Chapter 10: Public versus Private Networks

1. On the Test
a. 2.10: Identify the differences between public vs. private networks.
b. 3.8: Identify the purpose, benefits, and characteristics of using a firewall.
c. 3.9: Identify the purpose, benefits, and characteristics of using a proxy.
d. 3.10: Given a scenario, predict the impact of a particular security
implementation on network functionality (e.g. blocking port numbers,
encryption, etc.)
2. Public versus Private Networks
a. The most precious assets of a company are the data it has amassed by
doing business, and those assets must be protected.
b. The boundary between the private network and the public network
(Internet) is the point where the LAN connects to the Internet, typically
a router or a dial-up (modem) device.
3. Assessing Risk
a. Many people within a company have a stake in protection of the
company’s assets. Those stakeholders include network administrators, IT
managers, security managers, technicians, financial managers, and upper
management.
b. Before any kind of boundary protection may be put into place for a
network, the business organization must build a set of documents that
identify two types of risk: internal risk and external risk.
c. Internal risk includes any threat by those who use the private network
resources: employees, contractors, and consultants.
d. External risk includes any threat from people or devices that exist outside
the physical boundary of the LAN. The term used to describe those
entities is “hacker.”
e. The value of the private network resources must be clarified. The value
includes the cost of data loss as well as service interruption for employees
and customers.
f. Once the risks and value of assets have been determined, a security policy
can be written to protect the network. All stakeholders in the organization
must agree to enforce this policy from top down and bottom up. All
employees must be subject to the same policy.
g. After the policy has been written, a series of recommendations is made to
enforce the policy. These may include training for new and existing
employees, identification of external resources and Web sites that are
unacceptable to the business, and what types of remote access the network
will support (VPN using the public infrastructure, modem connections to a
central gateway, or individual modem installations on individual
workstations within the private network).
h. All policies must be tested before they are implemented to ensure that
employees can still do their jobs for the company.
i. After the implementation of the security policies takes place, the
boundaries must be continuously monitored for attempted intrusion.
4. The Firewall
a. A firewall is defined as a system (or group of systems) that prevents
unauthorized access to private network resources by Internet users.
b. Firewalls are often a combination of hardware and software that form the
boundary.
c. All firewalls implement some kind of access control list or policy.
d. The most common firewall is the router.
e. Routers have the ability to make decisions about whether a packet may
enter the network based on:
i. Source and destination IP addresses
ii. Source and destination port numbers (TCP and UDP)
iii. The protocol carried in the IP header's protocol field (TCP, UDP, or
ICMP)
iv. Direction: whether the packet is entering or leaving the network,
which in practice means which interface it arrived on
f. This decision-making is known as packet filtering.
g. The business security policy is the foundation of the access control list on
the router.
5. What the Firewall Can Do
a. The firewall takes one of two actions against a packet that does not
comply with the access control list on a particular interface: it silently
discards the packet (a drop), or it discards the packet and sends an error
back to the source address (a reject), normally an ICMP "destination
unreachable, administratively prohibited" message or, for TCP, a reset.
b. If the packet is discarded silently, the sender's connection attempt
simply times out. A would-be hacker cannot tell whether the target is
down, filtered, or nonexistent, and each probe costs the full time-out.
c. When an error message is sent back, the would-be hacker learns at once
that something at that address is alive and that a filtering device is
refusing the traffic. The scan finishes faster, and the hacker moves on to
other IP addresses and ports to look for a way into the network.
d. Firewalls can protect the network by maintaining a list of ports that may
not be accessed by inbound packets. Only the ports needed for published
services remain open, such as SMTP mail (TCP port 25) or HTTP (TCP port
80).
e. Firewalls are often called the “choke point” for the network because all
incoming and outgoing traffic must be scrutinized in one central location.
6. What the Firewall Cannot Do
a. A firewall cannot protect from an internally generated attack against
resources.
b. A firewall cannot protect against any attack that is initiated through a
modem connected to an individual workstation within the private network.
c. Firewalls cannot protect against social engineering attacks like password
giveaway or impersonation to a helpdesk representative.
d. Firewalls cannot, by themselves, protect against viruses. Certain types
of traffic may be denied by the access control list, but viruses travel
inside traffic the list has to allow (e-mail attachments, downloads over
HTTP or FTP), and a packet filter does not inspect that content.
7. Types of Firewalls
a. The Network Layer Firewall
i. The Network layer firewall makes decisions to allow or deny
packets on the basis of source and destination IP address and port
number.
ii. The Network layer firewall cannot explore content within the
payload of the packet.
iii. The “screened host firewall” is a single device through which all
traffic passes on its way to a single host within the private network.
iv. The “screened subnet firewall” is usually a router (or two routers)
through which all traffic passes on its way to the private network
(allowed traffic) or to a subnet that is not part of the private
network, but holds resources belonging to the network (Web
servers, mail servers, etc.).
v. Both types of screening firewalls rely on a bastion host: a hardened
machine, deliberately exposed to the untrusted side, that runs only the
services it must offer. In the dual-homed arrangement the bastion host
has two NICs, one on each network it joins.
b. Application Layer Firewalls
i. Application layer firewalls use some type of software as well as
hardware to screen incoming requests and packets to the network.
ii. An advantage to Application layer firewalls is that they often
provide extensive logging and auditing of traffic as well as payload
scrutiny for incoming packets. Additional services may include
proxy services, NAT, and content caching.
iii. A proxy firewall accepts the internal client's connection, then opens
a separate connection of its own to the external server, so the Internet
side sees only the proxy's public IP address. It keeps a table mapping each
outgoing connection back to the private source address that requested it.
This type of firewall acts on behalf of the internal client.
iv. Proxy firewalls require additional configuration at the client
workstation by an administrator or technician.
v. Another type of Application layer firewall is the dual-homed host.
Two NICs are installed on the host machine, IP forwarding between them
is disabled, and traffic crosses from one NIC to the other only through
proxy applications running on the host.
vi. Site-blocking firewalls have the capacity to prevent packets from
using certain public resources. This may include specific IP
addresses or DNS names, or sites with certain key words in the site
name.
vii. Proxy Application layer firewalls are application-specific and
require that a proxy exist for each application type. Examples
include maintaining proxies for services such as HTTP, FTP, and
SMTP. A request for a service that has no proxy is refused. Most proxy
packages include a generic proxy or a toolkit for building proxies for
additional applications.
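The proxy behaviour described in items iii, iv, vi and vii, as an added example (not code from the chapter or from any product): the proxy parses the request a browser sends it, refuses services it has no proxy for, applies a site-blocking policy by IP address, DNS name or keyword, and re-issues permitted requests from its own public address while remembering which internal client each one belongs to. The proxy's address, the private range and the blocklist entries are assumptions chosen for the example.

```python
"""Decision logic of an application-layer (HTTP) proxy firewall.

Added example, not code from the chapter or any product. It models three things
the outline attributes to a proxy: it terminates the client's request and
re-issues it from its own public address, keeping a table that maps each
outbound connection back to the internal client; it applies a site-blocking
policy by IP address, DNS name or keyword; and it is application-specific, so
a request for a service it has no proxy for is refused. Addresses, names and
the blocklist are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

PROXY_PUBLIC_IP = "203.0.113.10"                      # assumed public address of the proxy
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed private network
PROXIED_PORTS = {80, 8080}                            # this module proxies plain HTTP only

# Site-blocking policy (constructed sample data).
BLOCKED_IPS = {"198.51.100.7"}
BLOCKED_NAMES = {"downloads.example.test"}
BLOCKED_KEYWORDS = ("casino", "warez")


def parse_request_line(raw: str):
    """Parse the absolute-form request line a browser sends to a proxy:
    'GET http://host[:port]/path HTTP/1.1'. Returns (method, host, port, path)."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _ = parts
    u = urlsplit(target)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("only absolute-form http:// targets are proxied")
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return method, u.hostname, u.port or 80, path


def site_blocked(host: str) -> bool:
    """Site blocking by IP literal, exact DNS name, or keyword in the name."""
    host = host.lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host)) in BLOCKED_IPS
    except ValueError:
        pass                                          # not an IP literal: check by name
    return host in BLOCKED_NAMES or any(k in host for k in BLOCKED_KEYWORDS)


@dataclass
class Decision:
    action: str                        # forward / refuse
    reason: str
    outbound: Optional[dict] = None    # what the Internet side sees when forwarding


@dataclass
class HttpProxy:
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # proxy source port -> (client ip, client port)

    def handle(self, client_ip: str, client_port: int, raw_request: str) -> Decision:
        if ipaddress.ip_address(client_ip) not in PRIVATE_NET:
            return Decision("refuse", "client is not on the private network")
        try:
            method, host, port, path = parse_request_line(raw_request)
        except ValueError as e:
            return Decision("refuse", str(e))
        if port not in PROXIED_PORTS:
            return Decision("refuse", f"no proxy for port {port}")
        if site_blocked(host):
            return Decision("refuse", f"{host} is blocked by policy")
        # Open a fresh connection from the proxy's own address and remember whose it is.
        src_port = self.next_port
        self.next_port += 1
        self.table[src_port] = (client_ip, client_port)
        return Decision("forward", "proxied", {
            "from": (PROXY_PUBLIC_IP, src_port),
            "to": (host, port),
            "request_line": f"{method} {path} HTTP/1.1",   # origin-form, as the server expects
            "host_header": host if port == 80 else f"{host}:{port}",
        })

    def client_for(self, src_port: int):
        """Map a reply arriving on one of the proxy's ports back to the internal client."""
        return self.table.get(src_port)
```

Because the proxy parses the request itself, it can see the destination name and path, which a packet filter never does; that is also why a proxy exists per application and why a CONNECT or IRC request is simply refused here.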
c. The Demilitarized Zone (DMZ)
i. Many network administrators choose to create a subnet that
contains an organization’s resources, but is outside the boundary of
the private network. This is referred to as the demilitarized zone or
DMZ.
ii. When a DMZ is used, resources such as Web servers, FTP servers,
and mail servers are placed there, so that if one of them is attacked
and compromised the attacker still has no direct path into the private
network.
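The packet filtering described in sections 4 and 5 and the screened-subnet design of item 7c, as one added example (not code from the chapter): a stateless access control list for a router with Internet, DMZ and LAN interfaces, evaluated first match wins with an implicit deny at the end. It also includes the anti-spoofing rules that section 9 on IP spoofing calls for, and reports what the sender observes for a drop versus a reject. Zone names, the address ranges and the server addresses are assumptions taken from the documentation ranges.

```python
"""Stateless packet filter for a screened-subnet (DMZ) design.

Added example for this chapter, not code from it. A filtering router joins
three zones: "outside" (the Internet), "dmz" (the subnet holding the Web and
mail servers) and "inside" (the private LAN). Rules are checked top to bottom,
the first match decides, and anything unmatched is dropped. All addresses come
from the RFC 5737 documentation ranges and are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network
INSIDE = Net("10.0.0.0/8")           # private LAN (assumed)
DMZ = Net("203.0.113.0/28")          # screened subnet (assumed)
ANY = Net("0.0.0.0/0")
WEB = Net("203.0.113.2/32")          # public Web server in the DMZ (assumed)
MAIL = Net("203.0.113.3/32")         # public mail server in the DMZ (assumed)


@dataclass
class Packet:
    in_iface: str            # zone the packet arrived from: outside / dmz / inside
    proto: str               # tcp / udp / icmp
    src: str
    dst: str
    dport: Optional[int] = None
    syn_only: bool = False   # TCP SYN with no ACK: a brand-new connection attempt


@dataclass
class Rule:
    action: str                 # permit / drop / reject
    in_iface: Optional[str]     # None matches any interface
    proto: Optional[str]        # None matches any protocol
    src: Net
    dst: Net
    dport: Optional[int] = None
    established: bool = False   # like Cisco's "established": TCP with ACK (or RST) set
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.proto and p.proto != self.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and (p.proto != "tcp" or p.syn_only):
            return False
        return True


# The access control list. Order matters: first match wins.
RULES = [
    # Anti-spoofing: nothing arriving from the Internet may claim an inside or DMZ source.
    Rule("drop", "outside", None, INSIDE, ANY, note="spoofed internal source address"),
    Rule("drop", "outside", None, DMZ, ANY, note="spoofed DMZ source address"),
    # Internet -> DMZ: only the published services.
    Rule("permit", "outside", "tcp", ANY, WEB, 80, note="public HTTP"),
    Rule("permit", "outside", "tcp", ANY, MAIL, 25, note="inbound SMTP"),
    # Replies to connections that inside hosts opened (stateless approximation).
    Rule("permit", "outside", "tcp", ANY, INSIDE, established=True, note="reply to inside-initiated TCP"),
    # A compromised DMZ host must never reach the LAN.
    Rule("reject", "dmz", None, DMZ, INSIDE, note="DMZ may not initiate to inside"),
    # DMZ servers may answer their Internet clients and relay mail outward.
    Rule("permit", "dmz", "tcp", DMZ, ANY, established=True, note="DMZ reply traffic"),
    Rule("permit", "dmz", "tcp", DMZ, ANY, 25, note="outbound mail relay"),
    # The private LAN may go anywhere.
    Rule("permit", "inside", None, INSIDE, ANY, note="inside-initiated traffic"),
]

# What the sender of a refused packet observes: the chapter's distinction between
# discarding silently and returning an error.
SENDER_SEES = {
    "permit": "packet forwarded",
    "drop": "nothing; the connection attempt times out",
    "reject": "ICMP type 3 code 13, communication administratively prohibited",
}


def evaluate(p: Packet, rules=RULES):
    """Return (action, reason) for a packet; unmatched packets hit the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "drop", "implicit deny at end of list"


if __name__ == "__main__":
    samples = [
        Packet("outside", "tcp", "198.51.100.7", "203.0.113.2", 80, syn_only=True),
        Packet("outside", "tcp", "198.51.100.7", "203.0.113.2", 22, syn_only=True),
        Packet("outside", "tcp", "10.1.1.5", "10.0.0.10", 445, syn_only=True),
        Packet("dmz", "tcp", "203.0.113.2", "10.0.0.10", 445, syn_only=True),
        Packet("inside", "tcp", "10.1.1.5", "198.51.100.7", 443, syn_only=True),
    ]
    for pkt in samples:
        action, why = evaluate(pkt)
        print(f"{pkt.in_iface:>7} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  "
              f"{action:6} ({why}); sender sees: {SENDER_SEES[action]}")
```

Two points worth noticing. The anti-spoofing rules work only because the filter knows which interface a packet came in on; by address alone a forged internal source looks legitimate. And the stateless "established" rules are a known weak spot: they match any TCP packet with ACK set whether or not a connection exists, which is exactly what an ACK scan exploits, so a stateful firewall replaces them with a connection table.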
8. The Extranet
a. The extranet is a segment outside the boundary of the private network
that contains resources owned by the organization and made available to
selected outside parties.
b. The extranet differs from the DMZ in that it offers shared resources to
known business partners, suppliers, vendors, other businesses, or
customers. Typically those services include data, storage for collaborative
projects, and/or technical reference material.
c. The extranet requires additional resources that a DMZ does not require. In
addition to the routers acting as firewalls, digital certificates for
authentication must be distributed to external hosts using the services.
Encryption facilities may be required to protect the data during transit. Or
VPN technology may be used to further protect messages passed between
hosts.
9. Types of Network Attacks
a. The "Ping of Death" is one well-known denial of service attack. A
normal ping sends an ICMP echo request to determine whether a host is
reachable, and the sender reports each echo reply it receives (the
Windows ping command sends four requests by default).
i. In a Ping of Death, the attacker sends an ICMP echo request larger
than the 65,535-byte maximum size of an IP datagram. It arrives as a
series of fragments, and when the destination host reassembles them the
oversized result overflows the reassembly buffer. Vulnerable hosts hang
or reboot, causing service disruption to every other request coming into
the machine.
ii. Many administrators block ICMP echo requests at the border to prevent
this attack. Blocking all ICMP also discards the "fragmentation needed"
messages that path MTU discovery depends on, so the filter is usually
limited to echo requests and to fragments that would extend past the
maximum datagram size.
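The reassembly failure behind the Ping of Death and the per-fragment check that prevents it, as an added example (not code from the chapter). The fragments are constructed in the block; the unchecked path shows the copy running past a fixed-size buffer, which in Python only grows the bytearray rather than corrupting memory, and the checked path rejects the datagram before any copy happens.

```python
"""Fragment reassembly with and without the check that stops a Ping of Death.

Added example, not from the chapter. The IPv4 total-length field is 16 bits,
so a datagram can carry at most 65,535 bytes including its 20-byte header.
A Ping of Death is a fragmented ICMP echo request whose last fragment's
offset plus length runs past that limit. A reassembler that trusts the
offsets and copies into a fixed-size buffer overruns it; in Python the
bytearray silently grows instead of corrupting memory, and the function
reports that as an overflow. The fragments are constructed here.
"""
from dataclasses import dataclass

IP_HEADER = 20
MAX_DATAGRAM = 65535               # 16-bit total-length field
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER


@dataclass
class Fragment:
    offset: int         # fragment offset field: units of 8 bytes
    more: bool          # MF (more fragments) flag
    payload: bytes

    @property
    def end(self) -> int:
        """Byte position just past this fragment's data in the reassembled datagram."""
        return self.offset * 8 + len(self.payload)


def fragment(payload_len: int, mtu_payload: int = 1480) -> list:
    """Split an ICMP message of payload_len bytes into fragments as an Ethernet link would.
    An attacker's sender skips the size limit entirely; only the receiver can enforce it."""
    frags, off = [], 0
    while off < payload_len:
        size = min(mtu_payload, payload_len - off)
        frags.append(Fragment(off // 8, off + size < payload_len, b"\x00" * size))
        off += size
    return frags


def oversized(f: Fragment) -> bool:
    """Filter test a border router can apply to each fragment, no reassembly needed."""
    return f.end > MAX_PAYLOAD


def reassemble(frags: list, validate: bool = True):
    """Return (status, length): 'ok', 'rejected' (validated and oversized) or
    'overflow' (unvalidated copy ran past the fixed buffer)."""
    buf = bytearray(MAX_PAYLOAD)
    total = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if validate and oversized(f):
            return "rejected", f.end
        # Unchecked copy: the Python analogue of memcpy() past the end of the buffer.
        buf[f.offset * 8:f.end] = f.payload
        total = max(total, f.end)
    if len(buf) > MAX_PAYLOAD:
        return "overflow", total
    return "ok", total


if __name__ == "__main__":
    print("normal ping:", reassemble(fragment(64)))
    attack = fragment(66000)
    print("oversized fragments in attack:", sum(oversized(f) for f in attack))
    print("unchecked reassembly:", reassemble(attack, validate=False))
    print("checked reassembly:", reassemble(attack))
```

The check is cheap because only the offset and length fields are needed, which is why a filtering router can drop the offending fragment before the target host ever sees it.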
b. IP Spoofing
i. IP spoofing occurs when a hacker forges the source address of packets
to get them past the filter. The forged source address is often one that
belongs to the private network, because internal addresses are trusted.
ii. A packet-filtering firewall that judges only by addresses accepts the
packet, because the source address seems in order.
iii. Some firewalls can block this attack by also considering the
interface the packet arrived on: a packet arriving on the Internet-facing
interface can never legitimately carry an internal source address, so an
anti-spoofing rule drops it.
c. SYN Flood
i. A SYN flood is a denial of service attack.
ii. The first packet in a conversation between two hosts has the SYN
flag set. This signals the request for a new connection, and the host
allocates a half-open connection entry while it waits for the handshake
to complete. In a SYN flood, huge numbers of SYN packets are sent to a
destination host, usually with forged source addresses, and the handshake
is never completed. Once the host's queue of half-open connections is
full, it drops SYN packets from valid clients, which creates a type of
denial of service.
iii. Operating system vendors have shipped patches and features to resist
this attack: larger half-open queues, shorter time-outs for half-open
connections, and SYN cookies, which let the server avoid storing any state
until the client's handshake actually completes.
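The SYN flood mechanism and the SYN cookie defence, as an added example (not code from the chapter): a model of a listener's half-open queue, flooded from forged source addresses and then approached by one honest client, first without and then with SYN cookies. The addresses, ports, backlog size and secret are constructed for the example, and the cookie is simplified to a keyed hash of the connection's addresses and ports.

```python
"""A TCP listener's half-open queue under a SYN flood, with and without SYN cookies.

Added example, not from the chapter. Only the server's bookkeeping is modelled;
nothing is sent on a network. Without cookies every SYN costs a slot in the
half-open queue until it times out, so a flood of SYNs from forged addresses
fills the queue and real clients are refused. With SYN cookies the server
stores nothing: its initial sequence number is a keyed hash of the
connection's addresses and ports, and a slot is allocated only when an ACK
arrives that proves the client saw that number. Real kernels also encode a
timestamp and MSS in the cookie; that detail is left out. Addresses, ports
and the secret are constructed.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Listener:
    def __init__(self, backlog: int = 128, syn_cookies: bool = False,
                 secret: bytes = b"constructed-example-secret"):
        self.backlog = backlog              # maximum half-open connections
        self.syn_cookies = syn_cookies
        self.secret = secret
        self.half_open = {}                 # Conn -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, c: Conn) -> int:
        """Stateless ISN: a truncated HMAC over the connection 4-tuple."""
        msg = f"{c.src_ip}:{c.src_port}>{c.dst_ip}:{c.dst_port}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, c: Conn):
        """Return the server ISN to place in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return self._cookie(c)          # answer without remembering anything
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1          # queue full: the SYN is discarded
            return None
        isn = random.getrandbits(32)
        self.half_open[c] = isn
        return isn

    def on_ack(self, c: Conn, ack: int) -> bool:
        """Third packet of the handshake; ack must equal server ISN + 1 (mod 2**32)."""
        if self.syn_cookies:
            ok = ((ack - 1) & 0xFFFFFFFF) == self._cookie(c)
        else:
            isn = self.half_open.pop(c, None)
            ok = isn is not None and ((isn + 1) & 0xFFFFFFFF) == ack
        if ok:
            self.established.add(c)
        return ok


def flood_then_connect(syn_cookies: bool, attack_syns: int = 1000):
    """Flood a listener with SYNs from forged sources, then attempt one honest handshake.
    Returns (client succeeded, half-open entries left, SYNs dropped)."""
    srv = Listener(backlog=128, syn_cookies=syn_cookies)
    for i in range(attack_syns):            # forged sources never send the final ACK
        srv.on_syn(Conn(f"198.51.100.{i % 250 + 1}", 1024 + i, "203.0.113.5", 80))
    client = Conn("192.0.2.10", 40000, "203.0.113.5", 80)
    isn = srv.on_syn(client)
    ok = isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF)
    return ok, len(srv.half_open), srv.dropped_syns


if __name__ == "__main__":
    print("without SYN cookies:", flood_then_connect(False))
    print("with SYN cookies:   ", flood_then_connect(True))
```

Without cookies the 129th and every later SYN is dropped, the honest client's included, and the 128 forged entries sit in the queue until they time out. With cookies the flood costs the server nothing but CPU, and a forged ACK that does not carry the right cookie is rejected without allocating anything.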
10. Implementations of Network Security
a. The implementation of firewall technology and other security policies can
have adverse as well as beneficial results.
b. Access control lists, if written incorrectly, may prevent private network
users from doing their jobs adequately. The lists must also be maintained
for changes in the network.
c. Proxy firewalls are really gateways or translators. All gateway
mechanisms impact network performance negatively. A certain amount of
performance degradation should be anticipated and compensated for when
using a proxy firewall.
d. All firewall implementations require constant monitoring, logging,
auditing, maintenance, and updating to keep performance at the best levels
possible.