Securing the Network Infrastructure


DOCUMENT INFORMATION

Basic information

Title: Securing the network infrastructure
School: Standard University
Major: Network Security
Type: Essay
Year published: 2023
City: standard city
Format:
Pages: 56
Size: 540.5 KB


Contents

Securing the Network Infrastructure

Page 2

Objectives

• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies

Page 3

Working with the Network Cable Plant

• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
• Three types of transmission media:
  – Coaxial cables
  – Twisted-pair cables
  – Fiber-optic cables

Page 4

Coaxial Cables

• Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding

Page 5

Coaxial Cables (continued)

• Thin coaxial cable looks similar to the cable that carries a cable TV signal
• A braided copper mesh channel surrounds the insulation, and everything is covered by an outer shield of insulation for the cable itself
• The copper mesh channel protects the core from interference
• BNC connectors: connectors used on the ends of a thin coaxial cable

Page 6

Coaxial Cables (continued)

[Figure 5-1 Thin coaxial cable; labels in the figure: sheath, insulation (PVC, Teflon)]

Page 7

Twisted-Pair Cables

• Standard for copper cabling used in computer networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Page 8

Twisted-Pair Cables (continued)

• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce

Page 9

Fiber-Optic Cables

• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper, which transmits light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket

Page 10

Fiber-Optic Cables (continued)

• Classified by the diameter of the core and the diameter of the cladding
  – Diameters are measured in microns; each micron is about 1/25,000 of an inch or one-millionth of a meter
• Two types:
  – Single-mode fiber cables: used when data must be transmitted over long distances
  – Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

Page 11

Securing the Cable Plant

• Securing cabling outside the protected network is not the primary security issue for most organizations
• Focus is on protecting access to the cable plant in the internal network
• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

Page 12

Securing the Cable Plant (continued)

• The attacker can capture packets as they travel through the network by sniffing
  – The hardware or software that performs such functions is called a sniffer
• Physical security
  – First line of defense
  – Protects the equipment and infrastructure itself
  – Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

Page 13

Securing Removable Media

• Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
• An employee copying data to a floppy disk or CD and carrying it home poses two risks:
  – Storage media could be lost or stolen, compromising the information
  – A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

Page 14

• The capacity of today's 3 1/2-inch disks is 1.4 MB
• Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
• Magnetic tape drives record information in a serial fashion

Page 15

Optical Media

• Optical media use a principle for recording information different from magnetic media
• A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
• Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
• Data cannot be changed once recorded

Page 16

Optical Media (continued)

• A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
• A Digital Versatile Disc (DVD) can store much larger amounts of data
  – DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Page 17

Electronic Media

• Electronic media use flash memory for storage
  – Flash memory is a solid-state storage device; everything is electronic, with no moving or mechanical parts
• SmartMedia cards range in capacity from 2 MB to 128 MB
  – The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Page 18

Electronic Media (continued)

• CompactFlash card
  – Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
  – Comes in 33 mm and 55 mm thicknesses and stores between 8 MB and 192 MB of data
• USB memory stick is becoming very popular
  – Can hold between 8 MB and 1 GB of memory

Page 19

Keeping Removable Media Secure

• Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Page 20

Hardening Network Devices

• Each device that is connected to a network is a potential target of an attack and must be properly protected
• Network devices to be hardened are categorized as:
  – Standard network devices
  – Communication devices
  – Network security devices

Page 21

Hardening Standard Network Devices

• A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
• This equipment has basic security features that you can use to harden the devices

Page 22

Workstations and Servers

• Workstation: personal computer attached to a network (also called a client)
  – Connected to a LAN and shares resources with other workstations and network equipment
  – Can be used independently of the network and can have its own applications installed
• Server: computer on a network dedicated to managing and controlling the network
• Basic steps to harden these systems are outlined on page 152

Page 23

Switches and Routers

• Switch
  – Most commonly used in Ethernet LANs
  – Receives a packet from one network device and sends it to the destination device only
  – Limits the collision domain (part of the network on which multiple devices may attempt to send packets simultaneously)
• A switch is used within a single network
• Routers connect two or more single networks to form a larger network

Page 24

Switches and Routers (continued)

• Switches and routers must also be protected against attacks
• Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
• Software agents are loaded onto each network device to be managed

Page 25

Switches and Routers (continued)

• Each agent monitors network traffic and stores that information in its management information base (MIB)
• A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
• Page 154 lists defensive controls that can be set for switches and routers

Page 26

Hardening Communication Devices

• A second category of network devices is those that communicate over longer distances

Page 27

Modems

• Most common communication device
• Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher
• Two popular broadband technologies:
  – Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines
  – Another broadband technology uses the local cable television system

Page 28

Modems (continued)

• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
• Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time

Page 29

Remote Access Servers

• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Page 30

Remote Access Servers (continued)

[Figure 5-16 Remote access connection]

Page 31

Remote Access Servers (continued)

• Remote access clients can run almost all network-based applications without modification
  – Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
• Minimum security features are listed on page 158

Page 32

Telecom/PBX Systems

• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that make up its name:
  – Private
  – Branch
  – eXchange

Page 33

Mobile Devices

• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot "beam" a virus through a wireless connection

Page 34

Hardening Network Security Devices

• The final category of network devices includes those designed and used strictly to protect the network

Page 35

Firewalls

• Typically used to filter packets
• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
• Typically located outside the network security perimeter as the first line of defense
• Can be software or hardware configurations

Page 36

Firewalls (continued)

• Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
  – Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
  – One disadvantage is that it is only as strong as the operating system of the computer

Page 37

Firewalls (continued)

• Filter packets in one of two ways:
  – Stateless packet filtering: permits or denies each packet based strictly on the rule base
  – Stateful packet filtering: records the state of a connection between an internal computer and an external server; makes decisions based on the connection and the rule base
• Can perform content filtering to block access to undesirable Web sites
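As an added example (not part of the slide deck), the following Python sketch models the two filtering methods above on constructed addresses: the stateless rule base admits any inbound packet with the ACK flag set as "established" traffic, while the stateful filter only admits inbound packets that match a connection it recorded from outbound traffic.

```python
"""Stateless vs stateful packet filtering, as a small simulation (example code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S" = SYN, "A" = ACK, "SA" = SYN/ACK
    inbound: bool   # True if arriving from outside the perimeter


def stateless_filter(pkt: Packet) -> bool:
    """Rule base only: every packet is judged in isolation.
    Rule 1: permit all outbound.  Rule 2: permit inbound only when ACK is set,
    the usual stand-in for 'part of an established connection'."""
    if not pkt.inbound:
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Same rule base, plus a connection table that records what inside hosts opened."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound traffic is admitted only if it answers a recorded connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare() -> dict[str, bool]:
    """Run both filters over three constructed packets and return the decisions."""
    request = Packet("10.0.0.5", 40000, "203.0.113.10", 80, "S", inbound=False)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, "SA", inbound=True)
    # Inbound packet with ACK set that no inside host asked for.
    unsolicited = Packet("198.51.100.7", 4444, "10.0.0.5", 22, "A", inbound=True)

    stateful = StatefulFilter()
    stateful.filter(request)    # outbound request recorded in the connection table
    return {
        "stateless_permits_reply": stateless_filter(reply),
        "stateless_permits_unsolicited": stateless_filter(unsolicited),  # the weakness
        "stateful_permits_reply": stateful.filter(reply),
        "stateful_permits_unsolicited": stateful.filter(unsolicited),    # blocked
    }
```

The stateless rule base lets the unsolicited packet through because its flags alone satisfy the "established" rule; the stateful filter refuses it because no inside host opened that connection.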

Page 39

Intrusion-Detection Systems (IDSs)

• Devices that establish and maintain network security
• Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
  – Installed on the server or, in some instances, on all computers on the network
• Passive IDS sends information about what happened, but does not take action

Page 40

Intrusion-Detection Systems (IDSs) (continued)

• Host-based IDS monitors critical operating system files and the computer's processor activity and memory; scans event logs for signs of suspicious activity
• Network-based IDS monitors all network traffic instead of only the activity on a computer
  – Typically located just behind the firewall
• Other IDS systems are based on behavior:
  – Watch network activity and report abnormal behavior
  – Result in many false alarms
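The log-scanning part of a host-based IDS and the false-alarm trade-off of behavior-based detection, as an added example (not from the slides): a signature rule picks failed logins out of constructed sample log lines, and a threshold decides which sources are reported.

```python
"""Host-based IDS sketch (example code): scan an event log for suspicious activity."""
import re
from collections import Counter

# Constructed sample log lines, not from any real system.
SAMPLE_LOG = """\
2023-05-01T10:00:01 sshd: Failed password for root from 198.51.100.7 port 50111
2023-05-01T10:00:02 sshd: Failed password for root from 198.51.100.7 port 50112
2023-05-01T10:00:03 sshd: Failed password for admin from 198.51.100.7 port 50113
2023-05-01T10:00:04 sshd: Accepted password for alice from 10.0.0.21 port 40022
2023-05-01T10:00:05 sshd: Failed password for bob from 10.0.0.22 port 40023
2023-05-01T10:00:06 sshd: Failed password for root from 198.51.100.7 port 50114
"""

FAILED_LOGIN = re.compile(r"Failed password for (\S+) from (\S+) port (\d+)")


def failed_logins_by_source(log_text: str) -> Counter:
    """Signature step: count 'Failed password' events per source address."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(2)] += 1
    return counts


def alerts(log_text: str, threshold: int) -> list[str]:
    """Behaviour step: a source with at least `threshold` failures is reported.
    The threshold is the tuning knob behind the false-alarm problem: too low and
    a single mistyped password becomes an alert; too high and a slow attack hides."""
    counts = failed_logins_by_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

With a threshold of 3 only the source with four failures is reported; with a threshold of 1 the single failure from 10.0.0.22 becomes the kind of false alarm the slide mentions.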

Page 41

Network Monitoring and Diagnostic Devices

• SNMP enables network administrators to:
  – Monitor network performance
  – Find and solve network problems
  – Plan for network growth
• Managed device:
  – Network device that contains an SNMP agent
  – Collects and stores management information and makes it available to SNMP

Page 42

Designing Network Topologies

• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing its security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Page 43

Security Zones

• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
  – Demilitarized Zones (DMZs)
  – Intranets
  – Extranets

Page 44

  – Remote access servers
  – FTP servers

Page 45

[Figure 5-22 Demilitarized zone (DMZ)]

Page 46

Intranets

• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage is that it does not allow remote trusted users access to information

Page 47

Extranets

• Not accessible to the general public, but allows vendors and business partners to access a company Web site

Page 48

Network Address Translation (NAT)

• "You cannot attack what you do not see" is the philosophy behind Network Address Translation (NAT) systems
• Hides the IP addresses of network devices from attackers
• Computers are assigned special IP addresses (known as private addresses)

Page 49

Network Address Translation (NAT) (continued)

• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a different TCP port number
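Added example (not from the slides) of the PAT behavior described above, with constructed addresses: two inside hosts that happen to use the same source port are both rewritten to one public address with distinct ports, replies are mapped back, and inbound traffic without a mapping is dropped.

```python
"""Port address translation (PAT), as a small simulation (example code)."""
from itertools import count


class PatTranslator:
    """Maps every inside (address, port) pair to one public address and a unique port."""

    def __init__(self, public_ip: str, first_port: int = 30000) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.out_map: dict[tuple[str, int], int] = {}   # inside pair -> public port
        self.in_map: dict[int, tuple[str, int]] = {}    # public port -> inside pair

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an outbound packet's source; return the header the outside sees."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            public_port = next(self._next_port)
            self.out_map[key] = public_port
            self.in_map[public_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Rewrite a reply's destination back to the inside host, or drop it.
        Traffic to a port no inside host mapped has nowhere to go: the private
        addresses are never visible from outside."""
        if dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """Two inside hosts using the same source port share one public address."""
    pat = PatTranslator("203.0.113.1")                      # constructed public address
    first = pat.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    second = pat.outbound("192.168.1.11", 51000, "198.51.100.20", 443)
    reply = pat.inbound("198.51.100.20", 443, first[1])     # answer to the first host
    stray = pat.inbound("198.51.100.99", 1234, 30999)       # no mapping: dropped
    return first, second, reply, stray
```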

Page 52

Virtual LANs (VLANs)

• Segment a network with switches to divide the network into a hierarchy
• Core switches reside at the top of the hierarchy and carry traffic between switches
• Workgroup switches are connected directly to the devices on the network
• Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Posted: 17/09/2012, 10:43
