1
2
(OSI-Model, n.d.) and (Tomsho, 2007)
TCP/IP PDU
Layers
Application Data
Function
7 Application Network process to application,
Initiates or accepts a request to transfer data
6 Presentation Adds formatting, display, and encryption of information
5 Session Adds communication session control information, Login/Logout
Transport Segments 4 Transport
Network
Link
Packets
Frames
OSI Layers
3 Network
2 Data
Link
LLC
Adds End-to-end connections and reliability, re-sequencing, flow control
Path determination and logical addressing (IP), translates MAC address to logical address
Adds error checking and physical addressing (MAC & LLC)
MAC
Devices - Apps Standards
Browsers, servers,
Gateways
Gateways
DNS,
Gateways
Gateways
Routers
Switches,
Bridges, NICs
HTTP, SNMP,
FTP, Telnet
ASCII, MPEG,
SSH, SSL
NetBIOS
TCP, UDP
IP, ICMP,
ARP, NetBEUI,
IPSec
802.3, 802.11,
FDDI
Bits 1 Physical Media, signal and binary transmission, sends data as a bit stream
Hubs,
Repeaters
10Base-T, T1,
E1
3
Developing a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• A network security policy describes the rules governing access to a company’s information resources, the enforcement of those rules, and the steps taken if rules are breached
– Should also describe the permissible use of those resources after they’re accessed
– Should be easy for ordinary users to understand and reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so that everyone understands its purpose
4
Determining Elements of a Network Security Policy
Tomsho, Tittel, Johnson (2007)
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• Security policy should protect organization legally
• Security policy should be continual work in progress
5
Understanding Levels of Security
Tomsho, Tittel, Johnson (2007)
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive, open
6
Highly Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Include features such as:
– Data encryption, complex password requirements, detailed auditing and monitoring of computer and network access, intricate authentication methods, and policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when cost of a security breach is high
7
Moderately Restrictive Security Policies
Tomsho, Tittel, Johnson (2007)
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and auditing features to implement the required policies
• Infrastructure can be secured with moderately priced offthe-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and support
8
Open Security Policies
Tomsho, Tittel, Johnson (2007)
• Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
• Makes sense for a small company with the primary goal of making access to network resources easy
• Internet access should probably not be possible via the company LAN
– If Internet access is available company-wide, a more restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees
9
Common Elements of Security Policies
Tomsho, Tittel, Johnson (2007)
• Virus protection for servers and desktop computers is a must
• There should be policies aimed at preventing viruses from being downloaded or spread
• Backup procedures for all data that can’t be easily reproduced should be in place, and a disaster recovery procedure must be devised
• Security is aimed not only at preventing improper use of or access to network resources, but also at safeguarding the company’s information
10
Securing Physical Access to the Network
Tomsho, Tittel, Johnson (2007)
• If there’s physical access to equipment, there is no security
– A computer left alone with a user logged on is particularly vulnerable
• If an administrator account is logged on, a person can even give his/her account administrator control
– If no user is logged on
• People could log on to the computer with their own accounts and access files to which they wouldn’t normally have access
• Computer could be restarted and booted from removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked
11
Physical Security Best Practices
Tomsho, Tittel, Johnson (2007)
• When planning your network, ensure that rooms are available to house servers and equipment
– Rooms should have locks and be suitable for the equipment being housed
• If a suitable room isn’t available, locking cabinets, freestanding or wall mounted, can be purchased to house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should be inaccessible to eavesdropping equipment
• Physical security plan should include procedures for recovery from natural disasters (e.g., fire or flood)
12
Physical Security of Servers
Tomsho, Tittel, Johnson (2007)
• May be stashed away in lockable wiring closet along with switch to which the server is connected
• Often require more tightly controlled environmental conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s preferably on a circuit separate from other devices
• If you must put servers accessible to people who should not have physical access to them, use locking cabinets
– You can purchase rack-mountable servers
13
Security of Internetworking Devices
Tomsho, Tittel, Johnson (2007)
• Routers and switches contain critical configuration information and perform essential network tasks
– Internetworking devices, such as hubs, switches, and routers, should be given as much attention in terms of physical security as servers
• A room with a lock is the best place for these devices
• Wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a mounting hole for a fan
– They also come with convenient channels for wiring
14
Securing Access to Data
Tomsho, Tittel, Johnson (2007)
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security
15
– Login process, certificates, shared keys
– Applies to both clients and servers
– Only applies after party has been authenticated
– Access Control (file permissions, Access
Control Lists, etc.)
16
Implementing Secure Authentication and Authorization
Tomsho, Tittel, Johnson (2007)
• Administrators must control who has access to the network ( authentication ) and what logged on users can do to the network ( authorization )
– NOSs have tools to specify options and restrictions on how/when users can log on to network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform
17
Configuring Password Requirements in a Windows Environment
Tomsho, Tittel, Johnson (2007)
• Specify if passwords are required for all users, how many characters a password must be, and whether they should meet certain complexity requirements
• XP allows passwords up to 128 characters
– Minimum of five to eight characters is typical
– If minimum length is 0, blank passwords are allowed
• Other options include Maximum/Minimum password age, and Enforce password history
• When a user fails to enter a correct password, a policy can be set to lock the user account
18
Configuring Password Requirements in a Linux Environment
Tomsho, Tittel, Johnson (2007)
• Linux password configuration can be done globally or on a user-by-user basis
• Options in a standard Linux Fedora Core 4 include maximum/minimum password age, and number of days’ warning a user has before password expires
– Linux system must be using shadow passwords , a secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to set other options like account lockout, password history, and complexity tests
19
Reviewing Password Dos and Don’ts
Tomsho, Tittel, Johnson (2007)
• Use a combination of uppercase letters, lowercase letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name, family members’ names, or even your pet’s name
• Don’t use common dictionary words unless they are part of a phrase
• Don’t make your password so complex that you forget it or need to write it down somewhere
20
Authorizing Access to Files and Folders
Tomsho, Tittel, Johnson (2007)
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and only folders) shared over the network
• Don’t apply to files/folders if user is logged on locally
• These are the only file security options available in a FAT or FAT32 file system
– NTFS permissions allow administrators to assign permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to user accounts and group accounts
• Six standard permissions are available for folders
21
Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)
22
Authorizing Access to Files and Folders (continued)
Tomsho, Tittel, Johnson (2007)
23
Securing Data with Encryption
Tomsho, Tittel, Johnson (2007)
• Use encryption to safeguard data as it travels across the Internet and within the company network
– Prevents somebody using eavesdropping technology, such as a packet sniffer, from capturing packets and using the data for malicious purposes
• Data on disks can be secured with encryption
24
Using IPSec to Secure Network Data
Tomsho, Tittel, Johnson (2007)
• The most popular method for encrypting data as it travels network media is to use an extension to the IP protocol called IP Security (IPSec)
– Establishes an association between two communicating devices
• Association is formed by two devices authenticating their identities via a preshared key,
Kerberos authentication, or digital certificates
– After the communicating parties are authenticated, encrypted communication can commence
25
Wikipedia-IPSec (n.d).
• IP Security
• A set of protocols operating at the Network layer
(layer 3).
• 2 Modes
– Transport Mode:
• Only payload in packet is encrypted (header is not)
• Host to Host communication
– Tunnel Mode:
• Entire IP packet is encrypted, including header
• Encapsulated in another packet for routing across internet.
• Network to Network communication
26
Securing Data on Disk
– Can optional include subfolders
– Based on owner of file
– Groups of users can be defined
– GPG (GNU Privacy Guard) from FSF.
– GPG is available for Windows also
27
VPN
Wikipedia-VPN
• VPN – Virtual Private Network
• A virtual (logical) private network running on top of a public network (e.g. Internet).
• Useful for providing remote access without using dedicated lines.
• 2 parts: ‘inside’ network which is trusted and ‘outside’ part which is not trusted.
• VPN Server manages authentication
• When active, all access from client to outside must pass through a firewall – makes client act as if it was in the
‘inside’ network.
28
Securing Communication with Virtual Private Networks
Tomsho, Tittel, Johnson (2007)
29
VPN Benefits
Tomsho, Tittel, Johnson (2007)
• Advantages of using VPNs
– Installing several modems on an RRAS server so that users can dial up the server directly isn’t necessary; instead, users can dial up any ISP
– RRAS = Windows Routing and Remote Access Server.
– Remote users can usually access an RRAS server by making only a local phone call, as long as they can access a local ISP
– When broadband Internet connectivity is available (e.g., DSL, cable modem), remote users can connect to the corporate network at high speed, making remote computing sessions more productive
• Additionally, VPNs save costs
30
Protecting Networks with Firewalls
Tomsho, Tittel, Johnson (2007)
• Firewall: HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules
– Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources
– If placed between Internet and corporate network, can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a packet ( stateful packet inspection (SPI) )
31
Types of Firewalls
Wikipedia-firewall (n.d.)
• Packet Filter Firewall:
– Stateless
– Rules are static
• Circuit Level Firewall:
– Stateful
– Can determine if packet is a new or part of an existing connection.
• Application Layer Firewall:
– Also known as proxy based firewalls
32
Using a Router as a Firewall
Tomsho, Tittel, Johnson (2007)
• A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets are permitted both into and out of the network
– Network administrator must create rules ( access control lists ) that deny certain types of packets
• Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions
33
Using Intrusion Detection Systems
Tomsho, Tittel, Johnson (2007)
• An IDS usually works with a firewall or router with access control lists
– A firewall protects a network from potential break-ins or DoS attacks, but an IDS must detect an attempted security breach and notify the network administrator
– May be able to take countermeasures if an attack is in progress
– Invaluable tool to help administrators know how often their network is under attack and devise security policies aimed at thwarting threats before they have a chance to succeed
– Too many false positives will result in the IDS being ignored
34
NAT
Wikipedia-NAT (n.d.)
• Network Address Translation (IP-masquerading)
• Router/Firewall replaces internal IP source address in IP packet with its own IP address when send packets out.
• Router/Firewall reverses process for incoming packets.
• Useful for hiding the Identify of real IP addresses behind the firewall
• Can be used for IP address reuse
– multiple machines share same IP address
– Common in home routers
– ISP assigns single public IP address
– Router maps to multiple private IP addresses
– TCP and UDP port numbers used for de-multiplexing
35
Using Network Address Translation to Improve Security
Tomsho, Tittel, Johnson (2007)
• A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world
– Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network
– An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief
36
Protecting a Network from Worms, Viruses, and Rootkits
Tomsho, Tittel, Johnson (2007)
• Malware is SW designed to cause harm/disruption to a computer system or perform activities on a computer without the consent of its owner
– A virus spreads by replicating itself into other programs or documents
– A worm is similar to a virus, but it doesn’t attach itself to another program
– A backdoor is a program installed on a computer that permits access to the computer, bypassing the normal authentication process
– To help prevent spread of malware, every computer should have virus-scanning software running
37
Protecting a Network from Worms, Viruses, and Rootkits (continued)
Tomsho, Tittel, Johnson (2007)
• A Trojan Horse program appears to be something useful, but in reality contains some type of malware
• Rootkits are a form of Trojan programs that can monitor traffic to and from a computer, monitor keystrokes, and capture passwords
– Used to hide files, programs form O.S.
– Sony added rootkits to audio CDs to prevent copying
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the hoax is the virus!
• Malware protection can be expensive; however, the loss of data and productivity that can occur when a network becomes infected is much more costly
• Phishing – social engineering
– E.g. fake (web) services used to collect sensitive data
38
Protecting a Network from Spyware and Spam
Tomsho, Tittel, Johnson (2007)
• Spyware: monitors/controls part of a computer at the expense of user’s privacy and to the gain of a third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth, and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places on an e-mail account, spammers find a way around them
39
Implementing Wireless Security
Tomsho, Tittel, Johnson (2007), Wikipedia
• Attackers who drive around looking for wireless LANs to intercept are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
• Service Set Identifier – identifies network
– Wired Equivalency Protocol (WEP)
• 1999 – Can be cracked in 2 minutes w available software
– Wi-Fi Protected Access (WPA)
• 2003 – Stronger than WEP. Not supported by all access points.
– 802.11i
• 2004 – same as WPA2, superset of WPA.
– MAC address filtering
• Access control list based on MAC address
• You should also set policies: limit AP signal access, change encryption key regularly, etc.
40
Using a Cracker’s Tools to Stop Network Attacks
Tomsho, Tittel, Johnson (2007)
• If you want to design a good, solid network infrastructure, hire a security consultant who knows the tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to compromise a network or computer system for the purposes of personal gain or to cause harm
– The term hacker has had a number of meanings throughout the years
– White hats often use the term penetration tester for their consulting services
41
Discovering Network Resources
Tomsho, Tittel, Johnson (2007)
• Attackers use command-line utilities such as Ping,
Traceroute, Finger, and Nslookup to get information about the network configuration and resources
– Other tools used
• Ping scanner: automated method for pinging a range of IP addresses
• Port scanner: determines which TCP and UDP ports are available on a particular computer or device
• Protocol analyzers are also useful for resource discovery because they allow you to capture packets and determine which protocol’s services are running
42
Disabling Network Resources
Tomsho, Tittel, Johnson (2007)
• A denial-of-service (DoS) attack is an attacker’s attempt to tie up network bandwidth or network services so that it renders those resources useless to legitimate users
– Packet storms typically use the UDP protocol because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie up a server with invalid TCP sessions, thereby preventing real sessions from being created
– In a ping flood, a program sends a large number of ping packets to a host
43
Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials.
Boston:
Thompson Course Technology.
Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide .
Indianapolis: Cisco Press
Wikipedia (n.d.). OSI Model . Retrieved 09/12/2006 from http://en.wikipedia.org/wiki/OSI_Model
Wikipedia-IPSec (n.d). IPsec.
Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Ipsec
Wikipedia-VPN (n.d.). Virtual Private Network.
Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Vpn
Wikipedia-firewall (n.d.) Firewall (Networking) .
Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Firewall
Wikipedia-NAT (n.d.) Network Address Translation. Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Network_address_translation
44