Security Awareness: Applying Practical Security in Your World
Chapter 5: Network Security

Objectives
Give an overview of how networks work
List and describe three types of network attacks
Explain how network defenses can be used to enhance a network security perimeter
Tell how a wireless local area network (WLAN) functions and list some of its security features

Network Security
Computer networks in organizations are prime targets for hackers.
Computer networks are also found in homes
  The growth of home networks has resulted in more attacks

How Networks Work
Personal computers
  Isolated from other computers (See Figure 5-1)
  Function limited to the hardware, software, and data on that one computer
Computer network
  Interconnected computers and devices (See Figure 5-2)
  Sharing increases functionality, reduces costs, and increases accuracy

Types of Networks
Local area network (LAN)
  A network of computers located relatively close to each other
Wide area network (WAN)
  A network of computers geographically dispersed

Transmitting Data
Protocols
  Sets of rules used by sending and receiving devices to transmit data
  Both sender and receiver must use the same set of rules
Transmission Control Protocol/Internet Protocol (TCP/IP)
  Most common protocol in use
IP Address
  Unique number assigned to each device on a TCP/IP network that identifies it from all other devices
Data is divided into smaller units called packets for transmission through a network (See Figure 5-4)

Devices on a Network
Different types of equipment perform different functions
  Many devices are responsible for sending packets through the LAN or across a WAN
Router
  Directs packets “toward” their destination
Network perimeter
  Line of defense around a network made up of products, procedures and people (See Figure 5-5)

Network Attacks
Hackers attack network perimeters in different ways
Attacks include:
  Denial of Service (DoS)
  Man-in-the-Middle
  Spoofing

Denial of Service (DoS)
Normal conditions
  Computers contact a server with a request
Denial of Service (DoS)
  Server is flooded with requests, making it unavailable to legitimate users (See Figure 5-6)
  Attacking computers programmed not to reply to the server’s response
  Server “holds the line open” for each request (See Figure 5-7) and eventually runs out of resources as more requests are received
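
A small model of the “holds the line open” behaviour described above, added here as an example and not taken from the original slides. The table capacity, the timeout that reclaims unanswered slots, and the event and client names are assumptions made for the illustration.

```python
def run_server(events, capacity, timeout=None):
    """Replay (time, client, kind) events and return the clients that were refused.

    kind is "request" (the server responds and holds a slot open for the client)
    or "reply" (the client answers, the exchange completes, the slot is freed).
    """
    held_open = {}  # client -> time at which its slot was opened
    refused = []
    for now, client, kind in events:
        if timeout is not None:
            # Assumed defense: reclaim slots whose client never replied in time.
            for stale in [c for c, t in held_open.items() if now - t >= timeout]:
                del held_open[stale]
        if kind == "reply":
            held_open.pop(client, None)
        elif len(held_open) >= capacity:
            refused.append(client)  # out of resources: request cannot be served
        else:
            held_open[client] = now
    return refused

# Constructed events: four sources that never reply, then one legitimate user.
EVENTS = [(t, f"silent-{t}", "request") for t in range(4)] + [
    (10, "user", "request"),
    (11, "user", "reply"),
]

def compare_timeouts():
    # Same traffic, same capacity; only the handling of unanswered slots differs.
    return run_server(EVENTS, capacity=4), run_server(EVENTS, capacity=4, timeout=5)
```

Without a timeout the four unanswered requests occupy every slot and the legitimate user is refused; with the timeout the stale slots are reclaimed before the user arrives.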

Distributed Denial of Service (DDoS)
Variant of a DoS that uses many computers to attack a target
Hacker finds a handler
Special software is loaded on the handler and it searches for zombies
Software is loaded on the zombies without the user’s knowledge
Eventually that hacker instructs all zombies to flood a particular server

Man-in-the-Middle
Two computers are tricked into thinking they are communicating with each other when there is actually a hidden third party between them (See Figure 5-8)
Communications can be monitored or modified

Spoofing
Spoofing
  Pretending to be the legitimate owner
IP Address Spoofing
  False IP address inserted into packets
ARP Spoofing
  ARP table changed to redirect packets (See Figure 5-10)
ARP table
  Address Resolution Protocol table stores list of MAC addresses and corresponding IP addresses (See Figure 5-9)
MAC Address
  Media Access Control address is the hardware address of the Network Interface Card (NIC)
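
One way to spot the ARP table change described above is to compare the table against a trusted earlier copy. This is an added example, not part of the original slides; the "IP MAC" line format, the function names and all addresses are assumptions constructed for the illustration.

```python
def parse_arp_table(text):
    """Parse lines of 'IP MAC' into {ip: mac}, normalising the MAC notation."""
    table = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        table[ip] = mac.lower().replace("-", ":")
    return table

def arp_findings(baseline, current):
    """Compare a trusted ARP table with a later one and list suspicious entries."""
    findings = []
    # 1. An IP address whose MAC address differs from the trusted record.
    for ip in sorted(current):
        known = baseline.get(ip)
        if known is not None and known != current[ip]:
            findings.append(("changed", ip, known, current[ip]))
    # 2. One MAC address listed for several IP addresses.
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac in sorted(by_mac):
        if len(by_mac[mac]) > 1:
            findings.append(("shared", mac, sorted(by_mac[mac])))
    return findings

# Constructed snapshots; every address is made up for the example.
BASELINE = parse_arp_table("""
192.168.1.1   00-11-22-33-44-55
192.168.1.10  00-AA-BB-CC-DD-01
192.168.1.20  00-AA-BB-CC-DD-02
""")
LATER = parse_arp_table("""
192.168.1.1   00-aa-bb-cc-dd-02
192.168.1.10  00-AA-BB-CC-DD-01
192.168.1.20  00-AA-BB-CC-DD-02
""")
```

A changed entry can also come from a replaced network card, so each finding is a lead to verify rather than proof of spoofing.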

Network Defenses
Three groups of network defenses:
  Devices
  Configurations
  Countermeasures

Devices
Firewalls
  Designed to prevent malicious packets from entering
  Typically outside the security perimeter (See Figure 5-11)
  Software based
    Runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network
  Hardware based
    Separate devices that protect the entire network (network firewalls)

Devices (continued)
Firewall rule base
  AKA Access control list (ACL)
  Establishes what action the firewall should take when it receives a packet
    Allow
    Block
    Prompt
  Should reflect the organization's security policy

Devices (continued)
Stateless packet filtering
  Allows or denies packets based strictly on the rule base
Stateful packet filtering
  Keeps a record of the state of a connection
  Makes decisions based on the rule base and the connection
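
The difference between the two filtering styles, shown on the same three packets. This is an added example, not part of the original slides; the rule base, the packet fields and the addresses are constructed for the illustration and do not describe any particular firewall product.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "Allow", "Block"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from outside the perimeter

# Constructed rule base: (inbound, src port, dst port, action); None matches any.
RULE_BASE = [
    (False, None, 443, ALLOW),  # inside clients may open HTTPS connections
    (True, 443, None, ALLOW),   # replies from HTTPS servers must get back in
    (None, None, None, BLOCK),  # default: block everything else
]

def stateless_filter(pkt):
    # Decide strictly from the rule base, one packet at a time; first match wins.
    for inbound, sport, dport, action in RULE_BASE:
        if (inbound in (None, pkt.inbound) and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action
    return BLOCK

class StatefulFilter:
    def __init__(self):
        self.connections = set()  # connections opened from inside
    def filter(self, pkt):
        if not pkt.inbound:
            action = stateless_filter(pkt)
            if action == ALLOW:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return action
        # Inbound: allow only a reply to a connection recorded above.
        reply_to = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ALLOW if reply_to in self.connections else BLOCK

# Constructed packets (documentation and private address ranges).
REQUEST = Packet("192.168.1.10", 50000, "203.0.113.5", 443, inbound=False)
REPLY = Packet("203.0.113.5", 443, "192.168.1.10", 50000, inbound=True)
UNSOLICITED = Packet("198.51.100.7", 443, "192.168.1.20", 50000, inbound=True)

def compare():
    fw = StatefulFilter()
    packets = (REQUEST, REPLY, UNSOLICITED)
    return [stateless_filter(p) for p in packets], [fw.filter(p) for p in packets]
```

Both filters pass the request and its reply, but only the stateful filter blocks the third packet, because no inside computer opened a connection that it could be answering.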

Devices (continued)
Intrusion Detection System (IDS)
  Examines the activity on a network
  Goal is to detect intrusions and take action
Two types of IDS:
  Host-based IDS
    Installed on a server or other computers (sometimes all)
    Monitors traffic to and from that particular computer
  Network-based IDS
    Located behind the firewall and monitors all network traffic (See Figure 5-12)

Devices (continued)
Network Address Translation (NAT) Systems
  Hides the IP address of network devices
  Located just behind the firewall (See Figure 5-13)
  NAT device uses an alias IP address in place of the sending machine’s real one (See Figure 5-14)
  “You cannot attack what you can’t see”

Devices (continued)
Proxy Server
  Operates similar to NAT, but also examines packets to look for malicious content
  Replaces the protected computer’s IP address with the proxy server’s address
  Protected computers never have a direct connection outside the network
  The proxy server intercepts requests (See Figure 5-15)
  Acts “on behalf of” the requesting client

Network Design
The key to effective network design is a single point of entry into a network
  Difficult to maintain
  Employees or others may bypass security by installing unauthorized entry points (See Figure 5-16)
Common design tools:
  Demilitarized Zones (DMZ)
  Virtual Private Networks (VPNs)

Network Design (continued)
Demilitarized Zones (DMZ)
  Another network that sits outside the secure network perimeter
  Outside users can access the DMZ, but not the secure network (See Figure 5-17)
Some DMZs use two firewalls (See Figure 5-18)
  This prevents outside users from even accessing the internal firewall
  Provides an additional layer of security

Network Design (continued)
Virtual Private Networks (VPNs)
  A secure network connection over a public network (See Figure 5-19)
  Allows mobile users to securely access information
  Sets up a unique connection called a tunnel

Network Design (continued)
Advantages of VPNs:
  Low cost
  Flexibility
  Security
  Standards

Network Design (continued)
Honeypots
  Computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations (See Figure 5-21)
  Intentionally configured with security holes
  Goals:
    Direct attacker’s attention away from real targets
    Examine the techniques used by hackers

Components of a WLAN
Wireless network interface card (WNIC)
  Card inserted into the wireless device that sends and receives signals from the access point
Access point (AP)
  Acts as the base station and is connected to the wired network
  Multiple access points allow ease of roaming (See Figure 5-22)

Security in a WLAN
WLANs include a different set of security issues
Steps to secure:
  Turn off broadcast information
  MAC address filtering
  WEP encryption
  Password protect the access point
  Physically secure the access point
  Use enhanced WLAN security standards whenever possible

Summary
A computer network allows users to share hardware, programs and data.
Two types of computer networks are:
  Local area network (LAN): computers all close together
  Wide area network (WAN): computers geographically dispersed
On most networks, each computer or device must be assigned a unique address called the IP address.

Summary (continued)
Hackers attack network perimeters in several ways:
  Denial of Service (DoS)
  Distributed Denial of Service (DDoS)
  Man-in-the-Middle
  Spoofing

Summary (continued)
There are devices that can be installed to make the network perimeter more secure.
  Firewalls
    Hardware or software based
  Intrusion-detection system (IDS)
    Host-based or network-based
  Network Address Translation (NAT)
  Proxy server

Summary (continued)
Network security can be enhanced by its design.
  Single point of entry is best, but hard to maintain
Technologies frequently used to enhance secure network design:
  Demilitarized zones (DMZ)
  Virtual private networks (VPNs)
  Honeypots

Summary (continued)
Wireless local area networks are becoming increasingly common.
Two basic components:
  Wireless network interface card (WNIC)
  Access point (AP)
Securing a WLAN requires additional steps beyond those required for a wired network.