Message Protocol (ICMP). This process adds additional complexity to the process. DoS attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot.
Routers
The primary instrument used for connectivity between two or more networks is the router. Routers work by providing a path between the networks. A router will have two connections used to join the networks. Each connection will have its own address and will appear as a valid address in its respective network. Figure 3.4 illustrates a router being connected between a LAN and a WAN.
FIGURE 3.4 Router connecting a LAN to a WAN
Routers are very intelligent devices, and they store information about the networks to which they are connected. Most routers can be configured to operate as packet-filtering firewalls. Many of the newer routers also provide advanced firewall functions.
Routers are also used to translate from LAN framing to WAN framing (for example, a router that connects the 10BaseT network to the T1 network shown in Figure 3.4). This is needed because the network protocols are different in LANs and WANs. Such routers are referred to as border routers. They serve as the outside connection of a LAN to a WAN, and they operate at the border of your network. Like the Border Patrol of many countries, they decide who can come in and under what conditions.
(Figure 3.4 annotation: the router physically isolates Network 1 from Network 2.)
Dividing internal networks into two or more subnetworks is a common use for routers. Routers can also be connected internally to other routers, effectively creating zones that operate autonomously. Figure 3.5 illustrates a corporate network that uses the combination of a border router for connection to an ISP and internal routers to create autonomous networks for communications. This type of connection keeps local network traffic off the backbone of the corporate network and provides additional security to internal users.
FIGURE 3.5 A corporate network implementing routers for segmentation and security
Routers establish communication by maintaining tables about destinations and local connections. A router contains information about the systems connected to it and where to send requests if the destination is not known. These tables grow as connections are made through the router.
Routers communicate routing and other information using three standard protocols (RIP, BGP, and OSPF). Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use RIP routinely broadcast the status and routing information of known routers. RIP also attempts to find routes between systems using the smallest number of hops or connections. Border Gateway Protocol (BGP) is a relatively new protocol that allows groups of routers to share routing information. Open Shortest Path First (OSPF) is a protocol that allows routing information to be updated faster than with RIP.
Routers are your first lines of defense, and they must be configured to pass only traffic that is authorized by the network administrators. In effect, a router can function as a firewall if it is configured properly.
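The routing-table behaviour described above (tables that grow as neighbors advertise routes, RIP preferring the smallest hop count, and a default route for destinations the router does not know) as an added, simplified model; this is not code from the book or from any router vendor. The topology, neighbor names A and B, the network prefixes and the "border" default route are constructed, and the RIP unreachable metric of 16 is a standard RIP value the page itself does not state.

```python
from dataclasses import dataclass
from typing import Optional

# RIP treats a metric of 16 as "unreachable" (standard RIP value, not stated on
# the page). Hop counts here are router hops, with 0 meaning directly connected.
RIP_INFINITY = 16
DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class Route:
    next_hop: str
    hops: int


def rip_update(table: dict, neighbor: str, advertised: dict) -> dict:
    """Merge one RIP advertisement from `neighbor` into the local table.

    `advertised` maps destination network -> hop count as the neighbor sees it.
    Distance-vector rule: our cost is the neighbor's cost plus one. A route is
    replaced only if the new cost is strictly smaller, or if the advertisement
    comes from the next hop we already use (worse news from it must be accepted).
    """
    for dest, hops in advertised.items():
        cost = min(hops + 1, RIP_INFINITY)
        current = table.get(dest)
        if current is not None and cost >= current.hops and current.next_hop != neighbor:
            continue  # not better, and not from our current next hop: ignore it
        if cost >= RIP_INFINITY:
            table.pop(dest, None)  # our next hop says unreachable: drop the route
        else:
            table[dest] = Route(neighbor, cost)
    return table


def next_hop_for(table: dict, dest: str) -> Optional[str]:
    """Where to send traffic for `dest`: the learned route, otherwise the default
    route (the page's "where to send requests if the destination is not known")."""
    route = table.get(dest) or table.get(DEFAULT_ROUTE)
    return route.next_hop if route else None


def build_example_table() -> dict:
    # Constructed topology: this router sits on 10.1.0.0/16, has two RIP
    # neighbors (A and B) and a static default route toward the border router.
    table = {"10.1.0.0/16": Route("direct", 0), DEFAULT_ROUTE: Route("border", 0)}
    rip_update(table, "A", {"10.2.0.0/16": 1, "10.3.0.0/16": 3})
    rip_update(table, "B", {"10.3.0.0/16": 1, "10.4.0.0/16": 2})  # fewer hops to 10.3 wins
    # A later reports 10.3.0.0/16 unreachable; we route it via B, so nothing changes.
    rip_update(table, "A", {"10.3.0.0/16": RIP_INFINITY})
    return table
```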
Switches
Switches are multiport devices that improve network efficiency. A switch will typically have a small amount of information about systems in a network. The use of switches improves network efficiency because of the virtual circuit capability. Switches also improve network security because the virtual circuits are more difficult to examine with network monitors. You can think of a switch as a device that has some of the capabilities of routers and hubs. The switch maintains limited routing information about systems in the internal network and allows connections to systems like a hub. Many modern hubs also provide switching capabilities. Figure 3.6 shows a switch in action between two workstations in a LAN. The connection is not usually secure nor is it encrypted; however, it does not leave the switched area and become part of the overall broadcast traffic as typically found on a star-based or bus-based LAN.
FIGURE 3.6 Switching between two systems
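An added model (not from the book) of why a switched "virtual circuit" is harder for a network monitor to see than hub traffic: a learning switch delivers a unicast frame only to the port where it learned the destination, while a hub repeats everything. It also shows the caveat that frames for a destination the switch has not learned yet, and broadcasts, are still flooded to every port. The MAC addresses, port numbers and the three-frame conversation are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame to every other port, so any port sees all traffic."""
    def __init__(self, port_count):
        self.ports = range(port_count)

    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class LearningSwitch(Hub):
    """A learning switch records the port each source MAC was seen on and then
    delivers unicast frames only to that port, forming a private circuit between
    two stations. Unknown destinations and broadcasts are still flooded, which is
    why a monitor on another port still sees some frames."""
    def __init__(self, port_count):
        super().__init__(port_count)
        self.mac_table = {}

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port                  # learn the sender's port
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            return super().forward(in_port, src, dst)  # flood exactly like a hub
        return [] if out == in_port else [out]


# Constructed scenario: workstation A on port 0, B on port 1, and a network
# monitor listening on port 3. The MACs are locally administered (made up).
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
PORT_A, PORT_B, MONITOR_PORT = 0, 1, 3
CONVERSATION = [
    (PORT_A, MAC_A, MAC_B),  # A -> B: B not yet learned, so the switch floods
    (PORT_B, MAC_B, MAC_A),  # B -> A: A was learned from the first frame
    (PORT_A, MAC_A, MAC_B),  # A -> B: both known now, goes only to port 1
]


def frames_seen_by_monitor(device):
    """Count how many frames of the conversation reach the monitor's port."""
    return sum(MONITOR_PORT in device.forward(*frame) for frame in CONVERSATION)


def compare():
    """(frames the monitor sees on a hub, frames it sees on a learning switch)."""
    return frames_seen_by_monitor(Hub(4)), frames_seen_by_monitor(LearningSwitch(4))
```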
Wireless Access Points
The primary method of connecting a wireless device to a network is with a wireless portal. A wireless access point is a low-power transmitter/receiver, also known as a transceiver, which is strategically placed for access. The portable device and the access point communicate using one of several communications protocols including IEEE 802.11 (also known as Wireless Ethernet).
Wireless communications, as the name implies, do not use wires as the basis for communication. Most frequently, they use a portion of the Radio Frequency (RF) spectrum called microwave. Wireless communication methods are becoming more prevalent in computing because the cost of the transmitting and receiving equipment has fallen drastically over the last few years. Wireless also offers mobile connectivity within a campus, building, or even a city. Most wireless frequencies are shared frequencies, in that more than one person may be using the same frequency for communication. Figure 3.7 illustrates a wireless portal being used to connect a computer to a company network. Notice that the portal connects to the network and is treated as any other connection used in the network.
FIGURE 3.7 Wireless access point and workstation
Wireless communications, although convenient, are not usually secure. Virtually any police scanner can be used to intercept the frequencies that wireless access points use. Connecting the output from the scanner to the audio port on a PC, using very inexpensive software, and decoding wireless communications is a relatively straightforward proposition. If wireless portals are installed in a building, the signals will frequently radiate past the inside of the building, and they can be detected and decoded outside of the building using very inexpensive equipment. Most of the newer wireless controllers use special ID numbers and must be configured in the network cards to allow communications. Using ID number configurations does not necessarily prevent wireless networks from being monitored.
Never assume that a wireless connection is secure. The emissions from a wireless portal may be detectable through walls and for several blocks from the portal. Interception is extremely easy to accomplish given that RF is the medium used for communication. Newer wireless devices offer data security. If this is available, it should be used.
Modems
A modem is a hardware device that connects the digital signals from a computer to the analog telephone line. It allows these signals to be transmitted longer distances than are possible with digital signals. The word “modem” is an amalgam of the words “modulator” and “demodulator,” which are the two functions that occur during transmission.
Modems present a unique set of challenges from a security perspective. Most modems will answer any call made to them when connected to an outside line. Once the receiving modem answers the phone, it will generally synchronize with a caller’s modem and make a connection. A modem, when improperly connected to a network, can allow instant unsecured access to the data and resources in a system or network. Many of the PCs being built and delivered today come standard with internal modems. If a physical security breach occurs, a modem can be used as a remote connection to your network that allows unrestricted access. This can occur with no knowledge on the part of the owner of the system or the network administrators. Modems, unless specifically needed, should be disabled or removed completely from network workstations. If this is not possible, they should be configured so as not to auto-answer incoming calls.
Many preconfigured administrative systems provide modem connections for remote maintenance and diagnostics. These connections should be either password-protected or have a cut-off switch so that they do not expose your network to security breaches.
Remote Access Services
Remote Access Services (RAS) is a product offered by Microsoft on Windows-based products to facilitate the process of connecting two computers via a modem or other connection over a long distance. You will encounter the term RAS used interchangeably to describe both the Microsoft product and the process of connecting remote systems. Figure 3.8 depicts a dial-up connection being made from a workstation to a network using a RAS server on the network. In this case, the connection is being made between a Windows-based system and a Windows Server using POTS (Plain Old Telephone Service) and a modem.
FIGURE 3.8 A RAS connection between a remote workstation and a Windows server
The RAS connection is accomplished via dial-up or network technologies, such as VPNs, ISDN, DSL, or cable modems. RAS connections may be secure or in the clear, depending on the protocols that are used in the connection.
Telecom/PBX Systems
Telecommunications or telecom capabilities have undergone radical changes in the last 10 years. The telephone systems and technologies available to deal with communications have given many small businesses fully integrated voice and data services at very reasonable prices.
These changes have complicated the security issues that must be handled. One of the primary tools in communication systems is the Private Branch Exchange (PBX) system. PBX systems now allow users to connect voice, data, pagers, networks, and almost any other conceivable application into a single telecommunication system. In short, a PBX system allows a company to be its own phone company.
The technology is developing to the point where all communications occur via data links to phone companies using standard data transmission technologies, such as T1 or T3. This means that both voice and data communications are occurring over the same network connection to a phone company or a provider. This allows a single connection for all communications to a single provider of these services.
Potentially, your phone system is a target for attack. Figure 3.9 shows a PBX system connected to a phone company using a T1 line. The phone company, in this drawing, is abbreviated CO (Central Office). The CO is where the phone company systems that deal with routing and switching of calls and services exist.
If your phone system is part of your data communication network, an attack on your network will bring down your phone system. This can cause the stress level in a busy office to increase dramatically.
The problems of security in this situation also increase because now you must also work to assure security for your voice communications. No incidents of phone systems being attacked by malicious code have been reported yet, but such attacks will probably become a concern in the near future.
FIGURE 3.9 A modern digital PBX system integrating voice and data onto a single network connection
Imagine if you will that someone left a voice message for the president of your company. A phreaker (someone who abuses phone systems, as opposed to data systems) might intercept this message, alter it, and put it back. The results of this prank could cause a calamity for the company (or at least you). Make sure that the default password is changed after the installation has occurred on the maintenance and systems accounts.
Virtual Private Network
A Virtual Private Network (VPN) is a private network connection that occurs through a public network. A private network provides security over an otherwise unsecure environment. VPNs can be used to connect LANs together across the Internet or other public networks. A VPN requires either special hardware to be installed or a VPN software package running on servers and workstations. With a VPN, the remote end appears to be connected to the network as if it were connected locally.
VPNs typically use a tunneling protocol such as L2TP, IPSec, and PPTP. Figure 3.10 shows a remote network being connected to a LAN using the Internet and a VPN. This connection appears to be a local connection, and all message traffic and protocols are available across the VPN.
FIGURE 3.10 Two LANs being connected using a VPN across the Internet
VPNs are becoming the connection of choice when establishing an Extranet or Intranet between two or more remote offices. The major security concern when using a VPN is encryption. PPTP offers some encryption capabilities, although it is weak. IPSec offers higher security, and it is becoming the encryption system used in many secure VPN environments.
Even though a VPN is created through the Internet or other public network, the connection logically appears to be a part of the local network. This is why a VPN connection used to establish a connection between two private networks across the Internet is considered a private connection or an Extranet.
(Figure 3.10 annotation: the VPN channel between the two local networks across the Internet appears dedicated.)
Network Monitoring and Diagnostics
Network monitoring is an area as old as data communications. Network monitoring is the process of using a data-capture device or other method to intercept information from a network. Network monitors come in one of two forms. This section will introduce you to network monitors, commonly referred to as sniffers, and Intrusion Detection Systems (IDS). These tools allow you to examine the actual activity on your network or, in the case of an IDS, add intelligence to the process, monitor system logs, monitor suspicious activities, and take corrective action when needed.
The concepts of network monitoring and IDS are briefly covered here, and they are covered in greater detail later in the book in Chapter 4, “Monitoring Communications Activity.”
Network Monitors
Network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems. Simple network configuration programs, like IPCONFIG, do not get down on the wire and tell you what is physically happening on a network. Examining the signaling and traffic that occurs on a network requires a network monitor. Early monitors were bulky and required a great deal of expertise to use. Like most things in the computer age, they have gotten simpler, smaller, and less expensive. Network monitors are now available for most environments, and they are very effective and easy to use. Today network-monitoring systems usually consist of a PC with a NIC card and monitoring software. This monitoring software is menu-driven, is easy to use, and has a big help file. The traffic displayed by sniffers can become overly technical and require additional technical materials. You can buy these materials at most bookstores, or you can find them on the Internet for free. With a few hours of work, most people can make network monitors work efficiently and use the data they present.
Sniffer is a trade name like Kleenex. It’s the most well-known network monitor, so everyone started calling network monitoring hardware “sniffers.”
Intrusion Detection Systems
Intrusion Detection Systems (IDS) have been marketed as the ultimate and final answer to network security. An IDS is software that runs on either individual workstations or on network devices to monitor and track network activity. Using an IDS, a network administrator can configure the system to respond just like a burglar alarm in your building. IDS systems can be configured to evaluate systems logs, look at suspicious network activity, and disconnect sessions that appear to violate security settings.
The technology shows great promise, but it is still relatively new. Many vendors have oversold the simplicity of these tools. They are quite involved and require a great deal of planning and maintenance to work effectively. Many manufacturers are selling IDS systems with firewalls, and this area shows great promise. Firewalls by themselves will prevent many common attacks, but they do not usually have the intelligence or the reporting capabilities to monitor the entire network. An IDS, in conjunction with a firewall, allows both a reactive posture with the firewall and a preventative posture with the IDS. Figure 3.11 illustrates an IDS working in conjunction with a firewall to increase security.
FIGURE 3.11 An IDS and a firewall working together to secure a network
In the event the firewall is compromised or penetrated, the IDS system can react by disabling systems, ending sessions, and even potentially shutting down your network. This provides a higher level of security than either device provides by itself. If it helps, think of the IDS/firewall combination as a camera and a safe. The safe prevents many burglars from gaining access, and the camera catches them in the act.