Chapter 7 Presentation

Editor's Notes

• #2: CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 7 Network Security Fundamentals
• #3: Objectives List the different types of network security devices and explain how they can be used Explain how network technologies can enhance security Describe secure network design elements
• #4: Security Through Network Devices Layered security A defense that uses multiple types of security devices to protect a network Also called defense in depth A network with layered security will make it more difficult for an attacker He must have all the tools, knowledge, and skills to break through the various layers Layered network security can be achieved by using networking devices or hardware designed for security
• #5: Standard Network Devices Security features found in network hardware Provide basic level of security Network devices can classified based on their function in the OSI model Standards released in 1978, revised in 1983, still used today Illustrates how a network prepares data for delivery and how data is handled once received
• #6: Standard Network Devices OSI model breaks networking steps into seven layers Each layer has different networking tasks Each layer cooperates with adjacent layers Standard network devices can be classified by the OSI layer at which they function Some devices include: Switches, routers, load balancers, and proxies
• #7: Standard Network Devices Table 7-1 OSI references model
• #8: Standard Network Devices Switches A network switch is a device that connects network devices together Operates at Data Link Layer (Layer 2) Can determine which device is connected to each port Can forward frames sent to that specific device (unicast) or frames sent to all devices (broadcast) Uses MAC addresses to identify devices
• #9: Standard Network Devices Switches (cont’d) An attacker attached to a switch will see only frames that are directed to that device and not others Earlier networks used hubs to connect devices to a network Hubs repeated all frames to all attached network devices Attackers could use a protocol analyzer to capture all packets Protocol analyzers could decode and analyze packet contents
• #10: Standard Network Devices Network administrators should be able to monitor network traffic Helps identify and troubleshoot network problems Traffic monitoring methods Port mirroring Allows administrator to configure the switch to copy traffic that occurs on some or all ports to a designated monitoring port on the switch Network tap (test access point) Separate device installed between two network devices
• #11: Standard Network Devices Figure 7-1 Port mirroring
• #12: Standard Network Devices Figure 7-2 Network tap
• #13: Standard Network Devices Table 7-2 Protecting the switch
• #14: Standard Network Devices Routers Forward packets across different computer networks Operate at Network Layer (Layer 3) Can be set to filter out specific types of network traffic Load balancers Help evenly distribute work across a network Allocate requests among multiple devices
• #15: Standard Network Devices Advantages of load-balancing technology Reduces probability of overloading a single server Optimizes bandwidth of network computers Reduces network downtime Load balancing is achieved through software or hardware device (load balancer) Load balancers are grouped into two categories: Layer 4 load balancers - act upon data found in Network and Transport layer protocols Layer 7 load balancers - distribute requests based on data found in Application layer protocols
• #16: Standard Network Devices Security advantages of load balancing Can detect and stop attacks directed at a server or application Can detect and prevent denial-of-service (DoS) and protocol attacks Some can deny attackers information about the network Hide HTTP error pages Remove server identification headers from HTTP responses
• #17: Standard Network Devices Proxies - there are several types of proxies used in computer networking Proxy server - a computer or an application program that intercepts user requests from the internal network and processes that request on behalf of the user Application-aware proxy - a special proxy server that “knows” the application protocols that it supports
• #18: Standard Network Devices Advantages of proxy servers: Increased speed Reduced costs Improved management Stronger security Reverse proxy Does not serve clients Routes incoming requests to the correct server
• #19: Standard Network Devices Figure 7-3 Proxy server
• #20: Network Security Hardware Specifically designed security hardware devices Provide greater protection than standard networking devices Network Firewalls Can be software-based or hardware-based Both types inspect packets and either accept or deny entry Hardware firewalls are usually located outside the network security perimeter
• #21: Network Security Hardware Methods of firewall packet filtering Stateless packet filtering Inspects incoming packet and permits or denies based on conditions set by administrator Stateful packet filtering Keeps a record of the state of a connection Makes decisions based on the connection and conditions
• #22: Network Security Hardware Firewall actions on a packet Allow (let packet pass through) Drop (prevent the packet from passing into the network and send no response to sender) Reject (prevent the packet from passing into the network but send a message to the sender) Rule-based firewalls Use a set of individual instructions to control actions, called firewall rules Each rule is a separate instruction processed in sequence telling the firewall what action to take
• #23: Network Security Hardware Application-Aware Firewalls Sometimes called a next-generation firewall (NGFW) Operate at a higher level by identifying applications that send packets through the firewall and make decisions about actions to take Web application firewall Special type of application-aware firewall that looks deeply into packets that carry HTTP traffic Can block specific sites or specific types of HTTP traffic
• #24: Network Security Hardware Spam filters Enterprise-wide spam filters block spam before it reaches the host Email systems use two protocols Simple Mail Transfer Protocol (SMTP) Handles outgoing mail Post Office Protocol (POP) Handles incoming mail
• #25: Network Security Hardware Spam filters installed with the SMTP server Filter configured to listen on port 25 Pass non-spam e-mail to SMTP server listening on another port This method prevents SMTP server from notifying spammer of failed message delivery
• #26: Network Security Hardware Figure 7-7 Spam filter with SMTP server
• #27: Network Security Hardware Spam filters installed on the POP3 server All spam must first pass through SMTP server and be delivered to user’s mailbox Can result in increased costs Storage, transmission, backup, deletion Third-party entity contracted to filter spam All email directed to third-party’s remote spam filter E-mail cleansed before being redirected to organization
• #28: Network Security Hardware Figure 7-8 Spam filter on POP3 server
• #29: Network Security Hardware Virtual private network (VPN) - enables authorized users to use an unsecured public network as if it were a secure private network All data transmitted between remote device and network is encrypted Types of VPNs Remote-access VPN - a user-to-LAN connection Site-to-site - multiple sites can connect to other sites over the Internet
• #30: Network Security Hardware Endpoints The end of the tunnel between VPN devices Used in communicating VPN transmissions May be software on local computer, a VPN concentrator (hardware device), or integrated into another networking device VPN concentrator - a dedicated hardware device that aggregates hundreds or thousands of VPN connections
• #31: Network Security Hardware Tunneling protocols enclose a packet within another packet and are used for VPN transmissions IPsec has two “subprotocols” that are used in VPN: Encapsulated Security Payload (ESP) Authentication Header (AH) A remote-access VPN generally uses either IPsec or the Layer 2 Tunneling Protocol (L2TP)
• #32: Network Security Hardware Internet Content Filters Monitor Internet traffic Block access to preselected Web sites and files Unapproved sites can be restricted based on the URL (URL filtering) or matching keywords (content inspection)
• #33: Network Security Hardware Table 7-3 Internet content filter features
• #34: Network Security Hardware Web Security Gateways Can block malicious content in real time Block content through application level filtering Examples of blocked Web traffic Adware, spyware Cookies Instant messengers P2P (peer to peer) file sharing Script exploits TCP/IP malicious code attacks
• #35: Network Security Hardware Intrusion detection system (IDS) Can detect attack as it occurs IDS systems use different methodologies for monitoring for attacks Can be installed on either local hosts or networks An extension of IDS is an intrusion prevention system (IPS)
• #36: Network Security Hardware Monitoring methodologies Anomaly-based monitoring Compares current detected behavior with baseline Signature-based monitoring Looks for well-known attack signature patterns Behavior-based monitoring Detects abnormal actions by processes or programs Alerts user who decides whether to allow or block activity Heuristic monitoring Uses experience-based techniques
• #37: Network Security Hardware Table 7-4 Methodology comparisons to trap port scanning application
• #38: Network Security Hardware Types of IDS - two basic types if IDS exist Host intrusion detection system (HIDS) A software-based application that can detect an attack as it occurs Installed on each system needing protection Monitors: System calls and file system access Can recognize unauthorized Registry modification Host input and output communications Detects anomalous activity
• #39: Network Security Hardware Disadvantages of HIDS Cannot monitor network traffic that does not reach local system All log data is stored locally Resource-intensive and can slow system
• #40: Network Security Hardware Network intrusion detection system (NIDS) Watches for attacks on the network NIDS sensors installed on firewalls and routers: Gather information and report back to central device Passive NIDS will sound an alarm An NIDS may use one or more of the evaluation techniques listed in Table 7-5 (see the following slide)
• #41: Network Security Hardware Table 7-5 NDIS evaluation techniques
• #42: Network Security Hardware Application-aware IDS A specialized IDS Capable of using “contextual knowledge” in real time It can know the version of the OS or which application is running As well as what vulnerabilities are present in the systems being protected
• #43: Network Security Hardware Intrusion Prevention System (IPS) Monitors network traffic to immediately block a malicious attack Similar to NIDS NIPS is located “in line” on the firewall Allows the NIPS to more quickly take action to block an attack Application-aware IPS Knows which applications are running as well as the underlying OS
• #44: Network Security Hardware Unified Threat Management (UTM) Security Appliances Network hardware that provides multiple security functions, such as: Antispam, antiphishing, antivirus, and antispyware Bandwidth optimization Content filtering Encryption Firewall Instant messaging control and web filtering Intrusion protection
• #45: Security Through Network Technologies Internet routers normally drop packet with a private address Network address translation (NAT) Allows private IP addresses to be used on the public Internet Replaces private IP address with public address Port address translation (PAT) Variation of NAT Outgoing packets given same IP address but different TCP port number
• #46: Security Through Network Technologies Table 7-6 Private IP addresses
• #47: Security Through Network Technologies Advantage of NAT Masks IP addresses of internal devices An attacker who captures the packet on the Internet cannot determine the actual IP address of sender Network Access Control (NAC) Examines current state of system or network device: Before allowing the network connection Device must meet set of criteria If not met, NAC allows connection to a “quarantine” network until deficiencies corrected
• #48: Security Through Network Technologies Figure 7-10 Network access control (NAC) framework
• #49: Security Through Network Design Elements Elements of a secure network design Demilitarized zones Subnetting Virtual LANs Remote access
• #50: Demilitarized Zone (DMZ) DMZ - a separate network located outside secure network perimeter Untrusted outside users can access DMZ but not secure network
• #51: Demilitarized Zone (DMZ) Figure 7-11 DMZ with one firewall
• #52: Demilitarized Zone (DMZ) Figure 7-12 DMZ with two firewalls
• #53: Subnetting An IP address is used to identify a network and a host on that network One part is a network address and one part is a host address Subnetting allows a large network to be divided into smaller subnets Each network can contain several subnets Each subnet is connected through different routers Each subnet can contain multiple hosts
• #54: Subnetting Improves network security by isolating groups of hosts Administrators can utilize network security tools to make it easier to regulate who has access in and out of a particular subnetwork Allows network administrators to hide the internal network layout Makes it more difficult for attackers to target their attacks
• #55: Subnetting Figure 7-13 Subnets
• #56: Subnetting Table 7-7 Advantages of subnetting
• #57: Virtual LANs (VLAN) Allow scattered users to be logically grouped together Even if attached to different switches Can isolate sensitive data to VLAN members Communication on a VLAN If connected to same switch, switch handles packet transfer A special “tagging” protocol is used for communicating between switches
• #58: Remote Access Working away from the office commonplace today Telecommuters, traveling sales representatives, and traveling workers Strong security for remote workers must be maintained Remote Access Any combination of hardware and software that enables remote users to access a local internal network Provides same the functionality as local users through a VPN or dial-up connection
• #59: Summary Standard network security devices provide a degree of security Switches, router, load balancer, and proxies Hardware devices specifically designed for security give higher protection level Hardware-based firewall, Web application firewall Virtual private networks (VPNs) use an unsecured public network and encryption to provide security
• #60: Summary An intrusion detection system (IDS) is designed to detect an attack as it occurs Network technologies can help secure a network Network address translation Network access control Methods for designing a secure network Demilitarized zones Virtual LANs