XML Part by fionan


									                        Securing the Network
                                                   Chapter 5:

Security+ Guide to Network Security Fundamentals
Second Edition
   Work with the network cable plant
   Secure removable media
   Harden network devices
   Design network topologies

Working with the Network Cable Plant

   Cable plant: physical infrastructure of a network
    (wire, connectors, and cables) used to carry data
    communication signals between equipment
   Three types of transmission media:
      Coaxial cables

      Twisted-pair cables

      Fiber-optic cables

      Coaxial Cables
   Coaxial cable was main type of copper cabling used in
    computer networks for many years
   Has a single copper wire at its center surrounded by
    insulation and shielding
   Called “coaxial” because it houses two (co) axes or
    shafts―the copper wire and the shielding
   Thick coaxial cable has a copper wire in center
    surrounded by a thick layer of insulation that is covered
    with braided metal shielding

      Coaxial Cables (continued)

   Thin coaxial cable looks similar to the cable that carries
    a cable TV signal
   A braided copper mesh channel surrounds the
    insulation and everything is covered by an outer shield of
    insulation for the cable itself
   The copper mesh channel protects the core from
   BNC connectors: connectors used on the ends of a
    thin coaxial cable

Coaxial Cables (continued)

    Twisted-Pair Cables
   Standard for copper cabling used in computer networks
    today, replacing thin coaxial cable
   Composed of two insulated copper wires twisted
    around each other and bundled together with other pairs
    in a jacket
   Shielded twisted-pair (STP) cables have a foil
    shielding on the inside of the jacket to reduce
   Unshielded twisted-pair (UTP) cables do not have any
   Twisted-pair cables have RJ-45 connectors

Fiber-Optic Cables

   Coaxial and twisted-pair cables have copper wire at
    the center that conducts an electrical signal
   Fiber-optic cable uses a very thin cylinder of glass
    (core) at its center instead of copper that transmit
    light impulses
   A glass tube (cladding) surrounds the core
   The core and cladding are protected by a jacket

      Fiber-Optic Cables (continued)
   Classified by the diameter of the core and the diameter
    of the cladding
      Diameters are measured in microns, each is about
        1/25,000 of an inch or one-millionth of a meter
   Two types:
      Single-mode fiber cables: used when data must be
        transmitted over long distances
      Multimode cable: supports many simultaneous light
        transmissions, generated by light-emitting diodes

Securing the Cable Plant

   Securing cabling outside the protected network is
    not the primary security issue for most organizations
   Focus is on protecting access to the cable plant in
    the internal network
   An attacker who can access the internal network
    directly through the cable plant has effectively
    bypassed the network security perimeter and can
    launch his attacks at will

      Securing the Cable Plant (continued)
   The attacker can capture packets as they travel
    through the network by sniffing
      The hardware or software that performs such
       functions is called a sniffer
   Physical security
      First line of defense
      Protects the equipment and infrastructure itself
      Has one primary goal: to prevent unauthorized users
       from reaching the equipment or cable plant in order to
       use, steal, or vandalize it

      Securing Removable Media
   Securing critical information stored on a file server can
    be achieved through strong passwords, network security
    devices, antivirus software, and door locks
   An employee copying data to a floppy disk or CD and
    carrying it home poses two risks:
      Storage media could be lost or stolen, compromising
       the information
      A worm or virus could be introduced to the media,
       potentially damaging the stored information and
       infecting the network

      Magnetic Media
   Record information by changing the magnetic direction
    of particles on a platter
   Floppy disks were some of the first magnetic media
   The capacity of today’s 3 1/2-inch disks are 14 MB
   Hard drives contain several platters stacked in a closed
    unit, each platter having its own head or apparatus to
    read and write information
   Magnetic tape drives record information in a serial

      Optical Media
   Optical media use a principle for recording information
    different from magnetic media
   A high-intensity laser burns a tiny pit into the surface of
    an optical disc to record a one, but does nothing to
    record a zero
   Capacity of optical discs varies by type
   A Compact Disc-Recordable (CD-R) disc can record
    up to 650 MB of data
   Data cannot be changed once recorded

      Optical Media (continued)
   A Compact Disc-Rewriteable (CD-RW) disc can be
    used to record data, erase it, and record again
   A Digital Versatile Disc (DVD) can store much larger
    amounts of data
      DVD formats include Digital Versatile Disc-
       Recordable (DVD-R), which can record once up to
       395 GB on a single-sided disc and 79 GB on a
       double-sided disc

Electronic Media

   Electronic media use flash memory for storage
      Flash memory is a solid state storage device―
       everything is electronic, with no moving or
       mechanical parts
   SmartMedia cards range in capacity from 2 MB to
    128 MB
   The card itself is only 45 mm long, 37 mm wide, and
    less than 1 mm thick

Electronic Media (continued)

   CompactFlash card
     Consists of a small circuit board with flash
      memory chips and a dedicated controller chip
      encased in a shell
     Come in 33 mm and 55 mm thicknesses and store
      between 8MB and 192 MB of data
   USB memory stick is becoming very popular
     Can hold between 8 MB and 1 GB of memory

Keeping Removable Media Secure

   Protecting removable media involves making sure that
    antivirus and other security software are installed on
    all systems that may receive a removable media
    device, including employee home computers

Hardening Network Devices

   Each device that is connected to a network is a
    potential target of an attack and must be properly
   Network devices to be hardened categorized as:
      Standard network devices

      Communication devices

      Network security devices

Hardening Standard Network Devices

   A standard network device is a typical piece of
    equipment that is found on almost every network,
    such as a workstation, server, switch, or router
   This equipment has basic security features that you
    can use to harden the devices

      Workstations and Servers
   Workstation: personal computer attached to a network
    (also called a client)
      Connected to a LAN and shares resources with
        other workstations and network equipment
      Can be used independently of the network and can
        have their own applications installed
   Server: computer on a network dedicated to managing
    and controlling the network
   Basic steps to harden these systems are outlined on
    page 152

      Switches and Routers
   Switch
      Most commonly used in Ethernet LANs
      Receives a packet from one network device and
        sends it to the destination device only
      Limits the collision domain (part of network on which
        multiple devices may attempt to send packets
   A switch is used within a single network
   Routers connect two or more single networks to form a
    larger network

Switches and Routers (continued)

   Switches and routers must also be protected
    against attacks
   Switches and routers can be managed using the
    Simple Network Management Protocol (SNMP),
    part of the TCP/IP protocol suite
   Software agents are loaded onto each network
    device to be managed

      Switches and Routers (continued)
   Each agent monitors network traffic and stores that
    information in its management information base (MIB)
   A computer with SNMP management software
    (SNMP management station) communicates with
    software agents on each network device and collects the
    data stored in the MIBs
   Page 154 lists defensive controls that can be set for
    switches and routers

Hardening Communication Devices

   A second category of network devices are those
    that communicate over longer distances
   Include:
      Modems

      Remote access servers

      Telecom/PBX Systems

      Mobile devices


   Most common communication device
   Broadband is increasing in popularity and can
    create network connection speeds of 15 Mbps and
   Two popular broadband technologies:
      Digital Subscriber Line (DSL) transmits data
       15 Mbps over regular telephone lines
      Another broadband technology uses the local
       cable television system

Modems (continued)

   A computer connects to a cable modem, which is
    connected to the coaxial cable that brings cable TV
    signals to the home
   Because cable connectivity is shared in a
    neighborhood, other users can use a sniffer to view
   Another risk with DSL and cable modem
    connections is that broadband connections are
    charged at a set monthly rate, not by the minute of
    connect time

Remote Access Servers

   Set of technologies that allows a remote user to
    connect to a network through the Internet or a wide
    area network (WAN)
   Users run remote access client software and initiate
    a connection to a Remote Access Server (RAS),
    which authenticates users and passes service
    requests to the network

Remote Access Servers (continued)

Remote Access Servers (continued)

   Remote access clients can run almost all network-
    based applications without modification
      Possible because remote access technology
       supports both drive letters and universal naming
       convention (UNC) names
   Minimum security features are listed on page 158

Telecom/PBX Systems

   Term used to describe a Private Branch eXchange
   The definition of a PBX comes from the words that
    make up its name:
      Private

      Branch

      eXchange

Mobile Devices

   As cellular phones and personal digital assistants
    (PDAs) have become increasingly popular, they
    have become the target of attackers
   Some defenses against attacks on these devices use
    real-time data encryption and passwords to protect
    the system so that an intruder cannot “beam” a virus
    through a wireless connection

Hardening Network Security Devices

   The final category of network devices includes
    those designed and used strictly to protect the
   Include:
      Firewalls

      Intrusion-detection systems

      Network monitoring and diagnostic devices

   Typically used to filter packets
   Designed to prevent malicious packets from entering the
    network or its computers (sometimes called a packet filter)
   Typically located outside the network security perimeter as
    first line of defense
   Can be software or hardware configurations
   Software firewall runs as a program on a local computer
    (sometimes known as a personal firewall)
      Enterprise firewalls are software firewalls designed to run
        on a dedicated device and protect a network instead of
        only one computer
      One disadvantage is that it is only as strong as the
        operating system of the computer                         34
        Firewalls (continued)
   Filter packets in one of two ways:
       Stateless packet filtering: permits or denies each packet
        based strictly on the rule base
       Stateful packet filtering: records state of a connection
        between an internal computer and an external server; makes
        decisions based on connection and rule base
   Can perform content filtering to block access to
    undesirable Web sites
   An application layer firewall can defend against worms
    better than other kinds of firewalls
       Reassembles and analyzes packet streams instead of
        examining individual packets
      Intrusion-Detection Systems (IDSs)
   Devices that establish and maintain network security
   Active IDS (or reactive IDS) performs a specific
    function when it senses an attack, such as dropping
    packets or tracing the attack back to a source
      Installed on the server or, in some instances, on all
       computers on the network
   Passive IDS sends information about what happened,
    but does not take action

      Intrusion-Detection Systems (IDSs)

   Host-based IDS monitors critical operating system
    files and computer’s processor activity and memory;
    scans event logs for signs of suspicious activity
   Network-based IDS monitors all network traffic
    instead of only the activity on a computer
      Typically located just behind the firewall

   Other IDS systems are based on behavior:
      Watch network activity and report abnormal behavior

      Result in many false alarms

Network Monitoring and Diagnostic

    SNMP enables network administrators to:
      Monitor network performance

      Find and solve network problems

      Plan for network growth

    Managed device:
      Network device that contains an SNMP agent

      Collects and stores management information and
       makes it available to SNMP

Designing Network Topologies

   Topology: physical layout of the network devices,
    how they are interconnected, and how they
   Essential to establishing its security
   Although network topologies can be modified for
    security reasons, the network still must reflect the
    needs of the organization and users

Security Zones

   One of the keys to mapping the topology of a
    network is to separate secure users from outsiders
      Demilitarized Zones (DMZs)

      Intranets

      Extranets

Demilitarized Zones (DMZs)

   Separate networks that sit outside the secure
    network perimeter
   Outside users can access the DMZ, but cannot
    enter the secure network
   For extra security, some networks use a DMZ with
    two firewalls
   The types of servers that should be located in the
    DMZ include:
      Web servers                   – E-mail servers
      Remote access servers         – FTP servers

Demilitarized Zones (DMZs) (continued)


   Networks that use the same protocols as the public
    Internet, but are only accessible to trusted inside
   Disadvantage is that it does not allow remote
    trusted users access to information


   Sometimes called a cross between the Internet and
    an intranet
   Accessible to users that are not trusted internal
    users, but trusted external users
   Not accessible to the general public, but allows
    vendors and business partners to access a company
    Web site

    Network Address Translation (NAT)
   “You cannot attack what you do not see” is the philosophy
    behind Network Address Translation (NAT) systems
   Hides the IP addresses of network devices from attackers
   Computers are assigned special IP addresses (known as
    private addresses)
   These IP addresses are not assigned to any specific user or
    organization; anyone can use them on their own private
    internal network
   Port address translation (PAT) is a variation of NAT
   Each packet is given the same IP address, but a different
    TCP port number


   Computers located in a DMZ loaded with software
    and data files that appear to be authentic
   Intended to trap or trick attackers
   Two-fold purpose:
      To direct attacker’s attention away from real
       servers on the network
      To examine techniques used by attackers

Honeypots (continued)

      Virtual LANs (VLANs)
   Segment a network with switches to divide the network
    into a hierarchy
   Core switches reside at the top of the hierarchy and
    carry traffic between switches
   Workgroup switches are connected directly to the
    devices on the network
   Core switches must work faster than workgroup
    switches because core switches must handle the traffic
    of several workgroup switches

Virtual LANs (VLANs) (continued)

Virtual LANs (VLANs) (continued)

    Segment a network by grouping similar users
    Instead of segmenting by user, you can segment a
     network by separating devices into logical groups
     (known as creating a VLAN)

   Cable plant: physical infrastructure (wire, connectors, and
    cables that carry data communication signals between
   Removable media used to store information include:
       Magnetic storage (removable disks, hard drives)
       Optical storage (CD and DVD)
       Electronic storage (USB memory sticks, FlashCards)
   Network devices (workstations, servers, switches, and
    routers) should all be hardened to repel attackers
   A network’s topology plays a critical role in resisting
   Hiding the IP address of a network device can help disguise
    it so that an attacker cannot find it
End of Chapter


To top