1
Chapter 6 Network Security
Modified 9/11/2015-jw
2
Objectives
List the different types of network security devices and explain how they can be used
Define network address translation and network access control
Explain how to enhance security through network design
3
Network Security Fundamentals
Once, information security and network security were virtually synonymous: the network was viewed as the protecting wall inside which client computers could be kept safe.
This approach is untenable, because too many entry points circumvent the network and let malware in:
An infected USB flash drive
Malware that rides on common network protocols such as HTTP, which network security devices cannot always detect or block
4
Network Security Posture
Yet a secure network is still essential to a comprehensive information security posture:
Not all applications are designed and written with security and reliability in mind, so it falls to the network to provide protection
Network-delivered services scale better for larger environments and can complement server and application functionality
An attacker who successfully penetrates the network may gain access to thousands of desktop systems, servers, and storage devices
5
Network Security Strategy
Secure network defense remains a critical element of any organization's security plan
Organizations should make network defenses one of their first priorities in protecting information
Network security strategy rests on three elements:
Network devices
Network technologies
Design of the network
6
Security Through Network Devices
Not all applications are designed and written with security in mind
The network must provide protection
Networks with weak security invite attackers
7
Standard Network Devices
Aspects of building a secure network:
Network devices
Network technologies
Design of the network itself
The security features found in standard network hardware provide only a basic level of security
8
Standard Network Devices
Open Systems Interconnection (OSI) reference model
Network devices are classified based on the layer at which they function
Standards released in 1978, revised in 1983, still used today
Illustrates:
How a network device prepares data for delivery
How data is handled once received
9
Standard Network Devices (cont’d.)
The OSI model breaks networking into seven layers
Each layer has different networking tasks
Each layer cooperates with the adjacent layers
10
Security+ Guide to Network Security Fundamentals, Fourth Edition
Table 6-1 OSI reference model
11
Standard Network Devices (cont’d.)
Hubs
Connect multiple Ethernet devices together to function as a single network segment
Use coaxial, twisted-pair copper or fiber-optic cables
Operate at Layer 1 of the OSI model
Do not read the data passing through them; ignorant of data source and destination
Repeat every frame out every port, so any attached device can capture all traffic on the segment
Rarely used today because of this inherent security weakness
12
Standard Network Devices (cont’d.)
Switches
A network switch connects network segments
Operates at the Data Link Layer (Layer 2)
Determines which device is connected to each port and forwards frames only to the port of that specific device (or to all ports when the destination is unknown or a broadcast)
Uses MAC addresses to identify devices
Provides better security than hubs
13
Standard Network Devices (cont’d.)
A network administrator should be able to monitor network traffic
Helps identify and troubleshoot network problems
Traffic monitoring methods
Use a switch with port mirroring, which copies all traffic to a designated monitoring port on the switch
Security issue: whoever is plugged into the mirror port receives a copy of every frame, so that port must be physically and administratively protected
14
Standard Network Devices (cont’d.)
Traffic monitoring methods (cont'd)
Install a network tap (test access point): a device installed between two network devices, such as a switch, router, or firewall, to monitor traffic
15
Build your own for $14.99!
16
Network Attacks
17
Spoofing attacks (Discussed in CCNP)
DHCP starvation and DHCP spoofing
An attacking device can exhaust the address space available to the DHCP servers for a period of time, or establish itself as a DHCP server in man-in-the-middle attacks
Solution
DHCP snooping (server replies are accepted only on trusted ports; DHCP on untrusted ports can be rate-limited)
Because starvation relies on many forged client MAC addresses, port security on the access ports also limits it
18
Spoofing attacks (Discussed in CCNP)
Spanning tree compromises
An attacking device spoofs the root bridge in the STP topology. If successful, the network attacker can see a variety of frames.
Solution
Proactively configure the primary and backup root devices
Enable root guard
19
Spoofing attacks (Discussed in CCNP)
MAC spoofing
An attacking device spoofs the MAC address of a valid host currently in the CAM table. The switch then forwards frames destined for the valid host to the attacking device.
Solution
DHCP snooping
Port security
20
Spoofing attacks (Discussed in CCNP)
Address Resolution Protocol (ARP) spoofing
An attacking device crafts ARP replies intended for valid hosts. The attacking device's MAC address then becomes the destination address in the Layer 2 frames sent by the valid network device.
Solution
Dynamic ARP Inspection
DHCP snooping
Port security
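To make the DHCP-snooping and DAI mitigations on the preceding slides concrete, here is an added model of one access switch (example code written for this page, not from the slides or any vendor). The switch records each lease it sees into a binding table, refuses DHCP server messages on untrusted ports, and uses the bindings to validate ARP replies. Port names, MAC and IP addresses are constructed.

```python
# Added example (not from the slides): a model of DHCP snooping and
# Dynamic ARP Inspection (DAI) on one access switch. Port names, MAC and
# IP addresses are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    trusted_ports: set                              # uplinks / ports with real DHCP servers
    bindings: dict = field(default_factory=dict)    # ip -> (mac, port): the snooping binding table
    log: list = field(default_factory=list)

    def dhcp_server_msg(self, port, server_mac):
        """DHCP snooping: an OFFER/ACK arriving on an untrusted port is a rogue server; drop it."""
        if port not in self.trusted_ports:
            self.log.append(f"DROP rogue DHCP server {server_mac} on {port}")
            return False
        return True

    def dhcp_ack_to_client(self, client_port, client_mac, ip):
        """The switch watches leases being handed out and records ip/mac/port."""
        self.bindings[ip] = (client_mac, client_port)

    def arp_reply(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the sender IP/MAC pair must match a binding on that port."""
        if port in self.trusted_ports:
            return True
        if self.bindings.get(sender_ip) != (sender_mac, port):
            self.log.append(f"DROP ARP '{sender_ip} is-at {sender_mac}' on {port}")
            return False
        return True


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})       # Gi0/24: uplink towards the real DHCP server
    host_a, host_b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    attacker = "02:de:ad:be:ef:03"                      # plugged into Gi0/3
    sw.dhcp_ack_to_client("Gi0/1", host_a, "10.0.0.11")
    sw.dhcp_ack_to_client("Gi0/2", host_b, "10.0.0.12")
    return {
        "rogue_dhcp":   sw.dhcp_server_msg("Gi0/3", attacker),           # DHCP spoofing attempt
        "real_dhcp":    sw.dhcp_server_msg("Gi0/24", "00:00:5e:00:53:fe"),
        "legit_arp":    sw.arp_reply("Gi0/1", host_a, "10.0.0.11"),
        "spoofed_arp":  sw.arp_reply("Gi0/3", attacker, "10.0.0.11"),   # "10.0.0.11 is at attacker"
        "wrong_port":   sw.arp_reply("Gi0/3", host_a, "10.0.0.11"),     # right MAC, wrong port
        "log":          sw.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The binding table is what ties the two features together: DAI has nothing to check against on a port where no lease was ever observed, which is why static bindings (or ARP ACLs) are needed for hosts with fixed addresses.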
21
Attacks on switch devices
Cisco Discovery Protocol (CDP) manipulation
Information sent through CDP is transmitted in clear text and unauthenticated, so it can be captured and divulge network topology information.
Solution
Disable CDP on all ports where it is not intentionally used.
22
Attacks on switch devices
Secure Shell (SSH) and Telnet attacks
Telnet packets can be read in clear text. SSH is an option but has security issues in version 1.
Solution
SSH version 2
Telnet with virtual type terminal (VTY) ACLs
23
MAC layer attacks
MAC address flooding
Frames with unique, invalid source MAC addresses flood the switch, exhausting content addressable memory (CAM) table space and preventing new entries from valid hosts. Traffic to valid hosts is subsequently flooded out all ports.
Solution
Port security (limit the MAC addresses allowed on a port, or lock the port to specific MAC addresses)
VLAN access maps
24
MAC Layer Attacks
A common Layer 2 (switch) attack "as of this writing"
Launched for the malicious purpose of:
Collecting a broad sample of traffic, or
A denial of service (DoS) attack
25
MAC Layer Attacks
Many switches' CAM tables are limited in size (from 1,024 to over 16,000 entries). Tools such as dsniff can fill the CAM table in just over 1 minute.
26
dsniff: http://www.monkey.org/~dugsong/dsniff/
"dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, , files, etc.)." "arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching)." "sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI." "I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of most network application protocols. Please do not abuse this software."
27
MAC Flooding switches with dsniff
dsniff-2.3]# ./macof
Captured output (one line per forged frame; each is a TCP SYN with random source and destination ports, Len=0, Win=512; the address and sequence fields did not survive extraction):
> TCP D=55934 S=322 Syn Seq= Len=0 Win=512
> TCP D=44686 S=42409 Syn Seq= Len=0 Win=512
> TCP D=59038 S=21289 Syn Seq= Len=0 Win=512
> TCP D=7519 S=34044 Syn Seq= Len=0 Win=512
> TCP D=62807 S=53618 Syn Seq= Len=0 Win=512
> TCP D=23929 S=51034 Syn Seq= Len=0 Win=512
> TCP D=1478 S=56820 Syn Seq= Len=0 Win=512
> TCP D=38433 S=31784 Syn Seq= Len=0 Win=512
> TCP D=42232 S=31424 Syn Seq= Len=0 Win=512
> TCP D=56224 S=34492 Syn Seq= Len=0 Win=512
> TCP D=23840 S=45783 Syn Seq= Len=0 Win=512
> TCP D=3453 S=4112 Syn Seq= Len=0 Win=512
(... further lines of the same form omitted ...)
28
MAC Flooding switches with dsniff
dsniff can generate 150,000+ MAC entries on a switch per minute
It takes about 60 seconds to fill the CAM table
Once the table is full, traffic to any destination without a CAM entry floods across the VLAN
29
MAC Flooding
Once the CAM table is full, new valid entries are not accepted, and the switch must flood frames to those addresses out all ports. This has two adverse effects:
The switch's traffic forwarding is inefficient and voluminous
An intruding device connected to any switch port can capture traffic not normally seen on that port
30
MAC Flooding Attack Example
If the attack is launched before the beginning of the day, the CAM table is already full when the majority of devices are powered on.
Legitimate devices are unable to create CAM table entries as they power on.
The volume of flooded frames is high, because many devices are sending to destinations the switch no longer knows.
If the initial, malicious flood of invalid CAM table entries is a one-time event:
Eventually the switch ages out the older, invalid CAM table entries
New, legitimate devices are then able to create entries in the CAM table
Traffic flooding ceases
The intruder may never be detected (the network seems normal again)
31
Suggested Mitigation for MAC Flood Attacks
Port Security
Port security restricts port access by MAC address: it limits how many MAC addresses (or which specific ones) a port may learn, and takes a configured violation action (for example shutting the port down) when the limit is exceeded.
Rick Graziani
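The following added example (written for this page; not from the slides, dsniff, or any switch vendor) replays the attack timeline above against a toy switch: a small CAM table, a macof-style flood of random source MACs from one port, and then a legitimate host powering on afterwards. It runs the same scenario with and without a per-port MAC limit. The port names, the 1,024-entry table and the attacker's frame count are constructed; a real switch hashes entries into buckets and ages them out, which this model omits.

```python
# Added example (not from the slides): a toy switch CAM table under a
# macof-style flood, with and without port security. Port names and
# table size are constructed; a real switch hashes entries and ages them out.
import random


class CamSwitch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.max_macs = max_macs_per_port      # None = port security off
        self.cam = {}                          # mac -> port
        self.per_port = {p: set() for p in self.ports}
        self.err_disabled = set()

    def learn(self, src_mac, in_port):
        """Source-MAC learning; returns what happened to the frame."""
        if in_port in self.err_disabled:
            return "dropped"                   # port shut down by an earlier violation
        if src_mac in self.cam:
            return "learned"
        if (self.max_macs is not None
                and len(self.per_port[in_port]) >= self.max_macs):
            self.err_disabled.add(in_port)     # violation mode "shutdown"
            return "violation"
        if len(self.cam) >= self.cam_size:
            return "cam-full"                  # no room: frame forwarded but nothing learned
        self.cam[src_mac] = in_port
        self.per_port[in_port].add(src_mac)
        return "learned"

    def egress_ports(self, dst_mac, in_port):
        """Known destination: one port. Unknown destination: flooded to every active port."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


def macof(switch, attacker_port, frames, seed=7):
    """Send `frames` frames, each with a random locally-administered source MAC."""
    rng = random.Random(seed)
    outcome = {}
    for _ in range(frames):
        mac = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        result = switch.learn(mac, attacker_port)
        outcome[result] = outcome.get(result, 0) + 1
    return outcome


def run_scenario(port_security):
    ports = ["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"]
    sw = CamSwitch(ports, cam_size=1024, max_macs_per_port=2 if port_security else None)
    host_a, host_b, host_c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    sw.learn(host_a, "Gi0/1")                    # hosts already on the network
    sw.learn(host_b, "Gi0/2")
    attack = macof(sw, "Gi0/3", frames=2000)     # attacker on Gi0/3, "before the day starts"
    c_result = sw.learn(host_c, "Gi0/4")         # host C powers on afterwards
    return {
        "attack": attack,
        "cam_entries": len(sw.cam),
        "c_learned": c_result,
        "b_to_c": sw.egress_ports(host_c, "Gi0/2"),   # where does B's traffic to C go?
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print("port security on" if enabled else "port security off", run_scenario(enabled))
```

Without port security the table fills, host C cannot be learned, and B's frames to C are flooded out every port, the attacker's included. With a two-address limit the attacker's third forged MAC err-disables Gi0/3, the table stays at a handful of entries, and B's traffic to C is delivered only to Gi0/4.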
32
Table 6-2 Protecting the switch
33
Standard Network Devices (cont’d.)
Routers
Forward packets across computer networks
Operate at the Network Layer (Layer 3)
Can be configured to filter out specific types of network traffic
34
Network Security Hardware
Hardware devices specifically designed for security
Provide greater protection than standard networking devices
35
Standard Network Devices (cont’d.)
Load balancers
Help evenly distribute work across a network
Allocate requests among multiple devices
36
Standard Network Devices (cont’d.)
Load balancers
Advantages of load-balancing technology:
Reduces the probability of overloading a single server
Optimizes the bandwidth of network computers
Reduces network downtime
Load balancing is achieved through software or a hardware device (load balancer)
37
Standard Network Devices (cont’d.)
Security advantages of load balancing
Because load balancers generally sit between the routers and the servers, they can detect and stop attacks directed at a server or application
A load balancer can detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server
Some can deny attackers information about the network:
Hide HTTP error pages
Remove server identification headers from HTTP responses
38
Network Security Hardware
Firewalls
A hardware-based network firewall inspects packets and either accepts or denies each one
Usually located outside the network security perimeter
39
Firewall
Typically used to inspect and filter packets; sometimes called a packet filter
Designed to prevent malicious packets from entering the network
A firewall can be software-based or hardware-based
Hardware firewalls are usually located outside the network security perimeter, as the first line of defense
40
Example Firewall Network Diagram
41
Firewall (continued)
The basis of a firewall is a rule base, which establishes what action the firewall takes when it receives a packet (allow, block, or prompt)
Stateless packet filtering
Looks at the incoming packet and permits or denies it based strictly on the rule base
Stateful packet filtering
Keeps a record of the state of each connection between an internal computer and an external server
Then makes decisions based on the connection state as well as the rule base
42
Stateless Firewall Rules
Table 6-3 Rule for Web page transmission
43
Stateful Firewall Rules
Figure: stateful rule example; the connection entry carries State = Established
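The difference between the two filtering modes is easiest to see with the classic "return traffic" rule. This added example (written for this page, not the textbook's table) applies one small rule base first statelessly and then statefully. Addresses are constructed: 10.0.0.0/8 is the inside, documentation ranges play the Internet, and the rule rows follow the idea of Table 6-3 rather than its exact contents.

```python
# Added example (not from the slides): the same rule base applied
# statelessly and statefully. Addresses are constructed (10.0.0.0/8
# inside, documentation ranges outside); the rule layout follows the
# idea of Table 6-3, not its exact rows.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from inside)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# (direction, proto, src_port, dst_port, action); "any" is a wildcard.
RULE_BASE = [
    ("out", "tcp", "any", 80, "allow"),     # inside clients may browse the web
    ("in",  "tcp", 80, "any", "allow"),     # ...and a stateless filter needs this to let replies back
    ("any", "any", "any", "any", "block"),  # default deny
]


def _match(rule, pkt):
    direction, proto, sp, dp, _action = rule
    return (direction in ("any", pkt.direction) and proto in ("any", pkt.proto)
            and sp in ("any", pkt.src_port) and dp in ("any", pkt.dst_port))


def stateless_decide(pkt):
    """First matching rule wins; nothing is remembered between packets."""
    for rule in RULE_BASE:
        if _match(rule, pkt):
            return rule[4]
    return "block"


class StatefulFirewall:
    """Remembers connections opened from inside; inbound packets must belong to one."""

    def __init__(self):
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port) = established

    def decide(self, pkt):
        if pkt.direction == "out":
            if stateless_decide(pkt) == "allow":
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "block"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.table else "block"


def demo():
    fw = StatefulFirewall()
    request = Packet("out", "tcp", "10.0.0.5", 49152, "203.0.113.10", 80)
    reply   = Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 49152)
    # Attacker sources from port 80 so the packet looks like a web reply, but aims at SMB.
    forged  = Packet("in",  "tcp", "198.51.100.7", 80, "10.0.0.5", 445)
    return {
        "stateless": [stateless_decide(p) for p in (request, reply, forged)],
        "stateful":  [fw.decide(p) for p in (request, reply, forged)],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter must admit any packet from source port 80 to get replies through, and the forged packet rides in on that rule; the stateful filter admits the genuine reply because it matches an established entry and blocks the forged one because nothing inside ever opened a connection to 198.51.100.7.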
44
Inbound and Outbound Traffic Filtering
Most personal software firewalls today filter outbound traffic as well as inbound traffic
Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading
The cost is a stream of prompts that users find annoying and tend to click through
45
Application-Aware Firewalls
Application-aware firewall (next-generation firewall, NGFW)
A more "intelligent" firewall that operates at a higher level
Identifies the application that is sending packets through the firewall and makes decisions about that application, instead of relying only on granular rule settings such as destination port or protocol
46
Application-Aware Firewalls
Web application firewall (WAF)
A special type of application-aware firewall that inspects application traffic such as HTTP
Can block specific sites or specific known attacks
Can block cross-site scripting (XSS) and SQL injection attacks
47
Network Security Hardware (cont’d.)
Proxies
Devices that substitute for primary devices
Proxy server: a computer or application that intercepts and processes user requests
If a previous request has been fulfilled, a copy of the Web page may reside in the proxy server's cache
If not, the proxy server requests the item from the external Web server using its own IP address
48
Network Security Hardware (cont’d.)
Application-aware proxy
A special proxy server that "knows" the application protocols it supports
Example: an FTP proxy server implements the FTP protocol
49
Proxy Server (figure)
Client: "I want to see yahoo.com"
Proxy: "I will get yahoo.com from the Internet and save a copy"
Proxy to client: "Here is my copy of yahoo.com"
50
Proxy Server
Clients never connect directly to the Internet
This saves bandwidth, because one copy of a popular Web page can be served many times
Allows a company to block forbidden Web sites
It also prevents many attacks the same way NAT does: outsiders see only the proxy, never the client
Can also be used to hide a user's location and IP address, which is a benefit or a problem depending on who is hiding
Reverse proxy
Does not serve clients but instead routes incoming requests to the correct server
51
Configuring access to proxy servers
52
Web Based Proxies
53
Network Security Hardware (cont’d.)
Proxy server advantages
Increased speed (requests served from the cache)
Reduced costs (the cache reduces the bandwidth required)
Improved management (block specific Web pages or sites)
Stronger security (intercept malware; hide the client system's IP address from the open Internet)
54
Network Security Hardware (cont’d.)
Reverse proxy
Does not serve clients; routes incoming requests to the correct server
The reverse proxy's IP address is visible to outside users
The internal server's IP address stays hidden
55
Reverse Proxy Connect to Web server 1
56
Network Security Hardware (cont’d.)
Spam filters
Enterprise-wide spam filters block spam before it reaches the host systems
E-mail uses three main protocols:
Simple Mail Transfer Protocol (SMTP): handles transferring outgoing mail between servers
Post Office Protocol (POP): lets a client retrieve incoming mail from its mailbox
Internet Message Access Protocol (IMAP): also retrieves incoming mail, with the messages kept on the server
57
Network Security Hardware (cont’d.)
Spam filter installed with the SMTP server
The filter is configured to listen on port 25
Non-spam is passed to the SMTP server listening on another port
This method prevents the SMTP server from notifying the spammer of failed message delivery
58
Network Security Hardware (cont’d.)
Spam filters installed on the mail servers
All spam must first pass through the SMTP server and be delivered to the user's mailbox
Can result in increased costs: storage, transmission, backup, deletion
59
Network Security Hardware (cont’d.)
Third-party entity contracted to filter spam
All mail is directed to the third party's remote spam filter and cleansed before being redirected to the organization
61
Internet Content Filters
Monitor Internet traffic and block access to preselected Web sites and files
A requested Web page is displayed only if it complies with the specified filters
Unapproved Web sites can be restricted by Uniform Resource Locator (URL filtering) or by matching keywords
Inspect traffic for malware (malware inspection)
62
Table 6-4 Internet content filter features
63
Network Security Hardware (cont’d.)
Web security gateways
Can block malicious content in real time
Block content through application-level filtering
Examples of blocked Web traffic:
ActiveX objects
Adware, spyware
Peer-to-peer file sharing
Script exploits
TCP/IP malicious code attacks
64
Network Security Hardware (cont’d.)
Passive and active security can be used in a network
Active measures provide a higher level of security
Passive measures (apply fixed rules to traffic): firewall, Internet content filter
Active measures: can detect and block attacks as they occur
65
Network Security Hardware (cont’d.)
Monitoring methodologies
Anomaly-based monitoring: compares currently detected behavior with a baseline
Signature-based monitoring: looks for well-known attack signature patterns
Behavior-based monitoring: detects abnormal actions by processes or programs, and alerts the user, who decides whether to allow or block the activity
Heuristic monitoring: uses experience-based techniques
66
Table 6-5 Methodology comparisons to trap port-scanning application
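Table 6-5 contrasts how the methodologies fare against a port-scanning application. The added example below (written for this page; not from the textbook) runs a signature-based check and an anomaly-based check over a constructed connection log containing three different scans, so the reader can see which one each method catches and which neither does. The log lines, addresses, window size and baseline are all constructed.

```python
# Added example (not from the slides): signature-based and anomaly-based
# detection run over a constructed connection log, to show which port
# scans each methodology catches. Addresses, timestamps and thresholds
# are constructed.
from collections import defaultdict

# (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags): constructed sample log
SAMPLE_LOG = [
    (0, "10.0.0.5", "10.0.0.20", 443, "S"),      # a normal user
    (1, "10.0.0.5", "10.0.0.20", 80, "S"),
]
# fast SYN scan from 10.0.0.66: ordinary-looking flags, eight ports in eight seconds
SAMPLE_LOG += [(2 + i, "10.0.0.66", "10.0.0.20", p, "S")
               for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443])]
# Xmas scan from 10.0.0.77: only two ports, but an impossible flag combination
SAMPLE_LOG += [(12, "10.0.0.77", "10.0.0.20", 22, "FPU"),
               (13, "10.0.0.77", "10.0.0.20", 80, "FPU")]
# slow SYN scan from 10.0.0.88: one port every 15 seconds
SAMPLE_LOG += [(20 + 15 * i, "10.0.0.88", "10.0.0.20", p, "S")
               for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443])]

# Known scanner fingerprints: Xmas (FIN+PSH+URG), FIN-only and NULL probes
SCAN_FLAG_SIGNATURES = {frozenset("FPU"), frozenset("F"), frozenset()}


def signature_based(log):
    """Match each packet against known scan patterns; no memory between packets."""
    return [(ts, src, "scan-flags") for ts, src, _dst, _port, flags in log
            if frozenset(flags) in SCAN_FLAG_SIGNATURES]


def anomaly_based(log, window_s=10, baseline_ports=5):
    """Flag a source that touches more distinct ports on one host, per window, than the baseline."""
    ports_seen = defaultdict(set)
    alerted, hits = set(), []
    for ts, src, dst, port, _flags in log:
        key = (src, dst, ts // window_s)
        ports_seen[key].add(port)
        if len(ports_seen[key]) > baseline_ports and key not in alerted:
            alerted.add(key)
            hits.append((ts, src, "port-count-anomaly"))
    return hits


def detected_sources(log):
    return {"signature": sorted({h[1] for h in signature_based(log)}),
            "anomaly":   sorted({h[1] for h in anomaly_based(log)})}


if __name__ == "__main__":
    print(detected_sources(SAMPLE_LOG))
```

The signature check catches the Xmas scan and nothing else; the anomaly check catches the fast SYN scan, which carries nothing unusual packet by packet, and misses the Xmas scan because two ports sit under the baseline. The slow scanner evades both, which is the gap that heuristic or longer-window correlation is meant to close.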
67
Network Security Hardware (cont’d.)
Intrusion detection system (IDS)
An active security measure
Can detect an attack as it occurs
68
Network Security Hardware (cont’d.)
Host intrusion detection system (HIDS)
A software-based application that can detect attacks as they occur
Installed on each system needing protection
Monitors:
System calls
File system access and modifications
Registry settings and modifications
Host input and output communications
Anomalous activity
69
Network Security Hardware (cont’d.)
Disadvantages of HIDS
Cannot monitor network traffic that does not reach the local system
All log data is stored locally
Resource-intensive and can slow the system
70
Network Security Hardware (cont’d.)
Network intrusion detection system (NIDS)
Watches for attacks on the network
NIDS sensors installed on firewalls and routers gather information and report back to a central device
A passive NIDS will sound an alarm
An active NIDS will sound an alarm and take action, such as filtering out the intruder's IP address or terminating the TCP session
71
Table 6-6 NIDS evaluation techniques
72
Host Intrusion Prevention Systems (HIPS)
Installed on each system that needs to be protected
Rely on agents installed directly on the system being protected
Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks
73
Network Security Hardware (cont’d.)
Network intrusion prevention system (NIPS)
Similar to an active NIDS
Monitors network traffic to immediately block a malicious attack
NIPS sensors are located in line, on the firewall itself
A typical IPS response is to block all incoming traffic on a specific port
74
NIDS vs. NIPS
The major difference between a NIDS and a NIPS is location:
A NIDS has sensors that monitor traffic entering and leaving the firewall and report back to a central device for analysis
A NIPS is located "in line" on the firewall itself, so it can act more quickly to block an attack
Application-aware IPS: knows which applications and operating systems are in use, so it can decide with a higher degree of accuracy
75
Unified Threat Management (UTM) Security Appliances
Because each type of network security hardware provides a different defense, a network may require multiple devices for comprehensive protection
Managing multiple devices is cumbersome
Unified Threat Management (UTM): a security product that combines several security functions in one appliance
76
UTM Functions
Antispam and antiphishing
Antivirus and antispyware
Bandwidth optimization
Content filtering
Encryption
Firewall
Instant messaging control
Intrusion protection
Web filtering
77
Security Through Network Technologies
Network technologies can also help to secure the network
Two technologies:
Network address translation
Network access control
78
Network Address Translation (NAT)
Hides the IP addresses of network devices from attackers
Private addresses
IP addresses not assigned to any specific user or organization
Function as regular IP addresses on an internal network
Non-routable addresses: traffic addressed to private addresses is discarded by Internet routers
Table 6-7 Private IP addresses
79
Network Address Translation (NAT)
NAT removes the private IP address from the sender's packet and replaces it with an alias IP address
When a packet is returned to the NAT device, the process is reversed
An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender
80
Network Address Translation (NAT) cont’d
Allows devices with private IP addresses to communicate over the public Internet
Replaces the private IP address with a public address
Port address translation (PAT)
A variation of NAT
Outgoing packets from different inside hosts are given the same public IP address but different source port numbers, so the replies can be told apart
81
Network Address Translation (NAT)
Figure: private IP addresses on the inside are mapped one for one to public IP addresses by the address translation device (address values not preserved)
82
NAT with PAT (figure)
Inside web browsers such as 192.168.1.101 using ports 1100 and 1102, and a second host also using port 1100, are all translated to one public address; address translation assigns each inside address:port pair its own public port (2100, 2101, 2102), and the reply to port 2100 is mapped back to 192.168.1.101 port 1100
83
Network Address Translation (NAT) cont’d
Figure 6-9 Network address translation (NAT) © Cengage Learning 2012
84
Network Address Translation (NAT) cont’d
Advantages of NAT
Masks the IP addresses of internal devices
Allows multiple devices to share a smaller number of public IP addresses
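As an added example (written for this page, not from the textbook), here is a minimal PAT table that reproduces the NAT-with-PAT figure: several inside address:port pairs share one public address, replies are mapped back, and an unsolicited inbound packet with no mapping is dropped, which is the protective side effect the slides mention. The RFC 1918 check is the content of Table 6-7 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The public address 203.0.113.1, the client addresses and the starting public port 2100 are constructed; a production translator keys its table on the full 5-tuple, while this model keys on the inside address and port only.

```python
# Added example (not from the slides): a PAT table keyed on the inside
# address and port, plus the RFC 1918 check behind Table 6-7. The
# public address 203.0.113.1 and client addresses are constructed.
import ipaddress
from itertools import count

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the private ranges that Internet routers will not route."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class PatGateway:
    def __init__(self, public_ip, first_port=2100):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; allocate a public port on first use."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not an inside address")
        key = (src_ip, src_port)
        if key not in self.out_map:
            pub_port = next(self.ports)
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse the rewrite for a reply; anything without a mapping is dropped (None)."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    gw = PatGateway("203.0.113.1")
    out1 = gw.outbound("192.168.1.101", 1100, "198.51.100.20", 80)
    out2 = gw.outbound("192.168.1.102", 1100, "198.51.100.20", 80)    # same inside port, other host
    out3 = gw.outbound("192.168.1.101", 1102, "198.51.100.20", 443)
    reply = gw.inbound("198.51.100.20", 80, "203.0.113.1", 2101)      # web server answers host .102
    probe = gw.inbound("198.51.100.66", 40000, "203.0.113.1", 3389)   # unsolicited scan: no mapping
    return {"out": [out1, out2, out3], "reply": reply, "probe": probe}


if __name__ == "__main__":
    print(demo())
```

Two hosts using the same inside port 1100 get distinct public ports, which is exactly what plain NAT without port translation cannot do with a single public address.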
85
Network Access Control (NAC)
Examines a computer before it is allowed to connect to the network
Each computer must first meet the security policy, for example:
Windows patches up to date
Antivirus software installed and current
Antispyware software installed and current
Any device that does not meet the policy is allowed to connect only to a "quarantine" network, where the security deficiencies are corrected
86
Figure 6-10 Network access control framework
© Cengage Learning 2012
87
NAC Environment
88
Security Through Network Design Elements
Elements of a secure network design:
Demilitarized zones
Subnetting
Virtual LANs
Remote access
89
Demilitarized Zone (DMZ)
A separate network located outside the secure network perimeter
Untrusted outside users can access the DMZ but not the secure network
90
Figure 6-11 DMZ with one firewall
© Cengage Learning 2012
91
Figure 6-12 DMZ with two firewalls
© Cengage Learning 2012
92
Subnetting
Subnetting, or subnet addressing, splits a large block of IP addresses into smaller groups
An IPv4 address may be split anywhere within its 32 bits
The address is then read in three parts: network, subnet, and host
Each network can contain several subnets, and each subnet can contain multiple hosts
93
Subnetting (cont'd.)
Improves network security by isolating groups of hosts
Allows administrators to hide the internal network layout
94
Image from Cisco CCNA Class 1
95
Subnetting Example (image from Cisco CCNA class 1, modified)
The whole company holds one /16 block; the main office is one /24 within it and the remote site another /24 (the address ranges shown on the slide were not preserved)
96
Figure 6-13 Subnets © Cengage Learning 2012
97
Table 6-8 Advantages of subnetting
98
Subnets Improve Security
Each subnet can be isolated from the rest of the network
Traffic between subnets can be monitored and restricted at the routers
Subnets also allow network administrators to hide the internal network layout
Outsiders see only your public servers, not your private subnets
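The subnet arithmetic and the "restricted at the routers" point can be checked with the standard library. This added example (written for this page; the 10.1.0.0/16 plan and the ACL rows are constructed because the slide's own addresses did not survive) splits a /16 into /24s, classifies hosts into subnets, and applies a router ACL only to flows that cross a subnet boundary. The caveat it makes visible: hosts in the same subnet are switched directly, so the router ACL never sees that traffic.

```python
# Added example (not from the slides): subnet membership and a router ACL
# between subnets, using Python's ipaddress module. The 10.1.0.0/16 plan
# and the ACL rows are constructed.
import ipaddress

COMPANY = ipaddress.ip_network("10.1.0.0/16")
SUBNETS = {
    "main-office": ipaddress.ip_network("10.1.1.0/24"),
    "remote-site": ipaddress.ip_network("10.1.2.0/24"),
    "servers":     ipaddress.ip_network("10.1.3.0/24"),
}
# Router ACL: permitted (src_subnet, dst_subnet, dst_port) triples; everything else is denied.
ACL = {
    ("main-office", "servers", 443),
    ("remote-site", "servers", 443),
    ("main-office", "servers", 22),
}


def split_company(new_prefix=24):
    """How many subnets of the given size the company block yields, and usable hosts per subnet."""
    subnets = list(COMPANY.subnets(new_prefix=new_prefix))
    return len(subnets), subnets[0].num_addresses - 2   # minus network and broadcast


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def forward(src_ip, dst_ip, dst_port):
    """Same subnet: switched at Layer 2, the router ACL never sees it. Different subnets: the ACL decides."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src is None or dst is None:
        return "no-route"
    if src == dst:
        return "switched"
    return "permit" if (src, dst, dst_port) in ACL else "deny"


if __name__ == "__main__":
    print(split_company())
    for flow in [("10.1.1.10", "10.1.3.10", 443), ("10.1.2.10", "10.1.3.10", 22),
                 ("10.1.1.10", "10.1.1.20", 445), ("10.1.2.10", "10.1.1.10", 443)]:
        print(flow, forward(*flow))
```

Note that the remote site cannot reach the main office at all under this ACL, while two workstations in the main office can talk on port 445 with no policy applied; splitting a subnet further, or using private VLANs as the later slides describe, is how that last case gets controlled.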
99
Virtual LANs (VLANs)
VLANs segment a network with switches, not routers
Allow scattered users to be logically grouped together even if they are attached to different switches
VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN
Image from Cisco CCNA Switching class
100
VLAN Security
VLAN communication can take place in two ways:
All devices are connected to the same switch, and the traffic is handled by the switch itself
Devices are connected to different switches, and a "tagging" protocol such as IEEE 802.1Q (dot1q) must be used between them
A VLAN is heavily dependent on the switch correctly directing frames
Attackers could take control of the switch itself if it has a default or weak password
Specially crafted traffic can also "hop" from one VLAN to another
101
Separation of machines into their own unique VLAN with trunks
102
VLAN attacks (Discussed in CCNP)
VLAN hopping
By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures.
Solution
Tighten up trunk configurations and the negotiation state of unused ports
Limit the VLANs carried across trunk ports
Place unused ports in a common, unused VLAN
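The double-tagging form of VLAN hopping is worth seeing at the byte level. The added example below (written for this page, not from the slides or Cisco material) builds an Ethernet frame with two stacked 802.1Q tags and pushes it through a two-switch model: an access port on switch A, a trunk between A and B, and B's trunk ingress. It then shows why the standard fixes work, namely moving the native VLAN to an unused ID or tagging the native VLAN on the trunk. MAC addresses, VLAN numbers and the assumption that an access port accepts and strips a tag equal to its own VLAN are constructed for the model.

```python
# Added example (not from the slides): the double-tagging form of VLAN
# hopping on the wire, and why moving or tagging the native VLAN stops
# it. MAC addresses, VLAN numbers and port roles are constructed.
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(dst_mac, src_mac, vlans, payload=b"\x45" + b"\x00" * 19):
    """Ethernet II frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlans)
    return hdr + tags + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame):
    """Return the VLAN IDs in the tag stack (TPID 0x8100, 12-bit VID, outermost first)."""
    vlans, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans


def access_ingress(frame, access_vlan):
    """Switch A, access port: untagged frames join the port's VLAN; a tag equal to that
    VLAN is accepted and stripped (assumption for this model); any other tag is dropped."""
    vlans = parse_tags(frame)
    if not vlans:
        return access_vlan, frame
    if vlans[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]     # remove the outer 4-byte tag
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch A, trunk port: tag the frame with its VLAN, except that the native VLAN
    goes untagged unless native tagging is enabled."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch B, trunk port: the outermost tag decides the VLAN; untagged means native."""
    vlans = parse_tags(frame)
    return vlans[0] if vlans else native_vlan


def double_tag_attack(attacker_vlan, victim_vlan, native_vlan, tag_native=False):
    """Return the VLAN into which switch B delivers the attacker's double-tagged frame."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", [attacker_vlan, victim_vlan])
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_trunk = trunk_egress(vlan, frame, native_vlan, tag_native)
    return trunk_ingress(on_trunk, native_vlan)


if __name__ == "__main__":
    print("native=1:", double_tag_attack(1, 20, native_vlan=1))
    print("native=999:", double_tag_attack(1, 20, native_vlan=999))
    print("native=1, tagged:", double_tag_attack(1, 20, native_vlan=1, tag_native=True))
```

With the attacker's port in the native VLAN, switch A strips the outer tag and sends the frame untagged over the trunk, so the attacker's inner tag is the first one switch B sees and the frame lands in VLAN 20. Once the native VLAN is an ID nobody is assigned to, or the native VLAN is tagged on the trunk, switch A prepends its own tag and B keeps the frame in VLAN 1. The attack is one-way, which is why it is used for injection rather than interception.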
103
VLAN attacks (Discussed in CCNP)
Attacks between devices on a common VLAN
Devices may need protection from one another even though they are on a common VLAN. This is especially true on service provider segments supporting devices from multiple customers.
Solution
Private VLANs (PVLANs)
104
Remote Workers
Working away from the office is commonplace today:
Telecommuters
Traveling sales representatives
Traveling workers
Strong security for remote workers must be maintained, because their transmissions are routed through networks not managed by the organization
105
Remote Access
Remote access: any combination of hardware and software that enables remote users to access the local internal network
Provides remote users with the same access and functionality as local users, through a VPN or dial-up connection
The service supports the remote connection and logon, then presents the same network interface as the normal network
106
VPN
Virtual private network (VPN): uses an unsecured network as if it were secure
All data transmitted between the remote device and the network is encrypted
Types of VPNs:
Remote-access: user-to-LAN connection
Site-to-site: multiple sites connect to one another over the Internet
107
VPN cont'd
Endpoints: the devices used in communicating VPN transmissions
Software on the local computer
VPN concentrator (hardware device)
Integrated into another networking device
VPNs can be software-based or hardware-based
Hardware-based VPNs generally have better security
Software-based VPNs have more flexibility in managing network traffic
108
VPN cont’d
109
Summary
Standard network devices provide a degree of security: hubs, switches, routers, load balancers
Hardware devices specifically designed for security give a higher level of protection: hardware-based firewalls, Web application firewalls
A proxy server intercepts and processes user requests
A virtual private network uses an unsecured public network plus encryption to provide security
110
Summary (cont'd.)
An intrusion detection system is designed to detect an attack as it occurs
Network technologies can help secure a network: network address translation, network access control
Methods for designing a secure network: demilitarized zones, virtual LANs