Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 6: Network Security

Objectives
• List the different types of network security devices and explain how they can be used
• Define network address translation and network access control
• Explain how to enhance security through network design

Security Through Network Devices
• Not all applications are designed and written with security in mind
  – Network must provide protection
• Networks with weak security invite attackers
• Aspects of building a secure network
  – Network devices
  – Network technologies
  – Design of the network itself

Standard Network Devices
• Security features found in network hardware
  – Provide basic level of security
• Open Systems Interconnection (OSI) model
  – Network devices classified based on function
  – Standards released in 1978, revised in 1983, still used today
  – Illustrates:
    • How a network device prepares data for delivery
    • How data is handled once received

Standard Network Devices (cont’d.)
• OSI model breaks networking steps into seven layers
  – Each layer has different networking tasks
  – Each layer cooperates with adjacent layers

Table 6-1 OSI reference model

Standard Network Devices (cont’d.)
• Hubs
  – Connect multiple Ethernet devices together:
    • To function as a single network segment
  – Use twisted-pair copper or fiber-optic cables
  – Work at Layer 1 of the OSI model
  – Do not read data passing through them
  – Ignorant of data source and destination
  – Rarely used today because of inherent security vulnerability

Standard Network Devices (cont’d.)
• Switches
  – Network switch connects network segments
  – Operate at Data Link Layer (Layer 2)
  – Determine which device is connected to each port
  – Can forward frames sent to that specific device
    • Or broadcast to all devices
  – Use MAC address to identify devices
  – Provide better security than hubs

Standard Network Devices (cont’d.)
• Network administrator should be able to monitor network traffic
  – Helps identify and troubleshoot network problems
• Traffic monitoring methods
  – Port mirroring
  – Network tap (test access point)
    • Separate device installed between two network devices

Figure 6-1 Port mirroring © Cengage Learning 2012
Figure 6-2 Network tap
Table 6-2 Protecting the switch

Standard Network Devices (cont’d.)
• Routers
  – Forward packets across computer networks
  – Operate at Network Layer (Layer 3)
  – Can be set to filter out specific types of network traffic
• Load balancers
  – Help evenly distribute work across a network
  – Allocate requests among multiple devices

Standard Network Devices (cont’d.)
• Advantages of load-balancing technology
  – Reduces probability of overloading a single server
  – Optimizes bandwidth of network computers
  – Reduces network downtime
• Load balancing is achieved through software or a hardware device (load balancer)

Standard Network Devices (cont’d.)
• Security advantages of load balancing
  – Can stop attacks directed at a server or application
  – Can detect and prevent denial-of-service attacks
  – Some can deny attackers information about the network
    • Hide HTTP error pages
    • Remove server identification headers from HTTP responses

Network Security Hardware
• Specifically designed security hardware devices
  – Greater protection than standard networking devices
• Firewalls
  – Hardware-based network firewall inspects packets
  – Can either accept or deny packet entry
  – Usually located outside network security perimeter

Figure 6-3 Firewall location

Network Security Hardware (cont’d.)
• Firewall actions on a packet
  – Allow (let packet pass through)
  – Block (drop packet)
  – Prompt (ask what action to take)
• Rule-based firewall settings
  – Set of individual instructions to control actions
• Settings-based firewall
  – Allows administrator to create parameters

Table 6-3 Rule for Web page transmission

Network Security Hardware (cont’d.)
• Methods of firewall packet filtering
  – Stateless packet filtering
    • Inspects incoming packet and permits or denies based on conditions set by administrator
  – Stateful packet filtering
    • Keeps record of state of connection
    • Makes decisions based on connection and conditions

Network Security Hardware (cont’d.)
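The stateless versus stateful distinction on the packet-filtering slide above, as an added example that is not from the textbook: a toy filter of each kind is run over three constructed packets (addresses, ports and the single "allow source port 80" rule are all assumptions), and only the stateful one blocks the inbound packet that belongs to no connection opened from inside.

```python
# Added example, not from the textbook: a toy packet filter that shows why a
# stateful filter blocks an unsolicited inbound packet that a stateless rule
# would let through. Addresses, ports and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = leaving the LAN, "in" = arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def stateless_decide(pkt: Packet) -> str:
    """Stateless filtering: each packet judged on its own against fixed rules.
    Rule set (constructed): allow all outbound; allow inbound only when the
    remote side uses port 80, i.e. what a Web server reply looks like."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.src_port == 80 else "block"

class StatefulFilter:
    """Stateful filtering: remembers connections opened from inside and only
    admits inbound packets that belong to one of them."""
    def __init__(self) -> None:
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Record the 4-tuple of the outbound connection (internal side first).
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # For an inbound packet, flip the tuple and look for a matching entry.
        expected = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if expected in self.connections else "block"

# Constructed traffic: a Web request, its legitimate reply, and an unrelated
# inbound packet that merely looks like a Web reply (source port 80).
REQUEST  = Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80)
REPLY    = Packet("in",  "203.0.113.10", 80, "10.0.0.5", 40000)
UNWANTED = Packet("in",  "198.51.100.7", 80, "10.0.0.5", 22)

def compare() -> dict:
    """Return (stateless verdict, stateful verdict) for each constructed packet."""
    stateful = StatefulFilter()
    verdicts = {}
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("unwanted", UNWANTED)):
        verdicts[name] = (stateless_decide(pkt), stateful.decide(pkt))
    return verdicts

if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:9s} stateless={stateless:5s} stateful={stateful}")
```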
• Web application firewall
  – Looks deeply into packets that carry HTTP traffic
    • Web browsers
    • FTP
    • Telnet
  – Can block specific sites or specific known attacks
  – Can block XSS and SQL injection attacks

Network Security Hardware (cont’d.)
• Proxies
  – Devices that substitute for primary devices
• Proxy server
  – Computer or application that intercepts and processes user requests
  – If a previous request has been fulfilled:
    • Copy of the Web page may reside in proxy server’s cache
  – If not, proxy server requests item from external Web server using its own IP address

Figure 6-4 Proxy server
Figure 6-5 Configuring access to proxy servers

Network Security Hardware (cont’d.)
• Proxy server advantages
  – Increased speed (requests served from the cache)
  – Reduced costs (cache reduces bandwidth required)
  – Improved management
    • Block specific Web pages or sites
  – Stronger security
    • Intercept malware
    • Hide client system’s IP address from the open Internet

Network Security Hardware (cont’d.)
• Reverse proxy
  – Does not serve clients
  – Routes incoming requests to correct server
  – Reverse proxy’s IP address is visible to outside users
    • Internal server’s IP address hidden

Figure 6-6 Reverse proxy

Network Security Hardware (cont’d.)
• Spam filters
  – Enterprise-wide spam filters block spam before it reaches the host
• Email systems use two protocols
  – Simple Mail Transfer Protocol (SMTP)
    • Handles outgoing mail
  – Post Office Protocol (POP)
    • Handles incoming mail

Network Security Hardware (cont’d.)
• Spam filters installed with the SMTP server
  – Filter configured to listen on port 25
  – Pass non-spam e-mail to SMTP server listening on another port
  – Method prevents SMTP server from notifying spammer of failed message delivery

Figure 6-7 Spam filter with SMTP server

Network Security Hardware (cont’d.)
• Spam filters installed on the POP3 server
  – All spam must first pass through SMTP server and be delivered to user’s mailbox
  – Can result in increased costs
    • Storage, transmission, backup, deletion
• Third-party entity contracted to filter spam
  – All email directed to third-party’s remote spam filter
  – E-mail cleansed before being redirected to organization

Figure 6-8 Spam filter on POP3 server

Network Security Hardware (cont’d.)
• Virtual private network (VPN)
  – Uses unsecured network as if it were secure
  – All data transmitted between remote device and network is encrypted
• Types of VPNs
  – Remote-access
    • User to LAN connection
  – Site-to-site
    • Multiple sites can connect to other sites over the Internet

Network Security Hardware (cont’d.)
• Endpoints
  – Used in communicating VPN transmissions
  – May be software on local computer
  – May be VPN concentrator (hardware device)
  – May be integrated into another networking device
• VPNs can be software-based or hardware-based
  – Hardware-based generally have better security
  – Software-based have more flexibility in managing network traffic

Network Security Hardware (cont’d.)
• Internet content filters
  – Monitor Internet traffic
  – Block access to preselected Web sites and files
  – Unapproved sites identified by URL or matching keywords

Table 6-4 Internet content filter features

Network Security Hardware (cont’d.)
• Web security gateways
  – Can block malicious content in real time
  – Block content through application level filtering
• Examples of blocked Web traffic
  – ActiveX objects
  – Adware, spyware
  – Peer to peer file sharing
  – Script exploits

Network Security Hardware (cont’d.)
• Passive and active security can be used in a network
  – Active measures provide higher level of security
• Passive measures
  – Firewall
  – Internet content filter
• Intrusion detection system (IDS)
  – Active security measure
  – Can detect attack as it occurs

Network Security Hardware (cont’d.)
• Monitoring methodologies
  – Anomaly-based monitoring
    • Compares current detected behavior with baseline
  – Signature-based monitoring
    • Looks for well-known attack signature patterns
  – Behavior-based monitoring
    • Detects abnormal actions by processes or programs
    • Alerts user who decides whether to allow or block activity
  – Heuristic monitoring
    • Uses experience-based techniques

Table 6-5 Methodology comparisons to trap port-scanning application

Network Security Hardware (cont’d.)
• Host intrusion detection system (HIDS)
  – Software-based application that can detect attack as it occurs
  – Installed on each system needing protection
  – Monitors system calls and file system access
  – Can recognize unauthorized Registry modification
  – Monitors all input and output communications
    • Detects anomalous activity

Network Security Hardware (cont’d.)
• Disadvantages of HIDS
  – Cannot monitor network traffic that does not reach local system
  – All log data is stored locally
  – Resource-intensive and can slow system

Network Security Hardware (cont’d.)
• Network intrusion detection system (NIDS)
  – Watches for attacks on the network
  – NIDS sensors installed on firewalls and routers:
    • Gather information and report back to central device
  – Passive NIDS will sound an alarm
  – Active NIDS will sound alarm and take action
    • Actions may include filtering out intruder’s IP address or terminating TCP session

Table 6-6 NIDS evaluation techniques

Network Security Hardware (cont’d.)
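The signature-based and anomaly-based methodologies from the monitoring slide above, as an added example that is not from the textbook, run over a constructed sensor log in the port-scanning setting of Table 6-5. The log lines, the single signature string and the baseline value are all assumptions; the point is that each methodology catches a different event and misses the other.

```python
# Added example, not from the textbook: signature-based and anomaly-based
# monitoring applied to a constructed connection log, in the port-scanning
# setting of Table 6-5. The signature, baseline and log lines are made up.
import re
from collections import defaultdict

# Constructed sensor log (all within one minute): time, source, destination,
# destination port and the first bytes of payload.
LOG = """\
10:00:01 src=10.0.0.9 dst=10.0.0.20 dport=80 payload="GET /index.html"
10:00:02 src=10.0.0.9 dst=10.0.0.20 dport=443 payload=""
10:00:04 src=10.0.0.31 dst=10.0.0.20 dport=22 payload=""
10:00:05 src=10.0.0.31 dst=10.0.0.20 dport=23 payload=""
10:00:05 src=10.0.0.31 dst=10.0.0.20 dport=25 payload=""
10:00:06 src=10.0.0.31 dst=10.0.0.20 dport=80 payload=""
10:00:06 src=10.0.0.31 dst=10.0.0.20 dport=110 payload=""
10:00:07 src=10.0.0.31 dst=10.0.0.20 dport=143 payload=""
10:00:09 src=10.0.0.12 dst=10.0.0.20 dport=80 payload="GET /?q=EVIL-PROBE-1"
"""
LINE_RE = re.compile(r'(\S+) src=(\S+) dst=(\S+) dport=(\d+) payload="(.*)"')

# Signature-based: well-known attack patterns (here one constructed string).
SIGNATURES = {"example-probe": re.compile(r"EVIL-PROBE-\d+")}

# Anomaly-based: a baseline learned earlier says a normal source touches at
# most this many distinct ports on one host per minute (constructed value).
BASELINE_MAX_PORTS = 3

def parse(log: str) -> list:
    """Turn the log text into event dicts, skipping lines that do not parse."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, src, dst, dport, payload = m.groups()
            events.append({"time": t, "src": src, "dst": dst, "dport": int(dport), "payload": payload})
    return events

def signature_alerts(events: list) -> list:
    """Match each payload against the known signatures: finds the probe string,
    says nothing about the scan, whose packets carry no payload at all."""
    return [(e["src"], name) for e in events for name, rx in SIGNATURES.items() if rx.search(e["payload"])]

def anomaly_alerts(events: list) -> list:
    """Flag (source, distinct-port count) pairs above the learned baseline:
    finds the scan, says nothing about the single probe request."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return [(src, len(p)) for (src, _dst), p in ports.items() if len(p) > BASELINE_MAX_PORTS]

if __name__ == "__main__":
    events = parse(LOG)
    print("signature:", signature_alerts(events))
    print("anomaly:  ", anomaly_alerts(events))
```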
• Network intrusion prevention system (NIPS)
  – Similar to active NIDS
  – Monitors network traffic to immediately block a malicious attack
  – NIPS sensors located in line on firewall itself

Network Security Hardware (cont’d.)
• All-in-one network security appliances
  – One integrated device replaces multiple security devices
• Recent trend:
  – Combining multipurpose security appliances with a traditional device such as a router
  – Advantage of approach
    • Network devices already process all packets
    • Switch that contains anti-malware software can inspect all packets

Security Through Network Technologies
• Internet routers normally drop packet with a private address
• Network address translation (NAT)
  – Allows private IP addresses to be used on the public Internet
  – Replaces private IP address with public address
• Port address translation (PAT)
  – Variation of NAT
    • Outgoing packets given same IP address but different TCP port number

Table 6-7 Private IP addresses
Figure 6-9 Network address translation (NAT)

Security Through Network Technologies (cont’d.)
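The NAT and PAT slide above, as an added example that is not from the textbook: a minimal translation table gives two private hosts the same public address with different ports, routes replies back by that port, and drops an inbound packet for which no mapping exists. The public and private addresses, ports and the port-allocation scheme are assumptions; the private ranges are the RFC 1918 ranges.

```python
# Added example, not from the textbook: a minimal port address translation (PAT)
# table. Two private hosts share one public address; replies are routed back by
# the translated port, and unsolicited packets to an unmapped port are dropped.
# Addresses and ports are constructed.
import ipaddress

# RFC 1918 private ranges (the kind of address Table 6-7 lists).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

class PortAddressTranslator:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (private ip, private port) -> public port
        self.inbound_map = {}    # public port -> (private ip, private port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of a packet leaving the LAN; returns the new header.
        Every private (ip, port) pair gets its own public port, so several hosts
        can use the same private port behind one public address."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # nothing to translate
        key = (src_ip, src_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of a returning packet, or return None (drop)
        when no mapping exists: outside hosts cannot address internal devices."""
        if dst_ip != self.public_ip or dst_port not in self.inbound_map:
            return None
        priv_ip, priv_port = self.inbound_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

def demo() -> dict:
    """Constructed traffic: two internal hosts fetch the same Web server."""
    pat = PortAddressTranslator("198.51.100.1")
    a = pat.translate_outbound("192.168.1.10", 51000, "203.0.113.10", 80)
    b = pat.translate_outbound("192.168.1.11", 51000, "203.0.113.10", 80)  # same private port
    reply_a = pat.translate_inbound("203.0.113.10", 80, "198.51.100.1", a[1])
    unsolicited = pat.translate_inbound("203.0.113.99", 4444, "198.51.100.1", 45000)
    return {"a": a, "b": b, "reply_a": reply_a, "unsolicited": unsolicited}

if __name__ == "__main__":
    for name, header in demo().items():
        print(f"{name:11s} {header}")
```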
• Advantages of NAT
  – Masks IP addresses of internal devices
  – Allows multiple devices to share smaller number of public IP addresses
• Network access control
  – Examines current state of system or network device:
    • Before allowing network connection
  – Device must meet set of criteria
    • If not met, NAC allows connection to quarantine network until deficiencies corrected

Figure 6-10 Network access control framework

Security Through Network Design Elements
• Elements of a secure network design
  – Demilitarized zones
  – Subnetting
  – Virtual LANs
  – Remote access

Demilitarized Zone (DMZ)
• Separate network located outside secure network perimeter
• Untrusted outside users can access DMZ but not secure network

Figure 6-11 DMZ with one firewall
Figure 6-12 DMZ with two firewalls

Subnetting
• IP address may be split anywhere within its 32 bits
• Network can be divided into three parts
  – Network
  – Subnet
  – Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts

Subnetting (cont’d.)
• Improves network security by isolating groups of hosts
• Allows administrators to hide internal network layout

Table 6-8 Advantages of subnetting
Figure 6-13 Subnets

Virtual LANs (VLAN)
• Allow scattered users to be logically grouped together:
  – Even if attached to different switches
• Can isolate sensitive data to VLAN members
• Communication on a VLAN
  – If connected to same switch, switch handles packet transfer
  – Special “tagging” protocol used for communicating between switches

Remote Access
• Working away from the office is commonplace today
  – Telecommuters
  – Traveling sales representatives
  – Traveling workers
• Strong security for remote workers must be maintained
  – Transmissions are routed through networks not managed by the organization
• Provides same functionality as local users
  – Through VPN or dial-up connection

Summary
• Standard network security devices provide a degree of security
  – Hubs, switches, router, load balancer
• Hardware devices specifically designed for security give higher protection level
  – Hardware-based firewall, Web application firewall
• Proxy server intercepts and processes user requests
• Virtual private network uses unsecured public network and encryption to provide security

Summary (cont’d.)
• Intrusion detection system designed to detect attack as it occurs
• Network technologies can help secure a network
  – Network address translation
  – Network access control
• Methods for designing a secure network
  – Demilitarized zones
  – Virtual LANs
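The Subnetting slides above say a 32-bit address can be split anywhere into network, subnet and host parts; as an added example that is not from the textbook, the split is computed by hand with bit masks, cross-checked against the standard library, and used to decide whether two hosts share a subnet (and so can reach each other without crossing a router). The organisation prefix, the borrowed bits and the host addresses are constructed.

```python
# Added example, not from the textbook: splitting a 32-bit IPv4 address into
# network, subnet and host parts at an arbitrary bit position, as the
# Subnetting slides describe, and checking which hosts share a subnet.
# The addresses and prefix lengths are constructed.
import ipaddress

def split_address(ip: str, network_bits: int, subnet_bits: int) -> dict:
    """Return the network, subnet and host fields of `ip` as integers.
    network_bits: prefix held by the organisation; subnet_bits: bits the
    administrator borrows from the host part to number subnets."""
    assert 0 < network_bits + subnet_bits < 32
    host_bits = 32 - network_bits - subnet_bits
    value = int(ipaddress.IPv4Address(ip))
    network = value >> (subnet_bits + host_bits)
    subnet = (value >> host_bits) & ((1 << subnet_bits) - 1)
    host = value & ((1 << host_bits) - 1)
    return {"network": network, "subnet": subnet, "host": host, "host_bits": host_bits}

def same_subnet(ip_a: str, ip_b: str, network_bits: int, subnet_bits: int) -> bool:
    """Two hosts share a subnet when their network and subnet fields agree;
    traffic between different subnets must pass a router, which is where the
    isolation the slides mention is enforced."""
    a = split_address(ip_a, network_bits, subnet_bits)
    b = split_address(ip_b, network_bits, subnet_bits)
    return (a["network"], a["subnet"]) == (b["network"], b["subnet"])

def subnet_cidrs(network: str, subnet_bits: int) -> list:
    """The subnets the ipaddress module derives for the same split, as a
    cross-check of the hand computation above."""
    net = ipaddress.ip_network(network)
    return [str(s) for s in net.subnets(prefixlen_diff=subnet_bits)]

if __name__ == "__main__":
    # Constructed: organisation holds 172.16.0.0/16 and borrows 4 bits,
    # giving 16 subnets of /20 with 12 host bits each.
    print(split_address("172.16.35.7", 16, 4))
    print(same_subnet("172.16.35.7", "172.16.40.9", 16, 4))   # both in 172.16.32.0/20
    print(same_subnet("172.16.35.7", "172.16.50.1", 16, 4))   # 172.16.50.1 is in 172.16.48.0/20
    print(subnet_cidrs("172.16.0.0/16", 4)[:3])
```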