
Introduction to Network Security

Objectives
• Develop a network security policy
• Secure physical access to network equipment
• Secure network data
• Use tools to find network security weaknesses

2
Network Security Overview and Policies

• Network security should be as unobtrusive as possible
– Allowing network users to concentrate on the tasks they want to
accomplish rather than how to get to the data they need to
perform those tasks
• Having a secure network enables an organization
to go about its business confidently and efficiently
• A company that can demonstrate its information
systems are secure is more likely to attract
customers, partners, and investors

3
Developing a Network Security Policy

• A network security policy is a document that
describes the rules governing access to a
company’s information resources, enforcement of
these rules, and steps taken if rules are breached
• A security policy should:
– Be easy for ordinary users to understand and reasonably
comply with
– Be enforceable. Example: You shouldn’t forbid Internet use
during a certain time of day unless you have a method of
monitoring or restricting this use
– Clearly state the objective of each policy so that everyone
understands its purpose
4
Determining Elements of a Network
Security Policy
• Basic items needed in order to start writing your
security policy:
– Privacy policy: Describes what staff, customers, and business
partners can expect for monitoring and reporting
– Acceptable use policy: Explains for what purposes network
resources can be used
– Authentication policy: Describes how users identify themselves
to gain access to network resources
– Internet use policy: Explains what constitutes proper or
improper use of Internet resources

5
Determining Elements of a Network
Security Policy
• Basic items needed in order to start writing your
security policy (continued):
– Access policy: Specifies how and when users are allowed to
access network resources
– Auditing policy: Explains the manner in which security
compliance or violations can be verified and the consequences
for violations
– Data protection: Outlines the policies for backup procedures,
virus protection, and disaster recovery

6
Understanding Levels of Security
• Before determining the level of security your
network needs, answer these questions:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being breached and
data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train personnel to use
a secure network outweighed by the need to create an efficient,
user-friendly environment?
• Depending on your answers, you’ll likely implement
one of the levels of security on the following slides
7
Understanding Levels of Security

• Highly Restrictive Security Policies
– Include features such as data encryption, complex password
requirements, detailed auditing and monitoring of computer and
network access, intricate authentication methods, and policies
governing use of the Internet and e-mail
– Expensive to implement and support
• Moderately Restrictive Security Policies
– Require passwords for each user but not overly complex
– Auditing is geared toward detecting unauthorized logon
attempts, misuse of network resources, and network attacker
activity
– Can use moderately priced off-the-shelf hardware and
software, such as firewalls and access control lists
8
Understanding Levels of Security

• Open Security Policies
– Consist of simple or no passwords, unrestricted access to
resources, and probably no monitoring and auditing
– Might make sense for a small company with the main goal of
making access to network resources easy
– Sensitive data might be kept on workstations that are backed
up regularly and physically inaccessible to other employees
• No matter which type of policy a company uses,
some common elements should be present:
– Virus and other malware protection for servers and desktops
– Backup procedures
– Physical security of servers and network devices
9
Securing Physical Access to the Network

• Best practices to secure your network from physical attack:
– Ensure that rooms are available to house servers and
equipment. These rooms should have locks, adequate power
receptacles, adequate cooling measures, and an EMI-free
environment
– If a suitable room is not available, locking cabinets can be
purchased to house servers and equipment in public areas
– Wiring from workstations to wiring cabinets should be
inaccessible to eavesdropping equipment
– Your physical security plan should include procedures for
recovery from natural disasters such as fire or floods

10
Physical Security of Servers
• Servers can generate a substantial amount of heat
and need adequate cooling
– Lack of cooling can damage hard drives, cause CPUs to shut
down or malfunction, and damage power supplies
• Power to the server should be on a separate circuit
from other electrical devices
– Enough power outlets should be installed to eliminate the need
for extension cords
– Verify power requirements for UPSs. Some UPSs require
special twist-lock outlet plugs rated for high currents
• If you’re forced to place servers in a public access
area, locking cabinets are a must
11
Security of Internetworking Devices
• Routers and switches contain critical configuration
information
– A user with physical access to these devices needs only a laptop or
handheld computer to get into the router or switch
• Configuration changes made to routers and switches
can have disastrous results
• A room with a lock is the best place for internetworking
devices
– A wall-mounted enclosure with a lock is the next best thing
– Some cabinets have a built-in fan or a mounting hole for a fan
– Most racks also come with channels to run wiring

12
Securing Access to Data

• Securing data on a network:
– Authentication and authorization
– Encryption
– Virtual private networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security

13
Implementing Secure Authentication
and Authorization
• Allow administrators to control who has access to the
network (authentication) and what users can do after
they are logged on to the network (authorization)
• Network OSs include tools that enable administrators
to specify options and restrictions on how and when
users can log on to the network
• File system access controls and user permission
settings determine what a user can access on a
network
– Also controls what actions a user can perform on the network, such
as installing software or shutting down a system

14
Configuring Password Requirements
in a Windows Environment
• Windows 7 allows passwords up to 128 characters
– Minimum of five to eight characters is typical
• Other password options include:
– Maximum password age
– Minimum password age
– Enforce password history: Determines how many different
passwords must be used before a password can be used
again
• Password policies for Windows 7 or Windows
Server 2008 can be set in the Local Security
Policy console found in Administrative Tools

15
Configuring Password Requirements
in a Windows Environment

Password policy settings in Windows 7

16
Configuring Password Requirements
in a Linux Environment
• Linux password configuration can be done globally or
on a user-by-user basis
• Like Windows, Linux has a number of password options
that can be configured
– For these password options to be available, the Linux
system must be using shadow passwords, a secure
method of storing user passwords on a Linux system
• Password options can be set by editing the
/etc/login.defs configuration file
• Other password options can be configured by using
Pluggable Authentication Modules (PAM)

17
Reviewing Password Dos and Don’ts
• Do use a combination of uppercase letters,
lowercase letters, and numbers
• Do include one or more special characters
• Do consider using a phrase, such as
NetW@ork1ng!sC001
• Don’t use passwords based on your logon name,
your family members’ or pets’ names
• Don’t use common dictionary words unless they are
part of a phrase
• Don’t make your password so complex that you
forget it
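As an added illustration of the dos and don'ts above (example code written for this page, not from the original slides), a small Python checker that applies each rule to a candidate password; the minimum length of 8, the sample dictionary word list and the character-substitution table are assumptions.

```python
import re

# Constructed sample data (assumptions for this example, not from the slides)
DICTIONARY_WORDS = {"password", "network", "welcome", "summer", "dragon", "letmein"}
SPECIAL_CHARS = "!@#$%^&*()-_=+[]{};:,.<>?/"
# Common substitutions that a cracking wordlist already tries, so they add little
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "!": "i"})


def normalised_word(password):
    """Reduce a password to the dictionary word it is most likely based on.

    Trailing digits/specials are dropped, substitutions are undone and every
    remaining non-letter is removed, so 'P@ssw0rd1' becomes 'password'.
    """
    core = re.sub(r"[^A-Za-z]+$", "", password).lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def check_password(password, logon_name, personal_names=(), min_length=8):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Don't base the password on the logon name or on family/pet names
    for name in (logon_name, *personal_names):
        if name and name.lower() in lowered:
            problems.append(f"contains the name '{name}'")
    # Don't use a plain dictionary word unless it is part of a longer phrase
    word = normalised_word(password)
    if word in DICTIONARY_WORDS:
        problems.append(f"is the dictionary word '{word}' with cosmetic changes")
    return problems


if __name__ == "__main__":
    for candidate in ("NetW@ork1ng!sC001", "P@ssw0rd1", "jsmith2024!"):
        print(candidate, "->", check_password(candidate, "jsmith", ("Rex",)) or "OK")
```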
18
Restricting Logon Hours and Logon
Location
• Both Windows and Linux have solutions to restrict
logon by time of day, day of week, and location
• In Windows, the default settings allow logon 24 hours a
day, seven days a week
• A common use of restricting logon hours is to disallow
logon during a system backup
• Users can be restricted to logging on only from
particular workstations
– If a user who has access to sensitive data logs on at a
workstation in a coworker’s office and then walks away, the
coworker now has access to sensitive data

19
Authorizing Access to Files and
Folders
• Windows OSs have two options for file
security: sharing permissions and NTFS
permissions
• Sharing permissions are applied to folders
(files in a shared folder inherit the same
permission)
• NTFS permissions can be applied to files as
well as folders
• File and folder permissions are a necessary
tool administrators use to make network
resources secure

20
Securing Data with Encryption
• Encryption prevents people from using
eavesdropping technology—such as a packet
sniffer—to capture packets
• The most widely used method for encrypting data is
using IP Security (IPSec)
• Preshared key - series of letters, numbers, and
special characters that two devices use to
authenticate each other’s identity (administrator
enters the same key in the IPSec settings on both
devices)
• Kerberos authentication - also uses keys, but the
OS generates the keys

21
Securing Data with Encryption
• Digital certificates - involves a certification authority
(CA)
– Someone wanting to send encrypted data must apply for a digital
certificate from a CA, which is responsible for verifying the applicant’s
authenticity
– Public CAs, such as Verisign, sell certificates to companies wanting to
have secure communication sessions across public networks
• On Linux systems, a simple method for encrypting files
is using gpg (Gnu Privacy Guard), a command-line
program
– This program uses a password the user enters to encrypt the file
specified as an argument to the gpg command

22
Securing Data on Disk Drives
• If someone gains access to the hard disk where data is
stored, your data could be vulnerable
• In Windows OSs, Encrypting File System (EFS) is used
to encrypt files or folders
• EFS works in one of three modes:
– Transparent mode: Requires hardware with trusted platform module
(TPM) support and protects the system if someone tries to boot with a
different OS
– USB key mode: An encryption key is stored on a USB drive that the
user inserts before starting the system
– User authentication mode: The system requires a user password
before it decrypts the OS files and boots

23
Securing Communication with Virtual
Private Networks
• A virtual private network (VPN) is a network
connection that uses the Internet to give users or
branch offices secure access to a company’s
network resources
• VPNs use encryption technology to ensure the
communication is secure while traveling through
the public Internet
– A “tunnel” is created between the VPN client and VPN server
• VPN servers can be configured on server OSs or
they can be in the form of a dedicated device with
the sole purpose of handling VPN connections
24
Securing Communication with Virtual
Private Networks

A typical VPN connection

25
VPNs in a Windows Environment
• Windows server OSs include a VPN server solution
with Routing and Remote Access (RRAS)
• Windows 2008 supports three implementations of VPN:
– Point-to-Point Tunneling Protocol (PPTP): A commonly used VPN
protocol in Windows OSs with client support for Linux and Mac OS X
– Layer 2 Tunneling Protocol with IPSec (L2TP/IPSec): Provides a
higher level of security than PPTP. Provides data integrity as well as
identity verification
– Secure Socket Tunneling Protocol (SSTP): Works behind most
firewalls without firewall administrators needing to configure the
firewall to allow VPN
• All three implementations are enabled by default when
you configure Windows Server 2008 as a VPN server
26
VPNs in Other OS Environments
• Linux OSs also support VPN client and VPN server
applications (typically use PPTP or L2TP/IPSec)
– A popular VPN solution for Linux is a free package called
OpenSwan
• Mac OS X supports VPN client connections to
Windows servers by using PPTP or IPSec
• Mac OS X Server has a VPN server service that
allows Mac OS X, Windows, and UNIX/Linux
clients to connect to a corporate LAN through the
Mac OS X VPN server

27
VPN Benefits
• VPN benefits include the following:
– Enable mobile users to connect with corporate networks
securely wherever an Internet connection is available
– Allow multiple sites to maintain permanent secure connections
via the Internet instead of using expensive WAN links
– Can reduce costs by using the ISP’s support services instead
of paying for more expensive WAN support
– Eliminate the need to support dial-up remote access

28
Protecting Networks with Firewalls
• A firewall is a hardware device or software program
that inspects packets going into or out of a network or
computer, then discards or forwards these packets
based on a set of rules
• A hardware firewall is configured with two or more
network interfaces, typically placed between a
corporate LAN and the WAN connection
• A software firewall is installed in an OS and inspects all
packets coming into or leaving the computer
– Based on predefined rules, the packets are discarded or
forwarded for further processing

29
Protecting Networks with Firewalls
• Firewalls protect against outside attempts to access
resources and protect against malicious packets
intended to disable a network and its resources
– Firewalls can also be used to restrict users’ access to Internet
resources
• After installation, the administrator must build rules that
allow only certain packets to enter or exit the network
– Can be based on source and destination addresses, protocols
such as IP, TCP, ICMP, and HTTP
• Firewalls can also attempt to determine a packet’s
context (process called stateful packet inspection)
– SPI helps ensure that a packet is denied if it’s not part of an ongoing
legitimate conversation
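To make the stateful packet inspection idea concrete, here is an added Python model of a toy SPI filter (written for this page, not code from the original slides). The assumed policy is that hosts in 10.0.0.0/8 may open outbound TCP connections and inbound packets are allowed only when they match a connection table entry; a stateless "allow anything with ACK set" rule would pass the stray ACK that this filter drops.

```python
from collections import namedtuple

# Minimal packet model with the fields an SPI firewall looks at (constructed for this example)
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")


class StatefulFirewall:
    """Toy stateful packet filter illustrating the 'ongoing conversation' rule.

    Assumed policy: hosts in the internal 10.0.0.0/8 range may open outbound
    TCP connections; an inbound packet is allowed only if it belongs to a
    connection an internal host already started. Everything else is dropped.
    """

    INTERNAL_PREFIX = "10."

    def __init__(self):
        # Connection table: (src, sport, dst, dport) of the outbound flow -> state
        self.table = {}
        self.log = []   # (verdict, src, dst, dport, reason) for every decision

    def _decide(self, verdict, pkt, reason):
        self.log.append((verdict, pkt.src, pkt.dst, pkt.dport, reason))
        return verdict

    def filter(self, pkt):
        if pkt.proto != "tcp":
            return self._decide("DROP", pkt, "only tcp is modelled here")
        flags = set(pkt.flags)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # key as stored for outbound flows
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # key an inbound reply would match

        if pkt.direction == "out" and pkt.src.startswith(self.INTERNAL_PREFIX):
            if flags == {"SYN"}:
                self.table[fwd] = "SYN_SENT"               # new half-open flow
                return self._decide("ALLOW", pkt, "new outbound connection")
            if fwd in self.table:
                if "RST" in flags:
                    del self.table[fwd]                    # flow torn down
                return self._decide("ALLOW", pkt, "part of known flow")

        if pkt.direction == "in" and rev in self.table:
            if flags == {"SYN", "ACK"} and self.table[rev] == "SYN_SENT":
                self.table[rev] = "ESTABLISHED"            # handshake reply from our peer
            if "RST" in flags:
                del self.table[rev]
            return self._decide("ALLOW", pkt, "reply within known flow")

        # Anything else, including an inbound SYN or a stray ACK with no matching
        # outbound flow, is not part of a legitimate conversation
        return self._decide("DROP", pkt, "no matching connection state")
```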
30
Protecting Networks with Firewalls

31
Protecting Networks with Firewalls
• Routers can be used as firewalls
• Network administrators can create rules, called access
control lists (ACLs), that deny certain types of packets
– ACLs can examine many of the same packet properties that
firewalls can
• An intrusion detection system (IDS) usually works
with a firewall or router
– Detects an attempted security breach and notifies the
administrator
– In some cases an IDS can take countermeasures like resetting
the connection between source and destination devices

32
Protecting Networks with Firewalls
• Because most networks use Network Address
Translation (NAT) with private IP addresses,
devices configured with private IP addresses can’t
be accessed directly from outside the network
• When NAT is used, an external device can’t initiate
a network conversation with an internal device

33
Protecting a Network from Worms,
Viruses, and Rootkits
• A virus is a program that spreads by replicating itself
into other programs or documents
– Purpose is to disrupt computer or network operation by deleting
or corrupting files, formatting disks, or using large amounts of
computer resources
• A worm is similar to a virus but a worm doesn’t attach
itself to another program
– Can create a backdoor, which is a program installed on a
computer that permits access to the computer, bypassing
normal authentication process
• Rootkits are a form of a Trojan program that can
monitor traffic to and from a computer (capturing
passwords and other important information)
34
Protecting a Network from Worms,
Viruses, and Rootkits
• Viruses, worms, and rootkits are part of a broader
category of software called malware, which is any
software designed to cause harm or disruption
• Every desktop and server should have virus-scanning
software running
– Most virus-protection software is also designed to detect and prevent
worms
• Virus and worm protection can be expensive but
perhaps worth it if loss of data and productivity can be
avoided
– Virus software must be updated because developers of viruses and
worm software are always looking for new ways to wreak havoc

35
Protecting a Network from Spyware
and Spam
• Spyware is a type of malware that monitors or
controls part of your computer at the expense of
your privacy
– Spyware usually decreases your computer’s performance and
increases pop-up Internet messages and spam
• Many antispyware programs are available – some
are bundled with antivirus programs
• Spam is more of a nuisance than a threat to your
computer
– Unsolicited e-mail that takes up e-mail storage space, network
bandwidth and people’s time

36
Implementing Wireless Security
• An attacker does not need physical access to your
network cabling to compromise the network
– Anyone with a wireless scanner and some software can
intercept data or access wireless devices
• Wireless security must be enabled on all your
devices by using one or more of the following
methods:
– Service set identifier (SSID) – An SSID is an alphanumeric
label configured on the access point – each client must
configure its wireless NIC for that SSID to connect to that
access point

37
Implementing Wireless Security
• Wireless security options (continued):
– MAC address filtering: If network is small, you can use the MAC
address filtering feature on APs to restrict network access to
computers with specific MAC addresses
– Wired Equivalency Protocol (WEP): Provides data encryption
so that a casual attacker who gains access sees only encrypted
data
– Wi-Fi Protected Access (WPA): Similar to WEP, only has
enhancements that make cracking the encryption code more
difficult
– 802.11i: Usually referred to as WPA2 because it incorporates
much of the WPA standard – advantage over WPA is that it
uses more advanced encryption standards and a more secure
method of handling encryption keys
38
Using an Attacker’s Tools to Stop
Network Attacks
• The terms black hats and white hats are
sometimes used to describe an individual skilled at
breaking into a network
– Black hats are the bad guys, white hats are the good guys
• White hats use the term penetration tester for their
consulting services
– A certification has been developed for white hats called
Certified Ethical Hacker (CEH)
– White hats try to hack into a network to see what types of holes
exist in a network’s security and close them

39
Discovering Network Resources
• Attackers use command-line utilities to discover as
much about your network as they can
– Ping, Traceroute, Finger, and Nslookup are some utilities used
• A ping scanner is an automated method for
pinging a range of IP addresses
• A port scanner determines which TCP and UDP
ports are available on a particular computer or
device
– By determining which ports are active, a port scanner can tell
you what services are enabled on a computer

40
Discovering Network Resources
• Protocol analyzers allow you to capture packets
and determine which protocol services are running
– Require access to the network media
• The use of the Finger utility can be disabled by
turning it off on all UNIX, Linux servers and routers
– A port scan should be run on all network devices to see what
services are on, and then services that aren’t necessary should
be turned off
• To protect against the use of protocol analyzers, all
hubs and switches should be secured in a locked
room or cabinet

41
Gaining Access to Network Resources
• After an attacker has discovered the resources
available, the next step might be gaining access
– Will try to gain access via devices that have no password set
• Finger can be used to discover usernames
• Linux and Windows servers have default
administrator names that are often left unchanged
– An attacker with a password-cracking tool can easily exploit
• Using a password-cracking tool on your own
system is recommended to see whether your
passwords are complex enough

42
Disabling Network Resources
• A denial-of-service (DoS) attack is an attacker’s
attempt to tie up network bandwidth or network
services
– Three common types of DoS attacks focus on tying up a
server or network service
• Packet storms: use the UDP protocol to send UDP packets that
have a spoofed (made up) host address, causing the host to be
unavailable to respond to other packets
• Half-open SYN attacks: use the TCP three-way handshake to tie
up a server with invalid TCP sessions
• A ping flood sends a large number of ping packets to a host – they
cause the host to reply, tying up CPU cycles and bandwidth
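Detecting the half-open SYN attack described above from a connection log, as an added Python example written for this page (not from the original slides). The log format, the sample entries and the alert threshold of 5 are constructed assumptions; the code also groups by destination, which is what catches a flood spread across many spoofed source addresses.

```python
import re
from collections import defaultdict

# Constructed connection log in an assumed format: "<time> <src>:<sport> -> <dst>:<dport> <FLAGS>"
SAMPLE_LOG = [
    "10:00:00 10.0.0.9:51000 -> 10.0.0.2:80 SYN",
    "10:00:00 10.0.0.2:80 -> 10.0.0.9:51000 SYN,ACK",
    "10:00:00 10.0.0.9:51000 -> 10.0.0.2:80 ACK",          # legitimate handshake completes
    "10:00:01 198.51.100.3:44000 -> 10.0.0.2:80 SYN",
    "10:00:01 198.51.100.3:44001 -> 10.0.0.2:80 SYN",
    "10:00:01 10.0.0.2:80 -> 198.51.100.3:44000 SYN,ACK",
    "10:00:01 198.51.100.3:44000 -> 10.0.0.2:80 ACK",      # one of the two completes
] + [f"10:00:02 203.0.113.5:{40000 + i} -> 10.0.0.2:80 SYN" for i in range(6)]  # never completed

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z,]+)$"
)


def parse_line(line):
    """Return a dict of ts/src/sport/dst/dport plus a set of flags, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(","))
    return rec


def half_open_counts(lines, group_by="src"):
    """Count connections still waiting for the client's final ACK, grouped by src or dst address.

    A bare SYN opens a pending entry; an ACK without SYN (third handshake
    step, or later data) or an RST from the same client closes it. Entries left
    over are half-open. Grouping by 'dst' shows the total load on one server
    even when no single source address exceeds the per-source threshold.
    """
    pending = defaultdict(set)   # group key -> set of 4-tuples still half-open
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        key = rec[group_by]
        flags = rec["flags"]
        if flags == {"SYN"}:
            pending[key].add(flow)
        elif ("ACK" in flags and "SYN" not in flags) or "RST" in flags:
            pending[key].discard(flow)
    return {key: len(flows) for key, flows in pending.items() if flows}


def suspicious(lines, threshold=5, group_by="src"):
    """Addresses with at least `threshold` half-open connections (threshold is an assumption)."""
    return sorted(k for k, n in half_open_counts(lines, group_by).items() if n >= threshold)


if __name__ == "__main__":
    print("half-open by source:", half_open_counts(SAMPLE_LOG))
    print("half-open by target:", half_open_counts(SAMPLE_LOG, group_by="dst"))
    print("suspicious sources:", suspicious(SAMPLE_LOG))
```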

43
Chapter Summary
• A network security policy is a document that describes
the rules governing access to a company’s information
resources
• A security policy should contain these types of policies:
privacy policy, acceptable use policy, authentication
policy, Internet use policy, auditing policy, and data
protection policy
• Securing physical access to network resources is
paramount
• Securing access to data includes authentication and
authorization, encryption/decryption, VPNs, firewalls,
virus and worm protection, spyware protection and
wireless security

44
Chapter Summary
• VPNs are an important aspect of network security because
they provide secure remote access to a private network via
the Internet
• Firewalls, a key component of any network security plan,
filter packets and permit or deny packets based on a set of
defined rules
• Malware encompasses viruses, worms, Trojan programs,
and rootkits
• Wireless security involves attention to configuring a wireless
network’s SSID correctly and configuring and using one of
several wireless security protocols, such as WEP, WPA, or
802.11i

45
Chapter Summary
• Tools that attackers use to compromise a network can also
be used to determine whether a network is secure.
• Denial of service is one method attackers use to disrupt
network operation. Three types of DoS attacks include half-
open SYN attacks, ping floods, and packet storms.

46