NETWORK

SECURITY
Group 11
 2

INTRODUCTION
Network security is one of the toughest areas of IT to be responsible for. It
seems as if a new threat surfaces on a regular basis and that you are
constantly needing to learn new things just a half a step ahead of potential
problems. This chapter focuses on some of the elements administrators use
to keep their networks as secure as possible.
 3
VPN- VIRTUAL PRIVATE NETWORK (VPN)
Encapsulates encrypted data inside another datagram that contains routing
information. The connection between two computers establishes a switched
connection dedicated to the two computers. The encrypted data is encapsulated
inside Point-to-Point Protocol(PPP), and that connection is used to deliver the data.
To put it more simply, a VPN extends a LAN by establishing a remote
connection using a public network such as the Internet. A VPN provides a
point-to-point dedicated link between two points over a public IP network.

the VPN enables network connectivity over a possibly long physical distance. In this
respect, a VPN is a form of wide-area network (WAN).

Examples of VPN:

Proton VPN Nord VPN Express VPN Surfshark VPN

COMPONENTS OF THE VPN 4

CONNECTION
A VPN enables anyone with an Internet connection to use the infrastructure
of the public network to dial in to the main network and access resources as
if the user were locally logged on to the network. It also enables two
networks to securely connect to each other.

• VPN client: The computer that initiates the connection to the VPN server.

• VPN server: Authenticates connections from VPN clients.

• Access method: As mentioned, a VPN is most often established over a public

network such as the Internet; however, some VPN implementations use a private
intranet. The network used must be IP (Internet protocol)- based.

• VPN protocols: Required to establish, manage, and secure the data over the VPN
connection. Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling
Protocol (L2TP) are commonly associated with VPN connections. These
protocols enable authentication and encryption in VPNs. Authentication enables
VPN clients and servers to correctly establish the identity of people on the
network. Encryption enables potentially sensitive data to be guarded from the
general public.
VPN PROS AND CONS 5

Pros:

Reduced Cost – VPN can replace remote-access servers and long-distance dialup
network connections that were commonly used in the past by business travelers who
needed access to their company internet.

Network Scalability – The internet enables an organization to grow its remote client
base without having to increase or modify an internal network infrastructure.

Reduced Support – Using internet, organizations do not need to employ support

personnel to manage a VPN infrastructure.

Simplified – With a VPN, a network administrator can easily add remote clients. All
authentication work is managed from the VPN authentication server, and client
systems can be easily configured for automatic VPN Access.
 6

CONS
Security – using VPN, data is sent over a public network, so data security is a
concern. VPNs use security protocols to address this shortcoming, but VPN
administrators must understand data security over public networks to ensure that data
is not tampered with or stolen.

Reliability – The reliability of the VPN communication depends on the public

network and is not under an organization’s direct control. The solution relies on an
internet service provider (ISP) and its quality of service
 POINT-TO-POINT TUNNELING 7

PROTOCOL
• Point-to-Point Tunneling Protocol (PPTP), which is documented in RFC 2637, is often
mentioned together with PPP.

• To establish a PPTP session between a client and server, a TCP connection known as a PPTP
control connection is required to create and maintain the communication tunnel.

• The PPTP control connection exists between the IP address of the PPTP client and the IP
address of the PPTP server, using TCP port 1723 on the server and a dynamic port on the client.

• PPTP provides authenticated and encrypted communications between two endpoints such as a
client and server. PPTP does not use a public key infrastructure but does use a user ID and
password.

• PPTP uses the same authentication methods as PPP, including Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP), Challenge Handshake Authentication
Protocol (CHAP), Password Authentication Protocol (PAP), and Extensible Authentication
Protocol (EAP),
LAYER 2 TUNNELING PROTOCOL 8

Layer 2 Tunneling Protocol (L2TP) is a combination of PPTP and Cisco L2F

technology. L2TP, as the name suggests, uses tunneling to deliver data. It
authenticates the client in a two-phase process: It authenticates the computer and then
the user. By authenticating the computer, it prevents the data from being intercepted,
changed, and returned to the user in what is known as a man-in-the-middle attack.
L2TP ensures both parties that the data they receive is exactly the data sent by the
originator.

Following is a quick list of some of the advantages of each,

starting with PPTP:
•  PPTP has been around longer; it offers more interoperability than L2TP.
•  PPTP is an industry standard.
•  PPTP is easier to configure than L2TP because L2TP uses digital certificates.
•  PPTP has less overhead than L2TP.
Following are some of the advantages of L2TP:
•  L2TP offers greater security than PPTP.
•  L2TP supports common public key infrastructure technology.
•  L2TP provides support for header compression.
IPSEC
9

The IP Security (IPsec) protocol is designed to provide secure communications

between systems. This includes system-to-system communication in the same
network, as well as communication to systems on external networks. IPsec is an IP
layer security protocol that can both encrypt and authenticate network transmissions.
IPsec is composed of two separate protocols: Authentication Header (AH)
and Encapsulating Security Payload (ESP). AH provides the authentication and
integrity checking for data packets, and ESP provides encryption services.

IPsec provides three key security services:

 Data verification: Verifies that the data received is from the intended
source
 Protection from data tampering: Ensures that the data has not been tampered with
or changed between the sending and receiving devices
 Private transactions: Ensures that the data sent between the sending and receiving
devices is unreadable by any other devices

IPsec operates at the network layer of the Open Systems Interconnect (OSI)

reference model and provides security for protocols that operate at the higher
layers. Thus, by using IPsec, you can secure practically all TCP/IP- related
communications.
SITE-TO-SITE, HOST-TO-SITE, AND 10
HOST-TO-HOST

The scope of a VPN tunnel can vary, with the two most common variations
being site-to-site and host-to-site (also known as client-to-site).
A third variation is host-to-host, but it is really just a special implementation of site-
to-site. In a site-to-site implementation, as the name implies, whole networks are
connected together.
In a host-to-site scenario, individual clients (such as telecommuters or travelers)
connect to the network remotely. Because the individual client makes a direct
connection to the network, each client doing so must have VPN client software
installed.
ACCESS CONTROL
 12

ACCESS CONTROL
Access control describes the mechanisms used to filter network traffic to determine
who is and who is not allowed to access the network and network resources.
Firewalls, proxy servers, routers, and individual computers all can maintain access
control to some degree by protecting the edges of the network. By limiting who can
and cannot access the network and its resources, it is easy to understand why access
control plays a critical role in security strategy. Several types of access control
strategies exist, as discussed in the following sections.
 13

MANDATORY
ACCESS CONTROL
Mandatory access control (MAC) is the most secure form of access control.
In systems configured to use mandatory access control, administrators dictate who
can access and modify data, systems, and resources. MAC systems are commonly
used in military installations, financial institutions, and, because of new privacy laws,
medical institutions.

MAC secures information and resources by assigning sensitivity labels or attributes

to objects and users. When users request access to an object, their sensitivity level is
compared to the object’s. A label is a feature applied to files, directories, and other
resources in the system. It is similar to a confidentiality stamp. When a label is placed
on a file, it describes the level of security for that specific file. It permits access by
files, users, programs, and so on that have a similar or higher security setting.
 14

DISCRETIONARY
ACCESS CONTROL
Discretionary access control (DAC) is not enforced from the administrator or
operating system. Instead, access is controlled by an object’s owner.

DAC uses an access control list (ACL) to determine access. The ACL is a table that
informs the operating system of the rights each user has to a particular system object,
such as a file, folder, or printer. Each object has a security attribute that identifies its
ACL. The list has an entry for each system user with access privileges. The most
common privileges include the ability to read a file (or all the files in a folder), to
write to the file or files, and to execute the file (if it is an executable file or program).

Microsoft Windows servers/clients, Linux, UNIX, and Mac OS X are among the
operating systems that use ACLs. The list is implemented differently by each
operating system.
15
RULE-BASED 16

ACCESS CONTROL
Rule-based access control (RBAC) controls access to objects according to established
rules. The configuration and security settings established on a router or firewall are a
good example.

When a firewall is configured, rules are set up that control access to the network.
Requests are reviewed to see if the requestor meets the criteria to be allowed access
through the firewall. For instance, if a firewall is configured to reject all addresses in
the 192.166.x.x IP address range, and the requestor’s IP is in that range, the request
would be denied.

In a practical application, RBAC is a variation on MAC. Administrators typically

configure the firewall or other device to allow or deny access. The owner or another
user does not specify the conditions of acceptance, and safeguards ensure that an
average user cannot change settings on the devices.
 17

ROLE-BASED
ACCESS CONTROL
In role-based access control (RBAC), access decisions are determined by the roles
that individual users have within the organization. Role-based access requires the
administrator to have a thorough understanding of how a particular organization
operates, the number of users, and each user’s exact function in that organization.

Roles should receive just the privilege level necessary to do the job associated with
that role. This general security principle is known as the least privilege concept.
When people are hired in an organization, their role is clearly defined. A network
administrator creates a user account for the new employee and places that user
account in a group with people who have the same role in the organization.
REMOTE-ACCESS 18

PROTOCOLS AND SERVICES

These technologies include the protocols to allow access to the server and to secure
the data transfer after the connection is established. Also necessary are methods of
access control that make sure only authorized users are using the remote-access
features.

All the major operating systems include built-in support for remote access. They
provide both the access methods and security protocols necessary to secure the
connection and data transfers.
REMOTE ACCESS 19

SERVICE
Remote access service (RAS) is a remote-access solution included with Windows
Server products. RAS is a feature-rich, easy-to-configure, easy-to- use method of
configuring remote access.

RAS supports remote connectivity from all the major client operating
systems available today, including all newer Windows operating systems:
  Windows Server products
  Windows Home-based clients
  Windows Professional-based clients
  Windows Enterprise-based clients
  UNIX-based/Linux clients
  Mac OS X-based clients

Although the system is called RAS, the underlying technologies that enable the RAS
process are dialup protocols such as PPP.
PPP
20

PPP is the standard remote-access protocol in use today. PPP is actually a family of
protocols that work together to provide connection services. Because PPP is an
industry standard, it offers interoperability between different software vendors in
various remote-access implementations. PPP provides a number of security
enhancements compared to regular Serial Line Interface Protocol (SLIP), a basic
encapsulation of the IP protocol that works over serial and modem connections, the
most important being the encryption of usernames and passwords during the
authentication process.

During the establishment of a PPP connection between the remote system and the
server, the remote server needs to authenticate the remote user. It does so by using the
PPP authentication protocols. PPP accommodates a number of authentication
protocols, and it’s possible on many systems to configure more than one
authentication protocol. The protocol used in the authentication process depends on
the security configurations established between the remote user and the server. PPP
authentication protocols include CHAP, MS-CHAP, MS-CHAPv2, EAP, and PAP.
Each of these authentication methods is discussed in the section “Remote
Authentication Protocols.”
PPPOE
21

Point-to-Point Protocol over Ethernet (PPPoE) is a protocol used to connect multiple

network users on an Ethernet local area network to a remote site through a common
device.

With PPPoE, a number of different users can share the same physical connection to
the Internet. In the process, PPPoE provides a way to keep track of individual user
Internet access times. Because PPPoE is for individual authenticated access to high-
speed data networks, it is an efficient way to create a separate connection to a remote
server for each user. This strategy enables ISPs or administrators to bill or track
access on a per-user basis rather than a per-site basis. Users accessing PPPoE
connections require the same information as required with standard dialup phone
accounts, including a username and password combination. As with a dialup PPP
service, an ISP will most likely automatically assign configuration information such
as the IP address, subnet mask, default gateway, and DNS server.

The PPPoE communication process has two stages: the discovery stage and the PPP
session stage. The discovery stage uses four steps to establish the PPPoE connection:
initiation, offer, request, and session confirmation. These steps represent back-and-
forth communication between the client and the PPPoE server. After these steps have
been negotiated, the PPP session can be established using familiar PPP authentication
protocols.
 22

NETWORK ACCESS
CONTROL
Network access control (NAC) is a method to restrict access to the network based on
identity or posture (discussed later in this chapter). This was created by Cisco to
enforce privileges and make decisions on a client device based on information
gathered from it (such as the vendor and version of the antivirus software running). If
the wanted information is not found (such as that the antivirus definitions are a year
old), the client can be placed in a quarantine network area to keep them from
infecting the rest of the network. They can also be placed in a guest network and/or
allowed to run nonpersistent (versus persistent) agents.
REMOTE-CONTROL 23

PROTOCOLS
Several protocols are associated with remote-control access that you should be aware
of: Remote Desktop Protocol (RDP), Secure Shell (SSH), and Citrix Independent
Computing Architecture (ICA). RDP is used in a Windows environment. Terminal
Services in Windows Server 2008 and prior, now called Remote Desktop
Services (RDS) in Windows Server 2008 R2 and later, provides a way for a client
system to connect to a server, such as Windows Server, and, by using RDP, operate on
the server as if they were local client applications. Such a configuration is known
as thin client computing, whereby client systems use the resources of the server
instead of their local processing power.

Windows products (server as well as client) have built-in support for remote desktop
connections. The underlying protocol used to manage the connection is RDP. RDP is
a low-bandwidth protocol used to send mouse movements, keystrokes, and bitmap
images of the screen on the server to the client computer. RDP does not actually send
data over the connection—only screenshots and client keystrokes. RDP uses TCP and
UDP port 3389.

SSH is a tunneling protocol originally created for UNIX systems. It uses encryption
to establish a secure connection between two systems and provides alternative,
security-equivalent applications for such utilities as Telnet, File Transfer
Protocol (FTP), Trivial File Transfer Protocol (TFTP), and other communications-
oriented applications.
REMOTE-CONTROL 24

PROTOCOLS
Citrix ICA enables clients to access and run applications on a server, using
the server’s resources. Only the user interface, keystrokes, and mouse
movements transfer between the client system and the server. In effect,
even though you work at the remote computer, the system functions as if
you were actually sitting at the computer itself.
MAC FILTERING
25

Another name for a network card or network adapter is a network controller. Every
controller has a unique MAC address associated with it. Filtering network traffic
using a system’s MAC address typically is done using an ACL. This list keeps track
of all MAC addresses and is configured to allow or deny access to certain systems
based on the list.
TCP/IP FILTERING 26

Another type of filtering that can be used with an ACL is TCP/IP filtering.
The ACL determines what types of IP traffic will be let through the router.
IP traffic that is not permitted according to the ACL is blocked. Depending
on the type of IP filtering used, the ACL can be configured to allow or deny
several types of IP traffic:
  Protocol type: TCP, UDP, ICMP, SNMP, IP
  Port number used by protocols (for TCP/UPD)
  Message source address
  Message destination address
FULL BACKUPS
27

The preferred method of backup is the full backup method, which copies all files and
directories from the hard disk to the backup media.

The main advantage of full backups is that a single tape or tape set holds all
the data you need backed up. If a failure occurs, a single tape might be all
that is needed to get all data and system information back. The upshot of all
this is that any disruption to the network is greatly reduced.

Unfortunately, its strength can also be its weakness. A single tape holding
an organization’s data can be a security risk. If the tape were to fall into the
wrong hands, all the data could be restored on another computer.
Using passwords on tape backups and using a secure offsite and onsite
location can minimize the security risk.
 28

DIFFERENTIAL
BACKUPS
Companies that don’t have enough time to complete a full backup daily can use
the differential backup. Differential backups are faster than a full backup because they
back up only the data that has changed since the last full backup. This means that if
you do a full backup on a Saturday and a differential backup on the following
Wednesday, only the data that has changed since Saturday is backed up. Restoring the
differential backup requires the last full backup and the latest differential backup.
Differential backups know what files have changed since the last full backup because
they use a setting called the archive bit. The archive bit flags files that have changed
or have been created and identifies them as ones that need to be backed up.
INCREMENTAL
29

BACKUPS
Some companies have a finite amount of time they can allocate to backup procedures.
Such organizations are likely to use incremental backups in their backup strategy.
Incremental backups save only the files that have changed since the last full or
incremental backup. Like differential backups, incremental backups use the archive
bit to determine which files have changed since the last full or incremental backup.
Unlike differentials, however, incremental backups clear the archive bit, so files that
have not changed are not backed up.
30
TAPE ROTATIONS
31

After you select a backup type, you are ready to choose a backup rotation. Several
backup rotation strategies are in use—some good, some bad, and some really bad.
The most common, and perhaps the best rotation strategy is grandfather, father,
son (GFS).

The GFS backup rotation is the most widely used—and for good reason. For
example, a GFS rotation may require 12 tapes: 4 tapes for daily backups (son), 5
tapes for weekly backups (father), and 3 tapes for monthly backups (grandfather).

Using this rotation schedule, you can recover data from days, weeks, or months
earlier. Some network administrators choose to add tapes to the monthly rotation so
that they can retrieve data even further back, sometimes up to a year.
BACKUP BEST PRACTICES 32

• Offsite storage: Consider storing backup tapes offsite so that if a

disaster occurs in a building, a current set of tapes is still available offsite.
The offsite tapes should be as current as any onsite and should be secure.
 
• Label tapes: The goal is to restore the data as quickly as possible, and
trying to find the tape you need can prove difficult if it is not marked.
Furthermore, this can prevent you from recording over a tape you need.

•  New tapes: Like old cassette tapes, the tape cartridges used for the
backups wear out over time. One strategy used to prevent this from
becoming a problem is to periodically introduce new tapes into the rotation
schedule.
 
• Verify backups: Never assume that the backup was successful.
Seasoned administrators know that checking backup logs and performing
periodic test restores are part of the backup process.
 
• Cleaning: You need to occasionally clean the tape drive. If the inside
gets dirty, backups can fail.