Network Security Fundamentals
Chapter 2: Network and Server Security
Understanding Protocols
• Protocol: Formal set of rules that describe how
computers transmit data and communicate across
network
• Layered architecture
– Protocols arranged in stack of layers (network stack)
– Data passed from highest to lowest layer when sending
transmission
– Data passed from lowest to highest layer when receiving
transmission
• Data encapsulation: Protocols and standards at
each layer attach information to data as it passes
through layer
Network Stack and Data Encapsulation
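The encapsulation the figure above describes, worked through in code as an added example (not part of the slides): application data gets a TCP header at the Transport layer, an IPv4 header at the Network layer, and an Ethernet header at the Data Link layer on the way down, and the receiver strips them in the opposite order. The MAC and IP addresses are constructed lab values; the TCP checksum is left at zero to keep the example short.

```python
import struct

# Constructed sample values (not from the slides): link and network addresses
# of two hosts on a lab segment.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def transport_layer(payload, src_port, dst_port):
    """Transport layer: prepend a 20-byte TCP header (SYN set; checksum left 0)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr + payload

def network_layer(segment, src_ip, dst_ip, proto=6):
    """Network layer: prepend an IPv4 header (protocol 6 = TCP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0x4000, 64,
                      proto, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment

def link_layer(packet, src_mac, dst_mac):
    """Data Link layer: prepend an Ethernet II header (EtherType 0x0800 = IPv4)."""
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + packet

def encapsulate(app_data):
    """Sending side: data passes from the highest layer down to the lowest."""
    segment = transport_layer(app_data, 40000, 80)
    packet = network_layer(segment, SRC_IP, DST_IP)
    return link_layer(packet, SRC_MAC, DST_MAC)

def decapsulate(frame):
    """Receiving side: strip headers from the lowest layer up; return each header and the data."""
    eth, packet = frame[:14], frame[14:]
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    ip_hdr, segment = packet[:ihl], packet[ihl:]
    doff = (segment[12] >> 4) * 4            # TCP data offset in bytes
    return eth, ip_hdr, segment[:doff], segment[doff:]
```

A receiver verifies the IPv4 header by summing it including the checksum field; a correct header sums to zero.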
OSI Model
• Open Systems Interconnect (OSI)
reference model
– Provides basis for communication among
computers over networks
• Seven layers: Application, Presentation,
Session, Transport, Network, Data Link,
Physical
• Mnemonic: All People Seem To Need
Data Processing
OSI Model
• Application layer
– Provides services such as email, file
transfers, and file servers
– Protocols include: FTP, DNS, SMTP
• Presentation layer
– Provides encryption, code conversion,
data formatting
– Standards include: MPEG, HTTP, JPEG
OSI Model
• Session layer
– Negotiates and establishes connection
with another computer
– Protocols include: ASP, NFS, RPC
• Transport layer
– Supports reliable end-to-end delivery of
data
– Protocols include: TCP, SCTP, UDP,
SPX
OSI Model
• Network layer
– Performs packet routing across networks
– Protocols include: IP, ICMP, RIP, ARP
• Data Link layer
– Provides error checking and transfer of
message frames
– Two sublayers:
• Media Access layer
• Logical Link layer
– Protocols include: SLIP, PPP
OSI Model
• Physical layer
– Defines standards for:
• Transmission media
• Physical connection to media
• How data should be sent over network
– Addressed in IEEE 802 LAN/WAN standards,
e.g.:
• 802.2 Logical Link Control
• 802.3 Ethernet (CSMA/CD)
• 802.5 Token Ring
TCP/IP Model
• Uses packets that can be routed around broken
connections and reassembled at receiving end
• TCP: Verifies correct delivery, provides error
correction
• IP: Responsible for sending packets from node to
node to destination
• IP addresses
– Used for routing
– Two standards
• IPv4
• IPv6
TCP/IP Model
• IPv4 address: 4-byte destination IP
address, e.g.: 160.192.226.135
– Two portions
• Network portion: Network class (A – E) determines
portion of IP address used for network address
• Host (node) portion
• IPv6 address: 128-bit addressing
– 8 sets of 4 hexadecimal numbers
– Provides additional security features
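The classful split of an IPv4 address into network and host portions, and the 8-group form of an IPv6 address, as an added example that is not part of the slides. The class is decided by the first octet (A: 0-127, B: 128-191, C: 192-223, D: 224-239, E: 240-255), and classes A, B and C use 1, 2 and 3 network bytes; classless (CIDR) addressing has since replaced this scheme in practice, but the slide's example address 160.192.226.135 is used to show the classful split.

```python
import ipaddress

# Network bytes per class; D (multicast) and E (reserved) have no host portion.
CLASS_NET_BYTES = {"A": 1, "B": 2, "C": 3}

def address_class(addr):
    """Classful address class A-E, decided by the first octet."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"

def split_address(addr):
    """Return (class, network portion, host portion) as dotted quads, with the
    other portion's octets zeroed; classes D and E return None for both."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a valid IPv4 dotted quad: %r" % addr)
    cls = address_class(addr)
    n = CLASS_NET_BYTES.get(cls)
    if n is None:
        return cls, None, None
    network = ".".join(octets[:n] + ["0"] * (4 - n))
    host = ".".join(["0"] * n + octets[n:])
    return cls, network, host

def ipv6_groups(addr):
    """Expand a (possibly abbreviated) IPv6 address to its 8 groups of 4 hex digits."""
    return ipaddress.IPv6Address(addr).exploded.split(":")
```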
TCP/IP Model Layers
• Layer 4: Application
– Equivalent to OSI Application,
Presentation, and Session layers
• Layer 3: Host-to-Host (Transport)
– Similar to OSI Transport
– Performs packet sequencing, supports
reliable end-to-end communications,
ensures data integrity, provides for
error-free delivery
TCP/IP Model Layers
• Layer 2: Internet
– Same function as OSI Network layer
– Manages connections across network
– Provides for logical transmission of packets over
network, assigns IP addresses to host
• Layer 1: Network Access
– Combines OSI Data Link and Physical layers
– Functions include mapping IP addresses to MAC
addresses, encapsulation of IP datagrams into frames
– Concerned with hardware, software, physical
transmission of data
TCP/IP Encapsulation
TCP/IP Ports
• Ports: Number included in packet header
– Used by TCP/IP protocols when transmitting
data
– Recipient computer uses port number to
identify service that should process packet
• Well-known ports
– Ports 0 – 1024
– Assigned to specific service, e.g. HTTP uses
port 80
• Ports 1025-65000 can be assigned to
custom applications
Viewing Ports with netstat -a
Best Practices for Network Security
• Basic guidelines for securing servers
on network
– Designing applications with security in
mind
– Maintaining security mindset
– Defense-in-depth
Security by Design
• Much more costly, time-consuming to build
in security after application deployment
• Difficulties in incorporating security in
design phase
– Community differences between software
designers and security professionals
– Lack of publicity of security threats
– Each application is essentially new coding
– Lack of justification for costs, time from
managerial perspective
– Rush-to-market approach
Maintaining a Security Mindset
• Base security decisions on risk
• Use defense-in-depth, using many
security controls
• Keep things simple
• Respect (do not underestimate)
adversary
• Work on security awareness
• Be paranoid
Defense-in-Depth
• Multiple lines of defense
– Series of protective measures that,
taken as whole, secure the environment
• Security resources should not all be
concentrated on single protection
• Protective measure (security control)
is worth implementing even if
seemingly redundant
Securing Servers
• To operate server securely,
organization must establish plan that
addresses key security aspects
– Controlling server configuration
– Controlling users and access
– Monitoring, auditing, and logging
Controlling Server Configuration
• Most important considerations in
securing host system
– Physically secure system in locked
room and limit access
– Limit attack surface: Minimize risk by
removing unneeded services, ports,
input/output devices
– Back up host system to mitigate risk
Controlling Server Configuration
• Physical security of system
– Uninterruptible power supply (UPS)
– Fire protection
– Cooling, ventilation
– Adequate lighting, workspace in server space
– Restrict physical access
– Includes protection of other critical devices
(cabling, routers)
Controlling Server Configuration
• Minimizing services
– Attackers look to break in through services
– Separation of services: Each major service
should run on own protected host when
possible
– Many operating systems enable services by
default
– Typical services to disable include: Telnet,
SMTP, TFTP, Finger, Netstat, Systat, Chargen,
Echo, DNS, RPC
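An audit that ties the port slide (recipient identifies the service by port number; well-known ports 0-1024) to the list of services above, added here as an example and not part of the slides: it parses Linux-style `netstat -a` output and flags listening sockets on the well-known ports of the services the slide suggests disabling. The netstat sample is constructed, not captured from a real host; the port numbers are the IANA assignments for those services (Netstat = 15 and Systat = 11 are the historical TCP services of those names, not the netstat tool).

```python
import re

# Well-known ports of the services the slide lists as candidates to disable.
DISABLE_CANDIDATES = {
    7: "Echo", 11: "Systat", 15: "Netstat", 19: "Chargen", 23: "Telnet",
    25: "SMTP", 53: "DNS", 69: "TFTP", 79: "Finger", 111: "RPC (portmapper)",
}

# Constructed sample of `netstat -a` output (Linux format), not from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:69              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")

def listening_ports(netstat_output):
    """Yield (proto, local_ip, port) for each listening socket. TCP sockets must
    be in LISTEN; UDP sockets carry no state and are treated as listeners."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unrelated line
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue                      # established/closing, not a service
        yield proto, addr, int(port)

def audit(netstat_output):
    """Return ([(proto, ip, port, service)] for listeners on disable-candidate
    ports, count of listeners on well-known ports 0-1024 as the slides define them)."""
    flagged, well_known = [], 0
    for proto, addr, port in listening_ports(netstat_output):
        if port <= 1024:
            well_known += 1
        if port in DISABLE_CANDIDATES:
            flagged.append((proto, addr, port, DISABLE_CANDIDATES[port]))
    return flagged, well_known
```

A service bound only to 127.0.0.1 (SMTP above) is still a listener; whether it must go depends on the risk analysis, but it should appear in the inventory.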
Controlling Server Configuration
• Managing Windows services
– Services utility: Configures enabling or
disabling services on startup
– Service dependencies: Some services depend
on others to operate
– Attackers may replace legitimate service, so
use account with most restrictive permissions
to permit service to operate
• Three built-in accounts
– Local System, Local Service, Network Service
Managing Windows Services
Dependencies of World Wide Web
Publishing Service
Setting a Service’s Log On Account
Controlling Server Configuration
• System backups
– Regularly scheduled as part of normal
operation of server
– Frequency determined by how critical
data or service is
• Determined by risk and business impact
analysis
– Failover system: Identical copy of server
and data
Border Security
• Border security: Implementing security for
different network segments
• Devices used for regulation and control
– Routers
– Switches
– Bridges
– Multi-homed gateways
Segmenting a Network
• Key network segments
– Public networks
• Allow access to everyone, e.g. Internet
– Semi-private networks
• Sit between public and private networks
• Typically exclusive subnets of large public networks
– Private networks
• Organizational networks handling confidential and
proprietary data
• May have exclusive addressing and protocols
Perimeter Defense
• Typical defenses
– Firewalls: Placed at terminal ends of every network
segment
– Specialized application proxies
• Demilitarized zones (DMZ)
– Perimeter or screened network
– Noncritical yet secure region generally designed at
periphery of internal and external networks
– Typical location for resources that must be accessed
from both Internet and internal network, e.g. Web servers
and FTP servers
Perimeter Defense Between
Private Network and Internet
Web Server in a DMZ
Firewalls
• Firewalls
– Used to secure connections to
unsecured network such as Internet
– Provide defense against:
• Poor authentication
• Weak software
• Spoofing
• Scanners and crackers
Firewalls
Firewalls
• Packet-filtering firewalls
– Use filters (rules) to determine which packets should be
allowed, based on metrics such as: IP addresses,
contained protocols
• Stateful packet-filtering (inspection) firewalls
– Connection information maintained in state tables
– Validated packets forwarded based on rule set defined
for particular connection
• Application proxy firewalls
– Shielding and filtering mechanism between public and
private networks, allowing complete shielding of
applications
Comparison of Firewall Technologies
Network Address Translation
• Network Address Translation (NAT)
– Service that translates internal, private
addresses into routable addresses on
public network
– Translation table: Allows single public IP
address to be mapped to multiple
private IP addresses
• Outside packets require public address and
port number to reach particular host on
private network
NAT Methodology
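The translation table described above, as an added example that is not part of the slides: one public address is shared by many private hosts, each outbound flow is given its own public port, and an inbound packet is delivered only when it names a public port that already has a mapping. The addresses in the test are constructed.

```python
import itertools
from ipaddress import ip_address

class NatTable:
    """Port-based NAT: many private (ip, port) pairs share one public IP and are
    told apart by the public port allocated to each outbound flow."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)   # next free public port
        self.outbound = {}   # (private_ip, private_port) -> public_port
        self.inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, private_ip, private_port):
        """Rewrite the source of a packet leaving the private network. A public
        port is allocated on the flow's first packet and reused afterwards."""
        if not ip_address(private_ip).is_private:
            raise ValueError("inside host %s is not a private address" % private_ip)
        key = (private_ip, private_port)
        if key not in self.outbound:
            pub_port = next(self._ports)
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, public_port):
        """Rewrite the destination of a packet arriving on the public side.
        None means no entry exists: without a mapped public port an outside
        packet has no way to reach a host on the private network."""
        return self.inbound.get(public_port)
```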
Summary
• Protocol: Formal set of rules describing how
computers transmit data and communicate across
network.
• Network stack: Stack of layers that divide network
functions, with protocols and standards
performing specific functions at each layer.
• As data passes through each layer, the data
encapsulation process attaches information to
data packets.
• OSI reference model: Framework for network
communication with seven layers: Application,
Presentation, Session, Transport, Network, Data
Link, and Physical.
Summary
• TCP/IP Network Model has four layers:
Application, Host-to-Host (Transport),
Internet, and Network Access.
• TCP verifies correct delivery of data and
provides error detection capabilities. IP is
responsible for routing packets, using IP
addresses.
• General guidelines for implementing best
security practices include: Designing
applications with security in mind,
maintaining security mindset, and
implementing defense-in-depth.
Summary
• Key aspects of securing network servers include
controlling server configuration, controlling users
and access, and monitoring, auditing, and
logging.
• Three important considerations in controlling
server configuration include (1) physically
securing and protecting server, (2) minimizing risk
by removing unneeded services, ports, and
input/output devices, and (3) performing regular
backups of host system.
• Border security: Implementing security for
different network segments by erecting borders
that can only be crossed by certain types of traffic.
Summary
• Types of network segments include public, semi-private, and private networks.
• Firewalls: Devices used to prevent unwanted
traffic and secure network perimeter; placed at
connection point of insecure network and internal
network.
• Types of firewalls: Packet-filtering firewalls,
stateful packet filtering (stateful inspection)
firewalls, and application proxy firewalls.
• Network Address Translation (NAT): Translates
private addresses into routable addresses on
public networks.
Key Terms
• Address Resolution Protocol
(ARP)
• American Standard Code
for Information Interchange
(ASCII)
• AppleTalk Session Protocol
(ASP)
• Application layer (OSI
model)
• Application layer (TCP/IP
model)
• Application proxy firewall
• Berkeley Internet Name
Domain (BIND)
• BootP
• Border security
• Broadcast packet
• Chargen
• Connectionless protocol
• Connection-oriented
protocol
• Crackers
• Data encapsulation
Key Terms
• Data Link layer
• Defense-in-depth
• Demilitarized zone (DMZ)
• Digital Network Architecture Session Control Protocol (DNA-SCP)
• Domain Name System (DNS)
• Echo
• Extended Binary-Coded Decimal Interchange Code (EBCDIC)
• Failover system
• File Transfer Protocol
(FTP)
• Filter
• Finger
• Headless server
• Host-to-Host layer
• Hypertext Transfer
Protocol (HTTP)
• Internet Control Message
Protocol (ICMP)
• Internet layer
Key Terms
• Internet Protocol (IP)
• Internet Protocol Security
(IPsec)
• Internetwork Packet
Exchange (IPX)
• IP address
• Joint Photographic Experts
Group (JPEG)
• Layered architecture
• Limiting the attack surface
• Local Service account
• Local System account
• Logical Link layer
• Media Access Control
(MAC) address
• Media Access layer
• Motion Picture Experts
Group (MPEG)
• Multicasting
• Multicast packet
• Multipurpose Internet Mail
Extensions (MIME)
• Need-to-access
environment
Key Terms
• Need-to-know environment
• Netstat
• Network Access layer
• Network Address
Translation (NAT)
• Network File System (NFS)
• Network layer
• Network Service account
• Network stack
• Open Shortest Path First
(OSPF)
• Open Systems
Interconnect (OSI) model
• Packet filtering
• Packet sniffer
• Perimeter network
• Personal firewall
• Physical entry point
• Physical layer
• Ping
• Ping of death
Key Terms
• Point-to-Point Protocol
(PPP)
• POP3
• Port
• Port scanner
• Post Office Protocol (POP)
• Presentation layer
• Private network
• Promiscuous mode
• Protocol
• Protocol analyzer
• Proxy agents
• Public network
• Remote access server
• Remote login
• Remote Procedure Call (RPC)
• Reverse Address Resolution Protocol (RARP)
• Rlogin
• Routing Information Protocol (RIP)
• Rule base
Key Terms
• Ruleset
• Screened subnet
• Secure File Transfer
Protocol (SFTP)
• Secure Shell (SSH)
• Semi-private network
• Separation of services
• Sequenced Packet
Exchange (SPX)
• Serial Line Internet Protocol
(SLIP)
• Session Control Protocol (SCP)
• Session layer
• Simple Mail Transfer
Protocol (SMTP)
• Simple Network
Management Protocol
(SNMP)
• Slogin
• Sockets
• SSH-2
• Stateful inspection
Key Terms
• Stateful packet filtering
• State table
• Systat
• Tagged Information File Format (TIFF)
• TCP/IP model
• Telnet
• Translation table
• Transmission Control Protocol (TCP)
• Transport layer (OSI
model)
• Transport layer
(TCP/IP model)
• Trivial File Transfer
Protocol (TFTP)
• Unicast packet
• User Datagram
Protocol (UDP)
• Well-known ports
Copyright Notice
Copyright 2008 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this
work beyond that permitted in section 117 of the 1976
United States Copyright Act without express
permission of the copyright owner is unlawful.
Requests for further information should be addressed
to the Permissions Department, John Wiley & Sons,
Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale.
The Publisher assumes no responsibility for errors,
omissions, or damages caused by the use of these
programs or from the use of the information herein.