2. Objectives
What are the goals of network security, and what sorts of
attacks do you need to defend against?
What best practices can be implemented to defend
against security threats?
What are the characteristics of various remote-access
security technologies?
3. Objectives
How can firewalls be used to protect an organization’s
internal network, while allowing connectivity to an
untrusted network, such as the Internet?
How can virtual private networks (VPN) be used to
secure traffic as that traffic flows over an untrusted
network?
What is the difference between intrusion prevention
and intrusion detection systems, and how do they
protect an organization from common security threats?
4. Securing a Network
Today’s networks are increasingly dependent on
connectivity with other networks.
However, connecting an organization’s trusted
network to untrusted networks, such as the
Internet, introduces security risks.
To protect your organization’s data from
malicious users, you need to understand the
types of threats against which you might have to
defend.
5. For most of today’s corporate networks, the
demands of e-commerce and customer contact
require connectivity between internal corporate
networks and the outside world.
All networks require network security
Security Fundamentals
6. Confidentiality – keeping the data private
Integrity – ensures that data has not been
modified
Availability – the data is accessible when
needed
Three Primary Goals of Network Security
8. Confidentiality can be provided by encryption.
Encryption has two basic forms:
Symmetric encryption -- implies that the same key
is used by both the sender and receiver to encrypt
and decrypt a packet.
DES is an old, insecure cipher
3DES and AES are much better
Asymmetric encryption -- uses different keys for
the sender and receiver of a packet
RSA is the most common system, used by HTTPS
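The two forms on this slide, shown side by side in working code. This is an added example (not part of the slide deck): AES-256-GCM stands in for the symmetric case (one shared key both seals and opens the data, and a wrong key or a tampered ciphertext is rejected rather than decrypted to garbage), and RSA-OAEP for the asymmetric case (the receiver's public key encrypts, only the private key decrypts). The sample message and key sizes are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewAESKey returns a random 256-bit key for the symmetric case (constructed helper).
func NewAESKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SymmetricEncrypt seals plaintext with AES-256-GCM; the SAME key is needed to decrypt.
// The random nonce is prepended to the ciphertext and GCM appends an authentication
// tag, so any modification of the ciphertext is detected on decryption.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. A wrong key or a modified
// ciphertext makes gcm.Open return an error instead of bogus plaintext.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// NewRSAKey generates the receiver's key pair for the asymmetric case.
func NewRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// AsymmetricEncrypt uses the receiver's PUBLIC key, which can be shared with anyone.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt needs the matching PRIVATE key, which never leaves the receiver.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	msg := []byte("card number 4111 1111 1111 1111") // constructed sample payload
	key, _ := NewAESKey()
	ct, _ := SymmetricEncrypt(key, msg)
	pt, _ := SymmetricDecrypt(key, ct)
	fmt.Println("AES-GCM round trip ok:", string(pt) == string(msg))
	if _, err := SymmetricDecrypt(make([]byte, 32), ct); err != nil {
		fmt.Println("wrong symmetric key rejected:", err)
	}
	priv, _ := NewRSAKey()
	rct, _ := AsymmetricEncrypt(&priv.PublicKey, msg)
	rpt, _ := AsymmetricDecrypt(priv, rct)
	fmt.Println("RSA-OAEP round trip ok:", string(rpt) == string(msg))
}
```

In practice the asymmetric operation is used to agree on or transport a symmetric key (as HTTPS does), and the bulk data is then protected with the symmetric cipher, because RSA is slow and can only encrypt a message shorter than its modulus.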
Security Fundamentals
9. Integrity can be provided by hashing
Hash value is like a fingerprint of the data
Any alteration in data changes the hash
Ethernet uses CRC32 to detect transmission errors
MD5 is an old, insecure hash function
SHA-1, SHA-2, and SHA-3 are newer and more
secure
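A worked illustration of the "fingerprint" idea, added here and not part of the slides: SHA-256 (with MD5 and Ethernet's CRC32 alongside for comparison of output size and purpose), a one-bit alteration that changes every digest, and the caveat the slide leaves implicit: a bare hash only detects accidental change, because whoever alters the data can recompute the hash, so integrity against a deliberate attacker needs a keyed hash (HMAC) with a key the attacker does not have. The message and shared key are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

// Fingerprint returns the SHA-256 digest of data as hex: a fixed-length
// fingerprint that changes completely when any bit of the input changes.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// LegacyFingerprint is MD5, shown only to contrast with SHA-256; it is not
// collision resistant and should not be used for new integrity checks.
func LegacyFingerprint(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// TransmissionCheck is the CRC32 used by Ethernet: good at catching random bit
// errors on the wire, but trivially recomputed, so no protection against an attacker.
func TransmissionCheck(data []byte) uint32 {
	return crc32.ChecksumIEEE(data)
}

// FlipBit returns a copy of data with a single bit inverted (simulated alteration).
func FlipBit(data []byte, bit int) []byte {
	out := append([]byte(nil), data...)
	out[bit/8] ^= 1 << uint(bit%8)
	return out
}

// Tag computes HMAC-SHA256 over data with a shared secret. Unlike a plain hash,
// an attacker who changes the data cannot produce a matching tag without the key.
func Tag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// VerifyTag checks a received tag in constant time to avoid timing leaks.
func VerifyTag(key, data, tag []byte) bool {
	return hmac.Equal(Tag(key, data), tag)
}

func main() {
	msg := []byte("transfer 100 to account 42") // constructed sample
	altered := FlipBit(msg, 0)
	fmt.Println("sha256 original:", Fingerprint(msg))
	fmt.Println("sha256 altered: ", Fingerprint(altered))
	fmt.Println("md5 original:   ", LegacyFingerprint(msg))
	fmt.Printf("crc32 original %08x, altered %08x\n", TransmissionCheck(msg), TransmissionCheck(altered))
	key := []byte("shared-secret-constructed-for-demo")
	tag := Tag(key, msg)
	fmt.Println("tag verifies on original:", VerifyTag(key, msg, tag))
	fmt.Println("tag verifies on altered: ", VerifyTag(key, altered, tag))
}
```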
Security Fundamentals
10. Availability can be provided by fault tolerance
Attacks on availability are called Denial of Service
(DoS) attacks
A DoS attack from many machines is called a
Distributed Denial of Service (DDoS) attack
Security Fundamentals
13. Security Fundamentals
Categories of Network Attacks
Confidentiality Attacks
Makes confidential data visible to an
attacker
Integrity Attacks
Alters data in transit or at rest
Availability Attacks
Makes system unavailable to
authorized users
14. Security Fundamentals
Figure 12-3 Confidentiality Attack Example
Attacker compromises the Web server, then pivots to attack the database server
17. Security Fundamentals
Integrity Attack Methods
Salami attack (many small alterations)
Data diddling (changes data before it is stored)
Virus (attached to an EXE file)
Worm (travels through a network)
Trojan (masquerades as innocent software)
Trust relationship exploitation
Botnet
Session hijacking
18. Security Fundamentals
Password attacks
Keylogger (steal keypresses)
Packet capture
Brute force (guess all possible passwords)
Dictionary (try passwords from a dictionary)
23. Security Fundamentals
Electrical Disturbances
At a physical level, an attacker could launch an availability attack
by interrupting or interfering with electrical service available to a
system, such as the following:
Power Spikes
Electrical surges
Power faults
Blackouts
Power sag
Brownout
To combat these threats, you might want to install
uninterruptible power supplies (UPS) and generator backup
for strategic devices in your network.
24. Security Fundamentals
Attacks on a System’s Physical Environment
Attackers could also intentionally damage computing equipment by
influencing the equipment’s physical environment.
Temperature
Humidity
Gas
Consider the following recommendations to mitigate such
environmental threats:
Computing facilities should be locked.
Access should require access credentials.
Access point should be visually monitored.
Climate control system should be monitored.
Fire detection and suppression systems should not do damage to computer
equipment if possible.
25. Defending Against Attacks
Now that we have an understanding of security
fundamentals, it is time to talk about how to defend
against security threats using network devices.
User Training
Many attacks require user intervention in order to be carried out.
For example, a user needs to execute an application
containing a virus before the virus takes any actions.
Similarly, social engineering requires a user to give sensitive
information to an attacker in order for the attacker to access the
user’s account.
26. Defending Against Attacks
User Training (cont.)
As a result, several potential attacks can be thwarted through
effective user training.
As a few examples, users could be trained to follow policies such
as the following:
Never give your password to anyone, even if they claim to be from IT.
Do not open e-mail attachments from unknown sources.
Select strong passwords, consisting of at least eight characters and
containing a mixture of alphabetical (upper- and lowercase), numeric,
and special characters.
Change your password monthly (or more often).
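The strong-password rule above, turned into a check that tells the user exactly which requirement a candidate password fails. This is an added example, not from the slides; the eight-character minimum and the four character classes are the slide's, and the sample passwords are constructed.

```go
package main

import (
	"fmt"
	"unicode"
)

// MinPasswordLength is the minimum the slide recommends.
const MinPasswordLength = 8

// PolicyViolations returns every rule the candidate password breaks, so the user
// can be told what to fix; an empty slice means the password satisfies the policy.
func PolicyViolations(pw string) []string {
	var upper, lower, digit, special bool
	length := 0
	for _, r := range pw {
		length++ // count runes, not bytes, so a non-ASCII character counts once
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special = true
		}
	}
	var v []string
	if length < MinPasswordLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", MinPasswordLength))
	}
	if !upper {
		v = append(v, "no uppercase letter")
	}
	if !lower {
		v = append(v, "no lowercase letter")
	}
	if !digit {
		v = append(v, "no digit")
	}
	if !special {
		v = append(v, "no special character")
	}
	return v
}

func main() {
	for _, pw := range []string{"password", "Tr0ub4dor&3", "Ab1!"} { // constructed samples
		fmt.Printf("%q -> %v\n", pw, PolicyViolations(pw))
	}
}
```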
27. Defending Against Attacks
Patching
Some attacks are directed at vulnerabilities known to exist in
various OSs and applications.
As these are discovered, the vendors of the OSs or applications
often respond by releasing a patch.
A patch is designed to correct a known bug or fix a known vulnerability
in a piece of software.
A network administrator should have a plan for
implementing patches as they become available.
28. Defending Against Attacks
Security Policies
One of the main reasons security breaches occur within an
organization is the lack of a security policy or, if a security policy
is in place, the lack of effectively communicating and enforcing that
security policy to all concerned.
A security policy is a continually changing document that dictates
a set of guidelines for network use.
The main purpose of a security policy is to protect the assets of an
organization.
Asset – intellectual property, processes and procedures, sensitive customer
data, and specific server functions.
30. Security Fundamentals
Incident Response
Everyone will get hacked
Respond effectively
Contain damage
Reverse harm
Improve security to prevent repeated attack
31. Defending Against Attacks
Vulnerability Scanners
After you deploy your network-security solution, components of
that solution might not behave as expected.
Additionally, you might not be aware of some of the vulnerabilities
in your network devices.
You should periodically test your network for weaknesses.
These tests can be performed using applications designed to check
for a variety of known weaknesses.
These applications are known as vulnerability scanners.
Nessus is a full vulnerability scanner
Nmap (actually just a port scanner, not a full vulnerability
scanner)
34. Defending Against Attacks
Honey Pots and Honey Nets
A honey pot acts as a distracter. Specifically, a system
designated as a honey pot appears to be an attractive target.
The attacker then uses their resources attacking the honey pot, the
end result of which is that they leave the real servers alone.
Honey pot -- a single machine that draws the attacker's attention.
Honey net -- multiple machines that draw the attacker's attention.
A honey pot/net can also be used to study how attackers conduct
their attacks.
35. Defending Against Attacks
Access Control List (ACL)
ACLs are rules, typically applied to router interfaces,
that specify permit or deny traffic.
ACL filtering criteria:
Source IP
Destination IP
Source Port
Destination Port
Source MAC
Destination MAC
37. Defending Against Attacks
Remote Access Security
Although ACLs can be used to permit or deny specific connections
flowing through a router, you also need to control connections to
the network devices themselves.
Many of these remote-access security methods have been
introduced in preceding chapters
39. Defending Against Attacks
Firewalls
At this point, we have introduced various security
threats, along with best practices to protect your
network from those threats.
Now we are going to cover three additional layers of
security that can be applied to a network.
The additional layers consist of firewalls, virtual
private networks, and intrusion detection and
prevention systems.
40. Defending Against Attacks
Firewall Types
A firewall defines a set of rules to dictate which types of traffic are
permitted or denied as that traffic enters or exits a firewall
interface.
Software firewall -- can be used to protect a single system, or can
be software loaded on a computer with more than one NIC, controlling
traffic between them.
Hardware firewall – is an appliance that acts as the firewall.
Firewall Inspection Types
Packet-filtering firewall (stateless) -- inspects each packet in
isolation, based solely on the packet’s header.
Stateful firewall – recognizes that a packet is part of a session
that might have originated inside the LAN or outside the LAN.
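The ACL filtering criteria from the earlier slide and the stateless-versus-stateful distinction above, in one runnable model. This is an added example, not the slides' own material: a small ordered rule list judged per packet (with the implicit deny at the end), and the same rule list wrapped in a session table so that the reply to an allowed outbound connection is let back in even though no rule matches it on its own. The Packet struct, the 10.0.0.0/8 "inside" network and the sample addresses are constructed; MAC-based criteria are left out for brevity.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet holds only the header fields the ACL slide lists as filtering
// criteria (constructed struct, not a real packet parser).
type Packet struct {
	Proto            string
	SrcIP, DstIP     netip.Addr
	SrcPort, DstPort uint16
}

// MakePacket builds a Packet from dotted-quad strings (panics on bad input).
func MakePacket(proto, src string, sport uint16, dst string, dport uint16) Packet {
	return Packet{Proto: proto, SrcIP: netip.MustParseAddr(src), DstIP: netip.MustParseAddr(dst),
		SrcPort: sport, DstPort: dport}
}

// Rule is one ACL entry. A zero DstPort means "any port".
type Rule struct {
	Permit   bool
	Proto    string
	Src, Dst netip.Prefix
	DstPort  uint16
}

// ACL is an ordered rule list; first match wins, and no match means deny.
type ACL []Rule

// Permits is the stateless (packet-filtering) decision: each packet is judged
// alone on its header, and nothing is remembered between packets.
func (a ACL) Permits(p Packet) bool {
	for _, r := range a {
		if r.Proto == p.Proto && r.Src.Contains(p.SrcIP) && r.Dst.Contains(p.DstIP) &&
			(r.DstPort == 0 || r.DstPort == p.DstPort) {
			return r.Permit
		}
	}
	return false // implicit deny
}

// Stateful wraps an ACL with a session table: once the ACL allows the first
// packet of a flow, traffic in the reverse direction of that flow is also allowed.
type Stateful struct {
	acl      ACL
	sessions map[string]bool
}

func NewStateful(acl ACL) *Stateful {
	return &Stateful{acl: acl, sessions: map[string]bool{}}
}

func flowKey(proto string, a netip.Addr, ap uint16, b netip.Addr, bp uint16) string {
	return fmt.Sprintf("%s %s:%d>%s:%d", proto, a, ap, b, bp)
}

// Allow returns true for return traffic of a known session, or for a packet the
// ACL permits (which then opens a session entry).
func (f *Stateful) Allow(p Packet) bool {
	if f.sessions[flowKey(p.Proto, p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)] {
		return true
	}
	if !f.acl.Permits(p) {
		return false
	}
	f.sessions[flowKey(p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)] = true
	return true
}

// DemoACL: inside hosts (10.0.0.0/8, constructed) may open HTTPS to anywhere;
// everything else falls through to the implicit deny.
func DemoACL() ACL {
	return ACL{
		{Permit: true, Proto: "tcp", Src: netip.MustParsePrefix("10.0.0.0/8"),
			Dst: netip.MustParsePrefix("0.0.0.0/0"), DstPort: 443},
	}
}

func main() {
	out := MakePacket("tcp", "10.0.0.5", 51000, "203.0.113.9", 443)   // client -> web server
	back := MakePacket("tcp", "203.0.113.9", 443, "10.0.0.5", 51000)  // web server's reply
	probe := MakePacket("tcp", "203.0.113.9", 40000, "10.0.0.5", 22) // unsolicited inbound
	acl := DemoACL()
	fw := NewStateful(acl)
	fmt.Println("stateless: out", acl.Permits(out), "reply", acl.Permits(back), "probe", acl.Permits(probe))
	fmt.Println("stateful:  out", fw.Allow(out), "reply", fw.Allow(back), "probe", fw.Allow(probe))
}
```

The stateless ACL drops the server's reply because its source address is not inside 10.0.0.0/8; a real packet filter would need an extra inbound rule for "any source port 443 to inside", which also lets in unsolicited traffic from port 443. The stateful wrapper admits only replies to sessions it saw opened, and still drops the unsolicited probe.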
43. Defending Against Attacks
Firewall Zones
A firewall's interfaces can be defined as belonging to
different firewall zones.
After the zones are created, you then set up rules based on
those zones.
Typical zone names:
Inside
Outside
DMZ
45. Defending Against Attacks
Virtual Private Networks (VPN).
Much of today’s workforce is located outside of a corporate
headquarters location.
Some employees work in remote offices, while others
telecommute, and others travel as part of their job.
These employees need a secure method to connect back to the
headquarters (HQ).
WAN technologies could be used but would be expensive to
implement.
A VPN supports secure communication between two sites over an
untrusted network.
46. Defending Against Attacks
VPN (cont.)
There are two primary categories of VPNs
Site to Site -- interconnects two sites, as an
alternative to a leased line, at a reduced cost.
Client to Site – interconnects a remote user with a
site, as an alternative to dial-up or ISDN
connectivity, at a reduced cost.
49. Defending Against Attacks
Overview of IPsec
Broadband technologies, such as cable and DSL, in addition to
other VPN transport mechanisms, often traverse an untrusted
network, such as the Internet.
IPsec VPNs offer strong security features, such as the following:
Confidentiality
Integrity
Authentication
IKE Modes and Phases
IPsec uses a collection of protocols to provide these features. One of
the primary protocols IPsec uses is the Internet Key
Exchange (IKE).
52. Defending Against Attacks
VPN Protocols
SSL/TLS
Strong, used by HTTPS
L2TP / IPSec
L2F
Old tunneling protocol from Cisco, no encryption
PPTP
Old Microsoft VPN protocol, weak encryption
53. Defending Against Attacks
Intrusion Detection and Prevention
When an attacker launches an attack against a network,
intrusion detection system (IDS) and intrusion prevention
system (IPS) technologies are often able to recognize the attack
and respond appropriately.
Attacks might be recognizable by comparing incoming data
streams against a database of well-known attack signatures.
IDS Versus IPS
An IDS sits parallel to the network (out of band); it is a passive
device that monitors all traffic and sends alerts.
An IPS sits in-line with the network; it is an active device that
monitors all traffic, sends alerts, and deals with the offending traffic.
55. Defending Against Attacks
IDS and IPS Device Categories
IDS and IPS devices can be categorized based on how they detect
malicious traffic.
Detection Methods
Signature-based detection
Policy-based detection
Anomaly-based detection
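A small sensor that shows the IDS-versus-IPS difference and two of the detection methods above on the same traffic. This is an added example, not the slides' own code: signature-based detection matches each request against a constructed pattern database (two textbook patterns, not a real rule set), anomaly-based detection fires when one source exceeds a request threshold, and the Inline flag decides whether a hit only raises an alert (IDS) or also drops the traffic (IPS). The sample requests and addresses are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Signature is one entry of the "database of well-known attack signatures".
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// Verdict is what the sensor decided for one request.
type Verdict struct {
	Alert   string // empty when nothing matched
	Dropped bool   // only ever true for an in-line (IPS) sensor
}

// Sensor combines signature-based and anomaly-based detection.
// Inline=false models an IDS (alert only); Inline=true models an IPS (alert and drop).
type Sensor struct {
	Inline    bool
	Sigs      []Signature
	Threshold int            // requests per source before the anomaly rule fires
	seen      map[string]int // anomaly state: request count per source
}

// NewSensor loads the constructed demo signatures.
func NewSensor(inline bool, threshold int) *Sensor {
	return &Sensor{
		Inline: inline,
		Sigs: []Signature{
			{"sqli-tautology", regexp.MustCompile(`(?i)'\s*or\s*'1'\s*=\s*'1`)},
			{"path-traversal", regexp.MustCompile(`\.\./\.\./`)},
		},
		Threshold: threshold,
		seen:      map[string]int{},
	}
}

// Inspect examines one request from src. A signature hit is reported first;
// otherwise the per-source counter implements a simple rate anomaly.
func (s *Sensor) Inspect(src, request string) Verdict {
	s.seen[src]++
	var alert string
	for _, sig := range s.Sigs {
		if sig.Pattern.MatchString(request) {
			alert = "signature:" + sig.Name
			break
		}
	}
	if alert == "" && s.seen[src] > s.Threshold {
		alert = fmt.Sprintf("anomaly:%d requests from %s", s.seen[src], src)
	}
	// An IDS can only alert; an IPS sits in the path and can also drop.
	return Verdict{Alert: alert, Dropped: alert != "" && s.Inline}
}

func main() {
	events := []struct{ src, req string }{ // constructed sample traffic
		{"198.51.100.7", "GET /index.html"},
		{"198.51.100.7", "GET /login?user=admin' OR '1'='1"},
		{"198.51.100.8", "GET /../../etc/passwd"},
	}
	for _, inline := range []bool{false, true} {
		s := NewSensor(inline, 100)
		for _, e := range events {
			fmt.Printf("inline=%v %-36q -> %+v\n", inline, e.req, s.Inspect(e.src, e.req))
		}
	}
}
```

Signature matching only catches what is already in the database, which is why the slide lists anomaly-based detection alongside it; the trade-off is that a rate threshold set too low turns a busy legitimate client into a false positive, and with an IPS a false positive means dropped traffic rather than just an alert.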
Deploying Network-Based and Host-Based Solutions
NIPS and HIPS solutions can work in tandem. This helps further
protect the system.