Chapter 13 – Network Security

Chapter 13 – Network Security
- Password Protection
- Security Models
- Firewalls
- Security Protocols

Using Passwords Passwords are the most common method of securing network resources. Passwords can be an effective security mechanism, or they can be useless, depending on how they are used. The strength of any password protection is based on the password policies that administrators set.

Using Passwords Most operating systems include tools that allow administrators to impose password policies on users, such as:
- Password length restrictions
- Password change intervals
Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources.

Controlling User Account Password Settings

Using the Windows 2000 Group Policy Interface

Setting a Minimum Password Length

Setting a Password Change Interval

Enforcing Password Complexity

Setting Account Lockout Policies
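The four policy settings named on the slides above (minimum length, change interval, complexity, account lockout) are easiest to understand as checks applied at password-change time and at each logon. The block below is an added example written for this page, not code from the chapter or from any Windows component; the policy values, the account record and the integer "minutes" clock are constructed for the demonstration, and a real directory service would store a password hash rather than the password itself.

```python
from dataclasses import dataclass
from typing import List, Optional

MINUTES_PER_DAY = 24 * 60


@dataclass
class PasswordPolicy:
    """Settings of the kind the chapter lists; the values here are illustrative."""
    min_length: int = 8
    max_age_days: int = 90        # password change interval
    min_classes: int = 3          # complexity: classes out of upper/lower/digit/symbol
    lockout_threshold: int = 5    # failed attempts before the account locks
    lockout_minutes: int = 30     # how long the lockout lasts


def check_complexity(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the policy violations for a proposed password (empty list = acceptable)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, need {policy.min_classes}")
    return problems


@dataclass
class Account:
    username: str
    password: str                 # constructed example only; real systems store a hash
    password_set: int             # time values are minutes on a constructed clock
    failed_attempts: int = 0
    locked_until: Optional[int] = None


def attempt_logon(acct: Account, supplied: str, policy: PasswordPolicy, now: int) -> str:
    """Return "ok", "expired", "denied" or "locked" for one logon attempt at time `now`."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if supplied == acct.password:
        acct.failed_attempts = 0
        acct.locked_until = None
        if now - acct.password_set > policy.max_age_days * MINUTES_PER_DAY:
            return "expired"      # correct password, but the change interval has passed
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= policy.lockout_threshold:
        acct.failed_attempts = 0
        acct.locked_until = now + policy.lockout_minutes
        return "locked"
    return "denied"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(check_complexity("abc", policy))          # two violations
    print(check_complexity("Tr0ub4dor&3", policy))  # []
```

The lockout counter is what turns a password policy into a defence against online guessing: without it, a short minimum length only bounds how long a guessing run takes. Note that a lockout policy also lets anyone who can reach the logon prompt lock a user out by sending wrong passwords, which is why the lockout duration is kept finite.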

Security Models/Security Levels
- Client/Server Networks
- Peer-to-peer Networks
- User-Level Security
- Share-Level Security

Client/Server Networks User accounts are stored in a central location. A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network.

Client/Server Networks Account information can be stored in a centralized directory service or on individual servers. A directory service, such as the Microsoft Windows 2000 Active Directory service or Novell Directory Services (NDS), provides authentication services for an entire network.

Peer-to-Peer Networks Each computer maintains its own security information and performs its own authentications. Computers on this type of network can function as both clients and servers.

Peer-to-Peer Networks When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access.

Peer-to-Peer User-Level Security When users log on to their computers, they are authenticated against an account on that system. If several people use the same computer, each must have a separate user account. When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources. The user-level, peer-to-peer security model is suitable only for relatively small networks. If users want to change their account passwords, they must change them on every computer on which they have an account.

Client/Server User-Level Security Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Microsoft Windows NT domain. When users log on to their computers, the directory service authenticates them. When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller. With all accounts stored in a centralized directory service, administrators and users can make changes more easily.

Peer-to-Peer Share Level Security Microsoft Windows Me, Microsoft Windows 98, and Microsoft Windows 95 cannot maintain their own user accounts. In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security. In share-level security, users assign passwords to the individual shares they create on their computers. When network users want to access a share on another computer, they must supply the appropriate password. The share passwords are stored on the individual computers. When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share. Share-level security is not as flexible as user-level security and does not provide as much protection.

Setting Share-Level Passwords

What Is a Firewall? A firewall is a hardware or software product designed to protect a network from unauthorized access. A network connected to the Internet must have a firewall to protect it from Internet intruders. A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network. Some firewalls are dedicated routers with additional software that monitors incoming and outgoing traffic. Some firewalls are software products that run on a standard computer.

Packet Filtering The most basic type of firewall. Functions:
- Examines arriving packets
- Decides whether to allow the packets to gain access to the network, based on the information found in the protocol headers used to construct the packets

Packet Filter Types
- Hardware addresses. Filter packets based on hardware addresses, enabling only certain computers to transmit data to the network
- IP addresses. Permit only traffic destined to or originating from specific addresses to pass through to the network

Packet Filter Types
- Protocol identifiers. Filter packets based on the protocol that generated the information carried within an Internet Protocol (IP) datagram
- Port numbers. Filter packets based on the source or destination port number specified in a packet’s transport layer protocol header
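The four filter criteria on the two slides above (hardware address, IP address, protocol identifier, port number) combine into an ordered rule list where the first matching rule decides and an unmatched packet is dropped. The block below is an added example written for this page, not code from the chapter or from any firewall product; the `Packet` and `Rule` classes, the addresses and the rule set are constructed for the demonstration (the private network 192.168.1.0/24 and web server 192.0.2.10 are assumptions).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter inspects (constructed summary, not a real parser)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # None for protocols without a port


@dataclass(frozen=True)
class Rule:
    """A rule matches only when every criterion that is set agrees with the packet."""
    action: str                      # "allow" or "deny"
    src_mac: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_mac is not None and self.src_mac.lower() != pkt.src_mac.lower():
            return False
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


# Constructed rule set for the Internet-facing interface. Order matters: the
# anti-spoofing rule must come first, and everything not listed is denied.
RULES: List[Rule] = [
    # A packet arriving from the Internet with an internal source address is forged.
    Rule("deny", src_net="192.168.1.0/24"),
    # Only the web service on the public server is reachable from outside.
    Rule("allow", protocol="tcp", dst_net="192.0.2.10/32", dst_port=80),
    Rule("allow", protocol="tcp", dst_net="192.0.2.10/32", dst_port=443),
    # Hardware-address rule for a device on the same segment (e.g. the upstream router).
    # MAC addresses only exist on the local link and are trivially changed, so this
    # criterion is weak on its own and is kept last.
    Rule("allow", src_mac="00:11:22:33:44:55", protocol="icmp"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule decides; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


if __name__ == "__main__":
    web = Packet("aa:bb:cc:dd:ee:01", "198.51.100.7", "192.0.2.10", "tcp", 80)
    telnet = Packet("aa:bb:cc:dd:ee:01", "198.51.100.7", "192.0.2.10", "tcp", 23)
    print(filter_packet(web), filter_packet(telnet))   # allow deny
```

The default-deny return at the end is the part that makes the list a firewall rather than a blocklist: anything the administrator did not think of is dropped instead of passed.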

NAT NAT stands for network address translation. NAT is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses. NAT allows you to assign unregistered IP addresses to your computers.

NAT The router that provides Internet access can use NAT. The NAT router functions as an intermediary between the private network and the Internet. NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions.
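The masking the two NAT slides describe comes down to a translation table: outbound packets from the private network get the router's public address and a chosen port, and an inbound packet is forwarded only if it matches an entry that an outbound packet created. The block below is an added example written for this page, not code from the chapter or from any router; it models the port-based NAT used by connection-sharing products, and the `NatRouter` class, the addresses and the port range are constructed for the demonstration.

```python
from typing import Dict, Optional, Tuple


class NatRouter:
    """Port-based NAT with a single public address (constructed example).

    A private host's (address, port) is rewritten to (public address, chosen port)
    on the way out, and only a reply to a flow already in the table is rewritten
    back on the way in. Private addresses therefore never appear on the Internet side.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.in_table: Dict[int, Tuple[str, int]] = {}    # public port -> (private ip, port)

    def translate_outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite the source of an outgoing packet, creating a table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            public_port = self.next_port
            self.next_port += 1
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return self.public_ip, self.out_table[key]

    def translate_inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Rewrite the destination of an incoming packet, or return None to drop it.

        A packet from the Internet that matches no outbound flow has no entry, so
        it is dropped: that is the protection against intruders the chapter describes.
        """
        return self.in_table.get(dst_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.1")
    print(nat.translate_outbound("192.168.1.10", 51000))  # ('203.0.113.1', 40000)
    print(nat.translate_inbound(40000))                    # ('192.168.1.10', 51000)
    print(nat.translate_inbound(40777))                    # None: unsolicited, dropped
```

The protection is a side effect of the table, not a policy: anything a private host initiates is allowed back in, so NAT complements packet filtering rather than replacing it.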

Proxy Servers Proxy servers are similar to NAT routers, except that they function at the application layer of the Open Systems Interconnection (OSI) reference model. A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access. Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server. The Internet server replies to the proxy server, which relays the response to the client.

Proxy Servers Proxy servers can cache the information they receive from the Internet. Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services. The main problem with proxy servers is that you sometimes must configure applications to use them.

Configuring a Proxy Server Client

Security Protocols
- IPSec – Internet Protocol Security, protects data transmitted over the LAN
- IP AH – IP Authentication Header
- IP ESP – IP Encapsulating Security Payload
- L2TP – Layer 2 Tunneling Protocol
- SSL – Secure Socket Layer

IPSec IPSec stands for Internet Protocol Security. IPSec is a series of draft standards published by the Internet Engineering Task Force (IETF). IPSec defines a methodology that uses authentication and encryption to secure the data transmitted over a local area network (LAN). IPSec consists of two separate protocols that provide different levels of security protection: IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP). Using the two protocols together provides the best possible security IPSec can offer.

IP AH Protocol AH provides authentication and guaranteed integrity of IP datagrams. AH adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer. When you use AH, the Protocol field in the IP header identifies the AH protocol, instead of the transport layer protocol contained in the datagram. The AH header contains:
- A sequence number that prevents unauthorized computers from replaying a message
- An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered

IP ESP Protocol
- Provides datagram encryption
- Encapsulates the transport layer data in each datagram by using its own header and trailer
- Encrypts all of the data following the ESP header
- Also contains a sequence number and an ICV
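Both the AH slide and the ESP slide above mention a sequence number and an ICV without showing how the receiver uses them together. The block below is an added example written for this page, not code from the chapter or from any IPsec implementation: it reproduces the receiver logic IPsec specifies (check the sequence number against a sliding window first, then verify the ICV, and only then record the packet) on a simplified packet layout. The 4-byte sequence number, the full 32-byte HMAC-SHA256 as ICV, the key and the 32-packet window are constructed for the demonstration; in IPsec the key and algorithm come from the negotiated security association.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed; in IPsec it comes from the security association
ICV_LEN = 32                    # HMAC-SHA256 output length (real AH/ESP ICVs are truncated)


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender side: 4-byte sequence number, payload, then the ICV computed over both."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + icv


class Receiver:
    """Receiver side: anti-replay window plus ICV check, in the order IPsec uses."""

    def __init__(self, key: bytes = KEY, window: int = 32) -> None:
        self.key = key
        self.window = window
        self.highest = 0     # highest sequence number accepted so far (sender starts at 1)
        self.bitmap = 0      # bit i set <=> sequence number (highest - i) was already received

    def receive(self, packet: bytes) -> str:
        if len(packet) < 4 + ICV_LEN:
            return "malformed"
        header, body, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
        seq = struct.unpack("!I", header)[0]

        # 1. Cheap anti-replay check before any cryptography is done.
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= self.window or (self.bitmap >> offset) & 1:
                return "replay"          # too old for the window, or already seen

        # 2. Verify integrity; an altered or forged packet must not touch the window.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return "bad icv"

        # 3. Only an authenticated packet updates the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "ok"


if __name__ == "__main__":
    rx = Receiver()
    first = protect(1, b"hello")
    print(rx.receive(first), rx.receive(first))   # ok replay
```

The ordering matters for more than efficiency: if the window were updated before the ICV check, a forged packet with a high sequence number could push genuine packets out of the window and cause the receiver to discard them.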

L2TP L2TP stands for Layer 2 Tunneling Protocol. L2TP is derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP). IPSec can operate in tunnel mode independently or with L2TP. L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside User Datagram Protocol (UDP) packets.

SSL SSL stands for Secure Sockets Layer. SSL is a special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers. Virtually all of the Web servers and browsers available today support SSL. For example, when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server. Like IPSec, SSL provides authentication and encryption services.

Kerberos Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability. Kerberos was developed at MIT and is now standardized by the IETF. When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network. Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges.

Chapter Summary Password policies ensure that users choose effective passwords. User-level security requires a separate account for each user. In share-level security, all users access shares by using the same passwords. A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers. Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network.