Guide to Networking Essentials
Fifth Edition
Chapter 10
Introduction to Network Security
Objectives
• Develop a network security policy
• Secure physical access to network equipment
• Secure network data
• Use tools to find network security weaknesses
Guide to Networking Essentials, Fifth Edition
2
Network Security Overview and
Policies
• Perceptions of network security vary depending on:
– People
– Industry
• Network security should be as unobtrusive as
possible, allowing network users to concentrate on
the tasks they want to accomplish, rather than how
to get to the data they need to perform those tasks
• A company that can demonstrate its information
systems are secure is more likely to attract
customers, partners, and investors
Developing a Network Security Policy
• A network security policy describes the rules
governing access to a company’s information
resources, the enforcement of those rules, and the
steps taken if rules are breached
– Should also describe the permissible use of those
resources after they’re accessed
– Should be easy for ordinary users to understand and
reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so
that everyone understands its purpose
Determining Elements of a Network
Security Policy
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• Security policy should protect organization legally
• Security policy should be a continual work in progress
Understanding Levels of Security
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being
breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users
to use a secure network outweighed by the need to
provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive,
open
Highly Restrictive Security Policies
• Include features such as:
– Data encryption, complex password requirements,
detailed auditing and monitoring of computer and
network access, intricate authentication methods,
and policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when cost of a security breach is high
Moderately Restrictive Security
Policies
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts,
network resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and
auditing features to implement the required policies
• Infrastructure can be secured with moderately
priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and
support
Open Security Policies
• Policy might have simple or no passwords,
unrestricted access to resources, and probably no
monitoring and auditing
• Makes sense for a small company with the primary
goal of making access to network resources easy
• Internet access should probably not be possible via
the company LAN
– If Internet access is available company-wide, a more
restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on
individual workstations that are backed up regularly
and are physically inaccessible to other employees
Common Elements of Security Policies
• Virus protection for servers and desktop computers
is a must
• There should be policies aimed at preventing
viruses from being downloaded or spread
• Backup procedures for all data that can’t be easily
reproduced should be in place, and a disaster
recovery procedure must be devised
• Security is aimed not only at preventing improper
use of or access to network resources, but also at
safeguarding the company’s information
Securing Physical Access to the
Network
• If there’s physical access to equipment, there is no
security
– A computer left alone with a user logged on is
particularly vulnerable
• If an administrator account is logged on, a person can
even give his/her account administrator control
– If no user is logged on
• People could log on to the computer with their own
accounts and access files to which they wouldn’t
normally have access
• Computer could be restarted and booted from
removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked
Physical Security Best Practices
• When planning your network, ensure that rooms are
available to house servers and equipment
– Rooms should have locks and be suitable for the
equipment being housed
• If a suitable room isn’t available, locking cabinets,
freestanding or wall mounted, can be purchased to
house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should
be inaccessible to eavesdropping equipment
• Physical security plan should include procedures for
recovery from natural disasters (e.g., fire or flood)
Physical Security of Servers
• May be stashed away in lockable wiring closet
along with switch to which the server is connected
• Often require more tightly controlled environmental
conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s
preferably on a circuit separate from other devices
• If servers must be placed where people who should
not have physical access to them can reach them, use
locking cabinets
– You can purchase rack-mountable servers
Security of Internetworking Devices
• Routers and switches contain critical configuration
information and perform essential network tasks
– Internetworking devices, such as hubs, switches,
and routers, should be given as much attention in
terms of physical security as servers
• A room with a lock is the best place for these
devices
• Wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a
mounting hole for a fan
– They also come with convenient channels for wiring
Securing Access to Data
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security
Implementing Secure Authentication
and Authorization
• Administrators must control who has access to the
network (authentication) and what logged on
users can do to the network (authorization)
– NOSs have tools to specify options and restrictions
on how/when users can log on to network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission
settings determine what a user can access on a
network and what actions a user can perform
Configuring Password Requirements
in a Windows Environment
• Specify if passwords are required for all users, how
many characters a password must be, and whether
they should meet certain complexity requirements
• XP allows passwords up to 128 characters
– Minimum of five to eight characters is typical
– If minimum length is 0, blank passwords are allowed
• Other options include Maximum/Minimum
password age, and Enforce password history
• When a user fails to enter a correct password, a
policy can be set to lock the user account
Configuring Password Requirements
in a Windows Environment (continued)
Configuring Password Requirements
in a Linux Environment
• Linux password configuration can be done globally
or on a user-by-user basis
• Options in a standard Fedora Core 4 Linux installation
include maximum/minimum password age, and the number
of days’ warning a user gets before a password expires
– Linux system must be using shadow passwords, a
secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to
set other options like account lockout, password
history, and complexity tests
Reviewing Password Dos and Don’ts
• Use a combination of uppercase letters, lowercase
letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name,
family members’ names, or even your pet’s name
• Don’t use common dictionary words unless they
are part of a phrase
• Don’t make your password so complex that you
forget it or need to write it down somewhere
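The dos and don’ts on this slide, together with the length limits from the Windows and Linux slides, expressed as a policy check. This is an added example, not code from the textbook; the 8-character minimum, the letter-for-symbol substitution table and the small word list are assumptions.

```python
import re

# Assumed policy values: the slides give 5 to 8 characters as a typical minimum and
# 128 as the Windows XP maximum. The word list stands in for a real dictionary.
MIN_LENGTH = 8
MAX_LENGTH = 128
COMMON_WORDS = {"password", "network", "welcome", "summer", "dragon", "monkey"}


def strip_lookalikes(text):
    """Undo common letter-for-symbol substitutions so 'P@ssw0rd' is checked as 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"})
    return text.translate(table).lower()


def check_password(password, logon_name, personal_names=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be between {MIN_LENGTH} and {MAX_LENGTH} characters")
    # Do: mix uppercase letters, lowercase letters and numbers, plus a special character.
    if not re.search(r"[A-Z]", password):
        problems.append("missing an uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("missing a lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("missing a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a special character")
    # Don't: base the password on the logon name or on family or pet names.
    normalized = strip_lookalikes(password)
    for name in (logon_name, *personal_names):
        if name and name.lower() in normalized:
            problems.append(f"contains the name '{name}'")
    # Don't: use a dictionary word unless it is part of a phrase (more than one word).
    words = re.findall(r"[a-z]+", normalized)
    if len(words) == 1 and words[0] in COMMON_WORDS:
        problems.append("is a single dictionary word with simple substitutions")
    return problems


if __name__ == "__main__":
    # The slide's own phrase passes; a disguised dictionary word does not.
    print(check_password("NetW@rk1ng !s C00l", "jsmith"))
    print(check_password("P@ssw0rd", "jsmith"))
```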
Restricting Logon Hours and Logon
Location
Restricting Logon Hours and Logon
Location (continued)
Authorizing Access to Files and
Folders
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and
only folders) shared over the network
• Don’t apply to files/folders if user is logged on locally
• These are the only file security options available in a
FAT or FAT32 file system
– NTFS permissions allow administrators to assign
permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to user
accounts and group accounts
• Six standard permissions are available for folders
Authorizing Access to Files and
Folders (continued)
Authorizing Access to Files and
Folders (continued)
Securing Data with Encryption
• Use encryption to safeguard data as it travels
across the Internet and within the company
network
– Prevents somebody using eavesdropping
technology, such as a packet sniffer, from capturing
packets and using the data for malicious purposes
• Data on disks can be secured with encryption
Using IPSec to Secure Network Data
• The most popular method for encrypting data as it
travels network media is to use an extension to the
IP protocol called IP Security (IPSec)
– Establishes an association between two
communicating devices
• Association is formed by two devices authenticating
their identities via a preshared key, Kerberos
authentication, or digital certificates
– After the communicating parties are authenticated,
encrypted communication can commence
Using IPSec to Secure Network Data
(continued)
Using IPSec to Secure Network Data
(continued)
Securing Data on Disk Drives
Securing Communication with Virtual
Private Networks
VPNs in a Windows Environment
• Windows supports a special TCP/IP protocol called
Point-to-Point Tunneling Protocol (PPTP)
– A user running Windows can dial up a Windows
server when it’s running RRAS
– A VPN could be established permanently across the
Internet by leasing dedicated lines at each end of a
two-way link and maintaining ongoing PPTP-based
communications across that dedicated link
• Starting with Windows 2000, Windows supports
Layer 2 Tunneling Protocol (L2TP)
– Supports advanced authentication and encryption
– Requires Windows machines on both sides
VPNs in Other OS Environments
• Linux implementations of VPNs typically use PPTP or IPSec;
an L2TP implementation is now available
• One of the most popular VPN solutions for Linux is a free
downloadable package called OpenSwan
• Novell NetWare provides VPN server connections to
corporate networks for VPN clients
• Mac OS 9 and later supports VPN client connections to
Windows (using PPTP or IPSec)
• One method of providing VPN services to connect remote
sites is to use routers with VPN capability to form a router-to-router VPN connection
VPN Benefits
• Advantages of using VPNs
– Installing several modems on an RRAS server so
that users can dial up the server directly isn’t
necessary; instead, users can dial up any ISP
– Remote users can usually access an RRAS server
by making only a local phone call, as long as they
can access a local ISP
– When broadband Internet connectivity is available
(e.g., DSL, cable modem), remote users can connect
to the corporate network at high speed, making
remote computing sessions more productive
• Additionally, VPNs save costs
Protecting Networks with Firewalls
• Firewall: HW device or SW program that inspects
packets going into or out of a network or computer,
and then discards/forwards them based on rules
– Protects against outside attempts to access
unauthorized resources, and against malicious
network packets intended to disable or cripple a
corporate network and its resources
– If placed between Internet and corporate network,
can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a
packet (stateful packet inspection (SPI))
Using a Router as a Firewall
• A firewall is just a router with specialized SW that
facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets
are permitted both into and out of the network
– Network administrator must create rules (access
control lists) that deny certain types of packets
• Typically, an administrator builds access control lists
so that all packets are denied, and then creates rules
that make exceptions
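An added example, not from the textbook, of the default-deny access list with exceptions described on this slide combined with the stateful packet inspection mentioned under "Protecting Networks with Firewalls": reply traffic for a flow the LAN initiated is permitted by connection state, while an unsolicited inbound packet falls through to the implicit deny. The rule set, addresses and packet fields are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"
    inbound: bool  # True when the packet arrives from the Internet side


# Constructed access control list: (direction, protocol, destination port, action),
# checked top to bottom. Anything that matches no rule is denied.
ACL = [
    ("out", "tcp", 80, "permit"),   # web browsing from the LAN
    ("out", "tcp", 443, "permit"),
    ("out", "udp", 53, "permit"),   # DNS lookups from the LAN
    ("in", "tcp", 25, "permit"),    # exception: the mail server accepts SMTP from outside
]


class StatefulFilter:
    def __init__(self, acl):
        self.acl = acl
        self.flows = set()  # flows already permitted, keyed from the inside host's view

    @staticmethod
    def flow_key(pkt):
        """Normalize a packet to (inside_ip, inside_port, outside_ip, outside_port, proto)."""
        if pkt.inbound:
            return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def match_acl(self, pkt):
        """First matching rule wins; no match means the implicit default deny."""
        direction = "in" if pkt.inbound else "out"
        for rule_dir, proto, port, action in self.acl:
            if (rule_dir, proto, port) == (direction, pkt.proto, pkt.dst_port):
                return action
        return "deny"

    def filter(self, pkt):
        """Return 'permit' or 'deny' for one packet, recording newly permitted flows."""
        key = self.flow_key(pkt)
        # Stateful inspection: replies for a flow already allowed need no rule of their own.
        if key in self.flows:
            return "permit"
        action = self.match_acl(pkt)
        if action == "permit":
            self.flows.add(key)
        return action


def run_demo():
    """Constructed traffic: LAN host 192.168.1.10 browses; an outsider probes and sends mail."""
    fw = StatefulFilter(ACL)
    trace = [
        Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", inbound=False),  # LAN -> web
        Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", inbound=True),   # web reply
        Packet("198.51.100.9", 40000, "192.168.1.10", 445, "tcp", inbound=True),  # unsolicited
        Packet("198.51.100.9", 40001, "192.168.1.20", 25, "tcp", inbound=True),   # SMTP exception
        Packet("192.168.1.10", 51001, "203.0.113.5", 23, "tcp", inbound=False),   # telnet out
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(run_demo())
```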
Using Intrusion Detection Systems
• An IDS usually works with a firewall or router with
access control lists
– A firewall protects a network from potential break-ins
or DoS attacks, but an IDS must detect an attempted
security breach and notify the network administrator
– May be able to take countermeasures if an attack is
in progress
– Invaluable tool to help administrators know how
often their network is under attack and devise
security policies aimed at thwarting threats before
they have a chance to succeed
Using Network Address Translation to
Improve Security
• A benefit of NAT is that the real address of an
internal network resource is hidden and
inaccessible to the outside world
– Because most networks use NAT with private IP
addresses, those devices configured with private
addresses can’t be accessed directly from outside
the network
– An external device can’t initiate a network
conversation with an internal device, thus limiting an
attacker’s options to cause mischief
Protecting a Network from Worms,
Viruses, and Rootkits
• Malware is SW designed to cause harm/disruption
to a computer system or perform activities on a
computer without the consent of its owner
– A virus spreads by replicating itself into other
programs or documents
– A worm is similar to a virus, but it doesn’t attach
itself to another program
– A backdoor is a program installed on a computer
that permits access to the computer, bypassing the
normal authentication process
– To help prevent spread of malware, every computer
should have virus-scanning software running
Protecting a Network from Worms,
Viruses, and Rootkits (continued)
• A Trojan program appears to be something useful,
but in reality contains some type of malware
• Rootkits are a form of Trojan programs that can
monitor traffic to and from a computer, monitor
keystrokes, and capture passwords
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the
hoax is the virus!
• Malware protection can be expensive; however, the
loss of data and productivity that can occur when a
network becomes infected is much more costly
Protecting a Network from Spyware
and Spam
• Spyware: monitors/controls part of a computer at
the expense of user’s privacy and to the gain of a
third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and
some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth,
and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places on
an e-mail account, spammers find a way around it
Implementing Wireless Security
• Attackers who drive around looking for wireless
LANs to intercept are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
– Wired Equivalency Protocol (WEP)
– Wi-Fi Protected Access (WPA)
– 802.11i
– MAC address filtering
• You should also set policies: limit AP signal access,
change encryption key regularly, etc.
Using a Cracker’s Tools to Stop
Network Attacks
• If you want to design a good, solid network
infrastructure, hire a security consultant who knows
the tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to
compromise a network or computer system for the
purposes of personal gain or to cause harm
– The term hacker has had a number of meanings
throughout the years
• White hats often use the term penetration tester for
their consulting services
Discovering Network Resources
• Attackers use command-line utilities such as Ping,
Traceroute, Finger, and Nslookup to get information
about the network configuration and resources
– Other tools used
• Ping scanner: automated method for pinging a range
of IP addresses
• Port scanner: determines which TCP and UDP ports
are available on a particular computer or device
• Protocol analyzers are also useful for resource
discovery because they allow you to capture packets
and determine which protocol’s services are running
Discovering Network Resources
(continued)
Discovering Network Resources
(continued)
Discovering Network Resources
(continued)
Gaining Access to Network Resources
• One of the easiest resources to open is one in
which no password is set
– Check all devices that support Telnet, FTP, e-mail,
and Web services
– Verify that passwords are set on all devices and
disable any unnecessary services
• If an attacker needs to learn a user name/password:
– Finger may be used to discover user names
– Linux, NetWare, and Windows servers have default
administrator names that are often left unchanged
• Attacker may then use a password-cracking tool
Disabling Network Resources
• A denial-of-service (DoS) attack is an attacker’s
attempt to tie up network bandwidth or network
services, rendering those resources useless to
legitimate users
– Packet storms typically use the UDP protocol
because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie
up a server with invalid TCP sessions, thereby
preventing real sessions from being created
– In a ping flood, a program sends a large number of
ping packets to a host
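Detecting two of the patterns named on this slide from the administrator’s side, as an added example that is not part of the textbook: half-open connections (SYN_RECV) counted per source from a netstat-style table, and echo requests counted per second per source from an ICMP log. Both inputs are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed netstat-style connection table (not captured from a real host).
# Fields: proto recv-q send-q local-address foreign-address state
CONNECTION_TABLE = """\
tcp 0 0 10.0.0.5:80 203.0.113.7:44123 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:44124 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:44125 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.7:44126 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.3:51000 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.3:51001 SYN_RECV
tcp 0 0 10.0.0.5:22 192.168.1.20:40000 ESTABLISHED
"""

# Constructed ICMP log, one line per packet: "<epoch-second> echo-request from <ip>".
ICMP_LOG = (
    ["1700000000 echo-request from 203.0.113.7"] * 15
    + ["1700000000 echo-request from 198.51.100.3",
       "1700000001 echo-request from 198.51.100.3"]
)


def half_open_by_source(table):
    """Count TCP connections stuck in SYN_RECV (half-open) per foreign IP address."""
    counts = Counter()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0] == "tcp" and fields[5] == "SYN_RECV":
            foreign_ip = fields[4].rsplit(":", 1)[0]  # drop the port
            counts[foreign_ip] += 1
    return counts


def suspected_syn_flood_sources(table, threshold=3):
    """Foreign IPs holding at least `threshold` half-open connections at once (assumed limit)."""
    return sorted(ip for ip, n in half_open_by_source(table).items() if n >= threshold)


def peak_echo_rate_by_source(log):
    """Highest number of echo requests seen from each source within any single second."""
    per_second = defaultdict(Counter)
    for line in log:
        m = re.match(r"(\d+) echo-request from (\S+)", line)
        if m:
            per_second[m.group(2)][m.group(1)] += 1
    return {ip: max(seconds.values()) for ip, seconds in per_second.items()}


def suspected_ping_flood_sources(log, per_second=10):
    """Sources whose peak rate reaches the assumed per-second limit."""
    return sorted(ip for ip, rate in peak_echo_rate_by_source(log).items() if rate >= per_second)


if __name__ == "__main__":
    print("half-open SYN sources:", suspected_syn_flood_sources(CONNECTION_TABLE))
    print("ping flood sources:", suspected_ping_flood_sources(ICMP_LOG))
```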
Summary
• A network security policy describes rules governing access to a
company’s information resources
– Should contain these types of policies: privacy policy, acceptable
use policy, authentication policy, Internet use policy, auditing
policy, and data protection policy
• Must secure physical access to network resources
• Securing access to data includes authentication and
authorization, encryption/decryption, VPNs, firewalls,
virus/worm/spyware protection, and wireless security
• VPNs are an important aspect of network security
– Secure remote access to private network (via Internet)
Summary (continued)
• Firewalls filter packets and permit or deny packets
based on a set of defined rules
• Malware can be viruses, worms, Trojans, and rootkits
• Wireless security involves attention to configuring
SSID correctly and configuring/using wireless
security protocols, such as WEP, WPA, or 802.11i
• Tools that crackers use to compromise a network can
be used to determine whether a network is secure
• DoS attacks are used to disrupt network operation