Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg
Networking Concepts – Eric Vanderburg ©2005
Chapter 10 Appendix
Security
Security
- Know the costs: costs due to loss of data, costs of downtime, cost of implementing security measures
- Physical access must be protected first
- Share-oriented security (Win9x) vs. user-oriented security (Win2k, 2k3, XP)
Security
- Securing data: make it safe from intruders; make sure damaged data can be replaced
- Plan for network security: identify threats; communicate with other managers in the office to make sure the security system meets their needs (it is not only about IT; think of the users)
Windows Security Features
- Kerberos
- PKI (Public Key Infrastructure)
- Group Policy
- VPN (Virtual Private Network)
- IPSec (IP Security)
Windows 2003
- CLR (Common Language Runtime) – reduces bugs that leave Windows vulnerable by reducing the power of individual programs, placing them under the control of the OS.
- IIS 6.0 – configured for maximum security by default and disabled by default.
- Unsecured clients cannot log in – Windows 95, and NT prior to SP4, cannot log in to a Windows 2003 domain by default; certificates and encryption are required of all clients.
Kerberos
- Authentication method (Win2k and 2k3 default)
- Based on RFC 1510; uses Kerberos version 5
- Replaces NTLM (NT LAN Manager) and NTLMv2, which are still used with pre-2k clients
Kerberos Components
- KDC (Key Distribution Center), consisting of:
  - AS (Authentication Service) – verifies identity through AD and issues a TGT (Ticket Granting Ticket), which grants access to certain resources
  - TGS (Ticket-Granting Service) – verifies the TGT and creates a service ticket and session key for a resource based on it. The client can present the service ticket to another server to access its content. NOTE: servers have tickets too. The TGS only services its own domain; for interdomain resource access it must refer the client to another TGS (gives a referral ticket)
- Client
- Server with the desired resource
(Diagram: client, KDC, and the server with the desired resource)
Items of Note
- Delegation with forwarding and proxy – lets a server, such as a database server, access resources on your behalf (it is given a proxy or forwarding ticket).
- NTP (Network Time Protocol) is used to synchronize time between machines. Kerberos keys and tickets depend on system time, so all clocks must match.
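The AS/TGS exchange from the two Kerberos slides above, as an added Python simulation (not code from the course or from Windows): the KDC issues a TGT, then a service ticket the resource server can open without contacting the KDC, and the TGS rejects an authenticator whose timestamp falls outside the allowed clock skew, which is why NTP matters. The sealing routine is a deliberately simple stand-in for Kerberos' real ciphers, and the principal names, secrets and MAX_SKEW are constructed values.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; authenticators outside this window are rejected, hence NTP

# Toy sealing, NOT Kerberos' real cipher: XOR with a SHA-256 keystream plus an HMAC tag.
def _ks(key, n):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # only a holder of `key` can read or forge what comes back
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct)))))

def key_of(secret):  # long-term key derived from a user password or service secret
    return hashlib.sha256(secret.encode()).digest()

class KDC:  # AS and TGS for one domain; "krbtgt" is the TGS's own key (constructed)
    def __init__(self, principals):
        self.keys = {name: key_of(s) for name, s in principals.items()}
        self.keys["krbtgt"] = key_of("krbtgt-secret-constructed")

    def authn_service(self, user, now):
        # AS: reply sealed under the user's key, so only the real user gets the session key
        skey = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "skey": skey, "issued": now})
        return tgt, seal(self.keys[user], {"skey": skey})

    def ticket_granting_service(self, tgt, authenticator, service, now):
        # TGS: open the TGT, then the authenticator, then check clock skew
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if abs(now - a["ts"]) > MAX_SKEW:
            raise ValueError("clock skew too large: synchronize with NTP")
        sess = os.urandom(32).hex()
        st = seal(self.keys[service], {"user": t["user"], "sess": sess, "issued": now})
        return st, seal(bytes.fromhex(t["skey"]), {"sess": sess})

def access_resource(kdc, user, password, service, service_secret, client_clock, kdc_clock):
    # Full flow: AS exchange, TGS exchange, then the resource server opens the ticket
    tgt, reply = kdc.authn_service(user, kdc_clock)
    skey = bytes.fromhex(unseal(key_of(password), reply)["skey"])  # wrong password fails here
    authenticator = seal(skey, {"user": user, "ts": client_clock})
    st, _ = kdc.ticket_granting_service(tgt, authenticator, service, kdc_clock)
    return unseal(key_of(service_secret), st)["user"]  # the server needs no KDC call
```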
PKI
Deploying a PKI allows you to perform tasks such as:
- Digitally signing files (documents and applications)
- Securing e-mail
- Enabling secure connections between computers
- Better user authentication (smart cards)
Certificates
- Digital certificates – electronic credentials, consisting of public keys, which are used to sign and encrypt data.
- Certificate vendors: Entrust, VeriSign
(Screenshot: Select CA Role)
Certificates
- Create certificate templates so subordinates can issue certs
(Screenshots: Certificate Details, Certificate Template)
Certificates
- CA (Certification Authority) – issues digital certificates. CAs form a hierarchy:
  - Root CA
  - Subordinate CA: intermediate CA, issuing CA
  - Rudimentary CA – restricted to issuing certain certs
Certificates
- Certificate policy and practice statements – the two documents that outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.
- Certificate repositories – where certificates are stored and published (AD).
- CRL (Certificate Revocation List) – list of certificates that have been revoked before reaching their scheduled expiration date.
- CTL (Certificate Trust List) – the list of certificates you trust. If you trust a root, you trust all certs issued under that root.
- View issued certs from the Certificates MMC; double-click to see a cert.
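Chain building against the CA hierarchy, CRL and CTL described on the certificate slides above, as an added Python example (not the course's code and not Windows' certificate engine): a certificate is walked issuer by issuer to a root, and it is trusted only if nothing on the path is expired or revoked and the root is in the CTL. Signature checking is assumed to have been done already; the CA names, serials, templates and dates are constructed. It goes one step beyond the slides by also enforcing the template restriction of a rudimentary CA.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Cert:
    serial: str
    subject: str
    issuer: str                       # subject of the signing CA; a root is self-issued
    not_after: date
    is_ca: bool = False
    template: str = "User"            # template the cert was issued from
    allowed: frozenset = frozenset()  # restricted CA: the only templates it may issue
# Constructed hierarchy (root -> intermediate -> issuing CAs -> end entities); all made up.
CERTS = {c.serial: c for c in [
    Cert("01", "Corp Root CA", "Corp Root CA", date(2030, 1, 1), True, "CA"),
    Cert("02", "Corp Intermediate CA", "Corp Root CA", date(2028, 1, 1), True, "CA"),
    Cert("03", "Corp Issuing CA", "Corp Intermediate CA", date(2027, 1, 1), True, "CA"),
    Cert("04", "Smartcard CA", "Corp Intermediate CA", date(2027, 1, 1), True, "CA",
         frozenset({"SmartcardLogon"})),   # rudimentary CA, restricted to one template
    Cert("05", "Other Root CA", "Other Root CA", date(2030, 1, 1), True, "CA"),
    Cert("10", "alice", "Corp Issuing CA", date(2026, 1, 1)),
    Cert("11", "bob", "Corp Issuing CA", date(2026, 1, 1)),          # will be revoked
    Cert("12", "carol", "Smartcard CA", date(2026, 1, 1)),           # template not allowed
    Cert("13", "dave", "Smartcard CA", date(2024, 1, 1), template="SmartcardLogon"),  # expired
    Cert("20", "mallory", "Other Root CA", date(2026, 1, 1)),        # root not in CTL
]}
CTL = {"Corp Root CA"}              # roots this machine trusts (trust the root, trust its tree)
CRL = {"Corp Issuing CA": {"11"}}   # serials revoked before expiry, published per issuing CA
TODAY = date(2025, 6, 1)            # constructed "current date" for the checks below

def validate(serial, today=TODAY, ctl=CTL, crl=CRL):
    """Walk issuer links to a trusted root; returns (True, chain) or (False, reason)."""
    cert, chain = CERTS.get(serial), []
    if cert is None:
        return False, f"serial {serial} not found in the repository"
    while True:
        chain.append(cert.subject)
        if today > cert.not_after:
            return False, f"{cert.subject}: expired {cert.not_after}"
        if cert.serial in crl.get(cert.issuer, set()):
            return False, f"{cert.subject}: revoked by {cert.issuer}"
        if cert.subject == cert.issuer:  # reached a root: trusted only if it is in the CTL
            return (True, chain) if cert.subject in ctl else (False, f"{cert.subject}: root not in CTL")
        parent = next((c for c in CERTS.values() if c.subject == cert.issuer), None)
        if parent is None or not parent.is_ca:
            return False, f"{cert.subject}: issuer {cert.issuer} unknown or not a CA"
        if parent.allowed and cert.template not in parent.allowed:
            return False, f"{parent.subject}: not permitted to issue {cert.template} certs"
        cert = parent
```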
Certificate Server Role
- Publish certificates – the PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates.
- Enroll clients – users, services, or computers request and receive certificates from an issuing CA or a Registration Authority (RA). The CA/RA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate.
- Publish CRL and CTL – users need to know which certificates are revoked and which servers are trusted by their CA.
- Renew or revoke certificates
Group Policy
- Open the Group Policy MMC or the AD Users & Computers MMC
- Select your group policy
- Edit as needed
(Screenshots: Group Policy MMC, AD Users & Computers MMC)
Group Policy
- Double-click an item to edit its properties
(Screenshot: Properties)
VPN
- Encapsulates and encrypts one packet inside another
- Server to server – connecting LANs
- Client to server – remote users and extranet
VPN Protocols
- L2TP (Layer 2 Tunneling Protocol)
  - Encrypts with IPSec
  - Works over many protocols (X.25, ATM, IP, Frame Relay)
- PPTP (Point to Point Tunneling Protocol)
  - Encrypts with MPPE (Microsoft Point to Point Encryption) – 40, 56, or 128-bit
  - Authenticates with PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MS-CHAP, or EAP
  - Works only over IP
VPN Advantages
- Distance is not a concern
- More scalable – bandwidth can be adjusted to match use
- Less reliant on expensive modem pools
IPSec
- Tunnel mode – encrypts the header and the payload of each packet
- Transport mode – encrypts the payload only
- All systems must be IPSec compliant
- Authentication (integrity hashing): SHA (Secure Hash Algorithm) – 160-bit, high overhead; MD5 (Message Digest 5) – 128-bit
- Data encryption: DES (Data Encryption Standard) – 56-bit; 3DES (Triple DES) – high processor overhead; AES
- IPv6 has IPSec built in
IPSec
IPSec filter actions specify what type of traffic a machine will accept:
- Permit (unsecured packets are sent)
- Request Security (IPSec-encrypted packets are preferred, but plaintext is allowed)
- Require Security (packets must be encrypted)
Security
- Firewalls
- IDS
- Honeypot
- Malicious code
- Wireless
A "hardened" OS is one that has been made as secure as possible.
Hardware Firewalls
- Screened host – a hardware firewall filters packets and ports; a bastion host does application filtering (NAT or proxy)
- Multiple DMZ – each section has its own set of firewalls and DMZ separating it from the others
- Screened subnet/DMZ (Demilitarized Zone) – put externally accessible machines in between two firewalls
- Screening router – filters packets and closes ports
Hardware Requirements
- Storage – large amounts of log files will be kept on this computer, so it needs a large amount of storage
- Processor – this computer will be analyzing many packets
- 2 NICs – must be able to connect the outside with the inside
Software Firewalls
- Most are cumbersome to configure and control
- Inexpensive extra layer of protection
- The firewall places itself between the NIC and the TCP/IP stack
- Vendors: Windows Firewall (built-in), Novell BorderManager (built-in), Macintosh firewall (built-in), Norton Internet Security, BlackICE, ZoneAlarm
Firewalls (cont.)
- Multiple firewalls can be used for load balancing
(Screenshots: Windows Firewall, ZoneAlarm)
IDS (Intrusion Detection System)
- NIDS (Network IDS) – analyzes network traffic
- HIDS (Host IDS) – analyzes traffic sent only to its host
- LIDS (Linux IDS) – open source IDS for Linux clients or servers (http://www.lids.org/)
- Looks at network or host traffic based on rules to determine whether an attack is in progress
- The IDS can be configured to respond accordingly, e.g. close ports, ban IP addresses, alert admins, close shares, disable accounts, etc.
- Examples: Snort
Rules
- Rule base – the set of rules that tells the firewall or IDS what action to take when types of traffic flow through it. It should be based on the security policy.
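A first-match rule base with the "ban IP address" IDS response from the two slides above, as an added Python example (not code from the course or from any product named on the slides): packets are evaluated top-down against rules derived from a policy, anything unmatched is denied, and a source that keeps triggering the alert rule is banned for the rest of the run. The rules, threshold and sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed rule base from a made-up policy: public web allowed from anywhere, remote
# desktop only from the internal network, RDP attempts from outside raise an alert.
# Rules are evaluated top-down, first match wins, and anything unmatched is denied.
RULES = [
    {"name": "web-in",       "proto": "tcp",  "dst_port": 80,   "src": "0.0.0.0/0",  "action": "permit"},
    {"name": "rdp-internal", "proto": "tcp",  "dst_port": 3389, "src": "10.0.0.0/8", "action": "permit"},
    {"name": "rdp-external", "proto": "tcp",  "dst_port": 3389, "src": "0.0.0.0/0",  "action": "alert"},
    {"name": "ping",         "proto": "icmp", "dst_port": None, "src": "0.0.0.0/0",  "action": "permit"},
]
BAN_AFTER = 3  # IDS response: alerts from one source before that address is banned

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and rule["dst_port"] in (None, pkt["dst_port"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"]))

def evaluate(pkt, rules=RULES):
    """Return (action, rule name) for one packet; the implicit last rule is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["name"]
    return "deny", "default-deny"

def run_ids(packets, rules=RULES, ban_after=BAN_AFTER):
    """Feed packets through the rule base and apply the 'ban IP address' response."""
    alerts, banned, log = Counter(), set(), []
    for pkt in packets:
        if pkt["src"] in banned:
            log.append((pkt["src"], "deny", "banned-source"))
            continue
        action, name = evaluate(pkt, rules)
        if action == "alert":
            alerts[pkt["src"]] += 1
            if alerts[pkt["src"]] >= ban_after:
                banned.add(pkt["src"])   # response: later packets from this source are dropped
        log.append((pkt["src"], action, name))
    return log, banned

# Constructed sample traffic (documentation address ranges, not real hosts)
SAMPLE = (
    [{"src": "203.0.113.5", "proto": "tcp", "dst_port": 80}]
    + [{"src": "10.1.2.3", "proto": "tcp", "dst_port": 3389}]
    + [{"src": "198.51.100.7", "proto": "tcp", "dst_port": 3389}] * 3
    + [{"src": "198.51.100.7", "proto": "tcp", "dst_port": 80}]
    + [{"src": "203.0.113.5", "proto": "udp", "dst_port": 53}]
)
```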
Honeypot
- A lure for a hacker; wastes the hacker's time
- A fake computer or network behind security barriers
- Can be analyzed to view attack methods and improve security: identify what they are after, what their skill level is, and what tools they use
Malicious Code
- Virus – a self-replicating code segment which is attached to an executable. When the program is started, the virus code may also run. If possible, the virus will replicate by attaching a copy of itself to another file. A virus may also have an additional "payload" that runs when specific conditions are met.
- Trojan horse – malicious code pretending to be a legitimate application. The user believes they are running an innocent application when the program is actually initiating its ulterior activities. Trojan horses do not replicate.
- Worm – a self-replicating program that does not require a host program; it creates a copy of itself and causes it to execute, with no user intervention required. Worms commonly use network services to propagate to other computer systems.
- Spyware – a program that secretly monitors your actions. It could be a remote control program used by a hacker, or it could be used to gather data about users for advertising, aggregation/research, or preliminary information for an attack. Some spyware is configured to download other programs onto the computer.
Viruses
Implement virus protection at these locations:
- Workstation – protects a single computer by scanning files from the server or e-mail messages
- Server – scans data read from or written to the server; prevents a virus on the server from spreading throughout the network
- Internet gateway – scans all Web browser, FTP, and e-mail traffic; stops viruses before they enter the network, and keeps you from infecting those visiting your website
Wireless Security
- Site survey – adjust location and range so that wireless access extends only to the business's borders
- Passwords should be changed, and so should WEP keys. WEP should be enabled.
- Filter MACs
- Disable SSID broadcasting
Hardening
- Remove unneeded services
- Close unused ports
- Remove unused user accounts
Auditing
- Records certain actions for security and troubleshooting: failed access, granted access
- Use auditing sparingly – it uses resources, and more audit data is harder to use effectively
Enabling Auditing
- Administrative Tools > Local Security Policy > Local Policies > Audit Policy
- Double-click the policy that you want to enable or disable.
- Check Success (an audited security access attempt that succeeds) and/or Failure (an audited security access attempt that fails).