Network+ Guide to Networks, Fourth Edition


Presentation Transcript


  1. Network+ Guide to Networks, Fourth Edition Chapter 14 Network Security

  2. Security Audits
     • Every organization should assess security risks by conducting a security audit
     • Thorough examination of each aspect of network to determine how it might be compromised
     • At least annually, preferably quarterly
     • The more devastating a threat’s effects and the more likely it is to happen, the more rigorously your security measures should address it
     • In-house or third-party audits
     Network+ Guide to Networks, 4e

  3. Security Risks
     • Not all security breaches result from manipulation of network technology
     • Staff members purposely or inadvertently reveal passwords
     • Undeveloped security policies
     • Malicious and determined intruders may “cascade” their techniques

  4. Risks Associated with People
     • Human errors, ignorance, and omissions cause majority of security breaches
     • Risks associated with people:
     • Social engineering or snooping to obtain passwords
     • Incorrectly creating or configuring user IDs, groups, and their associated rights on file server
     • Overlooking security flaws in topology or hardware configuration
     • Overlooking security flaws in OS or application configuration
     • Lack of documentation and communication

  5. Risks Associated with Transmission and Hardware
     • Risks inherent in network hardware and design:
     • Transmissions can be intercepted
     • Networks using leased public lines vulnerable to eavesdropping
     • Network hubs broadcast traffic over entire segment
     • Unused hub, router, or server ports can be exploited and accessed by hackers
     • Not properly configuring routers to mask internal subnets

  6. Risks Associated with Protocols and Software
     • Networked software only as secure as it is configured to be
     • Risks pertaining to networking protocols and software:
     • TCP/IP contains several security flaws
     • Trust relationships between one server and another may allow hackers to access entire network
     • NOSs may contain “back doors” or security flaws allowing unauthorized access to system

  7. Risks Associated with Internet Access
     • Common Internet-related security issues:
     • Firewall may not be adequate protection, if not configured properly
     • IP spoofing
     • When user Telnets or FTPs to site over Internet, user ID and password transmitted in plain text
     • Hackers may obtain information about user IDs from newsgroups, mailing lists, forms filled out on Web
     • Flashing
     • Denial-of-service attack

  8. An Effective Security Policy
     • Security policy identifies security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for team members, responsibilities for each employee
     • Specifies how to address security breaches
     • Should not state exact hardware, software, architecture, or protocols used to ensure security
     • Nor how hardware or software will be installed and configured
     • Details change occasionally

  9. Physical Security
     • Restrict physical access to components
     • Computer room, hubs, routers, switches, etc.
     • Locks may be physical or electronic
     • Electronic access badges
     • Numeric key codes
     • Bio-recognition access
     • Closed-circuit TV systems
     • Most important way to ensure physical security is to plan for it

  10. Physical Security (continued)
     Figure 14-1: Badge access security system

  11. Security in Network Design: Firewalls
     • Selectively filter or block traffic between networks
     • Hardware-based, software-based, or combination
     • Packet-filtering firewall examines header of every packet of data received
     • Common filtering criteria:
     • IP addresses
     • Ports
     • Flags set in IP header
     • Transmissions that use UDP or ICMP
     • First packet in new data stream?
     • Inbound or outbound?
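
The filtering criteria on slide 11, applied as a first-match rule list with a default deny. This is an added example, not material from the textbook or the slides; the `Packet` and `Rule` types, the rule set and the addresses are constructed for illustration, and "first packet in new data stream" is modelled as a TCP segment with SYN set and ACK clear.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:               # header fields only; a packet filter never reads payload
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:                 # None means "any" for that criterion
    action: str             # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dport: Optional[int] = None
    new_stream: Optional[bool] = None   # True: SYN set and ACK clear

    def matches(self, p: Packet) -> bool:
        return all([
            self.direction is None or self.direction == p.direction,
            self.proto is None or self.proto == p.proto,
            self.src_net is None or ip_address(p.src) in ip_network(self.src_net),
            self.dport is None or self.dport == p.dport,
            self.new_stream is None or self.new_stream == (p.syn and not p.ack),
        ])

def decide(rules, packet):
    """First matching rule wins; anything left unmatched is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

# Constructed policy for a network numbered 10.0.0.0/8 that publishes HTTPS.
RULES = [
    Rule("allow", direction="out"),
    Rule("deny", direction="in", src_net="10.0.0.0/8"),   # internal source arriving from outside
    Rule("deny", direction="in", proto="icmp"),
    Rule("deny", direction="in", proto="udp"),
    Rule("allow", direction="in", proto="tcp", dport=443),
    Rule("allow", direction="in", proto="tcp", new_stream=False),  # replies to internal clients
]
```

The last rule shows the limit of header-only filtering: it admits any inbound segment that does not look like a new stream, without knowing whether an internal client actually opened that connection.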

  12. Proxy Servers
     • Proxy service: software that acts as intermediary between external and internal networks
     • Screen all incoming and outgoing traffic
     • Manage security at Application layer
     • May be combined with firewall for greater security
     • Improve performance for users accessing resources external to network by caching files

  13. Proxy Servers (continued)
     Figure 14-4: A proxy server used on a WAN

  14. Remote Access
     • Must remember that any entry point to a LAN or WAN creates potential security risk
     • Remote control:
     • Can present serious security risks
     • Most remote control software programs offer features that increase security
     • Desirable security features:
     • User name and password requirement
     • Ability of host system to call back
     • Support for data encryption

  15. Remote Access (continued)
     • Remote control (continued):
     • Desirable security features (continued):
     • Ability to leave host system’s screen blank while remote user works
     • Ability to disable host system’s keyboard and mouse
     • Ability to restart host system when remote user disconnects

  16. Remote Access (continued)
     • Dial-up networking
     • Effectively turns remote workstation into node on network
     • Secure remote access server package should include at least:
     • User name and password authentication
     • Ability to log all dial-up connections, their sources, and their connection times
     • Ability to perform callbacks to users
     • Centralized management of dial-up users and their rights on network

  17. Network Operating System Security
     • Regardless of NOS, can implement basic security by restricting what users authorized to do
     • Limit public rights
     • Administrators should group users according to security levels

  18. Logon Restrictions
     • Additional restrictions that network administrators can use to strengthen security of network:
     • Time of day
     • Total time logged on
     • Source address
     • Unsuccessful logon attempts

  19. Passwords
     • Tips for making and keeping passwords secure:
     • Always change system default passwords
     • Do not use familiar information
     • Do not use dictionary words
     • Make password longer than eight characters
     • Choose combination of letters and numbers
     • Do not write down or share passwords
     • Change password at least every 60 days
     • Do not reuse passwords

  20. Encryption
     • Use of algorithm to scramble data into format that can be read only by reversing the algorithm
     • Encryption provides following assurances:
     • Data not modified after sender transmitted it and before receiver picked it up
     • Data can only be viewed by intended recipient
     • All data received at intended destination truly issued by stated sender and not forged by an intruder

  21. Private Key Encryption
     • Data encrypted using single key that only sender and receiver know
     • Data Encryption Standard (DES): 56-bit key
     • Triple DES (3DES): weaves 56-bit key through data three times
     • Advanced Encryption Standard (AES): weaves 128-, 160-, 192-, or 256-bit keys through data multiple times
     • Used in military communication
     • Sender must share key with recipient

  22. Private Key Encryption (continued)
     Figure 14-6: Private key encryption

  23. Public Key Encryption
     • Data encrypted using two keys:
     • Private key
     • Public key associated with user
     • Public key server: publicly accessible host that freely provides list of users’ public keys
     • Key pair: combination of public key/private key
     • Public keys more vulnerable than private keys
     • Use longer keys
     • RSA: most popular public key algorithm
     • Digital certificate: password-protected, encrypted file that holds identification information

  24. PGP (Pretty Good Privacy)
     • Typical e-mail communication is highly insecure
     • PGP: public key encryption system that can verify authenticity of an e-mail sender and encrypt e-mail data in transmission
     • Freely available
     • Most popular tool for encrypting e-mail
     • Can be used to encrypt data on storage devices or with applications other than e-mail

  25. SSL (Secure Sockets Layer)
     • Method of encrypting TCP/IP transmissions en route between client and server
     • Public key encryption
     • HTTPS (HTTP over Secure Sockets Layer): uses TCP port 443, rather than port 80
     • SSL session: association between client and server defined by agreement on specific set of encryption techniques
     • Created by SSL handshake protocol
     • IETF has attempted to standardize SSL with Transport Layer Security (TLS)

  26. IPSec (Internet Protocol Security)
     • Defines encryption, authentication, and key management for TCP/IP transmissions
     • Encrypts data by adding security information to header of IP packets
     • Operates at Network layer
     • Accomplishes authentication in two phases:
     • Key management: Internet Key Exchange (IKE)
     • Encryption: authentication header (AH) or Encapsulating Security Payload (ESP)
     • Can be used with any type of TCP/IP transmission

  27. PAP (Password Authentication Protocol)
     • Authentication protocol that works over PPP
     • Simple, not very secure
     • Does not protect against possibility of malicious intruder attempting to guess user’s password through brute force attack
     Figure 14-9: Two-step authentication used in PAP

  28. CHAP and MS-CHAP
     • Challenge Handshake Authentication Protocol (CHAP): operates over PPP
     • Encrypts user names and passwords
     • Three-way handshake
     • Password never transmitted alone or as clear text
     • Microsoft Challenge Authentication Protocol (MS-CHAP): similar to CHAP
     • Used on Windows systems
     • MS-CHAPv2 uses stronger encryption
     • Mutual authentication: both computers verify credentials of the other

  29. CHAP and MS-CHAP (continued)
     Figure 14-10: Three-way handshake used in CHAP
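
The three-way handshake from slides 28 and 29, with both sides' messages, using the response value defined for CHAP in RFC 1994 (MD5 over the identifier octet, the shared secret and the challenge). This is an added example, not material from the textbook or the slides; the `Authenticator` class, the peer name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier octet || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side of the handshake. `secrets` maps peer name -> shared secret."""
    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}            # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Step 1: send a fresh random challenge under a new identifier."""
        ident, self.next_id = self.next_id, (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def verify(self, ident, name, response):
        """Step 3: recompute the hash locally and report success or failure."""
        challenge = self.pending.pop(ident, None)   # each challenge is single-use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)

def demo():
    secret = b"constructed-shared-secret"           # sample value, not from the page
    server = Authenticator({"alice": secret})
    ident, chal = server.challenge()                 # 1. Challenge
    resp = chap_response(ident, secret, chal)        # 2. Response, computed by the peer
    wire = bytes([ident]) + chal + b"alice" + resp   # everything sent over the link
    ok = server.verify(ident, "alice", resp)         # 3. Success or Failure
    ident2, _ = server.challenge()
    replay_ok = server.verify(ident2, "alice", resp)     # old response, new challenge
    ident3, chal3 = server.challenge()
    wrong_ok = server.verify(ident3, "alice", chap_response(ident3, b"guess", chal3))
    return {"ok": ok, "replay_ok": replay_ok, "wrong_ok": wrong_ok,
            "secret_on_wire": secret in wire}

if __name__ == "__main__":
    print(demo())
```

The secret never crosses the link and a recorded response fails against the next challenge, but both ends must hold the secret in recoverable form, so the password guidance on slide 19 still applies to it.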

  30. EAP (Extensible Authentication Protocol)
     • Another extension to PPP protocol suite
     • Does not perform encryption or authentication
     • Requires authenticator to initiate authentication process by asking connected computer to verify itself
     • Flexible: supported by most OSs and can be used with any authentication method
     • Works with biorecognition and wireless protocols

  31. Kerberos
     • Cross-platform authentication protocol
     • Uses key encryption to verify identity of clients and to securely exchange information
     • Significant advantages over NOS authentication
     • Does not automatically trust clients
     • Requires client to prove identity through third party
     • Key Distribution Center (KDC): server that issues keys
     • Authentication service (AS): authenticates a principal
     • Issues a ticket

  32. Wireless Network Security: WEP (Wired Equivalent Privacy)
     • Wireless transmissions susceptible to eavesdropping
     • War driving
     • By default, 802.11 standard does not offer security
     • Allows for optional encryption using WEP
     • Uses keys to authenticate network clients and encrypt data in transit
     • Network key
     • On Windows XP, network key can be saved as part of wireless connection’s properties
     • Current versions of WEP allow 28-bit network keys

  33. IEEE 802.11i and WPA (Wi-Fi Protected Access)
     • Uses EAP with strong encryption scheme
     • Dynamically assigns every transmission own key
     • Logging on to wireless network more complex than with WEP
     • AP acts as proxy between remote access server and station until station successfully authenticates
     • Requires mutual authentication
     • After authentication, remote access server instructs AP to allow traffic from client into network
     • Client and server agree on encryption key

  34. IEEE 802.11i and WPA (continued)
     • 802.11i specifies AES encryption method
     • Mixes each packet in data stream with different key
     • WPA: subset of 802.11i standard
     • Main difference from 802.11i is that WPA specifies RC4 encryption rather than AES
