Network Security Revisited
ITEC 370
George Vaughan, Franklin University

Sources for Slides
• Material in these slides comes primarily from the course text, Guide to Networking Essentials, Tomsho, Tittel, Johnson (2007).
• Other sources are cited in line and listed in the reference section.

TCP/IP and OSI Models (OSI-Model, n.d.) and (Tomsho, 2007)

TCP/IP layer | PDU      | OSI layer              | Function                                                                                   | Devices                             | Standards
Application  | Data     | 7 Application          | Network process to application; initiates or accepts a request to transfer data            | Apps, browsers, servers, gateways   | HTTP, SNMP, FTP, Telnet
Application  | Data     | 6 Presentation         | Adds formatting, display, and encryption of information                                    | Gateways                            | ASCII, MPEG, SSH, SSL
Application  | Data     | 5 Session              | Adds communication session control information (login/logout)                              | DNS, gateways                       | NetBIOS
Transport    | Segments | 4 Transport            | Adds end-to-end connections and reliability, re-sequencing, flow control                   | Gateways                            | TCP, UDP
Network      | Packets  | 3 Network              | Path determination and logical addressing (IP); translates MAC address to logical address  | Routers                             | IP, ICMP, ARP, NetBEUI, IPSec
Link         | Frames   | 2 Data Link (LLC, MAC) | Adds error checking and physical addressing (MAC & LLC)                                    | Switches, bridges, NICs             | 802.3, 802.11, FDDI
Link         | Bits     | 1 Physical             | Media, signal and binary transmission; sends data as a bit stream                          | Hubs, repeaters                     | 10Base-T, T1, E1

VPN (Wikipedia-VPN)
• VPN – Virtual Private Network
• A virtual (logical) private network running on top of a public network (e.g. the Internet).
• Useful for providing remote access without using dedicated lines.
• 2 parts:
  – ‘inside’ network, which is trusted
  – ‘outside’ part, which is not trusted
• VPN server manages authentication
• When active, all access from the client to the outside must pass through a firewall – makes the client act as if it were in the ‘inside’ network.

VPN Advantages and Disadvantages (Tomsho, Tittel, Johnson, 2007)
• Advantages:
  – Significantly cheaper than leasing private lines.
  – Usable almost anywhere in the world.
• Disadvantages:
  – Security risk if not properly configured
  – May be slower than leased lines (but often ‘fast enough’)

Transmission Using Leased Line
[Diagram: Machine 1 (M1) on LAN 1 sends a packet (IP Header Dest=M2 | Data) to Switch/Router 1 (R1); it crosses the WAN on a leased line ($) to Switch/Router 2 (R2) and is delivered on LAN 2 to Machine 2 (M2). The IP header is unchanged end to end, and the whole path is a trusted area.]

Terminology
• Encapsulation:
  – Act of placing a packet (header and data) inside the data section of another packet.
  – Similar to placing an envelope containing a letter inside another envelope (which may have a different address).
  – Sometimes the encapsulating packet is of a different protocol.
• Encryption:
  – The process of obscuring information
• Tunneling (Tunneling, 2005):
  – Also known as "port forwarding"
  – The transmission of data intended for use only within a private network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network.

Transmission Using VPN on Public Network
[Diagram: The VPN client on Machine 1 (M1, LAN 1) encapsulates and encrypts the original packet (IP Header Dest=M2 | Data) and wraps it inside a new packet with destination = VPN1 (IP Header Dest=VPN1 | IP Header Dest=M2 | Data). The new packet passes Switch/Router 1 (R1) and travels through the tunnel across the public Internet to the VPN Server/Firewall (VPN1), which de-encapsulates and decrypts the original packet and sets destination = M2. Switch/Router 2 (R2) then forwards it on LAN 2 to Machine 2 (M2). LAN 1 and LAN 2 are the trusted area; the public Internet is not.]

Examples of VPN Tunneling Protocols
• IPSec – IP Security
• PPTP – Point-to-Point Tunneling Protocol
• L2TP – Layer 2 Tunneling Protocol

IPSec (Wikipedia-IPSec, n.d.)
• IP Security
• A set of protocols operating at the Network layer (layer 3).
• Often used for LAN-to-LAN VPNs
• 2 modes
  – Transport Mode:
    • Only the payload of the packet is encrypted (the header is not)
    • Host-to-host communication
  – Tunnel Mode:
    • Entire IP packet is encrypted, including the header
    • Encapsulated in another packet for routing across the Internet.
    • Network-to-network communication
• Optional in IPv4, obligatory in IPv6

PPTP (Wikipedia-PPTP, n.d.)
• Often used for client-to-LAN VPNs.
• Establishes a regular PPP session with the peer
  – Uses the Generic Routing Encapsulation protocol (GRE)
• Establishes a second TCP session which is used to manage the GRE session
• First implemented by Cisco and later licensed to Microsoft.
• Easy to configure.
• First VPN protocol supported by Microsoft Dial-up Networking.

L2TP
• Often used for client-to-LAN VPNs.
• An extension of PPTP (Microsoft) and L2F (Cisco).
• Developed by Cisco
• Doesn’t require registered IP addresses
• Does not contain encryption.
• Often used in conjunction with IPSec.

Protecting Networks with Firewalls (Tomsho, Tittel, Johnson, 2007)
• Firewall: HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules
  – Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources
  – If placed between the Internet and the corporate network, can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI))

Types of Firewalls (Wikipedia-firewall, n.d.)
• Packet filter firewall:
  – Stateless
  – Rules are static
• Circuit-level firewall:
  – Stateful
  – Can determine whether a packet is new or part of an existing connection.
• Application-layer firewall:
  – Also known as proxy-based firewalls

Using a Router as a Firewall (Tomsho, Tittel, Johnson, 2007)
• A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
  – After a router is configured, by default, all packets are permitted both into and out of the network
  – Network administrator must create rules (access control lists) that deny certain types of packets
• Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions

NAT (Wikipedia-NAT, n.d.)
• Network Address Translation (IP masquerading)
• Router/firewall replaces the internal IP source address in the IP packet with its own IP address when sending packets out.
• Router/firewall reverses the process for incoming packets.
• Useful for hiding the identity of real IP addresses behind the firewall
• Can be used for IP address reuse
  – Multiple machines share the same IP address
  – Common in home routers
  – ISP assigns a single public IP address
  – Router maps to multiple private IP addresses

PAT (Wikipedia-NAT, n.d.)
• A variation of NAT is PAT (Port Address Translation)
• Port addresses can be used for multiplexing
• Using ports, a single external IP address can map up to 65,000 internal network addresses (as big as a class B network)

Using Network Address Translation to Improve Security (Tomsho, Tittel, Johnson, 2007)
• A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world
  – Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network
  – An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief

Implementing Wireless Security (Tomsho, Tittel, Johnson, 2007; Wikipedia)
• Attackers who drive around looking for wireless LANs to intercept are called wardrivers
• Wireless security methods
  – SSID (not easy to guess and not broadcast)
    • Service Set Identifier – identifies the network
  – Wired Equivalency Protocol (WEP)
    • 1999 – Can be cracked in 2 minutes with available software
  – Wi-Fi Protected Access (WPA)
    • 2003 – Stronger than WEP. Not supported by all access points.
  – 802.11i
    • 2004 – same as WPA2, superset of WPA.
  – MAC address filtering
    • Access control list based on MAC address
• You should also set policies: limit AP signal access, change encryption key regularly, etc.

References
Tomsho, Tittel, Johnson (2007). Guide to Networking Essentials. Boston: Thompson Course Technology.
Odom, Knott (2006). Networking Basics: CCNA 1 Companion Guide. Indianapolis: Cisco Press.
Tunneling (2005). Tunneling. Retrieved 03/26/2007 from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213230,00.html
Wikipedia (n.d.). OSI Model. Retrieved 09/12/2006 from http://en.wikipedia.org/wiki/OSI_Model
Wikipedia-IPSec (n.d.). IPsec. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Ipsec
Wikipedia-VPN (n.d.). Virtual Private Network. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Vpn
Wikipedia-firewall (n.d.). Firewall (Networking). Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Firewall
Wikipedia-NAT (n.d.). Network Address Translation. Retrieved 01/30/2007 from http://en.wikipedia.org/wiki/Network_address_translation
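Worked example for the "Terminology" and "Transmission Using VPN on Public Network" slides: the VPN client places the original packet (Dest=M2) in the data section of a new packet addressed to VPN1, and the VPN server strips it out again. This is example code added for this page, not from the slides or their sources; the IP addresses, the tunnel protocol number 99 and the pre-shared key are constructed, an HMAC over the inner packet stands in for the tunnel's integrity protection, and the slide's encryption step is deliberately left out.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
# Constructed addresses: the slide names the machines but gives no IPs.
M1, M2 = IPv4Address("10.1.0.5"), IPv4Address("10.2.0.9")                   # LAN 1 / LAN 2
VPN_CLIENT, VPN1 = IPv4Address("198.51.100.10"), IPv4Address("203.0.113.1")  # public side
PROTO_TCP, PROTO_TUNNEL = 6, 99       # 99: stand-in protocol number for the tunnel payload
TUNNEL_KEY = b"constructed pre-shared key"   # assumed agreed when the VPN server authenticated M1

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: IPv4Address, dst: IPv4Address, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); a header whose checksum fails is rejected."""
    if len(pkt) < 20 or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return IPv4Address(src), IPv4Address(dst), proto, pkt[20:total_len]

def vpn_client_encapsulate(inner: bytes) -> bytes:
    """Client side of slide 7: the original packet (Dest=M2) becomes the data section of a
    new packet with Dest=VPN1. The HMAC lets VPN1 detect tampering in transit; the slide's
    encryption step is left out so the encapsulation itself stays visible."""
    tag = hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()
    return ipv4_packet(VPN_CLIENT, VPN1, PROTO_TUNNEL, tag + inner)

def vpn_server_decapsulate(outer: bytes) -> bytes:
    """Server side of slide 7: strip the outer header, verify the tag, return the original
    packet for delivery on LAN 2. Anything failing a check is dropped (ValueError)."""
    _, dst, proto, payload = parse_ipv4(outer)
    if dst != VPN1 or proto != PROTO_TUNNEL:
        raise ValueError("not a tunnel packet for this server")
    tag, inner = payload[:32], payload[32:]
    if not hmac.compare_digest(tag, hmac.new(TUNNEL_KEY, inner, hashlib.sha256).digest()):
        raise ValueError("tunnel integrity check failed")
    if parse_ipv4(inner)[0] != M1:   # the tunnel carries only the authenticated client's inside address
        raise ValueError("inner source address not allowed through this tunnel")
    return inner
```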
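Worked example for the "Types of Firewalls" and "Using a Router as a Firewall" slides: an access control list built the way slide 14 describes (deny everything, then add exceptions), evaluated first as a stateless packet filter and then by a stateful (SPI) filter that remembers permitted outbound connections so their replies get back in. This is example code added for this page, not from the slides; the 192.168.1.0/24 network and the two permit rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True on the first segment of a new TCP connection

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (self.dport is None or p.dport == self.dport))

INSIDE = IPv4Network("192.168.1.0/24")   # constructed corporate LAN for this example
ANY = IPv4Network("0.0.0.0/0")

# Slide 14: start from "deny all", then add exceptions. First match wins; no match = deny.
ACL = [Rule("permit", INSIDE, ANY, 80), Rule("permit", INSIDE, ANY, 443)]

def stateless_filter(p: Packet) -> bool:
    """Packet-filter firewall (slide 13): each packet is judged alone against static rules."""
    for rule in ACL:
        if rule.matches(p):
            return rule.action == "permit"
    return False

class StatefulFilter:
    """Circuit-level / SPI firewall (slides 12-13): remembers permitted outbound connections
    so their replies are let back in without any inbound permit rule."""
    def __init__(self):
        self.connections = set()

    def allow(self, p: Packet) -> bool:
        if stateless_filter(p):
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Only the reverse direction of a known connection passes, never an outside SYN.
        return (p.dst, p.dport, p.src, p.sport) in self.connections and not p.syn
```

The stateless filter has no rule for the return path, so it would need a broad inbound permit to make web browsing work at all; the stateful filter gets the same result from its connection table.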
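Worked example for the NAT, PAT and "Using Network Address Translation to Improve Security" slides: a minimal port address translator that rewrites outbound source IP:port to the single public address, reverses the mapping for replies, and drops inbound packets that match no existing mapping. This is example code added for this page, not from the slides; the addresses and the port range are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Addressing of one packet: source IP:port and destination IP:port (TCP or UDP)."""
    src: str
    sport: int
    dst: str
    dport: int

class PatRouter:
    """Port address translation (slides 15-17): many inside hosts share one public IP,
    told apart by the port the router allocates on the outside."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}   # (inside src, sport, dst, dport) -> allocated public port
        self.in_table = {}    # (public port, remote ip, remote port) -> (inside src, sport)

    def outbound(self, f: Flow) -> Flow:
        """Slide 15: replace the internal source address with the router's own, plus a
        unique port so two inside hosts using the same source port do not collide."""
        key = (f.src, f.sport, f.dst, f.dport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(self.public_ip, self.out_table[key], f.dst, f.dport)

    def inbound(self, f: Flow):
        """Slides 15 and 17: reverse the mapping for a reply; with no mapping the packet
        is dropped (None), so an outside host cannot initiate a conversation inward."""
        if f.dst != self.public_ip:
            return None   # private addresses are not reachable from outside at all
        hit = self.in_table.get((f.dport, f.src, f.sport))
        if hit is None:
            return None
        inside_ip, inside_port = hit
        return Flow(f.src, f.sport, inside_ip, inside_port)
```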