Network+ Guide to Networks, Fourth Edition Chapter 14 Network Security

Network+ Guide to Networks, Fourth Edition

Chapter 14

Network Security

Network+ Guide to Networks, 4e 2

Security Audits

• Every organization should assess security risks by conducting a security audit– Thorough examination of each aspect of network to

determine how it might be compromised– At least annually, preferably quarterly

• The more devastating a threat’s effects and the more likely it is to happen, the more rigorously your security measures should address it

• In-house or third-party audits


Security Risks

• Not all security breaches result from manipulation of network technology– Staff members purposely or inadvertently reveal

passwords– Undeveloped security policies

• Malicious and determined intruders may “cascade” their techniques


Risks Associated with People

• Human errors, ignorance, and omissions cause majority of security breaches

• Risks associated with people:– Social engineering or snooping to obtain passwords– Incorrectly creating or configuring user IDs, groups,

and their associated rights on file server– Overlooking security flaws in topology or hardware

configuration– Overlooking security flaws in OS or application

configuration– Lack of documentation and communication


Risks Associated with Transmission and Hardware

• Risks inherent in network hardware and design:– Transmissions can be intercepted– Networks using leased public lines vulnerable to

eavesdropping– Network hubs broadcast traffic over entire segment– Unused hub, router, or server ports can be exploited

and accessed by hackers– Not properly configuring routers to mask internal

subnets


Risks Associated with Protocols and Software

• Networked software only as secure as it is configured to be

• Risks pertaining to networking protocols and software:– TCP/IP contains several security flaws– Trust relationships between one server and another

may allow hackers to access entire network – NOSs may contain “back doors” or security flaws

allowing unauthorized access to system


Risks Associated with Internet Access

• Common Internet-related security issues:– Firewall may not be adequate protection, if not

configured properly• IP spoofing

– When user Telnets or FTPs to site over Internet, user ID and password transmitted in plain text

– Hackers may obtain information about user IDs from newsgroups, mailing lists, forms filled out on Web

– Flashing– Denial-of-service attack


An Effective Security Policy

• Security policy identifies security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for team members, responsibilities for each employee– Specifies how to address security breaches– Should not state exact hardware, software,

architecture, or protocols used to ensure security• Nor how hardware or software will be installed and

configured

– Details change occasionally


Physical Security

• Restrict physical access to components– Computer room, hubs, routers, switches, etc.

• Locks may be physical or electronic– Electronic access badges– Numeric key codes– Bio-recognition access

• Closed-circuit TV systems

• Most important way to ensure physical security is to plan for it


Physical Security (continued)

Figure 14-1: Badge access security system


Security in Network Design: Firewalls

• Selectively filter or block traffic between networks– Hardware-based, software-based, or combination

• Packet-filtering firewall examines header of every packet of data received– Common filtering criteria:

• IP addresses• Ports • Flags set in IP header• Transmissions that use UDP or ICMP• First packet in new data stream?• Inbound or outbound?


Proxy Servers

• Proxy service: software that acts as intermediary between external and internal networks– Screen all incoming and outgoing traffic

• Manage security at Application layer

• May be combined with Firewall for greater security

• Improve performance for users accessing resources external to network by caching files


Proxy Servers (continued)

Figure 14-4: A proxy server used on a WAN


Remote Access

• Must remember that any entry point to a LAN or WAN creates potential security risk

• Remote control:– Can present serious security risks– Most remote control software programs offer

features that increase security– Desirable security features:

• User name and password requirement

• Ability of host system to call back

• Support for data encryption


Remote Access (continued)

• Remote control (continued):– Desirable security features (continued):

• Ability to leave host system’s screen blank while remote user works

• Ability to disable host system’s keyboard and mouse

• Ability to restart host system when remote user disconnects


Remote Access (continued)

• Dial-up networking – Effectively turns remote workstation into node on

network – Secure remote access server package should

include at least:• User name and password authentication

• Ability to log all dial-up connections, their sources, and their connection times

• Ability to perform callbacks to users

• Centralized management of dial-up users and their rights on network


Network Operating System Security

• Regardless of NOS, can implement basic security by restricting what users authorized to do– Limit public rights– Administrators should group users according to

security levels


Logon Restrictions

• Additional restrictions that network administrators can use to strengthen security of network:– Time of day– Total time logged on– Source address– Unsuccessful logon attempts


Passwords

• Tips for making and keeping passwords secure:– Always change system default passwords– Do not use familiar information– Do not use dictionary words– Make password longer than eight characters– Choose combination of letters and numbers– Do not write down or share passwords– Change password at least every 60 days– Do not reuse passwords


Encryption

• Use of algorithm to scramble data into format that can be read only by reversing the algorithm

• Encryption provides following assurances:– Data not modified after sender transmitted it and

before receiver picked it up– Data can only be viewed by intended recipient– All data received at intended destination truly issued

by stated sender and not forged by an intruder


Private Key Encryption

• Data encrypted using single key that only sender and receiver know

• Data Encryption Standard (DES): 56-bit key– Triple DES (3DES): weaves 56-bit key through data

three times

• Advanced Encryption Standard (AES): weaves 128-, 160-, 192-, or 256-bit keys through data multiple times– Used in military communication

• Sender must share key with recipient


Private Key Encryption (continued)

Figure 14-6: Private key encryption


Public Key Encryption

• Data encrypted using two keys: – Private key– Public key associated with user

• Public key server: publicly accessible host that freely provides list of users’ public keys

• Key pair: combination of public key/private key• Public keys more vulnerable than private keys

– Use longer keys– RSA: most popular public key algorithm

• Digital certificate: password-protected, encrypted file that holds identification information


PGP (Pretty Good Privacy)

• Typical e-mail communication is highly insecure

• PGP: public key encryption system that can verify authenticity of an e-mail sender and encrypt e-mail data in transmission– Freely available– Most popular tool for encrypting e-mail– Can be used to encrypt data on storage devices or

with applications other than e-mail


SSL (Secure Sockets Layer)

• Method of encrypting TCP/IP transmissions en route between client and server – Public key encryption

• HTTPS (HTTP over Secure Sockets Layer): uses TCP port 443, rather than port 80

• SSL session: association between client and server defined by agreement on specific set of encryption techniques– Created by SSL handshake protocol

• IETF has attempted to standardize SSL with Transport Layer Security (TLS)


IPSec (Internet Protocol Security)

• Defines encryption, authentication, and key management for TCP/IP transmissions– Encrypts data by adding security information to

header of IP packets– Operates at Network layer

• Accomplishes authentication in two phases:– Key management: Internet Key Exchange (IKE)– Encryption: authentication header (AH) or

Encapsulating Security Payload (ESP)

• Can be used with any type of TCP/IP transmission


PAP (Password Authentication Protocol)

• Authentication protocol that works over PPP– Simple, not very secure– Does not protect against possibility of malicious

intruder attempting to guess user’s password through brute force attack

Figure 14-9: Two-step authentication used in PAP


CHAP and MS-CHAP

• Challenge Handshake Authentication Protocol (CHAP): operates over PPP– Encrypts user names and passwords– Three-way handshake– Password never transmitted alone or as clear text

• Microsoft Challenge Authentication Protocol (MS-CHAP): similar to CHAP– Used on Windows systems– MS-CHAPv2 uses stronger encryption

• Mutual authentication: both computers verify credentials of the other


CHAP and MS-CHAP (continued)

Figure 14-10: Three-way handshake used in CHAP


EAP (Extensible Authentication Protocol)

• Another extension to PPP protocol suite– Does not perform encryption or authentication– Requires authenticator to initiate authentication

process by asking connected computer to verify itself– Flexible: supported by most OSs and can be used

with any authentication method– Works with biorecognition and wireless protocols


Kerberos

• Cross-platform authentication protocol – Uses key encryption to verify identity of clients and

to securely exchange information– Significant advantages over NOS authentication

• Does not automatically trust clients

• Requires client to prove identity through third party

– Key Distribution Center (KDC): server that issues keys

– authentication service (AS): authenticates a principal• Issues a ticket


Wireless Network Security: WEP (Wired Equivalent Privacy)

• Wireless transmissions susceptible to eavesdropping– War driving

• By default, 802.11 standard does not offer security– Allows for optional encryption using WEP

• Uses keys to authenticate network clients and encrypt data in transit

• Network key

• On Windows XP, network key can be saved as part of wireless connection’s properties

• Current versions of WEP allow 28-bit network keys


IEEE 802.11i and WPA (Wi-Fi Protected Access)

• Uses EAP with strong encryption scheme– Dynamically assigns every transmission own key– Logging on to wireless network more complex than

with WEP– AP acts as proxy between remote access server and

station until station successfully authenticates– Requires mutual authentication– After authentication, remote access server instructs

AP to allow traffic from client into network– Client and server agree on encryption key


IEEE 802.11i and WPA (continued)

• 802.11i specifies AES encryption method – Mixes each packet in data stream with different key

• WPA: subset of 802.11i standard– Main difference from 802.11i is that WPA specifies

RC4 encryption rather than AES

Documents

Network+ Guide to Networks, Fourth Edition Chapter 14 Network Security