types of risk: internal risk and external
risk.
– Internal risks: employees, contractors, and
consultants.
– External risk: hackers
(continued)
Assessing Risk
(continued)
• The value of the private network resources must be
clarified. The value includes the cost of data loss as
well as service interruption for employees and
customers.
• Once the risks and value of assets have been
determined, write a security policy to protect the
network. Stakeholders in the organization must
agree to enforce this policy from top down and
bottom up. All employees must be subject to the
same policy.
(continued)
Assessing Risk
(continued)
• Recommendations are then made to enforce the
policy. These may include training, identification of
unacceptable external resources and Web sites, and
remote access to the network.
• All policies must be tested before they are
implemented to assure that employees can still do
the job for the company.
• After the implementation of the security policies
takes place, the boundaries must be continuously
monitored for attempted invasion.
Firewalls
• A firewall is defined as a system (or group of
systems) that prevents unauthorized access to
private network resources from Internet users.
• Firewalls are often a combination of hardware and
software that form the boundary.
• All firewalls implement some kind of access control
list or policy.
• The most common firewall is the router.
(continued)
Firewalls
(continued)
• Routers have the ability to make decisions about
whether a packet may enter the network based on:
o Source and destination addresses
o Source and destination port
o The TCP, IP, UDP, or ICMP protocol type
o Status of the packet as inbound or outbound
from the network
• This decision-making is known as packet filtering.
• The business security policy is the foundation of the
access control list on the router.
What the Firewall Can Do
• The firewall takes one of two actions against a packet
that does not comply with the access control list on a
particular interface: it silently discards the packet or it
generates an error message that is sent back to the
source address on the packet.
• By silently discarding the packet, the intruder concludes
that the device he or she was trying to attack is not
available on the network.
• When an error message is sent back to the source
address, the intruder is alerted to the fact that the system
is alive, but not at the IP address in the destination
portion of the header. The hacker may try other IP
addresses to get into the network.
(continued)
What the Firewall Can Do
(continued)
• With firewalls, only those ports that are necessary
for services will remain open, such as mail (port 25)
or http services (port 80).
• Firewalls are often called the “choke point” for the
network because all incoming and outgoing traffic
must be scrutinized in one central location.
What Firewalls Cannot Do
• A firewall cannot protect from an internally
generated attack against resources.
• A firewall cannot protect against any attack that is
initiated through a modem connected to an
individual workstation within the private network.
• Firewalls cannot protect against social engineering
attacks like password giveaway or impersonation to
a helpdesk representative.
• Firewalls cannot protect against viruses. Certain
types of traffic may be denied because of the access
control list, but many viruses are not using
extraordinary protocol types to do damage.
The Network Layer Firewall
• The network layer firewall makes decisions to allow
or deny packets on the basis of source and
destination address, and port address.
• The network layer firewall cannot explore content
within the payload of the packet.
• The “screened host firewall” is a single device
through which all traffic passes on its way to a single
host within the private network.
(continued)
The Network Layer Firewall
(continued)
• The “screened subnet firewall” is usually a router (or
two routers) through which all traffic passes on its
way to the private network (allowed traffic) or to a
subnet that is not part of the private network, but
holds resources belonging to the network (Web
servers, mail servers, etc.).
• Both types of screening firewalls use a bastion host.
This machine will have two or more NICs.
Application Layer Firewalls
• Use some type of software as well as hardware to
screen incoming requests and packets to the network.
• Often provide extensive logging and auditing of traffic
as well as payload scrutiny for incoming packets.
• Additional services may include proxy services, NAT,
and content caching.
• A proxy firewall creates a table of outgoing packets
with source addresses belonging to the private
network that are mapped (or assigned) to a public IP
address for routing on the Internet. This type of
firewall acts on behalf of the internal client.
(continued)
Application Layer Firewalls
(continued)
• Dual-homed hosts use two NICs installed on the host
machine. Traffic is routed between the two NICs.
• Site-blocking firewalls have the capacity to prevent
packets from certain public resources, including specific
IP addresses or DNS names, or sites with certain key
words in the site name.
• Proxy firewalls require additional configuration at the
client workstation
• Proxy firewalls are application-specific and require that a
proxy exist for the application type. Examples include
maintaining proxies for services such as HTTP, FTP, and
SMTP.
The Demilitarized Zone (DMZ)
• Many network administrators choose to create a subnet
that contains an organization’s resources, but is outside
the boundary of the private network. This is referred to
as the Demilitarized Zone or DMZ.
• Resources such as Web servers, FTP servers, and mail
servers can be placed in the DMZ, where they will create
no harm to the private network should there be an attack
to the resources.
The Extranet
• The extranet is outside the boundary of the private
network but contains resources owned by the private
network.
• It hosts shared resources to known business partners,
suppliers, vendors, other businesses, or customers.
Those services include data, storage for collaborative
projects, and/or technical reference material.
• The extranet requires additional resources that a DMZ
does not require. Routers acting as firewalls and digital
certificates for authentication may be required. Other
protection mechanisms may also be required.
Network Attacks: Denial of
Service
• Denial of service attacks are called the “PING of Death.”
A normal PING packet is a packet that uses ICMP to
determine the viability of a host. Four return messages
are generated that track the response from the
destination host.
• With denial of service attacks, one very large ICMP
packet is sent from the source host to the destination
host flooding the buffer, and causing any other requests
to be blocked. The destination host will hang or reboot,
causing service disruption to other requests coming into
the machine.
• Block ICMP packets to prevent this attack.
Network Attacks: IP Spoofing
• IP spoofing uses a false source address to get into a
network. The source address is often one that
belongs to the private network.
• A packet-filtering firewall cannot determine that this
is an unwanted packet because the source address
seems in order.
• Some types of firewalls can block this type of attack
Network Attacks: SYN Flood
• A SYN flood looks like a denial of service attack.
• The method:
– The first packet in a conversation between two hosts
has the SYN flag set to on.
– This signals the request for a new conversation. In a
SYN flood, huge numbers of packets will be sent to a
destination host.
– The host will attempt to answer all incoming requests,
thus preventing the machine from answering valid
requests. This creates a type of denial of service.
• Some operating systems provide patches to prevent this
type of attack.
Implementation of Network
Security
• The implementation of security measures can have
adverse as well as beneficial results.
– Access control lists, if written incorrectly, may prevent
private network users from doing their jobs
adequately. The lists must also be maintained for
changes in the network.
– Proxy firewalls are really gateways or translators. All
gateway mechanisms impact network performance
negatively.
• All firewall implementations require constant monitoring,
logging, auditing, maintenance, and updating to keep
performance at the best levels possible.
Download