Download
chapter fifteen n.
Skip this Video
Loading SlideShow in 5 Seconds..
Chapter Fifteen PowerPoint Presentation
Download Presentation
Chapter Fifteen

Chapter Fifteen

210 Vues Download Presentation
Télécharger la présentation

Chapter Fifteen

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Chapter Fifteen Network Security

  2. Objectives • Identify security risks in LANs and WANs • Explain how physical security contributes to network security • Discuss hardware- and design-based security techniques

  3. Objectives • Use network operating system techniques to provide basic security • Implement enhanced security through specialized software • Describe the elements of an effective security policy

  4. Terminology • A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them • A cracker is someone who uses his or her knowledge of operating systems and utilities to intentionally damage or destroy data or systems • In general, root refers to a highly privileged user ID that has all rights to create, delete, modify, move, read, write, or execute files on a system • A firewall is a specialized device that selectively filters or blocks traffic between networks

  5. Security Audits • Assessment of an organization’s security risks • Regular security audits should be performed at least annually and preferably quarterly • You should also conduct a security audit after making any significant changes to your network

  6. Security Risks • Social engineering • Manipulating relationships to circumvent network security measures and gain access to a system • Some risks associated with people: • Intruders or attackers using social engineering or snooping to obtain passwords • An administrator incorrectly creating or configuring user IDs, groups, and their associated rights on a file server

  7. Security Risks • Some risks associated with people (cont.): • Network administrators overlooking security flaws in topology or hardware configuration • Network administrators overlooking security flaws in operating system or application configuration • Lack of proper documentation and communication of security policies • Dishonest or disgruntled employees abusing their file and access rights • An unusual computer or terminal being left logged into the network

  8. Security Risks • Some risks associated with people (cont.): • Users or administration choosing easy-to-guess passwords • Authorized staff leaving computer room doors open or unlocked • Staff discarding disks or backup tapes in public waste containers • Administrators neglecting to remove access files and rights for former employees • Users leaving passwords out in open spaces

  9. Risks Associated with Hardware and Network Design • Inherent risks in network hardware and design: • Wireless transmission can typically be intercepted • Networks that use leased lines are vulnerable to eavesdropping • Network hubs broadcast traffic over the entire segment • If they are not disabled, unused hubs, routers, or server ports can be exploited and accessed by crackers

  10. Risks Associated with Hardware and Network Design • Inherent risks in network hardware and design (cont.): • If routers are not properly configured to mask internal subnets, users on outside networks can read the private addresses • Modems attached to network devices may be configured to accept incoming calls • Dial-in access servers used by telecommuting or remote staff may not be carefully secured and monitored • Computers hosting very sensitive data may coexist on the same subnet with computers open to the general public

  11. Risks Associated with Protocols and Software • Some risks pertaining to networking protocols and software: • TCP/IP contains several security flaws • Trust relationships between one server and another may allow a cracker to access the entire network because of a single flaw • Network operating system software typically contains “backdoors” or security flaws

  12. Risks Associated with Protocols and Software • Some risks pertaining to networking protocols and software (cont.): • If the network operating system allows server operators to exit to a command prompt, intruders could run destructive command-line programs • Administrators might accept the default security options after installing an operating system or application • Transactions that take place between applications may be left open to interception

  13. Risks Associated with Internet Access • Common Internet-related security breaches: • IP spoofing • Outsiders obtain internal IP addresses, then use those addresses to pretend that they have authority to access your internal network from the Internet • When a user Telnets or FTPs to your site over the Internet, his or her user ID and password will be transmitted in plain text • Crackers may obtain information about your user ID from newsgroups, mailing lists, or forms filled out on the Web

  14. Risks Associated with Internet Access • Common Internet-related security breaches (cont.): • Flashing • Internet user send commands to another Internet user’s machine that cause the screen to fill with garbage characters • Denial-of-service attack • Occurs when a system becomes unable to function because it has been deluged with messages or otherwise disrupted

  15. Addressing Risks Associated with People • An effective security policy • Typical goals for security policies: • Ensuring that authorized users have appropriate access to the resources they need • Preventing unauthorized users from gaining access to the network, systems, programs, or data • Protecting sensitive data from unauthorized access

  16. Addressing Risks Associated with People • Typical goals for security policies (cont.): • Preventing accidental damage to hardware or software • Preventing intentional damage to hardware or software • Creating an environment where the network and systems can withstand and quickly recover from any type of threat • Communicating each employee’s responsibilities with respect to maintaining data integrity and system security

  17. Security Policy Content • After risks are identified and responsibilities for managing them are assigned, the policy’s outline should be generated with those risks in mind • The security policy should explain clearly to users: • What they can and cannot do • How these measures protect the network’s security

  18. Response Policy • Suggestions for team roles • Dispatcher • Manager • Technical support specialist • Public relations specialist

  19. Passwords • Tips for making and keeping passwords secure: • Do not use the familiar types of passwords • Do not use any word that might appear in a dictionary • Make passwords longer than six characters

  20. Passwords • Tips for making and keeping passwords secure (cont.): • Choose a combination of letters and numbers • Do not write down your password or share it with others • Change your password at least every 90 days

  21. Physical Security FIGURE 15-1 Badge access security system

  22. Physical Security • Bio-recognition access • Device scans an individual’s unique physical characteristics • Relevant questions in assessing physical security: • Which rooms contain critical systems or data and need to be secured? • Through what means might intruders gain access to the facility, computer room, telecommunications room, wiring closet, or data storage areas?

  23. Physical Security • Relevant questions in assessing physical security (cont.): • How and to what extent are authorized personnel granted entry? • Are employees instructed to ensure security after entering or leaving secured areas? • Are authentication methods difficult to forge or circumvent?

  24. Physical Security • Relevant questions in assessing physical security (cont.): • Do supervisors or security personnel make periodic physical security checks? • Are all combinations, codes, or other access means to computer facilities protected at all times? • Does a plan exist for documenting and responding to physical security breaches?

  25. Addressing Risks Associated with Hardware and Design • Firewall • Specialized device that selectively filters or blocks traffic between networks Figure 15-2: Placement of a firewall between a private network and the Internet

  26. Firewalls • Packet filtering firewall • Router that operates at the Data Link and Transport layers of the OSI Model • Also called screening firewalls Figure 15-3: Packet filtering firewall

  27. Firewalls • Criteria that a firewall might use to accept or deny data: • Source and destination IP addresses • Source and destination ports • TCP, UDP, or ICMP protocols

  28. Firewalls • Criteria that a firewall might use to accept or deny data (cont.): • Packet’s status as the first packet in a new data stream or a subsequent packet • Packet’s status as inbound or outbound to or from your private network • Packet’s status as originating from or being destined for an application on your private network

  29. Firewalls • Proxy service • Software application on a network host that acts as an intermediary between external and internal networks • Network host that runs the proxy service is known as a proxy server, or gateway

  30. Firewalls Figure 15-4: Proxy server used on a WAN

  31. Firewalls • Questions to ask when choosing a firewall: • Does the firewall support encryption? • Does the firewall support authentication? • Does the firewall allow you to manage it centrally and through a standard interface?

  32. Firewalls • Questions to ask when choosing a firewall (cont.): • How easily can you establish rules for access to and from the firewall? • Does the firewall support filtering at the highest layers of the OSI Model? • Does the firewall provide logging and auditing capabilities, or alert you to intrusions? • Does the firewall protect the identity of your internal LAN’s addresses from the outside world?

  33. Remote Access • Remote access • Capability for traveling employees, telecommuters, or distant vendors to access an organization’s private LAN or WAN through specialized remote access servers

  34. Remote Control • Important security features for a remote control program: • Login ID and password requirements for gaining access to the host system • Ability for the host system to call back • Support for data encryption on transmissions between the remote user and the system

  35. Remote Control • Important security features for a remote control program (cont.): • Ability to leave the host system’s screen blank while a remote user works on it • The ability to disable the host system’s keyboard and mouse • Ability to restart the host system when a remote user disconnects from the system

  36. Dial-Up Networking • Recommended features for a secure remote access server package: • Login ID and password authentication • Ability to log all dial-up connections, their resources, and their connection times • Ability to perform callbacks to users who initiate connections • Centralized management of dial-up users and their rights on the network

  37. Remote Authentication Dial-In User Service (RADIUS) • Terminal Access Controller Access Control System (TACACS) • Centralized authentication system for remote access servers that is similar to RADIUS Figure 15-5: RADIUS server providing central authentication

  38. Addressing Risks Associated with Protocols and Software • Restriction that network administrators can use to strengthen the security of their networks • Some users may be valid only during specific hours • Some user IDs may be restricted to a specific number of hours per day of logged-in time • You can specify that user IDs can log in only from certain workstation or certain areas of the network • Set a limit on how many unsuccessful login attempts from a single user the server will accept before blocking that ID from even attempting to log on

  39. Encryption • Use of an algorithm to scramble data into a format that can be read only by reversing the algorithm • In order to protect data, encryption provides the following assurances: • Data were not modified after the sender transmitted them and before receiver picked them up • Data can only be viewed by their intended recipient (or at their intended destination) • All of the data received at intended destination were truly issued by the stated sender and not forged by an intruder

  40. Encryption • The most popular kind of encryption weaves a key (random string of characters) into the original data’s bits to generate a unique data block • The scrambled data block is known as cipher text • The longer the key, the less easily the cipher text can be decrypted by an unauthorized system

  41. Encryption Figure 15-6: Key encryption and decryption

  42. Encryption • Private key encryption • Data are encrypted using a single that only the sender and receiver know • Also known as symmetric encryption • The most popular private key encryption is the data encryption standard (DES)

  43. Encryption Figure 15-17: Private key encryption

  44. Encryption • Public key encryption • Data are encrypted using two keys • Also know as asymmetric encryption • Public-key server • Freely provides provides a list of users’ public keys • Combination of public key and private key is known as key pair

  45. Encryption • Digital certificates • Password-protected and encrypted file holding an individual’s identification information Figure 15-8: Public key encryption

  46. Encryption Figure 15-8: Public key encryption

  47. Kerberos • Cross-platform authentication protocol using key encryption to verify identity of clients and to securely exchange information once a client logs onto a system • The server issuing keys to clients during initial client authentication is known as a key distribution center (KDC) • In order to authenticate a client, KDC runs an authentication service (AS) • An AS issues a ticket (temporary set of credentials) • A kerberos client, or user, is known as a principal

  48. Kerberos • Session key • Issues to both client and service by authentication service that uniquely identifies their session • Authenticator • User’s timestamp encrypted with the session key • Ticket granting service (TGS) • Application separate from AS that also runs on the KDC • TGS issues client a ticket granting ticket (TGT)

  49. PGP and SSL • Pretty Good Privacy (PGP) • Public key encryption system that verifies authenticity of an e-mail sender and encrypts e-mail data in transmission • Secure Sockets Layer (SSL) • Method of encrypting TCP/IP transmissions en route between client and server using public key encryption technology

  50. SSL • HTTP • URL prefix indicating a Web page requires its data to be exchanged between client and server using SSL encryption • SSL session • Association between the client and server identified by an agreement on a specific set of encryption techniques • Handshake protocol • Perhaps the most significant protocol within SSL