PACE-IT: Network Hardening Techniques (part 1)

Network hardening techniques I.

Transcript of PACE-IT: Network Hardening Techniques (part 1)

Page 2

Instructor, PACE-IT Program – Edmonds Community College

Brian K. Ferrill, M.B.A.

Areas of expertise

PC Hardware

Network Administration

IT Project Management

Network Design

User Training

IT Troubleshooting

Industry Certifications

Qualifications Summary

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.

Education

M.B.A., IT Management, Western Governor’s University

B.S., IT Security, Western Governor’s University

Page 3

Network hardening techniques I.

– Using secure protocols.

– Using anti-malware software.

– Implementing switch and router security.

Page 4

Using secure protocols.

Page 5

Network security is always an ongoing process because the threats to it keep changing.

Although security threats are continually evolving, administrators can use a set of techniques to harden the base network structure and cope with the ever shifting security landscape.

These hardening techniques establish a good security foundation that can be further built upon, making the network that much harder to compromise.


Page 6

Using secure protocols.

– SSH (Secure Shell).

» A protocol that is used to create an encrypted communications session between devices.

• Commonly used to create a secure virtual terminal session. It replaces Telnet, which sends the login credentials and every keystroke in clear text.

– SNMP (Simple Network Management Protocol) v.3.

» A protocol used to manage and configure devices remotely on the network. It is more secure than the prior two versions (v1 and v2c), which authenticate only with a community string sent in clear text; v3 adds per-user authentication and, in its authPriv mode, encryption of the management traffic.

– SFTP (Secure File Transfer Protocol).

» A protocol used to transfer data (files) and manage file structures (directories) in a secure manner through the use of an SSH session.

• It is a better option than FTP, which requires user authentication but does not encrypt the communication, so both the credentials and the file contents travel in clear text.

Page 7

Using secure protocols.

– TLS (Transport Layer Security).

» A cryptographic protocol used to encrypt online communications. It uses certificates and asymmetric cryptography to authenticate hosts and to establish the session keys that then protect the traffic with symmetric encryption.

• It is the successor to SSL (Secure Sockets Layer), which functions in a similar manner. Every version of SSL is now deprecated and should be disabled; TLS 1.2 or later should be required.

– HTTPS (Hypertext Transfer Protocol Secure).

» A protocol that is used to secure the communication channel between a Web browser and a Web server.

• It runs HTTP over TLS (historically SSL). The client must validate the server's certificate, including the hostname it is issued for; otherwise the encryption stops eavesdropping but not an impersonating server.

– IPsec (Internet Protocol Security).

» A network layer (Layer 3) IP security protocol suite that can use multiple methods to mutually authenticate both ends of the communications channel. With ESP (Encapsulating Security Payload) it also encrypts all data transmissions; AH (Authentication Header) provides integrity and origin authentication only, without encryption.

• Unlike most other protocols, it can provide end-to-end security for any application, because it operates below the transport layer and needs no changes to the applications themselves.

Page 8

Using anti-malware software.

Page 9


– Anti-malware software options.

» Anti-malware applications help to protect networks and network resources against malware intrusions (e.g., spyware, viruses, and worms). There are three main options when using anti-malware software.

• Host-based anti-malware: the application is installed on the individual machines and only protects those nodes on which it resides. It is easily tuned to the needs of the individual host, and it is the only option that can inspect activity on the host itself, but it relies on the host (or its user) to keep the software and its signatures current unless updates are centrally managed.

• Network-based anti-malware: the application is installed within the local network and served to the individual clients that require it. It is easily administered from one place, but harder to tune for the individual hosts.

• Cloud-based anti-malware: the application resides in the cloud (outside of the local network) and is served to the clients inside the local network as needed. This service has a very small footprint on the local machines and tends to be kept more current than the other options, at the cost of depending on connectivity to the provider.

Page 10

Implementing switch and router security.

Page 11

When is using a password not secure? The answer is when the password is kept in clear text, whether in a device's running configuration, a configuration backup, or a credential database.

One solution to this is to save passwords and other sensitive information as hashes. Hashing is a cryptographic process that uses an algorithm to derive a fixed-size value (the hash) from the sensitive data. The process is one way: the original data cannot be recovered from the hash, so a stored hash can be compared against the hash of a password presented at login without the password itself ever being stored. A hash by itself can detect that data has been changed, but it cannot prove where the data came from, because anyone who can alter the data can also recompute its hash; proving origin requires a keyed construction such as an HMAC or a digital signature. Hashing also never hides the data, so it is not a substitute for encrypting traffic in transit.

The most popular hashing algorithms are MD5 (message-digest algorithm) and SHA (Secure Hash Algorithm). Of the two, SHA is the more secure; MD5 and SHA-1 are both broken for collision resistance, so SHA-2 (e.g., SHA-256) should be used. For stored passwords the hash should additionally be salted and deliberately slow (PBKDF2, bcrypt, scrypt or Argon2) so that guessing attacks against a stolen hash are expensive. On Cisco IOS devices this means preferring a type 8 (PBKDF2-SHA256) or type 9 (scrypt) secret over the older MD5-based type 5, and never relying on type 7 "encrypted" passwords, which are a reversible encoding rather than a hash.
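As an added example that is not part of the PACE-IT deck, the Python below makes the two points of this slide concrete: a bare hash does not stop an on-path attacker who can rewrite a message and recompute the hash, while a keyed HMAC does; and an unsalted MD5 password hash is shown beside a salted, deliberately slow PBKDF2 one. The configuration line, the shared key and the passwords are constructed for the example, and the function names are ours rather than any vendor's API.

```python
# Added example (not from the PACE-IT deck). Constructed inputs: a config line that
# is carried across the network, a hypothetical shared key, and sample passwords.
import hashlib
import hmac
import os
from typing import Optional

MESSAGE = b"interface GigabitEthernet0/1\n switchport access vlan 10"  # constructed
SHARED_KEY = b"constructed-demo-key"  # hypothetical key held by sender and receiver only


def plain_hash(data: bytes) -> str:
    """Bare SHA-256 of the data: anyone can compute it, so anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_hash(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a matching tag can only be produced by someone holding the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts_plain(message: bytes, sent_hash: str) -> bool:
    """Receiver-side check when only a bare hash accompanies the message."""
    return hmac.compare_digest(plain_hash(message), sent_hash)


def receiver_accepts_hmac(message: bytes, sent_tag: str) -> bool:
    """Receiver-side check when an HMAC tag accompanies the message."""
    return hmac.compare_digest(keyed_hash(message, SHARED_KEY), sent_tag)


def tamper(message: bytes) -> bytes:
    """What an on-path attacker does: move the port into a different VLAN."""
    return message.replace(b"vlan 10", b"vlan 99")


def plain_hash_scenario() -> bool:
    """True means the receiver accepted the attacker's rewritten message."""
    tampered = tamper(MESSAGE)
    forged_hash = plain_hash(tampered)  # no secret is needed to forge this
    return receiver_accepts_plain(tampered, forged_hash)


def hmac_scenario() -> bool:
    """True would mean the receiver accepted the rewritten message."""
    genuine_tag = keyed_hash(MESSAGE, SHARED_KEY)
    tampered = tamper(MESSAGE)
    # Without SHARED_KEY the attacker cannot compute a tag for `tampered`;
    # forwarding the genuine tag with the altered message is the best forgery available.
    return receiver_accepts_hmac(tampered, genuine_tag)


def weak_password_hash(password: str) -> str:
    """Unsalted MD5: identical passwords give identical hashes, and precomputed
    tables crack common passwords instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None, rounds: int = 600_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. Stored form: algo$rounds$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, derived_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    print("bare hash: forged message accepted?", plain_hash_scenario())
    print("HMAC:      forged message accepted?", hmac_scenario())
    print("same MD5 for same password:", weak_password_hash("cisco") == weak_password_hash("cisco"))
    first, second = store_password("cisco"), store_password("cisco")
    print("salted hashes differ for same password:", first != second)
    print("verify right/wrong password:", verify_password("cisco", first), verify_password("Cisco", first))
```

Storing the same password twice yields two different strings because of the random salt, which is exactly what defeats precomputed tables; the round count is the cost knob and should be raised as hardware gets faster. The constant-time comparison matters wherever an attacker can time the check, which includes a login prompt.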


Page 12

Implementing switch and router security.

– Switch port security measures.

» Switch port security should be enabled. It limits the number of MAC addresses a port may learn (and optionally which ones) and shuts down or restricts the port when the limit is exceeded, which blocks MAC flooding attacks against the switch's address table.

» The native VLAN should be changed from its default value (VLAN 1). Untagged frames on a trunk are placed in the native VLAN, so leaving it at the default lets any host on VLAN 1 inject traffic onto the trunk.

• All active ports should be assigned to non-native VLANs.

• All non-active switch ports should be assigned to an unused non-native VLAN and shut down.

• VLANs should be created to clearly segment the network into logical areas.

» MAC address filtering should be considered. This will only allow specific MAC addresses to connect to specific ports. A MAC address is trivially spoofed, so this raises the effort for an attacker but is not a form of authentication.

» DHCP snooping should be enabled. The switch then accepts DHCP server messages (OFFER, ACK) only on administrator-defined trusted ports and drops them on every other port, which defeats rogue DHCP servers. As a side effect the switch builds a binding table recording which IP address was leased to which MAC address on which port and VLAN.

» Dynamic ARP Inspection (DAI) should be enabled. This process is combined with DHCP snooping to restrict the opportunity for ARP cache poisoning to occur. ARP packets arriving on untrusted ports are compared against the DHCP snooping binding table held on the switch (not a table on the DHCP server); an ARP packet whose sender IP and MAC address do not match a binding for that port and VLAN is dropped.
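The following is an added example, not part of the PACE-IT deck, that models in Python how the DHCP snooping binding table is built and how DAI consults it. Port names, MAC and IP addresses and the packet sequence are all constructed for illustration, and the class and method names are ours; a real switch does this in its forwarding hardware, and the model omits rate limiting and per-VLAN enablement.

```python
# Added example (not from the PACE-IT deck): DHCP snooping + Dynamic ARP Inspection
# modelled over constructed packets. Every port, address and packet below is made up.
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table: IP leased to MAC on port/VLAN."""
    ip: str
    mac: str
    vlan: int
    port: str


class SnoopingSwitch:
    def __init__(self, trusted_ports: Iterable[str]):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.bindings: Dict[Tuple[int, str], Binding] = {}  # (vlan, ip) -> Binding
        self._pending: Dict[Tuple[int, str], str] = {}  # (vlan, client mac) -> client port

    def dhcp(self, port: str, vlan: int, msg: str, client_mac: str, yiaddr: str = "") -> str:
        """Apply DHCP snooping to one DHCP message; returns FORWARD or DROP:<reason>."""
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return "DROP:dhcp-server-message-on-untrusted-port"  # rogue DHCP server
        if msg in ("DISCOVER", "REQUEST"):
            self._pending[(vlan, client_mac)] = port  # remember where the client sits
        elif msg == "ACK":
            client_port = self._pending.get((vlan, client_mac))
            if client_port is not None:  # lease confirmed: record the binding
                self.bindings[(vlan, yiaddr)] = Binding(yiaddr, client_mac, vlan, client_port)
        return "FORWARD"

    def arp(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> str:
        """Dynamic ARP Inspection on one ARP packet (request or reply)."""
        if port in self.trusted:
            return "FORWARD"  # DAI is not applied on trusted ports
        binding = self.bindings.get((vlan, sender_ip))
        if binding is None:
            return "DROP:no-binding-for-sender-ip"
        if binding.mac != sender_mac or binding.port != port:
            return "DROP:sender-does-not-match-binding"
        return "FORWARD"


def run_scenario() -> Dict[str, str]:
    """A constructed packet sequence; returns the switch's verdict for each step."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    r: Dict[str, str] = {}
    # A legitimate client on Gi0/5 leases 10.0.10.50 from the server behind the uplink.
    r["client_request"] = sw.dhcp("Gi0/5", 10, "REQUEST", "aa:aa:aa:aa:aa:01")
    r["server_ack"] = sw.dhcp("Gi0/24", 10, "ACK", "aa:aa:aa:aa:aa:01", yiaddr="10.0.10.50")
    # A rogue DHCP server on an access port is dropped before any client sees it.
    r["rogue_offer"] = sw.dhcp("Gi0/7", 10, "OFFER", "aa:aa:aa:aa:aa:01", yiaddr="10.0.10.66")
    # The client's own ARP matches its binding and is forwarded.
    r["legit_arp"] = sw.arp("Gi0/5", 10, "10.0.10.50", "aa:aa:aa:aa:aa:01")
    # An attacker on Gi0/7 claims the gateway address: no binding exists for it on an untrusted port.
    r["gateway_spoof"] = sw.arp("Gi0/7", 10, "10.0.10.1", "bb:bb:bb:bb:bb:02")
    # The attacker replays the victim's IP/MAC pair: a binding exists, but on another port.
    r["client_spoof"] = sw.arp("Gi0/7", 10, "10.0.10.50", "aa:aa:aa:aa:aa:01")
    # The real gateway answers via the trusted uplink, where DAI is not applied.
    r["gateway_real"] = sw.arp("Gi0/24", 10, "10.0.10.1", "cc:cc:cc:cc:cc:03")
    return r


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print(f"{step:16} {verdict}")
```

The gateway spoof is dropped only because the attacker sits on an untrusted port; hosts with static addresses never appear in the snooping table, so on a real switch they need static bindings or ARP ACLs, and any port that really hosts a DHCP server must be trusted or its replies will be discarded too.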

Page 13

Implementing switch and router security.

– Router security measures.

» Each interface on a router should have an access control list (ACL) in place to control and filter traffic.

• Each interface can actually have two ACLs per protocol, one applied to the inbound side of the interface and one to the outbound side.

» An ACL is an ordered set of rules that is used to govern and filter the flow of network traffic into and out of a network.

• The ACL examines each packet against its rules in order, beginning from the first rule at the top of the list. Each rule either permits or denies the packet.

• Once the packet matches a rule, the rule is enforced and the ACL process is exited. Later rules are never consulted, so rule order matters: a broad permit placed early makes every more specific deny below it dead.

• ACL rules can be based on protocols and ports, source addresses, destination addresses, etc.

• All ACLs end with an implicit deny, meaning that if a packet isn't specifically permitted, it is discarded. An ACL that contains only deny statements therefore blocks all traffic on that interface.

» An ACL can be time based (e.g., active only on certain days of the week or times of day) and can fulfill a specific function based on the reason it is created (e.g., an ACL can block access to a particular Web server's address and port; filtering by site name or page content needs a proxy or content filter rather than an ACL).
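As an added example that is not part of the PACE-IT deck, the Python below evaluates a simplified subset of extended ACL syntax (permit/deny, protocol, source, destination, optional destination port) with first-match processing and an implicit deny, and includes a check for rules that an earlier rule has made dead. The two ACLs and the sample packets are constructed; the syntax is a reduced form of the Cisco extended ACL style and is not a full parser for any vendor's configuration.

```python
# Added example (not from the PACE-IT deck): first-match ACL evaluation with an
# implicit deny, plus a shadowed-rule check. Rules and packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    text: str  # the original rule line, for reporting

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport


def _net(token: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if token == "any" else ip_network(token, strict=False)


def parse_acl(lines: str) -> List[Rule]:
    """Parse lines of the form: <permit|deny> <proto> <src|any> <dst|any> [eq <port>]."""
    rules = []
    for line in lines.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            raise ValueError(f"bad rule: {line!r}")
        dport = int(t[5]) if len(t) >= 6 and t[4] == "eq" else None
        rules.append(Rule(t[0], t[1], _net(t[2]), _net(t[3]), dport, line.strip()))
    return rules


def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the implicit deny applies."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.text
    return "deny", "<implicit deny>"


def shadowed_rules(acl: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule covers every packet they would."""
    dead = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            proto_ok = earlier.proto in ("ip", later.proto)
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if proto_ok and port_ok and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                dead.append(later.text)
                break
    return dead


# Constructed ACLs: the same intent, in a wrong and in a right order.
WRONG_ORDER = parse_acl("""
permit ip any any
deny tcp any 10.0.10.0/24 eq 23
""")
RIGHT_ORDER = parse_acl("""
deny tcp any 10.0.10.0/24 eq 23
permit tcp 10.0.20.0/24 10.0.10.0/24 eq 22
permit icmp any any
""")

# Constructed packets toward a server in 10.0.10.0/24.
TELNET = Packet("tcp", "10.0.20.15", "10.0.10.5", 23)
SSH = Packet("tcp", "10.0.20.15", "10.0.10.5", 22)
SSH_FROM_GUEST = Packet("tcp", "10.0.30.9", "10.0.10.5", 22)
PING = Packet("icmp", "10.0.30.9", "10.0.10.5")

if __name__ == "__main__":
    for name, acl in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name, "shadowed:", shadowed_rules(acl))
        for label, pkt in (("telnet", TELNET), ("ssh", SSH), ("guest ssh", SSH_FROM_GUEST), ("ping", PING)):
            print(f"  {label:10} -> {evaluate(acl, pkt)}")
```

In the wrong-order ACL the telnet deny is unreachable because the permit-any above it matches first, which is the kind of mistake a line-by-line review misses and shadowed_rules() reports; in the right-order ACL the guest host's SSH attempt hits no rule and falls through to the implicit deny.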

Page 14

What was covered.

Topic: Using secure protocols.

Summary: Hardening techniques are used by administrators as a foundation for network security. Secure protocols that can and should be used on the network include SSH, SNMP v.3, SFTP, TLS (in place of its deprecated predecessor SSL), HTTPS, and IPsec.

Topic: Using anti-malware software.

Summary: Anti-malware applications are used to protect against malware intrusions on systems. There are three main options for deploying them: host-based, network-based, and cloud-based. Each option has its own advantages.

Topic: Implementing switch and router security.

Summary: Passwords and sensitive data should be kept as hashed values, salted and deliberately slow in the case of stored passwords. The most popular hashing algorithms are MD5 and SHA; SHA-2 should be preferred. Switch port security includes adjusting VLAN settings, MAC address filtering, DHCP snooping, and DAI. To harden a router, each interface should have at least one ACL active on it. ACL rules are matched in order, the first match wins, and all ACLs have an implicit deny at the end of the list.

Page 15

THANK YOU!

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.