Slide 1: CEG 2400 FALL 2012
Chapter 11: Network Security
Slide 2: Security Assessment
- What is at risk?
- Consider the effects of risks
- Different organization types have different risk levels
- Posture assessment
  - Thorough network examination
  - Determine possible compromise points
  - Performed in-house by IT staff
  - When performed by a third party, it is called a security audit
Slide 3: Security Risks Terms
- Hacker: individual who gains unauthorized access to systems
- Vulnerability: weakness of a system, process, or architecture
- Exploit: means of taking advantage of a vulnerability
- Zero-day exploit: taking advantage of an undiscovered software vulnerability
Slide 4: Risks Associated with People
- Half of all security breaches are caused by people
- Social engineering: strategy to gain a password
  - Glean access and authentication information
  - Pose as someone needing information
  - Web pages
- Easiest way to circumvent network security: take advantage of human error
  - Default passwords
  - Writing passwords, etc., on paper
  - Overlooking security flaws
Slide 5: Transmission and Hardware Risks
- Risks inherent in network hardware and design
- Transmission interception
  - Man-in-the-middle attack
  - Eavesdropping: networks connecting to the Internet via leased public lines
  - Sniffing: repeating devices broadcast traffic over the entire segment
Slide 6: Transmission and Hardware Risks (cont'd.)
- Risks inherent in network hardware and design
  - Port access via port scanner
  - Private address availability to the outside
  - Router attack: routers not configured to drop suspicious packets
  - Access servers not secured or monitored
  - Computers hosting sensitive data coexist on the same subnet as public computers
  - Insecure passwords: easily guessable or default values
Slide 7: Protocols and Software Risks
- Includes the Transport, Session, Presentation, and Application layers
- Networking protocol and software risks
  - TCP/IP security flaws
  - Invalid trust relationships
  - NOS back doors and security flaws
  - Buffer overflow
  - Administrators leaving default security options in place
Slide 8: Internet Access Risks
- Outside threats
  - Web browsers permit scripts to access systems
  - Users provide information to sites
- Common Internet-related security issues
  - Improperly configured firewall
  - Telnet or FTP: transmit user ID and password in plain text
  - Denial-of-service attack
  - Smurf attack: hacker issues a flood of broadcast ping messages
Slide 9: Forming an Effective Security Policy
- Security policy identifies security goals, risks, authority levels, the designated security coordinator, and team members
- Responsibilities of each employee
- How to address security breaches
- Not included in the policy: hardware, software, architecture, and protocols used
- A general policy
Slide 10: Security Policy Goals
- Typical goals
  - Ensure authorized users have appropriate resource access
  - Prevent unauthorized user access
  - Protect against unauthorized access to sensitive data
  - Prevent accidental and intentional hardware and software damage
  - Create a secure environment
  - Communicate employees' responsibilities
Slide 11: Security Policy Goals
- Strategy used to form goals
  - Form a committee; involve as many decision makers as possible
  - Understand risks: conduct a posture assessment
  - Assign a person responsible for addressing threats
Slide 12: Security Policy Content
- Outline the policy content
- Define policy subheadings, e.g. password policy, sensitive data policy, remote access policy, etc.
- Explain to users what they can and cannot do, and how these measures protect the network's security
- Define what "confidential" means to the organization
Slide 13: Response Policy
- What happens after a security breach occurs
- Provide a planned response
- Identify response team members
  - Dispatcher
  - Manager
  - Technical support specialist
  - Public relations specialist
- After problem resolution: review the process
- Regularly rehearse the defense (threat drill)
Slide 14: Physical Security
- Restrict physical access to network components
- Lock computer rooms, telco rooms, wiring closets, and equipment cabinets
- Locks can be physical or electronic
Slide 15: Physical Security
- Physical barriers: gates, fences, walls, and landscaping
- Surveillance cameras
  - Central security office capabilities: display several camera views at once
  - Video footage can be used in investigation and prosecution
- Consider losses from the hard disks of salvaged and discarded computers
  - Solutions: run a specialized disk sanitizer program; remove the disk and use a magnetic hard disk eraser; pulverize or melt the disk
Slide 16: Security in Network Design
- Preventing external LAN security breaches: restrict access at every point where the LAN connects to the rest of the world
- Router access lists control traffic through routers
- Router's main functions: examine packets; determine the destination based on Network layer addressing information
- ACL (access control list): routers can decline to forward certain packets
Slide 17: Router Access Lists
- ACL variables used to permit or deny traffic
  - Network layer protocol (IP, ICMP)
  - Transport layer protocol (TCP, UDP)
  - Source or destination IP address
  - Source or destination netmask
  - TCP or UDP port number
- Access list examples
  - Deny all traffic from a source address with netmask 255.255.255.255
  - Deny all traffic destined for TCP port 23
- Separate ACLs for each interface, and for inbound and outbound traffic
Slide 18: Intrusion Detection and Prevention
- Proactive security measure: detecting suspicious network activity
- Two types: IDS and IPS
- IDS (intrusion detection system): software monitoring traffic
  - IDS software detects many suspicious traffic patterns; examples: denial-of-service and smurf attacks
  - An IDS can only detect and log suspicious activity
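Slide 18 names the smurf attack (slide 8: a flood of broadcast ping messages) as a pattern an IDS can detect but only log. The following is an added illustration, not code from the slides, of the simplest form such a detection signature takes: count ICMP echo requests addressed to a subnet's broadcast address per source and per time window, and raise an alert when a source exceeds a threshold. The packet records and the subnet are constructed sample data; field names (`ts`, `src`, `dst`, `proto`, `icmp_type`) are this example's own.

```python
"""Toy IDS signature: flood of ICMP echo requests to a broadcast address.
Added example for slide 18; the packets below are constructed, not captured."""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    ts: float              # capture time in seconds
    src: str
    dst: str
    proto: str             # "icmp", "tcp" or "udp"
    icmp_type: int = -1    # 8 = echo request, 0 = echo reply, -1 = not ICMP


def is_broadcast(dst: str, subnet: str) -> bool:
    """True for the subnet's directed broadcast or the limited broadcast address."""
    net = ipaddress.ip_network(subnet, strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address or dst == "255.255.255.255"


def detect_broadcast_ping_flood(packets, subnet, window=1.0, threshold=20):
    """Return [(window_start, src, count)] for every source that sent more than
    `threshold` broadcast echo requests inside one `window`-second bucket.
    In a real smurf attack the source address is spoofed to the victim's, so the
    reported `src` is the host being flooded with replies, not the attacker."""
    counts = Counter()
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst, subnet):
            counts[(int(p.ts // window), p.src)] += 1
    return [(bucket * window, src, n)
            for (bucket, src), n in sorted(counts.items()) if n > threshold]


# Constructed sample capture: 30 broadcast pings in 0.3 s plus some normal traffic.
SAMPLE = [Packet(0.01 * i, "10.0.0.5", "192.168.1.255", "icmp", 8) for i in range(30)]
SAMPLE += [
    Packet(0.20, "192.168.1.10", "192.168.1.1", "icmp", 8),   # ordinary unicast ping
    Packet(0.30, "192.168.1.1", "192.168.1.10", "icmp", 0),   # its reply
    Packet(0.40, "192.168.1.11", "203.0.113.7", "tcp"),       # unrelated TCP packet
]

if __name__ == "__main__":
    for start, src, n in detect_broadcast_ping_flood(SAMPLE, "192.168.1.0/24"):
        print(f"ALERT t={start:.1f}s: {n} broadcast echo requests from {src}")
```

The detector only logs; to act on the alert (drop the traffic) is the IPS role described on slide 19.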
Slide 19: Intrusion Detection and Prevention
- IPS (intrusion prevention system): can react to suspicious activity when alerted; detects a threat and prevents the traffic from flowing to the network
- NIPS (network-based intrusion prevention): protects entire networks
- HIPS (host-based intrusion prevention): protects certain hosts
Slide 20: Figure: Placement of an IDS/IPS on a network
Slide 21: Firewalls
- Firewalls selectively filter and block traffic between networks; involve a combination of hardware and software
- Packet-filtering firewall: the simplest firewall
  - Examines the header of every entering packet
  - Can block traffic entering or exiting a LAN
  - Cannot distinguish a user trying to breach the firewall from an authorized user
- Common packet-filtering firewall criteria: source and destination IP addresses; source and destination ports
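Slides 17 and 21 describe the same mechanism from two angles: an ordered list of permit/deny rules matched against packet headers (protocol, source and destination address with netmask, port), kept separately per interface and direction. The example below is added here and is not the slides' code; it implements the two sample rules from slide 17 (deny one host given with netmask 255.255.255.255, deny TCP port 23) with first-match semantics and the implicit deny at the end of the list. Addresses, interface names and the rule layout are constructed assumptions.

```python
"""Stateless packet filter / router ACL evaluator. Added example for slides 17 and 21;
rules, addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str = "0.0.0.0/0"           # source network (prefix or dotted netmask form)
    dst: str = "0.0.0.0/0"           # destination network
    dst_port: Optional[int] = None   # TCP/UDP destination port; None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def netmask_to_network(addr: str, netmask: str) -> str:
    """Slide 17 writes a single host as address + 255.255.255.255; normalise to CIDR."""
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))


def matches(rule: Rule, pkt: Packet) -> bool:
    # Only header fields are consulted: a packet filter cannot tell an authorised
    # user from an intruder using the same addresses and ports (slide 21).
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching rule decides; a list that matches nothing denies (implicit deny)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The two examples from slide 17, followed by an explicit permit for everything else.
INBOUND_ACL = [
    Rule("deny", src=netmask_to_network("203.0.113.7", "255.255.255.255")),
    Rule("deny", proto="tcp", dst_port=23),
    Rule("permit"),
]
OUTBOUND_ACL = [Rule("permit")]

# Separate lists per interface and per direction (slide 17).
INTERFACE_ACLS = {("eth0", "in"): INBOUND_ACL, ("eth0", "out"): OUTBOUND_ACL}


def filter_packet(iface: str, direction: str, pkt: Packet) -> str:
    """An interface/direction with no ACL applied forwards everything."""
    acl = INTERFACE_ACLS.get((iface, direction))
    return "permit" if acl is None else evaluate(acl, pkt)


if __name__ == "__main__":
    for p in (Packet("tcp", "203.0.113.7", "192.168.1.10", 80),
              Packet("tcp", "198.51.100.4", "192.168.1.10", 23),
              Packet("tcp", "198.51.100.4", "192.168.1.10", 443)):
        print(p, "->", filter_packet("eth0", "in", p))
```

Rule order matters: swapping the final `permit` to the front would shadow both deny rules, which is the usual way an ACL ends up more permissive than intended.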
Slide 22: Figure: Placement of a firewall between a private network and the Internet
Slide 23: Proxy Servers
- Proxy server: network host running a proxy service
- Proxy service: software application on a network host; intermediary between external and internal networks
- Fundamental function: prevent the outside world from discovering internal network addresses
- Improves performance for external users (file caching)
Slide 24: Figure: A proxy server used on a WAN
Slide 25: Scanning Tools
- Used during posture assessment; duplicate hacker methods
- NMAP (Network Mapper): designed to scan large networks; provides information about the network and its hosts
- Nessus: performs more sophisticated scans than NMAP
- There are other scanning tools: http://sectools.org/
Slide 26: NOS (Network Operating System) Security
- Restrict user authorization: access to server files and directories
- Logon restrictions to strengthen security
  - Time of day
  - Total time logged on
  - Source address
  - Unsuccessful logon attempts
Slide 27: Passwords
- Choose a secure password
- Communicate password guidelines, and the reasons for them, to users
- Tips
  - Change system default passwords
  - Do not use familiar information or dictionary words
  - Use long passwords with letters, numbers, and special characters
  - Do not write down or share passwords
  - Change frequently
  - Do not reuse
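The tips on slide 27 are what a password-acceptance check enforces at the point a user sets a password. As an added example (not from the slides), the code below turns those tips into a checker: minimum length and character mix, rejection of system defaults, dictionary words and the user's own name, and a reuse check against a history kept as salted PBKDF2 hashes rather than as the old passwords themselves. The default-password and dictionary lists are tiny constructed stand-ins for the real wordlists such a check would load.

```python
"""Password policy checker for the tips on slide 27. Added example; the word lists
are constructed stand-ins for real wordlists."""
import hashlib
import hmac
import re
import secrets

DEFAULT_PASSWORDS = {"admin", "password", "cisco", "changeme", "letmein"}   # constructed
DICTIONARY_WORDS = {"welcome", "dragon", "football", "monkey", "sunshine"}   # constructed
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def remember(password: str):
    """Store a password in history as (salt, PBKDF2-SHA256 digest), never as plaintext."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(password: str, history) -> bool:
    """Re-derive the candidate under each stored salt; constant-time compare."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history)


def check_password(candidate: str, username: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(pattern, candidate) for pattern in CHARACTER_CLASSES):
        problems.append("must mix upper- and lower-case letters, numbers, and special characters")
    if lower in DEFAULT_PASSWORDS:
        problems.append("system default password")
    if any(word in lower for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if username and username.lower() in lower:
        problems.append("contains the user name")
    if was_used_before(candidate, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    history = [remember("Old-Passw0rd!x")]
    for pw in ("admin", "Welcome2024!", "Old-Passw0rd!x", "kq7#Vm2pL!9zRw"):
        print(repr(pw), "->", check_password(pw, "alice", history) or "accepted")
```

The reuse check needs the salt stored beside each digest, which is why `remember` returns both; hashing without a per-entry salt would let one leaked history reveal which users share passwords.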
Slide 28: Encryption
- Use of an algorithm to scramble data; designed to keep information private
- Many encryption forms exist
- Provides assurances
  - Data was not modified between being sent and received
  - Data can be viewed only by the intended recipient
  - Data was not forged by an intruder
Slide 29: Key Encryption
- Key: one type of encryption
- A random string of characters woven into the original data's bits; generates a unique data block
- Ciphertext: the scrambled data block
Slide 30: Figure: Key encryption and decryption
Slide 31: Key Encryption
- Private key encryption: data encrypted using a single key known only by sender and receiver
  - Drawback: the sender must somehow share the key with the recipient
- Symmetric encryption: the same key is used during both encryption and decryption
- DES (Data Encryption Standard): 56-bit key; secure at the time
- Triple DES: weaves the 56-bit key three times
- AES (Advanced Encryption Standard): weaves 128-, 160-, 192-, or 256-bit keys through the data multiple times
Slide 32: Key Encryption
- Public key encryption: data encrypted using two keys
- Key pair: combination of a public key and a private key
  - Private key: known only to the user
  - Public key: anyone may request it
- Public key server: publicly accessible host that freely provides users' public keys
- Key encryption types
  - Diffie-Hellman (1975) (first)
  - RSA (most popular)
  - RC4 (more secure; weaves the key multiple times)
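Slide 31 states the drawback of symmetric encryption (the key must somehow be shared) and slide 32 lists Diffie-Hellman as the first public-key type; the two fit together, since Diffie-Hellman exists precisely to let two parties agree on a symmetric key over a channel an eavesdropper can read. The example below is added here and is not the slides' code. It runs a Diffie-Hellman exchange with the 1024-bit MODP group from RFC 2409 (group 2, generator 2), derives a symmetric key from the shared secret, and then "weaves" that key into the data (slide 29) with a SHA-256 counter-mode keystream; that keystream is a stand-in for a real cipher such as AES, used only because the standard library has no AES. Labels and function names are this example's own, and the unauthenticated exchange shown is exactly what slide 5's man-in-the-middle attack targets, which is why slide 33's certificates exist.

```python
"""Diffie-Hellman key agreement followed by symmetric use of the agreed key.
Added example for slides 29, 31 and 32. The keystream cipher is illustrative only;
production code uses AES or another standard cipher."""
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409, group 2 (check against the RFC before real use).
P = int(
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74"
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437"
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED"
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"
    .replace(" ", ""), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private value x in [2, P-2]; public value g^x mod p is what goes on the wire."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv: int, their_pub: int) -> int:
    """Reject degenerate public values (0, 1, p-1) before exponentiating."""
    if not 2 <= their_pub <= P - 2:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_pub, my_priv, P)


def derive_key(shared: int, label: bytes) -> bytes:
    """Hash the raw shared secret into a fixed-size symmetric key."""
    return hashlib.sha256(label + shared.to_bytes(P_BYTES, "big")).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    The same call decrypts, which is the 'same key both ways' property of slide 31."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (offset // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def demo_exchange(message: bytes):
    """Both sides derive the same key from values exchanged in the clear."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Only a_pub and b_pub cross the network; a_priv and b_priv never leave their owners.
    key_a = derive_key(dh_shared_secret(a_priv, b_pub), b"demo-session")
    key_b = derive_key(dh_shared_secret(b_priv, a_pub), b"demo-session")
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(key_a, nonce, message)   # A encrypts
    recovered = keystream_xor(key_b, nonce, ciphertext) # B decrypts with its own copy
    return key_a == key_b, ciphertext, recovered


if __name__ == "__main__":
    same_key, ct, pt = demo_exchange(b"meet at the telco room")
    print("keys agree:", same_key, "| ciphertext:", ct.hex(), "| recovered:", pt)
```

Nothing in the exchange proves who the peer is: an intermediary can run two exchanges, one with each side, and relay traffic. Binding the public value to an identity is the job of the certificate authority and PKI on slide 33.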
Slide 33: Key Encryption
- Digital certificates: key management system; holds identification information; includes the public key
- CA (certificate authority): issues and maintains digital certificates; example: Verisign
- PKI (public key infrastructure): use of certificate authorities to associate public keys with certain users
Slide 34: PGP (Pretty Good Privacy) and SSL (Secure Sockets Layer)
- PGP: secures e-mail transmissions; developed by Phil Zimmermann (1990s); public key encryption system
- SSL: encrypts TCP/IP transmissions, e.g. web pages and web form data between client and server; uses public key encryption technology
- Web pages using HTTPS: HTTP over Secure Sockets Layer, HTTP Secure; uses TCP port 443
Slide 35: SSH (Secure Shell)
- Collection of protocols
- Secure Shell client: provides Telnet capabilities with security, SCP (Secure Copy), and SFTP (Secure File Transfer Protocol)
- Guards against security threats
- Encryption algorithm (depends on version): DES, Triple DES, RSA, Kerberos, others
- Open source versions available: OpenSSH
- A secure connection requires SSH running on both machines; requires public and private key generation
Slide 36: IPSec (Internet Protocol Security)
- Defines encryption, authentication, and key management for TCP/IP transmissions
- Enhancement to IPv4; native in IPv6
- Difference from other methods: encrypts data and adds security information to all IP packet headers
Slide 37: IPSec
- Two-phase authentication
- First phase: key management; two nodes agree on common parameters for key use
  - IKE (Internet Key Exchange): negotiates and authenticates keys
  - ISAKMP (Internet Security Association and Key Management Protocol): policies for verification
- Second phase: encryption; uses AH (Authentication Header) or ESP (Encapsulating Security Payload)
- Used with any TCP/IP transmission; most commonly used in a VPN context
Slide 38: Authentication Protocols
- Authentication: process of verifying a user's credentials
- Authentication protocols: rules computers follow to accomplish authentication
- Several authentication protocol types; they vary by encryption scheme and by the steps taken to verify credentials
Slide 39: AAA
- AAA (authentication, authorization, and accounting): a category of protocols that provide services to
  - Establish the client's identity
  - Examine credentials and allow or deny access
  - Track the client's system or network usage
Slide 40: RADIUS
- RADIUS (Remote Authentication Dial-In User Service): can operate as an application on a remote access server, or on a dedicated RADIUS server
- Highly scalable; may be used to authenticate wireless connections; can work in conjunction with other network servers
- Centralized service; often used to manage resource access
Slide 41: Figure: A RADIUS server on a network
Slide 42: PAP (Password Authentication Protocol)
- PAP authentication protocol: plays a role in AAA; operates over PPP
- Uses a two-step authentication process; simple; not secure: sends the client's credentials in clear text
Slide 43: Figure: Two-step authentication used in PAP
Slide 44: CHAP
- CHAP (Challenge Handshake Authentication Protocol): operates over PPP; encrypts user names and passwords
- Uses a three-way handshake
- Benefit over PAP: the password is never transmitted alone and never transmitted in clear text
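Slide 44 describes CHAP's three-way handshake without showing the messages. The following is an added example, not the slides' code, that carries out the exchange as RFC 1994 defines it: the authenticator sends a Challenge (random value plus its name), the peer answers with MD5(identifier || secret || challenge), and the authenticator replies Success or Failure. The password itself never crosses the wire, which is the benefit over PAP named on the slide. Peer and authenticator names, the secret and the packet framing helpers are this example's constructed assumptions.

```python
"""CHAP three-way handshake (RFC 1994 framing and MD5 response). Added example for
slide 44; names and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Code, Identifier, Length, then Value-Size/Value/Name (Challenge, Response)
    or a free-text Message (Success, Failure)."""
    body = bytes([len(value)]) + value + name if code in (CHALLENGE, RESPONSE) else name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_packet(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length field does not match packet size")
    if code in (CHALLENGE, RESPONSE):
        vsize = pkt[4]
        return code, identifier, pkt[5:5 + vsize], pkt[5 + vsize:]
    return code, identifier, b"", pkt[4:]          # Success/Failure carry only a message


class Authenticator:
    """The access server side: issues challenges, verifies responses."""

    def __init__(self, secrets_by_name: dict, name: bytes = b"nas01"):
        self.secrets = secrets_by_name
        self.name = name
        self.pending = {}                            # identifier -> outstanding challenge

    def challenge(self) -> bytes:
        identifier = secrets.randbelow(256)
        value = secrets.token_bytes(16)             # fresh random value every time
        self.pending[identifier] = value
        return build_packet(CHALLENGE, identifier, value, self.name)

    def verify(self, pkt: bytes) -> bytes:
        code, identifier, value, name = parse_packet(pkt)
        challenge = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(name)
        if code == RESPONSE and challenge is not None and secret is not None \
                and hmac.compare_digest(value, chap_digest(identifier, secret, challenge)):
            return build_packet(SUCCESS, identifier, b"", b"welcome")
        return build_packet(FAILURE, identifier, b"", b"authentication failed")


def peer_respond(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """The client side: hash the secret with the received challenge, send the hash."""
    _, identifier, challenge, _authenticator_name = parse_packet(challenge_pkt)
    return build_packet(RESPONSE, identifier, chap_digest(identifier, secret, challenge), name)


def run_handshake(secret_on_peer: bytes) -> int:
    """Full exchange; returns the code of the authenticator's final packet."""
    auth = Authenticator({b"alice": b"s3cret"})
    response = peer_respond(auth.challenge(), b"alice", secret_on_peer)
    return parse_packet(auth.verify(response))[0]


def run_replay() -> tuple:
    """A captured Response presented a second time fails: its challenge was consumed."""
    auth = Authenticator({b"alice": b"s3cret"})
    response = peer_respond(auth.challenge(), b"alice", b"s3cret")
    first = parse_packet(auth.verify(response))[0]
    second = parse_packet(auth.verify(response))[0]
    return first, second


if __name__ == "__main__":
    print("correct secret ->", run_handshake(b"s3cret"), "| wrong secret ->", run_handshake(b"wrong"))
    print("replayed response ->", run_replay())
```

What an eavesdropper does see is the challenge and the hash of the secret over it, which is the exposure slide 46 points to for CHAP and MS-CHAP: the strength of the secret is all that protects that captured pair from guessing.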
Slide 45: Figure: Three-way handshake used in CHAP
Slide 46: MS-CHAP
- MS-CHAP (Microsoft Challenge Authentication Protocol): used on Windows-based computers
- MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2): uses stronger encryption; does not use the same encryption strings for transmission and reception
- CHAP and MS-CHAP vulnerability: an eavesdropper could capture the character string encrypted with the password, then decrypt it
Slide 47: EAP (Extensible Authentication Protocol)
- Another authentication protocol; operates over PPP
- Works with, and needs, other encryption and authentication schemes in order to work
- EAP's advantages: flexibility, adaptability
Slide 48: 802.1x
- 802.1x specifies the use of one of many authentication methods plus EAP
- Grants access to, and dynamically generates and updates authentication keys for, transmissions to a particular port
- Primarily used with wireless networks; originally designed for wired LANs
- EAPoL (EAP over LAN)
- Only defines the process for authentication; commonly used with RADIUS authentication
Slide 49: Kerberos
- Cross-platform authentication protocol
- Uses key encryption to verify client identity
- Provides significant security advantages over simple NOS authentication
- Terms
  - KDC (Key Distribution Center): issues keys
  - AS (authentication service): runs on the KDC
  - Ticket: issued by the AS to the client
  - Principal: a Kerberos client
- Kerberos is a single sign-on: a single authentication gives access to multiple systems or resources
Slide 50: Wireless Network Security
- Wireless transmissions are susceptible to eavesdropping
- Techniques for encrypting wireless data
  - None
  - WEP
  - WPA
  - WPA2 (replaced WPA)
Slide 51: WEP (Wired Equivalent Privacy)
- 802.11 standard security: none by default
- Access points: no client authentication required prior to communication; the SSID is the only item required
- WEP: uses keys, the same for all users (WEP flaw); encrypts data in transit
  - First: 64-bit keys
  - Current: 128-bit and 256-bit keys
Slide 52: IEEE 802.11i and WPA (Wi-Fi Protected Access)
- 802.11i uses 802.1x to authenticate devices
- Dynamically assigns every transmission its own key; relies on TKIP (Temporal Key Integrity Protocol) to generate keys
- Uses AES encryption
- WPA (Wi-Fi Protected Access), now WPA2
  - Subset of 802.11i
  - Same authentication as 802.11i
  - Uses RC4 encryption instead of AES
Slide 53: Figure: Notable encryption and authentication methods
Slide 54: Summary
- Posture assessment is used to evaluate security risks
- A router's access control list directs forwarding or dropping of packets based on certain criteria
- Intrusion detection and intrusion prevention systems are used to monitor, alert, and respond to intrusions
- Firewalls selectively filter or block traffic between networks
- Various encryption algorithms
- Wireless security solutions
Slide 55: Misc
- Security policies: http://www.sans.org/resources/policies
- Password security: http://www.microsoft.com/security/online-privacy/passwords-create.aspx
- WiFi security: http://www.wi-fi.org/discover-and-learn/security
Slide 56: End of Chapter 11
Questions