IS 6973 - PowerPoint PPT Presentation

Provided by: alanandj

1
IS 6973
  • Chapter Eleven
  • Supporting-Technology Design Considerations

2
Security Design Considerations
  • Content (focus on caching and content
    distribution networks (CDNs))
  • Load Balancing
  • WLAN
  • IP Telephony

3
Content - Caching
  • Caching: storing data from servers in an
    intermediary device
  • Purpose: lower bandwidth utilization and improve
    response time
  • Security considerations: a rogue cache or a
    compromised cache

4
Content Distribution and Routing
  • Content Distribution Networks (CDNs) improve
    scalability and reliability while improving
    web-page response time for users
  • Concern: efficient delivery of content to
    geographically dispersed clients
  • Multiple copies stored and geographically
    dispersed
  • Security concerns:
    • Location of original content (needs secure
      storage and transmission)
    • Location of copies (same as above), BUT you
      probably have to rely on the vendor
    • Decision-making entity: an attacker could take
      the system out of service or direct users to
      false information
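
The caching and CDN slides both come down to the same concern: the client gets content from a copy it does not control (a cache, a CDN node), so a rogue or compromised intermediary can hand back altered data. The example below is added here and is not from the presentation or the book it follows; it shows the standard mitigation of verifying each copy against a digest obtained from the origin. The `Origin`, `EdgeCache` and `Manifest` names are hypothetical, the object content is constructed, and the example assumes the manifest reaches the client over a channel the cache cannot modify.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    """Digest the origin publishes for one object. Assumed to reach the client over a
    channel the cache cannot modify (e.g. a signed index); that channel is not modelled here."""
    path: str
    sha256: str


class Origin:
    """Authoritative content store (constructed sample standing in for the origin server)."""

    def __init__(self, objects: dict[str, bytes]):
        self._objects = dict(objects)

    def fetch(self, path: str) -> bytes:
        return self._objects[path]

    def manifest(self, path: str) -> Manifest:
        return Manifest(path, hashlib.sha256(self._objects[path]).hexdigest())


class EdgeCache:
    """Intermediary cache / CDN node: serves copies that the client must treat as untrusted."""

    def __init__(self, origin: Origin):
        self._origin = origin
        self._store: dict[str, bytes] = {}

    def fetch(self, path: str) -> bytes:
        if path not in self._store:            # cache miss: pull from the origin once
            self._store[path] = self._origin.fetch(path)
        return self._store[path]

    def corrupt(self, path: str, payload: bytes) -> None:
        """Simulate a rogue or compromised cache replacing a stored copy."""
        self._store[path] = payload


class IntegrityError(Exception):
    pass


def fetch_verified(cache: EdgeCache, manifest: Manifest) -> bytes:
    """Fetch from the cache and accept the copy only if it matches the origin's digest."""
    body = cache.fetch(manifest.path)
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, manifest.sha256):
        raise IntegrityError(f"{manifest.path}: cached copy does not match origin digest")
    return body


def demo() -> tuple[bytes, bool]:
    """Serve one object through the cache, then corrupt the cache and show the check catches it."""
    origin = Origin({"/static/app.js": b"console.log('hello from origin');"})   # constructed sample
    cache = EdgeCache(origin)
    manifest = origin.manifest("/static/app.js")

    good = fetch_verified(cache, manifest)          # first fetch: genuine copy, accepted

    cache.corrupt("/static/app.js", b"console.log('served by a rogue cache');")
    try:
        fetch_verified(cache, manifest)
        detected = False
    except IntegrityError:
        detected = True
    return good, detected


if __name__ == "__main__":
    body, detected = demo()
    print(body.decode(), "| tampering detected:", detected)
```

The check is only as good as the channel that delivers the manifest: if the digest is fetched through the same cache as the content, a compromised cache can replace both, which is why the slide's point about secure storage and transmission of the original applies to the manifest as well.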

5
Load Balancing
  • Balancing the load across several servers or
    network security devices
  • Purpose: increase performance
  • Usually deployed only when a single server can't
    deal with the client load (Fig. 11-1)
  • Security considerations: about the same as for a
    router or switch

6
SSL Offload
  • Secure Socket Layer: protocol that provides
    security services to users worldwide
  • It provides confidentiality, message integrity,
    authentication, and key exchange services
  • SSL traffic is terminated and decrypted at the
    server load balancing (SLB) device (Fig. 11-2)
  • Hardware device focuses on decryption
  • Allows the NIDS to receive cleartext copies of
    traffic (thus improves the ability to detect an
    attack)
  • Deliberately introduces a security vulnerability
    (traffic past the SLB device is in cleartext)

7
Security Device Placement
  • Generally, the firewall is placed before (closer to
    the external network than) the SLB device and the
    NIDS is placed close to the servers
  • Same placement of firewall and NIDS as in the
    traditional design (Fig. 11-3)

8
Security Device Load Balancing
  • May have to load balance a security device at the
    Internet edge (a site is usually performance
    constrained by upstream B/W to the ISP)
  • Load balance as the last option! Try these
    first:
    • Buy a faster box
    • Modify the network design to eliminate
      bottlenecks (add firewalls, etc.)

9
Wireless LANs
  • Goal of WLAN security: ensure that only
    authorized users can gain access to the network
    by authorized devices and that unauthorized users
    cannot decipher the messages

10
Securing WLANs
  • AP hardening: APs typically have no OOB security
    features enabled
    • Ensure that management traffic is encrypted and
      authenticated
    • Encrypt ALL traffic
  • Rogue APs:
    • Physically roam your location searching for
      rogues, using a sniffer such as NetStumbler
      (www.netstumbler.com)
    • Use tools to automate AP detection
    • Use port security to limit the number of MAC
      addresses on a port
    • Apply 802.1X on switches
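
"Use tools to automate AP detection" is the defensive half of the rogue-AP problem: compare what a scan sees against an inventory of radios you own. The example below is added here and is not from the presentation or from NetStumbler; it parses a constructed scan listing (an invented SSID,BSSID,channel,RSSI format, not any tool's real output) and classifies each observation. The inventory, the `ON_PREMISES_RSSI` threshold and all MAC addresses are constructed sample values.

```python
from __future__ import annotations

from dataclasses import dataclass

# Inventory of authorized radios: BSSID -> the SSID it is allowed to advertise.
# Constructed sample values, not a real site's inventory.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": "corp-wifi",
    "00:11:22:aa:bb:02": "corp-wifi",
    "00:11:22:aa:bb:03": "corp-guest",
}
OWN_SSIDS = frozenset(AUTHORIZED_APS.values())

# Signal stronger than this (dBm) is assumed to come from inside the building (assumed threshold).
ON_PREMISES_RSSI = -50

# Constructed scan output, one observation per line: SSID,BSSID,channel,RSSI.
# Invented format for this example, not NetStumbler's or any other tool's output.
SAMPLE_SCAN = """\
corp-wifi,00:11:22:AA:BB:01,6,-41
corp-wifi,00:11:22:aa:bb:02,11,-55
corp-guest,00-11-22-AA-BB-03,1,-60
corp-wifi,de:ad:be:ef:00:01,6,-38
linksys,c0:ff:ee:00:00:01,6,-72
corp-guest,00:11:22:aa:bb:02,11,-57
"""


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str      # normalized: lower-case, colon-separated
    channel: int
    rssi: int       # dBm


def normalize_mac(mac: str) -> str:
    """Canonical form so inventory lookups do not miss on case or separator differences."""
    return mac.strip().lower().replace("-", ":")


def parse_scan(text: str) -> list[Observation]:
    observations = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, rssi = (field.strip() for field in line.split(","))
        observations.append(Observation(ssid, normalize_mac(bssid), int(channel), int(rssi)))
    return observations


def classify(obs: Observation, authorized=AUTHORIZED_APS, own_ssids=OWN_SSIDS) -> str:
    expected_ssid = authorized.get(obs.bssid)
    if expected_ssid is not None:
        # Known radio; flag it if it advertises an SSID it was not configured for.
        return "authorized" if obs.ssid == expected_ssid else "misconfigured"
    if obs.ssid in own_ssids:
        return "rogue-impersonating"      # unknown radio advertising one of our SSIDs
    if obs.rssi >= ON_PREMISES_RSSI:
        return "unknown-on-premises"      # unknown radio, too strong to be a neighbour
    return "unknown-neighbor"


def find_suspects(text: str) -> list[tuple[str, str, str]]:
    """Everything that is not a known radio advertising its own SSID, in scan order."""
    return [
        (obs.bssid, obs.ssid, verdict)
        for obs in parse_scan(text)
        if (verdict := classify(obs)) != "authorized"
    ]


if __name__ == "__main__":
    for bssid, ssid, verdict in find_suspects(SAMPLE_SCAN):
        print(f"{verdict:22} {bssid}  {ssid}")
```

A radio that is in the inventory but advertises the wrong SSID is reported separately from a true rogue, since the fix differs (reconfigure the AP versus locate and remove it); the signal-strength rule only orders the follow-up and should not be the sole basis for ignoring an unknown radio.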

11
Securing WLANs (cont.)
  • Denial of Service: an attacker can flood the
    network with legitimate traffic OR can do
    frequency jamming at L1, using phones,
    microwaves, Bluetooth, etc.
  • Physical isolation: cannot physically isolate;
    the "Pringles can" antenna could transmit data
    over 10 miles (www.oreillynet.com/cs/weblog/view/wlg/448)

12
WLAN Technology Options 802.11
  • Default (802.11) security is WEP, but WEP can be
    quickly cracked
  • WEP only provides for static WEP keys, meaning
    they need to be provided prior to connectivity
    (Fig. 11-7)
  • Consider this type of WLAN untrusted and
    require some form of identity control
  • Partition the WLAN as much as possible
  • May require all security at the application level

13
802.11 Security Enhancements
  • Dynamic key management: keys are determined for
    each individual client based on the
    authentication information gathered at first
    connect
  • Improved cryptographic mechanisms: improved
    encryption and improved packet
    integrity/authentication checks
  • 802.11 Task Group: address additional security
    needs (TBD)
    • 802.1X and EAP for authorization
    • TKIP (Temporal Key Integrity Protocol) for
      encryption
    • Provide basic security in ad hoc networks
    • Enable users to pre-authenticate with multiple
      APs (better performance)
    • Provide secure handling of management frames

14
802.11 Security Enhancements (Cont.)
  • Wi-Fi Protected Access (WPA): Wi-Fi Alliance
    group, www.wi-fi.org
  • WPA is intended to be:
    • A software/firmware upgrade to existing access
      points and NICs
    • Inexpensive in terms of time and cost to
      implement
    • Cross-vendor compatible
  • WPA is a subset of the 802.11i draft standard and
    is expected to maintain forward compatibility
    with the standard

15
L3 Cryptography of WLANs
  • Can forgo security at L1 and L2 and concentrate
    on L3:
    • IPsec, VPN, SSL, SSH
  • DoS attacks at the WLAN layer are still possible
    (e.g. spoofed messages)

16
IPsec
  • Can establish a VPN to the wired network
  • Need IP connectivity before the IPsec tunnel can
    be established
  • DHCP server must be reachable by the entire
    network before IPsec is established (Fig. 11-9)

17
SSH/SSL
  • Must first establish a connection to an SSH/SSL
    server
  • These servers may provide limited VPN function or
    allow a single application to function
  • Best for a small number of applications
  • SSL was originally designed to secure web
    application front ends (HTTP becomes HTTPS); it
    also works with SMTP, IMAP, POP3, etc., but needs
    an application to drive SSL
  • SSH was originally designed to replace Telnet and
    FTP; it creates an encrypted tunnel between two
    hosts, enabling a user to run HTTP, FTP, POP3,
    etc. through it
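
"Need an application to drive SSL" means the application, not the network, decides whether the server on the other end is verified. The example below is added here and is not from the presentation; it uses Python's standard `ssl` module to show the context an application should connect with (certificate chain and hostname verified, TLS 1.2 or newer) next to the common mistake of encrypting without verifying, plus a policy check an application can run before wrapping a socket. The `TLS_SERVICES` table, the helper names and the placeholder host are this example's assumptions; it covers only services where TLS wraps the connection from the first byte, not STARTTLS upgrades.

```python
from __future__ import annotations

import socket
import ssl

# Services where SSL/TLS wraps the whole connection from the first byte (implicit TLS).
# Assumption of this example: implicit-TLS ports only; STARTTLS upgrades are not covered.
TLS_SERVICES = {"https": 443, "smtps": 465, "imaps": 993, "pop3s": 995}


def secure_client_context(cafile: str | None = None) -> ssl.SSLContext:
    """Context an application should drive SSL with: verifies the server's certificate
    chain and hostname, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The common mistake, shown for contrast: the link is encrypted, but any server
    (including one in the middle of the path) is accepted because nothing is verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be dropped
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Policy check an application can run before it wraps a socket."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def open_tls(host: str, service: str, ctx: ssl.SSLContext | None = None,
             timeout: float = 10.0) -> ssl.SSLSocket:
    """Drive SSL for one application: connect to the service port and wrap the socket.
    server_hostname is what enables hostname checking (and SNI)."""
    if ctx is None:
        ctx = secure_client_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to connect with a context that does not verify the server")
    raw = socket.create_connection((host, TLS_SERVICES[service]), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Connects to a real mail server, so only run this with network access.
    with open_tls("imap.example.com", "imaps") as tls:        # placeholder host
        print(tls.version(), tls.getpeercert()["subject"])
```

The same context works for HTTPS, SMTPS, IMAPS and POP3S because, as the slide says, SSL sits under the application protocol; what changes per application is only the port and what is spoken after the handshake.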

18
Unique Deployment Options
  • Offer Internet access to WLAN users without going
    through the wired network (Fig. 11-14)
  • Note: still depends upon firewalls and IPsec
  • WLAN that serves multiple groups:
    differentiation occurs at the application level,
    not the network level
  • Could also establish VLANs (Fig. 11-15)

19
IP Telephony
  • Calls can originate, transfer from the WAN, and
    terminate, all over IP
  • Cheap, convenient, but not secure
  • Most deployed voice protocols have no mechanism
    for secure authentication, confidentiality, and
    integrity of phone conversations
  • Potential problems: listening in on others'
    conversations, placing unauthorized phone calls,
    causing a DoS condition on the network, MITM
    attacks injecting words into a conversation
    without the speaker being aware of it, spam over
    VoIP mailboxes

20
Security Options
  • Encrypt call signaling so phone addresses don't
    run in the clear
  • Encrypt voice packets, making it virtually
    impossible to insert words
  • Working on including digital certificates in VoIP
    devices to verify security and prevent or decrease
    multicasting conversations to rogue phones
  • Deploy firewalls
  • Focus on layered security
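
"Encrypt voice packets, making it virtually impossible to insert words" holds only when the packets are also authenticated; encryption alone hides the words but does not stop an attacker from modifying or replaying a packet. The example below is added here and is not from the presentation; it mimics the SRTP layout (encrypted payload, then a truncated HMAC tag over header and ciphertext, with replay detection on the sequence number) to show a receiver rejecting a modified packet and a replayed one. The `MediaSender`/`MediaReceiver` names, the SHA-256-based keystream (a stand-in for a real stream cipher, not for deployment), the per-packet replay set and the sample payload are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

TAG_LEN = 10   # 80-bit truncated authentication tag (the length SRTP uses by default)


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Per-packet keystream derived from the key and sequence number.
    Stand-in for a real stream cipher (SRTP uses AES in counter mode); an
    assumption of this example only, not something to deploy."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!HI", seq, block)).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MediaSender:
    def __init__(self, enc_key: bytes, auth_key: bytes):
        self._enc, self._auth = enc_key, auth_key

    def protect(self, seq: int, voice: bytes) -> bytes:
        """Encrypt the voice payload, then tag header+ciphertext (encrypt-then-MAC)."""
        header = struct.pack("!H", seq)
        body = _xor(voice, _keystream(self._enc, seq, len(voice)))
        tag = hmac.new(self._auth, header + body, hashlib.sha1).digest()[:TAG_LEN]
        return header + body + tag


class MediaReceiver:
    def __init__(self, enc_key: bytes, auth_key: bytes):
        self._enc, self._auth = enc_key, auth_key
        self._seen: set[int] = set()   # simplification: SRTP uses a sliding replay window

    def accept(self, packet: bytes) -> tuple[str, bytes | None]:
        if len(packet) < 2 + TAG_LEN:
            return "rejected: truncated", None
        header, body, tag = packet[:2], packet[2:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self._auth, header + body, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag", None       # injected or modified packet
        (seq,) = struct.unpack("!H", header)
        if seq in self._seen:
            return "rejected: replay", None       # same packet played back again
        self._seen.add(seq)
        voice = _xor(body, _keystream(self._enc, seq, len(body)))
        return "accepted", voice


def demo() -> list[str]:
    """One genuine packet, one modified in transit, one replayed, one more genuine packet."""
    enc_key, auth_key = os.urandom(16), os.urandom(20)   # assumed to come from the call's key exchange
    sender, receiver = MediaSender(enc_key, auth_key), MediaReceiver(enc_key, auth_key)
    genuine = sender.protect(1, b"meeting moved to Thursday")   # constructed sample payload
    modified = bytearray(genuine)
    modified[5] ^= 0xFF                                          # a ciphertext byte altered on the path
    return [
        receiver.accept(genuine)[0],
        receiver.accept(bytes(modified))[0],
        receiver.accept(genuine)[0],
        receiver.accept(sender.protect(2, b"ok"))[0],
    ]


if __name__ == "__main__":
    print(demo())
```

The tag is checked before anything is decrypted or the sequence number is trusted, so a forged packet costs the receiver one HMAC and never reaches the codec; the replay check is what stops a captured genuine packet from being played back into the call later.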

21
Chapter 11 Review Questions
  • Discuss the primary design considerations for
    content, load balancing, WLANs, and IP telephony
    (VoIP)
  • What are the primary advantages of caching? Why
    is it a potential security concern?
  • What is a content distribution network (CDN)?
    Discuss the security concerns of a CDN.

22
Chapter 11 Review Questions
  • What is load balancing? What is its purpose? Why
    is it considered the choice of last resort? What
    other choices do you have?
  • What is SSL offload? Discuss the proper
    placement of a firewall and NIDS with SSL
    offload.
  • What is the primary goal of WLAN security?
  • What are the major security concerns of WLANs?

23
Chapter 11 Review Questions
  • Discuss the primary drawbacks of WEP
  • Discuss the major concerns of the 802.11 Task
    Group
  • Discuss the primary features of WPA
  • Discuss the major features of the following L3
    protocols: IPsec, SSL, SSH
  • Compare and contrast SSL with SSH
  • Discuss the major IP telephony security concerns
  • Discuss the IP telephony security options