
Lecture Security+ Certification: Chapter 7 - Trung tâm Athena


Document information: 76 pages, 805.19 KB

Contents

Chapter 7 - Security Management for the System (Security management system). After studying this chapter you will be able to: understand the purpose of a network firewall and the kinds of firewall technology available on the market; understand the role of routers, switches, and other networking hardware in security; determine when VPN or RAS technology works to provide a secure network connection.

Page 1

Chapter 7: Security Management for the System

Page 2

Summary of contents

Page 3

Objectives in this Chapter

• Understand the purpose of a network firewall and the kinds of firewall technology available on the market
• Understand the role of routers, switches, and other networking hardware in security
• Determine when VPN or RAS technology works to provide a secure network connection

Page 4

means of securing a computer or network from unwanted intrusion

• Dedicated physical device that protects network from intrusion
• Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Page 5

Three firewall technologies

Page 6

Packet filtering firewall

layer of the Open Systems Interconnection (OSI) model and is designed to operate rapidly by either allowing or denying packets

Page 7

Application layer gateways

Application layer of the OSI model, analyzing each packet and verifying that it contains the correct type of data for the specific application it is attempting to communicate with

Page 8

Stateful inspection firewall

• A stateful inspection firewall checks each packet to verify that it is an expected response to a current communications session. This type of firewall operates at the Network layer, but is aware of the Transport, Session, Presentation, and Application layers and derives its state table based on these layers of the OSI model.

Page 9

Management Cycle for Firewall Protection

1. Draft a written security policy
2. Design the firewall/network to implement the policy
3. Implement the design by installing selected hardware and software
4. Test the firewall
5. Review new threats, requirements for additional security, and updates to systems and software; repeat process from first step

Page 10

Drafting a Security Policy

over the network?

Page 11

Available Targets and Who Is Aiming at Them

Page 13

Services and Security

know how your network will be used

• Don't install/use any service you don't absolutely need

Page 14

A Warning

security, and vice versa

• If something is too difficult, users will find a way to circumvent it

Page 15

Who Gets Access to Which Resources?

with files and file servers and databases and database servers they need to access

the network

Page 16

Who Gets Access to Which Resources?

internal users, remote users, etc.

network to accomplish

site, access internal database server, remote access, etc.

Page 17

Who Administers the Network?

management control

Page 18

Designing the Firewall to Implement the Policy

firewall

Page 19

What Do Firewalls Protect Against?

Page 20

How Do Firewalls Work?

• Network address translation (NAT)
• Basic packet filtering
• Stateful packet inspection (SPI)
• Application gateways
• Access control lists (ACL)

Page 21

Network Address Translation (NAT)

• Only technique used by basic firewalls
• Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
• Each active connection requires a unique external address for duration of communication
• Port address translation (PAT)
  – Derivative of NAT
  – Supports thousands of simultaneous connections on a single public IP address
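The following Python model is added here as an example and is not part of the lecture slides. It shows the translation table a PAT device keeps: two inside hosts that both use source port 40000 leave through one public address on different public ports, replies are mapped back by public port, an unsolicited inbound packet finds no mapping and is dropped, and the pool of public ports is what bounds the number of simultaneous connections. All addresses, ports, class and function names are constructed for the example.

```python
"""Port address translation (PAT) table: a teaching model of the mapping a
NAT/PAT device keeps so that one public IP address can carry many inside
connections at once.

Added example, not code from the lecture slides. Addresses and ports are
constructed sample values (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int]  # (inside IP, inside source port)


@dataclass
class PatTable:
    public_ip: str
    first_port: int = 1024
    last_port: int = 65535
    # inside flow -> public port chosen for it
    outbound: Dict[Flow, int] = field(default_factory=dict)
    # public port -> inside flow (used to un-translate replies)
    inbound: Dict[int, Flow] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.next_port = self.first_port

    def translate_outbound(self, inside_ip: str, inside_port: int) -> Tuple[str, int]:
        """Rewrite an outbound packet's source (inside_ip, inside_port) to
        (public_ip, public_port). An existing flow keeps its mapping; a new
        flow is given the next free public port."""
        flow = (inside_ip, inside_port)
        if flow in self.outbound:
            return self.public_ip, self.outbound[flow]
        pool_size = self.last_port - self.first_port + 1
        for _ in range(pool_size):
            port = self.next_port
            self.next_port = self.first_port if port == self.last_port else port + 1
            if port not in self.inbound:
                self.outbound[flow] = port
                self.inbound[port] = flow
                return self.public_ip, port
        # every port in the pool is held by an active connection
        raise RuntimeError("PAT port pool exhausted")

    def translate_inbound(self, public_port: int) -> Optional[Flow]:
        """Map a packet arriving at public_port back to the inside flow.
        None means no inside host asked for this traffic, so the device has
        nowhere to deliver it and drops it."""
        return self.inbound.get(public_port)

    def release(self, inside_ip: str, inside_port: int) -> None:
        """Free the public port when the connection ends."""
        port = self.outbound.pop((inside_ip, inside_port), None)
        if port is not None:
            del self.inbound[port]


def concurrent_flows(n: int, public_ip: str = "203.0.113.5") -> int:
    """Open n distinct inside flows behind one public address and return how
    many distinct public ports the table ends up using."""
    table = PatTable(public_ip)
    for i in range(n):
        # constructed inside hosts 10.0.x.y, each flow with its own source port
        table.translate_outbound(f"10.0.{i // 250}.{i % 250 + 1}", 40000 + i)
    return len(set(table.inbound))


if __name__ == "__main__":
    t = PatTable("203.0.113.5")
    print(t.translate_outbound("10.0.0.2", 40000))  # ('203.0.113.5', 1024)
    print(t.translate_outbound("10.0.0.3", 40000))  # ('203.0.113.5', 1025)
    print(t.translate_inbound(1025), t.translate_inbound(5000))  # ('10.0.0.3', 40000) None
    print(concurrent_flows(5000))  # 5000
```

The model keeps the two lookups a real device needs (outbound by inside flow, inbound by public port); the inbound lookup returning None for an unknown port is the reason unsolicited traffic from the Internet cannot reach an inside host through a PAT device, and releasing mappings when connections end is what keeps the pool from running dry.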

Page 22

Basic Packet Filtering

• Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules
• Can be configured to screen information based on many data fields:
  – Protocol type
  – IP address
  – TCP/UDP port
  – Source routing information
• Routers can also do this

Page 23

Stateful Packet Inspection (SPI)

• Stateful packet filters record specific information about network connections, including which ports are being used on the client and the server
• Enhances security by allowing the filter to distinguish on which side of firewall a connection was initiated

allowed

Page 24

Access Control Lists (ACL)

• Packet filtering is made possible by the use of ACLs
• ACLs are lists of rules built according to organizational policy that defines who can access portions of the network
• access-list 101 permit tcp any 111.222.111.222 0.0.0.0 eq 80
• access-list 101 deny ip any 111.222.111.222 0.0.0.0

Page 25

Access Control Lists (ACL)

until it matches one

• There is an implicit deny at the end of the list (if there's not a match by then, throw the packet away)
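As an added example that is not from the slides, the Python below parses the two access-list entries shown on page 24, evaluates packets top to bottom with first-match semantics and the implicit deny, and flags entries that an earlier entry shadows, which is the ordering mistake that makes a later permit unreachable. The packet addresses and the helper names are constructed.

```python
"""First-match evaluation of Cisco-style extended ACL entries, with the
implicit deny at the end of the list and a check for shadowed entries.

Added teaching example, not code from the lecture slides. It handles the
subset of the syntax the slide uses:
    access-list <number> permit|deny <ip|tcp|udp> <src> <dst> [eq <port>]
where an address is "any", "host A.B.C.D", or "A.B.C.D <wildcard>".
Sample packet addresses are constructed (RFC 5737 ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (address as int, wildcard mask as int; a 1 bit in the mask means "don't care")
AddrSpec = Tuple[int, int]


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any IP protocol
    src: AddrSpec
    dst: AddrSpec
    dst_port: Optional[int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_entry(line: str) -> AclEntry:
    tokens = line.lower().split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"unsupported access-list line: {line!r}")
    number, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol: {line!r}")
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return AclEntry(number, action, proto, src, dst, port)


def _matches(spec: AddrSpec, ip: str) -> bool:
    addr, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)


def evaluate(entries: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
             dst_port: int) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom and stop at the first matching entry.
    Returns (action, index); index None means the implicit deny applied."""
    for idx, e in enumerate(entries):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, src_ip) and _matches(e.dst, dst_ip)):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action, idx
    return "deny", None


def _covers(a: AddrSpec, b: AddrSpec) -> bool:
    """True if every address matching spec b also matches spec a."""
    (addr_a, wild_a), (addr_b, wild_b) = a, b
    return (wild_b & ~wild_a & 0xFFFFFFFF) == 0 and (addr_a | wild_a) == (addr_b | wild_a)


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry
    already catches everything they would (a common ordering mistake)."""
    out = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dst_port in (None, later.dst_port)):
                out.append(j)
                break
    return out


# The two entries shown on the slide, in the order given
ACL_101 = [parse_entry(line) for line in (
    "access-list 101 permit tcp any 111.222.111.222 0.0.0.0 eq 80",
    "access-list 101 deny ip any 111.222.111.222 0.0.0.0",
)]

if __name__ == "__main__":
    print(evaluate(ACL_101, "tcp", "198.51.100.7", "111.222.111.222", 80))  # ('permit', 0)
    print(evaluate(ACL_101, "tcp", "198.51.100.7", "111.222.111.222", 22))  # ('deny', 1)
    print(evaluate(ACL_101, "tcp", "198.51.100.7", "111.222.111.223", 80))  # ('deny', None)
    print(shadowed_entries(list(reversed(ACL_101))))                         # [1]
```

Reversing the two slide entries puts the `deny ip` first, and `shadowed_entries` reports the `permit tcp ... eq 80` as unreachable; that is the same first-match rule that the implicit deny relies on, seen from the other side.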

Page 26

between network segments and routes traffic from one network to another

another

• Act as digital traffic cop (with addition of packet filtering)

Page 27

How a Router Moves Information

packet; compares destination IP address to list of IP addresses contained in router's lookup (routing) tables

next, based on changing network conditions

Page 28

How a Router Moves Information

Page 29

Beyond the Firewall

that are publicly accessible, but still need as much protection as possible

• Bastion hosts (potentially) – a server that resides on the DMZ and hosts Web, mail, DNS, and/or FTP services

Page 30

Demilitarized Zone

• Area set aside for servers that are publicly accessible or have lower security requirements
• Sits between the Internet and internal network's line of defense
  – Stateful device fully protects other internal systems
  – Packet filter allows external traffic only to services provided by DMZ servers
• Allows a company to host its own Internet services without sacrificing unauthorized access to its private

Page 33

Application Gateways

• Also known as proxy servers (actually reverse proxies)
• Monitor specific applications (FTP, HTTP, Telnet)
• Traffic destined for web server goes to web proxy instead
• Web proxy forwards packet to the web server, and relays the reply back to the requesting browser

Page 34

Application Gateways

and filtered by the proxy

• Proxy itself is not running web service and is not vulnerable to exploit

Page 35

Application Gateways

• Information hiding
• Robust authentication and logging
• Simpler filtering rules
• Protects actual server from exploits
• Two steps are required to connect inbound or outbound traffic; can increase processor overhead

Page 36

OSI Reference Model

• Architecture that classifies most network functions

Page 38

The OSI Stack

Page 39

Limitations of Packet-Filtering Routers

knowledge of required network traffic

difficult to manage and comprehend

being processed increases

Page 40

Limitations of Packet-Filtering Routers

of packets at layers 3 through 5

• Packet filtering is typically all or none
• No concept of state, of connections initiated on the inside
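To make the contrast between the stateless limitation listed here and the stateful packet inspection described on page 23 concrete, here is an added Python example (not from the lecture) that runs one constructed packet trace through a stateless filter and through a filter that keeps a state table of connections opened from the inside. Packet addresses, flags, class and function names are constructed.

```python
"""Stateless packet filtering versus stateful packet inspection (SPI).

Added teaching example, not code from the lecture slides. One constructed
packet trace is run through two filters with the same policy intent:
inside hosts may open web connections, nothing else may come in. The
stateless filter has no record of who opened a connection and must rely
on header fields alone; the stateful filter keeps a state table and admits
an inbound packet only if it answers a connection initiated from inside.
All addresses and ports are constructed sample values (RFC 5737 ranges).
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": leaving the internal network; "in": arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # TCP flags written as text: "SYN", "SYN-ACK", "ACK"


# A connection as seen from inside: (inside ip, inside port, outside ip, outside port)
Conn = Tuple[str, int, str, int]


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rules: permit everything outbound; permit inbound TCP whose
    source port is 80, because that is the only header field a stateless
    filter can use to let web replies back in. It cannot tell a genuine
    reply from any other packet that carries source port 80."""
    if pkt.direction == "out":
        return True
    return pkt.src_port == 80


class StatefulFilter:
    """Keeps a table of connections opened from the inside (a simplified
    state table: real SPI devices also track teardown and age entries out)."""

    def __init__(self) -> None:
        self.table: Set[Conn] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.flags == "SYN":  # an inside host is opening a connection
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # inbound: admit only the reverse half of a connection we recorded
        expected = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return expected in self.table


# Constructed trace: one legitimate web session plus two unsolicited inbound packets
TRACE: List[Packet] = [
    Packet("out", "10.0.0.2", 40000, "198.51.100.7", 80, "SYN"),     # inside host opens a web connection
    Packet("in", "198.51.100.7", 80, "10.0.0.2", 40000, "SYN-ACK"),  # the server's reply to it
    Packet("in", "198.51.100.9", 80, "10.0.0.2", 40000, "SYN"),      # unsolicited; only looks like a reply
    Packet("in", "198.51.100.9", 4444, "10.0.0.2", 22, "SYN"),       # unsolicited; nobody inside asked
]


def run_trace(allow: Callable[[Packet], bool], trace: List[Packet] = TRACE) -> List[bool]:
    """Apply a filter's allow() decision to each packet in order."""
    return [allow(p) for p in trace]


if __name__ == "__main__":
    print("stateless:", run_trace(stateless_allow))         # [True, True, True, False]
    print("stateful: ", run_trace(StatefulFilter().allow))  # [True, True, False, False]
```

The third packet is the one that separates the two designs: both filters reject the fourth packet, but only the stateful filter rejects an inbound packet that carries the expected source port without belonging to any connection an inside host opened, because it can look up which side initiated the connection instead of trusting the header.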

Page 41

• Provide same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task
• Reduce collision domain to two nodes (switch and host)
• Broadcasts are still forwarded to all ports
• Main benefit over hubs
  – Separation of collision domains limits the possibility of sniffing

Page 42

Switches

Page 43

Switch Security

• ACLs
• Separation of collision domains limits sniffing (but remember dsniff)

Page 44

Virtual Local Area Network

“virtual” LAN
  – limits broadcasts to members of VLANs
    • Increases security from hackers
    • Reduces possibility of broadcast storm

Page 45

Security Problems with Switches

person is able to obtain administrative access to a switch
  – Try default passwords which may not have been changed
  – Sniff network to get administrator password via SNMP or Telnet

Page 46

Securing a Switch

serial port or through secure shell (SSH) or other encrypted method

physically isolate them from the network and prevent VLAN jumping

Page 47

Securing a Switch

• Maintain the switch; install latest version of software and security patches

Page 48

Example of a Compromised VLAN

Page 49

network communication

communicating with wireless technology

enough

Page 50

Modems

Page 51

DSL versus Cable Modem Security

• DSL
  – Direct connection between computer/network and the Internet
• Cable modem
  – Connected to a shared segment; party line
  – Most have basic firewall capabilities to prevent files from being viewed or downloaded
  – Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

Page 52

Dynamic versus Static IP Addressing

• Static IP addresses
  – Provide a fixed target for potential hackers
• Dynamic IP addresses
  – Provide enhanced security
  – By changing IP addresses of client machines, DHCP server makes them moving targets for potential hackers
  – Assigned by the Dynamic Host Configuration Protocol (DHCP)

Page 53

Dynamic versus Static IP Addressing

get the same IP address
  – Always on
  – High bandwidth
  – Users not thinking about security
  – Favorite target of hackers

Page 54

Remote Access Service (RAS)

securely dial in to another computer

the network

you to open up a hole in your firewall

Page 55

Security Problems with RAS

to be compromised

as features to enhance security

Page 56

Telecom/Private Branch Exchange (PBX)

• PBX
  – Private phone system that offers features such as voicemail, call forwarding, and conference calling
  – Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

Posted: 30/01/2020, 11:29
