IS 3423 – Secure Network Design

Chapter Three

Applying Security
Technologies to Real
Networks

                       UTSA       1
VPN – Virtual Private Network

• Used to secure end-to-end private network
  connections over a public network infrastructure
• Data is tunneled, but it appears as if information is
  sent over a dedicated private line
• More secure than sending traffic over the Internet in the
  clear, provided the tunnel authenticates its endpoints and
  protects integrity as well as confidentiality
• Inexpensive substitute for leased lines




VPN Technology

• Basic Premise – secure transfer of data across a public network
• Security of the tunnel requires that its endpoints are authentic
  (a sound authentication scheme is needed)
• Must ensure that data has not been modified in transit (integrity)
• Must be able to manage both the establishment and operation of
  VPN tunnels
• Must be able to restrict unauthorized access to your network
  (access control)
• Must be able to prevent viewing or copying of data as it traverses
  the network (confidentiality)



Why Invest in a VPN?

• Cost saving of Internet VPN as compared to
  traditional private network of leased lines
• Flexibility
• Scalability




Types of VPNs

• Remote access for the mobile workforce
  (telecommuters, travelers, etc.)
• Intranet connectivity or site-to-site (link remote
  offices, customers, etc.)
• Extranet connectivity or B2B (allow access to
  users outside the enterprise)
• Enables simultaneous access from multiple remote users
• Refer to Figures 3-1, 3-2, 3-3

Figure 3.1 Corporate VPN: the corporate network sits behind a VPN
concentrator and a router with firewall. Across the Internet it
terminates an Access VPN from a mobile user and from a telecommuter
(DSL, cable modem or ISDN), an Intranet VPN from a branch office and a
remote office (each behind a router with firewall), and an Extranet VPN
from a business partner's router with firewall.
Figure 3-2. Site-to-Site VPN: one VPN tunnel end-point at each site,
joined by a single secure VPN tunnel; a file server at one site is
reached by Host 1, Host 2 and Host 3 at the other.
Figure 3-3. Client-to-Site VPN: Mobile User 1 and Mobile User 2 each
run their own VPN tunnel end-point and build separate tunnels (VPN
Tunnel 1, VPN Tunnel 2) to the VPN tunnel end-point at the corporate
network.
Security Policies for VPNs

• Access privileges vary among the different types of
  VPNs
• Authentication generally more stringent on VPN for
  intranet than VPN for extranet




VPN Features

• Security – encryption, key management, tunneling, traffic
  separation, packet authentication, user authentication,
  and access control
• Reliability
• Manageability – network monitoring (central control is
  critical)
• Scalability
• Usability
• Interoperability – standardized protocols such as IPsec,
  but different vendors may have different methods of
  implementation
• Multi-protocol Support

Tunneling Protocols – Table 3

• IPsec – provides confidentiality, integrity and device (not
  user) authentication of the tunnel endpoints
• PPTP – point-to-point tunneling protocol – provides device
  and user authentication; its MPPE encryption has no
  integrity protection (older protocol)
• L2TP – layer 2 tunneling protocol – device and user
  authentication and multi-protocol support, but does not
  provide message integrity or data confidentiality on its own
• L2TP/IPsec – best of both worlds – the L2TP tunnel is carried
  inside IPsec: user and device authentication, strong integrity,
  privacy, interoperability, multi-protocol support, etc.


Authentication

• User – typically prompts for a user name and
  password; identifies who is connecting
• Device – authenticates the device (e.g. by pre-shared
  key or certificate), but not the user of the device




How to Select a VPN

• Review your security policies
• Compare vendor responses based on security policies
   – Do you need remote access?
   – Who are you connecting with? How secure does this system
     need to be?
   – How secure are data streams?
   – What bandwidth is required?
   – What about latency?
   – How will this integrate with existing or planned systems?




Wireless Networks

• Provide mobility to network users
• Available virtually anywhere




Primary Types of Wireless
Technology
• 802.11 – IEEE wireless LAN standard.
  – 802.11b (Wi-Fi) – up to 11 Mbps at 2.4 GHz (most widely
    deployed)
  – 802.11a – up to 54 Mbps at 5 GHz
  – 802.11g – up to 54 Mbps at 2.4 GHz, backward
    compatible with 802.11b (not with 802.11a, which uses
    a different band)
• Bluetooth – personal area network (PAN) – low
  power, short range wireless connectivity (typically about
  10 meters for common Class 2 devices) – up to about
  780 kbps for the 1.x versions

Wireless LAN Components

• Access point – associates and authenticates
  wireless clients to the network
• NIC – enables a PC or workstation to connect to
  the wireless network
• Bridge – may be used to connect multiple WLANs
• Antenna – radiates or receives modulated signal
• Amplifier – increases strength of transmissions



Peer-to-Peer WLAN

• Wireless clients with compatible NICs
  can communicate without an AP (access
  point) (Fig. 3-8)
• Coverage area is limited
• No access to wired resources.



Figure 3.8 Peer-to-Peer WLAN: three wireless clients communicating
directly with one another, with no access point.
Infrastructure Mode WLAN

• All wireless clients connect through an
  AP (fig. 3-9)
• Can extend use of wired network
• If have multiple APs, clients can roam if
  the AP coverage overlaps (fig. 3-10)



Figure 3.9 Infrastructure Mode WLAN: two wireless clients associate
with a wireless access point, which connects them to the corporate
network.
Figure 3.10 WLAN Roaming: a roaming user drops the old association
with one access point and forms a new association with a neighbouring
access point on the same corporate network.
802.11 Media Access Control

• CSMA/CA – carrier sense multiple
  access with collision avoidance




802.11 Spread Spectrum
Radio Technology
• DSSS – Direct sequence spread spectrum – best
  suited for high-speed, client/server applications
  where radio interference is minimal (fig. 3-11)
• FHSS – Frequency hopping spread spectrum –
  resistant to narrowband interference, but max speed
  of 2 Mbps (fig. 3-12)
• OFDM – Orthogonal frequency division
  multiplexing – (802.11a and 802.11g) available bandwidth
  divided into multiple data carriers, without
  guardbands (fig. 3-13)

Figure 3.11 Direct Sequencing: the 2400 to 2483 MHz band divided into
channels 1 through 11, each 22 MHz wide. With channel centres only
5 MHz apart, adjacent channels overlap and only channels 1, 6 and 11
are mutually non-overlapping.
Figure 3.12 Frequency Hopping: time on the vertical axis, frequency
(2.400 GHz to 2.483 GHz) on the horizontal; the transmitter hops
through a pseudo-random sequence of nine numbered channel slots.
Figure 3.13 OFDM: the channel divided into many closely spaced
orthogonal sub-carriers across frequency.
Wireless Roaming

• Capability to connect to multiple APs
• Method varies among vendors – usually
  done because client is getting out of
  range of current AP




SSID – Service Set Identifier

• The name of the WLAN
• All devices on the WLAN must employ the same SSID in
  order to communicate. Client can have multiple SSIDs
• Wardrivers scan for SSIDs being broadcast by wireless
  LANs, then set that SSID on their client to attempt to join
  that WLAN
• Knowing the SSID name does not necessarily mean that
  rogue clients will be able to join the network. It depends
  on how the network administrator has configured their
  WLAN.

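The SSID a wardriver's scanner shows comes from the access point's beacon frames, together with the Capability Information field (whose Privacy bit says whether encryption is in use) and the RSN element that marks WPA2. The Python below is an added example, not code from the slides or from any vendor. It constructs a few sample beacon frames (sample data, not captures) and parses them the way a scanner would: it reports the SSID or flags it as hidden, reads the channel from the DS Parameter Set element, classifies the network as open, WEP, WPA or WPA2/RSN, and refuses elements whose length field runs past the end of the frame instead of reading beyond it. The function names (`build_beacon`, `parse_beacon`, `classify`, `survey`) and the sample BSSIDs are this example's own.

```python
"""Parse 802.11 beacon frames the way a wardriving scanner does.
Added example with constructed frames; nothing here is a real capture."""
import struct

BEACON_FC = b"\x80\x00"       # Frame Control: type 0 (management), subtype 8 (beacon)
CAP_PRIVACY = 0x0010          # Capability Information bit 4: Privacy (WEP or RSN in use)
IE_SSID, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 3, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 marks the pre-802.11i WPA element
HDR_LEN, FIXED_LEN = 24, 12   # MAC header; timestamp(8) + beacon interval(2) + capability(2)


def build_beacon(ssid: bytes, channel: int, security: str = "open",
                 bssid: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a minimal beacon (sample data). security: 'open', 'wep', 'wpa' or 'rsn'."""
    hdr = BEACON_FC + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0 if security == "open" else CAP_PRIVACY
    fixed = struct.pack("<QHH", 0, 100, cap)            # timestamp, 100 TU interval, capability
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    if security == "rsn":
        ies += bytes([IE_RSN, 2]) + struct.pack("<H", 1)               # RSN element, version 1
    elif security == "wpa":
        ies += bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + struct.pack("<H", 1)
    return hdr + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, SSID (None if hidden), channel and security markers; reject bad input."""
    if len(frame) < HDR_LEN + FIXED_LEN or (frame[0] & 0xFC) != 0x80:
        raise ValueError("not an 802.11 beacon frame")
    _ts, interval, cap = struct.unpack_from("<QHH", frame, HDR_LEN)
    info = {"bssid": frame[16:22].hex(":"), "interval_tu": interval,
            "privacy": bool(cap & CAP_PRIVACY), "ssid": None, "hidden": False,
            "channel": None, "rsn": False, "wpa": False}
    pos = HDR_LEN + FIXED_LEN
    while pos < len(frame):
        if pos + 2 > len(frame):
            raise ValueError("truncated element header")
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:                          # length field points past the frame
            raise ValueError(f"element {ie_id} claims {ie_len} bytes, {len(body)} present")
        if ie_id == IE_SSID:
            info["hidden"] = ie_len == 0 or body == b"\x00" * ie_len
            info["ssid"] = None if info["hidden"] else body.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            info["channel"] = body[0]
        elif ie_id == IE_RSN:
            info["rsn"] = True
        elif ie_id == IE_VENDOR and body.startswith(WPA_OUI_TYPE):
            info["wpa"] = True
        pos += 2 + ie_len
    return info


def classify(info: dict) -> str:
    """Privacy bit plus RSN/WPA elements decide what the scanner labels the network."""
    if not info["privacy"]:
        return "open"
    if info["rsn"]:
        return "WPA2/RSN"
    if info["wpa"]:
        return "WPA"
    return "WEP"                  # Privacy bit set with no RSN/WPA element: legacy WEP


def channel_center_mhz(channel: int) -> int:
    """2.4 GHz plan: 5 MHz spacing from 2412 MHz (channel 1); channel 14 is the outlier."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"channel {channel} is not a 2.4 GHz channel")


def survey(frames) -> list:
    """Summarise a batch of beacons as a scanner's table would."""
    rows = []
    for frame in frames:
        info = parse_beacon(frame)
        ch = info["channel"]
        rows.append({"bssid": info["bssid"], "ssid": info["ssid"], "hidden": info["hidden"],
                     "channel": ch, "mhz": channel_center_mhz(ch) if ch else None,
                     "security": classify(info)})
    return rows


if __name__ == "__main__":
    samples = [   # constructed beacons with sample BSSIDs, not captures
        build_beacon(b"tsunami", 6, "open", bssid=b"\x02\x00\x00\x00\x00\x01"),   # default SSID
        build_beacon(b"", 11, "wep", bssid=b"\x02\x00\x00\x00\x00\x02"),          # hidden, WEP
        build_beacon(b"corp-wlan", 1, "rsn", bssid=b"\x02\x00\x00\x00\x00\x03"),
    ]
    for row in survey(samples):
        print(row)
```

Hiding the SSID only blanks the SSID element in the beacon; the name still travels in the clear in probe requests and association requests, so a passive sniffer recovers it as soon as a legitimate client connects.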
Ways to Avoid Rogue Clients

• Change the default SSID (Linksys ships as linksys, Cisco
  Aironet as tsunami); a default SSID advertises an
  unconfigured device
• Don’t broadcast the SSID – this only blanks the beacon; the
  SSID is still sent in the clear in probe and association
  frames, so treat it as obscurity, not access control
• Associate clients by MAC address. If incorrect
  MAC, connection not allowed – generally suitable
  for smaller networks; MAC addresses are trivially
  spoofed, so this too is only a speed bump
• WEP encryption – wired equivalent privacy – link
  level encryption between client and AP
  (symmetric, RC4) – broken: keys are recoverable from
  captured traffic and frames can be forged; use WPA2 or
  WPA3 instead
• Cryptographic authentication – e.g. 802.1X/EAP with
  per-user credentials, so the client and not just a shared
  key is authenticated
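Two points earlier on this page, that PPTP encrypts without protecting integrity and that WEP is vulnerable to attack, come down to the same cipher: RC4 used as an unauthenticated stream cipher. The Python below is an added example, not from the slides or any vendor, and uses constructed keys and messages. An attacker with no key flips chosen bits of the plaintext by flipping the same bits of the ciphertext; in the WEP-style case the CRC-32 ICV does not help, because CRC is linear and the attacker repairs the encrypted ICV blind. The same tampering against an encrypt-then-MAC construction (HMAC-SHA256 over the ciphertext, the arrangement IPsec ESP uses with its integrity trailer) is rejected. The RC4 implementation is present only to make the weakness reproducible offline; the function names and the sample key, MAC key and message are this example's own.

```python
"""Malleability of an unauthenticated stream cipher (RC4, as used by WEP and PPTP/MPPE)
versus encrypt-then-MAC. Added example with constructed keys and messages."""
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). Present only so the weakness is reproducible; do not use RC4."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def wep_style_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """WEP layout: plaintext || CRC-32 ICV, all RC4-encrypted (per-packet IV left out)."""
    return rc4_xor(key, plaintext + struct.pack("<I", zlib.crc32(plaintext)))


def wep_style_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Receiver side: decrypt, then accept only if the ICV matches the body."""
    msg = rc4_xor(key, ciphertext)
    body, (icv,) = msg[:-4], struct.unpack("<I", msg[-4:])
    if zlib.crc32(body) != icv:
        raise ValueError("ICV mismatch")
    return body


def forge_wep(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Keyless attacker: XOR `mask` into plaintext byte `offset`, then repair the encrypted
    ICV using CRC linearity: crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros of the same length)."""
    n = len(ciphertext) - 4
    delta = bytearray(n)
    delta[offset] = mask
    icv_delta = zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(n))
    forged = bytearray(ciphertext)
    forged[offset] ^= mask
    for k, b in enumerate(struct.pack("<I", icv_delta)):
        forged[n + k] ^= b
    return bytes(forged)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 over the ciphertext, as ESP's integrity trailer does."""
    ct = rc4_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    ct, tag = msg[:-32], msg[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return rc4_xor(enc_key, ct)


def demo() -> dict:
    """Run both scenarios on constructed data and report what each receiver accepts."""
    key = b"\x0b\xad\xc0\xff\xee"                  # 40-bit, WEP-sized sample key
    mac_key = b"hypothetical-mac-key"             # separate integrity key (sample)
    plaintext = b"PAY 0100 USD TO ALICE"
    # Byte 5 is the '1' of 0100; XOR 0x08 turns ASCII '1' (0x31) into '9' (0x39).
    results = {}
    wep_ct = wep_style_encrypt(key, plaintext)
    results["wep_accepts"] = wep_style_decrypt(key, forge_wep(wep_ct, 5, 0x08))
    sealed = bytearray(seal(key, mac_key, plaintext))
    sealed[5] ^= 0x08
    try:
        results["hmac_accepts"] = unseal(key, mac_key, bytes(sealed))
    except ValueError:
        results["hmac_accepts"] = None                # tampering detected and rejected
    results["hmac_roundtrip"] = unseal(key, mac_key, seal(key, mac_key, plaintext))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it, the WEP-style receiver accepts the altered amount without complaint while the HMAC receiver rejects the tampered packet; real WEP is weaker still, since its keys are also recoverable from captured traffic, which is why the slide's recommendation is WPA2 or WPA3 rather than a fixed-up WEP.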
    Physical Security Concerns of
    Wireless

• Many wireless devices are mobile, meaning they
  are used outside the network perimeter
• These devices are small and easily stolen
• Need to be concerned about data stored on these
  mobile devices




     Limitations of PDAs and Mobile
     Phones

•   Battery life
•   Small displays
•   Limited input methods
•   Reduced memory
•   Slower CPU processing speeds




Bluetooth

• Communications protocol designed for use in personal
  area networks (PANs) that require short-range
  communication
• Provides physical and data link layer connectivity to the
  network
• Usage:
   – Internet Bridge – PC uses a mobile phone to access the Internet.
     PC communicates with the phone via the Bluetooth protocol. The
     mobile phone dials the Internet. Bluetooth supports the Point-to-Point
     Protocol (PPP), which in turn can transport IP packets
   – Synchronization – create a PAN for the purpose of synchronizing
     email, calendar, and contact data
   – Three-in-one phone – function as 1) cordless phone, 2) intercom
     phone for device-to-device communications, and 3) regular cell
     phone
Bluetooth Limitations

• Primary limitation - Devices, not users, are trusted
• Small storage and RAM prohibit security checks
  on each packet – so upper level applications are
  responsible for security after initial connection




VoIP – Voice Over IP

• Also known as IP telephony
• Convergence of voice and data
• Voice traffic carried over a packet-switched data
  network via IP




Tips for Securing VoIP Traffic

• Encrypt VoIP traffic and run it over a VPN
• Properly configure your firewalls
• Consider segmenting voice and data traffic by using a virtual LAN.
  This will limit the threat posed by packet-sniffing tools and minimize
  disruption in the event of an attack.
• Consider using proxy servers in front of corporate firewalls to
  process incoming and outgoing voice data.
• Make sure that server-based IP PBXs are locked down and
  protected against viruses and denial-of-service attacks.
For CASE

• Do you foresee a need for Bluetooth? How, where? What
  level of security will you need? How will you achieve it?
• Where? What level of security will you need? How will
  you achieve it?
• Do you foresee a need for WLANs? What level of security
  will you need? How will you achieve it?
• What about VoIP?
• What are your risks? How will you mitigate them?
• What new policies will you need? Why?
• What potential regulations are impacted? How do you
  address them?
Chapter 3 Review Questions

• What is a VPN? Describe how it is used.
• Why would anyone invest in a VPN?
• Compare and contrast the 3 primary VPN classifications.
• Describe the basic features of a VPN
• Compare and contrast the major tunneling protocols.
  Why is the combination of L2TP/IPsec considered best?
• Compare and contrast the 3 primary IEEE 802.11
  wireless standards (802.11a, 802.11b and 802.11g)
• Compare and contrast peer-to-peer WLANs with
  Infrastructure Mode WLANs.

Chapter 3 Review Questions (cont.)


• Compare and contrast DSSS, FHSS, and OFDM
• Describe the MAC utilized by 802.11
• What is wireless roaming?
• What is the significance of the SSID?
• How can you avoid rogue wireless clients?
• Describe Bluetooth. What are its similarities and
  differences with 802.11?
• What is VoIP? Provide tips for securing a VoIP
  network
