IS 3423 – Secure Network Design


Chapter Three

Applying Security Technologies to Real

                       UTSA       1
VPN – Virtual Private Network

• Used to secure end-to-end private network
  connections over a public network infrastructure
• Data is tunneled, but it appears as if information is
  sent over a dedicated private line
• More secure than traditional Internet transport
• Inexpensive substitute for leased lines

VPN Technology

• Basic Premise – secure transfer of data across a public network
• Security of tunnel requires that its endpoints are authentic (must
  have accurate authentication scheme)
• Must ensure that data has not been modified in transit (integrity)
• Must be able to manage both the establishment and operation of
  VPN tunnels
• Must be able to restrict unauthorized access to your network
  (access control)
• Must be able to prevent viewing or copying of data as it traverses
  the network (confidentiality)
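The integrity, endpoint-authenticity and replay requirements listed above are usually met by the same mechanism IPsec ESP uses: a keyed hash over each tunneled frame plus a sliding anti-replay window. The following Python is an added illustration written for this page, not code from the original slides or from any VPN product. The frame layout (4-byte sequence number, payload, HMAC-SHA256 tag), the hard-coded `KEY`, and the window size are constructed assumptions; a real tunnel derives its keys from an authenticated key exchange and encrypts the payload as well, which this example omits because the standard library has no block cipher.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the example only. A real VPN derives per-tunnel
# keys from an authenticated key exchange (IKE for IPsec), never a literal.
KEY = b"example-shared-secret-for-demo-only"
WINDOW = 32  # anti-replay window size; ESP implementations use at least 32
TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build a frame: 4-byte sequence number || payload || HMAC-SHA256 tag.

    The tag covers the sequence number, so a captured frame cannot simply be
    renumbered and re-sent without failing the integrity check."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Tunnel endpoint that checks integrity first, then enforces a sliding
    anti-replay window over accepted sequence numbers."""

    def __init__(self, key: bytes = KEY, window: int = WINDOW):
        self.key = key
        self.window = window
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers inside the window

    def open(self, frame: bytes):
        """Return (status, payload); status is 'ok', 'bad_mac', 'replay' or 'stale'."""
        if len(frame) < 4 + TAG_LEN:
            return "bad_mac", None
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        # Constant-time compare, and integrity BEFORE replay logic: a forged
        # sequence number must never be able to move the window.
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None
        seq = struct.unpack(">I", header)[0]
        if seq == 0:
            return "stale", None  # sequence numbers start at 1
        if seq > self.highest:
            # Advance the window and forget entries that fall out of it.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return "ok", body
        if seq <= self.highest - self.window:
            return "stale", None  # too old to distinguish from a replay
        if seq in self.seen:
            return "replay", None
        self.seen.add(seq)  # late but first-seen frame inside the window
        return "ok", body


def demo():
    """Walk one receiver through the cases the slide's requirements call for."""
    rx = Receiver()
    results = []
    first = seal(1, b"GET /payroll")
    results.append(rx.open(first)[0])                      # 'ok'
    results.append(rx.open(first)[0])                      # 'replay'
    tampered = first[:4] + b"GET /publicc" + first[-TAG_LEN:]  # same length, modified body
    results.append(rx.open(tampered)[0])                   # 'bad_mac'
    results.append(rx.open(seal(3, b"x"))[0])              # 'ok' (reordering tolerated)
    results.append(rx.open(seal(2, b"y"))[0])              # 'ok' (late, within window)
    results.append(rx.open(seal(2, b"y"))[0])              # 'replay'
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The order of checks is the point worth remembering: the MAC is verified before the sequence number is trusted, so only frames from a peer holding the key can influence the window, and a modified frame is rejected before any of its contents are acted on.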

Why Invest in a VPN?

• Cost saving of Internet VPN as compared to
  traditional private network of leased lines
• Flexibility
• Scalability

Types of VPNs

• Remote access for the mobile workforce
  (telecommuters, travelers, etc.)
• Intranet connectivity or site-to-site (link remote
  offices, customers, etc.)
• Extranet connectivity or B2B (allow access to
  users outside the enterprise)
• Enables simultaneous access from multiple remote users
• Refer to Figures 3-1, 3-2, 3-3

Figure 3.1 Corporate VPN (figure not reproduced; labels: Telecommuter (DSL, Cable Modem or ISDN), Mobile User, Access VPN, Corporate Network, Router w/ Firewall, Office, Intranet VPN, Remote, Extranet VPN, Business Partner)

Figure 3-2. Site-to-Site VPN (figure not reproduced; labels: VPN Tunnel End-Point at each site, Single Secure VPN Tunnel, File Server, Host 1, Host 2, Host 3)

Figure 3-3. Client-to-Site VPN (figure not reproduced; labels: Mobile User 1 over VPN Tunnel 1, Mobile User 2 over VPN Tunnel 2, VPN Tunnel End-Point, Corporate)

Security Policies for VPNs

• Access privileges vary among the different types of
• Authentication generally more stringent on VPN for
  intranet than VPN for extranet

VPN Features

• Security – encryption, key management, tunneling, traffic
  separation, packet authentication, user authentication,
  and access control
• Reliability
• Manageability – network monitoring (central control is
• Scalability
• Usability
• Interoperability – standardized protocols such as IPSEC,
  but different vendors may have different methods of
• Multi-protocol Support

Tunneling Protocols – Table 3

• IPsec – provides integrity and device (not user)
• PPTP – Point-to-Point Tunneling Protocol – provides device
  and user authentication, no integrity (older protocol)
• L2TP – Layer 2 Tunneling Protocol – device and user
  authentication and multi-protocol support, but does not
  provide message integrity or data confidentiality
• L2TP/IPsec – best of both worlds – strong integrity,
  privacy, interoperability, multi-protocol support, etc.


• User – typically prompt for user name and
• Device – authenticates device, but the user of the

How to Select a VPN

• Review your security policies
• Compare vendor responses based on security policies
   – Do you need remote access?
   – Who are you connecting with? How secure does this system
     need to be?
   – How secure are data streams?
   – What bandwidth is required?
   – What about latency?
   – How will this integrate with existing or planned systems?

Wireless Networks

• Provide mobility to network users
• Available virtually anywhere

Primary Types of Wireless
• 802.11 – IEEE wireless standard.
  – 802.11b (Wi-Fi) – up to 11 Mbps (most widely
  – 802.11a – up to 54 Mbps at 5.8 GHz
  – 802.11g – up to 54 Mbps at 2.4 GHz, backward
    compatible with 802.11a
  – Bluetooth – personal area network (PAN) – low
    power, short range wireless connectivity (usually
    no more than 2 meters – up to speed of 780

Wireless LAN Components

• Access point – associates and authenticates
  wireless clients to the network
• NIC – enables a PC or workstation to connect to
  the wireless network
• Bridge – may be used to connect multiple WLANs
• Antenna – radiates or receives modulated signal
• Amplifier – increases strength of transmissions

Peer-to-Peer WLAN

• Wireless clients with compatible NICs
  can communicate without an AP (access
  point) (Fig. 3-8)
• Coverage area is limited
• No access to wired resources.

Figure 3.8 Peer-to-Peer WLAN (figure not reproduced; three Wireless Clients communicating directly, no access point)

Infrastructure Mode WLAN

• All wireless clients connect through an
  AP (fig. 3-9)
• Can extend use of wired network
• If there are multiple APs, clients can roam if
  the AP coverage overlaps (fig. 3-10)

Figure 3.9 Infrastructure Mode WLAN (figure not reproduced; labels: Corporate, Access Point, Wireless Client, Wireless Client)

Figure 3.10 WLAN Roaming (figure not reproduced; labels: Old Association, New Association, Roaming User)

802.11 Media Access Control

• CSMA/CA – carrier sense multiple
  access with collision avoidance

802.11 Spread Spectrum
Radio Technology
• DSSS – Direct sequencing spread spectrum – best
  suited for high-speed, client/server applications
  where radio interference is minimal (fig. 3-11)
• FHSS – Frequency hopping spread spectrum –
  minimal interference, but max speed of 2 Mbps
  (fig. 3-12)
• OFDM – Orthogonal frequency division
  multiplexing – (802.11a) available bandwidth
  divided into multiple data carriers, without
  guardbands (fig. 3-13)
Figure 3.11 Direct Sequencing (figure not reproduced; shows channels 1 through 11 laid across the 2400 to 2483 MHz band, each channel 22 MHz wide)

Figure 3.12 Frequency Hopping (figure not reproduced; axis spans 2.400 GHz to 2.483 GHz)

Figure 3.13 OFDM (figure not reproduced)

Wireless Roaming

• Capability to connect to multiple APs
• Method varies among vendors – usually
  done because client is getting out of
  range of current AP

SSID – Service Set Identifier

• The name of the WLAN
• All devices on the WLAN must employ the same SSID in
  order to communicate. Client can have multiple SSIDs
• Wardrivers scan for SSIDs being broadcast by wireless
  LANs, then set that SSID on their client to attempt to join
  that WLAN
• Knowing the SSID name does not necessarily mean that
  rogue clients will be able to join the network. It depends
  on how the network administrator has configured their

Ways to Avoid Rogue Clients

• Change SSID default (Linksys is lynksys, Cisco is
• Don’t broadcast SSID
• Associate clients by MAC address. If incorrect
  MAC, connection not allowed – generally suitable
  for smaller networks
• WEP encryption – wired equivalent privacy – link
  level encryption between client and AP
  (symmetric) – vulnerable to attack
• Cryptographic authentication
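The SSID slide and the rogue-client checklist above are the kind of thing a defender turns into a recurring audit of the access-point inventory: which APs still carry a factory SSID, which still broadcast it, which rely on MAC filtering alone, and which still run WEP. The Python below is an added example written for this page, not code from the original slides or from any vendor. The AP records, the `DEFAULT_SSIDS` list, the `encryption` / `mac_filter` / `crypto_auth` field names and the severity levels are all constructed assumptions; the value `wpa2` in the sample inventory stands in for the slide's generic "cryptographic authentication".

```python
# Constructed list of well-known factory SSIDs; extend it with the defaults
# documented for the vendors actually deployed on your network.
DEFAULT_SSIDS = {"linksys", "default", "wireless"}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def audit_ap(ap: dict) -> list:
    """Return (severity, finding) pairs for one access-point record.

    Each check maps to one item of the slide's checklist: default SSID,
    SSID broadcast, MAC-address association, WEP, cryptographic auth."""
    findings = []
    ssid = ap.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("high", "factory default SSID still in use"))
    if ap.get("broadcast_ssid", True):
        # Hiding the SSID is weak on its own (wardrivers still find it),
        # so this is only a low-severity hygiene finding.
        findings.append(("low", "SSID is broadcast"))
    enc = ap.get("encryption", "none").lower()
    if enc == "none":
        findings.append(("high", "no link-level encryption between client and AP"))
    elif enc == "wep":
        findings.append(("high", "WEP in use; vulnerable to attack, migrate to cryptographic authentication"))
    crypto_auth = bool(ap.get("crypto_auth", False))
    if ap.get("mac_filter") and not crypto_auth:
        findings.append(("medium", "MAC-address filtering is the only access control (suitable for small networks only)"))
    if not crypto_auth:
        findings.append(("medium", "no cryptographic client authentication"))
    return findings


def worst(findings: list) -> str:
    """Highest severity present in a findings list, or 'none'."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.get, default="none")


def audit_inventory(aps: list) -> dict:
    """Map AP name -> (worst severity, findings) for a whole inventory."""
    return {ap["name"]: (worst(audit_ap(ap)), audit_ap(ap)) for ap in aps}


# Constructed sample inventory; field names are assumptions for this example.
SAMPLE_APS = [
    {"name": "lobby-ap", "ssid": "linksys", "broadcast_ssid": True,
     "encryption": "wep", "mac_filter": False, "crypto_auth": False},
    {"name": "eng-ap", "ssid": "corp-eng", "broadcast_ssid": False,
     "encryption": "wpa2", "mac_filter": True, "crypto_auth": True},
    {"name": "guest-ap", "ssid": "guest", "broadcast_ssid": True,
     "encryption": "wpa2", "mac_filter": True, "crypto_auth": False},
]


if __name__ == "__main__":
    for name, (sev, findings) in audit_inventory(SAMPLE_APS).items():
        print(f"{name}: {sev}")
        for level, text in findings:
            print(f"  [{level}] {text}")
```

Run against a real inventory export, the "worst" column is what goes into the remediation queue; the slide's own ordering (change the default, stop broadcasting, filter by MAC, replace WEP, add cryptographic authentication) is reflected in the severities, with the last two items carrying the weight.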
    Physical Security Concerns of

• Many wireless devices are mobile, meaning they
  are used outside the network perimeter
• These devices are small and easily stolen
• Need to be concerned about data stored on these
  mobile devices

     Limitations of PDAs and Mobile

•   Battery life
•   Small displays
•   Limited input methods
•   Reduced memory
•   Slower CPU processing speeds


• Communications protocol designed for use in personal
  area networks (PANs) that require short-range
• Provides physical and data link layer connectivity to the
• Usage:
   – Internet Bridge – PC uses a mobile phone to access Internet.
     PC communicates with phone via Bluetooth protocol. Mobile
     phone dials Internet. Bluetooth protocol supports Point-to-Point
     Protocol (PPP), which in turn can transport IP packets
   – Synchronization – create a PAN for purpose of synchronizing
     email, calendar, and contact data
   – Three-in-one phone – function as 1) cordless phone, 2) intercom
     phone for device-to-device communications, and 3) regular cell
Bluetooth Limitations

• Primary limitation - Devices, not users, are trusted
• Small storage and RAM prohibit security checks
  on each packet – so upper level applications are
  responsible for security after initial connection

VoIP – Voice Over IP

• Also known as IP telephony
• Convergence of voice and data
• Voice traffic carried over a packet-switched data
  network via IP

Tips for Securing VOIP Traffic

• Encrypt VOIP traffic and run it over a VPN
• Properly configure your firewalls
• Consider segmenting voice and data traffic by using a virtual LAN.
  This will limit the threat posed by packet-sniffing tools and minimize
  disruption in the event of an attack.
• Consider using proxy servers in front of corporate firewalls to
  process incoming and outgoing voice data.
• Make sure that server-based IP PBXs are locked down and
  protected against viruses and denial-of-service attacks.


• Do you foresee a need for Bluetooth? How, where? What
  level of security will you need? How will you achieve it?
• Where? What level of security will you need? How will
  you achieve it?
• Do you foresee a need for WLANs? What level of security
  will you need? How will you achieve it?
• What about VoIP?
• What are your risks? How will you mitigate them?
• What new policies will you need? Why?
• What potential regulations are impacted? How do you
  address them?
Chapter 3 Review Questions

• What is a VPN? Describe how it is used.
• Why would anyone invest in a VPN?
• Compare and contrast the 3 primary VPN classifications.
• Describe the basic features of a VPN
• Compare and contrast the major tunneling protocols.
  Why is the combination of L2TP/IPsec considered best?
• Compare and contrast the 3 primary 802.11X IEEE
  wireless standards
• Compare and contrast peer-to-peer WLANs with
  Infrastructure Mode WLANs.

Chapter 3 Review Questions (cont.)

• Compare and contrast DSSS, FHSS, and OFDM
• Describe the MAC utilized by 802.11
• What is wireless roaming?
• What is the significance of the SSID?
• How can you avoid rogue wireless clients?
• Describe Bluetooth. What are its similarities and
  differences with 802.11?
• What is VoIP? Provide tips for securing a VoIP
