Security Network Architecture & Design Domain

Objectives
• Discuss the concepts of network security
• Understand security risks
• Provide the business context for network security

Information Security TRIAD
(Figure: Information Security at the centre of the triad Availability, Integrity, Confidentiality)

Domain Agenda
• Basic Concepts
• OSI Framework

Network & Telecommunications
• Network Security
  • Network Structures
  • Transmission Methods
  • Transport Formats
  • Security Measures
• Network Security is the cornerstone for business operations

Network Models
• Models
  • OSI Reference Model
  • TCP/IP Model

OSI Reference Model
• Layer 1: Physical Layer
• Layer 2: Data Link Layer
• Layer 3: Network Layer
• Layer 4: Transport Layer
• Layer 5: Session Layer
• Layer 6: Presentation Layer
• Layer 7: Application Layer

OSI Reference Model
• Encapsulation
• Layering
(Figure: the seven layers of Host 1 and Host 2 side by side, Application Layer down to Physical Layer, each layer communicating with its peer layer on the other host)

OSI Model Layer 1: Physical Layer
• Bits are converted into signals
• All signal processing
• Physical Topologies

OSI Model Layer 2: Data Link Layer
• Connects layer 1 and 3
• Converts information
• Transmits frames to devices
• Link Layer encryption

OSI Model Layer 3: Network Layer
• Moves information between two hosts that are not physically connected
• Uses logical addressing
• Internet Protocol (IP)

OSI Model Layer 4: Transport Layer
• End-to-end Transport between Peer Hosts
• Connection Oriented and Connectionless Protocols

OSI Model Layer 5: Session Layer
• Manages logical persistent connection
• Three Modes
  • Full Duplex
  • Half Duplex
  • Simplex

OSI Model Layer 6: Presentation Layer
• Ensures a common format to data
• Services for encryption and compression

OSI Model Layer 7: Application Layer
• The application layer is not the application
• Performs communication between peer applications
• Least control of network security

TCP/IP Model
• Originated by the U.S. Department of Defense
• Functions like the OSI Model
• Supports the TCP/IP Protocol
• Application layer is unique

TCP/IP Model
(Figure: TCP/IP layers mapped against the OSI layers)

TCP/IP Protocol Stack
• Application
• TCP, UDP
• IP, IGMP, ICMP
• ARP, Hardware Interface, PPP
• Network Connection

Network Security and Risks
• Network is the key asset in many organizations
• Network Attacks

Network-based Attacks
• Network as a Channel for Attacks
• Network as the Target of Attack

Network as a Bastion of Defense
• Security controls built around social, organizational, procedural and technical activities
• Based on the organization's security policy

Network Security Objectives and Attacks
• Business Risk versus Security Solutions
• Attack Scenarios
• Network Entry Point - in Both Directions
  • Outside-in
  • Inside-out

Methodology of an Attack
• Attack Trees
• Path of Least Resistance
(Figure: the four stages of an attack in order: 1 Target Acquisition, 2 Target Analysis, 3 Target Access, 4 Target Appropriation)

Target Acquisition (stage 1)
• Attacks start by intelligence gathering
• Means of intelligence gathering
• Countermeasures
  • Limit information on a network
  • Distract an attacker

Target Analysis (stage 2)
• Analyze identified target for security weaknesses
• Tools available
• Target analysis

Target Access (stage 3)
• Obtain access to the system
• Manage user privileges
• Monitor access

Target Appropriation (stage 4)
• Escalate privileges
• Attacker may seek sustained control of the system
• Countermeasures against privilege escalation

Network Security Tools
• Tools automate processes
• Network security is more than just technical implementations

Network Scanners
• Discovery Scanning
• Compliance Scanning
• Vulnerability Scanning

Domain Agenda
• Basic Concepts
• OSI Framework
  • Layer 1: Physical Layer

Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation

Communication Technology
• Analog and Digital Communications
• Digital communication brings quantitative and qualitative enhancements

Analog Communication
• Analog signals use electronic properties
• Transmitted on wires or with wireless devices

Digital Communication
• Uses two electronic states
• Can be transmitted over most media
• Integrity of digital communication is less difficult to maintain

Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation

Network Topology
• Even small networks are complex
• Network topology and layout affect scalability and security
• Wireless networks have a topology
(Figure: Mesh, Ring, Star, Tree and Bus topologies)

Bus
• LAN with a central cable to which all nodes connect
• Advantages
  • Scalable
  • Permits node failure
• Disadvantages
  • Bus failure

Tree
• Devices connect to a branch on the network
• Advantages
  • Scalable
  • Permits node failure
• Disadvantages
  • Failures will split the network

Ring
• Closed-loop Topology
• Advantages
  • Deterministic
• Disadvantages
  • Single Point of Failure

Mesh
• All nodes are connected with each other
• Advantages
  • Redundancy
• Disadvantages
  • Expensive
  • Complex
  • Scalability

Star
• All of the nodes connected to a central device
• Advantages
  • Permits node/cable failure
  • Scalable
• Disadvantages
  • Single point of failure

Security Perimeter
• The first line of defense between trusted and untrusted networks
• No direct physical connection between trusted and untrusted networks
• Security perimeter is the most widely used implementation of network partitioning

Layer 1: Physical Layer
• Basic Concepts
• Communications Technology
• Network Topology
• Technology and Implementation

Technology and Implementation
• Physical networks employ a wide variety of cabling technologies and components
• Wireless networks use frequency ranges and encryption/authentication

Cable
• Cable Selection Considerations
  • Throughput
  • Distance between Devices
  • Data Sensitivity
  • Environment

Twisted Pair
• One of the Simplest and Cheapest Cabling Technologies
• Unshielded (UTP) or Shielded (STP)

Unshielded Twisted Pair (UTP)
Category      Transmission Rate   Use
Category 1    < 1 Mbps            Analog voice and basic rate interface (BRI) in Integrated Services Digital Network (ISDN)
Category 2    < 4 Mbps            4 Mbps IBM Token Ring LAN
Category 3    16 Mbps             10Base-T Ethernet
Category 4    20 Mbps             16 Mbps Token Ring
Category 5    100 Mbps            100Base-TX and Asynchronous Transfer Mode (ATM)
Category 5e   1000 Mbps           1000Base-T Ethernet
Category 6    1000 Mbps           1000Base-T Ethernet

Coaxial Cable (Coax)
• Conducting wire is thicker than twisted pair
• Bandwidth
• Length
• Expensive and physically stiff

Fiber Optics
• Three Components
  • Light Source
  • Optical Fiber Cable
  • Light Detector
• Advantages
• Disadvantages

Patch Panels
• Provides physical cross-connect point for devices
• Alternative to directly connecting devices
• Centralized management

Modem
• Converts a digital signal to analog
• Provides little security
• Unauthorized modems

Wireless Transmission Technologies
• Include WLANs, Bluetooth and Mobile Telephony

Wireless Transmission Technologies
(Figure: radio spectrum chart from 0 to 38 GHz, marking unlicensed and licensed frequency ranges)
• 802.11a/h, Phones (5 GHz)
• 802.11b/g, Bluetooth, Phones (2.4 GHz)
• Digital Cellular (1850 - 1900 MHz)
• Cordless Phones, Baby Monitors, Toys (900 MHz)
• Analog Cellular (824 - 894 MHz)
• UHF TV (512 - 806 MHz)
• VHF TV (174 - 216 MHz)
• FM Radio (88 - 108 MHz)
• AM Radio (535 - 1605 KHz)

Wireless Multiplexing Technologies
Technology                                      Principle                                              Objective
Direct Sequence Spread Spectrum (DSSS)          Spread transmission over a wider frequency band        Signal less susceptible to noise
Frequency Hopping Spread Spectrum (FHSS)        Spread signal over rapidly changing frequencies        Interference at one frequency will only have short term effect
Orthogonal Frequency Division Multiplexing (OFDM)  Signal is subdivided into sub frequency bands       Split high bandwidth transmission into low BW transmissions

Other Multiplexing Technologies
Technology                               Principle                                  Objective
Frequency Division Multiple Access (FDMA)  Divide frequency into sub bands          Open several low bandwidth channels
Time Division Multiple Access (TDMA)     Split transmission by time slices          Multiplexing between participants
Code Division Multiple Access (CDMA)     Multiplex several signals into one signal  Multiplexing is performed on a digital level

Mobile Telephony
• Mobile telephony is undergoing a rapid development
• Most common mobile phone technology is still GSM
  • Global Service for Mobile Communications (GSM)

Domain Agenda
• Basic Concepts
• OSI Framework
  • Layer 2: Data Link Layer

Layer 2: Data Link Layer
• Concerned with sending frames to the next link
• Determines network transmission format

Synchronous/Asynchronous Communications
• Synchronous
  • Timing mechanism synchronizes data transmission
  • Robust Error Checking
  • Practical for High-speed, High-volume Data
• Asynchronous
  • Clocking mechanism is not used
  • Surrounds each byte with bits that mark the beginning and end of transmission

Unicast, Multicast, and Broadcast Transmissions
• Multicasts
• Broadcasts
  • Do not use reliable sessions
• Unicast

Circuit-switched vs. Packet-switched Networks
• Circuit-switched
  • Dedicated circuit between endpoints
  • Endpoints have exclusive use of the circuit and its bandwidth
• Packet-switched
  • Data is divided into packets and transmitted on a shared network
  • Each packet can be independently routed on the network

Switched vs. Permanent Virtual Circuits
• Permanent Virtual Circuits
• Switched Virtual Circuits

Carrier Sense Multiple Access
• Only one device may transmit at a time
• There are two variations
  • Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
  • Carrier Sense Multiple Access with Collision Detection (CSMA/CD)

Polling
• Slave device needs permission from a master device
• Used mostly in Mainframe Protocols
• Optional Function of the IEEE 802.11 Standard

Token Passing
• Special frame circulates through the ring
• Device must possess the token to transmit
• Token passing is used in Token Ring (IEEE 802.5) and FDDI

Ethernet (IEEE 802.3)
• Most Popular LAN Architecture
• Supports bus, star, and point-to-point topologies
• Currently supports speeds up to 1000 Mbps

Hubs and Repeaters
• Hubs
  • Used to implement a physical star topology
  • All devices can read and potentially modify the traffic of other devices
• Repeaters
  • Allow longer distances

Bridges
• Layer 2 Devices that filter traffic between segments based on MAC addresses
• Can connect LANs with unlike media types
• Simple bridges do not reformat frames

Switches
• Multi-port devices to connect LAN hosts
• Forwards frames only to the specified MAC address
• Becoming more sophisticated

Wireless Local Area Networks
• Allows mobile users to remain connected
• Extends LANs beyond physical boundaries

Access Points
• Access Point Placement
• Do not count on hiding Access Points
• Rogue Access Points

Authentication
• Paramount to the Security of Wireless LANs
• Open Systems Authentication
• Shared Key Authentication
• MAC Address Filtering
• Extensible Authentication Protocol

Wireless Encryption
• Wired Equivalent Privacy (WEP)
• WiFi Protected Access (WPA)
• WiFi Protected Access 2 (WPA2)

Wireless Encryption
                           Access Control              Authentication                    Encryption                 Integrity
802.1x Dynamic WEP         802.1X                      EAP methods                       WEP                        None
Wi-Fi Protected Access     802.1X or Pre-Shared Key    EAP methods or Pre-Shared Key     TKIP (RC4)                 Michael MIC
Wi-Fi Protected Access 2   802.1X or Pre-Shared Key    EAP methods or Pre-Shared Key     CCMP (AES Counter Mode)    CCMP (AES CBC-MAC)

Wireless Standards
• IEEE 802.11b
• IEEE 802.11a
• IEEE 802.11g
• Bluetooth

Address Resolution Protocol (ARP) / RARP
• ARP
• RARP (Reverse ARP)

Password Authentication Protocol (PAP)
• Identification and Authentication of Remote Entity
• Uses a clear text, reusable (static) password
• Supported by most network devices

Challenge Handshake Authentication Protocol (CHAP)
• Periodically re-validates users
• Standard password database is unencrypted
• Password is sent as a one-way hash

Domain Agenda
• Basic Concepts
• OSI Framework
  • Layer 3: Network Layer

Layer 3: Network Layer
• Architectures Classified by Scale (size)
• TCP/IP at the Network Layer

Local Area Network (LAN)
• LANs service a relatively small area
• Most LANs have connectivity to other networks
• VLANs are software based LAN segments implemented by switching technology

Wide Area Network (WAN) Description
• A WAN is a network connecting local networks or access points
• Connections are often shared and tunneled through other connections

Public Switched Telephone Network (PSTN)
• PSTN is a circuit switched network
• The PSTN may be subject to attacks
(Figure: PSTN hierarchy from top to bottom: Regional Toll Center, Primary Toll Centers, Tandem Offices, Central Offices, Callers)

Integrated Services Digital Network (ISDN)
• Uses two types of channels
  • B (Bearer) Channel: 64 kbit/s
  • D (Delta) Channel: 16 kbit/s
• Comes in two varieties
  • BRI (Basic Rate Interface): 2*B + 1*D = 144 kbit/s
  • PRI (Primary Rate Interface), North America: 23*B + 1*D = 1.55 Mbit/s (T1)
  • PRI (Primary Rate Interface), Europe and Australia: 30*B + 1*D = 2 Mbit/s (E1)

"T" Carrier
Channel   Multiplex Ratio     Bandwidth
T1        1xT1                1.544 Mbps
T2        4xT1                6.312 Mbps
T3        7xT2 = 28xT1        44.736 Mbps
T4        6xT3 = 168xT2       274.176 Mbps

"E" Carrier
Channel   Multiplex Ratio     Bandwidth
E1        1xE1                2.048 Mbps
E2        4xE1                8.848 Mbps
E3        4xE2 = 16xE1        34.304 Mbps
E4        4xE3 = 64xE2        139.264 Mbps

Digital Subscriber Lines (DSL)
• Uses CAT-3 cables and the local loop
  • Asymmetric Digital Subscriber Line (ADSL)
  • Rate-adaptive DSL (RADSL)
  • Symmetric Digital Subscriber Line (SDSL)
  • Very High Bit-rate DSL (VDSL)
(Figure: Customer side with ADSL Modem, Splitter, Voice and NID + Splitter, connected over the local loop to the Central Office DSLAM and on to the ISP)

Cable Modem
• PC Ethernet NIC connects to a cable modem
• The modem and head-end exchange cryptographic keys
• Cable modems increase the requirement to observe good security practices

X.25
• Protocol developed for unreliable networks
• Has a strong focus on error correction
• Users and hosts connect through a packet-switched network

Frame Relay
• FR network cloud of switches
• FR customers share resources
• Customers are charged for used bandwidth only
(Figure: Router with DTE on each side of the Frame Relay Cloud)

Asynchronous Transfer Mode (ATM)
• ATM is a connection-oriented protocol
• Uses virtual circuits
• Guarantees QoS but not the delivery of cells

Multi-Protocol Label Switching (MPLS)
• Permits traffic engineering
• Provides quality of service (QoS) and defense against network attacks
• Operates at Layer 2 and 3

Broadband Wireless
• WiMAX allows the implementation of wireless Metropolitan Area Networks (MANs)
• Improved access when a base station and user are not in line of sight
• Security is based on AES and EAP

Wireless Optics
• Two laser transceivers communicate at speeds comparable to SONET
• Wireless optics transmissions are hard to intercept
• Wireless optics can be unreliable during inclement weather

Global Area Network (GAN)
• Intranet
• Extranet
  • Granting access to external organizations
• Internet

TCP/IP at the Network Layer
• TCP/IP protocol suite is the de-facto standard
• Need to provide private communications services over public networks

Internet Protocol (IP)
• Internet Protocol (IP) is responsible for sending packets over a network
• Unreliable Protocol
• IP will subdivide packets
• IPv4 Address Structure
  11011000 . 00011001 . 01101000 . 11001111
  216      . 25       . 104      . 207

Internet Protocol (IP)
• Internet Protocol Address Structure
Class   Range of First Octet   Number of Octets for Network Number   Number of Hosts in Network
A       1-127                  1                                     16777216
B       128-191                2                                     65536
C       192-223                3                                     256
D       224-239                Multicast
E       240-255                Reserved

Risks and Attacks
• Key shortcoming in IP is its lack of authentication
• Shortcomings in implementation

IP Fragmentation Attacks
• Teardrop Attack
• Overlapping Fragment Attacks

IP Address Spoofing
• Packets are sent with a bogus source address
• SYN Flood
  • Takes advantage of a protocol flaw

Source Routing Exploitation
• IP allows the sender to specify the path
• Attacker can abuse source routing
• Could allow an external attacker access to an internal network

Smurf and Fraggle Attacks
• Smurf attack misuses the ICMP Echo Request
• Fraggle attack uses UDP instead of ICMP
• Ping of Death

IPv6
• A larger IP address field
• Improved security
• A more concise IP packet header
• Improved quality of service

Routers
• Routers forward packets to other networks
• Routers can be used to interconnect different technologies

Firewalls
• Enforce administrative security policies
• Separate trusted networks from untrusted networks
• Firewalls should be placed between security domains
(Figure: Engineering LAN as the Engineering Dept. Domain of Trust, separated by a firewall from the General LAN Domain of Trust)

Firewalls
• Filtering
  • Filtering by Address
  • Filtering by Service
• Static Packet Filtering
• Stateful Inspection or Dynamic Packet Filtering
• Personal Firewalls

Network Address Translation / Port Address Translation
(Figure: Network and Port Address Translation)
• Inside the private network:
  Source IP: 192.168.1.50, Destination IP: 206.121.73.5, Source Port: 1037, Destination Port: 80
• After translation on the public side:
  Source IP: 199.53.72.2, Destination IP: 206.121.73.5, Source Port: 1058, Destination Port: 80

Proxy Firewalls
• Circuit Level Proxy
• Application Level Proxy

Firewalls
Firewall Type            OSI Model Layer      Characteristics
Packet Filtering         Network layer        Routers using ACLs dictate acceptable access to a network
                                              Looks at destination and source addresses, ports and services requested
Application-level Proxy  Application layer    Deconstructs packets and makes granular access control decisions
                                              Requires one proxy per service

Firewalls
Firewall Type            OSI Model Layer      Characteristics
Circuit-level Proxy      Session layer        Deconstructs packets
                                              Protects a wider range of protocols and services than an application-level proxy, but with a less detailed level of control
Stateful                 Network layer        Keeps track of each conversation using a state table
                                              Looks at state and context of packets

Network Partitioning
• Boundary Routers
• Dual-homed Host
(Figure: host computer with two network cards)

Network Partitioning
• Bastion Host
(Figure: Bastion Host placed between the Router and the Network)
• Demilitarized Zone (DMZ)
(Figure: DMZ switch placed between an outer Firewall and an inner Firewall in front of the Network)

Network Partitioning
• Three-legged Firewall
(Figure: one Firewall with separate interfaces for the DMZ and the Network)

End Systems
• Servers and Mainframes
• Operating Systems
• Notebooks
• Workstations
• Smart Phones
• Personal Digital Assistants

Virtual Private Network (VPN)
• Remote access through VPN
(Figure: Telecommuter, Branch Office and Mobile User connecting to a Network Access Server)
• LAN to LAN configuration
(Figure: two placements of the VPN Server: an encrypted tunnel across the Internet to a VPN Server behind the Firewall on the LAN, and to a VPN Server on the DMZ)

Virtual Private Network (VPN)
• Secure Shell (SSH)
• IPSEC Authentication and Confidentiality for VPNs
• SSL/TLS VPNs
• SOCKS

IPSEC Authentication & Confidentiality for VPNs
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Security Associations
• Transport Mode / Tunnel Mode
• Internet Key Exchange (IKE)
  • IPSEC Key Exchange

Tunneling
• Point-to-Point Tunneling Protocol (PPTP)
• Layer 2 Tunneling Protocol (L2TP)

Dynamic Host Configuration Protocol (DHCP)
• Dynamically assigns IP addresses to hosts
• Client does not request a new lease every time

Internet Control Message Protocol (ICMP)
• ICMP Redirect Attacks
• Ping of Death
• Traceroute Exploitation
• Ping Scanning

Internet Group Management Protocol (IGMP)
• Used for Multicast Messages
• Sets up Multicast Groups

Routing Protocols
• Routing Information Protocol (RIP)
• Virtual Router Redundancy Protocol (VRRP)

Domain Agenda
• Basic Concepts
• OSI Framework
  • Layer 4: Transport Layer
  • Layer 5: Session Layer

Layer 4: Transport Layer
• Transmission Control Protocol (TCP)
  • Well-known Ports
  • Registered Ports
  • Dynamic and/or Private Ports
• User Datagram Protocol (UDP)

Transmission Control Protocol (TCP) Session
(Figure: TCP session between Host A and Host B)
• Host A (active open) -> Host B (passive open): SYN(1000)
• Host B -> Host A: SYN(2000), ACK(1001)
• Host A -> Host B: ACK(2001)
• Connection established on both hosts
• Host A -> Host B: ACK, data
• Host A close: ACK(2300), FIN(1500)
• Host B -> Host A: ACK(1501)
• Host B close: ACK(1501), FIN(2400)
• Host A -> Host B: ACK(2401)
• Connection closed on both hosts

Technology and Implementation
• Port Scanning
  • FIN, NULL and XMAS Scanning
  • SYN Scanning
  • TCP Sequence Number Attacks
  • Session Hijacking
• Denial of Service

Transport Layer Security (TLS)
• Functions of TLS
  • Mutual authentication
  • Encryption

Layer 5: Session Layer
• Remote Procedure Calls

Directory Services
• Domain Name Service (DNS)
• Lightweight Directory Access Protocol (LDAP)
• Network Basic Input Output System (NetBIOS)
• Network Information Service (NIS)/NIS+

Access Services
• Common Internet File System (CIFS)/Server Message Block (SMB)
• Network File System (NFS)
• Secure NFS (SNFS)

Domain Agenda
• Basic Concepts
• OSI Framework
  • Layer 7: Application Layer

Data Exchange (World Wide Web)
• Trivial File Transfer Protocol (TFTP)
• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol (HTTP)
• HTTP over TLS (HTTPS)
• Secure Hypertext Transfer Protocol (S-HTTP)
• Passive and Active Content (HTML, ActiveX, Java, JavaScript)
• Peer-to-peer Applications and Protocols

Messaging Services
• Instant Messaging
• Asynchronous Messaging
  • Email Spoofing
  • Open Mail Relay Servers
  • Spam
  • Post Office Protocol (POP)
  • Internet Message Access Protocol (IMAP)
  • Network News Transfer Protocol (NNTP)
  • Internet Relay Chat (IRC)
  • Spam over Instant Messaging (SPIM)

Administrative Services
• Remote Authentication Dial-In User Service (RADIUS)
• Simple Network Management Protocol (SNMP)

Remote Authentication Dial-In User Service (RADIUS)
• Network Access Server sends authentication requests to the Centralized Authentication Server

Remote Access Services
• TCP/IP Terminal Emulation Protocol (TELNET)
• Remote Login (RLOGIN), Remote Shell (RSH), Remote Copy (RCP)
• X Window System (X11)

Information Services
• Finger User Information Protocol
• Network Time Protocol (NTP)

Traditional Telephony and Network Layouts

Voice over IP (VoIP)
• Session Initiation Protocol (SIP)
• Proprietary Applications and Services

Voice over IP (VoIP)
• IP Telephony Network Issues
• IP Telephony Vulnerabilities
(Figure: Internet connected through a Router to the Corporate LAN with Server, Telephony Server and PSTN gateway; Access Points serving IP Phones and Wireless LAN Phones)

Domain Summary
• Provides the foundation for IT security
• OSI - TCP/IP Models
• Ports and Protocols
• Network Devices

Domain Summary
• Discuss the concepts of network security
• Understand security risks
• Provide a business context on network security

"Security Transcends Technology"