CompTIA Network+

Chapter 12
Securing a Network
Objectives
 What are the goals of network security, and what sorts of attacks do you need to defend against?
 What best practices can be implemented to defend against security threats?
 What are the characteristics of various remote-access security technologies?
Objectives
 How can firewalls be used to protect an organization’s internal network, while allowing connectivity to an untrusted network, such as the Internet?
 How can virtual private networks (VPN) be used to secure traffic as that traffic flows over an untrusted network?
 What is the difference between intrusion prevention and intrusion detection systems, and how do they protect an organization from common security threats?
Securing a Network
 Today’s networks are increasingly dependent on connectivity with other networks.
 However, connecting an organization’s trusted network to untrusted networks, such as the Internet, introduces security risks.
 To protect your organization’s data from malicious users, you need to understand the types of threats against which you might have to defend.
Security Fundamentals
 For most of today’s corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world.
 All networks require network security.
Three Primary Goals of Network Security
 Confidentiality – keeping the data private
 Integrity – ensures that data has not been modified
 Availability – the data is accessible when needed
Security Fundamentals
CIA triad diagram: Confidentiality, Integrity, and Availability surrounding Data
Security Fundamentals
 Confidentiality can be provided by encryption.
 Encryption has two basic forms:
 Symmetric encryption -- implies that the same key is used by both the sender and receiver to encrypt and decrypt a packet.
 DES is an old, insecure cipher
 3DES and AES are much better
 Asymmetric encryption -- uses different keys for the sender and receiver of a packet
 RSA is the most common system, used by HTTPS
Security Fundamentals
 Integrity can be provided by hashing
 Hash value is like a fingerprint of the data
 Any alteration in data changes the hash
 Ethernet uses CRC32 to detect transmission errors
 MD5 is an old, insecure hash function
 SHA-1, SHA-2, and SHA-3 are newer and more secure
Security Fundamentals
 Availability can be provided by fault tolerance
 Attacks on availability are called Denial of Service (DoS) attacks
 A DoS attack from many machines is called a Distributed Denial of Service (DDoS) attack
Security Fundamentals

Figure 12-1 Symmetric Encryption Example


Security Fundamentals

Figure 12-2 Asymmetric Encryption Example


Security Fundamentals
 Categories of Network Attacks
 Confidentiality Attacks
 Makes confidential data visible to an
attacker
 Integrity Attacks
 Alters data in transit or at rest
 Availability Attacks
 Makes system unavailable to
authorized users
Security Fundamentals

Figure 12-3 Confidentiality Attack Example


Attacker compromises the Web server, then pivots to attack the database server
Security Fundamentals
 Attack techniques
 Packet capture
 Ping sweep and port scan
 Dumpster diving
 Electromagnetic emanations
 Wiretapping telephone lines
 Social engineering
 Steganography
 Covert channels
 Bouncing attack
Security Fundamentals

Figure 12-4 Integrity Attack


Security Fundamentals
 Integrity Attack Methods
 Salami attack (many small alterations)
 Data diddling (changes data before it is stored)
 Virus (attached to an EXE file)
 Worm (travels through a network)
 Trojan (masquerades as innocent software)
 Trust relationship exploitation
 Botnet
 Session hijacking
Security Fundamentals
 Password attacks
 Keylogger (steal keypresses)
 Packet capture
 Brute force (guess all possible passwords)
 Dictionary (try passwords from a dictionary)
Security Fundamentals

Figure 12-5 DoS Attack


Security Fundamentals

Figure 12-6 TCP SYN Flood Attack Example


Security Fundamentals

Figure 12-7 Smurf Attack Example


Security Fundamentals
 Availability Attacks
 DoS
 DDoS
 SYN flood
 Buffer overflow
 ICMP flood (Smurf attack)
Security Fundamentals
 Electrical Disturbances
 At a physical level, an attacker could launch an availability attack by interrupting or interfering with the electrical service available to a system, such as the following:
 Power spikes
 Electrical surges
 Power faults
 Blackouts
 Power sags
 Brownouts
 To combat these threats, you might want to install uninterruptible power supplies (UPS) and generator backup for strategic devices in your network.
Security Fundamentals
 Attacks on a System’s Physical Environment
 Attackers could also intentionally damage computing equipment by influencing the equipment’s physical environment:
 Temperature
 Humidity
 Gas
 Consider the following recommendations to mitigate such environmental threats:
 Computing facilities should be locked.
 Access should require access credentials.
 Access points should be visually monitored.
 The climate control system should be monitored.
 Fire detection and suppression systems should not damage computer equipment if possible.
Defending Against Attacks
 Now that we have an understanding of security fundamentals, it is time to talk about how to defend against security threats using network devices.
 User Training
 Many attacks require user intervention in order to be carried out.
 For example, a user needs to execute an application containing a virus before the virus takes any action.
 Similarly, social engineering requires a user to give sensitive information to an attacker in order for the attacker to access the user’s account.
Defending Against Attacks
 User Training (cont.)
 As a result, several potential attacks can be thwarted through effective user training.
 As a few examples, users could be trained on policies such as the following:
 Never give your password to anyone, even if they claim to be from IT.
 Do not open e-mail attachments from unknown sources.
 Select strong passwords, consisting of at least eight characters and containing a mixture of alphabetical (upper- and lowercase), numeric, and special characters.
 Change your password monthly (or more often).
Defending Against Attacks
 Patching
 Some attacks are directed at vulnerabilities known to exist in various OSs and applications.
 As these are discovered, the vendors of the OSs or applications often respond by releasing a patch.
 A patch is designed to correct a known bug or fix a known vulnerability in a piece of software.
 A network administrator should have a plan for implementing patches as they become available.
Defending Against Attacks
 Security Policies
 One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the failure to effectively communicate and enforce that security policy to all concerned.
 A security policy is a continually changing document that dictates a set of guidelines for network use.
 The main purpose of a security policy is to protect the assets of an organization.
 Assets – intellectual property, processes and procedures, sensitive customer data, and specific server functions.
Defending Against Attacks

Figure 12-8 Components of a Security Policy


Security Fundamentals
 Incident Response
 Everyone will get hacked
 Respond effectively
 Contain damage
 Reverse harm
 Improve security to prevent repeated attack
Defending Against Attacks
 Vulnerability Scanners
 After you deploy your network-security solution, components of that solution might not behave as expected.
 Additionally, you might not be aware of some of the vulnerabilities in your network devices.
 You should periodically test your network for weaknesses.
 These tests can be performed using applications designed to check for a variety of known weaknesses.
 These applications are known as vulnerability scanners.
 Nessus is a full vulnerability scanner
 Nmap (actually just a port scanner, not a full vulnerability scanner)
Defending Against Attacks

Figure 12-9 Nessus


Defending Against Attacks

Figure 12-10 Nmap


Defending Against Attacks
 Honey Pots and Honey Nets
 A honey pot acts as a distracter. Specifically, a system designated as a honey pot appears to be an attractive target.
 The attackers then use their resources attacking the honey pot, the end result of which is that they leave the real servers alone.
 Honey pot -- a single machine that draws the attacker’s attention.
 Honey net -- multiple machines that draw the attacker’s attention.
 A honey pot/net can also be used to study how attackers conduct their attacks.
Defending Against Attacks
 Access Control List (ACL)
 ACLs are rules, typically applied to router interfaces, that specify whether to permit or deny traffic.
 ACL filtering criteria:
 Source IP
 Destination IP
 Source port
 Destination port
 Source MAC
 Destination MAC
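The following is an added example, not part of the chapter or of any vendor's ACL implementation: a minimal router-style ACL evaluator in Python. It shows the two properties practitioners most often get wrong, that rules are checked top-down with the first match winning, and that a packet matching no rule falls through to the implicit deny at the end of the list. The ACL, addresses and ports are constructed for illustration; the MAC-address criteria from the slide are omitted to keep the block short.

```python
# Added example (not from the Network+ chapter): a minimal router-style ACL
# evaluator. Rules are checked top-down, the first match wins, and a packet
# that matches no rule hits the implicit "deny" at the end of the list.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: str                        # CIDR, e.g. "10.0.0.0/8"
    dst: str
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or 'deny' (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed sample ACL for an Internet-facing interface: drop packets that claim
# an internal source, allow web traffic to one DMZ server, implicitly deny the rest.
INBOUND_ACL = [
    Rule("deny",   "ip",  "10.0.0.0/8", "0.0.0.0/0"),             # spoofed internal source
    Rule("permit", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443),  # HTTPS to DMZ web server
    Rule("permit", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 80),   # HTTP to DMZ web server
    # implicit deny: e.g. SSH to the web server, or anything to the DB host
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.1.2.3", "203.0.113.10", "tcp", 443)):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
```

Reordering the rules changes the outcome: if the spoofed-source deny were placed after the permits, a packet from 10.1.2.3 to port 443 would be allowed, which is why ACLs are always read top to bottom when reviewing them.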
Defending Against Attacks

Figure 12-11 ACL Example


Defending Against Attacks
 Remote Access Security
 Although ACLs can be used to permit or deny specific connections flowing through a router, you also need to control connections to network devices.
 Many of these remote-access security methods have been introduced in preceding chapters.
Remote Access Security Methods
 RAS
 RDP
 PPPoE
 PPP
 SSH
 Kerberos
 AAA
 RADIUS
 TACACS+
 NAC
 802.1x
 CHAP
 MS-CHAP
 EAP
 Two-factor authentication
 Single sign-on
Defending Against Attacks
 Firewalls
 At this point, we have introduced various security threats, along with best practices to protect your network from those threats.
 Now we are going to cover three additional layers of security that can be applied to a network.
 The additional layers consist of firewalls, virtual private networks, and intrusion detection and prevention systems.
Defending Against Attacks
 Firewall Types
 A firewall defines a set of rules to dictate which types of traffic are permitted or denied as that traffic enters or exits a firewall interface.
 Software firewall -- can be used to protect a single system, or can be software loaded on a computer with more than one NIC, controlling traffic between them.
 Hardware firewall – an appliance that acts as the firewall.
 Firewall Inspection Types
 Packet-filtering firewall (stateless) -- inspects traffic solely on a packet’s header, one packet at a time.
 Stateful firewall – recognizes that a packet is part of a session that might have originated inside the LAN or outside the LAN.
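An added example, not from the chapter: a toy stateful firewall in Python that makes the stateless/stateful distinction concrete. Connections opened from the inside are recorded in a session table, and an inbound packet is permitted only if it is the reply to a recorded session; a stateless packet filter has no such table and would need a standing permit rule for the reply traffic. Addresses, ports and the `Pkt` record are constructed assumptions.

```python
# Added example (not from the Network+ chapter): a toy stateful firewall.
# Outbound connections are remembered; only matching return traffic is let back in.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str      # "out" (inside -> outside) or "in" (outside -> inside)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # bare TCP SYN: a new connection attempt, not a reply

class StatefulFirewall:
    def __init__(self) -> None:
        # session table keyed by (inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    def process(self, p: Pkt) -> str:
        if p.direction == "out":
            # inside hosts may open new connections; record each one
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "permit"
        # inbound: the reply's addresses are the recorded session's, reversed
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.sessions and not p.syn:
            return "permit"     # reply to a session the LAN opened
        return "deny"           # unsolicited inbound traffic

    def close(self, p: Pkt) -> None:
        """Drop the session once the inside host is done (e.g. after FIN/RST)."""
        self.sessions.discard((p.src_ip, p.src_port, p.dst_ip, p.dst_port))

if __name__ == "__main__":
    fw = StatefulFirewall()
    reply = Pkt("in", "198.51.100.7", 443, "192.168.1.10", 50000)
    print("reply before request:", fw.process(reply))                       # deny
    request = Pkt("out", "192.168.1.10", 50000, "198.51.100.7", 443, syn=True)
    print("request:", fw.process(request))                                   # permit
    print("reply after request:", fw.process(reply))                         # permit
```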
Defending Against Attacks

Figure 12-12 Packet-Filtering Firewall


Defending Against Attacks

Figure 12-13 Stateful Firewall


Defending Against Attacks
 Firewall Zones
 A firewall’s interfaces can be defined as belonging to different firewall zones.
 After the zones are created, you then set up rules based on those zones.
 Typical zone names:
 Inside
 Outside
 DMZ
Defending Against Attacks

Figure 12-14 Firewall Zone Example


Defending Against Attacks
 Virtual Private Networks (VPN)
 Much of today’s workforce is located outside of a corporate headquarters location.
 Some employees work in remote offices, while others telecommute, and others travel as part of their job.
 These employees need a secure method to connect back to the headquarters (HQ).
 WAN technologies could be used but would be expensive to implement.
 A VPN supports secure communication between two sites over an untrusted network.
Defending Against Attacks
 VPN (cont.)
 There are two primary categories of VPNs:
 Site to Site -- interconnects two sites, as an alternative to a leased line, at a reduced cost.
 Client to Site – interconnects a remote user with a site, as an alternative to dial-up or ISDN connectivity, at a reduced cost.
Defending Against Attacks

Figure 12-15 Sample Site-to-Site VPN


Defending Against Attacks

Figure 12-16 Sample Client-to-Site VPN


Defending Against Attacks
 Overview of IPsec
 Broadband technologies, such as cable and DSL, in addition to other VPN transport mechanisms, often traverse an untrusted network, such as the Internet.
 IPsec VPNs offer strong security features, such as the following:
 Confidentiality
 Integrity
 Authentication
 IKE Modes and Phases
 IPsec uses a collection of protocols to provide these features. One of the primary protocols that IPsec uses is the Internet Key Exchange (IKE).
Defending Against Attacks
Transport mode encrypts only the payload
Tunnel mode encrypts the whole packet
Defending Against Attacks

Figure 12-18 IPsec VPN Steps


Defending Against Attacks
 VPN Protocols
 SSL/TLS
 Strong, used by HTTPS
 L2TP/IPsec
 L2F
 Old tunneling protocol from Cisco, no encryption
 PPTP
 Old Microsoft VPN protocol, weak encryption
Defending Against Attacks
 Intrusion Detection and Prevention
 When an attacker launches an attack against a network, intrusion detection system (IDS) and intrusion prevention system (IPS) technologies are often able to recognize the attack and respond appropriately.
 Attacks might be recognizable by comparing incoming data streams against a database of well-known attack signatures.
 IDS Versus IPS
 An IDS sits parallel to the network; it is a passive device that monitors all traffic and sends alerts.
 An IPS sits in-line with the network; it is an active device that monitors all traffic, sends alerts, and deals with the offending traffic.
Defending Against Attacks

Figure 12-19 IDS and IPS Network Placement


Defending Against Attacks
 IDS and IPS Device Categories
 IDS and IPS devices can be categorized based on how they detect malicious traffic.
 Detection Methods
 Signature-based detection
 Policy-based detection
 Anomaly-based detection
 Deploying Network-Based and Host-Based Solutions
 NIPS and HIPS solutions can work in tandem. This helps further protect the system.
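An added example, not from the chapter and not the logic of any real sensor: the three detection methods listed above (signature, policy, anomaly) run over a constructed list of packet records, with the anomaly detector flagging the SYN flood pattern described earlier in the chapter. The signature string, the port policy, the SYN threshold and the sample traffic are all assumptions chosen for illustration.

```python
# Added example (not from the Network+ chapter): signature-, policy- and
# anomaly-based detection over constructed packet records.
from collections import Counter
from typing import List, Tuple

# (src_ip, dst_port, tcp_flags, payload): constructed record format for this example
Record = Tuple[str, int, str, bytes]

# Assumed signature database: a byte pattern of a known-bad request.
SIGNATURES = {"dir-traversal": b"../../"}
# Assumed site policy: only web ports may be contacted on the monitored server.
ALLOWED_PORTS = {80, 443}
# Assumed anomaly baseline: more than this many bare SYNs per source per window.
SYN_THRESHOLD = 5

def signature_alerts(traffic: List[Record]) -> List[str]:
    """Signature-based: flag records whose payload contains a known pattern."""
    return [f"{name} from {src}"
            for src, _, _, payload in traffic
            for name, sig in SIGNATURES.items() if sig in payload]

def policy_alerts(traffic: List[Record]) -> List[str]:
    """Policy-based: flag traffic that breaks a configured rule, regardless of content."""
    return [f"port {port} not allowed from {src}"
            for src, port, _, _ in traffic if port not in ALLOWED_PORTS]

def anomaly_alerts(traffic: List[Record]) -> List[str]:
    """Anomaly-based: flag a source whose bare-SYN count exceeds the baseline (SYN flood)."""
    syns = Counter(src for src, _, flags, _ in traffic if flags == "S")
    return [f"possible SYN flood from {src} ({n} SYNs)"
            for src, n in syns.items() if n > SYN_THRESHOLD]

# Constructed sample traffic: one clean request, one traversal attempt,
# one telnet connection attempt, and one source sending eight bare SYNs.
SAMPLE: List[Record] = (
    [("198.51.100.7", 80, "PA", b"GET /index.html HTTP/1.1\r\n"),
     ("198.51.100.7", 80, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
     ("198.51.100.9", 23, "S", b"")]
    + [("203.0.113.5", 80, "S", b"")] * 8
)

if __name__ == "__main__":
    for detector in (signature_alerts, policy_alerts, anomaly_alerts):
        print(detector.__name__, detector(SAMPLE))
```

Note which detector catches which record: the traversal request is only visible to the signature match, the telnet attempt only to the policy check, and the SYN flood only to the rate-based anomaly check, which is why real deployments combine all three.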
Defending Against Attacks

Figure 12-20 NIDS, NIPS, and HIPS Deployment Example
