Download Transcript: Network Hardening Techniques Part 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

Dynamic Host Configuration Protocol wikipedia, lookup

AppleTalk wikipedia, lookup

Computer network wikipedia, lookup

Piggybacking (Internet access) wikipedia, lookup

Internet protocol suite wikipedia, lookup

Deep packet inspection wikipedia, lookup

Wake-on-LAN wikipedia, lookup

Wireless security wikipedia, lookup

Airborne Networking wikipedia, lookup

Network tap wikipedia, lookup

Distributed firewall wikipedia, lookup

Computer security wikipedia, lookup

Recursive InterNetwork Architecture (RINA) wikipedia, lookup

Zero-configuration networking wikipedia, lookup

Cracking of wireless networks wikipedia, lookup

Transcript
Good day, I'm Brian Ferrill, and welcome to PACE-IT's session on network hardening
techniques part I. Today, I'm going to discuss using secure protocols, using anti-malware
software, and I'm going to conclude with implementing switch and router security. There is a
whole lot of information to impart, but not a whole lot of time, so let's go ahead and begin this
session.
Of course I'm going to begin by talking about using secure protocols.
Network security is always an ongoing process because the threats to it keep changing.
Although security threats are continually evolving, administrators can use some techniques to
harden the base network structure to help ease the ever shifting security landscape. These
hardening techniques establish a good security foundation that can be further built upon making
the network that much harder to crack. One of these hardening techniques is to use secure
protocols whenever possible.
Let's discuss some of those protocols. First up is Secure Shell or SSH. It's a protocol that is
used to create an encrypted communications session between devices. It's commonly used to
create a secure virtual terminal session. It should be used in place of Telnet whenever possible.
Then there is SNMP version 3, that's Simple Network Management Protocol version 3. It's a
protocol that is used to manage and configure devices remotely on the network. It's more
secure than the prior two versions because it supports encryption.
Secure File Transfer Protocol, or SFTP, should always be used in place of FTP. It's a protocol
that's used to transfer data in managed file structures in a secure manner through the use of an
SSH session. As I said just a moment ago, it is a better option than FTP, which requires user
authentication but does not encrypt their communication. SFTP encrypts the whole process.
Then there is TLS, or Transport Layer Security. It's a cryptographic protocol that is used to
encrypt online communications. It uses certificates and asymmetrical cryptography to
authenticate hosts and exchange security keys. It is a better option than SSL, or Secure Socket
Layer, which functions in a similar manner.
When performing sensitive online business, you should use HTTPS, Hypertext Transfer
Protocol Secure. It's a protocol that is used to secure the communications channel between a
Web browser and a Web server. HTTPS uses either TLS or SSL technology.
IPsec is a network layer IP security protocol suite that can use multiple methods to mutually
authentic both ends of the communication channel. It also will encrypt all data transmissions.
Unlike most other protocols, it can provide end-to-end security for any application.
Let's move to using anti-malware software.
Anti-malware applications help to protect networks and network resources against malware
intrusions as in spyware, viruses, and worms. There are three main options for using antimalware applications. There is post based anti-malware. The application is installed on the
individual machines and only protects those nodes on which it resides. It's easily tuned to the
needs of the individual host, but requires that the user keep it up to date. Then there is network
based anti-malware. The application is installed within the local network and served to the
individual clients that require it. It is easily administered, but harder to tune for the individual
host. But the network administrator can ensure that it remains up to date. Finally, there is cloud
based anti-malware. The application resides in the cloud; it is outside of the local network and it
is served to the clients inside the local network, as needed. This service has a very small
footprint on the local machine and tends to be kept more current than the other options, but it is
an added cost that must be evaluated.
Let's conclude with talking about implementing switch and router security.
When is using a password not secure? The answer is when the password is kept in clear text.
One solution to this is to save passwords and other sensitive information as hashes. Hashing is
a cryptographic process that uses an algorithm to derive a set value (also known as the hash
value) from the sensitive data. A hash can be used to verify that data is coming from where it is
supposed to and that it has not been intercepted or changed in transit. The most popular
hashing algorithms are MD5 and S-H-A, or SHA. Of the two, SHA is the more secure. And the
wise network administrator makes sure that all passwords and usernames are kept as hash
values.
Under implementing switch security measures, switch port security measures are vital. First off,
switch port security should be enabled. All enterprise switches are capable of having security
measures enabled at the port level and that should happen. Also, the native VLAN should be
changed from its default value. All active ports should be assigned to non-native VLANs. All
non-active switch ports should be assigned to an unused non-native VLAN. Also VLANs should
be created to clearly segment the network into logical secure areas.
A switch port security measure that should be considered is MAC address filtering. This will only
allow specific MAC addresses to connect to specific ports. DHCP snooping should be enabled.
This will only allow DHCP responses from an administrator defined switch port. This means that
all DHCP responses will come from the same port. In addition to DHCP snooping, dynamic ARP
inspection, or DAI, should also be enabled. This process is combined with DHCP snooping to
restrict to the opportunity for ARP cache poisoning to occur. All address resolution protocol
requests are compared against the ARP table contained in the administratively defined DHCP
server. Implementing these measures will greatly increase the security of your switches.
Let's move on to router security measures. Each interface on a router should have an access
control list, or ACL, in place to control and filter traffic. Each interface can actually have two
ACLs, one ACL on the inbound side of the interface and one ACL on the outbound side of the
interface. An ACL is a set of rules that is used to govern and filter the flow of network traffic into
and out of a network. The ACL examines packets against its established rules, beginning from
the first rule at the top of the list and continuing down through all the rules.
The rules either allow or deny that packet from continuing. Once the packet matches a rule, the
rule is enforced and the ACL process is exited. ACL rules can be based on protocols and ports,
IP addresses, source addresses, destination addresses, etc. All ACLs end with an implicit deny
statement, meaning that, if it isn't specifically allowed, then the packet is discarded. The ACL
can be time based, as in day of the week or time of day, and it can fulfill a specific function
based on the reason that it is created, as in an ACL can be used to filter out websites or Web
content.
That concludes this session on network hardening techniques part I. I talked about using secure
protocols, then we moved on to using anti-malware software, and we concluded with a brief
discussion on implementing switch and router security. On behalf of PACE-IT, thank you for
watching this session, and I hope to do another one soon.