Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies
Security+ Guide to Network Security 2
Fundamentals, 2e
Working with the Network Cable Plant
• Cable plant: physical infrastructure of a network
(wire, connectors, and cables) used to carry data
communication signals between equipment
• Three types of transmission media:
– Coaxial cables
– Twisted-pair cables
– Fiber-optic cables
Coaxial Cables
• Coaxial cable was the main type of copper cabling used
in computer networks for many years
• Has a single copper wire at its center surrounded by
insulation and shielding
• Called “coaxial” because it houses two (co) axes or
shafts―the copper wire and the shielding
• Thick coaxial cable has a copper wire in center
surrounded by a thick layer of insulation that is
covered with braided metal shielding
Coaxial Cables (continued)
• Thin coaxial cable looks similar to the cable that
carries a cable TV signal
• A braided copper mesh channel surrounds the
insulation and everything is covered by an outer
shield of insulation for the cable itself
• The copper mesh channel protects the core from
interference
• BNC connectors: connectors used on the ends of a
thin coaxial cable
Twisted-Pair Cables
• Standard for copper cabling used in computer
networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted
around each other and bundled together with other
pairs in a jacket
Twisted-Pair Cables (continued)
• Shielded twisted-pair (STP) cables have a foil
shielding on the inside of the jacket to reduce
interference
• Unshielded twisted-pair (UTP) cables do not have
any shielding
• Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
• Coaxial and twisted-pair cables have copper wire at
the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass
(core) at its center instead of copper; the core transmits
light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket
Fiber-Optic Cables (continued)
• Classified by the diameter of the core and the
diameter of the cladding
– Diameters are measured in microns, each is about
1/25,000 of an inch or one-millionth of a meter
• Two types:
– Single-mode fiber cables: used when data must be
transmitted over long distances
– Multimode cable: supports many simultaneous light
transmissions, generated by light-emitting diodes
Securing the Cable Plant
• Securing cabling outside the protected network is not
the primary security issue for most organizations
• Focus is on protecting access to the cable plant in
the internal network
• An attacker who can access the internal network
directly through the cable plant has effectively
bypassed the network security perimeter and can
launch his attacks at will
Securing the Cable Plant (continued)
• The attacker can capture packets as they travel
through the network by sniffing
– The hardware or software that performs such functions
is called a sniffer
• Physical security
– First line of defense
– Protects the equipment and infrastructure itself
– Has one primary goal: to prevent unauthorized users
from reaching the equipment or cable plant in order to
use, steal, or vandalize it
Securing Removable Media
• Securing critical information stored on a file server
can be achieved through strong passwords, network
security devices, antivirus software, and door locks
• An employee copying data to a floppy disk or CD and
carrying it home poses two risks:
– Storage media could be lost or stolen, compromising
the information
– A worm or virus could be introduced to the media,
potentially damaging the stored information and
infecting the network
Magnetic Media
• Record information by changing the magnetic
direction of particles on a platter
• Floppy disks were some of the first magnetic media
developed
• The capacity of today’s 3 1/2-inch disks is 14 MB
• Hard drives contain several platters stacked in a
closed unit, each platter having its own head or
apparatus to read and write information
• Magnetic tape drives record information in a serial
fashion
Optical Media
• Optical media use a principle for recording
information different from magnetic media
• A high-intensity laser burns a tiny pit into the surface
of an optical disc to record a one, but does nothing to
record a zero
• Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record
up to 650 MB of data
• Data cannot be changed once recorded
Optical Media (continued)
• A Compact Disc-Rewriteable (CD-RW) disc can be
used to record data, erase it, and record again
• A Digital Versatile Disc (DVD) can store much larger
amounts of data
– DVD formats include Digital Versatile Disc-Recordable
(DVD-R), which can record once up to 395 GB on a
single-sided disc and 79 GB on a double-sided disc
Electronic Media
• Electronic media use flash memory for storage
– Flash memory is a solid state storage device―
everything is electronic, with no moving or mechanical
parts
• SmartMedia cards range in capacity from 2 MB to
128 MB
• The card itself is only 45 mm long, 37 mm wide, and
less than 1 mm thick
Electronic Media (continued)
• CompactFlash card
– Consists of a small circuit board with flash memory
chips and a dedicated controller chip encased in a
shell
– Comes in 33 mm and 55 mm thicknesses and stores
between 8 MB and 192 MB of data
• USB memory stick is becoming very popular
– Can hold between 8 MB and 1 GB of memory
Keeping Removable Media Secure
• Protecting removable media involves making sure
that antivirus and other security software are installed
on all systems that may receive a removable media
device, including employee home computers
Hardening Network Devices
• Each device that is connected to a network is a
potential target of an attack and must be properly
protected
• Network devices to be hardened are categorized as:
– Standard network devices
– Communication devices
– Network security devices
Hardening Standard Network Devices
• A standard network device is a typical piece of
equipment that is found on almost every network,
such as a workstation, server, switch, or router
• This equipment has basic security features that you
can use to harden the devices
Workstations and Servers
• Workstation: personal computer attached to a
network (also called a client)
– Connected to a LAN and shares resources with other
workstations and network equipment
– Can be used independently of the network and can
have their own applications installed
• Server: computer on a network dedicated to
managing and controlling the network
• Basic steps to harden these systems are outlined on
page 152
Switches and Routers
• Switch
– Most commonly used in Ethernet LANs
– Receives a packet from one network device and sends
it to the destination device only
– Limits the collision domain (part of network on which
multiple devices may attempt to send packets
simultaneously)
• A switch is used within a single network
• Routers connect two or more single networks to form
a larger network
Switches and Routers (continued)
• Switches and routers must also be protected against
attacks
• Switches and routers can be managed using the
Simple Network Management Protocol (SNMP), part
of the TCP/IP protocol suite
• Software agents are loaded onto each network
device to be managed
Switches and Routers (continued)
• Each agent monitors network traffic and stores that
information in its management information base
(MIB)
• A computer with SNMP management software
(SNMP management station) communicates with
software agents on each network device and collects
the data stored in the MIBs
• Page 154 lists defensive controls that can be set for
switches and routers
Hardening Communication Devices
• A second category of network devices is those that
communicate over longer distances
• Include:
– Modems
– Remote access servers
– Telecom/PBX Systems
– Mobile devices
Modems
• Most common communication device
• Broadband is increasing in popularity and can create
network connection speeds of 15 Mbps and higher
• Two popular broadband technologies:
– Digital Subscriber Line (DSL) transmits data at
15 Mbps over regular telephone lines
– Another broadband technology uses the local cable
television system
Modems (continued)
• A computer connects to a cable modem, which is
connected to the coaxial cable that brings cable TV
signals to the home
• Because cable connectivity is shared in a
neighborhood, other users can use a sniffer to view
traffic
• Another risk with DSL and cable modem connections
is that broadband connections are charged at a set
monthly rate, not by the minute of connect time
Remote Access Servers
• Set of technologies that allows a remote user to
connect to a network through the Internet or a wide
area network (WAN)
• Users run remote access client software and initiate a
connection to a Remote Access Server (RAS), which
authenticates users and passes service requests to
the network
Remote Access Servers (continued)
• Remote access clients can run almost all network-
based applications without modification
– Possible because remote access technology supports
both drive letters and universal naming convention
(UNC) names
• Minimum security features are listed on page 158
Telecom/PBX Systems
• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that
make up its name:
– Private
– Branch
– eXchange
Mobile Devices
• As cellular phones and personal digital assistants
(PDAs) have become increasingly popular, they have
become the target of attackers
• Some defenses against attacks on these devices use
real-time data encryption and passwords to protect
the system so that an intruder cannot “beam” a virus
through a wireless connection
Hardening Network Security Devices
• The final category of network devices includes those
designed and used strictly to protect the network
• Include:
– Firewalls
– Intrusion-detection systems
– Network monitoring and diagnostic devices
Firewalls
• Typically used to filter packets
• Designed to prevent malicious packets from entering
the network or its computers (sometimes called a
packet filter)
• Typically located outside the network security
perimeter as first line of defense
• Can be software or hardware configurations
Firewalls (continued)
• Software firewall runs as a program on a local
computer (sometimes known as a personal firewall)
– Enterprise firewalls are software firewalls designed to
run on a dedicated device and protect a network
instead of only one computer
– One disadvantage is that it is only as strong as the
operating system of the computer
Firewalls (continued)
• Filter packets in one of two ways:
– Stateless packet filtering: permits or denies each
packet based strictly on the rule base
– Stateful packet filtering: records state of a connection
between an internal computer and an external server;
makes decisions based on connection and rule base
• Can perform content filtering to block access to
undesirable Web sites
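An added illustration, not taken from the textbook, of the difference between the two filtering styles above: a stateless filter must carry a broad "inbound from port 443" rule so that HTTPS replies can get back in, and that rule also admits any unsolicited packet that merely claims to come from port 443; a stateful filter records each permitted outbound connection and admits inbound packets only as replies to one. The rule base, addresses and packet trace are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = internal host -> Internet, "in" = Internet -> internal host
    src: str
    sport: int
    dst: str
    dport: int

# Constructed rule base. None means "any". First matching rule wins; default is deny.
RULES = [
    {"direction": "out", "sport": None, "dport": 443, "action": "permit"},
    # A stateless filter needs this broad rule so HTTPS replies can come back in:
    {"direction": "in", "sport": 443, "dport": None, "action": "permit"},
]

def match(rule, pkt: Packet) -> bool:
    return (rule["direction"] == pkt.direction
            and rule["sport"] in (None, pkt.sport)
            and rule["dport"] in (None, pkt.dport))

def stateless_decision(pkt: Packet, rules=RULES) -> str:
    """Judge each packet strictly against the rule base, with no memory of earlier packets."""
    for rule in rules:
        if match(rule, pkt):
            return rule["action"]
    return "deny"

class StatefulFilter:
    """Records permitted outbound connections and admits inbound traffic only as their replies."""
    def __init__(self, rules=RULES):
        # Only outbound rules are consulted; no blanket inbound rule is needed.
        self.rules = [r for r in rules if r["direction"] == "out"]
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def decision(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = stateless_decision(pkt, self.rules)
            if action == "permit":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        # Inbound: permitted only if it reverses a connection we have already seen.
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if reply_of in self.connections else "deny"

def run_trace(decide, trace):
    return [decide(p) for p in trace]

# Constructed trace: one HTTPS session plus an unsolicited packet sent from port 443.
TRACE = [
    Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443),   # client opens HTTPS
    Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000),    # genuine reply
    Packet("in", "198.51.100.7", 443, "10.0.0.9", 3389),     # reply to nothing
]

if __name__ == "__main__":
    print("stateless:", run_trace(stateless_decision, TRACE))        # all permitted
    print("stateful: ", run_trace(StatefulFilter().decision, TRACE))  # third denied
```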
Firewalls (continued)
• An application layer firewall can defend against
worms better than other kinds of firewalls
– Reassembles and analyzes packet streams instead of
examining individual packets
Intrusion-Detection Systems (IDSs)
• Devices that establish and maintain network security
• Active IDS (or reactive IDS) performs a specific
function when it senses an attack, such as dropping
packets or tracing the attack back to a source
– Installed on the server or, in some instances, on all
computers on the network
• Passive IDS sends information about what
happened, but does not take action
Intrusion-Detection Systems (IDSs) (continued)
• Host-based IDS monitors critical operating system
files and computer’s processor activity and memory;
scans event logs for signs of suspicious activity
• Network-based IDS monitors all network traffic
instead of only the activity on a computer
– Typically located just behind the firewall
• Other IDSs are behavior-based:
– Watch network activity and report abnormal behavior
– Result in many false alarms
Network Monitoring and Diagnostic Devices
• SNMP enables network administrators to:
– Monitor network performance
– Find and solve network problems
– Plan for network growth
• Managed device:
– Network device that contains an SNMP agent
– Collects and stores management information and
makes it available to SNMP
Designing Network Topologies
• Topology: physical layout of the network devices,
how they are interconnected, and how they
communicate
• Essential to establishing its security
• Although network topologies can be modified for
security reasons, the network still must reflect the
needs of the organization and users
Security Zones
• One of the keys to mapping the topology of a network
is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets
Demilitarized Zones (DMZs)
• Separate networks that sit outside the secure
network perimeter
• Outside users can access the DMZ, but cannot enter
the secure network
• For extra security, some networks use a DMZ with
two firewalls
• The types of servers that should be located in the
DMZ include:
– Web servers
– E-mail servers
– Remote access servers
– FTP servers
Intranets
• Networks that use the same protocols as the public
Internet, but are only accessible to trusted inside
users
• Disadvantage is that it does not allow remote trusted
users access to information
Extranets
• Sometimes called a cross between the Internet and
an intranet
• Accessible to trusted external users, not only to
trusted internal users
• Not accessible to the general public, but allows
vendors and business partners to access a company
Web site
Network Address Translation (NAT)
• “You cannot attack what you do not see” is the
philosophy behind Network Address Translation
(NAT) systems
• Hides the IP addresses of network devices from
attackers
• Computers are assigned special IP addresses
(known as private addresses)
Network Address Translation (NAT) (continued)
• These IP addresses are not assigned to any specific
user or organization; anyone can use them on their
own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a
different TCP port number
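An added illustration, not from the textbook, of the PAT behaviour described above: two private hosts that happen to use the same source port are both mapped onto one public address but receive different public ports, inbound replies are mapped back through the same table, and an inbound packet that matches no entry is dropped, which is the practical meaning of "you cannot attack what you do not see". The public address, private range and port numbers are constructed.

```python
PUBLIC_IP = "198.51.100.1"      # constructed public address of the NAT device
PRIVATE_PREFIX = "192.168.1."   # constructed private (RFC 1918) internal range

class PatTranslator:
    """Many private (ip, port) sockets share one public IP; each gets its own public port."""
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outbound packet, allocating a public port on first use."""
        if not src_ip.startswith(PRIVATE_PREFIX):
            raise ValueError("only internal hosts are translated: %s" % src_ip)
        key = (src_ip, src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map an inbound packet back to its private host, or None when no entry exists.

        Real devices may additionally require src_ip/src_port to match the remote
        endpoint of the original outbound flow; this model only checks the table.
        """
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None   # unsolicited: no internal address is reachable this way
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)

def demo():
    """Constructed traffic: two hosts with the same source port, a reply, and a probe."""
    pat = PatTranslator()
    a = pat.translate_outbound("192.168.1.10", 51000, "203.0.113.10", 443)
    b = pat.translate_outbound("192.168.1.11", 51000, "203.0.113.10", 443)
    reply = pat.translate_inbound("203.0.113.10", 443, PUBLIC_IP, b[1])  # back to host .11
    probe = pat.translate_inbound("203.0.113.99", 4444, PUBLIC_IP, 22)   # no entry: dropped
    return a, b, reply, probe

if __name__ == "__main__":
    for label, pkt in zip(("host A out", "host B out", "reply in", "probe in"), demo()):
        print(label, pkt)
```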
Honeypots
• Computers located in a DMZ loaded with software
and data files that appear to be authentic
• Intended to trap or trick attackers
• Two-fold purpose:
– To direct attacker’s attention away from real servers on
the network
– To examine techniques used by attackers
Virtual LANs (VLANs)
• Segment a network with switches to divide the
network into a hierarchy
• Core switches reside at the top of the hierarchy and
carry traffic between switches
• Workgroup switches are connected directly to the
devices on the network
• Core switches must work faster than workgroup
switches because core switches must handle the
traffic of several workgroup switches
Virtual LANs (VLANs) (continued)
• Segment a network by grouping similar users
together
• Instead of segmenting by user, you can segment a
network by separating devices into logical groups
(known as creating a VLAN)
Summary
• Cable plant: physical infrastructure (wire, connectors,
and cables that carry data communication signals
between equipment)
• Removable media used to store information include:
– Magnetic storage (removable disks, hard drives)
– Optical storage (CD and DVD)
– Electronic storage (USB memory sticks, FlashCards)
Summary (continued)
• Network devices (workstations, servers, switches,
and routers) should all be hardened to repel attackers
• A network’s topology plays a critical role in resisting
attackers
• Hiding the IP address of a network device can help
disguise it so that an attacker cannot find it