Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg

Networking Concepts – Eric Vanderburg ©2005

Chapter 10 Appendix

Security


Security

Know the costsCosts due to loss of dataCosts of downtimeCost of implementing security measures

Physical must be protected firstShare oriented security (Win9x)User oriented security (Win2k, 2k3, XP)


Security

Securing dataMake it safe from intrudersMake sure damaged data can be replaced

Plan for network security Identify threatsCommunicate with other managers in office

to make sure security system meets needs (it is not only about IT & think of the users)


Windows Security Features

KerberosPKI (Public Key Infrastructure)Group PolicyVPN (Virtual Private Network)IPSec (IP Security)


Windows 2003

CLR (Command Language Runtime) – reduces bugs that leave Windows vulnerable by reducing the power of individual programs, placing them under the control of the OS.

IIS 6.0 – configured for maximum security by default & disabled by default

Unsecured clients cannot login – Windows 95, and NT prior to SP4 cannot login to Windows 2003 domain by default; certificates and encryption required by all clients


Kerberos

Authentication Method (Win2k &2k3 default)

Based on RFC 1510Uses Kerberos version 5Replaces NTLM (NT LAN Manager) &

NTLMv2 – still used with pre 2k clients


Kerberos Components

KDC (Key Distribution Center) AS (Authentication Service)

Verifies identity through AD Gives TGT (Ticket Granting Ticket) which gives access to certain

resources TGS (Ticket-Granting Service)

Verifies TGT Creates a service ticket & session key for a resource based on

TGT. Client can present the service ticket to another server to access it’s content. NOTE: Servers have tickets too.

Only services it’s own domain. Must refer to another TGS for interdomain resource access (gives referral ticket)

Server with the desired resource Client


Items of Note

Delegation with Forwarding and Proxy - For a server such as a database server to access resources on your behalf. (given proxy or forwarding ticket)

NTP (Network Time Protocol) is used to synchronize time between machines. Keys are based on system time so all must be the same.


PKI

Deploying a PKI allows you to perform tasks such as:Digitally signing files (documents and

applications)Securing e-mail Enabling secure connections between

computers, Better user authentication (smart cards)


Certificates Digital certificates -

Electronic credentials, consisting of public keys, which are used to sign and encrypt data.

Certificate Vendors: Entrust, Verisign

Select CA Role


Certificates

Create certificate templates so subordinates can issue certs

Certificate Details

Certificate Template


Certificates

CA (Certification Authority)Issues digital certificates. Form a hierarchyRoot CASubordinate CA

Intermediate CAIssuing CARudimentary CA

restricted to issuing certain certs


Certificates Certificate policy and practice statements The two documents that

outline how the CA and its certificates are to be used, the degree of trust that can be placed in these certificates, legal liabilities if the trust is broken, and so on.

Certificate repositories - Where certificates are stored and published. (AD)

CRL (Certificate Revocation List) - List of certificates that have been revoked before reaching the scheduled expiration date

CTL (Certificate Trust List) - The list of the certificates you trust. If you trust a root, you trust all certs from that root.

View issued certs from Certificates MMC

Double click to see cert


Certificate Server Role

Publish certificates - The PKI administrator makes certificate templates available to clients (users, services, applications, and computers) and enables additional CAs to issue certificates.

Enroll clients - Users, services, or computers request and receive certificates from an issuing CA or a Registration Authority (RA). The CA\RA administrator or enrollment agent uses the information provided to authenticate the identity of the requester before issuing a certificate.

Publish CRL & CTL - Users need to know which certificates are revokes and which servers are trusted by their CA.

Renew or revoke certificates


Group Policy

Group Policy MMC

AD Users & Computers MMC

Select your group policy

Edit as needed


Group Policy

Double click an item to edit the properties for it

Properties


VPN

Encapsulates & encrypt one packet inside another

Server to Server - Connecting LANsClient to Server - Remote users &

Extranet


VPN Protocols

L2TP (Layer 2 Tunneling Protocol) Encrypts with IPSec Works on many protocols (X.25, ATM, IP, Frame

Relay) PPTP (Point to Point Tunneling Protocol)

Encrypts with MPPE (Microsoft Point to Point Encryption) - 40, 56, or 128bit

Authenticates with PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP, or EAP

Works only over IP


VPN Advantages

Distance is not a concern More scalable - can adjust bandwidth to use Less reliant on expensive modem pools


IPSec

Tunnel - encrypts the header and the payload of each packet

Transport - encrypts the payload only. All systems must be IPSec compliant Encryption

Authentication Encryption SHA (Secure Hash Algorithm) - 160bit, high overhead. MD5 (Message Digest 5) - 128bit

Data Encryption DES (Data Encryption Standard) 56bit 3DES (Triple DES) - high processor overhead AES

IPv6 has IPSec built-in


IPSec

IPSec filters specifies what type of traffic will be accepted by a machinePermit (unsecured packets sent)Request Security (Preference is IPSec

encrypted packets but plaintext is allowed)Require Security (Packets must be

encrypted)


Security

FirewallsIDSHoneypotMalicious CodeWirelessA “hardened” OS is one

that has been made as secure as possible


Hardware FirewallsScreened host - hardware firewall filters packets & ports. Bastion host does application filtering. NAT or proxy

Multiple DMZ – each section has its own set of firewalls and DMZ separating it from the others

Screened Subnet/DMZ (Demilitarized Zone) – put external access machines in between 2 firewalls

Screening Router - filters packets & closes ports


Hardware requirements

Storage – large amounts of log files will be present on this computer so there must be a large amount of storage

Processor – this computer will be analyzing many packets

2 NICs – must be able to connect the outside with the inside


Software Firewalls

Most are cumbersome to configure and control Inexpensive extra layer of protection Firewall places itself in between the NIC and

the TCP/IP stack Vendors

Windows Firewall (built-in) Novell Border Manager (built-in) Macintosh Firewall (built-in) Norton Internet Security BlackIce ZoneAlarm


Firewalls (cont)

Multiple firewalls can be used for load balancing


Firewalls

Windows Firewall

ZoneAlarm


IDS (Intrusion Detection System)

NIDS (Network IDS) – analyzes network traffic HIDS (Host IDS) – analyzes traffic sent only to its host LIDS (Linux IDS) – Open source IDS for linux clients

or servers (http://www.lids.org/) Looks at network or host traffic based on rules to

determine whether an attack is in progress The IDS can be configured to respond accordingly ex:

close ports, ban IP addresses, alert admins, close shares, disable accounts, ect..

Examples: snort

http://www.lids.org/


Rules

Rule base – set of rules that tell the firewall or IDS what action to take when types of traffic flow through it. Should be based on security policy


Honeypot

A lure for a hackerWastes the hackers timeFake computer or network behind

security barriersCan be analyzed to view attack methods

and improve security. Identify what they are after, what is their skill level, and what tools they use.


Malicious Code

Virus - self-replicating code segment which is be attached to an executable. When the program is started, the virus code may also run. If possible, the virus will replicate by attaching a copy of itself to another file. A virus may also have an additional ``payload'' that runs when specific conditions are met.

Trojan horse - malicious code pretending to be a legitimate application. The user believes they are running an innocent application when the program is actually initiating its ulterior activities. Trojan horses do not replicate.

Worm - self-replicating program, does not require a host program, creates a copy and causes it to execute; no user intervention is required. Worms commonly utilize network services to propagate to other computer systems

Spyware - a program that secretly monitors your actions. Could be a remote control program used by a hacker, or it could be used to gather data about users for advertising, aggregation/research, or preliminary information for an attack. Some spyware is configured to download other programs on the computer.


Viruses

Implement virus protection at these locations: Workstation – protects a single computer by

scanning files from server or e-mail messages Server – scans data read from or written to

server; prevents virus from server spreading throughout network

Internet gateway – scans all Web browser, FTP, and e-mail traffic; stops viruses before they enter network. Do not infect those checking your website


Wireless Security

Site Survey - adjust location and range so that wireless access extends only to business borders

Passwords should be changed and so should WEP keys. WEP should be enabled.

Filter MACsDisable SSID broadcasting


Hardening

Remove unneeded servicesClose unused portsRemove unused user accounts


Auditing

Records certain actions for security and troubleshootingFailed accessGranted access

Should use auditing sparingly – uses resources & more is harder to utilize effectively


Enabling Auditing

Administrative Tools Local Security Policy

Local Policies Audit Policy.

Double-click the policy that you want to enable or disable.

Click the Success (An audited security access attempt that succeeds) and Fail (audited security access attempt that fails)

Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg

Technology

Transcript of Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg