Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Computer network wikipedia , lookup
Deep packet inspection wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Zero-configuration networking wikipedia , lookup
Network tap wikipedia , lookup
Airborne Networking wikipedia , lookup
Computer security wikipedia , lookup
Wireless security wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Network Security ITEC 370 George Vaughan Franklin University 1 Sources for Slides • Material in these slides comes primarily from course text, Guide to Networking Essentials,Tomsho, Tittel, Johnson (2007). • Other sources are cited in line and listed in reference section. 2 TCP/IP and OSI Models TCP/IP and OSI Models (OSI-Model, n.d.) and (Tomsho, 2007) TCP/IP Layers Application PDU Data OSI Layers 7 Application 6 5 Transport Segments 4 Network Packets 3 Link Frames 2 Function Network process to application, Initiates or accepts a request to transfer data Presentation Adds formatting, display, and encryption of information Session Adds communication session control information, Login/Logout Transport Adds End-to-end connections and reliability, re-sequencing, flow control Network Path determination and logical addressing (IP), translates MAC address to logical address LLC Data Adds error checking and physical Link addressing (MAC & LLC) Devices - Apps Browsers, servers, Gateways Gateways DNS, Gateways Gateways Routers Switches, Bridges, NICs Standards HTTP, SNMP, FTP, Telnet ASCII, MPEG, SSH, SSL NetBIOS TCP, UDP IP, ICMP, ARP, NetBEUI, IPSec 802.3, 802.11, FDDI MAC Bits 1 Physical Media, signal and binary transmission, Hubs, sends data as a bit stream Repeaters 10Base-T, T1, E1 3 Developing a Network Security Policy Tomsho, Tittel, Johnson (2007) • A network security policy describes the rules governing access to a company’s information resources, the enforcement of those rules, and the steps taken if rules are breached – Should also describe the permissible use of those resources after they’re accessed – Should be easy for ordinary users to understand and reasonably easy to comply with – Should be enforceable – Should clearly state the objective of each policy so that everyone understands its purpose 4 Determining Elements of a Network Security Policy Tomsho, Tittel, Johnson (2007) • Elements (minimum for most networks) – Privacy policy – Acceptable use policy – Authentication policy – Internet use policy – Access policy – Auditing policy – Data protection • Security policy should protect organization legally • Security policy should be continual work in progress 5 Understanding Levels of Security Tomsho, Tittel, Johnson (2007) • Security doesn’t come without a cost • Before deciding on a level of security, answer: – What must be protected? – From whom should data be protected? – What costs are associated with security being breached and data being lost or stolen? – How likely is it that a threat will actually occur? – Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment? • Levels: highly restrictive, moderately restrictive, open 6 Highly Restrictive Security Policies Tomsho, Tittel, Johnson (2007) • Include features such as: – Data encryption, complex password requirements, detailed auditing and monitoring of computer and network access, intricate authentication methods, and policies that govern use of the Internet/e-mail • Might require third-party hardware and software • High implementation expense – High design and configuration costs for SW and HW – Staffing to support the security policies – Lost productivity (high learning curve for users) • Used when cost of a security breach is high 7 Moderately Restrictive Security Policies Tomsho, Tittel, Johnson (2007) • Most organizations can opt for this type of policy • Requires passwords, but not overly complex ones • Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity – Most NOSs contain authentication, monitoring, and auditing features to implement the required policies • Infrastructure can be secured with moderately priced offthe-shelf HW and SW (firewalls, ACLs) • Costs are primarily in initial configuration and support 8 Open Security Policies Tomsho, Tittel, Johnson (2007) • Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing • Makes sense for a small company with the primary goal of making access to network resources easy • Internet access should probably not be possible via the company LAN – If Internet access is available company-wide, a more restrictive policy is probably warranted • Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees 9 Common Elements of Security Policies Tomsho, Tittel, Johnson (2007) • Virus protection for servers and desktop computers is a must • There should be policies aimed at preventing viruses from being downloaded or spread • Backup procedures for all data that can’t be easily reproduced should be in place, and a disaster recovery procedure must be devised • Security is aimed not only at preventing improper use of or access to network resources, but also at safeguarding the company’s information 10 Securing Physical Access to the Network Tomsho, Tittel, Johnson (2007) • If there’s physical access to equipment, there is no security – A computer left alone with a user logged on is particularly vulnerable • If an administrator account is logged on, a person can even give his/her account administrator control – If no user is logged on • People could log on to the computer with their own accounts and access files to which they wouldn’t normally have access • Computer could be restarted and booted from removable media, bypassing the normal OS security • Computer or HDs could be stolen and later cracked 11 Physical Security Best Practices Tomsho, Tittel, Johnson (2007) • When planning your network, ensure that rooms are available to house servers and equipment – Rooms should have locks and be suitable for the equipment being housed • If a suitable room isn’t available, locking cabinets, freestanding or wall mounted, can be purchased to house servers and equipment in public areas • Wiring from workstations to wiring cabinets should be inaccessible to eavesdropping equipment • Physical security plan should include procedures for recovery from natural disasters (e.g., fire or flood) 12 Physical Security of Servers Tomsho, Tittel, Johnson (2007) • May be stashed away in lockable wiring closet along with switch to which the server is connected • Often require more tightly controlled environmental conditions than patch panels, hubs, and switches • Server rooms should be equipped with power that’s preferably on a circuit separate from other devices • If you must put servers accessible to people who should not have physical access to them, use locking cabinets – You can purchase rack-mountable servers • Make sure there is sufficient cooling. 13 Security of Internetworking Devices Tomsho, Tittel, Johnson (2007) • Routers and switches contain critical configuration information and perform essential network tasks – Internetworking devices, such as hubs, switches, and routers, should be given as much attention in terms of physical security as servers • A room with a lock is the best place for these devices • Wall-mounted enclosure with a lock is second best – Some cabinets come with a built-in fan or have a mounting hole for a fan – They also come with convenient channels for wiring • Make sure there is sufficient cooling. 14 Securing Access to Data Tomsho, Tittel, Johnson (2007) • Facets – Authentication and authorization – Encryption/decryption – Virtual Private Networks (VPNs) – Firewalls – Virus and worm protection – Spyware protection – Wireless security 15 Authentication and Authorization • Authentication – Forcing a party to prove their true identity – Login process, certificates, shared keys – Applies to both clients and servers • Authorization: – Only applies after party has been authenticated – Access Control (file permissions, Access Control Lists, etc.) 16 Implementing Secure Authentication and Authorization Tomsho, Tittel, Johnson (2007) • Administrators must control who has access to the network (authentication) and what logged on users can do to the network (authorization) – NOSs have tools to specify options and restrictions on how/when users can log on to network • Password complexity requirements • Logon hours • Logon locations • Remote logons, among others – File system access controls and user permission settings determine what a user can access on a network and what actions a user can perform 17 Configuring Password Requirements in a Windows Environment Tomsho, Tittel, Johnson (2007) • Specify if passwords are required for all users, how many characters a password must be, and whether they should meet certain complexity requirements • XP allows passwords up to 128 characters – Minimum of five to eight characters is typical – If minimum length is 0, blank passwords are allowed • Other options include Maximum/Minimum password age, and Enforce password history • When a user fails to enter a correct password, a policy can be set to lock the user account 18 Configuring Password Requirements in a Linux Environment Tomsho, Tittel, Johnson (2007) • Linux password configuration can be done globally or on a user-by-user basis • Options in a standard Linux Fedora Core 4 include maximum/minimum password age, and number of days’ warning a user has before password expires – Linux system must be using shadow passwords, a secure method of storing user passwords – Options can be set by editing /etc/login.defs • Use Pluggable Authentication Modules (PAM) to set other options like account lockout, password history, and complexity tests 19 Reviewing Password Dos and Don’ts Tomsho, Tittel, Johnson (2007) • Use a combination of uppercase letters, lowercase letters, and numbers • Include one or more special characters • Try using a phrase, e.g., NetW@rk1ng !s C00l • Don’t use passwords based on your logon name, family members’ names, or even your pet’s name • Don’t use common dictionary words unless they are part of a phrase • Don’t make your password so complex that you forget it or need to write it down somewhere 20 Authorizing Access to Files and Folders Tomsho, Tittel, Johnson (2007) • Windows OSs have two options for file security – Sharing permissions are applied to folders (and only folders) shared over the network • Don’t apply to files/folders if user is logged on locally • These are the only file security options available in a FAT or FAT32 file system – NTFS permissions allow administrators to assign permissions to files as well as folders • Apply to file access by a locally logged-on user too • Enable administrators to assign permissions to user accounts and group accounts • Six standard permissions are available for folders 21 Authorizing Access to Files and Folders (continued) Tomsho, Tittel, Johnson (2007) 22 Authorizing Access to Files and Folders (continued) Tomsho, Tittel, Johnson (2007) 23 Securing Data with Encryption Tomsho, Tittel, Johnson (2007) • Use encryption to safeguard data as it travels across the Internet and within the company network – Prevents somebody using eavesdropping technology, such as a packet sniffer, from capturing packets and using the data for malicious purposes • Data on disks can be secured with encryption 24 Using IPSec to Secure Network Data Tomsho, Tittel, Johnson (2007) • The most popular method for encrypting data as it travels network media is to use an extension to the IP protocol called IP Security (IPSec) – Establishes an association between two communicating devices • Association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates – After the communicating parties are authenticated, encrypted communication can commence 25 IPSec Wikipedia-IPSec (n.d). • IP Security • A set of protocols operating at the Network layer (layer 3). • 2 Modes – Transport Mode: • Only payload in packet is encrypted (header is not) • Host to Host communication – Tunnel Mode: • Entire IP packet is encrypted, including header • Encapsulated in another packet for routing across internet. • Network to Network communication 26 Securing Data on Disk • Windows allows data to be encrypted at the folder level – Can optional include subfolders – Based on owner of file – Groups of users can be defined • Linux allows data to be encrypted: – GPG (GNU Privacy Guard) from FSF. – GPG is available for Windows also 27 VPN Wikipedia-VPN • VPN – Virtual Private Network • A virtual (logical) private network running on top of a public network (e.g. Internet). • Useful for providing remote access without using dedicated lines. • 2 parts: ‘inside’ network which is trusted and ‘outside’ part which is not trusted. • VPN Server manages authentication • When active, all access from client to outside must pass through a firewall – makes client act as if it was in the ‘inside’ network. 28 Securing Communication with Virtual Private Networks Tomsho, Tittel, Johnson (2007) 29 VPN Benefits Tomsho, Tittel, Johnson (2007) • Advantages of using VPNs – Installing several modems on an RRAS server so that users can dial up the server directly isn’t necessary; instead, users can dial up any ISP – RRAS = Windows Routing and Remote Access Server. – Remote users can usually access an RRAS server by making only a local phone call, as long as they can access a local ISP – When broadband Internet connectivity is available (e.g., DSL, cable modem), remote users can connect to the corporate network at high speed, making remote computing sessions more productive • Additionally, VPNs save costs 30 Protecting Networks with Firewalls Tomsho, Tittel, Johnson (2007) • Firewall: HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules – Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources – If placed between Internet and corporate network, can restrict users’ access to Internet resources • Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI)) 31 Types of Firewalls Wikipedia-firewall (n.d.) • Packet Filter Firewall: – Stateless – Rules are static • Circuit Level Firewall: – Stateful – Can determine if packet is a new or part of an existing connection. • Application Layer Firewall: – Also known as proxy based firewalls 32 Using a Router as a Firewall Tomsho, Tittel, Johnson (2007) • A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets • Many routers have capabilities similar to firewalls – After a router is configured, by default, all packets are permitted both into and out of the network – Network administrator must create rules (access control lists) that deny certain types of packets • Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions 33 Using Intrusion Detection Systems Tomsho, Tittel, Johnson (2007) • An IDS usually works with a firewall or router with access control lists – A firewall protects a network from potential break-ins or DoS attacks, but an IDS must detect an attempted security breach and notify the network administrator – May be able to take countermeasures if an attack is in progress – Invaluable tool to help administrators know how often their network is under attack and devise security policies aimed at thwarting threats before they have a chance to succeed – Too many false positives will result in the IDS being ignored 34 NAT Wikipedia-NAT (n.d.) • Network Address Translation (IP-masquerading) • Router/Firewall replaces internal IP source address in IP packet with its own IP address when send packets out. • Router/Firewall reverses process for incoming packets. • Useful for hiding the Identify of real IP addresses behind the firewall • Can be used for IP address reuse – – – – – multiple machines share same IP address Common in home routers ISP assigns single public IP address Router maps to multiple private IP addresses TCP and UDP port numbers used for de-multiplexing 35 Using Network Address Translation to Improve Security Tomsho, Tittel, Johnson (2007) • A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world – Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network – An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief 36 Protecting a Network from Worms, Viruses, and Rootkits Tomsho, Tittel, Johnson (2007) • Malware is SW designed to cause harm/disruption to a computer system or perform activities on a computer without the consent of its owner – A virus spreads by replicating itself into other programs or documents – A worm is similar to a virus, but it doesn’t attach itself to another program – A backdoor is a program installed on a computer that permits access to the computer, bypassing the normal authentication process – To help prevent spread of malware, every computer should have virus-scanning software running 37 Protecting a Network from Worms, Viruses, and Rootkits (continued) Tomsho, Tittel, Johnson (2007) • A Trojan Horse program appears to be something useful, but in reality contains some type of malware • Rootkits are a form of Trojan programs that can monitor traffic to and from a computer, monitor keystrokes, and capture passwords – Used to hide files, programs form O.S. – Sony added rootkits to audio CDs to prevent copying • The hoax virus is one of the worst kinds of viruses – The flood of e-mail from people actually falling for the hoax is the virus! • Malware protection can be expensive; however, the loss of data and productivity that can occur when a network becomes infected is much more costly • Phishing – social engineering – E.g. fake (web) services used to collect sensitive data 38 Protecting a Network from Spyware and Spam Tomsho, Tittel, Johnson (2007) • Spyware: monitors/controls part of a computer at the expense of user’s privacy and to the gain of a third party – Is not usually self-replicating – Many anti-spyware programs are available, and some are bundled with popular antivirus programs • Spam is simply unsolicited e-mail – Theft of e-mail storage space, network bandwidth, and people’s time – Detection and prevention is an uphill battle • For every rule or filter anti-spam software places on an e-mail account, spammers find a way around them 39 Implementing Wireless Security Tomsho, Tittel, Johnson (2007), Wikipedia • Attackers who drive around looking for wireless LANs to intercept are called wardrivers • Wireless security methods – SSID (not easy to guess and not broadcast) • Service Set Identifier – identifies network – Wired Equivalency Protocol (WEP) • 1999 – Can be cracked in 2 minutes w available software – Wi-Fi Protected Access (WPA) • 2003 – Stronger than WEP. Not supported by all access points. – 802.11i • 2004 – same as WPA2, superset of WPA. – MAC address filtering • Access control list based on MAC address • You should also set policies: limit AP signal access, change encryption key regularly, etc. 40 Using a Cracker’s Tools to Stop Network Attacks Tomsho, Tittel, Johnson (2007) • If you want to design a good, solid network infrastructure, hire a security consultant who knows the tools of the cracker’s trade – A cracker (black hat) is someone who attempts to compromise a network or computer system for the purposes of personal gain or to cause harm – The term hacker has had a number of meanings throughout the years – White hats often use the term penetration tester for their consulting services 41 Discovering Network Resources Tomsho, Tittel, Johnson (2007) • Attackers use command-line utilities such as Ping, Traceroute, Finger, and Nslookup to get information about the network configuration and resources – Other tools used • Ping scanner: automated method for pinging a range of IP addresses • Port scanner: determines which TCP and UDP ports are available on a particular computer or device • Protocol analyzers are also useful for resource discovery because they allow you to capture packets and determine which protocol’s services are running 42 Disabling Network Resources Tomsho, Tittel, Johnson (2007) • A denial-of-service (DoS) attack is an attacker’s attempt to tie up network bandwidth or network services so that it renders those resources useless to legitimate users – Packet storms typically use the UDP protocol because it’s not connection oriented – Half-open SYN attacks use TCP’s handshake to tie up a server with invalid TCP sessions, thereby preventing real sessions from being created – In a ping flood, a program sends a large number of ping packets to a host 43 References Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston: Thompson Course Technology. Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide. Indianapolis: Cisco Press Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from http://en.wikipedia.org/wiki/OSI_Model Wikipedia-IPSec (n.d). IPsec. Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Ipsec Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Vpn Wikipedia-firewall (n.d.) Firewall (Networking). Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Firewall Wikipedia-NAT (n.d.) Network Address Translation. Retrieved 01/30/2007 from: http://en.wikipedia.org/wiki/Network_address_translation 44