1/28/2010 Network Plus Unit 5 – Section 1 Security.


Identify and Describe Security Risks
- People
- Transmissions
- Protocols
- Internet Access

Risks Associated with People
- Half of all security breaches
  - Human errors, ignorance, omissions
- Social engineering
  - Strategy to gain password
- Phishing
  - Glean access, authentication information
  - Pose as someone needing information

Risks Associated with Transmission and Hardware
- Physical, Data Link, Network layer security risks
  - Require more technical sophistication
- Risks inherent in network hardware and design
  - Transmission interception
    - Man-in-the-middle attack
  - Eavesdropping
    - Networks connecting to Internet via leased public lines
  - Sniffing
    - Network hubs broadcasting traffic over entire segment

Risks Associated with Transmission and Hardware (contd.)
- Risks inherent in network hardware and design (contd.)
  - Private address availability to outside
    - Routers not properly configured to mask internal subnets
  - Port access via port scanner
    - Unused hub, switch, router, server ports not secured
  - Router attack
    - Routers not configured to drop suspicious packets

Risks Associated with Transmission and Hardware (contd.)
- Risks inherent in network hardware and design (contd.)
  - Security holes
    - Modems accept incoming calls
    - Dial-in access servers not secured, monitored
  - General public computer access
    - Computers hosting sensitive data
  - Insecure passwords
    - Easily guessable, default values

Risks Associated with Protocols and Software
- Includes Transport, Session, Presentation, and Application layers
- Networking protocols and software risks
  - TCP/IP security flaws
  - NOS problems
    - Invalid trust relationships
    - NOS back doors, security flaws
    - NOS allows server operators to exit to command prompt
    - Administrators' default security options

Risks Associated with Internet Access
- Common Internet-related security issues
  - Improperly configured firewall
    - Outsiders obtain internal IP addresses: IP spoofing
  - Chat session flashing
  - Denial-of-service attack
    - Smurf attack: hacker issues flood of broadcast ping messages
  - Telnets or FTPs
    - Transmit user ID, password in plain text
  - Social media (Facebook, mailing lists, forums)
    - Provide hackers user information

Network Security Technology
- Router Access Lists
- Intruder Detection and Prevention
- Firewalls
- Proxy Servers

Security in Network Design: Router Access Lists
- Control traffic through routers
- Routers' main function
  - Examine packets, determine where to send
  - Based on Network layer addressing information
- ACL (access control list)
  - Known as access list
  - Routers decline to forward certain packets

Router Access Lists (contd.)
- ACL instructs router
  - Permit or deny traffic according to variables:
    - Network layer protocol (IP, ICMP)
    - Transport layer protocol (TCP, UDP)
    - Source IP address
    - Source netmask
    - Destination IP address
    - Destination netmask
    - TCP, UDP port number

Router Access Lists (contd.)
- Router receives packet, examines packet
  - Refers to ACL for permit, deny criteria
  - Drops packet if characteristics match
    - Flagged as deny
- Access list statements
  - Deny all traffic from source addresses
    - Netmask 255.255.255.255
  - Deny all traffic destined for TCP port 23
- Separate ACLs for:
  - Interfaces
  - Inbound and outbound traffic
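The following is an added worked example, not part of the course slides or the textbook, that models how a router walks an access list. It implements the two statements from the slide (deny one host identified by netmask 255.255.255.255, deny traffic to TCP port 23), applies a separate ACL per interface and direction, and shows the implicit deny that applies when no statement matches. All addresses, interface names and the rule syntax are constructed for the example and are not any vendor's configuration language.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a router ACL (not vendor configuration syntax).
# A rule matches on the variables the slides list: Network layer protocol,
# Transport layer protocol, source/destination address with netmask, and port.

@dataclass
class Packet:
    protocol: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # destination TCP/UDP port, None for ICMP

@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    protocol: str = "ip"           # "ip" matches any IP packet regardless of transport
    src: str = "0.0.0.0/0"         # address/netmask; 255.255.255.255 selects one host
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the list top to bottom; the first matching statement decides.
    A packet that matches nothing is dropped (implicit deny at the end)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# The two statements from the slide, then an explicit permit for everything else.
INBOUND_ACL = [
    Rule("deny", src="192.0.2.99/255.255.255.255"),   # one host, netmask 255.255.255.255
    Rule("deny", protocol="tcp", dport=23),           # no Telnet into this interface
    Rule("permit"),                                   # everything else is forwarded
]

class Interface:
    """Each interface carries its own inbound and outbound ACL."""
    def __init__(self, name: str, inbound: List[Rule] = (), outbound: List[Rule] = ()):
        self.name = name
        self.inbound = list(inbound)
        self.outbound = list(outbound)

    def filter(self, pkt: Packet, direction: str) -> str:
        acl = self.inbound if direction == "in" else self.outbound
        return evaluate(acl, pkt)

# Constructed WAN-facing interface: filtered inbound, unrestricted outbound.
WAN = Interface("serial0", inbound=INBOUND_ACL, outbound=[Rule("permit")])

def check_inbound(pkt: Packet) -> str:
    return WAN.filter(pkt, "in")

if __name__ == "__main__":
    samples = [
        Packet("tcp", "198.51.100.5", "10.0.0.7", 23),   # Telnet attempt
        Packet("udp", "192.0.2.99", "10.0.0.7", 53),     # anything from the denied host
        Packet("tcp", "198.51.100.5", "10.0.0.7", 80),   # ordinary web request
        Packet("icmp", "198.51.100.5", "10.0.0.7"),      # ping
    ]
    for p in samples:
        print(p, "->", check_inbound(p))
```

Order matters: because the first match wins, the `permit` statement must come last, and an ACL with no statements at all denies everything, which is why a newly applied empty list can cut off an interface.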

Intrusion Detection and Prevention
- Provides more proactive security measure
  - Detecting suspicious network activity
- IDS (intrusion detection system)
  - Software monitoring traffic
    - On dedicated IDS device
    - On another device performing other functions
  - Port mirroring
    - Port configured to send copy of all traffic to another port for monitoring purposes
  - Detects many suspicious traffic patterns
    - Denial-of-service, smurf attacks

Intrusion Detection and Prevention (contd.)
- DMZ (demilitarized zone)
  - Network's protective perimeter
  - IDS sensors installed at network edges
- IDS at DMZ drawback
  - Number of false positives logged
- IDS can only detect and log suspicious activity

DMZ
In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. An external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Intrusion Detection and Prevention (contd.)
- IPS (intrusion-prevention system)
  - Reacts to suspicious activity
    - When alerted
  - Detect threat and prevent traffic from flowing to network
    - Based on originating IP address
- Compared to firewalls
  - IPS originally designed as more comprehensive traffic analysis, protection tool
  - Differences now diminished
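As an added example (not from the course or the textbook), here is the detect-versus-react distinction from the IDS and IPS slides in code: a sensor reads a constructed sample of traffic copied to a mirror port, flags a source that sends a flood of broadcast ping messages (the smurf pattern named on the slides), and an IPS then stops further traffic from the originating address. The log format, the protected subnet, the threshold and all addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample of what a sensor on a mirror port would see.
# Format: "<ISO time> <proto> <src> -> <dst> <kind>"
MIRRORED = """\
2010-01-28T10:00:00 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:00 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:01 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:01 TCP 203.0.113.4 -> 10.0.0.7 syn
2010-01-28T10:00:01 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:02 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:02 ICMP 198.51.100.7 -> 10.0.0.255 echo-request
2010-01-28T10:00:05 ICMP 203.0.113.9 -> 10.0.0.255 echo-request
2010-01-28T10:00:06 ICMP 203.0.113.9 -> 10.0.0.7 echo-request
"""

PROTECTED = ipaddress.ip_network("10.0.0.0/24")   # the segment behind the sensor
THRESHOLD = 5      # broadcast echo requests from one source ...
WINDOW = 2.0       # ... within this many seconds raises an alert

def parse(line: str):
    ts, proto, src, _arrow, dst, kind = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, kind

def detect_smurf(log: str) -> Dict[str, int]:
    """Return {source: peak count} for sources whose broadcast pings reach
    THRESHOLD inside any WINDOW-second span. The IDS only detects and logs."""
    per_source: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        ts, proto, src, dst, kind = parse(line)
        if (proto == "ICMP" and kind == "echo-request"
                and ipaddress.ip_address(dst) == PROTECTED.broadcast_address):
            per_source[src].append(ts)
    alerts: Dict[str, int] = {}
    for src, times in per_source.items():
        times.sort()
        peak = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if (t - start).total_seconds() <= WINDOW)
            peak = max(peak, count)
        if peak >= THRESHOLD:
            alerts[src] = peak
    return alerts

class IPS:
    """An IPS reacts to the alert: traffic from the originating address is stopped."""
    def __init__(self) -> None:
        self.blocked = set()

    def react(self, alerts: Dict[str, int]) -> None:
        self.blocked.update(alerts)

    def allows(self, src: str) -> bool:
        return src not in self.blocked

def run() -> IPS:
    ips = IPS()
    ips.react(detect_smurf(MIRRORED))
    return ips

if __name__ == "__main__":
    print("alerts:", detect_smurf(MIRRORED))
    print("blocked:", run().blocked)
```

The single broadcast ping from 203.0.113.9 stays below the threshold and is only logged, which is the false-positive trade-off the slides mention: a lower threshold catches slower floods but also flags ordinary hosts.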

Intrusion Detection and Prevention (contd.)

Figure 12-2 Placement of an IDS/IPS on a network

Firewalls
- Specialized device and computer installed with specialized software
- Selectively filters, blocks traffic between networks
- Involves hardware, software combination
- Resides
  - Between two interconnected private networks
  - Between private network and public network (network-based firewall)
- Firewall default configuration
  - Block most common security threats
  - Preconfigured to accept, deny certain traffic types
  - Network administrators often customize settings

Firewalls (contd.)

Figure 12-3 Placement of a firewall between a private network and the Internet

Types of Firewalls
- Packet-filtering firewall (screening firewall)
  - Simplest firewall
  - Blocks traffic into LAN
    - Examines header
    - Checks for IP address, port number, IP header flags
  - Blocks traffic attempting to exit LAN
    - Stops spread of worms
    - Stops zombie programs/spyware
- Port blocking
  - Based on TCP or UDP port numbers
  - Prevents connection to and transmission completion through ports

Firewall Configuration
- Common packet-filtering firewall criteria
  - Source, destination IP addresses
  - Source, destination ports
  - Flags set in the IP header
  - Transmissions using UDP or ICMP protocols
  - Packet's status as first packet in new data stream, or subsequent packet
  - Packet's status as inbound to, or outbound from, private network
- Logging, auditing capabilities
- Protect internal LAN's address identity

Firewall Functions
- Firewall may have more complex functions
  - Encryption
  - User authentication
  - Central management
  - Easy rule establishment
  - Filtering
    - Content-filtering firewalls
    - Stateful: monitor data stream from end to end
    - Stateless firewall: block individual packets
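An added example, not from the slides or the textbook, that puts the "first packet in a new data stream" criterion and the stateful/stateless distinction side by side. The stateless filter judges each packet on its header alone, so to let replies to outbound requests back in it has to leave the ephemeral port range open inbound; the stateful firewall records each stream the inside started and admits only packets that reverse one of them. The packet model, addresses and port choices are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed packet model; not a real firewall implementation.
@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = leaving the private network, "in" = entering it
    syn: bool = False   # TCP SYN flag set (first packet of a new stream)
    ack: bool = False

def stateless_filter(p: Pkt) -> bool:
    """Block or pass individual packets on header fields only. To let replies
    to outbound requests back in, the whole ephemeral port range must be open
    inbound, and that also admits packets nobody inside asked for."""
    if p.direction == "out":
        return True
    if p.proto == "tcp" and p.dport == 80:
        return True                      # published web server
    return 1024 <= p.dport <= 65535      # hoped-for reply traffic

class StatefulFirewall:
    """Remembers each stream the inside started and admits only its replies."""
    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def check(self, p: Pkt) -> bool:
        if p.direction == "out":
            if p.proto == "udp" or (p.syn and not p.ack):
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))  # new stream
            return True
        if p.proto == "tcp" and p.dport == 80:
            return True                  # published web server
        if p.proto == "tcp" and p.syn and not p.ack:
            return False                 # a fresh SYN from outside is never a reply
        # An inbound packet is a reply only if it reverses a flow we recorded.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Returns {case: (stateless verdict, stateful verdict)} for constructed packets."""
    fw = StatefulFirewall()
    query = Pkt("udp", "10.0.0.5", 40000, "192.0.2.53", 53, "out")          # inside asks DNS
    reply = Pkt("udp", "192.0.2.53", 53, "10.0.0.5", 40000, "in")           # the answer
    unsolicited = Pkt("udp", "203.0.113.9", 4444, "10.0.0.5", 40000, "in")  # nobody asked
    scan = Pkt("tcp", "203.0.113.9", 5555, "10.0.0.5", 3389, "in", syn=True)
    results = {}
    for name, p in [("query", query), ("reply", reply),
                    ("unsolicited", unsolicited), ("scan", scan)]:
        results[name] = (stateless_filter(p), fw.check(p))
    return results

if __name__ == "__main__":
    for case, (stateless, stateful) in run_scenario().items():
        print(f"{case:12s} stateless={stateless} stateful={stateful}")
```

Both firewalls pass the query and its reply; only the stateful one refuses the unsolicited datagram and the inbound SYN to port 3389, because neither belongs to a stream that the private network opened. A production stateful firewall would also expire entries and track TCP teardown, which this model omits.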

Proxy Servers
- Proxy service
  - Network host software application
  - Intermediary between external, internal networks
  - Screens all incoming and outgoing traffic
- Proxy server
  - Network host running proxy service
  - Application layer gateway, application gateway, and proxy
  - Manages security at Application layer

Proxy Server Functions
- Security
  - Prevent outside world from discovering internal network addresses
- Improves performance
  - Caching files

Proxy Servers (contd.)

Figure 12-5 A proxy server used on a WAN

NOS (Network Operating System) Security
- Restrict user authorization
  - Centralized administration
    - Active Directory
- Secure access to server files and directories
  - Public rights
    - Conferred to all users
    - Very limited
- Keep software updated with latest patches
- Provide strong policies for passwords and logon restrictions

Logon Restrictions
- Additional restrictions
  - Time of day
  - Total time logged on
  - Source address
  - Unsuccessful logon attempts
- Secure password

Password Tips
- Change system default passwords
- Do not use familiar information or dictionary words
  - Dictionary attack
- Use long passwords
  - Letters, numbers, special characters
- Do not write down or share
- Change frequently
- Do not reuse
- Use different passwords for different applications
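As an added example covering both the logon-restriction slide and the password-tips slide (it is not code from the course or the textbook), this class enforces the listed logon restrictions (time of day, source address, lockout after unsuccessful attempts, total time logged on) and checks a candidate password against the listed tips (no system defaults, no dictionary words, length, mixed character classes, no reuse). The word lists, the permitted hours and address range, and the thresholds are constructed; a real NOS would load full dictionaries and store passwords with a slow salted hash.

```python
import hashlib
import ipaddress
from datetime import datetime
from typing import Dict, List

# Constructed word lists; a real deployment would load full dictionaries.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "secret"}
SYSTEM_DEFAULTS = {"admin", "changeme", "cisco", "password"}

class AccountPolicy:
    def __init__(self, hours=(8, 18), sources=("10.0.0.0/24",),
                 max_failures=3, max_session_hours=10, min_length=12, history=5):
        self.hours = hours                      # logon allowed from 08:00 up to 18:00
        self.sources = [ipaddress.ip_network(s) for s in sources]
        self.max_failures = max_failures
        self.max_session_hours = max_session_hours
        self.min_length = min_length
        self.history = history                  # how many old passwords to remember
        self.failures: Dict[str, int] = {}
        self.old_hashes: Dict[str, List[str]] = {}

    # ----- logon restrictions -----
    def logon_problems(self, user: str, when: datetime, source: str) -> List[str]:
        """Empty list means the logon may proceed to password verification."""
        problems = []
        if not (self.hours[0] <= when.hour < self.hours[1]):
            problems.append("outside permitted time of day")
        if not any(ipaddress.ip_address(source) in net for net in self.sources):
            problems.append("source address not permitted")
        if self.failures.get(user, 0) >= self.max_failures:
            problems.append("locked after unsuccessful logon attempts")
        return problems

    def record_failure(self, user: str) -> int:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user]

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def session_within_limit(self, started: datetime, now: datetime) -> bool:
        """Total time logged on must not exceed the configured maximum."""
        return (now - started).total_seconds() <= self.max_session_hours * 3600

    # ----- password tips -----
    def password_problems(self, user: str, candidate: str) -> List[str]:
        problems = []
        lower = candidate.lower()
        if lower in SYSTEM_DEFAULTS:
            problems.append("is a system default password")
        if any(word in lower for word in DICTIONARY_WORDS):
            problems.append("contains a dictionary word")
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = (any(c.isalpha() for c in candidate),
                   any(c.isdigit() for c in candidate),
                   any(not c.isalnum() for c in candidate))
        if not all(classes):
            problems.append("needs letters, numbers and special characters")
        if self._digest(candidate) in self.old_hashes.get(user, []):
            problems.append("was used recently")
        return problems

    def set_password(self, user: str, candidate: str) -> bool:
        if self.password_problems(user, candidate):
            return False
        hist = self.old_hashes.setdefault(user, [])
        hist.append(self._digest(candidate))
        del hist[:-self.history]          # keep only the most recent entries
        return True

    @staticmethod
    def _digest(candidate: str) -> str:
        # Plain SHA-256 is used here only to compare against history; a real
        # credential store would use a slow, salted password hash.
        return hashlib.sha256(candidate.encode()).hexdigest()

if __name__ == "__main__":
    policy = AccountPolicy()
    print(policy.password_problems("alice", "Password1!"))
    print(policy.logon_problems("alice", datetime(2010, 1, 28, 2, 0), "10.0.0.5"))
```

The failure counter is reset on a successful logon; without that reset a single attacker could keep a legitimate user locked out indefinitely, which is the usual tension between lockout and denial of service.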

Encryption
- Use of keys to scramble data to prevent eavesdropping
- Symmetric vs asymmetric keys
- Encryption systems

Encryption
- Use of algorithm
  - Scramble data
  - Format read by algorithm reversal (decryption)
- Purpose
  - Information privacy
- Key encryption
  - Based on number of bits
  - Strength of encryption doubles with each bit

Key Encryption

Figure 12-6 Key encryption and decryption

Private (Symmetric) Key Encryption
- Data encrypted using single key
  - Known by sender and receiver
- Symmetric encryption
  - Same key used during both encryption and decryption
- DES (Data Encryption Standard)
  - Most popular private key encryption
  - IBM developed (1970s)
  - 56-bit key: secure at the time
- Triple DES
  - Weaves 56-bit key three times

Symmetric Key Encryption

Private Key Encryption
- AES (Advanced Encryption Standard)
  - Weaves 128, 160, 192, 256 bit keys through data multiple times
  - Uses Rijndael algorithm
  - More secure than DES
  - Much faster than Triple DES
  - Replaced DES in high security level situations
- Private key encryption drawback
  - Sender must somehow share key with recipient

Public (Asymmetric) Key Encryption
- Data encrypted using two keys
  - Private key: user knows
  - Public key: anyone may request
- Public key server
  - Publicly accessible host
  - Freely provides users' public keys
- Key pair
  - Combination of public key and private key
- Asymmetric encryption
  - Requires two different keys

Figure 12-8 Public key encryption

Public Key Encryption
- PKI (Public Key Infrastructure)
- RC4
  - Key up to 2048 bits long
  - Highly secure, fast
  - E-mail, browser program use
    - Lotus Notes, Netscape
- Digital certificate
  - Password-protected, encrypted file
  - Holds identification information
  - Public key
- CA (certificate authority)
  - Issues, maintains digital certificates
  - Example: VeriSign
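An added example, not from the course or the textbook, that shows the three ideas on the encryption slides in running code: a symmetric cipher where one shared key both scrambles and unscrambles, an asymmetric key pair where the public key encrypts and only the private key decrypts, and how the second solves the drawback of the first (the sender wraps a fresh session key under the recipient's public key instead of having to share it out of band). The symmetric cipher is a constructed toy built from SHA-256, not DES or AES, and the RSA key uses two small fixed primes so that it fits on the page; neither is secure and both exist only to show the shapes involved.

```python
import hashlib
import secrets
from math import gcd
from typing import Tuple

# ----- Private (symmetric) key: one shared key, same operation both ways -----
# Constructed toy stream cipher built from SHA-256 in counter mode. It stands in
# for DES/AES only to show the shape of symmetric encryption; do not reuse it.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

sym_decrypt = sym_encrypt    # XOR with the same keystream reverses it

def key_space(bits: int) -> int:
    """Number of keys a brute-force search must try in the worst case;
    one more bit doubles it, which is the slide's 'doubles with each bit'."""
    return 2 ** bits

# ----- Public (asymmetric) key: a key pair, two different keys -----
# Textbook RSA with two fixed Mersenne primes (2^61-1 and 2^31-1), so n is about
# 92 bits: enough to wrap an 8-byte session key, far too small to be secure.
def rsa_keypair(p: int = 2**61 - 1, q: int = 2**31 - 1,
                e: int = 65537) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)          # private exponent (needs Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)

def rsa_encrypt(public: Tuple[int, int], m: int) -> int:
    n, e = public
    return pow(m, e, n)          # anyone holding the public key can do this

def rsa_decrypt(private: Tuple[int, int], c: int) -> int:
    n, d = private
    return pow(c, d, n)          # only the private key holder can do this

# ----- Removing the symmetric drawback: share the key under the public key -----
def send_private_message(recipient_public, plaintext: bytes) -> Tuple[int, bytes]:
    session_key = secrets.token_bytes(8)                      # fresh symmetric key
    wrapped_key = rsa_encrypt(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, sym_encrypt(session_key, plaintext)

def receive_private_message(recipient_private, wrapped_key: int, ciphertext: bytes) -> bytes:
    session_key = rsa_decrypt(recipient_private, wrapped_key).to_bytes(8, "big")
    return sym_decrypt(session_key, ciphertext)

if __name__ == "__main__":
    public, private = rsa_keypair()
    wrapped, ciphertext = send_private_message(public, b"meet at noon")
    print(ciphertext.hex())
    print(receive_private_message(private, wrapped, ciphertext))
```

Nothing secret travels with the message except the wrapped key, and only the holder of the private key can unwrap it; this is the same pattern SSL and PGP use, with real algorithms in place of the toys here.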

Data Encryption Systems
- Pretty Good Privacy (PGP): used with e-mail
- Secure Sockets Layer (SSL): used with HTTPS
- Secure Shell (SSH): replaces Telnet, uses SSL
- Secure Copy (SCP): replaces FTP, uses SSL
- IP Security (IPSec): used at Network layer with VPNs

PGP (Pretty Good Privacy)
- Secures e-mail transmissions
- Developed by Phil Zimmerman (1990s)
- Public key encryption system
  - Verifies e-mail sender authenticity
  - Encrypts e-mail data in transmission
- Administered at MIT
- Freely available
  - Open source and proprietary
- Also used to encrypt storage device data

SSL (Secure Sockets Layer)
- Encrypts TCP/IP transmissions
  - Web pages, data entered into Web forms
  - En route between client and server
  - Using public key encryption technology
- Web pages using HTTPS
  - HTTP over Secure Sockets Layer, HTTP Secure
  - Data transferred from server to client (and vice versa)
    - Using SSL encryption
- HTTPS uses TCP port 443
- Used by SSL VPNs

SSL (contd.)
- SSL session
  - Association between client and server
  - Specific set of encryption techniques
  - Created by SSL handshake protocol
    - Allows client and server to authenticate
- SSL
  - Netscape originally developed
  - IETF attempted to standardize
    - TLS (Transport Layer Security) protocol
- HTTPS
  - Based on SSL
  - Presentation layer encryption
  - Uses port 443
  - Browser may show padlock symbol or green color

SSH (Secure Shell)
- Collection of protocols
- Provides Telnet capabilities with security
- Guards against security threats
  - Unauthorized host access
  - IP spoofing
  - Interception of data in transit
  - DNS spoofing
- Encryption algorithm (depends on version)
  - DES, Triple DES, RSA, Kerberos

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
- Part of SSH, which runs on port 22
- SCP (Secure CoPy) utility
  - Extension to OpenSSH
  - Allows copying of files from one host to another securely
  - Replaces insecure file copy protocols (FTP)
    - Does not encrypt user names, passwords, data
- Proprietary SSH version (SSH Communications Security)
  - Requires SFTP (Secure File Transfer Protocol) to copy files
  - Slightly different from SCP (does more than copy files)

IPSec (Internet Protocol Security)
- Defines encryption, authentication, key management
- Works at Network layer for TCP/IP transmissions
- Native IPv6 standard
- Difference from other methods
  - Encrypts data by adding security information to all IP packet headers
  - Transforms data packets
- Operates at Network layer (Layer 3)
- Used by L2TP VPN connections

IPSec (contd.)

Figure 12-9 Placement of a VPN concentrator on a WAN

Network Authentication
- Allow a user to log in to a server or service without revealing the user's password to packet sniffers
- Requires some form of encryption
- Secure login systems

Authentication Protocols
- Authentication
  - Process of verifying a user's credentials
  - Grant user access to secured resources
- Authentication protocols
  - Rules computers follow to accomplish authentication
- Several authentication protocol types
  - RADIUS/TACACS
  - PAP
  - CHAP
  - EAP and 802.1x (EAPoL)
  - Kerberos

RADIUS and TACACS
- Provides centralized network authentication, accounting for multiple users
- Defined by IETF
- Runs over UDP
- RADIUS server
  - Central authentication of users
  - Does not replace functions performed by remote access server
- TACACS (Terminal Access Controller Access Control System)
  - Similar, earlier centralized authentication version

RADIUS and TACACS (contd.)

Figure 12-10 A RADIUS server providing centralized authentication

PAP (Password Authentication Protocol)
- PAP authentication protocol
  - Operates over PPP
  - Simple two-step authentication process
- Not secure
  - Sends client's credentials in clear text
  - Subject to eavesdropping and packet sniffing

PAP (contd.)

Figure 12-11 Two-step authentication used in PAP

CHAP (Challenge Handshake Authentication Protocol)
- Operates over PPP and encrypts user names, passwords
- Password never transmitted alone
- Password never transmitted in clear text
- Uses three-way handshake

Figure 12-12 Three-way handshake used in CHAP

MS-CHAP
- MS-CHAP (Microsoft Challenge Authentication Protocol)
  - Similar authentication protocol
  - Windows-based computers
- Potential CHAP, MS-CHAP authentication flaw
  - Eavesdropping could capture character string encrypted with password, then decrypt
- Solution
  - MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
  - Uses stronger encryption

CHAP and MS-CHAP (contd.)
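An added example, not from the course or the textbook, that plays out the PAP two-step exchange and the CHAP three-way handshake over a simulated link and records every message a packet sniffer on that link would see. CHAP's response value follows RFC 1994 (the MD5 digest of the identifier, the secret and the challenge); the user name, secret and message framing are constructed for the example, and the server-side `chap_verify` function is this example's own, not part of any PPP implementation.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed credential store on the authenticator (the server side of PPP).
SECRETS = {"alice": b"correct horse battery"}

def pap_exchange(user: str, password: bytes) -> Tuple[bool, List[bytes]]:
    """Two steps: the client sends its credentials, the server acks or naks."""
    wire = [b"PAP Authenticate-Request " + user.encode() + b":" + password]  # client -> server
    ok = SECRETS.get(user) == password
    wire.append(b"PAP Authenticate-Ack" if ok else b"PAP Authenticate-Nak")   # server -> client
    return ok, wire

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value as defined in RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    expected = chap_response(identifier, SECRETS.get(user, b""), challenge)
    return hmac.compare_digest(response, expected)

def chap_exchange(user: str, password: bytes,
                  challenge: Optional[bytes] = None) -> Tuple[bool, List[bytes]]:
    """Three-way handshake: Challenge, Response, Success/Failure."""
    identifier = 1
    challenge = challenge if challenge is not None else os.urandom(16)
    wire = [b"CHAP Challenge " + bytes([identifier]) + challenge]             # 1: server -> client
    response = chap_response(identifier, password, challenge)                # client uses its secret
    wire.append(b"CHAP Response " + bytes([identifier]) + response
                + b" " + user.encode())                                      # 2: client -> server
    ok = chap_verify(user, identifier, challenge, response)
    wire.append(b"CHAP Success" if ok else b"CHAP Failure")                  # 3: server -> client
    return ok, wire

def password_on_wire(wire: List[bytes], password: bytes) -> bool:
    """Would a sniffer on the link see the password itself?"""
    return any(password in message for message in wire)

def replay_is_rejected() -> bool:
    """A response captured in one session is useless against a fresh challenge."""
    captured = chap_response(1, SECRETS["alice"], b"A" * 16)   # seen in an earlier session
    return not chap_verify("alice", 1, os.urandom(16), captured)

if __name__ == "__main__":
    for name, fn in (("PAP", pap_exchange), ("CHAP", chap_exchange)):
        ok, wire = fn("alice", SECRETS["alice"])
        print(name, "ok:", ok, "password visible:", password_on_wire(wire, SECRETS["alice"]))
```

PAP puts the password itself on the link; CHAP puts only a digest that depends on a fresh challenge, which is why a captured response cannot simply be replayed. The slides' remaining concern, that an eavesdropper holding challenge and response can work back to the password, is exactly why MS-CHAPv2 and stronger methods replaced it.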

Figure 12-14 Windows Vista Advanced Security Settings dialog box

EAP (Extensible Authentication Protocol)
- Another authentication protocol
- Part of PPP suite
- Provides process to verify credentials of authorized client and server
- Works with other encryption, authentication schemes
- Requires authenticator to initiate authentication process
  - Asks connected computer to verify itself
- EAP's advantages: flexibility
  - Works with bio-recognition devices

802.1x (EAPoL)
- Codified by IEEE
- Specifies use of one of many authentication methods plus EAP
  - Grant access to and dynamically generate and update authentication keys for transmissions to a particular port
- Primarily used with wireless networks
  - Originally designed for wired LANs
- EAPoL (EAP over LAN)
  - Only defines process for authentication
  - Commonly used with RADIUS authentication
- Also called port-based authentication

802.1x (EAPoL) (contd.)

Figure 12-15 802.1x authentication process

Kerberos
- Cross-platform authentication protocol
- Uses private key encryption service called AS
- Verifies client identity
- Securely exchanges information after client logs on
- Terms
  - KDC (Key Distribution Center): issues key to client
  - AS (authentication service)
  - Ticket: used to prove identity of user has been validated
  - Principal
  - Ticket Granting Service (TGS): issues tickets to client

Kerberos TGS
- Original process
  - Kerberos AS issued separate ticket for each service accessed by client
- Ticket-Granting Service (TGS) added
  - AS issues Ticket-Granting Ticket (TGT)
  - TGT is used by client to get ticket from TGS for each service

Wireless Security Options

Wireless Network Security
- Wireless susceptible to eavesdropping
  - War driving
    - Effective for obtaining private information
- Forms of wireless encryption
  - WEP
  - 802.11i
    - Uses EAPoL
  - WPA, WPA2
    - Based on 802.11i

WEP (Wired Equivalent Privacy)
- 802.11 standard security
  - None by default
  - SSID: only item required
- WEP
  - Requires authentication to access WAP
  - Uses a single private key for entire session
  - Encrypts data in transit
  - Keys may be cracked using software
  - No longer considered secure from eavesdropping or packet sniffing

Figure 12-16 Entering a WEP key in the Windows XP wireless network properties dialog box

IEEE 802.11i and WPA (Wi-Fi Protected Access)
- 802.11i uses 802.1x (EAPoL)
  - Authenticates devices
  - Dynamically assigns every transmission its own key
  - Relies on TKIP
    - Encryption key generation, management scheme
  - Uses AES encryption
- WPA and WPA2
  - WPA (Wi-Fi Protected Access)
    - Subset of 802.11i
    - Same authentication as 802.11i
    - Uses RC4 encryption
    - Has been cracked
  - WPA2
    - Follows 802.11i
    - Uses AES security
    - Replaces WPA

Setting Wireless Security
