
CIST 1601 Information Security Fundamentals



  1. CIST 1601 Information Security Fundamentals Chapter 3 Infrastructure and Connectivity Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College

  2. Understanding Infrastructure Security

  Infrastructure security deals with the most basic aspect of how information flows and how work occurs in your network and systems. This includes servers, networks, network devices, workstations, and the processes in place to facilitate work. Your network is composed of a variety of media and devices that both facilitate communications and provide security. Some of these devices (such as routers, modems, and PBX systems) provide external connectivity from your network to other systems and networks. Some of the devices (such as CD-Rs, disks, USB thumb drives, and tape) provide both internal archival storage and working storage for your systems. Networks are tied together using the Internet and other network technologies, thereby making them vulnerable to any number of attacks.

  To provide reasonable security, you must know how these devices work and how they provide, or fail to provide, security. Each time you add a device, change configurations, or switch technologies, you’re potentially altering the fundamental security capabilities of your network. The job of a security professional is to eliminate the obvious threats, to anticipate how the next creative assault on your infrastructure might occur, and to be prepared to neutralize it before it happens. A network is no more secure than its weakest node.

  3. Working with Hardware Components

  Network hardware components include physical devices such as routers, servers, firewalls, workstations, and switches. From a security perspective you must evaluate your network from the standpoint of each and every device within it. It cannot be overstated: the complexity of most networks makes securing them extremely complicated. To provide reasonable security, you must evaluate every device to determine its unique strengths and vulnerabilities.

  Network Separation (2:52)

  Figure: This network has Internet connections. Internet connections expose your network to the highest number of external threats. These threats can come from virtually any location worldwide.

  4. Working with Software Components

  Hardware exists to run software. The software is intended to make the hardware components easy to configure and easy to support; however, that software can also make the hardware easy to bypass. Network infrastructure includes servers and workstations running operating systems, routers, firewalls, and dedicated devices that have their own communications and control programs. This situation leaves networks open to attacks and security problems because many of these systems work independently.

  Many larger organizations have built a single area for network monitoring and administrative control of systems called a Network Operations Center (NOC). This centralization lets you see a larger overall picture of the network, and it lets you take actions on multiple systems or network resources if an attack is under way. Using a NOC makes it easier to see how an attack develops and to provide countermeasures. NOCs are expensive and require a great deal of support: factors beyond the economy or scale of all but the largest businesses. After a NOC is developed and implemented, it must be constantly evaluated and changed as needed.

  5. Understanding the Different Network Infrastructure Devices - Firewalls

  Firewalls, Routers, and Switches (7:47)
  All-in-one Security Appliances and Spam Filters (2:36)

  A firewall is a component placed on computers and networks to help eliminate undesired access by the outside world. It can be composed of hardware, software, or a combination of both. Firewalls are the front line defense devices for networks that are connected to the Internet. A firewall protects hosts on an internal private network from attackers on an external public network by:
  - Packet filtering
  - Port filtering
  - IP address filtering

  A software firewall is a program that runs within an OS, such as Linux, Unix, or Windows. With a software firewall, adding interfaces is as easy as adding and configuring another NIC. It is easier to make configuration errors in a software firewall.

  A hardware firewall is also referred to as an appliance firewall. Appliance firewalls are often designed as stand-alone black box solutions that can be plugged in to a network and operated with minimal configuration and maintenance. A hardware firewall is purchased with a fixed number of interfaces available. Hardware firewalls outperform and generally provide increased security over software firewalls.

  6. Packet Filter Firewalls

  Firewall Rules (7:57)

  A packet-filtering firewall is typically a router and operates at the Network layer of the OSI model. A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination. A packet-filtering firewall only examines the packet header information, not the data or payload. Packet filters examine each incoming (and usually outgoing) packet, then pass or discard it based on these packet header fields:
  - Source and destination IP address
  - Specified port numbers
  - Specific protocols (TCP, UDP, ICMP)

  Packet-filtering solutions are generally considered less-secure firewalls because they still allow packets inside the network, regardless of the communication pattern within the session. The packet-filtering firewall provides high performance.

  7. Proxy Firewalls

  Proxy firewalls serve as go-betweens for the network and the Internet by processing requests received from external networks and reprocessing them for use internally. This type of firewall has a set of rules that the packets must pass to get in or out. The primary security feature of a proxy firewall is that it hides the client information. It can be used to hide the internal addresses from the outside world through Network Address Translation (NAT), which does not allow the computers on the network to directly access the Internet. NAT hides a packet’s IP address before sending it through another network. The proxy is the only computer on the network that communicates with mistrusted computers. If the organization is using the proxy server for both Internet connectivity and web content caching, the proxy server should be placed between the internal network and the Internet, with access for users who are requesting the web content. A proxy-based firewall provides greater network isolation than a stateful firewall.

  Figure: A proxy firewall blocking network access from external networks

  8. Proxy Firewalls

  Web Application Firewalls (3:05)

  An application firewall is typically integrated into another type of firewall to filter traffic that is traveling at the Application layer of the OSI model. The proxy function can occur at either the application level or the circuit level. An application firewall creates a virtual circuit between the firewall clients. Each protocol has its own dedicated portion of the firewall that is concerned only with how to properly filter that protocol’s data. This type of server is advanced and must know the rules and capabilities of the protocol used. A unique application-level proxy server must exist for each protocol supported. Unlike a circuit-level firewall, an application-level firewall does not examine the IP address and port of the data packet. An application-level proxy firewall is the most detrimental to network performance because it requires more processing per packet.

  9. Proxy Firewalls

  A proxy firewall typically uses two network interface cards (NICs). This type of firewall is referred to as a dual-homed firewall. Dual-homed computers have two NICs installed, each connected to a separate network. A dual-homed firewall has two network interfaces: one interface connects to the public network, usually the Internet, and the other connects to the private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs.

  Figure: A dual-homed firewall segregating two networks from each other

  10. Stateful Inspection Firewalls

  Stateful inspection is also referred to as stateful packet filtering. A stateful-inspection firewall, a combination of all types of firewalls, is suited for main perimeter security. Stateful-inspection firewalls can thwart port scanning by closing off ports until a connection to the specific port is requested. Stateful-inspection firewalls work at the Network layer to provide an additional layer of security and also monitor the state of each connection. Most of the devices used in networks don’t keep track of how information is routed or used. After a packet is passed, the packet and path are forgotten. In stateful packet filtering, records are kept using a state table that tracks every communications channel. Stateful inspection provides additional security, especially with connectionless protocols such as UDP and ICMP. Denial-of-service (DoS) attacks present a challenge because flooding techniques are used to overload the state table and effectively cause the firewall to shut down or reboot. Stateful and circuit-level proxy firewalls, while slower than packet-filtering firewalls, offer better performance than application-level firewalls.
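  The contrast drawn in slides 6 and 10 (a packet filter judges each packet by its header fields alone, while stateful inspection keeps a state table of conversations) can be seen in a few dozen lines. This is an added example written for these notes, not code from the course or from any firewall product: the rule set, the private network 10.0.0.0/24, the packet samples, and the state-table size limit are all constructed for illustration.

```python
"""Added example (not course material): a stateless packet filter beside a
stateful-inspection filter. To let web replies back in, the stateless filter
must open the inside hosts' high ports to everyone; the stateful filter keeps
a state table of conversations the inside opened and admits inbound packets
only as replies to them. All addresses, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" = public to private, "out" = private to public


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination-port range
    direction: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dports is None
                     or self.dports[0] <= pkt.dport <= self.dports[1])
                and (self.direction == "any" or self.direction == pkt.direction))


class PacketFilter:
    """Stateless packet filter: first matching rule wins, default deny.
    It never looks at the payload and remembers nothing about earlier packets."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Stateful inspection: the same rules plus a state table keyed on the
    5-tuple of each allowed outbound conversation. An inbound packet that is
    the mirror image of a table entry is a reply and is admitted; anything
    else must earn its way in through the rules."""

    def __init__(self, rules: List[Rule], max_entries: int = 1000) -> None:
        super().__init__(rules)
        self.state: Dict[tuple, int] = {}
        # bounded table: a flood of new flows is refused rather than allowed
        # to exhaust memory and take the firewall down (the DoS case in slide 10)
        self.max_entries = max_entries

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if super().decide(pkt) != "allow":
                return "deny"
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.state and len(self.state) >= self.max_entries:
                return "deny"            # table full: no new connections
            self.state[key] = self.state.get(key, 0) + 1
            return "allow"
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_key in self.state:
            return "allow"               # reply to a conversation we opened
        return super().decide(pkt)


PRIVATE = "10.0.0.0/24"   # constructed private network

STATELESS_RULES = [
    Rule("allow", proto="tcp", src=PRIVATE, dports=(80, 80), direction="out"),
    # no memory of the outbound request, so replies can only be admitted by
    # opening every high port of every inside host to every outside address
    Rule("allow", proto="tcp", dst=PRIVATE, dports=(1024, 65535), direction="in"),
]
STATEFUL_RULES = [
    Rule("allow", proto="tcp", src=PRIVATE, dports=(80, 80), direction="out"),
]


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for three constructed packets."""
    packets = {
        "request": Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "out"),
        "reply":   Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "in"),
        # unsolicited inbound packet to a high port: nobody inside asked for it
        "probe":   Packet("tcp", "198.51.100.7", 3333, "10.0.0.5", 4444, "in"),
    }
    stateless, stateful = PacketFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {n: (stateless.decide(p), stateful.decide(p)) for n, p in packets.items()}
```

  The stateless filter admits the probe because its header matches the high-port rule; the stateful filter denies it because no inside host opened that conversation.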

  11. Firewalls and DMZs

  Firewalls can be used to create demilitarized zones (DMZs). A DMZ is a network segment placed between an internal (private) network and an external (public) network, such as the Internet. Typically, either one or two firewalls are used to create a DMZ. A DMZ implemented with one firewall connected to a public network, a private network, and a DMZ segment is cheaper to implement than a DMZ implemented with two firewalls. A DMZ with a firewall on each end is typically more secure than a single-firewall DMZ. The main objective for the placement of firewalls is to allow only traffic that the organization deems necessary and to provide notification of suspicious behavior.

  12. Hubs

  Physical Port Security (5:24)

  Hubs act as a central connection point for network devices on one network segment. Hubs are used to extend the length of a network beyond the cable’s maximum segment distance. They work at the Physical layer of the OSI model. Hubs are network devices that allow many hosts to inter-communicate through the usage of physical ports. This makes hubs central connectivity devices and prone to being attacked. Traffic sent to one port is regenerated to all other ports. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. This gives attackers the ability to inspect network traffic and intercept user credentials, security encryption traffic, and other forms of sensitive transmitted data. Hubs are considered highly insecure.

  13. Modems

  A modem is a hardware device that connects the digital signals from a computer to the analog telephone line. It allows these signals to be transmitted longer distances than are possible with digital signals. The word "modem" is an amalgam of the words "modulator" and "demodulator," which are the two functions that occur during transmission.

  Modems present a unique set of challenges from a security perspective. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation. War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. Setting the callback feature to have the modem call the user back at a preset number, and using encryption and firewall solutions, will help keep the environment safe from attacks.
  - Monitor computers that have modems to check whether they have been compromised
  - Check for software updates for computers that have modems
  - Remove all unnecessary modems from computers

  14. Remote Access Services

  Remote Access (2:50)

  Remote access servers (RAS) allow clients to use dial-up connections and network technologies to access servers and internal networks. RAS connections are achieved through dial-up, DSL, VPNs, cable modems, and ISDN. Client systems with a modem can connect using normal dial-up connections to a properly equipped remote-access service server, which functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet. The RAS environment is vulnerable to public PBX infrastructure vulnerabilities, RAS software bugs, buffer overflows, and social engineering. You should apply vendor security patches as soon as they are available to protect against RAS software bugs. Social engineering and the public PBX infrastructure are common methods used by intruders to access your RAS environment.

  Typical methods of securing remote access servers:
  - Implementing a strong authentication method or two-factor authentication
  - Limiting which users are allowed to dial in and limiting the dial-in hours
  - Implementing account lockout and strict password policies
  - Implementing a real-time alerting system

  Allowing dial-in only and forcing callback to a preset number are strategies for securing remote access servers (RAS).

  Figure: A RAS connection between a remote workstation and a Windows server

  15. Routers

  Routers enable connectivity between two or more networks and can connect multiple network segments into one network. Routers operate at the Network layer (Layer 3) by using IP addresses to route packets to their destination along the most efficient path. Routers store information about network destinations in routing tables. Routing tables contain information about known hosts on both sides of the router. Routers can be configured in many instances to act as packet-filtering firewalls. When configured properly, they can prevent unauthorized ports from being opened. Routers are the first line of defense and should therefore be configured to forward only traffic that is authorized by the network administrator. Access entries can be specified to allow only authorized traffic and deny unauthorized traffic.

  Methods for securing routers:
  - Routers should be kept in locked rooms
  - You should use complex passwords for administrative consoles
  - Routers should be kept current with the latest available vendor security patches
  - Configure access list entries to prevent unauthorized connections and routing of traffic
  - Use monitoring equipment to protect connection points and devices

  Secure Router Configuration (2:38)

  16. Routers

  Routers (in conjunction with a CSU/DSU) are also used to translate LAN to WAN framing. Such routers are referred to as border routers. Border routers decide who can come in and under what conditions. Dividing internal networks into two or more subnets is a common use for routers. Routers can also be connected internally to other routers, effectively creating autonomous zones. This type of connection keeps local network traffic off the network backbone and provides additional security internally.

  Routers establish routing tables. A router contains information about the networks connected to it and where to send requests if the destination is unknown. These tables grow as connections are made through the router. Routers communicate routing information using three standard protocols:
  - Routing Information Protocol (RIP) is a simple protocol that is part of the TCP/IP protocol suite. Routers that use RIP routinely broadcast the status and routing information of known routers. RIP also attempts to find routes between systems using the smallest number of hops or connections.
  - Border Gateway Protocol (BGP) allows groups of routers to share routing information.
  - Open Shortest Path First (OSPF) allows routing information to be updated faster than with RIP.

  17. Switches

  Switch Port Security and 802.1X (5:35)
  VLAN Management (3:44)

  Switches can be used to connect multiple LAN segments. Switches operate at the Data Link layer of the OSI model (Layer 2), using the MAC address to send packets to their destination. Switches create virtual circuits between systems in a network. These virtual circuits are somewhat private and reduce network traffic when used. Virtual circuits are more difficult to examine with network monitors. Only packets destined for the computer on a particular port of a switch can be seen. With computers connected through a switch, any individual computer would eventually be exposed only to traffic destined for that particular computer or for all computers. Therefore, any port would be able to see only traffic destined for it and broadcasts. Switches are used to create security segments on a LAN through the implementation of VLANs. Physical access control to the networking closet is critical to protect switched networks against any exposed supervisory ports that can be exploited by an attacker.

  Methods for securing switches:
  - Switches should be kept in locked rooms
  - You should use complex passwords for administrative consoles
  - Switches should be kept current with the latest available vendor security patches
  - Use monitoring equipment to protect connection points and devices

  18. Telecom/PBX Systems

  Many modern PBX (private branch exchange) systems integrate voice and data onto a single data connection to your phone service provider. These connections are made using existing network connections such as a T1 or T3 network. A PBX provides a connection to the public switched telephone network (PSTN) and provides telephone extensions for employees. A PBX is a programmable telephone switch that is typically located on a company’s premises. A PBX can usually be remotely administered. For years, PBX-type systems have been targeted by hackers, mainly to get free long-distance service. The vulnerabilities that phone networks are subject to include social engineering, long-distance toll fraud, and breach of data privacy.

  To protect a PBX from hacker attacks:
  - Make sure the PBX is in a secure area
  - Limit the number of entry points
  - Change default passwords
  - Only allow authorized maintenance
  - Remote PBX administration should require user names and passwords
  - The telephone number used to remotely administer a PBX should be unlisted
  - Block all toll numbers and limit long-distance calling
  - Implement a PBX password change and audit policy

  Many times, hackers can gain access to the phone system via social engineering because this device is usually serviced through a remote maintenance port.

  Figure: A modern digital PBX system integrating voice and data onto a single network connection

  19. Virtual Private Networks

  VPN Concentrators (2:06)

  VPNs are used to make connections between private networks across a public network. VPN connections provide a mechanism for the creation of a secured “tunnel” through a public network such as the Internet using a tunneling protocol, such as L2TP or PPTP. These connections are not guaranteed to be secure unless an encryption system, such as IPSec, is used.

  20. VPN Server in Front of the Firewall

  For the Internet interface on the VPN server, configure the input and output filters using the Routing and Remote Access snap-in. With the VPN server in front of the firewall attached to the Internet, you need to add packet filters to the Internet interface that only allow VPN traffic to and from the IP address of the VPN server's interface on the Internet. For inbound traffic, when the tunneled data is decrypted by the VPN server, it is forwarded to the firewall, which employs its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources. Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

  21. VPN Server Behind the Firewall

  More commonly, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a DMZ. The VPN server has an interface on the DMZ and an interface on the intranet. In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ. The firewall does not have the encryption keys for each VPN connection, so it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. This is not a problem, because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.

  When you deploy a VPN gateway in its own DMZ behind the external firewall, you receive the following benefits:
  - The firewall can protect the VPN gateway
  - The firewall can inspect plain text from the VPN
  - Internet connectivity does not depend on the VPN gateway

  In this deployment, the following drawbacks are experienced:
  - The firewall will need special routes to the VPN gateway configured
  - Roaming client support is hard to achieve

  For the Internet interface on the firewall, input and output filters need to be configured using the firewall's configuration software.

  22. Wireless Access Points

  To build a wireless network:
  - On the client side, you need a wireless NIC
  - On the network side, you need a wireless access point (WAP)

  A wireless access point (WAP) is a low-power transmitter/receiver, also known as a transceiver, which is strategically placed for access. The portable device and the access point communicate using one of several communications protocols, including IEEE 802.11 (also known as Wireless Ethernet). Wireless offers mobile connectivity within a campus, a building, or even a city. Wireless communications, although convenient, can also be less than secure. While many WAPs now ship with encryption on, you will still want to verify that this is the case with your network.

  Figure: A wireless portal being used to connect a computer to a company network. Notice that the portal connects to the network and is treated like any other connection used in the network.

  23. Monitoring and Diagnosing Networks: Network Monitors

  Network monitors, otherwise called sniffers, were originally introduced to help troubleshoot network problems. Examining the signaling and traffic that occurs on a network requires a network monitor. Network monitors are now available for most environments, and they’re effective and easy to use. Today, a network-monitoring system usually consists of a PC with a NIC (running in promiscuous mode) and monitoring software. Microsoft Network Monitor is a packet analyzer. It enables capturing, viewing, and analyzing network data and deciphering network protocols. It can be used to troubleshoot network problems and applications on the network. The monitoring software is menu driven, easy to use, and has a big help file. The traffic displayed by sniffers can become overly involved and require additional technical materials, which you can find on the Internet for free. With a few hours of work, most people can make network monitors work efficiently and use the data they present.

  Figure: Microsoft Network Monitor

  24. Monitoring and Diagnosing Networks: Intrusion Detection Systems

  Figure: An IDS and a firewall working together to secure a network

  An IDS (Intrusion Detection System) is a hardware device with software that monitors events in a system or network to identify when intrusions are taking place. IDSs are designed to analyze data, identify attacks, and respond to the intrusion. An IDS can run on network devices and on individual workstations. You can configure the IDS to monitor for suspicious network activity, check system logs, perform stateful packet matching, and disconnect sessions that are violating your security policy. An IDS is used to protect and report network abnormalities to a network administrator or system. It works with audit files and rule-based processing to determine how to act in the event of an unusual situation on the network.

  IDSs are different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. IDSs are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. If the firewall were compromised, the IDS would notify you based on the rules it’s designed to implement. In the event the firewall is compromised or penetrated, the IDS can react by disabling systems, ending sessions, and even potentially shutting down your network.

  The main types are host-based IDS and network IDS. With a host-based IDS, software runs on the host computer system to monitor machine logs, system logs, and how applications inter-operate. With a network IDS, the IDS checks for network traffic and traffic patterns that could be indicative of attacks such as port scans and denial-of-service attacks.

  Log Analysis (2:33)
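  The slide says a network IDS looks for traffic patterns such as port scans and denial-of-service floods; the following added example (written for these notes, not from the course or from any IDS product) shows the two pattern checks run over a constructed list of connection records. Record layout, thresholds, window sizes and all addresses are assumptions chosen for illustration.

```python
"""Added example (not course material): the two traffic-pattern checks a
network IDS runs for port scans and flood-style denial of service, applied
to a constructed list of (timestamp, src_ip, dst_ip, dst_port, proto)
records. Thresholds and windows are illustrative, not tuned values."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int, str]


def detect_port_scans(records: List[Record], port_threshold: int = 10,
                      window: float = 5.0) -> List[Dict]:
    """Flag a source that touches >= port_threshold distinct ports on one
    destination within `window` seconds. One alert per (src, dst) pair."""
    recent = defaultdict(deque)     # (src, dst) -> deque of (ts, dport)
    alerts: Dict[tuple, Dict] = {}
    for ts, src, dst, dport, _proto in sorted(records):
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold and key not in alerts:
            alerts[key] = {"type": "port_scan", "src": src, "dst": dst,
                           "distinct_ports": len(ports), "window_end": ts}
    return list(alerts.values())


def detect_floods(records: List[Record], packet_threshold: int = 40,
                  window: float = 1.0) -> List[Dict]:
    """Flag a destination service receiving >= packet_threshold packets within
    `window` seconds, however many sources send them (flood traffic usually
    comes from many or forged addresses, so the count is per target, not per
    source). One alert per (dst, dport)."""
    recent = defaultdict(deque)     # (dst, dport) -> deque of ts
    alerts: Dict[tuple, Dict] = {}
    for ts, _src, dst, dport, _proto in sorted(records):
        key = (dst, dport)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= packet_threshold and key not in alerts:
            alerts[key] = {"type": "flood", "dst": dst, "dport": dport,
                           "packets": len(q), "window_end": ts}
    return list(alerts.values())


def build_sample_records() -> List[Record]:
    """Constructed traffic: normal browsing, one port scan, one flood."""
    records: List[Record] = []
    # normal: an inside host fetching web pages on two ports over a minute
    for i, port in enumerate([80, 443, 80, 443, 80]):
        records.append((10.0 * i, "10.0.0.5", "203.0.113.10", port, "tcp"))
    # scan: one outside host walks ports 20..39 of an inside server in 2 s
    for i, port in enumerate(range(20, 40)):
        records.append((100.0 + i * 0.1, "198.51.100.7", "10.0.0.8", port, "tcp"))
    # flood: 60 packets from 50 changing sources hit an inside web server in 0.6 s
    for i in range(60):
        records.append((200.0 + i * 0.01, f"192.0.2.{i % 50 + 1}", "10.0.0.9", 80, "tcp"))
    return records
```

  Running both detectors over the sample yields exactly one scan alert (198.51.100.7 against 10.0.0.8, raised at the tenth distinct port) and one flood alert (10.0.0.9 port 80, raised at the fortieth packet), while the normal browsing records raise nothing.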

  25. Securing Workstations and Servers

  Workstations are particularly vulnerable in a network. Workstations communicate using services such as file sharing, network services, and application programs. Many of these programs have the ability to connect to other workstations or servers. These connections are potentially vulnerable to interception and exploitation. The process of making a workstation or a server more secure is called platform hardening. The process of hardening the operating system is referred to as OS hardening.

  Platform hardening procedures can be categorized into three basic areas:
  - Remove unused software, services, and processes from the workstations (for example, remove the server service from a workstation). These services and processes may create opportunities for exploitation.
  - Ensure that all services and applications are up-to-date, including available service and security packs, and configured in the most secure manner allowed. This may include assigning passwords, limiting access, and restricting capabilities.
  - Minimize information dissemination about the operating system, services, and capabilities of the system. Many attacks can be targeted at specific platforms once the platform has been identified.

  Many operating systems use default account names for administrative access. If at all possible, these should be changed. During a new installation of Windows Vista or Windows XP, the first user created is automatically added to the Administrators group. Windows Vista then goes one step further and automatically disables the actual Administrator account once another account belonging to the Administrators group has been created.

  26. Understanding Mobile Devices

  Mobile devices, including pagers and personal digital assistants (PDAs), use either RF signaling or cellular technologies for communication. If the device uses the Wireless Application Protocol (WAP), the device in all likelihood doesn’t have security enabled. Several levels of security exist in the WAP protocol:
  - Anonymous authentication, which allows virtually anyone to connect to the wireless portal
  - Server authentication, which requires the workstation to authenticate against the server
  - Two-way (client and server) authentication, which requires both ends of the connection (client and server) to authenticate to confirm validity

  Many new wireless devices are also capable of using certificates to verify authentication. The Wireless Session Protocol (WSP) manages the session information and connection between the devices. The Wireless Transaction Protocol (WTP) provides services similar to TCP and UDP for WAP. The Wireless Datagram Protocol (WDP) provides the common interface between devices. Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol.

  Figure: A mobile environment using WAP security. This network uses both encryption and authentication to increase security.

  27. Understanding Remote Access: Point-to-Point Protocol

  Point-to-Point Protocol (PPP) offers multiple protocol support including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections. PPP is a protocol for communicating between two points using a serial interface, and it provides service at Layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections. PPP provides no security. PPP is primarily intended for dial-up connections and should never be used for VPN connections. PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1. PPP does not provide data security, but it does provide authentication using the Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission. A dial-up connection using PPP works well because it isn’t common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.

  Figure: PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission.

  28. Understanding Remote Access: Working with Tunneling Protocols

  Tunneling protocols add a capability to the network: the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems. The three primary tunneling protocols are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and L2F (Layer 2 Forwarding protocol).

  29. Working with Tunneling Protocols: Point-to-Point Tunneling Protocol

  Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link. PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server. This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect, PPTP creates a secure WAN connection using dial-up access. PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks. The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works.

  30. Working with Tunneling Protocols Layer 2 Forwarding L2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption. Layer 2 Tunneling Protocol Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP that can be used between LANs and can also be used to create a VPN. L2TP is primarily a point-to-point protocol. Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F. L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP. L2TP isn’t secure on its own, and you should use IPSec with it to provide encryption of the data. L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets as well as for maintaining the connection. L2TP uses UDP port number 1701.

  31. Working with Tunneling Protocols Secure Shell Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner. SSH was originally designed for UNIX systems. SSH is a program that allows connections to be secured by encrypting the session between the client and the server. SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX. SSH transmits both authentication information and data securely during terminal connections with UNIX computers. SSH uses port 22. Internet Protocol Security IPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols to provide network security. IPSec is oriented primarily toward LAN-to-LAN connections rather than dial-up connections. IPSec can be used to digitally sign headers and to encrypt and encapsulate packets. IPSec provides both authentication and encryption, and it is regarded as one of the strongest security standards. When the Authentication Header (AH) protocol is used, IPSec digitally signs packet headers; when the Encapsulating Security Payload (ESP) is used, IPSec encrypts packets.

  32. Working with Tunneling Protocols IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security. Tunnel mode is used for VPNs over an unsecured public network. In tunnel mode, packets are encapsulated within other packets, and both the payload and the original message headers are encrypted. Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets. Transport mode is used only when the data portion needs to be encrypted over owner-controlled networks such as a LAN. In transport mode, only the payload is encrypted. When transport mode is used, packets are not encapsulated.

  33. RADIUS and TACACS (5:46) Working with RADIUS Figure: A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights. Remote Authentication Dial-In User Service (RADIUS) is a mechanism that provides centralized remote user authentication, authorization, and accounting. The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database. A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications. A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client’s request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server. RADIUS encrypts only the password in the Access-Request packet sent from the client to the server; the remainder of the packet is unencrypted. RADIUS uses UDP transport.
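To make concrete what "RADIUS encrypts only the password" means, here is an added example (not part of the original slides) that builds an Access-Request the way RFC 2865 specifies: the User-Name attribute travels in the clear, the User-Password attribute is hidden by XOR with an MD5 stream derived from the shared secret and the Request Authenticator, and the server recovers it with the same secret. The user name, password, shared secret and identifier values are constructed for the example; the Response Authenticator routine shows how the client ties a reply to the same secret.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), cn = pn XOR MD5(secret + c(n-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server's inverse of hide_password; the NUL padding is stripped again."""
    padded, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        padded += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return padded.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_authenticator=None):
    """RADIUS client side: the Access-Request bytes as sent, plus the authenticator used."""
    ra = request_authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def inspect_on_wire(packet: bytes, secret: bytes) -> dict:
    """What a sniffer sees in the packet versus what a server holding the secret recovers."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    return {
        "code": code,
        "identifier": identifier,
        "username_cleartext": attrs[ATTR_USER_NAME].decode(),   # readable by anyone on the path
        "password_hidden": attrs[ATTR_USER_PASSWORD],            # 16-byte blocks, secret needed
        "password_recovered": reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra),
    }


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """Server reply integrity: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    The client recomputes this, so a reply forged without the secret is detected."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()
```

Running `inspect_on_wire` on a packet built with `build_access_request` shows the user name in clear text and the password as opaque 16-byte blocks; supplying the wrong secret yields garbage rather than an error, which is why the shared secret must be strong and why the slides elsewhere recommend IPSec for links that carry this traffic.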

  34. TACACS/+ Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS. Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with logging to enable auditing. Although RADIUS performs in much the same manner, TACACS+ is used almost exclusively by Cisco. RADIUS is more of a generic standard used by many different companies. TACACS+ is gaining ground, however. The most current method or level of TACACS is TACACS+. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos. TACACS+ provides authentication, authorization, and accounting (AAA). TACACS+ relies on TCP over port 49.

  35. Securing Internet Connections Working with Ports and Sockets TCP/IP establishes connections and circuits using a combination of the IP address and a port. A port is an interface that is used to connect to a device. A socket is the combination of the IP address and the port. The socket identifies which application will respond to the network request. For example, if you attempt to connect to a remote system with the IP address 192.168.0.100, which is running a website, you’ll use port 80 by default. The combination of these two elements gives you a socket: 192.168.0.100:80. IP is used to route the information through the network. The four layers of TCP/IP encapsulate the information into a valid IP packet that is then transmitted across the network. The figure to the right illustrates the key components of a TCP packet requesting the home page of a website. The destination port is the port the data is sent to. In the case of a web application, the destination port field contains 80. The data field contains the value GET /. This value requests the home or starting page from the web server. In essence, this command or process requests the home page of the site 192.168.0.100 on port 80. The reply is formed into another data packet that is passed down to IP and sent back to the originating system on port 1024, the source port of the request. The connections to most services using TCP/IP are based on this port model.
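The request/reply pair the figure describes, as an added example that is not part of the original slides: a local web server is bound to an address and a port the operating system picks, a client connects to that socket, sends GET / and receives the home page. Both ends run on 127.0.0.1 here, and the server, page content and helper names are constructed for the example; the client-side port is the ephemeral port the reply returns to, the counterpart of port 1024 in the figure.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _HomePage(BaseHTTPRequestHandler):
    """Minimal web server for the example: answers GET / with a constructed home page."""

    def do_GET(self):
        body = b"<html><body>home</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def fetch_home_page(host: str = "127.0.0.1") -> dict:
    """Open a TCP socket to the server socket, request GET /, and report both sockets."""
    server = HTTPServer((host, 0), _HomePage)     # port 0: the OS chooses a free listening port
    server_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection((host, server_port)) as s:
            local_ip, local_port = s.getsockname()[:2]    # client socket (ephemeral source port)
            remote_ip, remote_port = s.getpeername()[:2]  # server socket (the "192.168.0.100:80" of the slide)
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            chunks = []
            while True:                                  # HTTP/1.0: server closes when done
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        raw = b"".join(chunks)
    finally:
        server.shutdown()
        server.server_close()
    return {
        "client_socket": f"{local_ip}:{local_port}",
        "server_socket": f"{remote_ip}:{remote_port}",
        "status_line": raw.split(b"\r\n", 1)[0].decode(),
        "body_contains_home": b"home" in raw,
    }


if __name__ == "__main__":
    for key, value in fetch_home_page().items():
        print(f"{key:>18}: {value}")
```

The two socket strings in the result are the same pair of (address, port) values the figure shows in the packet header, only with the roles visible from the client's side: the reply is addressed to `client_socket`, so that is the only place the response can land.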

  36. Securing Internet Connections Working with E-Mail The most common e‑mail systems use the following protocols, all of which use TCP for session establishment. Simple Mail Transport Protocol SMTP is a mail delivery protocol that is used to send e‑mail between an e‑mail client and an e‑mail server as well as between e‑mail servers. SMTP uses port 25. Post Office Protocol POP is a newer protocol that relies on SMTP for message transfer and is used to receive e‑mail. POP3, the newest version of POP, allows messages to be transferred from the waiting post office to the e‑mail client. The current POP3 standard uses port 110. Internet Message Access Protocol IMAP is the newest player in the e‑mail field, and it’s rapidly becoming the most popular. Like POP, IMAP has a store-and-forward capability. IMAP allows messages to be stored on an e‑mail server instead of being downloaded to the client. It also allows messages to be downloaded based on search criteria. The current version, IMAP 4, uses port 143. Each of these web services is offered in conjunction with web-enabled programs such as Flash and Java. These services use either a socket to communicate or a program that responds to commands through the browser. If your browser can be controlled by an application, your system is at great risk of attack. Servers are also vulnerable to this issue because they must process requests from browsers for information or data. Figure: The process of transferring an e‑mail message.

  37. Securing Internet Connections Working with the Web There are two common ways to provide secure connections between a web client and a web server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely used cryptographic protocols for conveying information between a web client and a server. The SSL protocol uses an encryption scheme between the two systems: the client initiates the session, the server responds, indicating that encryption is needed, and then they negotiate an appropriate encryption scheme. TLS is a newer protocol that merges SSL with other protocols to provide encryption. TLS supports SSL connections for compatibility, but it also allows other encryption protocols, such as Triple DES, to be used. SSL/TLS uses port 443 and TCP for connections. HTTP Secure (HTTP/S) is a protocol that is used for secure connections between two systems that use the Web. It protects the connection, and all traffic between the two systems is encrypted. HTTP/S uses SSL or TLS for connection security, and it uses port 443 and TCP for connections.

  38. Securing Internet Connections ActiveX ActiveX is a technology that was implemented by Microsoft. ActiveX allows customized controls, icons, and other features to increase the usability of web-enabled systems. ActiveX uses a method called Authenticode for security. Authenticode is a type of certificate technology that allows ActiveX components to be validated by a server. ActiveX runs on the client. Web browsers can be configured so that they require confirmation to accept an ActiveX control. However, many users don’t understand these confirmation messages when they appear, and they automatically accept the components. Automatically accepting an ActiveX component or control creates the opportunity for security breaches on a client system when the control is used, because an ActiveX control contains programming instructions that can contain malicious code or create vulnerabilities in a system.

  39. Securing Internet Connections Buffer Overflows Perhaps the most popular method of privilege escalation is a buffer-overflow attack. Buffer overflows cause disruption of service and lost data. Buffer overflows occur when an application receives more data than it is programmed to accept. This situation can cause an application to terminate; the termination may leave the system sending the data with temporary access to privileged levels in the attacked system. It can cause the overwriting of data or memory storage, or a denial of service due to overloading the input buffer’s ability to cope with the additional data. Or the originator can execute arbitrary code, often at a privileged level. A buffer overflow is targeted toward an individual machine.

  40. Securing Internet Connections Common Gateway Interface Common Gateway Interface (CGI) is an older form of scripting that was used extensively in early web systems. CGI scripts could be used to capture data from a user using simple forms. CGI scripts are not widely used in new systems and are being replaced by Java, ActiveX, and other technologies. The CGI script ran on the web server, and it interacted with the client browser. Vulnerabilities in CGI are the result of its inherent ability to do what it is told. If a CGI script is written to wreak havoc (or carries extra code added to it by a miscreant) and it is executed, your systems will suffer. The best protection against any weaknesses is to not run applications written in CGI.

  41. Securing Internet Connections Cookies Cookies are text files that a browser maintains on the user's hard disk. They store information on a Web client for future sessions with a Web server. A cookie will typically contain information about the user. It is used to provide a persistent, customized Web experience for each visit and to track a user’s browsing habits. A cookie can contain the history of a client to improve customer service. A tracking cookie is a particular type of permanent cookie that stays around, whereas a session cookie stays around only for the particular visit to a website. The danger in maintaining session information is that sites may access cookies stored in the browser’s cache that contain sensitive information identifying the user or allowing access to secured sites. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks. The best protection is to not allow cookies to be accepted. Almost every browser offers the option to enable or disable cookies. If you enable them, you can usually choose whether to accept or reject all cookies or only those from the originating server.

  42. Cross-site Scripting (12:36) Securing Internet Connections Cross-site scripting (XSS) Cross-site scripting (XSS) is when a website redirects the client’s browser to attack yet another site. XSS is a type of security vulnerability typically found in Web applications that allows code injection by hackers into the Web pages viewed by other users. It is used to trick a user into visiting a site and having code execute locally. XSS poses the most danger when a user accesses a financial organization’s site using his or her login credentials. The problem is not that the hacker will take over the server; it is more likely that the hacker will take over the client’s session. This allows the hacker to gain information about the legitimate user that is not publicly available. The best protection against cross-site scripting is to disable the running of scripts.

  43. Securing Internet Connections Input Validation Any time a user supplies values in a session, the data entered should be validated. Many vendors, however, have fallen prey to input validation vulnerabilities within their code. In some instances, empty values have been accepted, while others have allowed privilege escalation if certain backdoor passwords were used. The best protection against input validation vulnerabilities is for developers to follow best practices and always validate all values entered. As an administrator, when you learn of an input validation vulnerability in any application on your system, you should immediately stop using it until a patch has been released and installed.
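The two developer-side defences from slides 42 and 43, validating what comes in and encoding what goes out, as one added example that is not part of the original slides. The first renderer puts user input straight into HTML, which is how injected script reaches other users' browsers; the second encodes it; the validator rejects empty values and anything outside an allowlist, so the empty-value case the slide mentions is handled explicitly. The username rule, the `<script>alert(1)</script>` sample and the greeting page are constructed for the example.

```python
import html
import re


def render_greeting_vulnerable(name: str) -> str:
    """Interpolates user input straight into HTML: whatever the user typed becomes markup,
    and script tags in it run in the browser of whoever views the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Output encoding: the browser displays the characters instead of interpreting them."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Allowlist for a username field: letters, digits, underscore, dot, hyphen; 1 to 32 characters.
# (Constructed rule for this example; real applications define their own per field.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value) -> str:
    """Reject empty values and anything outside the expected alphabet before it is used."""
    if value is None or value == "":
        raise ValueError("empty value not accepted")
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("username must be 1-32 letters, digits, '_', '.' or '-'")
    return value


def handle_request(raw_name) -> tuple:
    """Validate on the way in, encode on the way out; returns (HTTP status, HTML body)."""
    try:
        name = validate_username(raw_name)
    except ValueError as err:
        # Even the error text is encoded: it echoes a description, never the raw input.
        return 400, f"<p>Invalid username: {html.escape(str(err))}</p>"
    return 200, render_greeting_escaped(name)


if __name__ == "__main__":
    # Constructed sample input: a script tag submitted where a name was expected.
    sample = "<script>alert(1)</script>"
    print("vulnerable:", render_greeting_vulnerable(sample))
    print("escaped:   ", render_greeting_escaped(sample))
    print("validated: ", handle_request(sample))
    print("normal:    ", handle_request("alice_01"))
```

Validation and encoding are separate layers on purpose: the allowlist stops malformed values early, and the encoding protects any field (a comment body, for instance) whose legitimate content must be allowed to contain characters such as `<` and `"`.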

  44. Securing Internet Connections Java Applets A Java applet is a small, self-contained Java program that is downloaded from a server to a client and then run from the browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they are popular tools used for website development. Signed applets are similar to unsigned Java applets, with one key difference: unsigned Java applets use sandboxes to enforce security. A sandbox protects the system from malicious software by enforcing the execution of the application within the sandbox and preventing access to the system resources outside the sandbox. The concept of a Web script that runs in its own environment and cannot interfere with any other process is known as a sandbox. A signed applet does not run in the Java sandbox, and it has higher system access capabilities. Signed applets are not usually downloaded from the Internet. This type of applet is usually provided by in-house or custom-programming efforts. These applets can also include a digital signature to verify authenticity. If the applet is verified as authentic, it will be installed. Users should never download a signed applet unless they are sure that the provider is trusted. Errors in the Java virtual machine that runs the applets may allow some applets to run outside of the sandbox. When this occurs, the applet is unsafe and may perform malicious operations. From a user’s standpoint, the best defense is to make certain you run only applets from reputable sites you’re familiar with. From an administrator’s standpoint, you should make certain programmers adhere to programming guidelines when creating the applets.

  45. Securing Internet Connections JavaScript JavaScript is a programming language that allows access to the system resources of the system running the script. These scripts can interface with all aspects of an operating system just like programming languages such as C. This means that JavaScript scripts, when executed, can potentially damage systems or be used to send information to unauthorized persons. JavaScript scripts can be downloaded from a website to a client and executed within a Web browser. The client browser must have the ability to run Java applets in a virtual machine on the client. Java applets are used extensively in web servers today, and they are becoming one of the most popular tools used for website development.

  46. Securing Internet Connections Popups A popup occurs when a website is opened in a new window in the foreground. Popups are an annoyance, and some can contain inappropriate content or entice the user to download malware. Some popup blockers may delete the information already entered by reloading the page, causing the user unnecessary grief. Many popup blockers are integrated into vendor toolbars. Field help for fill-in forms is often in the form of a popup. A popunder occurs when a website is opened in a new window in the background. Popunders are in the same family as popups and should be prevented by enabling a popup blocker on the user’s computer. You can adjust the settings on popup blockers to meet the organizational policy or to best protect the user environment: high settings might prevent application or program installation, while medium will block most automatic popups but still allow functionality. Popup blockers can be circumvented in various ways: most popup blockers block only the JavaScript, so technologies such as Flash bypass the popup blocker, and on many Internet browsers holding down the Ctrl key while clicking a link will allow it to bypass the popup filter.

  47. Securing Internet Connections SMTP Relay SMTP relay is a feature designed into many e-mail servers that allows them to forward e-mail to other e-mail servers. The main purpose of implementing an e-mail relay server is to protect the primary e-mail server by reducing the effects of viruses and port scan attacks. Initially, the SMTP relay function was intended to help bridge between systems. This capability allows e-mail connections between systems across the Internet to be made easily. Unfortunately, this feature has been used to generate a great deal of spam on the Internet. You should configure your e-mail server to prevent open e-mail relay, because unrestricted relay can result in untraceable, unwanted, unsolicited e-mail messages being sent.
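What "configure your e-mail server to prevent e-mail relay" comes down to is the decision a server makes at RCPT TO time. As an added example that is not part of the original slides, the following models that decision twice: an open relay that forwards for anyone, and a restricted policy that delivers locally for anyone but relays only for authenticated users or clients on the organization's own networks. The domains, networks, client addresses and recipients are constructed for the example; the reply codes follow the usual SMTP conventions.

```python
import ipaddress

# Constructed policy for a hypothetical organization (not from the original slides).
LOCAL_DOMAINS = {"example.com", "corp.example.com"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.10.0/24")]


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _from_trusted_network(client_ip: str) -> bool:
    return any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETWORKS)


def open_relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """The weak setting: forward mail to any recipient domain for any client."""
    if not recipient_domain(rcpt_to):
        return ("reject", "501 5.1.3 bad recipient address syntax")
    return ("accept", "250 2.1.5 recipient OK")


def restricted_relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """The corrected setting: local delivery for anyone; relay only for
    authenticated clients or clients inside the organization's networks."""
    domain = recipient_domain(rcpt_to)
    if not domain:
        return ("reject", "501 5.1.3 bad recipient address syntax")
    if domain in LOCAL_DOMAINS:
        return ("accept", "250 2.1.5 recipient OK (local delivery)")
    if authenticated:
        return ("accept", "250 2.1.5 recipient OK (authenticated relay)")
    if _from_trusted_network(client_ip):
        return ("accept", "250 2.1.5 recipient OK (trusted network relay)")
    return ("reject", "554 5.7.1 relay access denied")


# Constructed RCPT TO attempts: (client IP, authenticated?, recipient address)
SAMPLE_ATTEMPTS = [
    ("203.0.113.45", False, "bob@example.com"),      # inbound mail for a local user
    ("203.0.113.45", False, "victim@example.org"),   # outsider trying to relay through us
    ("203.0.113.45", True,  "partner@example.org"),  # roaming user who authenticated first
    ("10.20.30.40",  False, "partner@example.org"),  # host on the internal network
    ("198.51.100.7", False, "no-at-sign"),           # malformed recipient
]


def evaluate(policy) -> dict:
    """Run a policy over the sample attempts and count what it lets through."""
    results = {"accepted": 0, "rejected": 0, "relayed_for_outsiders": 0}
    for ip, authed, rcpt in SAMPLE_ATTEMPTS:
        verdict, _reply = policy(ip, authed, rcpt)
        results["accepted" if verdict == "accept" else "rejected"] += 1
        outsider = not authed and not _from_trusted_network(ip)
        if verdict == "accept" and outsider and recipient_domain(rcpt) not in LOCAL_DOMAINS:
            results["relayed_for_outsiders"] += 1   # the spam-generating case
    return results


if __name__ == "__main__":
    print("open relay:      ", evaluate(open_relay_decision))
    print("restricted relay:", evaluate(restricted_relay_decision))
```

The only attempt whose outcome differs between the two policies is the second one, an unauthenticated outside host asking the server to deliver to a third party's domain; that single case is the open relay that produces the untraceable spam the slide warns about, while legitimate inbound mail and internal or authenticated senders are unaffected.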

  48. Working with File Transfer Protocol FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication. FTP has three separate functions: FTP is a protocol, a client, and a server. The client system runs a program called FTP. The server runs a service called FTP server. The FTP client and server communicate using the FTP protocol. The client requests a connection to a server that runs the FTP service. The client and server communicate using a protocol that defines the command structure and interactions between the client and server. Early FTP servers based security on the honor system. Most logons to an FTP site used the anonymous logon: conventionally, the logon was the user's e-mail address and the password was anonymous. In this situation, the only security offered is what is configured by the operating system. The major security vulnerability of FTP is that the user ID and password are not encrypted and are sent in clear text. This leaves them subject to packet capture, a major security breach, especially if you are connecting to an FTP server across the Internet. The only protection is to implement Secure FTP (SFTP) or to implement FTP with Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Secure FTP (SFTP) is accomplished using a protocol called Secure Shell (SSH).

  49. ICMP and SNMP (4:39) Understanding Network Protocols Simple Network Management Protocol (SNMP) is used to monitor network devices. SNMP is used for monitoring the health of network equipment, computer equipment, and devices such as a UPS. It uses port 161 to communicate. Internet Control Message Protocol (ICMP) is used for destination and error reporting functions in TCP/IP. ICMP is routable and is used by programs such as Ping and Traceroute. ICMP is used for carrying error, control, and informational packets between hosts. ICMP is one of the favorite protocols used for DoS attacks. You can disable ICMP at the router to prevent these types of situations from occurring. Internet Group Management Protocol (IGMP) is used for group messaging and multicasting. IGMP maintains a list of systems that belong to a message group. When a message is sent to a particular group, each system receives an individual copy. Multicasting can consume huge amounts of bandwidth in a network and possibly create a DoS situation. Most network administrators disable the reception of broadcast and multicast traffic from outside their local network.

  50. The Basics of Cabling, Wires, and Communications Coax Coaxial cabling has a center conductor that is used to carry data from point to point. The center conductor has an insulator wrapped around it. A shield is found over the insulator, and a nonconductive sheath is found around the shielding. Coaxial cabling is probably one of the oldest types of network cabling still in use. Coax has two primary vulnerabilities from a security perspective. The most common is the addition of a T-connector attached to a network sniffer. This sniffer would have unrestricted access to the signaling on the cable. The second and less common method involves a connection called a vampire tap. A vampire tap is a type of connection that hooks directly into a coax cable by piercing the outer sheath and attaching a small wire to the center conductor or core. This type of attachment allows a tap to occur almost anywhere in the network. Taps can be hard to find because they can be anywhere along the cable. Figure: The two common methods of tapping a coax cable.
