Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 6
Network Security
Objectives
• List the different types of network security devices
and explain how they can be used
• Define network address translation and network
access control
• Explain how to enhance security through network
design
Security+ Guide to Network Security Fundamentals, Fourth Edition
2
Security Through Network Devices
• Not all applications designed, written with security
in mind
– Network must provide protection
• Networks with weak security invite attackers
• Aspects of building a secure network
– Network devices
– Network technologies
– Design of the network itself
Standard Network Devices
• Security features found in network hardware
– Provide basic level of security
• Open systems interconnection (OSI) model
– Network devices classified based on function
– Standards released in 1978, revised in 1983, still
used today
– Illustrates:
• How network device prepares data for delivery
• How data is handled once received
Standard Network Devices (cont’d.)
• OSI model breaks networking steps into seven
layers
– Each layer has different networking tasks
– Each layer cooperates with adjacent layers
Table 6-1 OSI reference model
Standard Network Devices (cont’d.)
• Hubs
– Connect multiple Ethernet devices together:
• To function as a single network segment
– Use twisted-pair copper or fiber-optic cables
– Work at Layer 1 of the OSI model
– Do not read data passing through them
– Ignorant of data source and destination
– Rarely used today because of inherent security vulnerability
Standard Network Devices (cont’d.)
• Switches
– Network switch connects network segments
– Operate at Data Link Layer (Layer 2)
– Determine which device is connected to each port
– Can forward frames sent to that specific device
• Or broadcast to all devices
– Use MAC address to identify devices
– Provide better security than hubs
Standard Network Devices (cont’d.)
• Network administrator should be able to monitor
network traffic
– Helps identify and troubleshoot network problems
• Traffic monitoring methods
– Port mirroring
– Network tap (test access point)
• Separate device installed between two network
devices
Figure 6-1 Port mirroring
© Cengage Learning 2012
Figure 6-2 Network tap
© Cengage Learning 2012
Table 6-2 Protecting the switch
Standard Network Devices (cont’d.)
• Routers
– Forward packets across computer networks
– Operate at Network Layer (Layer 3)
– Can be set to filter out specific types of network
traffic
• Load balancers
– Help evenly distribute work across a network
– Allocate requests among multiple devices
Standard Network Devices (cont’d.)
• Advantages of load-balancing technology
– Reduces probability of overloading a single server
– Optimizes bandwidth of network computers
– Reduces network downtime
• Load balancing is achieved through software or
hardware device (load balancer)
Standard Network Devices (cont’d.)
• Security advantages of load balancing
– Can stop attacks directed at a server or application
– Can detect and prevent denial-of-service attacks
– Some can deny attackers information about the
network
• Hide HTTP error pages
• Remove server identification headers from HTTP
responses
Network Security Hardware
• Specifically designed security hardware devices
– Greater protection than standard networking devices
• Firewalls
– Hardware-based network firewall inspects packets
– Can either accept or deny packet entry
– Usually located outside network security perimeter
Figure 6-3 Firewall location
© Cengage Learning 2012
Network Security Hardware (cont’d.)
• Firewall actions on a packet
– Allow (let packet pass through)
– Block (drop packet)
– Prompt (ask what action to take)
• Rule-based firewall settings
– Set of individual instructions to control actions
• Settings-based firewall
– Allows administrator to create parameters
Table 6-3 Rule for Web page transmission
Network Security Hardware (cont’d.)
• Methods of firewall packet filtering
– Stateless packet filtering
• Inspects incoming packet and permits or denies based
on conditions set by administrator
– Stateful packet filtering
• Keeps record of state of connection
• Makes decisions based on connection and conditions
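The difference between the two filtering methods, as an added example that is not from the textbook: the stateless rule set has no memory, so any inbound packet with source port 80 passes, while the stateful filter admits only replies to a connection an inside host actually opened. Addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" toward the Internet, "in" toward the protected LAN

INSIDE = "192.168.1.10"    # constructed LAN host
OUTSIDE = "203.0.113.5"    # constructed Internet web server

def stateless_filter(pkt):
    """Stateless packet filtering: each packet judged alone against the
    administrator's conditions (allow web traffic out, allow port-80 sources in).
    It cannot tell a genuine reply from an unsolicited packet that merely
    uses source port 80."""
    if pkt.direction == "out" and pkt.dport == 80:
        return "allow"
    if pkt.direction == "in" and pkt.sport == 80:
        return "allow"
    return "block"

class StatefulFilter:
    """Stateful packet filtering: remembers connections opened from inside
    and admits inbound packets only when they belong to one of them."""
    def __init__(self):
        # state table: (lan_ip, lan_port, remote_ip, remote_port)
        self.connections = set()

    def filter(self, pkt):
        if pkt.direction == "out" and pkt.dport == 80:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.direction == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.connections else "block"
        return "block"

def run_demo():
    """Same three packets through both filters; only the stateful one
    blocks the unsolicited inbound packet aimed at port 22."""
    outbound = Packet(INSIDE, 51000, OUTSIDE, 80, "out")
    reply = Packet(OUTSIDE, 80, INSIDE, 51000, "in")
    unsolicited = Packet(OUTSIDE, 80, INSIDE, 22, "in")
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.filter(p) for p in (outbound, reply, unsolicited)],
    }
```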
Network Security Hardware (cont’d.)
• Web application firewall
– Looks deeply into packets that carry HTTP traffic
• Web browsers
• FTP
• Telnet
– Can block specific sites or specific known attacks
– Can block XSS and SQL injection attacks
Network Security Hardware (cont’d.)
• Proxies
– Devices that substitute for primary devices
• Proxy server
– Computer or application that intercepts and
processes user requests
– If a previous request has been fulfilled:
• Copy of the Web page may reside in proxy server’s
cache
– If not, proxy server requests item from external Web
server using its own IP address
Figure 6-4 Proxy server
© Cengage Learning 2012
Figure 6-5 Configuring access to proxy servers
© Cengage Learning 2012
Network Security Hardware (cont’d.)
• Proxy server advantages
– Increased speed (requests served from the cache)
– Reduced costs (cache reduces bandwidth required)
– Improved management
• Block specific Web pages or sites
– Stronger security
• Intercept malware
• Hide client system’s IP address from the open Internet
Network Security Hardware (cont’d.)
• Reverse proxy
– Does not serve clients
– Routes incoming requests to correct server
– Reverse proxy’s IP address is visible to outside
users
• Internal server’s IP address hidden
Figure 6-6 Reverse proxy
© Cengage Learning 2012
Network Security Hardware (cont’d.)
• Spam filters
– Enterprise-wide spam filters block spam before it
reaches the host
• Email systems use two protocols
– Simple Mail Transfer Protocol (SMTP)
• Handles outgoing mail
– Post Office Protocol (POP)
• Handles incoming mail
Network Security Hardware (cont’d.)
• Spam filters installed with the SMTP server
– Filter configured to listen on port 25
– Pass non-spam e-mail to SMTP server listening on
another port
– Method prevents SMTP server from notifying
spammer of failed message delivery
Figure 6-7 Spam filter with SMTP server
© Cengage Learning 2012
Network Security Hardware (cont’d.)
• Spam filters installed on the POP3 server
– All spam must first pass through SMTP server and
be delivered to user’s mailbox
– Can result in increased costs
• Storage, transmission, backup, deletion
• Third-party entity contracted to filter spam
– All email directed to third-party’s remote spam filter
– E-mail cleansed before being redirected to
organization
Figure 6-8 Spam filter on POP3 server
© Cengage Learning 2012
Network Security Hardware (cont’d.)
• Virtual private network (VPN)
– Uses unsecured network as if it were secure
– All data transmitted between remote device and
network is encrypted
• Types of VPNs
– Remote-access
• User to LAN connection
– Site-to-site
• Multiple sites can connect to other sites over the
Internet
Network Security Hardware (cont’d.)
• Endpoints
– Used in communicating VPN transmissions
– May be software on local computer
– May be VPN concentrator (hardware device)
– May be integrated into another networking device
• VPNs can be software-based or hardware-based
– Hardware-based generally have better security
– Software-based have more flexibility in managing
network traffic
Network Security Hardware (cont’d.)
• Internet content filters
– Monitor Internet traffic
– Block access to preselected Web sites and files
– Unapproved sites identified by URL or matching
keywords
Table 6-4 Internet content filter features
Network Security Hardware (cont’d.)
• Web security gateways
– Can block malicious content in real time
– Block content through application level filtering
• Examples of blocked Web traffic
– ActiveX objects
– Adware, spyware
– Peer to peer file sharing
– Script exploits
Network Security Hardware (cont’d.)
• Passive and active security can be used in a
network
– Active measures provide higher level of security
• Passive measures
– Firewall
– Internet content filter
• Intrusion detection system (IDS)
– Active security measure
– Can detect attack as it occurs
Network Security Hardware (cont’d.)
• Monitoring methodologies
– Anomaly-based monitoring
• Compares current detected behavior with baseline
– Signature-based monitoring
• Looks for well-known attack signature patterns
– Behavior-based monitoring
• Detects abnormal actions by processes or programs
• Alerts user who decides whether to allow or block
activity
– Heuristic monitoring
• Uses experience-based techniques
Table 6-5 Methodology comparisons to trap port-scanning application
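Signature-based and anomaly-based monitoring applied to the port-scanning scenario of Table 6-5, as an added example that is not from the textbook. The connection log, hosts and thresholds are constructed; the signature detector uses a fixed "many distinct ports from one source" pattern, while the anomaly detector learns a baseline from the earlier traffic and flags deviations from it.

```python
from collections import defaultdict
import statistics

# Constructed connection log, one entry per new connection:
# (second, source IP, destination IP, destination port). Not real data.
LOG = [
    (0, "10.0.0.5", "10.0.0.20", 443), (1, "10.0.0.6", "10.0.0.20", 80),
    (2, "10.0.0.5", "10.0.0.20", 80),  (6, "10.0.0.6", "10.0.0.20", 443),
    (7, "10.0.0.5", "10.0.0.20", 443), (8, "10.0.0.7", "10.0.0.20", 22),
    # second 10: one source touches ten different ports on one host
] + [(10, "10.0.0.9", "10.0.0.20", p) for p in (21, 22, 23, 25, 80, 110, 139, 443, 445, 3389)]

def ports_per_window(log, window):
    """Distinct destination ports each source touched in each time window."""
    seen = defaultdict(set)
    for sec, src, _dst, port in log:
        seen[(src, sec // window)].add(port)
    return seen

def signature_based(log, window=5, threshold=10):
    """Signature-based: a well-known pattern with a fixed threshold. A source
    touching >= threshold distinct ports inside one window is flagged, no matter
    what this network's normal traffic looks like."""
    seen = ports_per_window(log, window)
    return sorted({src for (src, _w), ports in seen.items() if len(ports) >= threshold})

def anomaly_based(log, baseline_end=10, window=5, k=3.0):
    """Anomaly-based: build a baseline from the windows before `baseline_end`
    seconds, then flag any source whose per-window distinct-port count exceeds
    mean + k * stdev of that baseline."""
    seen = ports_per_window(log, window)
    baseline = [len(p) for (_s, w), p in seen.items() if (w + 1) * window <= baseline_end]
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0   # floor so a flat baseline still works
    limit = mean + k * stdev
    return sorted({src for (src, w), p in seen.items()
                   if w * window >= baseline_end and len(p) > limit})
```

A slower probe of five ports stays under the signature threshold but still exceeds the learned baseline, which is the trade-off between the two methods the table compares.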
Network Security Hardware (cont’d.)
• Host intrusion detection system (HIDS)
– Software-based application that can detect attack as
it occurs
– Installed on each system needing protection
– Monitors system calls and file system access
– Can recognize unauthorized Registry modification
– Monitors all input and output communications
• Detects anomalous activity
Network Security Hardware (cont’d.)
• Disadvantages of HIDS
– Cannot monitor network traffic that does not reach
local system
– All log data is stored locally
– Resource-intensive and can slow system
Network Security Hardware (cont’d.)
• Network intrusion detection system (NIDS)
– Watches for attacks on the network
– NIDS sensors installed on firewalls and routers:
• Gather information and report back to central device
– Passive NIDS will sound an alarm
– Active NIDS will sound alarm and take action
• Actions may include filtering out intruder’s IP address
or terminating TCP session
Table 6-6 NIDS evaluation techniques
Network Security Hardware (cont’d.)
• Network intrusion prevention system (NIPS)
– Similar to active NIDS
– Monitors network traffic to immediately block a
malicious attack
– NIPS sensors located in line on firewall itself
Network Security Hardware (cont’d.)
• All-in-one network security appliances
– One integrated device replaces multiple security
devices
• Recent trend:
– Combining multipurpose security appliances with
traditional device such as a router
– Advantage of approach
• Network devices already process all packets
• Switch that contains anti-malware software can
inspect all packets
Security Through Network Technologies
• Internet routers normally drop packets with a private address
• Network address translation (NAT)
– Allows private IP addresses to be used on the public
Internet
– Replaces private IP address with public address
• Port address translation (PAT)
– Variation of NAT
• Outgoing packets given same IP address but different
TCP port number
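NAT with port address translation, as an added example that is not from the textbook: two inside hosts using the same local port share one public address and are told apart by the translated port, replies are mapped back through the same table, and an inbound packet with no matching entry has nowhere to go. The RFC 1918 private ranges are a known fact; the public address, inside hosts and port numbers are constructed.

```python
import ipaddress
from itertools import count

# RFC 1918 private ranges: addresses Internet routers will not forward.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_IP = "198.51.100.7"   # constructed public address of the NAT/PAT router

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)

class PortAddressTranslator:
    """PAT: every inside host shares one public IP; each flow gets its own public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def translate_out(self, src_ip, src_port):
        """Rewrite the source of an outgoing packet; returns (public_ip, public_port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.out_map:          # reuse the mapping for an existing flow
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[port] = key
        return self.public_ip, self.out_map[key]

    def translate_in(self, dst_port):
        """Map a reply arriving at the public address back to the inside host, or
        None when no inside host created that mapping (unsolicited inbound packet)."""
        return self.in_map.get(dst_port)

def run_demo():
    pat = PortAddressTranslator(PUBLIC_IP)
    # Two inside hosts happen to use the same local port toward the same server;
    # PAT keeps them apart by handing each a different public port.
    a = pat.translate_out("192.168.1.10", 51000)
    b = pat.translate_out("192.168.1.11", 51000)
    return {"a": a, "b": b,
            "reply_to_a": pat.translate_in(a[1]), "reply_to_b": pat.translate_in(b[1]),
            "unsolicited": pat.translate_in(45000),
            "inside_is_private": is_private("192.168.1.10"),
            "public_is_private": is_private(PUBLIC_IP)}
```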
Table 6-7 Private IP addresses
Figure 6-9 Network address translation (NAT)
© Cengage Learning 2012
Security Through Network Technologies (cont’d.)
• Advantages of NAT
– Masks IP addresses of internal devices
– Allows multiple devices to share smaller number of
public IP addresses
• Network access control
– Examines current state of system or network device:
• Before allowing network connection
– Device must meet set of criteria
• If not met, NAC allows connection to quarantine
network until deficiencies corrected
Figure 6-10 Network access control framework
© Cengage Learning 2012
Security Through Network Design Elements
• Elements of a secure network design
– Demilitarized zones
– Subnetting
– Virtual LANs
– Remote access
Demilitarized Zone (DMZ)
• Separate network located outside secure network
perimeter
• Untrusted outside users can access DMZ but not
secure network
Figure 6-11 DMZ with one firewall
© Cengage Learning 2012
Figure 6-12 DMZ with two firewalls
© Cengage Learning 2012
Subnetting
• IP address may be split anywhere within its 32 bits
• Network can be divided into three parts
– Network
– Subnet
– Host
• Each network can contain several subnets
• Each subnet can contain multiple hosts
Subnetting (cont’d.)
• Improves network security by isolating groups of
hosts
• Allows administrators to hide internal network
layout
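The network / subnet / host split of the 32 address bits and the isolation it buys, as an added example that is not from the textbook: a /16 network is carved into /20 subnets, a host is placed in its subnet, and two hosts are checked for whether they share one (and so can reach each other without crossing a router). The address block and hosts are constructed.

```python
import ipaddress

def split_network(network, subnet_prefix):
    """Divide `network` into equal subnets and report how the 32 bits are
    split into network, subnet and host portions."""
    net = ipaddress.ip_network(network)
    subnets = list(net.subnets(new_prefix=subnet_prefix))
    return {
        "network_bits": net.prefixlen,
        "subnet_bits": subnet_prefix - net.prefixlen,
        "host_bits": 32 - subnet_prefix,
        "subnet_count": len(subnets),
        "hosts_per_subnet": subnets[0].num_addresses - 2,  # minus network and broadcast
        "subnets": [str(s) for s in subnets],
    }

def subnet_of(host, network, subnet_prefix):
    """Return the subnet (as a string) that `host` falls into."""
    net = ipaddress.ip_network(network)
    addr = ipaddress.ip_address(host)
    return str(next(s for s in net.subnets(new_prefix=subnet_prefix) if addr in s))

def same_subnet(host_a, host_b, subnet_prefix):
    """Hosts in different subnets are isolated from each other at Layer 2:
    traffic between them must pass a router, where it can be filtered."""
    a_net = ipaddress.ip_network(f"{host_a}/{subnet_prefix}", strict=False)
    return ipaddress.ip_address(host_b) in a_net

def run_demo():
    info = split_network("172.16.0.0/16", 20)
    return {
        "layout": (info["network_bits"], info["subnet_bits"], info["host_bits"]),
        "subnet_count": info["subnet_count"],
        "hosts_per_subnet": info["hosts_per_subnet"],
        "host_subnet": subnet_of("172.16.37.9", "172.16.0.0/16", 20),
        "same_as_40_1": same_subnet("172.16.37.9", "172.16.40.1", 20),
        "same_as_50_1": same_subnet("172.16.37.9", "172.16.50.1", 20),
    }
```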
Table 6-8 Advantages of subnetting
Figure 6-13 Subnets
© Cengage Learning 2012
Virtual LANs (VLAN)
• Allow scattered users to be logically grouped
together:
– Even if attached to different switches
• Can isolate sensitive data to VLAN members
• Communication on a VLAN
– If connected to same switch, switch handles packet
transfer
– Special “tagging” protocol used for communicating
between switches
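The slide names only a "special tagging protocol"; the one in common use between switches is IEEE 802.1Q. This added example, not from the textbook, builds and parses an 802.1Q-tagged frame and applies the rule that keeps a frame inside its VLAN when a switch forwards it. MAC addresses, port numbers and VLAN IDs are constructed.

```python
import struct

TPID_8021Q = 0x8100       # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def build_tagged_frame(dst_mac, src_mac, vlan_id, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Ethernet frame with an 802.1Q tag inserted after the source MAC.
    Tag = TPID (2 bytes) + TCI (2 bytes: 3-bit priority, 1-bit DEI, 12-bit VLAN ID)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vlan_id                 # DEI bit left clear
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def build_untagged_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """VLAN ID (None if untagged), priority, inner EtherType and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}
    return {"vlan": None, "pcp": None, "ethertype": ethertype, "payload": frame[14:]}

def forward_ports(frame, ingress_port, port_vlans, trunk_ports):
    """Switch forwarding decision: a frame never leaves its VLAN. Tagged frames
    are accepted only from trunk ports (inter-switch links); an untagged frame
    takes the VLAN of the access port it arrived on. Returns the ports the frame
    may be flooded to, never including the port it came in on."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        vlan = port_vlans[ingress_port]
    elif ingress_port in trunk_ports:
        vlan = info["vlan"]
    else:
        return []                               # tagged frame on an access port: drop
    access = [p for p, v in port_vlans.items() if v == vlan and p != ingress_port]
    trunks = [p for p in trunk_ports if p != ingress_port]   # trunks carry every VLAN
    return sorted(access) + sorted(trunks)

# Constructed switch: access ports 1-4 in VLANs 10 and 20, port 24 is the trunk.
PORT_VLANS = {1: 10, 2: 20, 3: 10, 4: 20}
TRUNK_PORTS = {24}
```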
Remote Access
• Working away from the office commonplace today
– Telecommuters
– Traveling sales representatives
– Traveling workers
• Strong security for remote workers must be
maintained
– Transmissions are routed through networks not
managed by the organization
• Provides same functionality as local users
– Through VPN or dial-up connection
Summary
• Standard network security devices provide a
degree of security
– Hubs, switches, routers, load balancers
• Hardware devices specifically designed for security
give higher protection level
– Hardware-based firewall, Web application firewall
• Proxy server intercepts and processes user
requests
• Virtual private network uses unsecured public
network and encryption to provide security
Summary (cont’d.)
• Intrusion detection system designed to detect
attack as it occurs
• Network technologies can help secure a network
– Network address translation
– Network access control
• Methods for designing a secure network
– Demilitarized zones
– Virtual LANs