Contents Overview 1 Lesson: Determining Threats and Analyzing Risks to Data Transmission 2 Lesson: Designing Security for Data Data Transmission... Instructor Notes In this module, s
Trang 1Contents
Overview 1
Lesson: Determining Threats and
Analyzing Risks to Data Transmission 2
Lesson: Designing Security for Data
Data Transmission
Trang 2and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property
2002 Microsoft Corporation All rights reserved
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries
The names of actual companies and products mentioned herein may be the trademarks of their respective owners
Trang 3Instructor Notes
In this module, students will learn how to determine threats and analyze risks to data transmission in an organization Students will also learn how to design security for different types of data transmission, including traffic on local area networks (LANs), wide area networks (WANs), virtual private networks (VPNs), wireless networks, and the Internet
After completing this module, students will be able to:
Determine threats and analyze risks to data transmission
Design security for data transmission
To teach this module, you need Microsoft® PowerPoint® file 2830A_10.ppt
It is recommended that you use PowerPoint version 2002 or later to display the slides for this course If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly
To prepare for this module:
Read all of the materials for this module
Complete the practices
Complete the lab and practice discussing the answers
Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD
Visit the Web links that are referenced in the module
Trang 4How to Teach This Module
This section contains information that will help you to teach this module
Lesson: Determining Threats and Analyzing Risks to Data
Transmission
This section describes the instructional methods for teaching this lesson
Use the slide, repeated from earlier modules, to reinforce where the items in the bulleted list on the slide exist on the network diagram This is a very simple diagram that is intended to generate class discussion
This page is intended simply to give examples of vulnerabilities To elaborate attacks, draw upon your own experiences The next page deals with common vulnerabilities, so try not to skip ahead
Explain the threats, but do not discuss how to secure against them The second lesson in the module covers that topic
Use the practice to generate discussion
Lesson: Designing Security for Data Transmission
This lesson contains numerous Web links that you will find valuable in preparing to teach this module
Business or technical requirements may include standards such as HIPAA, the Health Insurance Portability and Accountability Act of 1996 When discussing encryption requirements and restrictions, mention that government encryption standards vary from country to country and could be a security concern for international organizations and corporations
Use this page to introduce the topics that will follow in the lesson The layer Department of Defense Internet model is one of many Internet models Others, such as the Open Systems Interconnection (OSI), use seven-layers We chose the Department of Defense model for the sake of simplicity
four-Answers may vary Use the rankings provided and the security responses that students give to generate classroom discussion
Use this page to review the content of the module Students can use the checklist as a basic job aid The phases mentioned on the page are from Microsoft Solutions Framework (MSF) Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module Students must then design security responses to protect the networks
Assessment
There are assessments for each lesson, located on the Student Materials compact disc You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning
for Data Transmission
Overview of Methods for
Trang 5Lab A: Designing Security for Data Transmission
To begin the lab, open Microsoft Internet Explorer and click the name of the lab Play the video interviews for students, and then instruct students to begin the lab with their lab partners Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class
Use the lab answers provided in the Lab section of the module to answer student questions about the scope of Ashley Larson’s e-mail request, and to lead classroom discussion after students complete the lab
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware
This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks
Trang 7Overview
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
In this module, you will learn how to determine threats and analyze risks to data transmission in an organization You will also learn how to design security for different types of data transmission, including traffic on local area networks (LANs), wide area networks (WANs), virtual private networks (VPNs), wireless networks, and the Internet
After completing this module, you will be able to:
Determine threats and analyze risks to data transmission
Design security for data transmission
Introduction
Objectives
Trang 8Lesson: Determining Threats and Analyzing Risks to Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
You can protect data that is stored on your network by securing access to it, but when you transmit data across the network in your organization, the data becomes vulnerable to a variety of additional threats Attackers can potentially intercept transmitted data, depending on how and where the data is transmitted After completing this lesson, you will be able to:
Describe data transmission methods
Explain why securing data transmission is important
List common vulnerabilities that threaten transmitted data
Introduction
Lesson objectives
Trang 9Overview of Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Data travels over many types of networks in an organization, with different levels of trust associated with them For example, LANs are generally associated with a high degree of trust because they are located within an organization’s physical facilities Web server traffic is generally associated with
a low level of trust because it crosses public links that are outside your organization’s control
When designing security for data transmission, determine the types of networks that your organization uses to transmit data Common networks include LANs, wireless networks, WANs for branch offices and trusted partners, virtual private networks (VPNs) for remote users, and the Internet
Key points
Trang 10Why Securing Data Transmission Is Important
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
An attacker sits in a car across the street from an organization and uses a powered antenna to intercept packets from the organization’s wireless network After intercepting packets, he performs an offline attack on the packets that were transmitted over the wireless network to obtain the Wired Equivalent Privacy (WEP) key The attacker configures his portable computer with the WEP key for the organization’s WAN and then connects to the organization’s network
high-An attacker forges e-mail from another employee and sends a message to the company president The message contains links to Web sites that contain offensive content The company terminates the employee who appeared to have sent the offensive e-mail message
External attacker
scenario
Internal attacker
scenario
Trang 11Common Vulnerabilities to Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Threats and vulnerabilities to data transmission differ, depending on the mode
of transmission and the goals of the attacker Threats can range from passive monitoring to malicious disruption of traffic For example, an attacker who wants to gain knowledge about data as it is transmitted can passively monitor the network from within an organization This type of attack reveals data but does not interrupt data transmission
However, an attacker who wants to stop the transmission of traffic entirely can attempt a denial of service (DoS) attack over the Internet that prevents
legitimate traffic from flowing to and from a network
For more information about threats to data transmission, see the white paper,
Security Threats, at: http://www.microsoft.com/technet/security/
bestprac/bpent/sec1/secthret.asp
Key points
Additional reading
Trang 12Practice: Analyzing Risks to Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Northwind Traders is implementing a Web site so that customers can view their order histories over the Internet Management has asked you to help design a strategy for securing data transmission To add security to Web transactions, one of the network administrators recommends using Secure Sockets Layer (SSL) on all sessions to the Web site She also recommends purchasing and installing an SSL hardware accelerator card
Management is reluctant to purchase the SSL certificate that is required for using SSL, which costs $2,500 You determine that the SSL hardware accelerator card costs approximately $1,500 After discussing the issue with the other network administrators, you determine that management does not
understand the possible threats to the information that will be transmitted How would you explain the threats to management to justify the cost of the SSL certificate and SSL hardware accelerator card?
Compile data to show that the cost of the certificate and accelerator card is less than the Annual Loss Expectancy (ALE) from exposing customer information to attackers
The potential ALE from such attacks is significant The Web connection over the Internet is a public network, which has a low degree of trust Customer information that could be threatened by network monitoring and other attacks includes addresses, telephone and credit card numbers, and information about the order If an attacker compromises customer information that is not protected by using SSL, the negative publicity could cause customers to leave Northwind Traders
Introduction
Question
Trang 13Lesson: Designing Security for Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Designing security for data transmission requires that you secure communication across the network at the different layers of the four-layer Department of Defense Internet model Each layer is vulnerable to different threats and therefore requires different methods for securing transmitted data After completing this lesson, you will be able to:
Determine security requirements for data transmission
List methods for securing communication channels
Describe considerations for securing communication at the application layer
Describe how Internet Protocol Security (IPSec) secures communication at the network layer
List guidelines for securing communication at the data link and physical layers
Choose a VPN tunneling protocol
Introduction
Lesson objectives
Trang 14How to Determine Security Requirements for Data Transmission
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
To determine security requirements for data transmission:
1 Analyze business and technical requirements for securing data transmission Your organization may have specific security requirements for
data For example, you may require encryption of all customer data when it
is transmitted over public networks
2 Determine what network traffic to secure Not all data transmissions require
the same level of security Determine what types of network traffic must be secured, the level of security that they require, and the networks that you use
4 Identify methods for securing data transmission There are often several
methods that you can use to secure data transmission Identify the method that is cost effective and provides the level of security that your organization requires
5 Determine encryption requirements and restrictions Transmission protocols
may use a variety of encryption methods Determine what encryption algorithms to use and the level of encryption strength that is necessary to secure data transmissions Government or industry regulations for using encryption algorithms may also affect your decision
6 Create an implementation strategy After you complete your design, ensure
that you create an implementation strategy for the security methods, so that your organization deploys and implements them correctly
Key points
Trang 15Overview of Methods for Securing Communication Channels
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
A convenient way to understand data transmission security is to categorize where security can be applied at different layers of the Department of Defense Internet model
You can use different methods of security to secure data transmission at the application, network, data link, and physical layers
Consider using software that detects network adapters that are running in promiscuous mode
Key points
Note