Network+ Guide to Networks, Fourth Edition
Chapter 14 Network Security

Objectives
• Identify security risks in LANs and WANs and design security policies that minimize risks
• Explain how physical security contributes to
network security
• Discuss hardware- and design-based security
techniques
• Use network operating system techniques to
provide basic security

Objectives (continued)
• Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit
• Describe how popular authentication protocols,
such as RADIUS, TACACS, Kerberos, PAP,
CHAP, and MS-CHAP, function
• Understand wireless security protocols, such as
WEP, WPA, and 802.11i

– At least annually, preferably quarterly
• The more devastating a threat’s effects and the
more likely it is to happen, the more rigorously your security measures should address it
• In-house or third-party audits

– Undeveloped security policies
• Malicious and determined intruders may “cascade” their techniques

Risks Associated with People
• Human errors, ignorance, and omissions cause
majority of security breaches
• Risks associated with people:
– Social engineering or snooping to obtain passwords
– Incorrectly creating or configuring user IDs, groups, and their associated rights on file server
– Overlooking security flaws in topology or hardware configuration
– Overlooking security flaws in OS or application
configuration

Risks Associated with People (continued)
• Risks associated with people (continued):
– Dishonest or disgruntled employees
– Unused computer or terminal left logged on
– Easy-to-guess passwords
– Leaving computer room doors open or unlocked
– Discarding disks or backup tapes in public waste

Risks Associated with Transmission and Hardware
• Risks inherent in network hardware and design:
– Transmissions can be intercepted
– Networks using leased public lines vulnerable to
eavesdropping
– Network hubs broadcast traffic over entire segment
– Unused hub, router, or server ports can be exploited and accessed by hackers
– Not properly configuring routers to mask internal
subnets

Risks Associated with Transmission and Hardware (continued)
• Risks inherent in network hardware and design
(continued):
– Modems attached to network devices may be
configured to accept incoming calls
– Dial-in access servers may not be carefully secured and monitored
– Computers hosting very sensitive data may coexist on the same subnet with computers open to public
– Passwords for switches, routers, and other devices may not be sufficiently difficult to guess, changed

Risks Associated with Protocols
– TCP/IP contains several security flaws
– Trust relationships between one server and another may allow hackers to access entire network
– NOSs may contain “back doors” or security flaws
allowing unauthorized access to system

Risks Associated with Protocols and
– Administrators might accept the default security
options after installing an OS or application (often not optimal)
– Transactions that take place between applications may be open to interception

Risks Associated with Internet Access
• Common Internet-related security issues:
– Firewall may not be adequate protection, if not
configured properly
• IP spoofing
– When user Telnets or FTPs to site over Internet,
user ID and password transmitted in plain text
– Hackers may obtain information about user IDs from newsgroups, mailing lists, forms filled out on Web
– Flashing

An Effective Security Policy
• Security policy identifies security goals, risks, levels
of authority, designated security coordinator and
team members, responsibilities for team members, responsibilities for each employee
– Specifies how to address security breaches
– Should not state exact hardware, software,
architecture, or protocols used to ensure security
• Nor how hardware or software will be installed and configured
– Details change occasionally

Security Policy Goals
• Typical goals for security policies:
– Ensure authorized users have appropriate access to resources
– Prevent unauthorized users from gaining access to network, systems, programs, or data
– Protect sensitive data from unauthorized access
– Prevent accidental or intentional damage to

Security Policy Content
• After risks identified and responsibilities assigned, policy’s outline should be generated
• Possible subheadings: Passwords; Software
installation; Confidential and sensitive data;
Network access; E-mail use; Internet use; Modem use; Remote access; Connecting to remote
locations, Internet, and customers’ and vendors’
networks; Use of laptops and loaner machines;
Computer room access

Security Policy Content (continued)
• Explain to users what they can and cannot do and how these measures protect network’s security
• Create separate section of policy that applies only
to users
• Define what “confidential” means to organization

– Technical support specialist
– Public relations specialist
• After resolving a problem, team reviews what
happened, determines how it might have been
prevented, implements measures to prevent future problems

Physical Security
• Restrict physical access to components
– Computer room, hubs, routers, switches, etc.
• Locks may be physical or electronic
– Electronic access badges
– Numeric key codes
– Bio-recognition access
• Closed-circuit TV systems
• Most important way to ensure physical security is
to plan for it

Security in Network Design: Firewalls
• Selectively filter or block traffic between networks
– Hardware-based, software-based, or combination
• Packet-filtering firewall examines header of every packet of data received
– Common filtering criteria:
• IP addresses
• Ports
• Flags set in IP header
• Transmissions that use UDP or ICMP
• First packet in new data stream?
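An added example, not from the original slides: a minimal stateless packet filter that inspects the header fields listed above (source address, protocol, destination port, TCP flags, and whether the packet opens a new stream). The rule set, addresses, and the `build` helper are constructed for illustration.

```python
import ipaddress
import struct

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed rule set: (action, protocol, source network, dest port, new-only).
# First match wins; anything unmatched is denied.
RULES = [
    ("deny",  "any", "203.0.113.0/24", None, False),  # blocked source range
    ("allow", "tcp", "0.0.0.0/0",      443,  False),  # HTTPS to the web server
    ("deny",  "tcp", "0.0.0.0/0",      None, True),   # any other inbound connection attempt
    ("allow", "tcp", "0.0.0.0/0",      None, False),  # packets of already-open streams
]

def parse(packet: bytes) -> dict:
    """Pull out the IPv4/TCP/UDP header fields the filter inspects."""
    ihl = (packet[0] & 0x0F) * 4                       # IP header length in bytes
    info = {"proto": PROTO.get(packet[9], "other"),
            "src": ipaddress.ip_address(packet[12:16]),
            "dport": None, "new": False}
    if info["proto"] in ("tcp", "udp"):
        info["dport"] = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if info["proto"] == "tcp":
        flags = packet[ihl + 13]
        info["new"] = bool(flags & 0x02) and not flags & 0x10   # SYN set, ACK clear
    return info

def decide(packet: bytes) -> str:
    """Stateless decision: the flags are taken at face value, no connection table."""
    p = parse(packet)
    for action, proto, net, dport, new_only in RULES:
        if (proto in ("any", p["proto"])
                and p["src"] in ipaddress.ip_network(net)
                and dport in (None, p["dport"])
                and (p["new"] or not new_only)):
            return action
    return "deny"                                      # default deny covers UDP and ICMP here

def build(src: str, proto: int, dport: int = 0, flags: int = 0) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus a TCP-shaped header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address("192.0.2.10").packed)
    return ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)

if __name__ == "__main__":
    for args in [("203.0.113.7", 6, 443, 0x02), ("198.51.100.5", 6, 443, 0x02),
                 ("198.51.100.5", 6, 23, 0x02), ("198.51.100.5", 17, 53)]:
        print(args, "->", decide(build(*args)))
```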

Security in Network Design: Firewalls (continued)
• Factors when choosing a firewall:
– Supports encryption?
– Supports user authentication?
– Allows central management?
– Easily establishes rules for access?
– Supports filtering at highest layers of OSI Model?
– Provides logging, auditing, alerting capabilities?
– Protects identity of internal LAN’s addresses?
• Cannot distinguish between user trying to breach firewall and user authorized to do so

Proxy Servers
• Proxy service: software that acts as intermediary
between external and internal networks
– Screen all incoming and outgoing traffic
• Manage security at Application layer
• May be combined with firewall for greater security
• Improve performance for users accessing
resources external to network by caching files

Proxy Servers (continued)
Figure 14-4: A proxy server used on a WAN

Remote Access
• Must remember that any entry point to a LAN or
WAN creates potential security risk
• Remote control:
– Can present serious security risks
– Most remote control software programs offer
features that increase security
– Desirable security features:
• User name and password requirement
• Ability of host system to call back

Remote Access (continued)
• Remote control (continued):
– Desirable security features (continued):
• Ability to leave host system’s screen blank while remote user works
• Ability to disable host system’s keyboard and mouse
• Ability to restart host system when remote user disconnects

Remote Access (continued)
• User name and password authentication
• Ability to log all dial-up connections, their sources, and their connection times
• Ability to perform callbacks to users
• Centralized management of dial-up users and their

Network Operating System Security
• Regardless of NOS, can implement basic security
by restricting what users authorized to do
– Limit public rights
– Administrators should group users according to
security levels

• Tips for making and keeping passwords secure:
– Always change system default passwords
– Do not use familiar information
– Do not use dictionary words
– Make password longer than eight characters
– Choose combination of letters and numbers
– Do not write down or share passwords
– Change password at least every 60 days
– Do not reuse passwords

• Use of algorithm to scramble data into format that can be read only by reversing the algorithm
• Encryption provides following assurances:
– Data not modified after sender transmitted it and
before receiver picked it up
– Data can only be viewed by intended recipient
– All data received at intended destination truly issued
by stated sender and not forged by an intruder

Key Encryption
• Key: random string of characters
• Weaves key into original data’s bits to generate
unique data block
– Ciphertext
– Longer keys make it more difficult to decrypt
– Hackers may attempt to crack a key by using brute force attack
• Keys randomly generated by encryption software

Private Key Encryption
• Data encrypted using single key that only sender and receiver know
• Data Encryption Standard (DES): 56-bit key
– Triple DES (3DES): weaves 56-bit key through data three times
• Advanced Encryption Standard (AES): weaves
128-, 160-, 192-, or 256-bit keys through data
multiple times
– Used in military communication
• Sender must share key with recipient

Public Key Encryption
• Data encrypted using two keys:
– Private key
– Public key associated with user
• Public key server: publicly accessible host that
freely provides list of users’ public keys
• Key pair: combination of public key/private key
• Public keys more vulnerable than private keys
– Use longer keys
– RSA: most popular public key algorithm
• Digital certificate: password-protected, encrypted

PGP (Pretty Good Privacy)
• Typical e-mail communication is highly insecure
• PGP: public key encryption system that can verify authenticity of an e-mail sender and encrypt e-mail data in transmission
– Freely available
– Most popular tool for encrypting e-mail
– Can be used to encrypt data on storage devices or with applications other than e-mail

SSL (Secure Sockets Layer)
• Method of encrypting TCP/IP transmissions en
route between client and server
– Public key encryption
• HTTPS (HTTP over Secure Sockets Layer): uses TCP port 443, rather than port 80
• SSL session: association between client and server defined by agreement on specific set of encryption techniques
– Created by SSL handshake protocol
• IETF has attempted to standardize SSL with

SSH (Secure Shell)
• Provides remote connections to hosts
– With authentication and security for transmitting data
– Guards against unauthorized access to host, IP spoofing, interception of data in transit, and DNS spoofing
– Variety of encryption algorithms can be used
• To form secure connection, must be running on
client and server
• Must first generate public and private keys on client workstation
– ssh-keygen command

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
• SCP: allows secure copying of files from one host
to another
– Replaces FTP
• SFTP: slightly different from SCP
– Used with proprietary version of SSH
– Does more than copy files

IPSec (Internet Protocol Security)
• Defines encryption, authentication, and key
management for TCP/IP transmissions
– Encrypts data by adding security information to
header of IP packets
– Operates at Network layer
• Accomplishes authentication in two phases:
– Key management: Internet Key Exchange (IKE)
– Encryption: authentication header (AH) or
Encapsulating Security Payload (ESP)
• Can be used with any type of TCP/IP transmission

Authentication Protocols: RADIUS and TACACS
• Authentication protocols: rules that computers
follow to accomplish authentication
• RADIUS: provides centralized network
authentication and accounting for multiple users
– Runs over UDP
– Can operate as software application on remote
access server or on a RADIUS server
– Often used with dial-up networking connections
• Terminal Access Controller Access Control System

Authentication Protocols: RADIUS and TACACS (continued)
Figure 14-8: A RADIUS server providing centralized authentication

PAP (Password Authentication Protocol)
• Authentication protocol that works over PPP
– Simple, not very secure
– Does not protect against possibility of malicious
intruder attempting to guess user’s password through brute force attack

CHAP and MS-CHAP
• Challenge Handshake Authentication Protocol
(CHAP): operates over PPP
– Encrypts user names and passwords
– Three-way handshake
– Password never transmitted alone or as clear text
• Microsoft Challenge Authentication Protocol (MS-CHAP): similar to CHAP
– Used on Windows systems
– MS-CHAPv2 uses stronger encryption
• Mutual authentication: both computers verify credentials of the other
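An added example, not from the original slides: the CHAP three-way handshake with both sides' messages, using the response hash defined in RFC 1994. The `Authenticator` class, the user name, and the shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value from RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server end of one PPP link; `secrets` maps user name to shared secret."""
    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.ident = 0
        self.outstanding = None          # challenge waiting for a response

    def challenge(self):
        """Message 1: a fresh, unpredictable challenge with a new identifier."""
        self.ident = (self.ident + 1) % 256
        self.outstanding = os.urandom(16)
        return self.ident, self.outstanding

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Message 3: recompute the hash locally; each challenge is accepted once."""
        value, self.outstanding = self.outstanding, None
        secret = self.secrets.get(name)
        if value is None or secret is None or ident != self.ident:
            return False
        return hmac.compare_digest(response, chap_response(ident, secret, value))

def run_exchange() -> dict:
    secret = b"constructed-shared-secret"           # sample value, not from the page
    server = Authenticator({"alice": secret})
    ident, value = server.challenge()               # 1. server -> client
    response = chap_response(ident, secret, value)  # 2. client -> server (name + hash)
    results = {"valid": server.verify(ident, "alice", response)}  # 3. success or failure

    # The same captured response sent again: no challenge is outstanding.
    results["replayed"] = server.verify(ident, "alice", response)
    # The captured response against a new challenge: the hash no longer matches.
    ident2, _ = server.challenge()
    results["stale"] = server.verify(ident2, "alice", response)
    # A client that does not know the secret.
    ident3, value3 = server.challenge()
    results["wrong_secret"] = server.verify(
        ident3, "alice", chap_response(ident3, b"guess", value3))
    return results

if __name__ == "__main__":
    print(run_exchange())
```

The password itself never crosses the link, but the challenge and the response both do, so the exchange is only as strong as the shared secret.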

EAP (Extensible Authentication Protocol)
• Another extension to PPP protocol suite
– Does not perform encryption or authentication
– Requires authenticator to initiate authentication process by asking connected computer to verify itself
– Flexible: supported by most OSs and can be used with any authentication method
– Works with biorecognition and wireless protocols

• Cross-platform authentication protocol
– Uses key encryption to verify identity of clients and
to securely exchange information
– Significant advantages over NOS authentication
• Does not automatically trust clients
• Requires client to prove identity through third party
– Key Distribution Center (KDC): server that issues
keys
– Authentication service (AS): authenticates a principal

– AS creates ticket allowing user to use service
• Contains key that can only be decrypted by service
– User’s computer creates time stamp for request
• Encrypts with session key (authenticator)

Wireless Network Security: WEP (Wired Equivalent Privacy)
• Wireless transmissions susceptible to
eavesdropping
– War driving
• By default, 802.11 standard does not offer security
– Allows for optional encryption using WEP
• Uses keys to authenticate network clients and encrypt data in transit
• Network key
• On Windows XP, network key can be saved as part of wireless connection’s properties

IEEE 802.11i and WPA (Wi-Fi Protected Access)
• Uses EAP with strong encryption scheme
– Dynamically assigns every transmission own key
– Logging on to wireless network more complex than with WEP
– AP acts as proxy between remote access server and station until station successfully authenticates
– Requires mutual authentication
– After authentication, remote access server instructs
AP to allow traffic from client into network
– Client and server agree on encryption key

IEEE 802.11i and WPA (continued)
• 802.11i specifies AES encryption method
– Mixes each packet in data stream with different key
• WPA: subset of 802.11i standard
– Main difference from 802.11i is that WPA specifies RC4 encryption rather than AES

• Every organization should assess its security risks by conducting a security audit at least annually
• One of the most common methods by which an
intruder gains access to a network is to simply ask
a user for his password
• There are many security risks that a network
administrator must guard against, including risks associated with people, network transmission and design, and network protocols and software