Contents
Overview 1
Lesson: Determining Threats and Analyzing Risks to Network Perimeters 2
Lesson: Designing Security for Network Perimeters 8
Lab A: Designing Security for Network Perimeters

Module 11: Creating a Security Design for Network Perimeters
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Instructor Notes
In this module, students will learn how to determine threats and analyze risks to network perimeters. Students will also learn how to design security for network perimeters, including screened subnets, and for computers that connect directly to the Internet.
After completing this module, students will be able to:
! Determine threats and analyze risks to network perimeters
! Design security for network perimeters
To teach this module, you need Microsoft® PowerPoint® file 2830A_11.ppt.
It is recommended that you use PowerPoint version 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all of the features of the slides may not be displayed correctly.
To prepare for this module:
! Read all of the materials for this module
! Complete the practices
! Complete the lab and practice discussing the answers
! Read the additional reading for this module, located under Additional Reading on the Web page on the Student Materials CD
! Visit the Web links that are referenced in the module
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Determining Threats and Analyzing Risks to Network Perimeters
Explain that the perimeter of a network is any entry point into an organization’s network. A screened subnet (which is a type of network perimeter) and a single computer on a network that is directly connected to the Internet are both examples of a network perimeter. Emphasize to students that a network perimeter is more than just a DMZ, demilitarized zone, or screened subnet—it is anything that reaches outside the network that could allow an attacker inside the network.
This page is intended simply to give examples of vulnerabilities. To elaborate attacks, draw upon your own experiences. The next page deals with common vulnerabilities, so try not to skip ahead.
Explain the vulnerabilities, but do not discuss how to secure against them. The second lesson in the module covers that topic.
This practice requires that students have classroom access to the Internet. If students do not have classroom access, simply read the practice answers to them and then ask students if they have experienced such attacks.
Lesson: Designing Security for Network Perimeters
This section describes the instructional methods for teaching this lesson. Emphasize the additional reading and Web sites referenced throughout the module for additional depth on the topics provided.
This page introduces screened subnets. Use this page to reemphasize what the perimeter of a network is. The common designs shown are known by many different names. Emphasize the fact that different parts of a network may be separated from each other by perimeters; for example, a main office and a branch office, or a main network and a test network. Be sure to point students to the ISA Server Installation and Deployment Guide, under Additional Reading on the Web page on the Student Materials CD.
This page emphasizes the threats that network computers are under, and the threats to which those computers expose the network when they connect to outside networks. Many students may feel that this module is or is supposed to be about screened subnets; emphasize that an organization’s computer that is connected to an outside network is effectively on the perimeter of the organization’s network, and may present a serious risk to network security. As security designers, students must be aware of the risks involved and design security measures to mitigate against those risks.
Answers may vary. Use the security responses that students give to generate classroom discussion.
Use this page to review the content of the module. Students can use the checklist as a basic job aid. The phases mentioned on the page are from Microsoft Solutions Framework (MSF). Use this page to emphasize that students must perform threat analysis and risk assessment on their own networks for the topic covered in this module, and then they must design security responses to protect the networks.
Assessment
There are assessments for each lesson, located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Designing Security for Network Perimeters
To begin the lab, open Microsoft Internet Explorer and click the name of the lab. Play the video interviews for students, and then instruct students to begin the lab with their lab partners. Give students approximately 20 minutes to complete this lab, and spend about 10 minutes discussing the lab answers as a class.
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a Plan for Network Security.” Those notes contain detailed suggestions for facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.
The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.
Overview
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
In this module, you will learn how to determine threats and analyze risks to network perimeters. You will also learn how to design security for network perimeters, including screened subnets, and for computers that connect directly to the Internet.
After completing this module, you will be able to:
! Determine threats and analyze risks to network perimeters
! Design security for network perimeters
Lesson: Determining Threats and Analyzing Risks to Network Perimeters
The perimeter, or boundary, of a network is where your organization ends and the area outside your organization begins. Perimeters are not always easy to identify. Attackers who penetrate weaknesses in your perimeter can potentially access information on your network.
After completing this lesson, you will be able to:
! Describe the perimeter of a network
! Explain the importance of perimeter security
! List common vulnerabilities to perimeter security
What Is the Perimeter of a Network?
A perimeter is any point that connects to networks outside of an organization.
In a typical network, perimeter points can include:
! organization
! trusted partners, or other facilities outside of the organization
! as business-to-business (B2B) services, that the organization exposes to public networks, such as the Internet
! are accessing the internal network across a public network
! access services running in a screened subnet
! outside of an organization’s physical facilities
Why Perimeter Security Is Important
Assets are vulnerable to threats from both external and internal attackers. For example:
An external attacker runs a series of port scans on a network. The attacker uses the information to create a network diagram of the perimeter, including computers in the screened subnet, operating systems of network devices and computers, services running in the screened subnet, and the level of security that is implemented on the network. The attacker researches known vulnerabilities of these network devices, computers, and services, and then attacks the network systematically.
An employee receives an e-mail from a friend through an external Web-based e-mail account. When the employee opens a file that is enclosed in the e-mail, a new worm virus automatically spreads to all computers on the internal network. The traffic from the spreading virus slows legitimate traffic, resulting in a denial of service (DoS) for network users.
Common Vulnerabilities to Perimeter Security
Of all the areas of your network, the network perimeter has the greatest exposure to public networks and therefore is one of the areas most threatened by attack. Before Internet connectivity became common, an organization’s network often maintained only one connection to a public network.
Today, Internet access, remote access, and branch office connectivity have become vital to the operation of an organization. As organizations increase their requirements for connectivity, the difficulty of managing network connections increases, and so does the risk that information and computers may be exposed to attack.
For more information about common attacks on network perimeters, see:
! The Web page, Hacking Methods, on the Internet Security Systems Web site, at: http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/default.htm
! The white paper, Managing the Threat of Denial-of-Service Attacks, on the CERT Coordination Center Web site, at: http://www.cert.org/archive/pdf/Managing_DoS.pdf
Practice: Analyzing Risks to Network Perimeters
Northwind Traders has 10,000 users who work in one facility. All users have computers running Microsoft® Windows® 2000 that belong to an Active Directory® directory service domain. Northwind Traders recently deployed a Web server so that employees can retrieve their e-mail messages.
The IT manager has asked you to explain how a Land attack and a SYN flood attack (or SYN-ACK attack) can prevent users from retrieving their e-mail. Use the Internet to locate information about how Land and SYN-ACK attacks affect perimeter security.
1. What is a Land attack, and how can it prevent users from receiving their e-mail messages?
A Land attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packet to itself. The host will continue to attempt to contact itself and prevent legitimate traffic from being processed. An attacker could use a Land attack against the router, firewall, or Web server at Northwind Traders to prevent users from retrieving their e-mail.
Sources of information include:
• The Web page, CERT Advisory CA-1997-28 IP Denial-of-Service Attacks, on the CERT Coordination Center Web site, at: http://www.cert.org/advisories/CA-1997-28.html
• Q165005, Windows NT Slows Down Because of Land Attack
2. What is a SYN-ACK or SYN flood attack, and how can it prevent users from receiving their e-mail messages?
At the beginning of a TCP connection, a SYN-ACK attack sends a SYN packet to the target host from a spoofed source IP address. The target host responds with a SYN-ACK packet, and then leaves the TCP session in a half-open state while waiting for the spoofed host to respond. Because the spoofed host will never respond, the session will remain half open. The attacker repeatedly changes the spoofed source address on each new packet that is sent to generate additional traffic and deny legitimate traffic. An attacker could use a SYN-ACK attack against the router, firewall, or Web server at Northwind Traders to prevent users from retrieving their e-mail messages.
Sources of information include:
• RFC 2267, Defeating Denial of Service Attacks which employ IP Source Address Spoofing
• Q142641, Internet Server Unavailable Because of Malicious SYN Attacks
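The two practice answers above describe what a Land packet and a SYN flood look like on the wire, and the RFC 2267 source cited for the second answer describes the ingress filter that stops spoofed source addresses at the border. The following detector is an added example for this page, not part of the Microsoft courseware: it runs offline over constructed packet records (the record layout, the addresses, the Northwind address range and the half-open threshold are all assumptions) and flags Land packets, servers holding many half-open handshakes, and packets that an RFC 2267 ingress filter would drop.

```python
"""Added example for this page (not Microsoft courseware): offline detectors
for the perimeter denial-of-service patterns described in the practice.
Packet records, addresses and thresholds below are constructed assumptions,
not a real firewall's log format or API."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    inbound: bool   # True when the packet arrived on the Internet-facing interface


def is_land_packet(p):
    """Land: a SYN whose source and destination address AND port are identical,
    so the target is tricked into trying to answer itself."""
    return p.flags == "S" and p.src_ip == p.dst_ip and p.src_port == p.dst_port


def land_packets(packets):
    return [p for p in packets if is_land_packet(p)]


def half_open_by_server(packets):
    """Map (server_ip, server_port) -> set of clients whose handshake the server
    answered with SYN-ACK but who never sent the final ACK. A SYN flood shows
    up as many such entries from many distinct (spoofed) sources."""
    syn_acked = set()   # normalised to (client_ip, client_port, server_ip, server_port)
    completed = set()
    for p in packets:
        if p.flags == "SA":            # server -> client, so swap the tuple
            syn_acked.add((p.dst_ip, p.dst_port, p.src_ip, p.src_port))
        elif p.flags == "A":           # client -> server, third handshake step
            completed.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
    result = defaultdict(set)
    for cip, cport, sip, sport in syn_acked - completed:
        result[(sip, sport)].add((cip, cport))
    return dict(result)


def syn_flood_suspects(packets, min_half_open=5):
    """Servers holding at least min_half_open half-open connections. The
    threshold is an assumed value; tune it to the server's normal backlog."""
    return {srv: len(clients)
            for srv, clients in half_open_by_server(packets).items()
            if len(clients) >= min_half_open}


def violates_ingress_filter(p, internal_nets):
    """RFC 2267 style check at the border router: an inbound packet must not
    claim an internal source address, and an outbound packet must carry one.
    Either violation indicates source address spoofing."""
    src_internal = any(ip_address(p.src_ip) in net for net in internal_nets)
    return src_internal if p.inbound else not src_internal


def ingress_violations(packets, internal_nets):
    return [p for p in packets if violates_ingress_filter(p, internal_nets)]


# --- constructed sample traffic (RFC 5737 documentation addresses) ------------
INTERNAL = [ip_network("192.0.2.0/24")]   # assumed Northwind Traders address space
WEB = ("192.0.2.10", 80)                  # assumed Web mail server

SAMPLE = [
    # a legitimate three-way handshake from an Internet client
    Packet("203.0.113.5", 40001, *WEB, "S", True),
    Packet(*WEB, "203.0.113.5", 40001, "SA", False),
    Packet("203.0.113.5", 40001, *WEB, "A", True),
    # a Land packet: source and destination are both the Web server
    Packet(*WEB, *WEB, "S", True),
    # an inbound packet claiming an internal source address
    Packet("192.0.2.77", 5555, *WEB, "S", True),
]
# a SYN flood: six spoofed sources, each answered by the server, none completing
for i in range(1, 7):
    SAMPLE.append(Packet(f"198.51.100.{i}", 1000 + i, *WEB, "S", True))
    SAMPLE.append(Packet(*WEB, f"198.51.100.{i}", 1000 + i, "SA", False))


def report(packets, internal_nets):
    """Summary a perimeter monitor could raise as alerts."""
    return {
        "land": len(land_packets(packets)),
        "syn_flood": syn_flood_suspects(packets),
        "spoofed": len(ingress_violations(packets, internal_nets)),
    }


if __name__ == "__main__":
    print(report(SAMPLE, INTERNAL))
```

Note that the Land packet is also caught by the ingress filter, because a packet arriving from the Internet with the Web server's own address as its source can only be spoofed; that is the practical link between the two practice answers and RFC 2267.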
Lesson: Designing Security for Network Perimeters
A perimeter of a network is by nature a place of low trust. You must ensure that your network perimeter is secure and that it provides the services that you, your customers, and your partners require. Identify the perimeter, decide what services you will provide in the perimeter, and determine how you will securely manage and monitor these services. You can also use firewalls and hardware devices to secure your network perimeter from attack.
After completing this lesson, you will be able to:
! Describe common network perimeter designs
! Explain the steps for designing a secure screened subnet
! Explain how perimeter devices protect a network
! List guidelines for protecting computers on a perimeter