SYSTEM ADMINISTRATION
Chapter 10
Public vs. Private Networks

Public vs. Private Networks
• The most precious assets of a company are the data it has amassed by doing business, and those assets must be protected.
• The boundary between the private network and the public network (Internet) is defined as the point where the LAN may access the Internet. That might be through a router or some kind of telephony device.

Assessing Risk
• Consider the stakeholders:
  – Network administrators
  – IT managers
  – Security managers
  – Technicians
  – Financial managers
  – Upper management
• Identify the two types of risk: internal risk and external risk.
  – Internal risks: employees, contractors, and consultants.
  – External risks: hackers.

Assessing Risk (continued)
• The value of the private network resources must be clarified. The value includes the cost of data loss as well as the cost of service interruption for employees and customers.
• Once the risks and the value of the assets have been determined, write a security policy to protect the network. Stakeholders in the organization must agree to enforce this policy from the top down and from the bottom up. All employees must be subject to the same policy.

Assessing Risk (continued)
• Recommendations are then made to enforce the policy. These may include training, identification of unacceptable external resources and Web sites, and rules for remote access to the network.
• All policies must be tested before they are implemented to ensure that employees can still do their jobs for the company.
• After the security policies have been implemented, the boundaries must be continuously monitored for attempted intrusion.

Firewalls
• A firewall is defined as a system (or group of systems) that prevents unauthorized access to private network resources from Internet users.
• Firewalls are often a combination of hardware and software that together form the boundary.
• All firewalls implement some kind of access control list or policy.
• The most common firewall is the router.

Firewalls (continued)
• Routers have the ability to decide whether a packet may enter the network based on:
  o Source and destination addresses
  o Source and destination ports
  o The protocol type: TCP, IP, UDP, or ICMP
  o Whether the packet is inbound to or outbound from the network
• This decision-making is known as packet filtering.
• The business security policy is the foundation of the access control list on the router.

What the Firewall Can Do
• The firewall takes one of two actions against a packet that does not comply with the access control list on a particular interface: it silently discards the packet, or it generates an error message that is sent back to the source address on the packet.
• When the packet is silently discarded, the intruder concludes that the device he or she was trying to reach is not available on the network.
• When an error message is sent back to the source address, the intruder is alerted to the fact that the system is alive, but that nothing answers at the IP address in the destination portion of the header. The hacker may try other IP addresses to get into the network.

What the Firewall Can Do (continued)
• With firewalls, only those ports that are necessary for services remain open, such as mail (port 25) or HTTP services (port 80).
• Firewalls are often called the “choke point” for the network because all incoming and outgoing traffic must be scrutinized in one central location.

What Firewalls Cannot Do
• A firewall cannot protect against an internally generated attack on resources.
• A firewall cannot protect against any attack that is initiated through a modem connected to an individual workstation within the private network.
• Firewalls cannot protect against social engineering attacks such as giving away a password or impersonating someone to a helpdesk representative.
• Firewalls cannot protect against viruses.
  Certain types of traffic may be denied because of the access control list, but many viruses do not use extraordinary protocol types to do their damage.

The Network Layer Firewall
• The network layer firewall decides whether to allow or deny packets on the basis of source and destination address and port.
• The network layer firewall cannot examine the content within the payload of the packet.
• The “screened host firewall” is a single device through which all traffic passes on its way to a single host within the private network.

The Network Layer Firewall (continued)
• The “screened subnet firewall” is usually a router (or two routers) through which all traffic passes on its way either to the private network (allowed traffic) or to a subnet that is not part of the private network but holds resources belonging to the organization (Web servers, mail servers, etc.).
• Both types of screening firewall use a bastion host. This machine has two or more NICs.

Application Layer Firewalls
• Use some type of software as well as hardware to screen incoming requests and packets to the network.
• Often provide extensive logging and auditing of traffic as well as payload scrutiny for incoming packets.
• Additional services may include proxy services, NAT, and content caching.
• A proxy firewall creates a table of outgoing packets whose source addresses belong to the private network and are mapped (or assigned) to a public IP address for routing on the Internet. This type of firewall acts on behalf of the internal client.

Application Layer Firewalls (continued)
• Dual-homed hosts use two NICs installed on the host machine. Traffic is routed between the two NICs.
• Site-blocking firewalls have the capacity to block packets from certain public resources, including specific IP addresses or DNS names, or sites with certain key words in the site name.
• Proxy firewalls require additional configuration at the client workstation.
• Proxy firewalls are application-specific and require that a proxy exist for the application type. Examples include maintaining proxies for services such as HTTP, FTP, and SMTP.

The Demilitarized Zone (DMZ)
• Many network administrators choose to create a subnet that contains an organization’s resources but is outside the boundary of the private network. This is referred to as the Demilitarized Zone, or DMZ.
• Resources such as Web servers, FTP servers, and mail servers can be placed in the DMZ, where an attack on them will do no harm to the private network.

The Extranet
• The extranet is outside the boundary of the private network but contains resources owned by the private network.
• It hosts resources shared with known business partners, suppliers, vendors, other businesses, or customers. Those services include data, storage for collaborative projects, and/or technical reference material.
• The extranet requires additional resources that a DMZ does not. Routers acting as firewalls and digital certificates for authentication may be required, as may other protection mechanisms.

Network Attacks: Denial of Service
• One denial of service attack is called the “PING of Death.” A normal PING packet uses ICMP to determine the viability of a host. Four return messages are generated that track the response from the destination host.
• In this denial of service attack, one very large ICMP packet is sent from the source host to the destination host, flooding the buffer and causing any other requests to be blocked. The destination host will hang or reboot, disrupting service for other requests coming into the machine.
• Block ICMP packets to prevent this attack.

Network Attacks: IP Spoofing
• IP spoofing uses a false source address to get into a network. The source address is often one that belongs to the private network.
• A packet-filtering firewall cannot determine that this is an unwanted packet because the source address appears to be in order.
• Some types of firewalls can block this type of attack.

Network Attacks: SYN Flood
• A SYN flood looks like a denial of service attack.
• The method:
  – The first packet in a conversation between two hosts has the SYN flag set on.
  – This signals the request for a new conversation. In a SYN flood, huge numbers of such packets are sent to a destination host.
  – The host attempts to answer all incoming requests, which prevents the machine from answering valid requests. This creates a type of denial of service.
• Some operating systems provide patches to prevent this type of attack.

Implementation of Network Security
• The implementation of security measures can have adverse as well as beneficial results.
  – Access control lists, if written incorrectly, may prevent private network users from doing their jobs adequately. The lists must also be maintained as the network changes.
  – Proxy firewalls are really gateways or translators. All gateway mechanisms impact network performance negatively.
• All firewall implementations require constant monitoring, logging, auditing, maintenance, and updating to keep performance at the best levels possible.
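The packet-filtering decisions, the silent-discard versus error-message choice, and the spoofed-source problem from the slides above, worked through as an added example (not part of the original slides): a stateless first-match access control list over addresses, protocol, destination port and direction, with an implicit deny at the end. The 10.0.0.0/8 LAN, the 10.0.0.25 and 10.0.0.80 servers, and the anti-spoofing rule for inbound packets carrying a LAN source are constructed assumptions.

```python
# Added example: minimal router-style packet filter (not the slides' code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRIVATE_NET = ip_network("10.0.0.0/8")   # assumed LAN range (constructed)

@dataclass(frozen=True)
class Packet:
    direction: str              # "in" (from Internet) or "out" (from LAN)
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None # None for ICMP

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit", "drop" (silent) or "reject" (error)
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

# Policy derived from the slides: drop inbound packets that claim a LAN
# source (spoofing), let the LAN out, open only mail (25) and HTTP (80)
# inbound, silently drop ICMP, and reject everything else.
ACL = [
    Rule("drop", direction="in", src=str(PRIVATE_NET)),
    Rule("permit", direction="out"),
    Rule("permit", "in", "tcp", dst="10.0.0.25/32", dport=25),
    Rule("permit", "in", "tcp", dst="10.0.0.80/32", dport=80),
    Rule("drop", direction="in", proto="icmp"),
]
DEFAULT = Rule("reject")        # the implicit deny at the end of the list

def filter_packet(p: Packet, acl=ACL):
    """First-match evaluation. Returns (verdict, message sent back to source)."""
    rule = next((r for r in acl if r.matches(p)), DEFAULT)
    if rule.action == "permit":
        return "permit", None
    if rule.action == "drop":
        return "drop", None     # silent: the sender learns nothing
    # reject: the sender now knows something is alive at the boundary
    return "reject", f"ICMP destination unreachable to {p.src}"
```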
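The SYN flood slide explains that a host answering every SYN runs out of room for valid requests; this added example (not from the slides) tracks half-open connections against a constructed backlog limit, shows the point at which a legitimate client is refused, and flags the source holding most of the un-acknowledged entries. The backlog size, the threshold and the addresses in the trace are constructed.

```python
# Added example: half-open connection tracking for SYN flood detection.
from collections import Counter
from dataclasses import dataclass, field

BACKLOG = 5   # constructed: half-open entries the server will hold

@dataclass
class SynTracker:
    half_open: set = field(default_factory=set)   # (src, sport) awaiting ACK
    refused: int = 0

    def observe(self, src: str, sport: int, flags: str) -> str:
        key = (src, sport)
        if flags == "SYN":
            if len(self.half_open) >= BACKLOG:
                self.refused += 1          # backlog full: valid clients fail too
                return "refused"
            self.half_open.add(key)        # server replied SYN-ACK, waits for ACK
            return "half-open"
        if flags in ("ACK", "RST") and key in self.half_open:
            self.half_open.discard(key)    # handshake completed or torn down
            return "closed"
        return "ignored"

    def suspects(self, threshold: int = 3) -> list:
        """Sources holding more un-acknowledged SYNs than a normal client would."""
        pending = Counter(src for src, _ in self.half_open)
        return sorted(s for s, n in pending.items() if n >= threshold)

def replay(events, tracker=None) -> SynTracker:
    """Feed (src, sport, flags) tuples through the tracker in order."""
    tracker = tracker or SynTracker()
    for src, sport, flags in events:
        tracker.observe(src, sport, flags)
    return tracker

# Constructed trace: one honest client completes its handshake, then a
# flooder sends SYNs it never acknowledges until the backlog is full,
# after which a second honest client is refused.
TRACE = [("192.0.2.10", 40000, "SYN"), ("192.0.2.10", 40000, "ACK")]
TRACE += [("198.51.100.9", 1000 + i, "SYN") for i in range(BACKLOG)]
TRACE += [("192.0.2.11", 40001, "SYN")]
```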