All Network Security

8/3/2019 All Network Security

Guide to Network Security Fundamentals

Chapter 1

Learning Objectives
• Understand network security
• Understand security threat trends and their ramifications
• Understand the goals of network security
• Determine the factors involved in a secure network strategy

Understanding Network Security
• Network security
  o Process by which digital information assets are protected
• Goals
  o Maintain integrity
  o Protect confidentiality
  o Assure availability

Understanding Network Security (continued)
• Security ensures that users:
  o Perform only tasks they are authorized to do
  o Obtain only information they are authorized to have
  o Cannot cause damage to data, applications, or operating environment

Security Threats
• Identity theft
• Privacy concerns
• Wireless access

To Offset Security Threats
• Integrity
  o Assurance that data is not altered or destroyed in an unauthorized manner
• Confidentiality
  o Protection of data from unauthorized disclosure to a third party
• Availability
  o Continuous operation of computing systems

Security Ramifications: Costs of Intrusion
• Causes of network security threats
  o Technology weaknesses
  o Configuration weaknesses
  o Policy weaknesses
  o Human error

Technology Weaknesses
• TCP/IP
• Operating systems
• Network equipment

Configuration Weaknesses
• Unsecured accounts
• System accounts with easily guessed passwords
• Misconfigured Internet services
• Unsecured default settings
• Misconfigured network equipment
• Trojan horse programs
• Vandals
• Viruses

Policy Weaknesses
• Lack of a written security policy
• Politics
• High turnover
• Concise access controls not applied
• Software and hardware installation and changes do not follow policy
• Proper security
• Nonexistent disaster recovery plan

Human Error
• Accident
• Ignorance
• Workload
• Dishonesty
• Impersonation
• Disgruntled employees
• Snoops
• Denial-of-service attacks

Goals of Network Security
• Achieve the state where any action that is not expressly permitted is prohibited
  o Eliminate theft
  o Determine authentication
  o Identify assumptions
  o Control secrets

Creating a Secure Network Strategy
• Address both internal and external threats
• Define policies and procedures
• Reduce risk across perimeter security, the Internet, intranets, and LANs

Creating a Secure Network Strategy (continued)
• Human factors
• Know your weaknesses
• Limit access
• Achieve security through persistence
  o Develop change management process
• Remember physical security
• Perimeter security
  o Control access to critical network applications, data, and services

Creating a Secure Network Strategy (continued)
• Firewalls
  o Prevent unauthorized access to or from private network
  o Create protective layer between network and outside world
  o Replicate network at point of entry in order to receive and transmit authorized data
  o Have built-in filters
  o Log attempted intrusions and create reports

Creating a Secure Network Strategy (continued)
• Web and file servers
• Access control
  o Ensures that only legitimate traffic is allowed into or out of the network
• Passwords
• PINs
• Smartcards

Creating a Secure Network Strategy (continued)
• Change management
  o Document changes to all areas of IT infrastructure
• Encryption
  o Ensures messages cannot be intercepted or read by anyone other than the intended person(s)

Creating a Secure Network Strategy (continued)
• Intrusion detection system (IDS)
  o Provides 24/7 network surveillance
  o Analyzes packet data streams within the network
  o Searches for unauthorized activity

Chapter Summary
• Understanding network security
• Security threats
• Security ramifications
• Goals of network security
• Creating a secure network strategy

Chapter 2

Authentication

Learning Objectives
• Create strong passwords and store them securely
• Understand the Kerberos authentication process
• Understand how CHAP works
• Understand what mutual authentication is and why it is necessary
• Understand how digital certificates are created and why they are used

Learning Objectives (continued)
• Understand what tokens are and how they function
• Understand biometric authentication processes and their strengths and weaknesses
• Understand the benefits of multifactor authentication

Security of System Resources
• Three-step process (AAA)
  o Authentication: positive identification of person/system seeking access to secured information/services
  o Authorization: predetermined level of access to resources
  o Accounting: logging use of each asset

Authentication Techniques
• Usernames and passwords
• Kerberos
• Challenge Handshake Authentication Protocol (CHAP)
• Mutual authentication
• Digital certificates
• Tokens
• Biometrics
• Multifactor authentication

Usernames and Passwords
• Username
  o Unique alphanumeric identifier used to identify an individual when logging onto a computer/network
• Password
  o Secret combination of keystrokes that, when combined with a username, authenticates a user to a computer/network

Basic Rules for Password Protection
1. Memorize passwords; do not write them down
2. Use different passwords for different functions
3. Use at least 6 characters
4. Use mixture of uppercase and lowercase letters, numbers, and other characters
5. Change periodically

Strong Password Creation Techniques
• Easy to remember; difficult to recognize
• Examples:
  o First letters of each word of a simple phrase; add a number and punctuation: Asb4M?
  o Combine two dissimilar words and place a number between them: SleigH9ShoE
  o Substitute numbers for letters (not obviously)
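The two slides above (the five basic rules and the creation techniques) can be turned into a checker. The Python below is an added example, not code from the textbook: it encodes rules 3 and 4 as a policy check and implements the first two creation techniques so their output can be run through that check. The phrase used for technique 1 is constructed; the slide's own Asb4M? example is not reproduced because the underlying phrase is not given.

```python
import string

# Constructed rule set mirroring rules 3 and 4 of the slide: at least 6 characters,
# and a mixture of uppercase, lowercase, numbers and other characters.
MIN_LENGTH = 6

def password_problems(password: str) -> list:
    """Return the slide rules a candidate password violates (empty list = it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no other (punctuation) character")
    return problems

def from_phrase(phrase: str, number: str, punctuation: str) -> str:
    """Slide technique 1: first letter of each word of a phrase, then a number and
    punctuation. Capitalised words keep a capital initial so the result mixes cases."""
    initials = "".join(word[0] for word in phrase.split())
    return initials + number + punctuation

def combine_words(first: str, second: str, number: str) -> str:
    """Slide technique 2: two dissimilar words with a number between them; the first and
    last letter of each word are upper-cased, which reproduces the slide's SleigH9ShoE."""
    def cap_ends(word):
        return word[0].upper() + word[1:-1].lower() + word[-1].upper()
    return cap_ends(first) + number + cap_ends(second)

def demo():
    """Run the techniques (constructed phrase for technique 1) and a weak variant through
    the checker, returning each candidate's list of violated rules."""
    candidates = {
        "phrase": from_phrase("Never tell your password to Anyone", "1", "!"),  # NtyptA1!
        "two words": combine_words("sleigh", "shoe", "9"),                     # SleigH9ShoE
        "weak": "sleigh9shoe",
    }
    return {name: password_problems(pw) for name, pw in candidates.items()}
```

Note that SleigH9ShoE, the slide's own example, satisfies length and case mixture but contains no punctuation, so a checker applying rule 4 literally still flags it; the phrase technique with a trailing punctuation mark passes all four checks.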

Techniques to Use Multiple Passwords
• Group Web sites or applications by appropriate level of security
  o Use a different password for each group
  o Cycle more complex passwords down the groups, from most sensitive to least

Storing Passwords
• Written
  o Keep in a place you are not likely to lose it
  o Use small type
  o Develop a personal code to apply to the list
• Electronic
  o Use a specifically designed application (encrypts data)

Kerberos
• Provides secure and convenient way to access data and services through:
  o Session keys
  o Tickets
  o Authenticators
  o Authentication servers
  o Ticket-granting tickets
  o Ticket-granting servers
  o Cross-realm authentication

Kerberos in a Simple Environment
• Session key
  o Secret key used during logon session between client and a service
• Ticket
  o Set of electronic information used to authenticate identity of a principal to a service
• Authenticator
  o Device (e.g., PPP network server) that requires authentication from a peer and specifies authentication protocol used in the configure request during link establishment phase

Kerberos in a Simple Environment (continued)
• Checksum
  o Small, fixed-length numerical value
  o Computed as a function of an arbitrary number of bits in a message
  o Used to verify authenticity of sender

[Figure: Kerberos in a Simple Environment]

Kerberos in a More Complex Environment
• Ticket-granting ticket (TGT)
  o Data structure that acts as an authenticating proxy to principal's master key for set period of time
• Ticket-granting server (TGS)
  o Server that grants ticket-granting tickets to a principal

[Figure: Kerberos in a More Complex Environment]

Kerberos in Very Large Network Systems
• Cross-realm authentication
  o Allows principal to authenticate itself to gain access to services in a distant part of a Kerberos system

[Figure: Cross-Realm Authentication]

Security Weaknesses of Kerberos
• Does not solve password-guessing attacks
• Must keep password secret
• Does not prevent denial-of-service attacks
• Internal clocks of authenticating devices must be loosely synchronized
• Authenticating device identifiers must not be recycled on a short-term basis
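The Kerberos slides above introduce session keys, tickets, authenticators, the AS, the TGT and the TGS, and then list the clock-synchronization requirement as a weakness. The Python below is an added example written for this page, not the textbook's code and not a real Kerberos implementation: it models one realm with an AS/TGS and one service, walks a client through the AS exchange, the TGS exchange and the service request, and enforces ticket expiry and the authenticator timestamp window. The `seal`/`unseal` pair is a constructed toy cipher (SHA-256 keystream plus HMAC tag) standing in for Kerberos' real encryption types; the 300-second skew limit, ticket lifetime, principal names and passwords are all assumptions.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds; authenticators older than this are rejected (loose clock sync)
TICKET_LIFE = 8 * 3600  # seconds a TGT or service ticket stays valid (assumed lifetime)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption constructed for this example (not Kerberos' real ciphers):
    SHA-256 counter keystream for confidentiality, HMAC-SHA256 tag for integrity."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket/authenticator")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    # Fresh per request; proves possession of the session key and carries the client's clock
    return seal(session_key, {"client": client, "timestamp": now})

def check_ticket_and_authenticator(ticket: dict, authenticator: bytes, now: int) -> dict:
    """What the TGS or a service does with a decrypted ticket and the accompanying authenticator."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)   # only the ticket holder knows this key
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("clock skew too large")
    return auth

class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) of one realm."""
    def __init__(self):
        self.keys = {}   # principal -> long-term key; "krbtgt" is the TGS's own key

    def register(self, principal: str, password: str):
        self.keys[principal] = long_term_key(password)

    def as_exchange(self, client: str, now: int) -> bytes:
        # AS-REP: TGS session key sealed under the client's key, plus a TGT sealed under the TGS key
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + TICKET_LIFE})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        # TGS-REP: service session key and service ticket, sealed under the TGS session key
        t = unseal(self.keys["krbtgt"], tgt)
        check_ticket_and_authenticator(t, authenticator, now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk.hex(), "expires": now + TICKET_LIFE})
        return seal(bytes.fromhex(t["key"]), {"key": ssk.hex(), "ticket": ticket.hex()})

def kerberos_login(kdc: KDC, client: str, password: str, service: str, now: int, client_skew: int = 0) -> str:
    """Client flow: AS exchange, TGS exchange, then present the service ticket to the service.
    Returns the client name the service accepted; raises on wrong password or bad clocks."""
    ck = long_term_key(password)
    as_rep = unseal(ck, kdc.as_exchange(client, now))        # fails here if the password is wrong
    tgs_sk, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    client_now = now + client_skew                            # the client's (possibly drifted) clock
    tgs_rep = unseal(tgs_sk, kdc.tgs_exchange(tgt, make_authenticator(tgs_sk, client, client_now), service, now))
    svc_sk, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    # The service decrypts the ticket with its own long-term key (modelled here as kdc.keys[service])
    t = unseal(kdc.keys[service], ticket)
    return check_ticket_and_authenticator(t, make_authenticator(svc_sk, client, client_now), now)["client"]
```

Two of the listed weaknesses are visible in the model: a client whose clock drifts beyond `MAX_SKEW` is refused even with the right password, and the AS reply is sealed only under a key derived from the user's password, which is why Kerberos by itself does not solve password guessing and why the password must be kept secret.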

Challenge Handshake Authentication Protocol (CHAP)
• PPP mechanism used by an authenticator to authenticate a peer
• Uses an encrypted challenge-and-response sequence

[Figure: CHAP Challenge-and-Response Sequence]

CHAP Security Benefits
• Multiple authentication sequences throughout Network layer protocol session
  o Limit time of exposure to any single attack
• Variable challenge values and changing identifiers
  o Provide protection against playback attacks
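The challenge-and-response sequence and the playback-protection claim above can be shown concretely. The Python below is an added example, not the textbook's code: the response computation follows RFC 1994 (MD5 over identifier, secret and challenge), and the `Authenticator` class issues a fresh random challenge with a changing identifier each round and answers each challenge at most once. The peer name and shared secret are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """PPP authenticator side: issues fresh challenges and checks responses; the shared
    secret itself is never sent on the link."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret (constructed table)
        self.identifier = 0
        self.outstanding = {}       # identifier -> challenge value still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256   # changing identifier ...
        value = os.urandom(16)                           # ... and a variable challenge value
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, peer: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)  # each challenge is answered at most once
        if challenge is None or peer not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[peer], challenge)
        return hmac.compare_digest(expected, response)

class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)

def authenticate(auth: Authenticator, peer: Peer) -> bool:
    """One challenge/response/verify round; the authenticator may repeat this at any time
    during the session (the slide's 'multiple authentication sequences')."""
    identifier, challenge = auth.challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response)

def replay_is_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Why variable challenges defeat playback: a response recorded from one round is
    useless against the next, because the challenge and identifier have changed."""
    identifier, challenge = auth.challenge()
    name, recorded = peer.respond(identifier, challenge)
    if not auth.verify(identifier, name, recorded):
        return False
    new_identifier, _ = auth.challenge()
    return not auth.verify(new_identifier, name, recorded)
```

The `outstanding` table is what makes the identifier matter: a response is only compared against the challenge that carried the same identifier, and that entry is removed on first use.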

CHAP Security Issues
• Passwords should not be the same in both directions
• Not all implementations of CHAP terminate the link when authentication process fails, but instead limit traffic to a subset of Network layer protocols
  o Possible for users to update passwords

Mutual Authentication
• Process by which each party in an electronic communication verifies the identity of the other party

Digital Certificates
• Electronic means of verifying identity of an individual/organization
• Digital signature
  o Piece of data that claims that a specific, named individual wrote or agreed to the contents of an electronic document to which the signature is attached

Electronic Encryption and Decryption Concepts
• Encryption
  o Converts plain text message into secret message
• Decryption
  o Converts secret message into plain text message
• Symmetric cipher
  o Uses only one key
• Asymmetric cipher
  o Uses a key pair (private key and public key)

Electronic Encryption and Decryption Concepts (continued)
• Certificate authority (CA)
  o Trusted, third-party entity that verifies the actual identity of an organization/individual before providing a digital certificate
• Nonrepudiation
  o Practice of using a trusted, third-party entity to verify the authenticity of a party who sends a message

How Much Trust Should One Place in a CA?
• Reputable CAs have several levels of authentication that they issue based on the amount of data collected from applicants
• Example: VeriSign

Security Tokens
• Authentication devices assigned to specific user
• Small, credit card-sized physical devices
• Incorporate two-factor authentication methods
• Utilize base keys that are much stronger than short, simple passwords a person can remember

Types of Security Tokens
• Passive
  o Act as a storage device for the base key
  o Do not emit, or otherwise share, base tokens
• Active
  o Actively create another form of a base key or encrypted form of a base key that is not subject to attack by sniffing and replay
  o Can provide variable outputs in various circumstances

One-Time Passwords
• Used only once for limited period of time; then is no longer valid
• Uses shared keys and challenge-and-response systems, which do not require that the secret be transmitted or revealed
• Strategies for generating one-time passwords
  o Counter-based tokens
  o Clock-based tokens
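The two generation strategies named above, counter-based and clock-based tokens, are standardized as HOTP (RFC 4226) and TOTP (RFC 6238). The Python below is an added example, not the textbook's code: it implements both algorithms from the standard library and adds the server-side bookkeeping that makes a password genuinely one-time, a look-ahead window for counter drift and a one-step tolerance for clock drift. The secret and code values in the usage are the RFC test vectors; the window sizes are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 counter-based one-time password: HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to a 31-bit number, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 clock-based one-time password: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)

class CounterTokenValidator:
    """Server side for a counter-based token. The last accepted counter is remembered so a
    password is accepted only once; a small look-ahead window (assumed size) tolerates codes
    the token generated without the server ever seeing them."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.look_ahead, self.last = secret, look_ahead, -1

    def check(self, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last = c          # this counter and all earlier ones are now spent
                return True
        return False

class ClockTokenValidator:
    """Server side for a clock-based token. Accepts the current 30-second step and one step
    either side (clocks only loosely synchronized) and records used steps to block replay."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.used = secret, step, set()

    def check(self, code: str, now: int) -> bool:
        current = now // self.step
        for c in (current - 1, current, current + 1):
            if c not in self.used and hmac.compare_digest(hotp(self.secret, c), code):
                self.used.add(c)
                return True
        return False
```

Neither validator ever sends or receives the shared secret; only the derived code crosses the network, which is the property the slide describes.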

Biometrics
• Biometric authentication
  o Uses measurements of physical or behavioral characteristics of an individual
  o Generally considered most accurate of all authentication methods
  o Traditionally used in highly secure areas
  o Expensive

How Biometric Authentication Works
1. Biometric is scanned after identity is verified
2. Biometric information is analyzed and put into an electronic template
3. Template is stored in a repository
4. To gain access, biometric is scanned again
5. Computer analyzes biometric data and compares it to data in template
6. If data from scan matches data in template, person is allowed access
7. Keep a record, following AAA model

False Positives and False Negatives
• False positive
  o Occurrence of an unauthorized person being authenticated by a biometric authentication process
• False negative
  o Occurrence of an authorized person not being authenticated by a biometric authentication process when they are who they claim to be
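Step 6 above ("if data from scan matches data in template") hides a threshold decision, and the false positive / false negative definitions are the two ways that decision can go wrong. The Python below is an added example, not the textbook's code: it computes both error rates over a constructed set of matcher scores for a range of thresholds and finds the threshold where they balance. The score lists are invented for illustration.

```python
# Constructed matcher scores (0-100 similarity between a live scan and a stored template).
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87]    # authorized people vs their own templates
IMPOSTOR_SCORES = [35, 42, 58, 27, 61, 49, 72, 30, 44, 66]   # other people vs those templates

def accept(score: int, threshold: int) -> bool:
    """Step 6 of the slide: access is granted when the scan matches the template closely enough."""
    return score >= threshold

def error_rates(threshold: int, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """False positive rate (impostors accepted) and false negative rate (genuine users
    rejected) for one decision threshold."""
    false_positive = sum(accept(s, threshold) for s in impostor) / len(impostor)
    false_negative = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return false_positive, false_negative

def balanced_threshold(thresholds=range(0, 101)) -> int:
    """Threshold where the two error rates are closest to equal (the equal error rate point).
    Raising it above this trades more false negatives for fewer false positives."""
    return min(thresholds, key=lambda t: abs(error_rates(t)[0] - error_rates(t)[1]))

def tradeoff_table(thresholds=(50, 60, 70, 80, 90)) -> dict:
    """Error rates at several thresholds, for reporting the trade-off."""
    return {t: error_rates(t) for t in thresholds}
```

A site protecting a highly secure area picks a threshold above the balanced point and accepts the extra false negatives (authorized people occasionally re-scanning); a convenience deployment does the opposite.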

Different Kinds of Biometrics
• Physical characteristics
  o Fingerprints
  o Hand geometry
  o Retinal scanning
  o Iris scanning
  o Facial scanning
• Behavioral characteristics
  o Handwritten signatures
  o Voice

[Figure: Fingerprint Biometrics]

[Figure: Hand Geometry Authentication]

[Figure: Retinal Scanning]

[Figure: Iris Scanning]

[Figure: Signature Verification]

General Trends in Biometrics
• Authenticating large numbers of people over a short period of time (e.g., smart cards)
• Gaining remote access to controlled areas

Multifactor Authentication
• Identity of individual is verified using at least two of the three factors of authentication
  o Something you know (e.g., password)
  o Something you have (e.g., smart card)
  o Something about you (e.g., biometrics)

Chapter Summary
• Authentication techniques
  o Usernames and passwords
  o Kerberos
  o CHAP
  o Mutual authentication
  o Digital certificates
  o Tokens
  o Biometrics
  o Multifactor authentication

Chapter 3

Attacks and Malicious Code

Learning Objectives
• Explain denial-of-service (DoS) attacks
• Explain and discuss ping-of-death attacks
• Identify major components used in a DDoS attack and how they are installed
• Understand major types of spoofing attacks
• Discuss man-in-the-middle attacks, replay attacks, and TCP session hijacking

Learning Objectives (continued)
• Detail three types of social-engineering attacks and explain why they can be incredibly damaging
• List major types of attacks used against encrypted data
• List major types of malicious software and identify a countermeasure for each one

Denial-of-Service Attacks
• Any malicious act that causes a system to be unusable by its real user(s)
• Take numerous forms
• Are very common
• Can be very costly
• Major types
  o SYN flood
  o Smurf attack

SYN Flood
• Exploits the TCP three-way handshake
• Inhibits server's ability to accept new TCP connections

[Figure: TCP Three-Way Handshake]
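The SYN flood slide says the attack exploits the three-way handshake and stops the server accepting new connections; what that looks like on the wire is a pile of handshakes that never reach the final ACK. The Python below is an added example, not the textbook's code: it tracks handshake state per client connection over a constructed packet trace and reports how many entries are left half-open, whether the server's backlog would be exhausted, and which sources are responsible. The trace, the server address, the backlog size and the per-source limit are all constructed assumptions.

```python
from collections import Counter

def build_trace():
    """Constructed packet trace against a web server at 10.0.0.5:80, as tuples of
    (src_ip, src_port, dst_ip, dst_port, tcp_flags)."""
    server = "10.0.0.5"
    trace = []
    # Two legitimate clients complete the three-way handshake
    for client, port in (("192.0.2.10", 51000), ("192.0.2.11", 51001)):
        trace.append((client, port, server, 80, "SYN"))
        trace.append((server, 80, client, port, "SYN-ACK"))
        trace.append((client, port, server, 80, "ACK"))
    # One source sends 150 SYNs from different ports and never answers the SYN-ACKs
    for i in range(150):
        trace.append(("198.51.100.7", 40000 + i, server, 80, "SYN"))
        trace.append((server, 80, "198.51.100.7", 40000 + i, "SYN-ACK"))
    return trace

def analyze_handshakes(trace, server_ip, backlog=128, per_source_limit=20):
    """Track handshake state per (client, port). A SYN opens a half-open entry; only the
    client's final ACK completes it. Reports backlog pressure and sources that leave many
    connections half-open."""
    state = {}
    for src, sport, dst, dport, flags in trace:
        if dst == server_ip and flags == "SYN":
            state[(src, sport)] = "half-open"
        elif dst == server_ip and flags == "ACK" and state.get((src, sport)) == "half-open":
            state[(src, sport)] = "established"
        # SYN-ACKs sent by the server do not change the client's state
    half_open = [key for key, s in state.items() if s == "half-open"]
    per_source = Counter(src for src, _ in half_open)
    return {
        "half_open": len(half_open),
        "established": sum(1 for s in state.values() if s == "established"),
        "backlog_exhausted": len(half_open) >= backlog,   # new connections will be refused
        "suspect_sources": [src for src, n in per_source.items() if n >= per_source_limit],
    }
```

A flood sent with spoofed, constantly changing source addresses would not trip the per-source limit; the aggregate `half_open` count against the backlog is the indicator that still holds in that case, which is why the report carries both.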

Smurf
• Non-OS specific attack that uses the network to amplify its effect on the victim
• Floods a host with ICMP
• Saturates Internet connection with bogus traffic and delays/prevents legitimate traffic from reaching its destination

IP Fragmentation Attacks: Ping of Death
• Uses IP packet fragmentation techniques to crash remote systems

[Figure: Ping of Death]

Distributed Denial-of-Service Attacks
• Use hundreds of hosts on the Internet to attack the victim by flooding its link to the Internet or depriving it of resources
• Used by hackers to target government and business Internet sites
• Automated tools; can be executed by script kiddies
• Result in temporary loss of access to a given site and associated loss in revenue and prestige

[Figure: Conducting DDoS Attacks]

DDoS Countermeasures
• Security patches from software vendors
• Antivirus software
• Firewalls
• Ingress (inbound) and egress (outbound) filtering

[Figure: Ingress and Egress Filtering]

Preventing the Network from Inadvertently Attacking Others
• Filter packets coming into the network destined for a broadcast address
• Turn off directed broadcasts on internal routers
• Block any packet from entering the network that has a source address that is not permissible on the Internet (see Figures 3-8 and 3-9)

Preventing the Network from Inadvertently Attacking Others (continued)
• Block at the firewall any packet that uses a protocol or port that is not used for Internet communications on the network
• Block packets with a source address originating inside your network from entering your network

[Figure: Ingress Filtering of Packets with RFC 1918 Addresses]

[Figure: Filtering of Packets with RFC 2827 Addresses]
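The two "Preventing the Network from Inadvertently Attacking Others" slides and the RFC 1918 / RFC 2827 figures describe one packet filter. The Python below is an added example, not the textbook's code and not a real firewall rule set: it applies those checks in order to a constructed trace, using the standard `ipaddress` module. The organization's prefix (203.0.113.0/24), the list of allowed inbound services, and the extra non-routable ranges beyond RFC 1918 (loopback, link-local, 0.0.0.0/8) are assumptions.

```python
import ipaddress

# Constructed topology: the organization's public prefix and the inbound services it exposes.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53), ("icmp", None)}

# Sources that must never appear on a packet arriving from the Internet: RFC 1918 private
# space plus loopback, link-local and the unspecified network (assumed bogon list).
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def ingress_verdict(pkt: dict) -> str:
    """Inbound (Internet -> our network) checks from the slides, applied in order."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if dst == INTERNAL.broadcast_address:
        return "drop: destined for our broadcast address (Smurf amplification)"
    if src in INTERNAL:
        return "drop: inbound packet claims an internal source address (spoofed)"
    if any(src in net for net in NOT_ROUTABLE):
        return "drop: source address not permissible on the Internet (RFC 1918/bogon)"
    if (pkt["proto"], pkt.get("dport")) not in ALLOWED_INBOUND:
        return "drop: protocol/port not used for Internet services on this network"
    return "accept"

def egress_verdict(pkt: dict) -> str:
    """Outbound (our network -> Internet) check: RFC 2827 says only packets sourced from
    our own prefix may leave, so our hosts cannot take part in a spoofed-source flood."""
    if ipaddress.ip_address(pkt["src"]) not in INTERNAL:
        return "drop: outbound source not in our prefix (RFC 2827 egress filtering)"
    return "accept"

def filter_trace(packets) -> list:
    """Apply the rule set matching each packet's direction; returns one verdict per packet."""
    return [ingress_verdict(p) if p["direction"] == "in" else egress_verdict(p) for p in packets]
```

The egress rule is the one most often missing in practice: it protects other people's networks rather than your own, which is exactly the slide's "inadvertently attacking others".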

Spoofing
• Act of falsely identifying a packet's IP address, MAC address, etc.
• Four primary types
  o IP address spoofing
  o ARP poisoning
  o Web spoofing
  o DNS spoofing

IP Address Spoofing
• Used to exploit trust relationships between two hosts
• Involves creating an IP packet with a forged source address

ARP Poisoning
• Used in man-in-the-middle and session hijacking attacks; attacker takes over victim's IP address by corrupting ARP caches of directly connected machines
• Attack tools
  o ARPoison
  o Ettercap
  o Parasite

Web Spoofing
• Convinces victim that he or she is visiting a real and legitimate site
• Considered both a man-in-the-middle attack and a denial-of-service attack

[Figure: Web Spoofing]

DNS Spoofing
• Aggressor poses as the victim's legitimate DNS server
• Can direct users to a compromised server
• Can redirect corporate e-mail through a hacker's server where it can be copied or modified before sending mail to final destination

To Thwart Spoofing Attacks
• IP spoofing
  o Disable source routing on all internal routers
  o Filter out packets entering local network from the Internet that have a source address of the local network
• ARP poisoning
  o Use network switches that have MAC binding features

To Thwart Spoofing Attacks (continued)
• Web spoofing
  o Educate users
• DNS spoofing
  o Thoroughly secure DNS servers
  o Deploy anti-IP address spoofing measures
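ARP poisoning, as the slides describe it, corrupts the IP-to-MAC bindings of directly connected machines, and the countermeasure offered is MAC binding on the switch. A passive monitor applies the same idea in software. The Python below is an added example, not the textbook's code: it keeps a table of learned bindings, treats a set of static bindings for critical hosts as authoritative, and raises an alert whenever an ARP reply contradicts a known binding instead of learning the new one. The ARP replies, addresses and timestamps are constructed.

```python
class ArpWatch:
    """Passive ARP monitor for one LAN segment. Static bindings play the role of the slide's
    switch MAC-binding feature for critical hosts; any ARP reply that contradicts a known
    IP-to-MAC binding is reported rather than learned."""
    def __init__(self, static_bindings: dict):
        self.bindings = dict(static_bindings)   # ip -> mac we currently trust
        self.static = set(static_bindings)      # ips whose binding must never change
        self.alerts = []

    def observe(self, t: str, sender_ip: str, sender_mac: str):
        """Process one ARP reply; returns an alert string or None."""
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac     # first sighting: learn it
            return None
        if known == sender_mac:
            return None
        kind = "static binding violated" if sender_ip in self.static else "binding changed"
        alert = f"{t} {kind}: {sender_ip} was {known}, now claimed by {sender_mac}"
        self.alerts.append(alert)
        return alert

    def run(self, replies) -> list:
        return [a for a in (self.observe(*r) for r in replies) if a]

def sample_replies():
    """Constructed ARP replies as (time, sender IP, sender MAC). 10.0.0.1 is the gateway;
    later on, the host that first appeared as 10.0.0.21 answers for two other addresses."""
    return [
        ("09:00:01", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
        ("09:00:02", "10.0.0.20", "bb:bb:bb:bb:bb:20"),
        ("09:00:03", "10.0.0.21", "cc:cc:cc:cc:cc:21"),
        ("09:00:10", "10.0.0.1", "cc:cc:cc:cc:cc:21"),    # .21's MAC claims the gateway address
        ("09:00:11", "10.0.0.20", "cc:cc:cc:cc:cc:21"),   # and the other workstation's
    ]
```

The monitor only sees replies on its own segment, so it is a per-LAN control; the first-seen binding is kept on a conflict because, without a static entry, the monitor cannot know which claimant is genuine and should leave that to an operator.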

Man in the Middle
• Class of attacks in which the attacker places himself between two communicating hosts and listens in on their session
• To protect against
  o Configure routers to ignore ICMP redirect packets

[Figure: Man-in-the-Middle Attacks]

Man-in-the-Middle Applications
• Web spoofing
• TCP session hijacking
• Information theft
• Other attacks (denial-of-service attacks, corruption of transmitted data, traffic analysis to gain information about victim's network)

Man-in-the-Middle Methods
• ARP poisoning
• ICMP redirects
• DNS poisoning

Replay Attacks
• Attempts to circumvent authentication mechanisms by:
  o Recording authentication messages from a legitimate user
  o Reissuing those messages in order to impersonate the user and gain access to systems

[Figure: Replay Attack]

TCP Session Hijacking
• Attacker uses techniques to make the victim believe he or she is connected to a trusted host, when in fact the victim is communicating with the attacker
• Well-known tool
  o Hunt (Linux)

[Figure: Attacker Using Victim's TCP Connection]

Social Engineering
• Class of attacks that uses trickery on people instead of computers
• Goals
  o Fraud
  o Network intrusion
  o Industrial espionage
  o Identity theft
  o Desire to disrupt the system or network

Dumpster Diving

Online Attacks
• Use chat and e-mail venues to exploit trust relationships

Social Engineering Countermeasures
• Take proper care of trash and discarded items
• Ensure that all system users have periodic training about network security

Attacks Against Encrypted Data
• Weak keys
• Mathematical attacks
• Birthday attack
• Password guessing
• Brute force
• Dictionary

Weak Keys
• Secret keys used in encryption that exhibit regularities in encryption, or even a poor level of encryption

Mathematical Attack
• Attempts to decrypt encrypted data using mathematics to find weaknesses in the encryption algorithm
• Categories of cryptanalysis
  o Ciphertext-only analysis
  o Known plaintext attack
  o Chosen plaintext attack

Birthday Attack
• Class of brute-force mathematical attacks that exploits mathematical weaknesses of hash algorithms and one-way hash functions
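The slide defines the birthday attack but not why it is so much cheaper than searching for a specific digest. The Python below is an added example, not the textbook's code: it computes the exact collision probability for k random n-bit digests, the birthday-bound estimate of how many digests give a 50% chance, and then confirms the bound empirically on SHA-256 truncated to 16 bits (a stand-in for a weak, short hash). Messages are constructed; the truncation is the only thing that makes a collision findable here.

```python
import hashlib
import math

def collision_probability(n_bits: int, k: int) -> float:
    """Exact probability that at least two of k uniformly random n-bit digests coincide."""
    space = 2 ** n_bits
    p_no_collision = 1.0
    for i in range(k):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision

def digests_for_half_chance(n_bits: int) -> float:
    """The birthday bound: about sqrt(2 ln 2) * 2^(n/2) digests give a 50% collision chance,
    far fewer than the 2^n a search for one particular digest would need."""
    return math.sqrt(2 * math.log(2)) * 2 ** (n_bits / 2)

def truncated_digest(data: bytes, n_bits: int) -> int:
    """SHA-256 shortened to its top n bits: a stand-in for a weak (short) hash."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)

def find_collision(n_bits: int, limit: int):
    """Hash distinct constructed messages until two share a truncated digest.
    Returns ((msg_a, msg_b), attempts) or (None, limit) if none appeared within the limit."""
    seen = {}
    for i in range(limit):
        msg = f"constructed message {i}".encode()
        d = truncated_digest(msg, n_bits)
        if d in seen:
            return (seen[d], msg), i + 1
        seen[d] = msg
    return None, limit
```

For a 16-bit digest the bound is about 300 messages; for a 128-bit digest it is about 2^64, which is the reason digest length, not just one-wayness, decides whether a hash is fit for signatures.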

Password Guessing
• Tricks authentication mechanisms by determining a user's password using techniques such as brute force or dictionary attacks

Brute Force
• Method of breaking passwords that involves computation of every possible combination of characters for a password of a given character length

Dictionary
• Method of breaking passwords by using a predetermined list of words as input to the password hash
• Only works against poorly chosen passwords
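The three slides above describe brute force as exhausting every combination of a given length and the dictionary method as hashing a word list, working only against poorly chosen passwords. The Python below is an added example, not the textbook's code, written from the auditing side: it sizes the brute-force keyspace for a character set and length, and checks a constructed credential store against a small word list to find which accounts a dictionary run would recover. The store, word list, salts and guess rate are constructed; the hash function is salted SHA-256 purely for illustration.

```python
import hashlib
import os

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force search must cover for passwords of one length."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every combination at an assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second

def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, used here only so the audit can recompute candidates; a production
    store should use a deliberately slow function (bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def make_store() -> dict:
    """Constructed credential store: username -> (salt, hash). Two users chose words that
    appear in the word list; one used the slide's SleigH9ShoE pattern."""
    store = {}
    for user, pw in {"bob": "letmein", "alice": "SleigH9ShoE", "carol": "welcome"}.items():
        salt = os.urandom(8)
        store[user] = (salt, hash_password(pw, salt))
    return store

WORDLIST = ["password", "letmein", "welcome", "qwerty", "dragon", "sleigh", "shoe"]  # constructed

def audit_store(store: dict, wordlist) -> dict:
    """Defender-side check of what a dictionary run would recover: hash each word with each
    user's salt and compare. Returns {username: word}. Because of the salt the list must be
    re-hashed per user rather than looked up once for the whole store."""
    hits = {}
    for user, (salt, digest) in store.items():
        for word in wordlist:
            if hash_password(word, salt) == digest:
                hits[user] = word
                break
    return hits
```

The keyspace numbers show why the slide's rules matter: six lowercase letters are about 3×10^8 candidates, exhausted in under a second at a billion guesses per second, whereas eight characters drawn from the full printable set are about 6×10^15, roughly seventy days at the same rate.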

Software Exploitation
• Utilizes software vulnerabilities to gain access and compromise systems
• Example
  o Buffer overflow attack
• To stop software exploits
  o Stay apprised of latest security patches provided by software vendors

Malicious Software

Viruses
• Self-replicating programs that spread by infecting other programs
• Damaging and costly

[Figure: Virus Databases]

[Figure: Evolution of Virus Propagation Techniques]

Protecting Against Viruses
• Enterprise virus protection solutions
  o Desktop antivirus programs
  o Virus filters for e-mail servers
  o Network appliances that detect and remove viruses
• Instill good behaviors in users and system administrators
  o Keep security patches and virus signature databases up to date

Trojan Horses
• Class of malware that uses social engineering to spread
• Types of methods
  o Sending copies of itself to all recipients in user's address book
  o Deleting or modifying files
  o Installing backdoor/remote control programs

Logic Bombs
• Set of computer instructions that lie dormant until triggered by a specific event
• Once triggered, the logic bomb performs a malicious task
• Almost impossible to detect until after triggered
• Often the work of former employees
• For example: macro virus
  o Uses auto-execution feature of specific applications

Worms
• Self-contained program that uses security flaws such as buffer overflows to remotely compromise a victim and replicate itself to that system
• Do not infect other executable programs
• Account for 80% of all malicious activity on Internet
• Examples: Code Red, Code Red II, Nimda

Defense Against Worms
• Latest security updates for all servers
• Network and host-based IDS
• Antivirus programs

Chapter Summary
• Mechanisms, countermeasures, and best practices for:
  o Malicious software
  o Denial-of-service attacks
  o Software exploits
  o Social engineering
  o Attacks on encrypted data

Chapter 4

Remote Access

Learning Objectives
• Understand implications of IEEE 802.1x and how it is used
• Understand VPN technology and its uses for securing remote access to networks
• Understand how RADIUS authentication works
• Understand how TACACS+ operates
• Understand how PPTP works and when it is used

Learning Objectives (continued)
• Understand how L2TP works and when it is used
• Understand how SSH operates and when it is used
• Understand how IPSec works and when it is used
• Understand the vulnerabilities associated with telecommuting

IEEE 802.1x
• Internet standard created to perform authentication services for remote access to a central LAN
• Uses SNMP to define levels of access control and behavior of ports providing remote access to LAN environment
• Uses EAP over LAN (EAPOL) encapsulation method

[Figure: 802.1x General Topology]

Telnet
• Standard terminal emulation protocol within TCP/IP protocol suite defined by RFC 854
• Utilizes UDP port 23 to communicate
• Allows users to log on to remote networks and use resources as if locally connected

Controlling Telnet
• Assign enable password as initial line of defense
• Use access lists that define who has access to what resources based on specific IP addresses
• Use a firewall that can filter traffic based on ports, IP addresses, etc.

Virtual Private Network
• Secures connection between user and home office using authentication mechanisms and encryption techniques
  o Encrypts data at both ends
• Uses two technologies
  o IPSec
  o PPTP

[Figure: VPN Diagram]

Tunneling
• Enables one network to send its data via another network's connections
• Encapsulates a network protocol within packets carried by the second network

[Figure: Tunneling]

VPN Options
• Install/configure client computer to initiate necessary security communications
• Outsource VPN to a service provider
  o Encryption does not happen until data reaches provider's network

[Figure: Service Providing Tunneling]

VPN Drawbacks
• Not completely fault tolerant
• Diverse implementation choices
  o Software solutions: tend to have trouble processing all the simultaneous connections on a large network
  o Hardware solutions: require higher costs

Remote Authentication Dial-in User Service (RADIUS)
• Provides a client/server security system
• Uses distributed security to authenticate users on a network
• Includes two pieces
  o Authentication server
  o Client protocols
• Authenticates users through a series of communications between client and server using UDP

[Figure: Authenticating with a RADIUS Server]
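The RADIUS slide says the client and server authenticate users "through a series of communications", which at the packet level is an Access-Request answered by an Access-Accept or Access-Reject. The Python below is an added example, not the textbook's code: it builds those packets in the RFC 2865 layout, hides the User-Password attribute with the RFC's MD5-based scheme, and has the client verify the Response Authenticator so that only a server holding the shared secret can answer it. The NAS shared secret, user table and packet identifiers are constructed; the Message-Authenticator attribute and retransmission over UDP are left out.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2      # RFC 2865 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        out[attr_type] = data[i + 2:i + length]
        i += length
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, user: str, password: str, secret: bytes):
    """NAS side: fresh 16-byte Request Authenticator, User-Name and hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server: recover the password, check it, reply with an authenticated response."""
    code, identifier, length = struct.unpack(">BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    resp_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack(">BBH", resp_code, identifier, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + resp_attrs + secret).digest()
    return header + response_auth + resp_attrs

def client_verify(response: bytes, request_auth: bytes, secret: bytes):
    """NAS side: trust the verdict only if the Response Authenticator proves the sender
    knows the shared secret and is answering this request. Returns the code or None."""
    code, identifier, length = struct.unpack(">BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code
```

The Response Authenticator is what turns a bare UDP reply into something the client can trust: a forged Access-Accept from a host without the shared secret, or one computed against a different request, fails the check and is discarded.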

Benefits of Distributed Approach to Network Security
• Greater security
• Scalable architecture
• Open protocols
• Future enhancements

Terminal Access Controller Access Control System (TACACS+)
• Authentication protocol developed by Cisco
• Uses TCP, a connection-oriented transmission, instead of UDP
• Offers separate acknowledgement that request has been received regardless of speed of authentication mechanism
• Provides immediate indication of a crashed server

Advantages of TACACS+ over RADIUS
• Addresses need for scalable solution
• Separates authentication, authorization, and accounting
• Offers multiple protocol support

Point-to-Point Tunneling Protocol
• Multiprotocol that offers authentication, methods of privacy, and data compression
• Built upon PPP and TCP/IP
• Achieves tunneling by providing encapsulation (wraps packets of information within IP packets)
  o Data packets
  o Control packets
• Provides users with virtual node on corporate LAN or WAN

PPTP Tasks
• Queries status of communications servers
• Provides in-band management
• Allocates channels and places outgoing calls
• Notifies Windows NT Server of incoming calls
• Transmits and receives user data with bi-directional flow control
• Notifies Windows NT Server of disconnected calls
• Assures data integrity; coordinates packet flow

Layer Two Tunneling Protocol
• PPP defines an encapsulation mechanism for transporting multiprotocol packets across layer two point-to-point links
• L2TP extends PPP model by allowing layer two and PPP endpoints to reside on different devices interconnected by a packet-switched network

Layer Two Tunneling Protocol (continued)
• Allows separation of processing of PPP packets and termination of layer two circuit
  o Connection may terminate at a (local) circuit concentrator
• Solves splitting problems by projecting a PPP session to a location other than the point at which it is physically received

Secure Shell (SSH)
• Secure replacement for remote logon and file transfer programs (Telnet and FTP) that transmit data in unencrypted text
• Uses public key authentication to establish an encrypted and secure connection from user's machine to remote machine
• Used to:
  o Log on to another computer over a network
  o Execute commands on a remote machine
  o Move files from one machine to another

Key Components of an SSH Product
• Engine
• Administration server
• Enrollment gateway
• Publishing server

IP Security Protocol
• Set of protocols developed by the IETF to support secure exchange of packets at IP layer
• Deployed widely to implement VPNs
• Works with existing and future IP standards
• Transparent to users
• Promises painless scalability
• Handles encryption at packet level using Encapsulating Security Payload (ESP)

[Figure: IPSec Security Payload]

ESP and Encryption Models
• Supports many encryption protocols
• Encryption support is designed for use by symmetric encryption algorithms
• Provides secure VPN tunneling

[Figures: Telecommuting Vulnerabilities (five figure slides)]

Remote Solutions
• Microsoft Terminal Server
• Citrix Metaframe
• Virtual Network Computing

  • 8/3/2019 All Network Security

    84/336

  • 8/3/2019 All Network Security

    85/336

Chapter 5

E-mail

Learning Objectives

Understand the need for secure e-mail
Outline benefits of PGP and S/MIME
Understand e-mail vulnerabilities and how to safeguard against them
Explain the dangers posed by e-mail hoaxes and spam, as well as actions that can be taken to counteract them

Challenges to Utility and Productivity Gains Offered by E-mail

E-mail security
Floods of spam
Hoaxes

E-mail Security Technologies

Two main standards
o Pretty Good Privacy (PGP)
o Secure/Multipurpose Internet Mail Extensions (S/MIME)
These competing standards:
o Seek to ensure integrity and privacy of information by wrapping security measures around the e-mail data itself
o Use public key encryption techniques (an alternative to securing the communication link itself, as in a VPN)

Secure E-mail and Encryption

Secure e-mail
o Uses cryptography to secure messages transmitted across insecure networks
Advantages of e-mail encryption
o E-mail can be transmitted over unsecured links
o E-mail can be stored in encrypted form
Key cryptography concepts
o Encryption
o Digital signatures
o Digital certificates

Main Features of Secure E-mail

Confidentiality
Integrity
Authentication
Nonrepudiation

Encryption

Passes data and a value (key) through a series of mathematical formulas that make the data unusable and unreadable
To recover the information, reverse the process using the appropriate key
Two main types
o Conventional cryptography
o Public key cryptography

Hash Functions

Produce a message digest that cannot be reversed to produce the original
Two major hash functions in use
o SHA-1 (Secure Hash Algorithm 1)
o MD5 (Message Digest algorithm version 5)

Digital Signatures

Electronic identification of a person or thing, created by using a public key algorithm
Verify (to a recipient) the integrity of the data and the identity of the sender
Provide the same features as encryption, except confidentiality
Created by using hash functions

Digital Certificates

Electronic document attached to a public key by a trusted third party
Provide proof that the public key belongs to a legitimate owner and has not been compromised
Consist of:
o Owner's public key
o Information unique to the owner
o Digital signatures of an endorser

Combining Encryption Methods

Hybrid cryptosystems
o Take advantage of symmetric and public key cryptography
o Example: PGP/MIME
Conventional encryption
o Fast, but results in a key distribution problem
Public key encryption
o Private key and public key

Public Key Encryption

How Secure E-mail Works

Encryption
1. Message is compressed
2. Session key is created
3. Message is encrypted using the session key with a symmetric encryption method
4. Session key is encrypted with an asymmetric encryption method
5. Encrypted session key and encrypted message are bound together and transmitted to the recipient
Decryption: reverse the process

Secure E-mail Decryption

Background on PGP

Current de facto standard
Written by Phil Zimmermann in 1991
Supports major conventional encryption methods
o CAST
o International Data Encryption Algorithm (IDEA)
o Triple Data Encryption Standard (3DES)
o Twofish

PGP Certificates

More flexible and extensible than X.509 certificates
A single certificate can contain multiple signatures

PGP Certificate Format

S/MIME

Specification designed to add security to e-mail messages in MIME format
Security services
o Authentication (using digital signatures)
o Privacy (using encryption)

What S/MIME Defines

Format for MIME data
Algorithms that must be used for interoperability
o RSA
o RC2
o SHA-1
Additional operational concerns
o ANSI X.509 certificates
o Transport over the Internet

S/MIME Background

Four primary standards
o RFC 2630, Cryptographic Message Syntax
o RFC 2633, S/MIME version 3 Message Specification
o RFC 2632, S/MIME version 3 Certificate Handling
o RFC 2634, Enhanced Security Services for S/MIME

S/MIME Encryption Algorithms

Three symmetric encryption algorithms
o DES
o 3DES
o RC2
PKCS (Public Key Cryptography Standards)
S/MIME prevents exposure of signature information to an eavesdropper
o Applies the digital signature first, then encloses the signature and original message in an encrypted digital envelope
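The five encryption steps from "How Secure E-mail Works" and the sign-first ordering described for S/MIME above, carried through end to end as an added Python example (not code from the slides or from any PGP or S/MIME implementation). The textbook RSA without padding, the HMAC-SHA256 counter-mode keystream standing in for 3DES/IDEA/CAST, and the 512-bit demo keys are this example's own assumptions, chosen so it runs with the standard library alone.

```python
"""Hybrid secure e-mail: sign, compress, encrypt with a session key, wrap the
session key with the recipient's public key, bind everything together.
Textbook RSA (no padding) and an HMAC-SHA256 keystream are demo stand-ins."""
import hashlib
import hmac
import secrets
import struct
import zlib

KEY_BYTES = 64  # 512-bit demo RSA modulus; real mail software uses 2048-bit keys


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, enough to build demo RSA keys without a crypto library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand


def rsa_keygen():
    """Return (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(KEY_BYTES * 4), _random_prime(KEY_BYTES * 4)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key, nonce, data):
    """Symmetric stage: HMAC-SHA256 in counter mode as a stand-in for 3DES/IDEA/CAST.
    XOR with the keystream is its own inverse, so one function encrypts and decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(message, sender_priv, recipient_pub):
    """The slide's five steps, with the signature applied before encryption (S/MIME order)."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signature = pow(digest, d_s, n_s).to_bytes(KEY_BYTES, "big")   # sign first
    compressed = zlib.compress(signature + message)                 # 1. compress
    session_key = secrets.token_bytes(32)                           # 2. session key
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(session_key, nonce, compressed)           # 3. symmetric encrypt
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r)     # 4. asymmetric wrap
    return wrapped.to_bytes(KEY_BYTES, "big") + nonce + body        # 5. bind together


def open_envelope(blob, recipient_priv, sender_pub):
    """Decryption reverses the process; the signature is checked last, so an
    eavesdropper never sees it and the recipient rejects any tampering."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    wrapped, nonce, body = blob[:KEY_BYTES], blob[KEY_BYTES:KEY_BYTES + 16], blob[KEY_BYTES + 16:]
    session_key = pow(int.from_bytes(wrapped, "big"), d_r, n_r).to_bytes(32, "big")
    payload = zlib.decompress(_keystream_xor(session_key, nonce, body))
    signature, message = payload[:KEY_BYTES], payload[KEY_BYTES:]
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if pow(int.from_bytes(signature, "big"), e_s, n_s) != expected:
        raise ValueError("signature does not verify")
    return message
```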

X.509 Certificates

Rather than define its own certificate type (as PGP does), S/MIME relies on X.509
Issued by a certificate authority (CA)

S/MIME Trust Model: Certificate Authorities

Purely hierarchical model
Line of trust goes up the chain to a CA, whose business is verifying identity and assuring the validity of keys or certificates

Differences Between PGP and S/MIME

Feature                               | S/MIME v3                                                                                                   | OpenPGP
Structure of messages                 | Binary, based on CMS                                                                                        | PGP
Structure of digital certificates     | X.509                                                                                                       | PGP
Algorithm: symmetric encryption       | 3DES                                                                                                        | 3DES
Algorithm: digital signature          | Diffie-Hellman                                                                                              | ElGamal
Algorithm: hash                       | SHA-1                                                                                                       | SHA-1
MIME encapsulation for signed data    | Choice of multipart/signed or CMS format                                                                    | multipart/signed with ASCII armor
MIME encapsulation for encrypted data | application/pkcs7-mime                                                                                      | multipart/encrypted
Trust model                           | Hierarchical                                                                                                | Web of trust
Marketplace adoption                  | Growing quickly                                                                                             | Current encryption standard
Marketplace advocates                 | Microsoft, RSA, VeriSign                                                                                    | Some PGP, Inc. products absorbed into McAfee line
Ease of use                           | Configuration not intuitive; must obtain and install certificates; general use straightforward              | Configuration not intuitive; must create certificates; general use straightforward
Software                              | Already integrated in Microsoft and Netscape products                                                       | PGP software must be downloaded and installed
Cost of certificates                  | Must be purchased from CA; yearly fee                                                                       | PGP certificates can be generated by anyone; free
Key management                        | Easy, but you must trust CA                                                                                 | Harder; user must make decisions on validity of identities
Compatibility                         | Transparently works with any vendor's MIME e-mail client, but not compatible with non-MIME e-mail formats   | Compatible with MIME and non-MIME e-mail formats, but recipient must have PGP installed
Centralized management                | Possible through PKI                                                                                        | Status is in doubt

E-mail Vulnerabilities

Spam

Act of flooding the Internet with many copies of the same message in an attempt to force the message on people who would not otherwise choose to receive it
Unrequested junk mail

E-mail Spam

Targets individual users with direct mail messages
Creates lists by:
o Scanning Usenet postings
o Stealing Internet mailing lists
o Searching the Web for addresses
Uses automated tools to subscribe to as many mailing lists as possible

Hoaxes and Chain Letters

E-mail messages with content designed to get the reader to spread them by:
o Appearing to be an authority to exploit trust
o Generating excitement about being involved
o Creating a sense of importance/belonging
o Playing on people's gullibility/greed
Do not carry a malicious payload, but are usually untrue or already resolved

Costs of Hoaxes and Chain Letters

Lost productivity
Damaged reputation
Relaxed attitude toward legitimate virus warnings

Countermeasures for Hoaxes

Effective security awareness campaign
Good e-mail policy
E-mail content filtering solutions

Guidelines for Hoax Countermeasures

Create a policy and train users on what to do when they receive a virus warning
Establish the intranet site as the only authoritative source for advice on virus warnings
Ensure that the intranet site displays up-to-date virus and hoax information on the home page
Inform users that if the virus warning is not listed on the intranet site, they should forward it to a designated account

Chapter Summary

PGP
o Current de facto e-mail encryption standard
o Basis of the OpenPGP standard
S/MIME
o Emerging standard in e-mail encryption
o Uses the X.509 certificates used by Microsoft and Netscape browser and e-mail client software
E-mail vulnerabilities and scams, and how to combat them
o Spam
o Hoaxes and e-mail chain letters

Chapter 6

Web Security

Learning Objectives

Understand SSL/TLS protocols and their implementation on the Internet
Understand the HTTPS protocol as it relates to SSL
Explore common uses of instant messaging applications and identify vulnerabilities associated with those applications
Understand the vulnerabilities of JavaScript, buffer overflow, ActiveX, cookies, CGI, applets, and SMTP relay, and how they are commonly exploited

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

Commonly used protocols for managing the security of a message transmission across the insecure Internet

Secure Sockets Layer (SSL)

Developed by Netscape for transmitting private documents via the Internet
Uses a public key to encrypt data that is transferred over the SSL connection
URLs that require an SSL connection start with https: instead of http:

Transport Layer Security (TLS)

Latest version of SSL
Not as widely available in browsers

SSL/TLS Protocol

Runs on top of TCP and below higher-level protocols
Uses TCP/IP on behalf of higher-level protocols
Allows an SSL-enabled server to authenticate itself to an SSL-enabled client
Allows the client to authenticate itself to the server
Allows both machines to establish an encrypted connection

    Secure Sockets Layer Protocol

SSL/TLS Protocol

Uses ciphers to enable encryption of data between two parties
Uses digital certificates to enable authentication of the parties involved in a secure transaction

Cipher Types Used by SSL/TLS

Asymmetric encryption (public key encryption)
Symmetric encryption (secret key encryption)

Digital Certificates

Components
o Certificate user's name
o Entity for whom the certificate is being issued
o Public key of the subject
o Time stamp
Typically issued by a CA that acts as a trusted third party
o Public certificate authorities
o Private certificate authorities

Secure Hypertext Transfer Protocol (HTTPS)

Communications protocol designed to transfer encrypted information between computers over the World Wide Web
An implementation of HTTP
Often used to enable online purchasing or the exchange of private information over insecure networks
Combines with SSL to enable secure communication between a client and a server

Instant Messaging (IM)

Communications service that enables creation of a private chat room with another individual
Based on client/server architecture
Typically alerts you whenever someone on your private list is online
Categorized as enterprise IM or consumer IM systems
Examples: AOL Instant Messenger, ICQ, NetMessenger, Yahoo! Messenger

IM Security Issues

Cannot prevent transportation of files that contain viruses and Trojan horses
Misconfigured file sharing can provide access to sensitive or confidential data
Lack of encryption
Could be utilized for transportation of copyrighted material; potential for substantial legal consequences
Transferring files reveals network addresses of hosts; could be used for a Denial-of-Service attack

IM Applications

Do not use well-known TCP ports for communication and file transfers; use registered ports
Ports can be filtered to restrict certain functionalities or prevent usage altogether

Vulnerabilities of Web Tools

Security of Web applications and online services is as important as intended functionality
o JavaScript
o ActiveX
o Buffers
o Cookies
o Signed applets
o Common Gateway Interface (CGI)
o Simple Mail Transfer Protocol (SMTP) relay

JavaScript

Scripting language developed by Netscape to enable Web authors to design interactive sites
Code is typically embedded into an HTML document and placed between the <script> and </script> tags
Programs can perform tasks outside the user's control

JavaScript Security Loopholes

Monitoring Web browsing
Reading password and other system files
Reading the browser's preferences

ActiveX

Loosely defined set of technologies developed by Microsoft
o Outgrowth of OLE (Object Linking and Embedding) and COM (Component Object Model)
Provides tools for linking desktop applications to WWW content
Utilizes embedded Visual Basic code that can compromise the integrity, availability, and confidentiality of a target system

Buffer

Temporary storage area, usually in RAM
Acts as a holding area, enabling the CPU to manipulate data before transferring it to a device

Buffer Overflow Attacks

Triggered by sending large amounts of data that exceed the capacity of the receiving application within a given field
Take advantage of poor application programming that does not check the size of the input field
Not easy to coordinate; prerequisites:
o Place the necessary code into the program's address space
o Direct the application to read and execute the embedded code through effective manipulation of the registers and memory of the system

Cookies

Messages given to Web browsers by Web servers
o Browser stores the message in a text file
o Message is sent back to the server each time the browser requests a page from the server
Verify a user's session
Designed to enhance the browsing experience

Vulnerabilities of Cookies

Contain tools that are easily exploited to provide information about users without consent
o Attacker convinces the user to follow a malicious hyperlink to the targeted server to obtain the cookie through the error handling process on the server
o User must be logged on during the time of the attack
To guard against EHE attacks
o Do not return unescaped data back to the user
o Do not echo 404 file requests back to the user

Java Applets

Internet applications (written in the Java programming language) that can operate on most client hardware and software platforms
Stored on Web servers, from where they can be downloaded onto clients when first accessed
With subsequent server access, the applet is already cached on the client and can be executed with no download delay

Signed Applets

Technique of adding a digital signature to an applet to prove that it came unaltered from a particular trusted source
Can be given more privileges than ordinary applets
Unsigned applets are subject to sandbox restrictions

Unsigned Applets

Sandbox Model

Prevents the applet from:
o Performing required operations on local system resources
o Connecting to any Web site except the site from which the applet was loaded
o Accessing the client's local printer
o Accessing the client's system clipboard and properties

    Signed Applets

Reasons for Using Code Signing Features

To release the application from sandbox restrictions imposed on unsigned code
To provide confirmation regarding the source of the application's code

Common Gateway Interface (CGI)

Interface specification that allows communication between client programs and Web servers that understand HTTP
Uses TCP/IP
Can be written in any programming language
Parts of a CGI script
o Executable program on the server (the script itself)
o HTML page that feeds input to the executable

Typical Form Submission

CGI

Interactive nature leads to security loopholes
o Allowing input from other systems to a program that runs on a local server exposes the system to potential security hazards

Precautions to Take When Running Scripts on a Server

Deploy IDS, access list filtering, and screening on the border of the network
Design and code applications to check the size and content of input received from clients
Create different user groups with different permissions; restrict access to the hierarchical file system based on those groups
Validate the security of a prewritten script before deploying it in your production environment
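The cookie slide's two guards (do not return unescaped data, do not echo 404 file requests back to the user) and the precaution above about checking the size and content of client input, as an added Python example of a CGI-style handler; this is not code from the slides or any Web server. The per-field size limit, the username pattern and the sample query strings are the example's own assumptions.

```python
"""Input checks for a CGI script: validate size and content of every field, and
never reflect client-supplied data (including a requested path that 404s) into the
response without escaping. The limits and patterns here are hypothetical."""
import html
import re
from urllib.parse import parse_qs

MAX_FIELD_LEN = 256                                   # assumed per-field size limit
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed allowed username shape


def parse_form(query_string):
    """Parse a QUERY_STRING the way a CGI script would, keeping one value per field."""
    raw = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in raw.items()}


def validate_form(fields):
    """Check size and content of client input; return (clean_fields, errors)."""
    clean, errors = {}, []
    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            errors.append(f"{name}: too long")
            continue
        if any(ord(c) < 32 for c in value):           # control characters, NULs
            errors.append(f"{name}: control characters")
            continue
        if name == "user" and not USERNAME_RE.match(value):
            errors.append("user: invalid characters")
            continue
        clean[name] = value
    return clean, errors


def not_found_page_unsafe(requested_path):
    """Vulnerable form: echoes the requested path verbatim into the HTML body."""
    return f"<html><body><h1>404</h1>{requested_path} was not found</body></html>"


def not_found_page(requested_path, log):
    """Hardened form: the path goes to the server log (repr keeps it on one line);
    the user only ever sees a fixed, generic message."""
    log.append(f"404 {requested_path!r}")
    return "<html><body><h1>404</h1>The requested resource was not found</body></html>"


def greeting_page(fields):
    """Return a response body; anything client-supplied is validated, then escaped."""
    clean, errors = validate_form(fields)
    if errors:
        return "<html><body>Invalid input: " + html.escape("; ".join(errors)) + "</body></html>"
    user = html.escape(clean.get("user", "guest"))
    return f"<html><body>Hello, {user}</body></html>"
```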

Simple Mail Transfer Protocol (SMTP)

Standard Internet protocol for global e-mail communications
Transaction takes place between two SMTP servers
Designed as a simple protocol
o Easy to understand and troubleshoot
o Easily exploited by malicious users

Vulnerabilities of SMTP Relay

Spam via SMTP relay can lead to:
o Loss of bandwidth
o Hijacked mail servers that may no longer be able to serve their legitimate purpose
Mail servers of innocent organizations can be subject to blacklisting

Chapter Summary

Protocols commonly implemented for secure message transmissions
o Secure Sockets Layer
o Transport Layer Security
Data encryption across the Internet through Secure Hypertext Transfer Protocol in relation to SSL/TLS
Instant Messaging
o Common uses
o Vulnerabilities
Well-known vulnerabilities associated with Web development tools

Chapter 7

Directory and File Transfer Services

Learning Objectives

Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems
Identify major vulnerabilities of the FTP method of exchanging data
Describe S/FTP, the major alternative to using FTP, in order to better secure your network infrastructure
Illustrate the threat posed to your network by unmonitored file shares

Directory Services

Network services that uniquely identify users and can be used to authenticate and authorize them to use network resources
Allow users to look up username or resource information, just as DNS does

Lightweight Directory Access Protocol (LDAP)

Accesses directory data based on ISO's X.500 standard, but includes TCP/IP support and a simplified client design
Exchanges directory information with clients (is not a database that stores the information)
Allows users to search using a broad set of criteria (name, type of service, location)
Provides additional features including authentication and authorization
o Each person uses only one username and password regardless of client software and OS
Key feature and benefit
o Versatile directory system that is standards based and platform independent

    Major LDAP Products

Common Applications of LDAP

Single sign-on (SSO)
User administration
Public key infrastructure (PKI)

LDAP Operations

LDAP Framework

Directory Information Tree (DIT)
o Data structure that actually contains directory information about network users and services
o Hierarchical structure

    Directory Information Tree

LDAP Framework

DN example
o cn=Jonathan Q Public
o ou=Information Security Department
o o=XYZ Corp.
o c=United States

LDAP Security Benefits

Authentication
o Ensures users' identities
o Three levels
    No authentication
    Simple authentication
    Simple Authentication and Security Layer (SASL)
Authorization
o Determines the network resources the user may access
o Determined by access control lists (ACLs)
Encryption
o Utilizes other protocols through SASL

LDAP Security Vulnerabilities

Denial of service
Man in the middle
Attacks against data confidentiality

File Transfer Services

Ability to share programs and data around the world is an essential aspect of the Internet
Critical to today's networked organizations

File Transfer Protocol (FTP)

Commonly used but very insecure
Two standard data transmission methods: active FTP and passive FTP
o In both, the client initiates a TCP session using destination port 21 (command connection)
o Differences are in the data connection that is set up when the user wants to transfer data between two machines

    Setup of FTP Control Connection

Active FTP

FTP's default connection
FTP server creates the data connection by opening a TCP session using source port 20 and a destination port greater than 1023 (contrary to TCP's normal operation)

    Setup of theActive FTP Data Connection

Passive FTP

Not supported by all FTP implementations
Client initiates the data connection to the server with a source and destination port that are both random high ports

    Setup of thePassive FTP Data Connection

FTP Security Issues

Bounce attack
Clear text authentication and data transmission
Glob vulnerability
Software exploits and buffer overflow vulnerabilities
Anonymous FTP and blind FTP access
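The active and passive data-connection setup described above, and the bounce attack listed first among the FTP security issues, as an added Python example (not code from the slides or from any FTP server): it decodes the PASV reply a client acts on, builds and parses the PORT command used in active mode, and shows the server-side check that refuses a PORT pointing anywhere but back at the client on the control connection. The addresses, reply and command strings are constructed sample data.

```python
"""FTP data-connection handling: PASV replies, PORT commands, and the server-side
guard against the bounce attack. Sample addresses below are constructed."""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": host is h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2": the client's announced data endpoint in active mode
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _decode_hostport(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line):
    """Passive mode: the client connects to the host and high port the server announces."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _decode_hostport(m.groups())


def build_port_command(host, port):
    """Active mode: the client announces the endpoint the server will connect to
    from its source port 20, so the port must be an unprivileged one (> 1023)."""
    if not 1024 <= port <= 65535:
        raise ValueError("data port must be an unprivileged port")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def parse_port_command(line):
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("malformed PORT command")
    return _decode_hostport(m.groups())


def accept_port_command(control_peer_ip, line):
    """Server-side bounce-attack guard: a PORT is honoured only if it points back at
    the client that owns the control connection and at an unprivileged port, so the
    server can never be made to open a data connection to a third host.
    Returns (accepted, reason)."""
    try:
        host, port = parse_port_command(line)
    except ValueError as exc:
        return False, str(exc)
    if host != control_peer_ip:
        return False, "PORT target differs from control-connection peer"
    if port < 1024:
        return False, "PORT target is a privileged port"
    return True, "ok"
```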

FTP Countermeasures

Do not allow anonymous access unless a clear business requirement exists
Employ a state-of-the-art firewall
Ensure that the server has the latest security patches and has been properly configured to limit user access
Encrypt data before placing it on the FTP server
Encrypt the FTP data flow using a VPN connection
Switch to a secure alternative

Secure File Transfers

Secure File Transfer Protocol (S/FTP)
o Replacement for FTP that uses SSH version 2 as a secure framework for encrypting data transfers

Benefits of S/FTP over FTP

Offers strong authentication using a variety of methods, including X.509 certificates
Encrypts authentication, commands, and all data transferred between client and server using secure encryption algorithms
Easy to configure a firewall to permit S/FTP communications (uses a single, well-behaved TCP connection)
Requires no negotiation to open a second connection

    SecureFTP Implementation Programs

File Sharing

Originally intended to share files on a LAN
Easy to set up
Uses the Windows graphical interface
Can be configured as peer-to-peer or as client/server shares

File Sharing Risks

Confidentiality of data
Some viruses spread via network shares
Other types of critical information besides user documentation could become compromised if file shares are misconfigured

Protecting Your File Shares

Define and communicate a policy
Conduct audits of file shares using commercial scanning and audit tools

Chapter Summary

Key resources used to support mission-critical business applications
o Directory services
    LDAP
o File transfer mechanisms
    FTP
    S/FTP

Chapter 8

Wireless and Instant Messaging

Learning Objectives

Understand security issues related to wireless data transfer
Understand the 802.11x standards
Understand Wireless Application Protocol (WAP) and how it works
Understand the Wireless Transport Layer Security (WTLS) protocol and how it works
Understand Wired Equivalent Privacy (WEP) and how it works
Conduct a wireless site survey
Understand instant messaging

802.11

IEEE group responsible for defining the interface between wireless clients and their network access points in wireless LANs
First standard, finalized in 1997, defined three types of transmission at the Physical layer
o Diffused infrared - based on infrared transmissions
o Direct sequence spread spectrum (DSSS) - radio-based
o Frequency hopping spread spectrum (FHSS) - radio-based

802.11

Established WEP as an optional security protocol
Specified use of the 2.4 GHz industrial, scientific, and medical (ISM) radio band
Mandated a 1 Mbps data transfer rate and an optional 2 Mbps data transfer rate
Most prominent working groups: 802.11b, 802.11a, 802.11i, and 802.11g

802.11a

High-Speed Physical Layer in the 5 GHz Band
Sets specifications for wireless data transmission of up to 54 Mbps in the 5 GHz band
Uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS
Approved in 1999

802.11b

Higher-Speed Layer Extension in the 2.4 GHz Band
Establishes specifications for data transmission that provides 11 Mbps transmission (with fallback to 5.5, 2, and 1 Mbps) in the 2.4 GHz band
Sometimes referred to as Wi-Fi when associated with WECA certified devices
Uses only DSSS
Approved in 1999

802.11c

Worked to establish MAC bridging functionality for 802.11 to operate in other countries
Folded into the 802.1D standard for MAC bridging

802.11d

Responsible for determining the requirements necessary for 802.11 to operate in other countries
Continuing

802.11e

Responsible for creating a standard that will add multimedia and quality of service (QoS) capabilities to the wireless MAC layer and therefore guarantee specified data transmission rates and error percentages
Proposal in draft form

802.11f

Responsible for creating a standard that will allow for better roaming between multivendor access points and distribution systems
Ongoing

802.11g

Responsible for providing raw data throughput over wireless networks at a throughput rate of 22 Mbps or more
Draft created in January 2002; final approval expected in late 2002 or early 2003

802.11h

Responsible for providing a way to allow for European implementation requests regarding the 5 GHz band
Requirements
o Limits a PC card from emitting more radio signal than needed
o Allows devices to listen to radio wave activity before picking a channel on which to broadcast
Ongoing; not yet approved

802.11i

Responsible for fixing security flaws in WEP and 802.1x
Hopes to eliminate WEP altogether and replace it with Temporal Key Integrity Protocol (TKIP), which would require replacement of keys within a certain amount of time
Ongoing; not yet approved

802.11j

Worked to create a global standard in the 5 GHz band by making high-performance LAN (HiperLAN) and 802.11a interoperable
Disbanded after efforts in this area were mostly successful

Wireless Application Protocol (WAP)

Open, global specification created by the WAP Forum
Designed to deliver information and services to users of handheld digital devices
Compatible with most wireless networks
Can be built on any operating system

WAP-Enabled Devices

How WAP 1.x Works

WAP 1.x Stack
o Set of protocols created by the WAP Forum that alters the OSI model
o Five layers lie within the top four (of seven) layers of the OSI model
o Leaner than the OSI model
Each WAP protocol makes data transactions as compressed as possible and allows for more dropped packets than the OSI model

WAP 1.x Stack Compared to OSI/Web Stack

Differences Between Wireless and Wired Data Transfer

WAP 1.x stack protocols require that data communications between clients (wireless devices) and servers pass through a WAP gateway
Network architectural structures

WAP versus Wired Network

The WAP 2.0 Stack

Eliminates use of WTLS; relies on a lighter version of TLS, the same protocol used on the common Internet stack, which allows end-to-end security and avoids any WAP gaps
Replaces all other layers of WAP 1.x by standard Internet layers
Still supports the WAP 1.x stack in order to facilitate legacy devices and systems

Additional WAP 2.0 Features

WAP Push
User agent profile
Wireless Telephony Application
Extended Functionality Interface (EFI)
Multimedia Messaging Service (MMS)

Wireless Transport Layer Security (WTLS) Protocol

Provides authentication, data encryption, and privacy for WAP 1.x users
Three classes of authentication
o Class 1
    Anonymous; does not allow either the client or the gateway to authenticate the other
o Class 2
    Only allows the client to authenticate the gateway
o Class 3
    Allows both the client and the gateway to authenticate each other

WTLS Protocol: Steps of Class 2 Authentication

1. WAP device sends a request for authentication
2. Gateway responds, then sends a copy of its certificate, which contains the gateway's public key, to the WAP device
3. WAP device receives the certificate and public key and generates a unique random value
4. WAP gateway receives the encrypted value and uses its own private key to decrypt it

WTLS Security Concerns

Security threats posed by the WAP gap
Unsafe use of service set identifiers (SSIDs)

Wired Equivalent Privacy (WEP)

Optional security protocol for wireless local area networks defined in the 802.11b standard
Designed to provide the same level of security as a wired LAN
Not considered adequate security without also implementing a separate authentication process and providing for external key management

Wireless LAN (WLAN)

Connects clients to network resources using radio signals to pass data through the ether
Employs wireless access points (APs)
o Connected to the wired LAN
o Act as radio broadcast stations that transmit data to clients equipped with wireless network interface cards (NICs)

How a WLAN Works

APs

NICs

    How WEP Works
    Uses a symmetric key (shared key) to authenticate wireless devices (not wireless device users) and to guarantee integrity of data by encrypting transmissions
    Each of the APs and clients needs to share the same key
    Client sends a request to the AP asking for permission to access the wired network
    If WEP has not been enabled (the default), the AP allows the request to pass
    If WEP has been enabled, the client begins a challenge-and-response authentication process

    WEP's Weaknesses
    Problems related to the initialization vector (IV) that it uses to encrypt data and ensure its integrity
      o Can be picked up by hackers
      o Is reused on a regular basis
    Problems with how it handles keys

    Other WLAN Security Loopholes
    War driving
    Unauthorized users can attach themselves to WLANs and use their resources, set up their own access points, and jam the network
    WEP authenticates clients, not users
    Wireless network administrators and users must be educated about the inherent insecurity of wireless systems and the need for care

    Conducting a Wireless Site Survey
    1. Conduct a needs assessment of network users
    2. Obtain a copy of the site's blueprint
    3. Do a walk-through of the site
    4. Identify possible access point locations
    5. Verify access point locations
    6. Document findings

    Instant Messaging (IM)
    AOL Instant Messenger (AIM)
    MSN Messenger
    Yahoo! Messenger
    ICQ
    Internet Relay Chat (IRC)

    Definition of IM
    Uses a real-time communication model
    Allows users to keep track of the online status and availability of other users who are also using IM applications
    Can be used on both wired and wireless devices
    Easy and fast
    Operates in two models:
      o Peer-to-peer model: may cause the client to expose sensitive information
      o Peer-to-network model: risk of network outage and DoS attacks making IM communication unavailable

    Problems Facing IM
    Lack of default encryption enables packet sniffing
    Social engineering overcomes even encryption

    Technical Issues Surrounding IM
    File transfers
    Application sharing

    Legal Issues Surrounding IM
    Possible threat of litigation or criminal indictment should the wrong message be sent or overheard by the wrong person
    Currently immune to most corporate efforts to control it
    Must be monitored in real time

    Blocking IM
    Install a firewall to block the ports that IM products use; IM will be unavailable to all employees
    Limited blocking not currently possible

    Cellular Phone Simple Messaging Service (SMS)
    Messages are typed and sent immediately
    Problems
      o Tracking inappropriate messages
      o Risk of having messages sniffed

    Chapter Summary
    Efforts of IEEE, specifically 802.11x standards, to standardize wireless security
    Security issues related to dominant wireless protocols
      o WAP: connects mobile telephones, PDAs, pocket computers, and other mobile devices to the Internet
      o WEP: used in WLANs
    WTLS protocol
    Conducting a site survey in advance of building a WLAN
    Security threats related to using IM

    Chapter 9

    Devices

    Learning Objectives
    Understand the purpose of a network firewall and the kinds of firewall technology available on the market
    Understand the role of routers, switches, and other networking hardware in security
    Determine when VPN or RAS technology works to provide a secure network connection

    Firewalls
    Hardware or software device that provides a means of securing a computer or network from unwanted intrusion
      o Dedicated physical device that protects a network from intrusion
      o Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

    Management Cycle for Firewall Protection
    1. Draft a written security policy
    2. Design the firewall to implement the policy
    3. Implement the design by installing the selected hardware and software
    4. Test the firewall
    5. Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

    Drafting a Security Policy
    What am I protecting? From whom?
    What services does my company need to access over the network?
    Who gets access to what resources?
    Who administers the network?

    Available Targets and Who Is Aiming at Them
    Common areas of attack
      o Web servers
      o Mail servers
      o FTP servers
      o Databases
    Intruders
      o Sport hackers
      o Malicious hackers

    Who Gets Access to Which Resources?
    List employees or groups of employees along with the files and file servers, and the databases and database servers, they need to access
    List which employees need remote access to the network

    Who Administers the Network?
    Determine the individual(s) and the scope of each individual's management control

    Designing the Firewall to Implement the Policy
    Select the appropriate technology to deploy the firewall

    What Do Firewalls Protect Against?
    Denial of service (DoS)
    Ping of death
    Teardrop or Raindrop attacks
    SYN flood
    LAND attack
    Brute force or smurf attacks
    IP spoofing

    How Do Firewalls Work?
    Network address translation (NAT)
    Basic packet filtering
    Stateful packet inspection (SPI)
    Application gateways
    Access control lists (ACL)

    Network Address Translation (NAT)
    Only technique used by basic firewalls
    Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
    Each active connection requires a unique external address for the duration of the communication
    Port address translation (PAT)
      o Derivative of NAT
      o Supports thousands of simultaneous connections on a single public IP address

    Basic Packet Filtering
    Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules
    Can be configured to screen information based on many data fields:
      o Protocol type
      o IP address
      o TCP/UDP port
      o Source routing information

    Stateful Packet Inspection (SPI)
    Controls access to the network by analyzing incoming/outgoing packets and letting them pass or not based on the IP addresses of source and destination
      o Examines a packet based on information in its header
    Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; essential to blocking IP spoofing attacks

    Access Control Lists (ACL)
    Rules built according to organizational policy that define who can access portions of the network
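    The three slides above (basic packet filtering, SPI and ACLs) side by side in code, as an added example that is not from the original slides. The address ranges, the ACL and the packets are constructed; only TCP is modelled, and the SYN flag stands in for "first packet of a connection".

```python
"""Stateless packet filter beside a stateful one, added illustration.
The stateless filter judges each packet by its header fields alone; the stateful
filter also remembers which side opened a connection and which interface a
packet arrived on, which is what lets it refuse spoofed 'internal' sources."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False        # True for the first packet of a TCP connection
    inbound: bool = False    # True if it arrived on the external (Internet) interface


@dataclass(frozen=True)
class Rule:
    """One ACL entry; the first matching rule wins."""
    action: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


INTERNAL = ip_network("10.0.0.0/8")   # constructed private address range

# Constructed ACL for a simple policy: outside hosts may reach only the DMZ web
# server on port 80, the LAN may initiate anything, everything else is denied.
ACL = [
    Rule("allow", "tcp", dst="10.1.1.80/32", dport=80),
    Rule("allow", "tcp", src="10.0.0.0/8"),
    Rule("deny"),
]


def stateless_filter(p: Packet, acl=ACL) -> str:
    """Basic packet filtering: header fields only, no memory of earlier
    packets and no notion of which interface the packet came in on."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Stateful packet inspection: tracks accepted connections and the side
    that opened them, so spoofed internal sources and fake replies are refused."""

    def __init__(self, acl=ACL):
        self.acl = acl
        self.connections = set()   # (initiator, iport, responder, rport)

    def check(self, p: Packet) -> str:
        if p.inbound and ip_address(p.src) in INTERNAL:
            return "deny"          # internal address cannot legitimately arrive from outside
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"         # reply on a connection we watched being opened
        if p.syn and stateless_filter(p, self.acl) == "allow":
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return "allow"         # new connection permitted by policy; remember it
        return "deny"              # non-SYN packet with no matching state
```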

    Routers
    Network management device that sits between network segments and routes traffic from one network to another
    Allows networks to communicate with one another
    Allows the Internet to function
    Acts as a digital traffic cop (with the addition of packet filtering)

    How a Router Moves Information
    Examines the electronic envelope surrounding a packet; compares the address to the list of addresses contained in the router's lookup tables
    Determines which router to send the packet to next, based on changing network conditions

    How a Router Moves Information (diagram)

    Beyond the Firewall
    Demilitarized zone (DMZ)
    Bastion hosts (potentially)

    Demilitarized Zone
    Area set aside for servers that are publicly accessible or have lower security requirements
    Sits between the Internet and the internal network's line of defense
      o Stateful device fully protects other internal systems
      o Packet filter allows external traffic only to services provided by DMZ servers
    Allows a company to host its own Internet services without allowing unauthorized access to its private network

    Bastion Hosts
    Computers that reside in a DMZ and that host Web, mail, DNS, and/or FTP services
    Gateway between an inside network and an outside network
    Defends against attacks aimed at the inside network; used as a security measure
    Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
    Do not share authentication services with trusted hosts within the network

    Application Gateways
    Also known as proxy servers
    Monitor specific applications (FTP, HTTP, Telnet)
    Allow packets accessing those services to go to only those computers that are allowed
    Good backup to packet filtering

    Application Gateways
    Security advantages
      o Information hiding
      o Robust authentication and logging
      o Simpler filtering rules
    Disadvantage
      o Two steps are required to connect inbound or outbound traffic; can increase processor overhead

    OSI Reference Model
    Architecture that classifies most network functions
    Seven layers
      o Application
      o Presentation
      o Session
      o Transport
      o Network
      o Data-Link
      o Physical

    The OSI Stack
    Layers 4 and 5
      o Where the TCP and UDP ports that control communication sessions operate
    Layer 3
      o Routes IP packets
    Layer 2
      o Delivers data frames across LANs

    Limitations of Packet-Filtering Routers
    ACL can become long, complicated, and difficult to manage and comprehend
    Throughput decreases as the number of rules being processed increases
    Unable to determine the specific content or data of packets at layers 3 through 5

    Switches
    Provide the same function as bridges (divide collision domains), but employ application-specific integrated circuits (ASICs) that are optimized for the task
    Reduce the collision domain to two nodes (switch and host)
    Main benefit over hubs
      o Separation of collision domains limits the possibility of sniffing

    Switches (diagram)

    Switch Security
    ACLs
    Virtual Local Area Networks (VLANs)

    Virtual Local Area Network
    Uses public wires to connect nodes
    Broadcast domain within a switched network
    Uses encryption and other security mechanisms to ensure that
      o Only authorized users can access the network
      o Data cannot be intercepted
    Clusters users in smaller groups
      o Increases security from hackers
      o Reduces the possibility of a broadcast storm

    Security Problems with Switches
    Common ways of switch hijacking
      o Try default passwords, which may not have been changed
      o Sniff the network to get the administrator password via SNMP or Telnet

    Securing a Switch
    Isolate all management interfaces
    Manage the switch by physical connection to a serial port or through secure shell (SSH) or another encrypted method
    Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN jumping
    Put the switch behind a dedicated firewall device
    Maintain the switch; install the latest version of software and security patches
    Read the product documentation
    Set strong passwords

    Example of a Compromised VLAN (diagram)

    Wireless
    Almost anyone can eavesdrop on a network communication
    Encryption is the only secure method of communicating with wireless technology

    Modems (diagram)

    DSL versus Cable Modem Security
    DSL
      o Direct connection between computer/network and the Internet
    Cable modem
      o Connected to a shared segment; party line
      o Most have basic firewall capabilities to prevent files from being viewed or downloaded
      o Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

    Dynamic versus Static IP Addressing
    Static IP addresses
      o Provide a fixed target for potential hackers
    Dynamic IP addresses
      o Provide enhanced security
      o By changing the IP addresses of client machines, the DHCP server makes them moving targets for potential hackers
      o Assigned by the Dynamic Host Configuration Protocol (DHCP)

    Remote Access Service (RAS)
    Provides a mechanism for one computer to securely dial in to another computer
    Treats the modem as an extension of the network
    Includes encryption and logging
    Accepts incoming calls
    Should be placed in the DMZ

    Security Problems with RAS
    Behind the physical firewall; potential for the network to be compromised
    Most RAS systems offer encryption and callback as features to enhance security

    Telecom/Private Branch Exchange (PBX)
    PBX
      o Private phone system that offers features such as voicemail, call forwarding, and conference calling
      o Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and enhanced susceptibility to legal liability

    IP-Based PBX (diagram)

    PBX Security Concerns
    Remote PBX management
    Hoteling or job sharing
      o Many move codes are standardized and posted on the Internet

    Virtual Private Networks
    Provide a secure communication pathway or tunnel through public networks (e.g., the Internet)
    Lowest levels of TCP/IP are implemented using an existing TCP/IP connection
    Encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
    Further enhances security by implementing Internet Protocol Security (IPSec)

    Internet Protocol Security (IPSec)
    Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode)
    Enables a VPN to eliminate packet sniffing and identity spoofing
    Requirement of the Internet Protocol version 6 (IPv6) specification

    Intrusion Detection Systems (IDS)
    Monitor networks and report on unauthorized attempts to access any part of the system
    Available from many vendors
    Forms
      o Software (computer-based IDS)
      o Dedicated hardware devices (network-based IDS)
    Types of detection
      o Anomaly-based detection
      o Signature-based detection

    Computer-based IDS
    Software applications (agents) are installed on each protected computer
      o Make use of disk space, RAM, and CPU time to analyze the OS, applications, and system audit trails
      o Compare these to a list of specific rules
      o Report discrepancies
    Can be self-contained or remotely managed
    Easy to upgrade the software, but does not scale well

    Network-based IDS
    Monitors activity on a specific network segment
    Dedicated platforms with two components
      o Sensor: passively analyzes network traffic
      o Management system: displays alarm information from the sensor

    Anomaly-based Detection
    Builds statistical profiles of user activity and then reacts to any activity that falls outside these profiles
    Often leads to a large number of false positives
      o Users do not access computers/network in static, predictable ways
      o Cost of building a sensor that could hold enough memory to contain the entire profile, and the time to process the profiles, is prohibitively large

    Signature-based Detection
    Similar to an antivirus program in its method of detecting potential attacks
    Vendors produce a list of signatures used by the IDS to compare against activity on the network or host
    When a match is found, the IDS takes some action (e.g., logging the event)
    Can produce false positives; normal network activity may be construed as malicious
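    The two detection types from the anomaly-based and signature-based slides above, run over constructed sample records as an added example (not code from the original slides). The log lines, signature patterns and per-minute request counts are all made up for the illustration; a real sensor would carry thousands of signatures and a far richer profile.

```python
"""Signature-based versus anomaly-based detection on constructed data.
Signatures catch only what is on the list; the statistical profile catches
anything unusual, including legitimate but rare bursts (a false positive)."""
import re
from statistics import mean, pstdev

# Constructed, syslog-like web access records (not real traffic).
LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /login.php?user=admin'%20OR%201=1-- 200",
    "10.0.0.7 GET /images/logo.png 200",
    "10.0.0.9 GET /cgi-bin/../../private/notes.txt 404",
    "10.0.0.7 GET /about.html 200",
]

# Signature list of the kind a vendor ships: name -> pattern of known-bad input.
SIGNATURES = {
    "sql-tautology": re.compile(r"'(%20|\s)*OR(%20|\s)+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_scan(lines, signatures=SIGNATURES):
    """Signature-based detection: (line index, signature name) for every line
    matching a known pattern. Anything not on the list goes unreported."""
    hits = []
    for i, line in enumerate(lines):
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits.append((i, name))
    return hits


class RateProfile:
    """Anomaly-based detection: a statistical profile of requests per minute
    built from a training window; counts above mean + k*stdev are reported."""

    def __init__(self, training_counts, k=3.0):
        self.mu = mean(training_counts)
        self.sigma = pstdev(training_counts)
        self.threshold = self.mu + k * self.sigma

    def is_anomalous(self, count):
        return count > self.threshold


def anomaly_scan(profile, observed_counts):
    """Return (minute index, count) for every minute outside the profile."""
    return [(i, c) for i, c in enumerate(observed_counts)
            if profile.is_anomalous(c)]
```

    With a training window of 4 to 6 requests per minute the threshold lands just above 7, so a legitimate burst of 8 is flagged alongside a 40-request flood, which is the false-positive cost the slides describe.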

    Network Monitoring and Diagnostics
    Essential steps in ensuring the safety and health of a network (along with IDS)
    Can be either stand-alone or part of a network-monitoring platform
      o HP's OpenView
      o IBM's Netview/AIX
      o Fidelia's NetVigil
      o Aprisma's Spectrum

    Ensuring Workstation and Server Security
    Remove unnecessary protocols such as NetBIOS or IPX
    Remove unnecessary user accounts
    Remove unnecessary shares
    Rename the administrator account
    Use strong passwords

    Personal Firewall Software Packages
    Offer application-level blocking and packet filtering, and can put your computer into stealth mode by turning off most if not all ports
    Many products available, including:
      o Norton Firewall
      o ZoneAlarm
      o Black Ice Defender
      o Tiny Software's Personal Firewall

    Firewall Product Example (screenshot)

    Antivirus Software Packages
    Necessary even on a secure network
    Many vendors, including:
      o McAfee
      o Norton
      o Computer Associates
      o Network Associates

    Mobile Devices
    Can open security holes for any computer with which these devices communicate

    Chapter Summary
    Virtual isolation of a computer or network by implementing a firewall through software and hardware techniques:
      o Routers
      o Switches
      o Modems
      o Various software packages designed to run on servers, workstations, and PDAs
    Virtual private networks (VPNs)
    Private branch exchanges (PBX)
    Remote Access Services (RAS)

    Chapter 10

    Media and Medium

    Learning Objectives
    Identify and discuss the various types of transmission media
    Explain how to physically protect transmission media adequately
    Identify and discuss the various types of storage media
    Know how to lessen the risk of catastrophic loss of information

    Learning Objectives (continued)
    Understand the various ways to encrypt data
    Properly maintain or destroy stored data

    Transmission Media
    Coaxial cable
    Twisted pair copper cable
      o Shielded
      o Unshielded
    Fiber-optic cable
    Wireless connections

    Coaxial Cable
    Hollow outer cylinder surrounds a single inner wire conductor
    More expensive than traditional telephone wiring
    Less prone to interference
    Typically carries larger amounts of data
    Easily spliced; allows unauthorized users access to the network
    Two types (not interchangeable)
      o 50-ohm
      o 75-ohm

    50-Ohm Coaxial Cable
    Uses an unmodulated signal over a single channel
    Two standards
      o 10Base2 (ThinNet)
      o 10Base5 (ThickNet)
    Advantages
      o Simple to implement and widely available
      o Low-cost alternative that provides relatively high rates of data transmission
    Disadvantages
      o Can only carry data and voice
      o Limited in the distance it can transmit signals

    10Base2 (ThinNet)
    Uses a thin coaxial cable in an Ethernet environment
    Capable of covering up to 180 meters
    Allows daisy chaining
    Not highly susceptible to noise interference
    Transmits at 10 Mbps
    Can support up to 30 nodes per segment

    10Base5 (ThickNet)
    Primarily used as a backbone in an office LAN environment
    Often connects wiring closets
    Can transmit data at speeds up to 10 Mbps
    Covers distances up to 500 meters
    Can accommodate up to 100 nodes per segment
    Rigid and difficult to work with

    75-Ohm Coaxial Cable
    For analog signaling and high-speed digital signaling
    Advantages
      o Allows for data, voice, and video capabilities
      o Can cover greater distances and offers more bandwidth
    Disadvantages
      o Requires hardware to connect via modems
      o More difficult to maintain

    Twisted Pair Copper Cable
    Individual copper wires are twisted together to prevent crosstalk between pairs and to reduce the effects of EMI and RFI
    Inexpensive alternative to coaxial cable, but cannot support the same distances
    Long used by telephone companies
    Types
      o Unshielded twisted pair (UTP)
      o Shielded twisted pair (STP)

    Unshielded Twisted Pair (UTP)
    Most common medium for both voice and data
    Currently supports up to 1 Gbps protocols

    Shielded Twisted Pair (STP)
    Extra foil shield wrapped between copper pairs provides additional insulation from EMI
    Used extensively in LAN wiring

    Shielded Twisted Pair (STP) (diagram)

    Twisted Pair Categories
    Category 3 (CAT 3)
    Category 5 (CAT 5)
    Category 6 (CAT 6)

    Twisted Pair CAT 3
    For voice and data transmission