Chapter 5: Securing the Network Infrastructure

Security+ Guide to Network Security Fundamentals
Second Edition
Objectives
   Work with the network cable plant
   Secure removable media
   Harden network devices
   Design network topologies

Working with the Network Cable Plant
   Cable plant: the physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
   Three types of transmission media:
      Coaxial cables
      Twisted-pair cables
      Fiber-optic cables

Coaxial Cables
   Coaxial cable was the main type of copper cabling used in computer networks for many years
   Has a single copper wire at its center surrounded by insulation and shielding
   Called “coaxial” because it houses two (co) axes or shafts: the copper wire and the shielding
   Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding

Coaxial Cables (continued)
   Thin coaxial cable looks similar to the cable that carries a cable TV signal
   A braided copper mesh channel surrounds the insulation, and everything is covered by an outer shield of insulation for the cable itself
   The copper mesh channel protects the core from interference
   BNC connectors: connectors used on the ends of a thin coaxial cable

Coaxial Cables (continued)
   [Slide contains only a figure]

Twisted-Pair Cables
   The standard for copper cabling used in computer networks today, replacing thin coaxial cable
   Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
   Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
   Unshielded twisted-pair (UTP) cables do not have any shielding
   Twisted-pair cables have RJ-45 connectors

Fiber-Optic Cables
   Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
   Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper; the core transmits light impulses
   A glass tube (the cladding) surrounds the core
   The core and cladding are protected by a jacket

Fiber-Optic Cables (continued)
   Classified by the diameter of the core and the diameter of the cladding
      Diameters are measured in microns; a micron is about 1/25,000 of an inch, or one-millionth of a meter
   Two types:
      Single-mode fiber cables: used when data must be transmitted over long distances
      Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

Securing the Cable Plant
   Securing cabling outside the protected network is not the primary security issue for most organizations
   The focus is on protecting access to the cable plant in the internal network
   An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch attacks at will

Securing the Cable Plant (continued)
   The attacker can capture packets as they travel through the network by sniffing
      The hardware or software that performs this function is called a sniffer
   Physical security
      First line of defense
      Protects the equipment and infrastructure itself
      Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

Securing Removable Media
   Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
   An employee copying data to a floppy disk or CD and carrying it home poses two risks:
      The storage media could be lost or stolen, compromising the information
      A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

Magnetic Media
   Record information by changing the magnetic direction of particles on a platter
   Floppy disks were some of the first magnetic media developed
   The capacity of today’s 3 1/2-inch disks is 1.44 MB
   Hard drives contain several platters stacked in a closed unit, each platter having its own head, or apparatus, to read and write information
   Magnetic tape drives record information in a serial fashion

Optical Media
   Optical media use a principle for recording information that differs from magnetic media
   A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
   The capacity of optical discs varies by type
   A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
   Data cannot be changed once recorded

Optical Media (continued)
   A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
   A Digital Versatile Disc (DVD) can store much larger amounts of data
      DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Electronic Media
   Electronic media use flash memory for storage
      Flash memory is a solid-state storage device: everything is electronic, with no moving or mechanical parts
   SmartMedia cards range in capacity from 2 MB to 128 MB
   The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Electronic Media (continued)
   CompactFlash card
      Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
      Comes in 3.3 mm and 5.5 mm thicknesses and stores between 8 MB and 192 MB of data
   USB memory stick is becoming very popular
      Can hold between 8 MB and 1 GB of data

Keeping Removable Media Secure
   Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Hardening Network Devices
   Each device that is connected to a network is a potential target of an attack and must be properly protected
   Network devices to be hardened are categorized as:
      Standard network devices
      Communication devices
      Network security devices

Hardening Standard Network Devices
   A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
   This equipment has basic security features that you can use to harden the devices

Workstations and Servers
   Workstation: a personal computer attached to a network (also called a client)
      Connected to a LAN and shares resources with other workstations and network equipment
      Can be used independently of the network and can have its own applications installed
   Server: a computer on a network dedicated to managing and controlling the network
   Basic steps to harden these systems are outlined on page 152 of the textbook

Switches and Routers
   Switch
      Most commonly used in Ethernet LANs
      Receives a packet from one network device and sends it to the destination device only
      Limits the collision domain (the part of the network on which multiple devices may attempt to send packets simultaneously)
   A switch is used within a single network
   Routers connect two or more single networks to form a larger network

Switches and Routers (continued)
   Switches and routers must also be protected against attacks
   Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
   Software agents are loaded onto each network device to be managed

Switches and Routers (continued)
   Each agent monitors network traffic and stores that information in its management information base (MIB)
   A computer with SNMP management software (an SNMP management station) communicates with the software agents on each network device and collects the data stored in the MIBs
   Page 154 of the textbook lists defensive controls that can be set for switches and routers

Hardening Communication Devices
   A second category of network devices is those that communicate over longer distances
   These include:
      Modems
      Remote access servers
      Telecom/PBX systems
      Mobile devices

Modems
   The most common communication device
   Broadband is increasing in popularity and can create network connection speeds of 1.5 Mbps and higher
   Two popular broadband technologies:
      Digital Subscriber Line (DSL) transmits data at 1.5 Mbps over regular telephone lines
      Another broadband technology uses the local cable television system

Modems (continued)
   A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
   Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
   Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time, so the connection is typically left on at all times

Remote Access Servers
   A set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
   Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Remote Access Servers (continued)
   [Slide contains only a figure]

Remote Access Servers (continued)
   Remote access clients can run almost all network-based applications without modification
      Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
   Minimum security features are listed on page 158 of the textbook

Telecom/PBX Systems
   PBX: the term used to describe a Private Branch eXchange
   The definition of a PBX comes from the words that make up its name:
      Private
      Branch
      eXchange

Mobile Devices
   As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
   Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection

Hardening Network Security Devices
   The final category of network devices includes those designed and used strictly to protect the network
   These include:
      Firewalls
      Intrusion-detection systems
      Network monitoring and diagnostic devices

Firewalls
   Typically used to filter packets
   Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
   Typically located outside the network security perimeter as the first line of defense
   Can be software or hardware configurations
   A software firewall runs as a program on a local computer (sometimes known as a personal firewall)
      Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
      One disadvantage is that a software firewall is only as strong as the operating system of the computer it runs on

Firewalls (continued)
   Filter packets in one of two ways:
      Stateless packet filtering: permits or denies each packet based strictly on the rule base
      Stateful packet filtering: records the state of a connection between an internal computer and an external server, and makes decisions based on that connection state and the rule base
   Can perform content filtering to block access to undesirable Web sites
   An application layer firewall can defend against worms better than other kinds of firewalls
      Reassembles and analyzes packet streams instead of examining individual packets

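To make the difference between the two filtering modes concrete, here is an added Python example (not from the textbook or its slides): a toy stateless filter and a toy stateful filter judging the same constructed packets. The LAN prefix, addresses, ports and rule base are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed sample topology: the protected LAN, with a public web server on it.
INTERNAL_NET = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new TCP connection


# Rule base: (direction, destination port or None for any, action); first match wins.
RULE_BASE = [
    ("out", None, "permit"),   # internal hosts may open any outbound connection
    ("in", 80, "permit"),      # outsiders may reach the web server's HTTP port
]

# What a stateless filter needs before replies to outbound connections get back in:
# a blanket rule for the high (ephemeral) ports, which also admits unsolicited packets.
RULE_BASE_WITH_REPLY_HOLE = RULE_BASE + [("in", range(1024, 65536), "permit")]


def direction(pkt):
    return "out" if pkt.src.startswith(INTERNAL_NET) else "in"


def stateless_filter(pkt, rules=RULE_BASE):
    """Judge each packet on the rule base alone, with no memory of earlier packets."""
    d = direction(pkt)
    for rule_dir, port, action in rules:
        if rule_dir != d:
            continue
        if port is None or port == pkt.dport or (isinstance(port, range) and pkt.dport in port):
            return action
    return "deny"  # implicit deny when no rule matched


class StatefulFilter:
    """Records the connections internal hosts open, so only their replies are let back in."""

    def __init__(self, rules=RULE_BASE):
        self.rules = rules
        self.connections = set()  # (internal ip, internal port, external ip, external port)

    def filter(self, pkt):
        if direction(pkt) == "in":
            # A reply is the mirror image of a connection we recorded on the way out
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "permit"
        decision = stateless_filter(pkt, self.rules)  # new flows still go to the rule base
        if decision == "permit" and direction(pkt) == "out" and pkt.syn:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return decision
```

With the plain rule base the stateless filter blocks the reply to an outbound connection; opening the high ports to let replies through also lets an unsolicited packet to the same port in, whereas the stateful filter admits only the reply it has a record for.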
Intrusion-Detection Systems (IDSs)
   Devices that establish and maintain network security
   An active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to its source
      Installed on the server or, in some instances, on all computers on the network
   A passive IDS sends information about what happened, but does not take action

Intrusion-Detection Systems (IDSs) (continued)
   A host-based IDS monitors critical operating system files and the computer’s processor activity and memory, and scans event logs for signs of suspicious activity
   A network-based IDS monitors all network traffic instead of only the activity on one computer
      Typically located just behind the firewall
   Other IDS systems are based on behavior:
      Watch network activity and report abnormal behavior
      Result in many false alarms

Network Monitoring and Diagnostic Devices
   SNMP enables network administrators to:
      Monitor network performance
      Find and solve network problems
      Plan for network growth
   Managed device:
      A network device that contains an SNMP agent
      Collects and stores management information and makes it available to SNMP

Designing Network Topologies
   Topology: the physical layout of the network devices, how they are interconnected, and how they communicate
   Essential to establishing the network’s security
   Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and its users

Security Zones
   One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
      Demilitarized Zones (DMZs)
      Intranets
      Extranets

Demilitarized Zones (DMZs)
   Separate networks that sit outside the secure network perimeter
   Outside users can access the DMZ, but cannot enter the secure network
   For extra security, some networks use a DMZ with two firewalls
   The types of servers that should be located in the DMZ include:
      Web servers
      E-mail servers
      Remote access servers
      FTP servers

Demilitarized Zones (DMZs) (continued)
   [Slide contains only a figure]

Intranets
   Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
   A disadvantage is that an intranet does not allow remote trusted users access to information

Extranets
   Sometimes called a cross between the Internet and an intranet
   Accessible to users who are not trusted internal users but are trusted external users
   Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)
   “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
   Hides the IP addresses of network devices from attackers
   Computers are assigned special IP addresses (known as private addresses)
   These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
   Port address translation (PAT) is a variation of NAT
   Each outgoing packet is given the same (public) IP address, but a different TCP port number

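The PAT behavior described above, as an added Python example (not code from the textbook): several internal hosts with private addresses share one public address, each flow gets its own public port, replies are mapped back by that port, and an inbound packet with no mapping is dropped, which is what keeps the internal hosts unseen from outside. The public address, private hosts and port range are constructed values.

```python
import itertools
from ipaddress import ip_address, ip_network

# Constructed sample: the private ranges used inside and the one address the outside sees.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_IP = "203.0.113.1"


def is_private(ip):
    """True for the RFC 1918 ranges that anyone may use on an internal network."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class PortAddressTranslator:
    """Rewrites every outbound flow to PUBLIC_IP with its own source port (PAT)."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=50000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.out_map = {}  # (priv ip, priv port, dst ip, dst port) -> public port
        self.in_map = {}   # public port -> (priv ip, priv port, dst ip, dst port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (src_ip, src_port, dst_ip, dst_port) the packet leaves with."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an internal private address")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_map:  # first packet of this flow: allocate a public port
            port = next(self._next_port)
            self.out_map[flow] = port
            self.in_map[port] = flow
        return (self.public_ip, self.out_map[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the translated reply packet, or None to drop it.

        Only a packet from the exact external endpoint an internal host contacted
        is mapped back; anything else has no entry and is discarded, so an outside
        scanner sees one address with nothing reachable behind it.
        """
        if dst_ip != self.public_ip:
            return None
        flow = self.in_map.get(dst_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        priv_ip, priv_port, _, _ = flow
        return (src_ip, src_port, priv_ip, priv_port)
```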
Honeypots
   Computers located in a DMZ loaded with software and data files that appear to be authentic
   Intended to trap or trick attackers
   Two-fold purpose:
      To direct an attacker’s attention away from the real servers on the network
      To examine the techniques used by attackers

Honeypots (continued)
   [Slide contains only a figure]

Virtual LANs (VLANs)
   Segment a network with switches to divide the network into a hierarchy
   Core switches reside at the top of the hierarchy and carry traffic between switches
   Workgroup switches are connected directly to the devices on the network
   Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Virtual LANs (VLANs) (continued)
   [Slide contains only a figure]

Virtual LANs (VLANs) (continued)
   Segment a network by grouping similar users together
   Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Summary
   Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
   Removable media used to store information include:
      Magnetic storage (removable disks, hard drives)
      Optical storage (CD and DVD)
      Electronic storage (USB memory sticks, FlashCards)
   Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
   A network’s topology plays a critical role in resisting attackers
   Hiding the IP address of a network device can help disguise it so that an attacker cannot find it

End of Chapter