Network Security

Introduction to Network
Security
Objectives
• Develop a network security policy
• Secure physical access to network equipment
• Secure network data
• Use tools to find network security weaknesses
Guide to Networking Essentials, Fifth Edition 2

Network Security Overview and
Policies
• Perceptions of network security vary depending on:
– People
– Industry
• Network security should be as unobtrusive as
possible, allowing network users to concentrate on
the tasks they want to accomplish, rather than how
to get to the data they need to perform those tasks
• A company that can demonstrate its information
systems are secure is more likely to attract
customers, partners, and investors
Developing a Network Security Policy
• A network security policy describes the rules
governing access to a company’s information
resources, the enforcement of those rules, and the
steps taken if rules are breached
– Should also describe the permissible use of those
resources after they’re accessed
– Should be easy for ordinary users to understand and
reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so
that everyone understands its purpose
Determining Elements of a Network
Security Policy
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• Security policy should protect organization legally
• Security policy should be continual work in progress
Understanding Levels of Security
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being
breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users to
use a secure network outweighed by the need to
provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive, open

Highly Restrictive Security Policies
• Include features such as:
– Data encryption, complex password requirements,
detailed auditing and monitoring of computer and
network access, intricate authentication methods, and
policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when cost of a security breach is high
Moderately Restrictive Security
Policies
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts,
network resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and
auditing features to implement the required policies
• Infrastructure can be secured with moderately
priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and
support
Open Security Policies
• Policy might have simple or no passwords,
unrestricted access to resources, and probably no
monitoring and auditing
• Makes sense for a small company with the primary
goal of making access to network resources easy
• Internet access should probably not be possible via
the company LAN
– If Internet access is available company-wide, a more
restrictive policy is probably warranted
• Sensitive data, if it exists, might be kept on
individual workstations that are backed up regularly
and are physically inaccessible to other employees
Common Elements of Security Policies
• Virus protection for servers and desktop computers
is a must
• There should be policies aimed at preventing
viruses from being downloaded or spread
• Backup procedures for all data that can’t be easily
reproduced should be in place, and a disaster
recovery procedure must be devised
• Security is aimed not only at preventing improper
use of or access to network resources, but also at
safeguarding the company’s information
Securing Physical Access to the
Network
• If there’s physical access to equipment, there is no
security
– A computer left alone with a user logged on is
particularly vulnerable
• If an administrator account is logged on, a person can
even give his/her account administrator control
– If no user is logged on
• People could log on to the computer with their own
accounts and access files to which they wouldn’t
normally have access
• Computer could be restarted and booted from
removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked
Physical Security Best Practices
• When planning your network, ensure that rooms are
available to house servers and equipment
– Rooms should have locks and be suitable for the
equipment being housed
• If a suitable room isn’t available, locking cabinets,
freestanding or wall mounted, can be purchased to
house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should
be inaccessible to eavesdropping equipment
• Physical security plan should include procedures for
recovery from natural disasters (e.g., fire or flood)
Physical Security of Servers
• May be stashed away in lockable wiring closet
along with switch to which the server is connected
• Often require more tightly controlled environmental
conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s
preferably on a circuit separate from other devices
• If you must put servers accessible to people who
should not have physical access to them, use
locking cabinets
– You can purchase rack-mountable servers

Security of Internetworking Devices
• Routers and switches contain critical configuration
information and perform essential network tasks
– Internetworking devices, such as hubs, switches,
and routers, should be given as much attention in
terms of physical security as servers
• A room with a lock is the best place for these
devices
• Wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a
mounting hole for a fan
– They also come with convenient channels for wiring

Securing Access to Data
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security

Implementing Secure Authentication
and Authorization
• Administrators must control who has access to the
network (authentication) and what logged on
users can do to the network (authorization)
– NOSs have tools to specify options and restrictions
on how/when users can log on to network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission
settings determine what a user can access on a
network and what actions a user can perform
Configuring Password Requirements
in a Windows Environment
• Specify if passwords are required for all users, how
many characters a password must be, and whether
they should meet certain complexity requirements
• XP allows passwords up to 128 characters
– Minimum of five to eight characters is typical
– If minimum length is 0, blank passwords are allowed
• Other options include Maximum/Minimum
password age, and Enforce password history
• When a user fails to enter a correct password, a
policy can be set to lock the user account
in a Windows Environment (continued)

in a Linux Environment
• Linux password configuration can be done globally
or on a user-by-user basis
• Options in a standard Linux Fedora Core 4 include
maximum/minimum password age, and number of
days’ warning a user has before password expires
– Linux system must be using shadow passwords, a
secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to
set other options like account lockout, password
history, and complexity tests
Reviewing Password Dos and Don’ts
• Use a combination of uppercase letters, lowercase
letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name,
family members’ names, or even your pet’s name
• Don’t use common dictionary words unless they
are part of a phrase
• Don’t make your password so complex that you
forget it or need to write it down somewhere
Restricting Logon Hours and Logon
Location

Restricting Logon Hours and Logon
Location (continued)

Authorizing Access to Files and
Folders
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and
only folders) shared over the network
• Don’t apply to files/folders if user is logged on locally
• These are the only file security options available in a
FAT or FAT32 file system
– NTFS permissions allow administrators to assign
permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to user
accounts and group accounts
• Six standard permissions are available for folders

Folders (continued)

Folders (continued)

Securing Data with Encryption
• Use encryption to safeguard data as it travels
across the Internet and within the company
network
– Prevents somebody using eavesdropping
technology, such as a packet sniffer, from capturing
packets and using the data for malicious purposes
• Data on disks can be secured with encryption

Using IPSec to Secure Network Data
• The most popular method for encrypting data as it
travels network media is to use an extension to the
IP protocol called IP Security (IPSec)
– Establishes an association between two
communicating devices
• Association is formed by two devices authenticating
their identities via a preshared key, Kerberos
authentication, or digital certificates
– After the communicating parties are authenticated,
encrypted communication can commence

(continued)

(continued)

Securing Data on Disk Drives

Securing Communication with Virtual
Private Networks

VPNs in a Windows Environment
• Windows supports a special TCP/IP protocol called
Point-to-Point Tunneling Protocol (PPTP)
– A user running Windows can dial up a Windows server
when it’s running RRAS
– A VPN could be established permanently across the
Internet by leasing dedicated lines at each end of a
two-way link and maintaining ongoing PPTP-based
communications across that dedicated link
• Starting with Windows 2000, Windows supports
Layer 2 Tunneling Protocol (L2TP)
– Supports advanced authentication and encryption
– Requires Windows machines on both sides
VPNs in Other OS Environments
• Linux implementations of VPNs typically use PPTP or IPSec;
an L2TP implementation is now available
• One of the most popular VPN solutions for Linux is a free
downloadable package called OpenSwan
• Novell NetWare provides VPN server connections to
corporate networks for VPN clients
• Mac OS 9 and later supports VPN client connections to
Windows (using PPTP or IPSec)
• One method of providing VPN services to connect remote
sites is to use routers with VPN capability to form a router-to-
router VPN connection

VPN Benefits
• Advantages of using VPNs
– Installing several modems on an RRAS server so
that users can dial up the server directly isn’t
necessary; instead, users can dial up any ISP
– Remote users can usually access an RRAS server
by making only a local phone call, as long as they
can access a local ISP
– When broadband Internet connectivity is available
(e.g., DSL, cable modem), remote users can
connect to the corporate network at high speed,
making remote computing sessions more productive
• Additionally, VPNs save costs
Protecting Networks with Firewalls
• Firewall: HW device or SW program that inspects
packets going into or out of a network or computer,
and then discards/forwards them based on rules
– Protects against outside attempts to access
unauthorized resources, and against malicious
network packets intended to disable or cripple a
corporate network and its resources
– If placed between Internet and corporate network,
can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a
packet (stateful packet inspection (SPI))
Using a Router as a Firewall
• A firewall is just a router with specialized SW that
facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets
are permitted both into and out of the network
– Network administrator must create rules (access
control lists) that deny certain types of packets
• Typically, an administrator builds access control lists
so that all packets are denied, and then creates rules
that make exceptions

Using Intrusion Detection Systems
• An IDS usually works with a firewall or router with
access control lists
– A firewall protects a network from potential break-ins
or DoS attacks, but an IDS must detect an attempted
security breach and notify the network administrator
– May be able to take countermeasures if an attack is
in progress
– Invaluable tool to help administrators know how
often their network is under attack and devise
security policies aimed at thwarting threats before
they have a chance to succeed
Using Network Address Translation to
Improve Security
• A benefit of NAT is that the real address of an
internal network resource is hidden and
inaccessible to the outside world
– Because most networks use NAT with private IP
addresses, those devices configured with private
addresses can’t be accessed directly from outside
the network
– An external device can’t initiate a network
conversation with an internal device, thus limiting an
attacker’s options to cause mischief

Protecting a Network from Worms,
Viruses, and Rootkits
• Malware is SW designed to cause harm/disruption
to a computer system or perform activities on a
computer without the consent of its owner
– A virus spreads by replicating itself into other
programs or documents
– A worm is similar to a virus, but it doesn’t attach
itself to another program
– A backdoor is a program installed on a computer
that permits access to the computer, bypassing the
normal authentication process
– To help prevent spread of malware, every computer
should have virus-scanning software running
Protecting a Network from Worms,
Viruses, and Rootkits (continued)
• A Trojan program appears to be something useful,
but in reality contains some type of malware
• Rootkits are a form of Trojan programs that can
monitor traffic to and from a computer, monitor
keystrokes, and capture passwords
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the
hoax is the virus!
• Malware protection can be expensive; however, the
loss of data and productivity that can occur when a
network becomes infected is much more costly
Protecting a Network from Spyware
and Spam
• Spyware: monitors/controls part of a computer at
the expense of user’s privacy and to the gain of a
third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and
some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth,
and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places on
an e-mail account, spammers find a way around them
Implementing Wireless Security
• Attackers who drive around looking for wireless
LANs to intercept are called wardrivers
• Wireless security methods
– SSID (not easy to guess and not broadcast)
– Wired Equivalency Protocol (WEP)
– Wi-Fi Protected Access (WPA)
– 802.11i
– MAC address filtering
• You should also set policies: limit AP signal
access, change encryption key regularly, etc.
Using a Cracker’s Tools to Stop
Network Attacks
• If you want to design a good, solid network
infrastructure, hire a security consultant who knows
the tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to
compromise a network or computer system for the
purposes of personal gain or to cause harm
– The term hacker has had a number of meanings
throughout the years
• White hats often use the term penetration tester for
their consulting services

Discovering Network Resources
• Attackers use command-line utilities such as Ping,
Traceroute, Finger, and Nslookup to get information
about the network configuration and resources
– Other tools used
• Ping scanner: automated method for pinging a range
of IP addresses
• Port scanner: determines which TCP and UDP ports
are available on a particular computer or device
• Protocol analyzers are also useful for resource
discovery because they allow you to capture packets
and determine which protocol’s services are running

Discovering Network Resources (continued)



Gaining Access to Network Resources
• One of the easiest resources to open is one in
which no password is set
– Check all devices that support Telnet, FTP, e-mail,
and Web services
– Verify that passwords are set on all devices and
disable any unnecessary services
• If an attackers needs to learn user name/password:
– Finger may be used to discover user names
– Linux, NetWare, and Windows servers have default
administrator names that are often left unchanged
• Attacker may then use a password-cracking tool
Disabling Network Resources
• A denial-of-service (DoS) attack is an attacker’s
attempt to tie up network bandwidth or network
services so that it renders those resources useless
to legitimate users
– Packet storms typically use the UDP protocol
because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie
up a server with invalid TCP sessions, thereby
preventing real sessions from being created
– In a ping flood, a program sends a large number of
ping packets to a host
Summary
• A network security policy describes rules governing access to a
company’s information resources
– Should contain these types of policies: privacy policy, acceptable
use policy, authentication policy, Internet use policy, auditing
policy, and data protection policy
• Must secure physical access to network resources
• Securing access to data includes authentication and
authorization, encryption/decryption, VPNs, firewalls,
virus/worm/spyware protection, and wireless security
• VPNs are an important aspect of network security
– Secure remote access to private network (via Internet)

Summary (continued)
• Firewalls filter packets and permit or deny packets
based on a set of defined rules
• Malware can be viruses, worms, Trojans, and rootkits
• Wireless security involves attention to configuring
SSID correctly and configuring/using wireless
security protocols, such as WEP, WPA, or 802.11i
• Tools that crackers use to compromise a network can
be used to determine whether a network is secure
• DoS attacks are used to disrupt network operation

Network Security

Uploaded by

Copyright:

Available Formats

Network Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Network Security

Uploaded by

Copyright:

Available Formats

Introduction to Network

Guide to Networking Essentials, Fifth Edition 2

Guide to Networking Essentials, Fifth Edition 6

Guide to Networking Essentials, Fifth Edition 13

Guide to Networking Essentials, Fifth Edition 14

Guide to Networking Essentials, Fifth Edition 15

Guide to Networking Essentials, Fifth Edition 18

Guide to Networking Essentials, Fifth Edition 21

Guide to Networking Essentials, Fifth Edition 22

Guide to Networking Essentials, Fifth Edition 23

Guide to Networking Essentials, Fifth Edition 24

Guide to Networking Essentials, Fifth Edition 25

Guide to Networking Essentials, Fifth Edition 26

Guide to Networking Essentials, Fifth Edition 27

Guide to Networking Essentials, Fifth Edition 28

Guide to Networking Essentials, Fifth Edition 29

Guide to Networking Essentials, Fifth Edition 30

Guide to Networking Essentials, Fifth Edition 31

Guide to Networking Essentials, Fifth Edition 33

Guide to Networking Essentials, Fifth Edition 36

Guide to Networking Essentials, Fifth Edition 38

Guide to Networking Essentials, Fifth Edition 44

Guide to Networking Essentials, Fifth Edition 45

Guide to Networking Essentials, Fifth Edition 46

Guide to Networking Essentials, Fifth Edition 47

Guide to Networking Essentials, Fifth Edition 48

Guide to Networking Essentials, Fifth Edition 51

Guide to Networking Essentials, Fifth Edition 52

You might also like