Network Guide to Networks, Fourth Edition - PowerPoint PPT Presentation

Slides: 57
Provided by: cerr

1
Network Guide to Networks, Fourth Edition
  • Chapter 14
  • Network Security

2
Objectives
  • Identify security risks in LANs and WANs and
    design security policies that minimize risks
  • Explain how physical security contributes to
    network security
  • Discuss hardware- and design-based security
    techniques
  • Use network operating system techniques to
    provide basic security

3
Objectives (continued)
  • Understand methods of encryption, such as SSL and
    IPSec, that can secure data in storage and in
    transit
  • Describe how popular authentication protocols,
    such as RADIUS, TACACS, Kerberos, PAP, CHAP, and
    MS-CHAP, function
  • Understand wireless security protocols, such as
    WEP, WPA, and 802.11i

4
Security Audits
  • Every organization should assess security risks
    by conducting a security audit
  • Thorough examination of each aspect of network to
    determine how it might be compromised
  • At least annually, preferably quarterly
  • The more devastating a threat's effects and the
    more likely it is to happen, the more rigorously
    your security measures should address it
  • In-house or third-party audits

5
Security Risks
  • Not all security breaches result from
    manipulation of network technology
  • Staff members purposely or inadvertently reveal
    passwords
  • Undeveloped security policies
  • Malicious and determined intruders may cascade
    their techniques

6
Risks Associated with People
  • Human errors, ignorance, and omissions cause
    majority of security breaches
  • Risks associated with people
  • Social engineering or snooping to obtain
    passwords
  • Incorrectly creating or configuring user IDs,
    groups, and their associated rights on file
    server
  • Overlooking security flaws in topology or
    hardware configuration
  • Overlooking security flaws in OS or application
    configuration
  • Lack of documentation and communication

7
Risks Associated with People (continued)
  • Risks associated with people (continued)
  • Dishonest or disgruntled employees
  • Unused computer or terminal left logged on
  • Easy-to-guess passwords
  • Leaving computer room doors open or unlocked
  • Discarding disks or backup tapes in public waste
    containers
  • Neglecting to remove access and file rights when
    required
  • Writing passwords on paper

8
Risks Associated with Transmission and Hardware
  • Risks inherent in network hardware and design
  • Transmissions can be intercepted
  • Networks using leased public lines vulnerable to
    eavesdropping
  • Network hubs broadcast traffic over entire
    segment
  • Unused hub, router, or server ports can be
    exploited and accessed by hackers
  • Not properly configuring routers to mask internal
    subnets

9
Risks Associated with Transmission and Hardware
(continued)
  • Risks inherent in network hardware and design
    (continued)
  • Modems attached to network devices may be
    configured to accept incoming calls
  • Dial-in access servers may not be carefully
    secured and monitored
  • Computers hosting very sensitive data may coexist
    on the same subnet with computers open to public
  • Passwords for switches, routers, and other
    devices may not be sufficiently difficult to
    guess, changed frequently, or may be left at
    default value

10
Risks Associated with Protocols and Software
  • Networked software only as secure as it is
    configured to be
  • Risks pertaining to networking protocols and
    software
  • TCP/IP contains several security flaws
  • Trust relationships between one server and
    another may allow hackers to access entire
    network
  • NOSs may contain back doors or security flaws
    allowing unauthorized access to system

11
Risks Associated with Protocols and Software
(continued)
  • Risks pertaining to networking protocols and
    software (continued)
  • If NOS allows server operators to exit to a
    command prompt, intruders could run destructive
    command-line programs
  • Administrators might accept the default security
    options after installing an OS or application
    (often not optimal)
  • Transactions that take place between applications
    may be open to interception

12
Risks Associated with Internet Access
  • Common Internet-related security issues
  • Firewall may not be adequate protection, if not
    configured properly
  • IP spoofing
  • When user Telnets or FTPs to site over Internet,
    user ID and password transmitted in plain text
  • Hackers may obtain information about user IDs
    from newsgroups, mailing lists, forms filled out
    on Web
  • Flashing
  • Denial-of-service attack

13
An Effective Security Policy
  • Security policy identifies security goals, risks,
    levels of authority, designated security
    coordinator and team members, responsibilities
    for team members, responsibilities for each
    employee
  • Specifies how to address security breaches
  • Should not state exact hardware, software,
    architecture, or protocols used to ensure
    security
  • Nor how hardware or software will be installed
    and configured
  • Details change occasionally

14
Security Policy Goals
  • Typical goals for security policies
  • Ensure authorized users have appropriate access
    to resources
  • Prevent unauthorized users from gaining access to
    network, systems, programs, or data
  • Protect sensitive data from unauthorized access
  • Prevent accidental or intentional damage to
    hardware or software
  • Create environment in which network and systems
    can withstand and recover from any type of threat
  • Communicate each employee's responsibilities

15
Security Policy Content
  • After risks identified and responsibilities
    assigned, policy's outline should be generated
  • Possible subheadings: Passwords; Software
    installation; Confidential and sensitive data;
    Network access; E-mail use; Internet use; Modem
    use; Remote access; Connecting to remote
    locations, Internet, and customers' and vendors'
    networks; Use of laptops and loaner machines;
    Computer room access

16
Security Policy Content (continued)
  • Explain to users what they can and cannot do and
    how these measures protect network's security
  • Create separate section of policy that applies
    only to users
  • Define what "confidential" means to organization

17
Response Policy
  • Security response team should regularly rehearse
    defense strategy
  • Suggestions for team roles
  • Dispatcher
  • Manager
  • Technical support specialist
  • Public relations specialist
  • After resolving a problem, team reviews what
    happened, determines how it might have been
    prevented, implements measures to prevent future
    problems

18
Physical Security
  • Restrict physical access to components
  • Computer room, hubs, routers, switches, etc.
  • Locks may be physical or electronic
  • Electronic access badges
  • Numeric key codes
  • Bio-recognition access
  • Closed-circuit TV systems
  • Most important way to ensure physical security is
    to plan for it

19
Physical Security (continued)
Figure 14-1 Badge access security system

20
Security in Network Design: Firewalls
  • Selectively filter or block traffic between
    networks
  • Hardware-based, software-based, or combination
  • Packet-filtering firewall examines header of
    every packet of data received
  • Common filtering criteria
  • IP addresses
  • Ports
  • Flags set in IP header
  • Transmissions that use UDP or ICMP
  • First packet in new data stream?
  • Inbound or outbound?
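
The filtering criteria listed on this slide can be expressed as an ordered rule list checked against each packet header, with the first matching rule deciding and a default deny at the end. This is an added example, not material from the presentation; the rule set, addresses (documentation ranges) and the `Packet`/`Rule` names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" or "out" relative to the protected LAN
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    syn: bool = False            # TCP SYN without ACK: first packet of a new stream


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None    # CIDR block; None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    new_stream: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport)
                and (self.new_stream is None or self.new_stream == p.syn))


def decide(rules, p: Packet):
    """Return (action, index of matching rule); no match means default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed policy for a LAN on 10.0.0.0/8 with one public HTTPS server.
RULES = [
    # 0: internal source address arriving from outside is spoofed
    Rule("deny", direction="in", src="10.0.0.0/8"),
    # 1: public web server
    Rule("allow", direction="in", proto="tcp", dst="203.0.113.10/32", dport=443),
    # 2: no other connections may be opened from outside
    Rule("deny", direction="in", proto="tcp", new_stream=True),
    # 3: non-SYN inbound TCP is treated as a reply to an outbound session; a
    #    header-only filter cannot confirm that such a session really exists
    Rule("allow", direction="in", proto="tcp", new_stream=False),
    # 4: drop ICMP in both directions
    Rule("deny", proto="icmp"),
    # 5: outbound traffic from internal addresses
    Rule("allow", direction="out", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    probe = Packet("in", "tcp", "198.51.100.7", "10.0.0.5", 22, syn=True)
    print(decide(RULES, probe))
```

Rule order matters: moving rule 0 below rule 1 would let a packet with a forged internal source reach the web server.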

21
Security in Network Design: Firewalls (continued)
  • Factors when choosing a firewall
  • Supports encryption?
  • Supports user authentication?
  • Allows central management?
  • Easily establishes rules for access?
  • Supports filtering at highest layers of OSI
    Model?
  • Provides logging, auditing, alerting
    capabilities?
  • Protects identity of internal LAN's addresses?
  • Cannot distinguish between user trying to breach
    firewall and user authorized to do so

22
Proxy Servers
  • Proxy service: software that acts as intermediary
    between external and internal networks
  • Screen all incoming and outgoing traffic
  • Manage security at Application layer
  • May be combined with Firewall for greater
    security
  • Improve performance for users accessing resources
    external to network by caching files

23
Proxy Servers (continued)
Figure 14-4 A proxy server used on a WAN

24
Remote Access
  • Must remember that any entry point to a LAN or
    WAN creates potential security risk
  • Remote control
  • Can present serious security risks
  • Most remote control software programs offer
    features that increase security
  • Desirable security features
  • User name and password requirement
  • Ability of host system to call back
  • Support for data encryption

25
Remote Access (continued)
  • Remote control (continued)
  • Desirable security features (continued)
  • Ability to leave host system's screen blank while
    remote user works
  • Ability to disable host system's keyboard and
    mouse
  • Ability to restart host system when remote user
    disconnects

26
Remote Access (continued)
  • Dial-up networking
  • Effectively turns remote workstation into node on
    network
  • Secure remote access server package should
    include at least
  • User name and password authentication
  • Ability to log all dial-up connections, their
    sources, and their connection times
  • Ability to perform callbacks to users
  • Centralized management of dial-up users and their
    rights on network

27
Network Operating System Security
  • Regardless of NOS, can implement basic security
    by restricting what users are authorized to do
  • Limit public rights
  • Administrators should group users according to
    security levels

28
Logon Restrictions
  • Additional restrictions that network
    administrators can use to strengthen security of
    network
  • Time of day
  • Total time logged on
  • Source address
  • Unsuccessful logon attempts

29
Passwords
  • Tips for making and keeping passwords secure
  • Always change system default passwords
  • Do not use familiar information
  • Do not use dictionary words
  • Make password longer than eight characters
  • Choose combination of letters and numbers
  • Do not write down or share passwords
  • Change password at least every 60 days
  • Do not reuse passwords

30
Encryption
  • Use of algorithm to scramble data into format
    that can be read only by reversing the algorithm
  • Encryption provides following assurances
  • Data not modified after sender transmitted it and
    before receiver picked it up
  • Data can only be viewed by intended recipient
  • All data received at intended destination truly
    issued by stated sender and not forged by an
    intruder

31
Key Encryption
  • Key: random string of characters
  • Weaves key into original data's bits to generate
    unique data block
  • Ciphertext
  • Longer keys make it more difficult to decrypt
  • Hackers may attempt to crack a key by using brute
    force attack
  • Keys randomly generated by encryption software

32
Key Encryption (continued)
Figure 14-5 Key encryption and decryption

33
Private Key Encryption
  • Data encrypted using single key that only sender
    and receiver know
  • Data Encryption Standard (DES): 56-bit key
  • Triple DES (3DES): weaves 56-bit key through data
    three times
  • Advanced Encryption Standard (AES): weaves 128-,
    160-, 192-, or 256-bit keys through data multiple
    times
  • Used in military communication
  • Sender must share key with recipient

34
Private Key Encryption (continued)
Figure 14-6 Private key encryption

35
Public Key Encryption
  • Data encrypted using two keys
  • Private key
  • Public key associated with user
  • Public key server: publicly accessible host that
    freely provides list of users' public keys
  • Key pair: combination of public key/private key
  • Public keys more vulnerable than private keys
  • Use longer keys
  • RSA: most popular public key algorithm
  • Digital certificate: password-protected,
    encrypted file that holds identification
    information

36
Public Key Encryption (continued)
Figure 14-7 Public key encryption

37
PGP (Pretty Good Privacy)
  • Typical e-mail communication is highly insecure
  • PGP: public key encryption system that can verify
    authenticity of an e-mail sender and encrypt
    e-mail data in transmission
  • Freely available
  • Most popular tool for encrypting e-mail
  • Can be used to encrypt data on storage devices or
    with applications other than e-mail

38
SSL (Secure Sockets Layer)
  • Method of encrypting TCP/IP transmissions en
    route between client and server
  • Public key encryption
  • HTTPS (HTTP over Secure Sockets Layer) uses TCP
    port 443, rather than port 80
  • SSL session: association between client and
    server defined by agreement on specific set of
    encryption techniques
  • Created by SSL handshake protocol
  • IETF has attempted to standardize SSL with
    Transport Layer Security (TLS)

39
SSH (Secure Shell)
  • Provides remote connections to hosts
  • With authentication and security for transmitting
    data
  • Guards against unauthorized access to host, IP
    spoofing, interception of data in transit, and
    DNS spoofing
  • Variety of encryption algorithms can be used
  • To form secure connection, must be running on
    client and server
  • Must first generate public and private keys on
    client workstation
  • ssh-keygen command

40
SCP (Secure CoPy) and SFTP (Secure File Transfer
Protocol)
  • SCP allows secure copying of files from one host
    to another
  • Replaces FTP
  • SFTP slightly different from SCP
  • Used with proprietary version of SSH
  • Does more than copy files

41
IPSec (Internet Protocol Security)
  • Defines encryption, authentication, and key
    management for TCP/IP transmissions
  • Encrypts data by adding security information to
    header of IP packets
  • Operates at Network layer
  • Accomplishes authentication in two phases
  • Key management: Internet Key Exchange (IKE)
  • Encryption: authentication header (AH) or
    Encapsulating Security Payload (ESP)
  • Can be used with any type of TCP/IP transmission

42
Authentication Protocols: RADIUS and TACACS
  • Authentication protocols: rules that computers
    follow to accomplish authentication
  • RADIUS provides centralized network
    authentication and accounting for multiple users
  • Runs over UDP
  • Can operate as software application on remote
    access server or on a RADIUS server
  • Often used with dial-up networking connections
  • Terminal Access Controller Access Control System
    (TACACS): similar to RADIUS

43
Authentication Protocols: RADIUS and TACACS
(continued)
Figure 14-8 A RADIUS server providing
centralized authentication

44
PAP (Password Authentication Protocol)
  • Authentication protocol that works over PPP
  • Simple, not very secure
  • Does not protect against possibility of malicious
    intruder attempting to guess user's password
    through brute force attack

Figure 14-9 Two-step authentication used in PAP

45
CHAP and MS-CHAP
  • Challenge Handshake Authentication Protocol
    (CHAP) operates over PPP
  • Encrypts user names and passwords
  • Three-way handshake
  • Password never transmitted alone or as clear text
  • Microsoft Challenge Authentication Protocol
    (MS-CHAP): similar to CHAP
  • Used on Windows systems
  • MS-CHAPv2 uses stronger encryption
  • Mutual authentication: both computers verify
    credentials of the other

46
CHAP and MS-CHAP (continued)
Figure 14-10 Three-way handshake used in CHAP
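
The three-way handshake named in the figure caption, with both sides' messages, as an added example that is not part of the presentation. It uses the MD5 response calculation defined for CHAP in RFC 1994; the class names, peer name and shared secret are constructed for illustration.

```python
import hashlib
import hmac
import os

# CHAP packet codes from RFC 1994
CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_md5(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value for CHAP with MD5: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret (bytes)
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        self.pending[ident] = os.urandom(16)      # fresh and unpredictable
        return (CHALLENGE, ident, self.pending[ident])

    def verify(self, packet):
        code, ident, value, name = packet
        challenge = self.pending.pop(ident, None)  # each challenge is single-use
        secret = self.secrets.get(name)
        if code != RESPONSE or challenge is None or secret is None:
            return (FAILURE, ident)
        expected = chap_md5(ident, secret, challenge)
        ok = hmac.compare_digest(expected, value)  # constant-time comparison
        return (SUCCESS if ok else FAILURE, ident)


class Peer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, packet):
        _code, ident, challenge = packet
        return (RESPONSE, ident, chap_md5(ident, self.secret, challenge), self.name)


def handshake(auth, peer):
    """Run the three messages and return them as they would appear on the link."""
    m1 = auth.challenge()       # 1. authenticator -> peer: Challenge
    m2 = peer.respond(m1)       # 2. peer -> authenticator: Response
    m3 = auth.verify(m2)        # 3. authenticator -> peer: Success or Failure
    return m1, m2, m3


if __name__ == "__main__":
    auth = Authenticator({"alice": b"constructed-shared-secret"})
    for msg in handshake(auth, Peer("alice", b"constructed-shared-secret")):
        print(msg)
```

Because every challenge is random and consumed on first use, a Response captured from the link fails if it is sent again.
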
47
EAP (Extensible Authentication Protocol)
  • Another extension to PPP protocol suite
  • Does not perform encryption or authentication
  • Requires authenticator to initiate authentication
    process by asking connected computer to verify
    itself
  • Flexible: supported by most OSs and can be used
    with any authentication method
  • Works with biorecognition and wireless protocols

48
Kerberos
  • Cross-platform authentication protocol
  • Uses key encryption to verify identity of clients
    and to securely exchange information
  • Significant advantages over NOS authentication
  • Does not automatically trust clients
  • Requires client to prove identity through third
    party
  • Key Distribution Center (KDC): server that issues
    keys
  • Authentication service (AS): authenticates a
    principal
  • Issues a ticket

49
Kerberos (continued)
  • Purpose of Kerberos is to connect valid user with
    a service
  • User and service must register keys with
    authentication service
  • AS issues session key to both
  • Randomly generated
  • AS creates ticket allowing user to use service
  • Contains key that can only be decrypted by
    service
  • User's computer creates time stamp for request
  • Encrypts with session key (authenticator)

50
Wireless Network Security: WEP (Wired Equivalent
Privacy)
  • Wireless transmissions susceptible to
    eavesdropping
  • War driving
  • By default, 802.11 standard does not offer
    security
  • Allows for optional encryption using WEP
  • Uses keys to authenticate network clients and
    encrypt data in transit
  • Network key
  • On Windows XP, network key can be saved as part
    of wireless connection's properties
  • Current versions of WEP allow 28-bit network keys

51
IEEE 802.11i and WPA (Wi-Fi Protected Access)
  • Uses EAP with strong encryption scheme
  • Dynamically assigns every transmission its own key
  • Logging on to wireless network more complex than
    with WEP
  • AP acts as proxy between remote access server and
    station until station successfully authenticates
  • Requires mutual authentication
  • After authentication, remote access server
    instructs AP to allow traffic from client into
    network
  • Client and server agree on encryption key

52
IEEE 802.11i and WPA (continued)
  • 802.11i specifies AES encryption method
  • Mixes each packet in data stream with different
    key
  • WPA: subset of 802.11i standard
  • Main difference from 802.11i is that WPA
    specifies RC4 encryption rather than AES

53
Summary
  • Every organization should assess its security
    risks by conducting a security audit at least
    annually
  • One of the most common methods by which an
    intruder gains access to a network is to simply
    ask a user for his password
  • There are many security risks that a network
    administrator must guard against, including risks
    associated with people, network transmission and
    design, and network protocols and software

54
Summary (continued)
  • A security policy identifies an organization's
    security goals, risks, levels of authority,
    designated security coordinator and team members,
    responsibilities for each team member and each
    employee, and strategies for addressing security
    breaches
  • A firewall is a specialized device that
    selectively filters or blocks traffic between
    networks
  • A proxy service is a software application on a
    network host that acts as an intermediary between
    the external and internal networks, screening all
    incoming and outgoing traffic

55
Summary (continued)
  • Every NOS provides at least some security by
    allowing you to limit users' access to files and
    directories on the network
  • Choosing secure passwords is one of the easiest
    and least expensive ways to guard against
    unauthorized access
  • Encryption is the use of an algorithm to scramble
    data into a format that can be read only by
    reversing the algorithm
  • Key encryption comes in two forms: public and
    private key encryption

56
Summary (continued)
  • Popular methods of encryption include PGP, SSL,
    SSH and OpenSSH, and IPSec
  • Authentication protocols used with PPP
    connections include RADIUS, TACACS, PAP, CHAP,
    and MS-CHAP
  • Because WEP uses the same key for all stations
    attaching to an AP and for all transmissions, it
    is not very secure
  • In 802.11i, the EAP authentication method is
    combined with AES encryption