Chapter 12: LAN Security

Security Overview

• Security is not just protecting against hackers, but ensuring that your organization’s data retains its integrity.

• Ensuring integrity means that the organization’s data is not corrupted, inappropriately accessed, modified, or deleted.

• When considering security, you must consider all threats to your organization’s network.

• Be reasonable in your actions. Don’t spend $10,000 protecting a $500 resource.

Threat OverviewComputer Viruses. Can infect all computers on a LAN very quickly. Often arrive via e-mail, but also can enter the network via infected files brought in from user’s infected home computer. Viruses require user intervention to replicate.

Computer Worms. Similar to viruses except that they do not require user intervention and can replicate automatically.

Hacker/Attacker. An unauthorized user who attempts to exploit a weakness in LAN security. Hackers can be bored 13-year-olds or professionals attempting to steal company secrets.

Threat OverviewSystems Administrators. Have access to everything on the network and can accidentally do damage to the network. Strong auditing policies that report on administrator activities are important.

End users. Can deliberately or unintentionally damage equipment or data. Might install unauthorized programs.

Environment. Flood, earthquake, fire, tsunami. What happens to your organization’s data if the building catches fire?

Security Policies• The more secure something is, the more inconvenient it is to access. When securing company assets, you must also consider the

needs of the everyday user. Users will not want to type in five passwords to open their e-mail.

• Determine the value and vulnerability of your organization’s IT assets. A server hosting the company’s intranet is less valuable

than the server hosting the company’s accounting database. A server protected by a firewalled network and strong passwords is

vulnerable if it is housed underneath your cubicle desk where anyone can open it and walk away with the hard disk drive after hours.

Security Policies• Spend money wisely. Don’t spend $10,000 dollars protecting a $500 asset.

• Ensure that users are aware of the network rules. It is more difficult to discipline an employee for surfing pornographic Web sites if

there is no organizational policy on Web browsing. Have them sign some form of acceptable use policy as part of indoctrination when they are hired.

• Store usage policy on the company intranet server where it can be easily accessed.

Firewalls• A firewall is a system designed to prevent unauthorized access to

internal network systems.

• Packet filter firewalls filter traffic at either Layer 3 or Layer 4 of the OSI model.

For example: You could allow HTTP traffic from a particular range of IP addresses and deny HTTP traffic from all others.

Alternatively, you could block all traffic from a particular IP address range.

Firewalls• When a firewall blocks traffic, it can either drop or reject a packet.

Rejecting a packet sends information back to the sender. As this can provide information about your firewall it is safest to simply drop the packets.

• Stateful inspection firewall examines all aspects of the data including packet header information, fragmentation, and arrival and departure time. Requires more processing power than packet filter firewalls.

Hardware vs. Software Firewalls

• Hardware firewalls are purpose built appliances that are built specifically to function as firewalls.

• Often very fast as their design is optimized for the firewall function.

• Do not integrate well with other network resources. Limited reporting functionality.

• Software firewalls run on top of a server operating system such as Windows or Linux.

Hardware vs. Software Firewalls

• Can be expensive as you must pay for the computer, operating system, and firewall software.

• Can integrate well with other network resources. Can have extensive reporting functionality.

For example: Microsoft ISA Server 2004 is integrated with Active Directory and can restrict traffic based on user group membership and provide administrators with user-based security statistics.

DMZ• A DMZ (also known as a Screened Subnet) is a special network

that sits between an internal and an external firewall.

• Firewalls are configured so that traffic from the external network can only reach the DMZ network. Traffic from the internal

network can only reach the DMZ network. Traffic can not pass directly from Internal network to external network.

• Two firewall approach means that if host on DMZ is compromised, network is still protected.

• DMZ can also be implemented using a single server with 3 network cards. Less secure than two firewall approach.

Physical Security• Important network devices, such as servers and switches need to be

behind lock and key.

• Always assume that if someone can physically get to the computer, they can retrieve any data off it. Even if that requires a screwdriver to remove the hard disk drive.

• Use smart cards to log access to the server room and limit access. Almost all administration duties can be performed remotely over the network, so it should be rare for people to enter the network room.

• Ensure that your server room is air conditioned. Servers that overheat can crash.

• Use a sophisticated fire protection system for the server room. Spending money on a halon system is better than spending money

replacing servers destroyed by the sprinkler system accidentally going off.

Wireless Networks• Wireless networks, though convenient, are inherently insecure.

• Wireless network transmissions can allow your network to be accessed via the company car park.

• WEP is one solution, though even a long WEP

key can be cracked given a few hours.

• Consider using IPSec to more robustly encrypt

network transmissions.

• Place the wireless network users behind a firewall.

Password Security• Password security requires having passwords that are difficult for

another user to guess.

• Passwords should be changed regularly. Enforce a password history so that users cannot use prior passwords. Ensure that a minimum of 24 hours passes before a user can change their password, otherwise they will change it several times to get back to

their original password.

• Your password policy should not be so onerous that users paste notes to their monitor to remember their latest password.

Password Security• Passwords should be complex and involve numbers, mixed case,

and special characters such as !@#$%^&*.

• Be careful about resetting user passwords over the phone. A common infiltration technique is to visit a person’s desk when they are away from the day and ring the help desk from their extension complaining that they are the person and that they have forgotten their password. The help desk tech, seeing that the extension matches the user, resets the password and the infiltrator gains access.

Backing Up Data• Backups should be taken every day.

• Backup media should be stored in a safe location, away from the server room. Backup media contains all your

organization’s files. Why hack a server when you can get all of the organization’s data from a backup tape sitting on the shelf in the Administrator’s cubicle?

• Full backups back up all files.

• Differential backup back up all files since the last full backup.

• Incremental backups back up all files since the last full or incremental backup.

Audit Policy• Auditing is a way of keeping records of events.

• You can audit almost everything, but you should not because then searching for unusual events may be like searching for a needle in a haystack.

• Audit failures as successes are common. Repeated failed logons indicate that something suspicious might be happening. Repeated successful logons are quite normal.

• Audit account management activity. You should have a record of which members of the administrative team are creating accounts and changing passwords. Some administrators create backdoor

administrative accounts if they suspect that they are about to be fired.

• Store auditing records in a safe location where they can’t be modified by someone trying to hide their tracks.

Summary• Security is not just protecting against hackers, but ensuring that

your organization’s data retains its integrity.

• Ensuring integrity means that the organization’s data is not corrupted, inappropriately accessed, modified, or deleted.

• Be reasonable in your actions. Don’t spend $10,000 protecting a $500 resource.

• Important network devices, such as servers and switches need to be behind lock and key. Always assume that if someone can

physically get to the computer, they can retrieve any data off it.

Summary• Use smart cards to log access to the server room and limit access.

Almost all administration duties can be performed remotely over the network, so it should be rare for people to enter the server

room.

• Hardware firewalls are purpose built appliances that are built specifically to function as firewalls.

• Software firewalls run on top of a server operating system such as Windows or Linux.

Discussion Questions Why should you be careful about resetting user passwords

over the phone?

What steps can you take to secure your wireless network against unauthorized access?

Where should you keep your backup media?

What is the difference between an incremental and a differential backup?

How does a DMZ work?