Chapter 10: Public versus Private Networks

1. On the Test
   a. 2.10: Identify the differences between public vs. private networks.
   b. 3.8: Identify the purpose, benefits, and characteristics of using a firewall.
   c. 3.9: Identify the purpose, benefits, and characteristics of using a proxy.
   d. 3.10: Given a scenario, predict the impact of a particular security implementation on network functionality (e.g. blocking port numbers, encryption, etc.)

2. Public versus Private Networks
   a. The most precious assets of a company are the data it has amassed by doing business, and those assets must be protected.
   b. The boundary between the private network and the public network (the Internet) is the point where the LAN may access the Internet. That might be through a router or some kind of telephony device.

3. Assessing Risk
   a. Many people within a company have a stake in protecting the company's assets. Those stakeholders include network administrators, IT managers, security managers, technicians, financial managers, and upper management.
   b. Before any kind of boundary protection can be put into place, the organization must produce a set of documents that identify two types of risk: internal risk and external risk.
   c. Internal risk includes any threat from those who use the private network's resources: employees, contractors, and consultants.
   d. External risk includes any threat from people or devices outside the physical boundary of the LAN. The term this chapter uses for those entities is "hacker."
   e. The value of the private network's resources must be clarified. The value includes the cost of data loss as well as the cost of service interruption for employees and customers.
   f. Once the risks and the value of the assets have been determined, a security policy can be written to protect the network. All stakeholders must agree to enforce the policy from the top down and from the bottom up; every employee is subject to the same policy.
   g.
After the policy has been written, a series of recommendations is made to enforce it. These may include training for new and existing employees, identification of external resources and Web sites that are unacceptable to the business, and the types of remote access the network will support (VPN over the public infrastructure, modem connections to a central gateway, or individual modems on individual workstations within the private network).
   h. All policies must be tested before they are implemented to ensure that employees can still do their jobs.
   i. After the security policies are implemented, the boundary must be continuously monitored for attempted intrusion.

4. The Firewall
   a. A firewall is a system (or group of systems) that prevents unauthorized access to private network resources by Internet users.
   b. Firewalls are often a combination of hardware and software that together form the boundary.
   c. All firewalls implement some kind of access control list (ACL) or policy.
   d. The most common firewall is the router.
   e. A router can decide whether a packet may enter the network based on:
      i. source and destination IP addresses
      ii. source and destination ports (for TCP and UDP)
      iii. the protocol carried in the IP packet (TCP, UDP, ICMP, etc.)
      iv. whether the packet is inbound to or outbound from the network on that interface
   f. This decision-making is known as packet filtering.
   g. The business security policy is the foundation of the access control list on the router.

5. What the Firewall Can Do
   a. The firewall takes one of two actions against a packet that does not comply with the ACL on a particular interface: it silently discards (drops) the packet, or it rejects it by sending an error message (typically an ICMP unreachable) back to the packet's source address.
   b. If the packet is discarded silently, a would-be hacker receives nothing and is left to conclude that the device being probed is not available on the network.
   c.
When an error message is sent back to the source address, the would-be hacker learns that something at the boundary is alive and is refusing traffic to that address or port. That confirms the network exists and helps map it, so the hacker will go on to try other IP addresses and ports.
   d. Firewalls protect the network by maintaining a list of ports that inbound packets may not reach. Only the ports needed for the services the network offers remain open, such as SMTP mail (TCP port 25) or HTTP (TCP port 80).
   e. Firewalls are often called the "choke point" of the network because all incoming and outgoing traffic is scrutinized in one central location.

6. What the Firewall Cannot Do
   a. A firewall cannot protect against an attack on resources that is generated inside the private network.
   b. A firewall cannot protect against an attack that comes in through a modem connected to an individual workstation inside the private network, because that path bypasses the boundary entirely.
   c. Firewalls cannot protect against social engineering attacks such as giving away a password or impersonating someone to a help desk representative.
   d. Firewalls cannot protect against viruses. Certain types of traffic may be denied by the ACL, but most viruses arrive over protocols the policy has to allow (e-mail, Web, file transfer) rather than over unusual protocol types.

7. Types of Firewalls
   a. The Network Layer Firewall
      i. The Network layer firewall allows or denies packets on the basis of source and destination addresses and port numbers.
      ii. The Network layer firewall cannot examine the content of the packet's payload.
      iii. The "screened host firewall" is a single filtering device through which all traffic passes on its way to a single host within the private network.
      iv. The "screened subnet firewall" is usually a router (or two routers) through which all traffic passes on its way either to the private network (allowed traffic) or to a subnet that is not part of the private network but holds resources belonging to it (Web servers, mail servers, etc.).
      v.
Both screening designs rely on a bastion host: a hardened machine that is the only system reachable from the outside. In the dual-homed form it has two or more NICs, one on each network.
   b. Application Layer Firewalls
      i. Application layer firewalls use software as well as hardware to screen incoming requests and packets to the network.
      ii. An advantage of Application layer firewalls is that they often provide extensive logging and auditing of traffic as well as scrutiny of the payload of incoming packets. Additional services may include proxy services, NAT, and content caching.
      iii. A proxy firewall acts on behalf of the internal client: it accepts the client's connection, opens its own connection to the external server from a public IP address, and relays the data between the two. It keeps a table of which internal address each outgoing connection belongs to, so internal addresses never appear on the Internet.
      iv. Proxy firewalls require additional configuration at the client workstation by an administrator or technician.
      v. Another type of Application layer firewall is the dual-homed host. Two NICs are installed in the host machine and traffic is passed between the two NICs under the firewall's control.
      vi. Site-blocking firewalls can prevent packets from reaching certain public resources. This may include specific IP addresses or DNS names, or sites with certain key words in the site name.
      vii. Proxy Application layer firewalls are application-specific and require that a proxy exist for each application type. Examples include maintaining proxies for services such as HTTP, FTP, and SMTP. Most proxy packages include the code needed to build additional proxies.
   c. The Demilitarized Zone (DMZ)
      i. Many network administrators choose to create a subnet that contains an organization's public-facing resources but is outside the boundary of the private network. This is referred to as the demilitarized zone, or DMZ.
      ii. When using a DMZ, resources such as Web servers, FTP servers, and mail servers are placed where an attack on them does not directly expose the private network.

8. The Extranet
   a.
The extranet is a section of the network that sits outside the boundary of the private network but contains resources owned by it.
   b. The extranet differs from the DMZ in that it offers shared resources to known business partners, suppliers, vendors, other businesses, or customers. Typically those services include data, storage for collaborative projects, and/or technical reference material.
   c. The extranet requires resources that a DMZ does not. In addition to the routers acting as firewalls, digital certificates for authentication must be distributed to the external hosts that use the services. Encryption may be required to protect the data in transit, or VPN technology may be used to further protect messages passed between hosts.

9. Types of Network Attacks
   a. Denial of service (DoS) attacks make a host or service unavailable to legitimate users. One early and well-known form is the "Ping of Death." A normal ping uses ICMP echo request and echo reply packets to determine whether a host is reachable; the Windows ping utility sends four requests by default and reports the response to each.
      i. In the Ping of Death, a single oversized ICMP packet (larger than the 65,535-byte maximum for an IP datagram, delivered in fragments) is sent to the destination host. Reassembling it overflows the receiver's buffer. Vulnerable hosts hang or reboot, disrupting service for every other request arriving at the machine.
      ii. Many administrators block ICMP packets to prevent this attack; patched IP stacks also reject any fragment that would extend the reassembled datagram past 65,535 bytes.
   b. IP Spoofing
      i. IP spoofing occurs when a hacker uses a false source address to get into a network. The source address is often one that belongs to the private network.
      ii. A packet-filtering firewall that looks at the source address alone cannot tell that this is an unwanted packet, because the address appears legitimate.
      iii. A firewall that also considers which interface a packet arrived on can block this attack: a packet arriving from the Internet with an internal source address is dropped.
   c. SYN Flood
      i. A SYN flood is a form of denial of service attack.
      ii. The first packet in a TCP conversation between two hosts has the SYN flag set. This signals the request for a new conversation.
In a SYN flood, huge numbers of SYN packets, usually with spoofed source addresses, are sent to the destination host. The host allocates a half-open connection entry for each one and sends a SYN-ACK that is never answered. Once its queue of half-open connections is full, the host can no longer accept connection requests from valid clients. This is a type of denial of service.
      iii. Some operating systems provide patches to prevent this type of attack (for example SYN cookies, which let the host answer SYNs without keeping per-connection state).

10. Implementations of Network Security
   a. Implementing firewall technology and other security policies can have adverse as well as beneficial results.
   b. Access control lists, if written incorrectly (a rule out of order, or a needed port left closed), may prevent private network users from doing their jobs. The lists must also be maintained as the network changes.
   c. Proxy firewalls are really gateways or translators. All gateway mechanisms impact network performance negatively, so a certain amount of performance degradation should be anticipated and compensated for when using a proxy firewall.
   d. All firewall implementations require constant monitoring, logging, auditing, maintenance, and updating to keep performance at the best levels possible.
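The packet-filtering decision of section 4 (addresses, ports, protocol, direction, first-match ACL with an implicit deny), the drop action of section 5, the anti-spoofing ingress rule of section 9b, and the mis-ordered ACL warned of in section 10b, as one added example that is not part of the original chapter. Everything in it is constructed: the 192.168.10.0/24 LAN, the 203.0.113.x DMZ hosts, the rules and the sample packets. Rule, Packet and evaluate() are hypothetical helpers written for this page, not any vendor's ACL syntax.

```python
"""Stateless packet filter modelled on a router access control list.

Added example, not from the original chapter. The LAN, DMZ hosts,
rules and packets are constructed; Rule, Packet and evaluate() are
hypothetical helpers, not any vendor's ACL syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRIVATE_NET = "192.168.10.0/24"   # constructed: the private LAN


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None
    ack: bool = False             # TCP ACK flag set: part of an existing conversation


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny" (deny = silent drop)
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: Optional[bool] = None   # True: only ACK-bearing TCP; False: only new SYNs

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established is not None and p.ack != self.established:
            return False
        return True


def evaluate(acl, p: Packet) -> str:
    """First match wins, as on a router; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


ACL = [
    # Anti-spoofing (ingress filter): a packet from the Internet may not carry
    # a source address that belongs to the private LAN (section 9b).
    Rule("deny", direction="in", src=PRIVATE_NET),
    # Only the services the policy offers, and only to the DMZ hosts that run them.
    Rule("permit", direction="in", proto="tcp", dst="203.0.113.10/32", dport=25),   # SMTP
    Rule("permit", direction="in", proto="tcp", dst="203.0.113.11/32", dport=80),   # HTTP
    # No other new inbound TCP connections; replies to LAN-initiated ones are fine.
    Rule("deny", direction="in", proto="tcp", established=False),
    Rule("permit", direction="in", proto="tcp", established=True),
    # Everything the LAN sends out is permitted. Inbound ICMP matches nothing
    # and falls through to the implicit deny (section 9a ii).
    Rule("permit", direction="out", src=PRIVATE_NET),
]

# Section 10b: the same rules with a broad deny placed first. Mail stops working.
MISORDERED_ACL = [Rule("deny", direction="in", proto="tcp")] + ACL

# Constructed sample traffic.
SAMPLE = {
    "spoofed_smtp": Packet("in", "tcp", "192.168.10.5", "203.0.113.10", 40000, 25),
    "smtp_in":      Packet("in", "tcp", "198.51.100.7", "203.0.113.10", 40001, 25),
    "telnet_in":    Packet("in", "tcp", "198.51.100.7", "203.0.113.11", 40002, 23),
    "reply_in":     Packet("in", "tcp", "198.51.100.7", "192.168.10.20", 443, 51000, ack=True),
    "ping_in":      Packet("in", "icmp", "198.51.100.7", "203.0.113.11"),
    "web_out":      Packet("out", "tcp", "192.168.10.20", "198.51.100.7", 51000, 443),
}


def decisions(acl, packets=SAMPLE):
    """Map each sample packet name to the ACL's verdict."""
    return {name: evaluate(acl, p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in decisions(ACL).items():
        print(f"{name:13} {verdict}")
    print("smtp_in with misordered ACL:", decisions(MISORDERED_ACL)["smtp_in"])
```

The spoofed SMTP packet would have been permitted by the port-25 rule; only because the ingress rule is evaluated first is it dropped, which is the ordering point of section 10b in reverse. The `established` field stands in for the ACK-flag test a stateless router uses to let replies through without opening inbound ports.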
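The length check behind the Ping of Death of section 9a, as an added example that is not part of the original chapter: a sender-side fragmenter and a receiver-side reassembler that enforces the 65,535-byte IPv4 datagram limit. The payload sizes and the 1,500-byte MTU are constructed, and fragment() and reassemble() are hypothetical helpers, not the code of any real IP stack.

```python
"""Fragment reassembly guard against the Ping of Death.

Added example, not from the original chapter. An IPv4 datagram, header
included, may be at most 65,535 bytes. The Ping of Death sends ICMP
echo fragments whose offset plus length exceeds that; a receiver that
trusts the offsets writes past its reassembly buffer. Sizes are
constructed and fragment()/reassemble() are hypothetical helpers.
"""
MAX_DATAGRAM = 65535
IP_HDR = 20
ICMP_HDR = 8
MAX_PING_DATA = MAX_DATAGRAM - IP_HDR - ICMP_HDR   # 65,507: largest legal ping payload
MAX_OFFSET_UNITS = (1 << 13) - 1                   # the offset field is 13 bits of 8-byte units


def fragment(data_len: int, mtu: int = 1500):
    """Split a transport payload of data_len bytes into IP fragments the way a
    sender does. Each fragment is (offset_units, length, more_fragments); all
    fragments but the last carry a multiple of 8 bytes."""
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, pos = [], 0
    while pos < data_len:
        length = min(per_frag, data_len - pos)
        frags.append((pos // 8, length, pos + length < data_len))
        pos += length
    return frags


def reassemble(frags):
    """Rebuild the transport payload and return its length, or None if any
    fragment is rejected. The rejection test is the one vulnerable stacks lacked:
    the fragment's end, plus the IP header, must fit in a 65,535-byte datagram."""
    buf = bytearray()
    total = None
    for offset_units, length, more in frags:
        if offset_units > MAX_OFFSET_UNITS:
            return None                          # malformed offset field
        start = offset_units * 8
        end = start + length
        if end + IP_HDR > MAX_DATAGRAM:
            return None                          # would overflow the reassembly buffer
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[start:end] = b"\xaa" * length        # constructed payload bytes
        if not more:
            total = end
    return total if total is not None and total == len(buf) else None


def ping_of_death(icmp_data_len: int) -> bool:
    """True if a ping with this much ICMP data cannot fit in one IP datagram."""
    return icmp_data_len + ICMP_HDR + IP_HDR > MAX_DATAGRAM


if __name__ == "__main__":
    legal = fragment(MAX_PING_DATA + ICMP_HDR)
    lethal = fragment(65510 + ICMP_HDR)           # the classic oversized ping
    print("legal ping reassembles to", reassemble(legal), "bytes of transport data")
    print("65510-byte ping accepted?", reassemble(lethal) is not None)
```

Note that every individual fragment is small and well-formed; only the sum of offset and length gives the attack away, which is why the check has to happen at reassembly rather than on each packet, and why a router that simply blocks ICMP (section 9a ii) is the blunter but simpler defence.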
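The SYN flood of section 9c and the operating-system fix of 9c iii, as an added example that is not part of the original chapter: a simulated listener that either keeps a bounded queue of half-open connections or answers with SYN cookies, the technique Linux and the BSDs use (the bit layout here is a simplified version of the Linux one). The secret key, the addresses, the initial sequence numbers and the clock values are all constructed; Listener, make_cookie and check_cookie are hypothetical helpers.

```python
"""SYN flood against a bounded half-open queue, and SYN cookies as the fix.

Added example, not from the original chapter. With cookies the server
encodes the connection's identity into its initial sequence number (ISN)
with a keyed hash and stores nothing; when the client's ACK returns, the
ISN it acknowledges is recomputed and checked. Layout used here
(simplified from the Linux scheme): bits 31-27 a 64-second time counter,
bits 26-24 an MSS table index, bits 23-0 a truncated HMAC. The secret,
addresses, ISNs and clock values are constructed.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"constructed-demo-secret-rotate-in-real-use"
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]   # encodable MSS values
MAX_AGE_WINDOWS = 1   # accept cookies from the current and the previous 64 s window


def _mac(src, sport, dst, dport, counter, mss_idx, isn_client):
    msg = struct.pack("!4s4sHHBBI", ip_address(src).packed, ip_address(dst).packed,
                      sport, dport, counter, mss_idx, isn_client & 0xFFFFFFFF)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]   # 24-bit tag


def make_cookie(src, sport, dst, dport, isn_client, mss, now):
    """Server ISN for the SYN-ACK. Nothing about this SYN is stored."""
    counter = int(now // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tag = int.from_bytes(_mac(src, sport, dst, dport, counter, mss_idx, isn_client), "big")
    return (counter << 27) | (mss_idx << 24) | tag


def check_cookie(src, sport, dst, dport, isn_client, ack, now):
    """Validate the third-handshake ACK. Returns the MSS to use, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((int(now // 64) - counter) & 0x1F) > MAX_AGE_WINDOWS:
        return None                                   # stale: replayed or too slow
    expected = _mac(src, sport, dst, dport, counter, mss_idx, isn_client)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                                   # forged or for another 4-tuple
    return MSS_TABLE[mss_idx]


class Listener:
    """A listening TCP port. Without cookies it stores one entry per half-open
    connection, bounded by backlog; with cookies it stores nothing until the ACK."""

    def __init__(self, addr, port, backlog=128, syn_cookies=False):
        self.addr, self.port, self.backlog = addr, port, backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}          # (src, sport) -> client ISN
        self.established = 0

    def on_syn(self, src, sport, isn_client, mss, now):
        """Return the server ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return make_cookie(src, sport, self.addr, self.port, isn_client, mss, now)
        if len(self.half_open) >= self.backlog:
            return None              # queue full: every further client is refused
        self.half_open[(src, sport)] = isn_client
        return 0x12345678            # constructed ISN; real stacks randomize it

    def on_ack(self, src, sport, seq, ack, now):
        """Third handshake packet (seq = client ISN + 1, ack = server ISN + 1)."""
        isn_client = (seq - 1) & 0xFFFFFFFF
        if self.syn_cookies:
            ok = check_cookie(src, sport, self.addr, self.port, isn_client, ack, now) is not None
        else:
            ok = self.half_open.pop((src, sport), None) == isn_client
        self.established += int(ok)
        return ok


def flood_then_connect(syn_cookies, now=1_700_000_000.0):
    """1,000 spoofed SYNs that are never acknowledged, then one honest handshake.
    Returns whether the honest client got a connection."""
    srv = Listener("203.0.113.10", 80, backlog=128, syn_cookies=syn_cookies)
    for i in range(1000):                                   # constructed spoofed sources
        srv.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.1", 1024 + i, i * 7919, 1460, now)
    client_isn = 0x0BADF00D
    srv_isn = srv.on_syn("198.51.100.7", 40000, client_isn, 1460, now)
    if srv_isn is None:
        return False
    return srv.on_ack("198.51.100.7", 40000, client_isn + 1, (srv_isn + 1) & 0xFFFFFFFF, now + 3)


if __name__ == "__main__":
    print("honest client connects during flood, no cookies:", flood_then_connect(False))
    print("honest client connects during flood, SYN cookies:", flood_then_connect(True))
```

The trade-off the cookie makes is visible in the layout: only 3 bits of MSS survive and any TCP options that would have been remembered in the half-open entry are lost, which is why real stacks switch cookies on only once the backlog is exhausted rather than using them for every SYN.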