CIS 122 - Chap 8

Chapter 8: WAN Security



CIS – 122 – Wide Area Networks
               WAN Links and Usage
   Economy Links
       Customers
       Business Partners & Overseas Sites
       Telecommuters, mobile workers
       Branch Offices
   Primary WAN Connections
       Internet Usage
       T1 Line usage
   Commerce
       Electronic Payment Systems (EPS)
       Common Electronic Purse Specifications (CEPS )
       Micro Payment Transfer Protocol (MPTP)


               WAN Distribution (diagram slide; figure not included in this text)




                Security Threats

   Data exposure in transit and storage
   Application-level attacks
   Mismanagement of encryption techniques
   Inattention to access and identity risks
   Misconfiguration by security administrators
   Hackers and Intruders



                  WAN Security Issues
   E-mail Virus – Attaches itself to e-mail messages and then mails itself to
    every address in the victim's address book
   Worm – Scans the network for a host with an unpatched security hole, then
    copies itself there and repeats the process from the new host
   Trojan Horse – Disguised as a normal program; once the user runs it, it carries
    out a hidden action such as opening a back door or destroying data
   IP Spoofing – Forging the source address of packets to impersonate a trusted
    host, hide the attacker's origin, or aim flood replies at a victim
   Authentication – Proper validation of users and operators
   Authorization – Level of access granted to the system
   Accounting – Who did what, and when?



            Denial of Service Attacks

   Designed to render a PC or network incapable of providing normal services
   Types of DoS attacks
       Bandwidth (flooding) attacks
       Distributed Denial of Service (DDoS): many compromised hosts flood one target
       Smurf attack: ICMP echo requests sent to a broadcast address with the
        victim's address spoofed as the source, so every host on that network
        replies to the victim
   DDoS tool kits used to run such floods
       Trinoo
       Tribe Flood Network (TFN) and TFN2K
       Stacheldraht (German for "barbed wire")

              Security Policy Issues

   Employee education
   Enforcement of security measures
   Effectiveness evaluation
   Acceptable use
   Remote access
   Information protection
   Perimeter security
   Host/device security
   User accounts
   Password policy


               Network Address Translation

   Hides the addresses used inside an organization's network from the Internet
   Internal hosts use private (RFC 1918) addresses: 10.0.0.0/8, 172.16.0.0/12,
    192.168.0.0/16
   No internal addresses are published to the Internet
   Private addresses are mapped to public addresses at the NAT device
   Hiding addresses is a side effect of the translation table, not a security
    control: NAT does not replace a firewall policy



             NAT Structure Examples (diagram slide; figure not included in this text)




                Port Address Translation

   PAT is one of the main reasons IPv4 address exhaustion was postponed, which
    in turn delayed IPv6 adoption
   PAT can theoretically "hide" roughly 65,000 simultaneous connections (one per
    usable port number) behind each public address; the number of private hosts
    is limited only by how many connections each keeps open at once
   PAT uses the concept of multiplexing (Chapter 2)




                Port Address Translation

    Recall that TCP and UDP allow for multiplexed IP connections: many
     conversations share one IP address and are told apart by port number.
    The TCP multiplexing/demultiplexing diagram (not reproduced in this text)
     illustrates this concept.




             Multiplexing Using TCP Port Numbers




   Multiplexing relies on the use of a concept called a
    socket. A socket consists of three things:
   An IP address
   A transport protocol
   A port number




    The fact that each connection between two sockets is unique means
     that you can use multiple applications at the same time, talking to
     applications running on the same or different computers
    Multiplexing, based on sockets, ensures that the data is delivered to
     the correct applications.
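The translation table behind the PAT and socket slides above, as an added example that is not code from the course material. It keeps one flow per (private socket, remote socket) pair and hands out public ports from a single pool; the public address, hosts and ports are constructed, and real devices additionally keep separate TCP and UDP port spaces and age entries out.

```python
"""Simulated Port Address Translation (PAT) table.

Added illustration for the PAT and socket-multiplexing slides; it is not code
from the course material.  Addresses, ports and flows are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Socket:
    """The three parts of a socket named on the slide: address, transport protocol, port."""
    ip: str
    proto: str   # "tcp" or "udp"
    port: int


class PatTranslator:
    """Maps many private sockets onto one public address by rewriting the source port.

    A flow is identified by the pair (private socket, remote socket); the translated
    public port is the index back into that table.  Real devices keep separate port
    spaces per transport protocol and time entries out; both are omitted here.
    """

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        self.next_port = first_port
        self.outbound = {}   # (private Socket, remote Socket) -> public port
        self.inbound = {}    # (public port, remote Socket) -> private Socket

    def capacity(self) -> int:
        """Simultaneous flows one public address can carry: one per usable port number."""
        return self.last_port - self.first_port + 1

    def translate_outbound(self, src: Socket, dst: Socket) -> Socket:
        """Rewrite an inside host's source socket to the public address; packets of
        an already-known flow reuse its mapping."""
        key = (src, dst)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("port exhaustion: no free public port")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, dst)] = src
            self.next_port += 1
        return Socket(self.public_ip, src.proto, self.outbound[key])

    def translate_inbound(self, src: Socket, dst: Socket):
        """Return the private socket a reply belongs to, or None when nothing inside
        asked for this traffic.  That implicit drop is why NAT 'hides' hosts, but it
        is a side effect of the table, not a filtering policy."""
        return self.inbound.get((dst.port, src))


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.5")          # constructed public address
    web = Socket("198.51.100.80", "tcp", 80)
    # Two inside hosts happen to pick the same ephemeral port; PAT keeps them apart.
    a = Socket("10.0.0.7", "tcp", 50000)
    b = Socket("10.0.0.9", "tcp", 50000)
    for s in (a, b):
        print(s, "->", pat.translate_outbound(s, web))
    print("reply routed to  ", pat.translate_inbound(web, Socket("203.0.113.5", "tcp", 1024)))
    print("unsolicited probe", pat.translate_inbound(Socket("192.0.2.66", "tcp", 4444),
                                                      Socket("203.0.113.5", "tcp", 1025)))
```

Two inside hosts using the same source port 50000 get distinct public ports, a reply finds its way back through the inbound table, and an unsolicited probe at a mapped port from a different remote socket finds no entry.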


                   Firewalls & DMZs
   Firewalls
        Examine each network packet and decide, by policy, whether to forward it
   DMZ
        A separate network segment between the Internet and the internal LAN
         that holds the public-facing servers; reachable from the Internet but
         firewalled off from the internal network
   Perimeter Security
        Exists at the points where the private LAN meets the public Internet


 Firewall or DMZ Placement (diagram slide; figure not included in this text)



               Intrusion Detection
   Adds another layer of security to the perimeter
   Determines whether
       An intruder is breaking into the system
       A legitimate user is misusing the system
   Performs system monitoring
       Tracks users
       Counts failed and attempted logins
   Scans traffic for protocol anomalies
   Searches for violations of standard protocol behavior
   Detects and alerts; blocking the traffic is the job of a firewall or an
    intrusion prevention system (IPS)
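The "counts attempted logins" bullet above, carried through as a working detector. This is an added example, not part of the course slides: the log lines are constructed in OpenSSH's auth-log style with an ISO timestamp prefix (not captured from a real host), and the threshold and window are arbitrary tuning values.

```python
"""Sliding-window failed-login detector, in the spirit of the 'counts attempted
logins' bullet.  Added example, not part of the course slides; the log lines are
constructed in the sshd style, not captured from a real host.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One failed-login line in OpenSSH's auth-log style, prefixed with an ISO timestamp.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: one source hammers the host, another fails twice far apart.
SAMPLE_LOG = [
    "2010-03-05T08:00:01 sshd[2201]: Failed password for root from 198.51.100.23 port 40122 ssh2",
    "2010-03-05T08:00:03 sshd[2201]: Failed password for root from 198.51.100.23 port 40123 ssh2",
    "2010-03-05T08:00:04 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 40124 ssh2",
    "2010-03-05T08:00:06 sshd[2205]: Accepted password for alice from 10.0.0.12 port 51002 ssh2",
    "2010-03-05T08:00:07 sshd[2206]: Failed password for invalid user oracle from 198.51.100.23 port 40125 ssh2",
    "2010-03-05T08:00:09 sshd[2207]: Failed password for root from 203.0.113.9 port 33001 ssh2",
    "2010-03-05T08:00:10 sshd[2208]: Failed password for root from 198.51.100.23 port 40126 ssh2",
    "2010-03-05T08:05:00 sshd[2210]: Failed password for root from 203.0.113.9 port 33002 ssh2",
]


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source whose failed logins within `window` reach `threshold`.

    Each alert is (source, failures_in_window, usernames_tried, time_of_alert).
    """
    recent = defaultdict(deque)      # source -> timestamps of recent failures
    users = defaultdict(set)         # source -> usernames tried (spray vs. single-account guessing)
    alerted, alerts = set(), []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successful logins and other noise are ignored here
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        users[m["src"]].add(m["user"])
        while q and ts - q[0] > window:
            q.popleft()              # slide the window forward
        if len(q) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])    # alert once per source, not once per line
            alerts.append((m["src"], len(q), sorted(users[m["src"]]), ts))
    return alerts


if __name__ == "__main__":
    for src, n, names, when in detect_brute_force(SAMPLE_LOG):
        print(f"{when.isoformat()} ALERT {src}: {n} failed logins in window, users={names}")
```

On the sample, 198.51.100.23 crosses five failures within nine seconds and is reported once, with the three usernames it tried; 203.0.113.9 fails twice but five minutes apart, so its first attempt has slid out of the window and it never reaches the threshold.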
                  Web Hosting Security

   Extends beyond the usual capabilities of firewalls and intrusion detection
    systems
   Combines sophisticated software with human effort
   A staff of security experts monitors security alerts
   Examines equipment audit log files
   Provides corrective actions and identifies faults



               Open Profiling Standard (OPS)

   Personal Profile contains:
    •   Unique identifier for profile and every web site visited
    •   Demographic data (country, zip, age, gender)
    •   Direct contact information (name, address,telephone)
    •   Credit card information
    •   Personal preferences (hobbies, favorite magazines,
        books and activities)




              Security Measures
   LAN/WAN
       Daily or every-shift virus alert checks and e-mail checks
       Review logs and alert lists for security breaches and attacks
       Apply security software patches promptly
       Use encryption (SSL/TLS) in browsers for sensitive traffic
   Personal
       Virus checker on every desktop
       Personal firewalls
       Strong password policy: long passwords and no reuse (current guidance
        prefers screening against known-breached passwords over forcing
        frequent changes)
       Disable accounts promptly when employees leave
                   Cryptography

   Used to scramble ordinary text (plain text)
    into ciphertext (encryption)
   Designed to protect
       Confidentiality
       Integrity
       Non-repudiation
       Authentication



                Encryption Keys

   Key: a variable combined with an algorithm to encrypt and decrypt text

   Types of Keys
    •   Symmetric (secret-key) encryption: one shared key both encrypts and decrypts
    •   Public-key (asymmetric) encryption: a key pair, one public and one private
    •   "Private key" is used both for the shared secret of a symmetric system and
        for the secret half of a public-key pair; the context tells which is meant


               Symmetric Key Encryption

   Secret-key cryptography
    •   Sender and receiver share a single key that both encrypts and decrypts
        the message
    •   The key must be exchanged in a secure way (the hard part; public-key
        cryptography is often used just to deliver it)
    •   The key is installed on the two computers exchanging data
    •   DES uses symmetric key encryption; its 56-bit key can be brute-forced,
        and it has been replaced by AES (3DES was a stopgap)


               Symmetric Key Encryption (diagram slide; figure not included in this text)




                   Private and Public Keys
   Private Key - a secret key known only to its owner (in a symmetric system,
    to the two parties exchanging messages)
      Data is lost if the private key is lost, because it can't be decrypted
      In a symmetric system the one secret key is shared between the two
       computers so each can encrypt and decrypt; in a public-key system the
       private key is never shared
   Public Key - the openly published half of a key pair, generated together
    with the private key by its owner; a certificate authority vouches that the
    public key belongs to that owner
      Anyone uses the public key to encrypt; only the private key decrypts
      Digital signature: the owner signs with the private key and anyone
       verifies with the public key, proving who sent the message and that its
       content was not modified

             Private and Public Keys (diagram slide; figure not included in this text)




               Encryption Standards

   Data Encryption Standard (DES)
   RSA algorithm
   Public Key Infrastructure (PKI)
   Digital certificates
   Internet Protocol Security (IPsec)
   Kerberos
   Pretty Good Privacy (PGP)
   Secure Sockets Layer (SSL)
   Secure Hypertext Transfer Protocol (S-HTTP)

                    Topic Review

1.   What are some security threats that we
     must protect user data from?
2.   What are some common DoS attacks?
3.   What does NAT do?
4.   How does an intrusion detection system detect attacks, and why can it
     not stop them on its own?
5.   What is the difference between transport
     and tunnel mode?
                   Virtual Private Network (VPN)
   VPN is a Private data network
        Runs through public communications network or
         Internet
        Uses encryption to protect privacy of data
        Only authorized users can access private network
        Creates private tunnel or pathway through Internet
   VPN Equipment
        Security gateways
        Security Policy Servers
        Certificate Authority (CA)
        Router
        Firewall
                        VPN Network (diagram slide; figure not included in this text)




                   VPN Protocols
   Point-to-Point Tunneling Protocol (PPTP)
       Encapsulates PPP packets with GRE; its MS-CHAP authentication is broken,
        so it should not be relied on today
   Layer-2 Forwarding (L2F)
       Cisco's predecessor of L2TP; carries PPP over Frame Relay, ATM or IP and
        uses PPP for authentication of the remote user
   Layer-2 Tunneling Protocol (L2TP)
       Defines its own tunneling protocol; has no encryption of its own, so it
        is paired with IPsec (L2TP/IPsec)
   IPsec
       Operates at the IP layer; lets the sender authenticate and encrypt each
        IP packet
              Transport & Tunneling Modes

   Tunnel mode is used to build a private tunnel between two security gateways
    across the Internet backbone; the whole original packet is wrapped inside a
    new IP packet
   Depends on the Internet to deliver the outer packet to the destination
    gateway, which unwraps it and forwards the inner packet onto the destination
    LAN
   Transport mode protects traffic end to end between two hosts (for example a
    LAN server and a router or another host); the original IP header is kept
    and only the payload is protected




           Transport and Tunnel Modes (diagram slide; figure not included in this text)




              IPsec Packet Format

   Top layer: application data
       E-mail message
       Web browser request
       Database transaction
   Second layer
       Transport protocol provided by TCP or UDP
   Bottom layer
       IP with the IPsec header (AH or ESP) and, for ESP, the encrypted payload

             Tunnel Mode vs. Transport Mode


    Tunnel Mode
        Outer IP header specifies the IPsec processing destination (the gateway)
        Inner header specifies the final destination for the packet
    Transport Mode
        IPsec (AH/ESP) header follows directly behind the IP header
        In front of the TCP/UDP segment
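The two layouts just described, built as actual bytes so the header order can be inspected. This is an added example and not course code: the IPv4 and ESP headers follow the RFC 791 and RFC 4303 layouts, but payload encryption and the ESP integrity check value are left out so the layering stays readable, and the hosts, gateways, SPIs and TCP segment are constructed.

```python
"""IPsec transport vs. tunnel mode, shown by building the packets.

Added example for the transport/tunnel slides; it is not course code.  The IPv4
and ESP headers follow RFC 791 / RFC 4303 layouts, but encryption of the ESP
payload and the integrity check value are left out so the layering stays
readable.  Addresses and the TCP segment are constructed.
"""
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50


def ip2b(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": b2ip(src), "dst": b2ip(dst), "proto": proto, "payload": pkt[20:total]}


def esp_encapsulate(payload: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP: SPI, sequence number, payload, padding to a 4-byte boundary, pad length,
    next-header byte (the ICV that follows in real ESP is omitted)."""
    pad_len = (-(len(payload) + 2)) % 4
    return (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))


def esp_decapsulate(esp: bytes):
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]


def transport_mode(ip_pkt: bytes, spi: int, seq: int) -> bytes:
    """Original IP header kept; ESP sits between it and the TCP/UDP segment."""
    h = parse_ipv4(ip_pkt)
    esp = esp_encapsulate(h["payload"], h["proto"], spi, seq)
    return ipv4_header(h["src"], h["dst"], IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(ip_pkt: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Whole original packet (inner header included) becomes the ESP payload and a
    new outer header addressed gateway-to-gateway is prepended."""
    esp = esp_encapsulate(ip_pkt, IPPROTO_IPIP, spi, seq)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def layers(pkt: bytes) -> list:
    """Walk the headers outermost-first and name each one."""
    h = parse_ipv4(pkt)
    out = [f"IP {h['src']}->{h['dst']} proto={h['proto']}"]
    if h["proto"] == IPPROTO_ESP:
        spi, seq, nh, inner = esp_decapsulate(h["payload"])
        out.append(f"ESP spi={spi:#x} seq={seq} next={nh}")
        out.extend(layers(inner) if nh == IPPROTO_IPIP
                   else [f"proto {nh} segment {len(inner)} bytes"])
    else:
        out.append(f"proto {h['proto']} segment {len(h['payload'])} bytes")
    return out


# Constructed sample: host 10.0.0.5 talks to 10.1.0.9 across two IPsec gateways.
TCP_SEGMENT = struct.pack("!HH", 51515, 80) + bytes(16) + b"GET / HTTP/1.0\r\n"
HOST_PACKET = ipv4_header("10.0.0.5", "10.1.0.9", IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
TRANSPORT = transport_mode(HOST_PACKET, spi=0x1001, seq=1)
TUNNEL = tunnel_mode(HOST_PACKET, "203.0.113.1", "198.51.100.1", spi=0x2002, seq=1)

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        print(f"{name:9} {' | '.join(layers(pkt))}")
```

Walking the transport-mode packet gives IP, ESP, TCP with the original host addresses on the outside; the tunnel-mode packet gives the gateway-addressed outer IP, ESP, then the complete inner IP header and TCP segment. The ESP next-header byte (6 for TCP, 4 for IP-in-IP) is what tells the receiver which of the two it is looking at.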


                  Tunnel Mode & Transport Mode (diagram slide; figure not included in this text)




                    VPN Extranet

    Extranet
        Extends the company intranet to customers and business partners outside
         the actual organization
    Used for information sharing and collaboration
        Sharing product catalogs with wholesalers
        Collaborating on joint development efforts
        Sharing training programs
        Requires authorized access, encryption and privacy




                  Firewalls & Methods
   Firewalls
        Filters access to protected private network
        Uses authentication / filtering policies
        Utilizes Policies to allow or disallow different types of
         transmissions
   Methods
        Packet Filtering – Analyze packets against sets of filters
        Proxy Services – Requests services on behalf of system
         users
        Stateful Inspection – Dynamic packet filtering
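Packet filtering and stateful inspection from the list above, run over the same three packets, as an added example (not course code). The rule set, addresses and packets are constructed; the point it shows is the hole a stateless filter has to open so replies can get back in, and how connection tracking removes the need for it.

```python
"""Stateless packet filtering next to stateful inspection, on the same packets.

Added example for the firewall-methods slide; not course code.  The rule set,
addresses and packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


def is_internal(ip: str) -> bool:
    return ip.startswith("10.0.0.")        # constructed private LAN


# Ordered rules: (direction, protocol, destination port, action); no match -> deny.
RULES = [
    ("out", "tcp", 80, "allow"),           # browsing
    ("out", "tcp", 443, "allow"),
    ("in", "tcp", 25, "allow"),            # inbound mail to the relay
]


def direction_of(pkt: Packet) -> str:
    return "out" if is_internal(pkt.src) else "in"


def rule_action(pkt: Packet) -> str:
    d = direction_of(pkt)
    for rule_dir, proto, dport, action in RULES:
        if (rule_dir, proto, dport) == (d, pkt.proto, pkt.dport):
            return action
    return "deny"


def stateless_decide(pkt: Packet) -> str:
    """Packet filtering: each packet is judged on its own header fields."""
    action = rule_action(pkt)
    if action == "deny" and direction_of(pkt) == "in" and "ACK" in pkt.flags:
        # The classic workaround: a reply to an inside connection carries ACK, and a
        # stateless filter cannot tell it from an attacker's ACK probe, so both pass.
        return "allow"
    return action


class StatefulFilter:
    """Stateful inspection: an inbound packet is allowed when it belongs to a
    connection an inside host opened; otherwise it falls back to the static rules."""

    def __init__(self):
        self.connections = set()           # (client ip, client port, server ip, server port)

    def decide(self, pkt: Packet) -> str:
        if direction_of(pkt) == "out":
            action = rule_action(pkt)
            if action == "allow":
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"                 # reply to a tracked flow
        return rule_action(pkt)            # no ACK shortcut needed


# Constructed traffic: a web request, its reply, and a scanner's ACK probe at NetBIOS.
REQUEST = Packet("10.0.0.7", 51000, "198.51.100.80", 80, flags=frozenset({"SYN"}))
REPLY = Packet("198.51.100.80", 80, "10.0.0.7", 51000, flags=frozenset({"SYN", "ACK"}))
PROBE = Packet("192.0.2.66", 4444, "10.0.0.7", 139, flags=frozenset({"ACK"}))

if __name__ == "__main__":
    sf = StatefulFilter()
    for name, pkt in (("request", REQUEST), ("reply", REPLY), ("probe", PROBE)):
        print(f"{name:8} stateless={stateless_decide(pkt):5} stateful={sf.decide(pkt)}")
```

Both filters pass the request and its reply. The stateless one also passes the attacker's ACK probe at port 139, because the only thing distinguishing it from a legitimate reply is state the filter does not keep; the stateful one denies it, and would also deny the reply if it arrived before any request had been seen.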

                  Effective Firewall Components
   Restrict network entry to a carefully controlled point
   Prevent attackers from getting close to other defenses
   Restrict network exit to a carefully controlled point
   Network policy defining the rules that permit access
   Advanced authentication with digital certificates
   Router packet filtering to grant or deny access by source address (host) or
    by port (service)
   Application gateway (proxy) that handles each service at the application
    layer and tracks the state of each TCP connection



             Types of Firewalls
   Packet Filtering
       Uses packet filtering rules in a router to block or pass traffic by
        protocol and IP address
   Dual-homed gateway
       A host with two network interfaces and IP forwarding disabled: no IP
        traffic passes directly between the Internet and the private LAN, only
        proxied connections
   Screened Host
       Combines a packet-filtering router with an application gateway (bastion
        host)
   Screened Subnet Firewall
       Has an intermediate perimeter network (the DMZ) to shield the private
        LAN or intranet


                 Firewall Policies

   Rules can match on:
   IP addresses
   Protocols
   Domain names
   Ports
   Specific words and phrases (content filtering)



                   Reliable Array of Independent Nodes (RAIN)


   Software clustering technology
        Provides redundant firewalls
        Developed at the California Institute of Technology
        Software monitors user activity and node health
           Picks up any failure that might occur
           Reroutes the user to a working firewall




  RAIN Diagram (diagram slide; figure not included in this text)



                Personal Firewalls

   Designed for mobile workers and telecommuters
       Creates a personal firewall to protect the mobile PC
       Offers protection from network attacks
       Protection on hostile (untrusted) networks
       Prevents infected e-mail from installing a back door
   Defends against Trojan horses, viruses and DoS attacks



               Personal Firewall (diagram slide; figure not included in this text)




                    Topic Review
1.   A user wants to send IPX and DECNET traffic
     over the internet, how can this be
     accomplished?
2.   What is an extranet?
3.   What is an intranet?
4.   What are the pros of having multiple ingress/egress points in the
     network?
5.   What are the cons of having multiple ingress/egress points in the
     network?

Document info: posted 3/5/2010; English; 45 pages.