Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 7: Network Security Fundamentals
Objectives
List the different types of network security devices and explain how they can be used
Explain how network technologies can enhance security
Describe secure network design elements
Network Security Fundamentals
Once, information security and network security were virtually synonymous
The network was viewed as the protecting wall around which client computers could be kept safe
But this approach is untenable: there are too many entry points that circumvent the network and allow malware to enter:
  Infected USB flash drives
  Malware takes advantage of common network protocols (HTTP) and cannot always be detected or blocked by network security devices
Network Security Posture
Yet a secure network is essential to a comprehensive information security posture:
  Not all applications are designed and written with security and reliability in mind, so it falls to the network to provide protection
  Network-delivered services can scale better for larger environments and can complement server and application functionality
  An attacker who successfully penetrates a computer network may have access to thousands of desktop systems, servers, and storage devices
Network Security Strategy
A secure network defense remains a critical element in any organization’s security plan
Organizations should make network defenses one of the first priorities in protecting information
Network security strategy:
  Network devices
  Network technologies
  Design of the network
Standard Network Devices
The security functions of standard network devices can be used to provide a degree of network security
Network devices can be classified based on their function in the Open Systems Interconnection (OSI) model
  Standards released in 1978, revised in 1983, still used today
  Illustrates:
    How a network device prepares data for delivery
    How data is handled once received
OSI Layers
The OSI model breaks the networking steps into seven layers
Each layer has different networking tasks
Each layer cooperates with its adjacent layers
OSI Reference Model (Table 7-1)
Layer number | Layer name | Description | Function
Layer 7 | Application Layer | The top layer, Application, provides the user interface to allow network services. | Provides services for user applications
Layer 6 | Presentation Layer | The Presentation Layer is concerned with how the data is represented and formatted for the user. | Is used for translation, compression, and encryption
Layer 5 | Session Layer | This layer has the responsibility of permitting the two parties on the network to hold ongoing communications across the network. | Allows devices to establish and manage sessions
Layer 4 | Transport Layer | The Transport Layer is responsible for ensuring that error-free data is given to the user. | Provides connection establishment, management, and termination as well as acknowledgments and retransmissions
Layer 3 | Network Layer | The Network Layer picks the route the packet is to take, and handles the addressing of the packets for delivery. | Makes logical addressing, routing, fragmentation, and reassembly available
Layer 2 | Data Link Layer | The Data Link Layer is responsible for dividing the data into frames. Some additional duties of the Data Link Layer include error detection and correction (for example, if the data is not received properly, the Data Link Layer would request that it be retransmitted). | Performs physical addressing, data framing, and error detection and handling
Layer 1 | Physical Layer | The job of this layer is to send the signal to the network or receive the signal from the network. | Involved with encoding and signaling, and data transmission and reception
Hubs
Hub – Used by early LANs to connect multiple Ethernet devices together so they function as a single network segment
  Works at Layer 1 of the OSI model
  Did not read the data passing through it, so ignorant of data source and destination
  Essentially a multiport repeater
Protocol analyzer – Captures packets to decode and analyze their contents; a hub makes this trivial because every port sees all traffic
Hubs are rarely used today due to this security vulnerability and the increased network traffic they cause
Switches
Switch – Device that connects network devices
  Operates at the Data Link Layer (Layer 2)
  Determines which device is connected to each port
  Can forward frames sent to that specific device or broadcast them to all devices
  Uses the MAC address to identify devices
  Provides better security than a hub by limiting the distribution of frames
Traffic Monitoring
A network administrator monitors network traffic to help identify and troubleshoot network problems
Traffic monitoring methods:
  Port mirroring – Allows the administrator to configure the switch to copy the traffic that occurs on some or all ports to a designated monitoring port on the switch
  Network tap (test access point) – Separate device installed on the network
Port Mirroring (Figure 7-1)
A figure. At the left is a network analyzer connected with a line to a network switch with a mirror port. The switch is connected on one end to the Internet and on the other end to the internal network.
Network Tap (Figure 7-2)
A figure. At the left is a network analyzer connected with a line to a network tap that is connected to the internal network. The tap is connected to a network switch that is connected to the Internet.
Protecting the Switch (Table 7-2)
Type of attack | Description | Security defense
MAC flooding | An attacker can overflow the switch’s address table with fake MAC addresses, forcing it to act like a hub, sending packets to all devices. | Use a switch that can close ports with too many MAC addresses.
MAC address impersonation | If two devices have the same MAC address, a switch may send frames to each device. An attacker can change the MAC address on her device to match the target device’s MAC address. | Configure the switch so that only one port can be assigned per MAC address.
ARP poisoning | The attacker sends a forged ARP packet to the source device, substituting the attacker’s computer MAC address. | Use an ARP detection appliance.
Port mirroring | An attacker connects his device to the switch’s mirror port. | Secure the switch in a locked room.
Network tap | A network tap is connected to the network to intercept frames. | Keep network connections secure by restricting physical access.
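As an added illustration of the first two defenses in Table 7-2 (this is not code from the textbook), the following script audits a constructed snapshot of a switch’s MAC address table for the two conditions the table describes: a port that has learned more addresses than an assumed port-security limit (the MAC flooding indicator) and a single MAC learned on more than one port (the impersonation indicator). The port names, addresses and the limit of 3 are all assumptions.

```python
from collections import defaultdict

# Constructed snapshot of a switch MAC address table as (port, MAC) pairs,
# the kind of data "show mac address-table" prints. All values are made up.
SAMPLE_MAC_TABLE = [
    ("Gi0/1", "00:11:22:33:44:01"),
    ("Gi0/2", "00:11:22:33:44:02"),
    ("Gi0/2", "00:11:22:33:44:03"),   # two hosts behind a small desk switch: normal
    ("Gi0/3", "00:11:22:33:44:02"),   # same MAC as on Gi0/2: impersonation indicator
    ("Gi0/4", "00:11:22:33:44:04"),
    ("Gi0/5", "de:ad:be:ef:00:01"),   # Gi0/5 keeps learning new addresses: flooding
    ("Gi0/5", "de:ad:be:ef:00:02"),
    ("Gi0/5", "de:ad:be:ef:00:03"),
    ("Gi0/5", "de:ad:be:ef:00:04"),
    ("Gi0/5", "de:ad:be:ef:00:05"),
]

# Assumed port-security limit: how many addresses one access port may learn.
MAX_MACS_PER_PORT = 3


def macs_by_port(table):
    """Map each port to the set of MAC addresses learned on it."""
    ports = defaultdict(set)
    for port, mac in table:
        ports[port].add(mac.lower())
    return dict(ports)


def flooded_ports(table, limit=MAX_MACS_PER_PORT):
    """Ports that learned more addresses than the limit (Table 7-2, MAC flooding)."""
    return sorted(port for port, macs in macs_by_port(table).items() if len(macs) > limit)


def duplicated_macs(table):
    """MACs learned on more than one port (Table 7-2, MAC address impersonation)."""
    seen = defaultdict(set)
    for port, mac in table:
        seen[mac.lower()].add(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


def audit(table, limit=MAX_MACS_PER_PORT):
    """Return one finding per problem, in the order Table 7-2 lists the attacks."""
    findings = []
    per_port = macs_by_port(table)
    for port in flooded_ports(table, limit):
        findings.append(f"{port}: {len(per_port[port])} MACs learned, limit is {limit}; "
                        "port security should shut the port")
    for mac, ports in duplicated_macs(table).items():
        findings.append(f"{mac}: learned on {', '.join(ports)}; "
                        "pin the address to a single port")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAC_TABLE):
        print(finding)
```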
Routers
Router – Network device that forwards packets across computer networks
  Operates at the Network Layer (Layer 3)
  Can be set to filter out specific types of network traffic
Load Balancing
Load balancing – Technology to help evenly distribute work across a network
  Allocates requests among multiple devices
Advantages of load-balancing technology:
  Reduces the probability of overloading a single server
  Optimizes the bandwidth of network computers
  Reduces network downtime
Load balancing is achieved through software or a hardware device
Load Balancers
Load balancer – Dedicated hardware device
Often grouped into two categories:
  Layer 4 load balancers – Act upon data found in Network and Transport layer protocols such as Internet Protocol (IP), Transmission Control Protocol (TCP), File Transfer Protocol (FTP), and User Datagram Protocol (UDP)
  Layer 7 load balancers – Distribute requests based on data found in Application layer protocols such as HTTP
Load Balancer Techniques
Layer 4 and Layer 7 load balancers can distribute work in different ways:
  Based on a “round-robin” rotation to all devices equally
  To the devices that have the least number of connections
Layer 7 load balancers can also use HTTP headers, cookies, or data within the application message itself to make the distribution decision
Load Balancer Security
A load balancer has security advantages:
  Because load balancers are generally located between routers and servers, they can detect and stop attacks directed at a server or application
  A load balancer can be used to detect and prevent denial-of-service (DoS) and protocol attacks that could cripple a single server
  Some load balancers can hide HTTP error pages or remove server identification headers from HTTP responses, denying attackers additional information about the internal network
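The two preceding slides describe distribution techniques and the header-scrubbing defense in words; the following Python model is an added example (not code from the textbook or any product) that implements round-robin, least-connections, a Layer 7 cookie decision, and the removal of server identification headers on the way back. The backend names, the SERVERID cookie and the header list are assumptions.

```python
import itertools


class LoadBalancer:
    """Chooses a backend using the techniques the slides describe: round-robin
    and least connections (Layer 4 data) or a cookie in the request (Layer 7)."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._rotation = itertools.cycle(self.backends)
        self.active = {b: 0 for b in self.backends}   # open connections per backend

    def pick_round_robin(self):
        return next(self._rotation)

    def pick_least_connections(self):
        # Ties go to the backend listed first, so the choice is deterministic.
        return min(self.backends, key=lambda b: (self.active[b], self.backends.index(b)))

    def pick_layer7(self, request):
        """Honour a session cookie when present; otherwise use least connections.
        `request` is a dict with "headers" and "cookies" dicts (constructed shape)."""
        sticky = request.get("cookies", {}).get("SERVERID")
        if sticky in self.active:
            return sticky
        return self.pick_least_connections()

    def open_connection(self, backend):
        self.active[backend] += 1

    def close_connection(self, backend):
        self.active[backend] -= 1


# Headers that reveal the software behind the balancer (assumed list).
IDENTIFYING_HEADERS = ("server", "x-powered-by")


def scrub_response(status, headers, body):
    """Strip server identification headers and hide server error pages, as the
    security slide describes; returns the (status, headers, body) to send out."""
    clean = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING_HEADERS}
    if status >= 500:
        body = "Service temporarily unavailable"   # never leak the backend's error page
    return status, clean, body


def round_robin_distribution(backends, n_requests):
    """How n_requests spread over the backends under round-robin."""
    lb = LoadBalancer(backends)
    counts = {b: 0 for b in backends}
    for _ in range(n_requests):
        counts[lb.pick_round_robin()] += 1
    return counts


def least_connections_choice(backends, open_counts):
    """Backend chosen when each backend already has open_counts[backend] connections."""
    lb = LoadBalancer(backends)
    for backend, n in open_counts.items():
        for _ in range(n):
            lb.open_connection(backend)
    return lb.pick_least_connections()


def layer7_choice(backends, request):
    return LoadBalancer(backends).pick_layer7(request)


if __name__ == "__main__":
    pool = ["web1", "web2", "web3"]
    print(round_robin_distribution(pool, 6))
    print(least_connections_choice(pool, {"web1": 2, "web2": 0, "web3": 1}))
    print(layer7_choice(pool, {"headers": {}, "cookies": {"SERVERID": "web3"}}))
    print(scrub_response(500, {"Server": "Apache/2.4.1", "Content-Type": "text/html"},
                         "<html>stack trace from the backend</html>"))
```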
Proxies
Proxy – Person who is authorized to act as a substitute or agent on behalf of another human
Proxy server – Computer or application that intercepts and processes user requests:
  If a previous request has been fulfilled, a copy of the Web page may reside in the proxy server’s cache
  If not, the proxy server requests the item from the external Web server using its own IP address
Application-Aware Proxies
When the proxy server receives the requested item from the web server, the item is then forwarded to the client
Access to proxy servers is configured in the user’s web browser
Application-aware proxy – Special proxy server that “knows” the application protocols that it supports (an FTP proxy server implements the FTP protocol)
Proxy Server (Figure 7-3)
A figure. An internal network with four computers is connected to a switch that is connected to a proxy server. The server is connected to a firewall that is connected to the Internet router that is connected to the Internet.
Configuring Access To Proxy Servers (Figure 7-4)
A screen capture of the proxy settings from Internet Explorer. The proxy address and port fields for HTTP, Secure, FTP and Socks are all blank.
Proxy Advantages
Proxy server advantages:
  Increased speed (requests served from the cache)
  Reduced costs (the cache reduces the bandwidth required)
  Improved management – Block specific Web pages or sites
  Stronger security:
    Intercept malware
    Hide the client system’s IP address from the open Internet
Reverse Proxies
Reverse proxy – Does not serve clients but routes incoming requests to the correct server
  The reverse proxy’s IP address is visible to outside users
  The internal server’s IP address is hidden
Reverse Proxy (Figure 7-5)
A figure. The left computer is labeled IP = 192.146.118.20 and says the user makes a request to get a webpage from 123.org. The next computer is the proxy server, labeled to show that the proxy server replaces the source IP with its own IP. The server connects to the Internet, which connects to a reverse proxy named server 123.org. That server is connected to Web servers 1, 2, and 3.
Network Security Hardware
Specifically designed security hardware devices
  Provide greater protection than standard networking devices
Devices include network firewalls, spam filters, virtual private network concentrators, Internet content filters, Web security gateways, intrusion detection and prevention systems, and Unified Threat Management appliances
Network Firewalls
A host-based application software firewall runs as a program on one client
A hardware-based network firewall is designed to protect an entire network
Both do essentially the same thing: inspect packets and either accept or deny entry
Hardware firewalls are usually located outside the network security perimeter as the first line of defense
Firewall Location (Figure 7-6)
A figure. An internal network with four computers is connected to a switch that is connected to a firewall that is connected to the Internet router that is connected to the Internet.
Network Firewall Filtering
Methods of firewall packet filtering:
  Stateless packet filtering – Inspects each incoming packet and permits or denies it based on conditions set by the administrator
  Stateful packet filtering – Keeps a record of the state of each connection and makes decisions based on the connection as well as the conditions
Network Firewall Actions
Firewall actions:
  Allow – Let the packet pass through and continue on its journey
  Drop – Prevent the packet from passing into the network and send no response to the sender
  Reject – Prevent the packet from passing into the network but send a message to the sender that the destination cannot be reached
  Ask – Inquire what action to take
Rule-Based Firewalls
A rule-based firewall uses a set of individual instructions (firewall rules) to control its actions
Each firewall rule is a separate instruction, processed in sequence
Rules are stored together in one or more text files that are read when the firewall starts
Rule-based firewalls are static in nature and cannot do anything other than what they have been expressly configured to do
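The three preceding slides define stateless versus stateful filtering, the allow/drop/reject actions, and rules processed in sequence. The following Python model is an added example (not code from the textbook) that ties them together: a constructed rule list is evaluated first-match-wins, and the stateful variant additionally remembers allowed connections so that the reply to an outbound HTTPS request is accepted, which the same rules under stateless filtering would drop. Addresses, ports and rules are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow", "drop" or "reject"
    proto: str = "any"
    dport: Optional[int] = None
    src_prefix: str = ""         # "10.0.0." matches every host on that subnet

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and pkt.src.startswith(self.src_prefix))


# Constructed rule set, processed top to bottom like the text file the slide
# describes; the last rule is the default for anything the others did not match.
RULES = [
    Rule("allow", "tcp", 443, "10.0.0."),   # internal hosts may open HTTPS
    Rule("allow", "udp", 53, "10.0.0."),    # and DNS
    Rule("reject", "tcp", 23),              # telnet: tell the sender it is unreachable
    Rule("drop"),                           # everything else is dropped silently
]


def stateless_filter(pkt, rules=RULES):
    """Apply the rules in sequence; the first match decides.
    Returns (action, message sent back to the sender or None)."""
    for rule in rules:
        if rule.matches(pkt):
            msg = "destination unreachable" if rule.action == "reject" else None
            return rule.action, msg
    return "drop", None


class StatefulFilter:
    """Same rules plus a connection table: the reply to a connection that was
    allowed outbound is accepted without needing an inbound rule of its own."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()

    def filter(self, pkt):
        reverse_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse_key in self.connections:
            return "allow", None        # reply to a tracked connection
        action, msg = stateless_filter(pkt, self.rules)
        if action == "allow":
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action, msg


if __name__ == "__main__":
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000)
    print("stateless:", stateless_filter(request), stateless_filter(reply))
    fw = StatefulFilter()
    print("stateful: ", fw.filter(request), fw.filter(reply))
```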
Application-Aware Firewalls
Application-aware firewall (next-generation firewall or NGFW) – More “intelligent” firewall that operates at a higher level
  Identifies the applications that send packets through the firewall and then makes decisions about the application (vs. granular rule settings like destination port or protocol)
Web application firewall – Special type of application-aware firewall that looks at applications using HTTP
Spam Filters
Spam filters – Enterprise-wide spam filters block spam before it reaches the host
Email systems use two protocols:
  Simple Mail Transfer Protocol (SMTP) – Handles outgoing mail
  Post Office Protocol (POP) – Handles incoming mail
Spam Filters On SMTP Server
Spam filter installed with the SMTP server
  The filter is configured to listen on port 25
  It passes non-spam e-mail to the SMTP server, which listens on another port
  This method prevents the SMTP server from notifying the spammer of a failed message delivery
Spam Filter With SMTP Server (Figure 7-7)
A figure. An email sender (Port 25) connects to an SMTP server that connects to the Internet. A line from the Internet connects via Port 25 to a spam filter that connects through Port 26 to the SMTP server. This server connects to a POP3 server that connects to the email receiver via Port 110.
Spam Filters On POP3 Server
Spam filter installed on the POP3 server
  All spam must first pass through the SMTP server and be delivered to the user’s mailbox
  Can result in increased costs of storage, transmission, backup, and deletion
Third-party entity contracted to filter spam
  All email is directed to the third party’s remote spam filter
  Email is cleansed before being redirected to the organization
Spam Filter on POP3 Server (Figure 7-8)
A figure. An email sender (Port 25) connects to an SMTP server that connects to the Internet. A line from the Internet connects via Port 25 to the SMTP server. This server connects to a POP3 server with the spam filter, which connects to the email receiver via Port 110.
Virtual Private Network Concentrators
Virtual private network (VPN) – Uses an unsecured network as if it were secure
  All data transmitted between the remote device and the network is encrypted
Types of VPNs:
  Remote-access VPN – User-to-LAN connection
  Site-to-site VPN – Multiple sites can connect to other sites over the Internet
VPN Endpoints
Endpoints – The ends of the tunnel between VPN devices:
  May be software on a local computer
  May be a VPN concentrator (hardware device)
  May be integrated into another networking device
VPNs can be software-based or hardware-based
  Hardware-based VPNs generally have better security
  Software-based VPNs have more flexibility in managing network traffic
Internet Content Filters
Internet content filters – Monitor Internet traffic and block access to preselected Web sites and files
Unapproved sites can be restricted based on:
  The Uniform Resource Locator (URL filtering)
  Searching for and matching keywords such as sex or hate (content inspection)
  Looking for malware (malware inspection)
Internet Content Filter Features (Table 7-3)
Feature | Description
URL filtering and content inspection | Network administrators can block access to specific websites or allow only specific websites to be accessed while all others are blocked. Blocking can be based on keywords, URL patterns, or lists of prohibited sites.
Malware inspection and filtering | Filters can assess if a webpage contains any malicious elements or exhibits any malicious behavior, and then flag questionable pages with a warning message.
Prohibiting file downloads | Executable programs (.exe), audio or video files (.mp3, .avi, .mpg), and archive files (.zip, .rar) can be blocked.
Profiles | Content-specific websites, such as adult, hacking, and virus-infected websites, can be blocked.
Detailed reporting | Administrators can monitor Internet traffic and identify users who attempt to foil the filters.
Gateways
Web security gateway – Can block malicious content in real time
  Enables a higher level of defense by examining content through application-level filtering
Examples of blocked web traffic:
  ActiveX objects
  Adware, spyware
  Peer-to-peer file sharing
  Script exploits
  TCP/IP malicious code attacks
Intrusion Detection and Prevention
Intrusion detection system (IDS) – Device that can detect an attack as it occurs
  IDS systems can use different methodologies for monitoring for attacks
  An IDS can be installed on either local hosts or networks
An extension of the IDS is the intrusion prevention system (IPS)
Monitoring Methodologies
Anomaly-based monitoring – Compares currently detected behavior with a baseline
Signature-based monitoring – Looks for well-known attack signature patterns
Behavior-based monitoring – Detects abnormal actions by processes or programs and alerts the user, who decides whether to allow or block the activity
Heuristic monitoring – Uses experience-based techniques
Methodology Comparisons To Trap Port Scanning Application (Table 7-4)
Monitoring methodology | Trap application scanning ports? | Comments
Anomaly-based monitoring | Depends | Only if this application has tried to scan previously and a baseline has been established
Signature-based monitoring | Depends | Only if a signature of scanning by this application has been previously created
Behavior-based monitoring | Depends | Only if this action by the application is different from other applications
Heuristic monitoring | Yes | IDS is triggered if any application tries to scan multiple ports
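To make the "Depends" versus "Yes" rows of Table 7-4 concrete, the following Python example (added here; not code from the textbook or any IDS product) runs three of the methodologies over a constructed connection log: signature-based detection fires only on probe patterns written in advance, anomaly-based detection fires only for a source that already has a baseline, and the heuristic fires for any source that touches more than a handful of distinct ports within a short window. The log lines, the flag-pattern signatures, the baseline, and the thresholds of 5 ports in 10 seconds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log: "timestamp src dst dport tcp-flags" ("-" = no flags set).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.8 10.0.0.20 443 S
2024-05-01T10:00:01 10.0.0.7 10.0.0.20 21 S
2024-05-01T10:00:01 10.0.0.7 10.0.0.20 22 S
2024-05-01T10:00:02 10.0.0.7 10.0.0.20 23 S
2024-05-01T10:00:02 10.0.0.7 10.0.0.20 25 S
2024-05-01T10:00:03 10.0.0.7 10.0.0.20 80 S
2024-05-01T10:00:03 10.0.0.7 10.0.0.20 443 S
2024-05-01T10:00:04 10.0.0.8 10.0.0.20 443 S
2024-05-01T10:00:05 10.0.0.9 10.0.0.20 80 FPU
2024-05-01T10:00:09 10.0.0.8 10.0.0.21 443 S
2024-05-01T10:00:30 10.0.0.8 10.0.0.20 80 S
"""


def parse(log):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "flags": "" if flags == "-" else flags})
    return events


# Signature-based (Table 7-4, row 3): fires only on patterns written in advance.
# These are assumed example signatures for two classic malformed-flag probes.
SIGNATURES = {
    "xmas-probe": lambda e: {"F", "P", "U"} <= set(e["flags"]),
    "null-probe": lambda e: e["flags"] == "",
}


def signature_alerts(events):
    return [(e["src"], name) for e in events
            for name, test in SIGNATURES.items() if test(e)]


# Heuristic (Table 7-4, row 5): any source touching many distinct ports quickly.
def heuristic_alerts(events, max_ports=5, window=timedelta(seconds=10)):
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) > max_ports:
                flagged.add(src)
                break
    return flagged


# Anomaly-based (Table 7-4, row 2): needs a baseline of how many distinct ports
# each source normally uses; sources without a baseline cannot be judged.
def anomaly_alerts(events, baseline, tolerance=2):
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {src for src, ps in ports.items()
            if src in baseline and len(ps) > baseline[src] + tolerance}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("signature:", signature_alerts(evs))
    print("heuristic:", heuristic_alerts(evs))
    print("anomaly:  ", anomaly_alerts(evs, {"10.0.0.7": 1, "10.0.0.8": 2}))
```

Note that the scanning source 10.0.0.7 is caught by the heuristic regardless of prior knowledge, but by the signature rule not at all (its probes look like ordinary connection attempts) and by the anomaly rule only because a baseline for it exists.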
Host-Based Intrusion Detection System (HIDS)
Host-based intrusion detection system (HIDS) - A software-based application that runs on a local host computer and can detect an attack as it occurs
A HIDS relies on agents installed directly on the system being protected
Monitors:
System calls
File system access
System registry settings
Host input/output
HIDS Disadvantages
Disadvantages of a HIDS:
Cannot monitor network traffic that does not reach the local system
All log data is stored locally
Resource-intensive and can slow the system
Network Intrusion Detection System (NIDS)
Network intrusion detection system (NIDS) - Watches for attacks on the network
NIDS sensors are installed on firewalls and routers to gather information and report back to a central device
A NIDS may use one or more evaluation techniques
NIDS Evaluation Techniques (Table 7-5)
Technique                          Description
Protocol stack verification        Some attacks use invalid IP, TCP, UDP, or ICMP protocols. A protocol stack verification can identify and flag invalid packets, such as several fragmented IP packets.
Application protocol verification  Some attacks attempt to use invalid protocol behavior or have a telltale signature (such as DNS poisoning). The NIDS will reimplement different application protocols to find a pattern.
Creating extended logs             A NIDS can log unusual events and then make these available to other network logging and monitoring systems.
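Protocol stack verification from Table 7-5 applied to raw IPv4 headers, as an added example that is not from the textbook. build_ipv4 constructs test packets (the 192.168.0.3 and 198.146.118.20 addresses are borrowed from Figure 7-9); verify_ipv4 is the sensor-side check and flags malformed headers and fragments that could never reassemble correctly.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes. Over a header
    whose checksum field is already filled in, a valid result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(payload: bytes, flags=0, frag_offset=0, version=4, total_len=None) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (src 192.168.0.3, dst
    198.146.118.20, UDP) with a correct checksum, followed by payload.
    flags bit 1 = MF (more fragments); total_len overrides the true length."""
    total_len = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, total_len, 0x1234,
                      (flags << 13) | frag_offset, 64, 17, 0,
                      bytes([192, 168, 0, 3]), bytes([198, 146, 118, 20]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def verify_ipv4(packet: bytes) -> list:
    """Protocol stack verification for one IP packet: return the list of
    violations found (an empty list means the header looks valid)."""
    problems = []
    if len(packet) < 20:
        return ["truncated header"]
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", packet[:8])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        problems.append("bad version")
    if ihl < 20 or ihl > len(packet):
        return problems + ["bad header length"]
    if total_len != len(packet):
        problems.append("total length mismatch")
    if ipv4_checksum(packet[:ihl]) != 0:
        problems.append("bad header checksum")
    more_frags = bool(flags_frag & 0x2000)
    frag_bytes = (flags_frag & 0x1FFF) * 8
    data_len = total_len - ihl
    if more_frags or frag_bytes:
        # Reassembly would overflow the 65535-byte datagram limit.
        if frag_bytes + data_len > 65535:
            problems.append("fragment overruns 65535-byte datagram limit")
        # Every fragment but the last must carry a multiple of 8 bytes.
        if more_frags and data_len % 8:
            problems.append("non-final fragment length not multiple of 8")
    return problems
```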
Application-Aware IDS
Once an attack is detected, a NIDS can perform different actions to sound an alarm and log the event
Application-aware IDS - A specialized IDS capable of using “contextual knowledge” in real time
Can know the version of the operating system or which application is running, as well as what vulnerabilities are present in the systems being protected
Improves the speed and accuracy of IDS decisions and reduces the risk of false positives
Intrusion Prevention System (IPS)
Intrusion prevention system (IPS) - Monitors to detect malicious activities like an IDS does, but also attempts to prevent them by stopping the attack
Network intrusion prevention system (NIPS) - Similar to an active NIDS in that it monitors network traffic to immediately react to a malicious attack
NIDS vs. NIPS
The major difference between a NIDS and a NIPS is location:
A NIDS has sensors that monitor traffic entering and leaving the firewall and reports back to a central device for analysis
A NIPS is located “in line” on the firewall itself, which allows it to take action to block an attack more quickly
Application-aware IPS - Knows information such as applications and operating systems so that it can provide a higher degree of accuracy
Unified Threat Management (UTM) Security Appliances
Because different types of network security hardware each provide a different defense, a network may require multiple devices for comprehensive protection
Managing multiple devices is cumbersome
Unified Threat Management (UTM) - A security product that combines several security functions
UTM Functions
UTM functions:
Antispam and antiphishing
Antivirus and antispyware
Bandwidth optimization
Content filtering
Encryption
Firewall
Instant messaging control
Intrusion protection
Web filtering
Security Through Network Technologies
Network technologies can also help to secure a network
Two technologies:
Network address translation
Network access control
Network Address Translation (NAT)
Internet routers normally drop a packet with a private address
Network address translation (NAT) - Allows private IP addresses to be used on the public Internet
Replaces the private IP address with a public address as the packet leaves the network, and vice versa when it returns
Port address translation (PAT) - A variation of NAT in which outgoing packets are given the same public IP address but different TCP port numbers
Network Address Translation (Figure 7-9)
A figure. The computer on the left has IP address 192.168.0.3 and is labeled “1. Packet created on computer with private IP address 192.168.0.3.” It connects to a box showing the original IP address and an alias IP address of 198.146.118.20, labeled “2. NAT replaces IP address with alias.” A line connects the box to the Internet, labeled “3. Packet sent with alias address.”
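The translation in Figure 7-9, extended to PAT so two internal hosts can share the alias 198.146.118.20, as an added example that is not from the textbook. The PatGateway class, the port pool starting at 40000, the second host 192.168.0.4 and the external address 203.0.113.10 are constructed here; the return path shows why an inbound packet with no matching flow is dropped rather than forwarded.

```python
import itertools

PUBLIC_IP = "198.146.118.20"   # the alias address from Figure 7-9

class PatGateway:
    """Port address translation: every private (host, port) talking to an
    external (host, port) is rewritten to PUBLIC_IP plus a unique public port."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.port_pool = itertools.count(first_port)
        self.by_flow = {}   # (src, sport, dst, dport) -> public port
        self.by_port = {}   # public port -> (src, sport, dst, dport)

    def outbound(self, pkt):
        """Packet leaving the private network: replace the source with the alias."""
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.by_flow.get(flow)
        if port is None:                      # first packet of this flow
            port = next(self.port_pool)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return {**pkt, "src": self.public_ip, "sport": port}

    def inbound(self, pkt):
        """Packet arriving from the Internet: translate back to the private host.
        Returns None (drop) when no matching flow exists, so unsolicited inbound
        traffic never reaches an internal address."""
        if pkt["dst"] != self.public_ip:
            return None
        flow = self.by_port.get(pkt["dport"])
        if flow is None:
            return None
        src, sport, dst, dport = flow
        if (pkt["src"], pkt["sport"]) != (dst, dport):  # reply from wrong peer
            return None
        return {**pkt, "dst": src, "dport": sport}

# Constructed traffic: two internal hosts use the same local port to reach
# the same external web server (203.0.113.10 is a documentation address).
EXTERNAL = "203.0.113.10"

def demo():
    gw = PatGateway()
    a = gw.outbound({"src": "192.168.0.3", "sport": 50000, "dst": EXTERNAL, "dport": 80})
    b = gw.outbound({"src": "192.168.0.4", "sport": 50000, "dst": EXTERNAL, "dport": 80})
    reply_b = gw.inbound({"src": EXTERNAL, "sport": 80, "dst": PUBLIC_IP, "dport": b["sport"]})
    probe = gw.inbound({"src": EXTERNAL, "sport": 80, "dst": PUBLIC_IP, "dport": 40002})
    return a, b, reply_b, probe

if __name__ == "__main__":
    for label, pkt in zip(("host .3 out", "host .4 out", "reply to .4", "unsolicited"), demo()):
        print(f"{label:>12}: {pkt}")
```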
NAT Advantages
Advantages of NAT:
Masks the IP addresses of internal devices
Allows multiple devices to share a smaller number of public IP addresses
Network Access Control (NAC)
Network access control (NAC) - Examines the current state of a system or network device before allowing a network connection
The device must meet a set of criteria
If the criteria are not met, NAC allows a connection only to a quarantine network until the deficiencies are corrected
Network Access Control (NAC) Framework (Figure 7-10)
A figure. At the top is the quarantine network, connected to the client computer, which is connected to the Health Registration Authority. This authority is connected to an antivirus server and a patch management server. It is also connected to a network access control network.
1. The client performs a self-assessment using a System Health Agent (SHA) to determine its current security posture.
2. The assessment, known as a Statement of Health (SoH), is sent to a server called the Health Registration Authority (HRA). This server enforces the security policies of the network. It also integrates with other external authorities, such as antivirus and patch management servers, in order to retrieve current configuration information.
3. If the client is approved by the HRA, it is issued a Health Certificate.
4. The Health Certificate is then presented to the network servers to verify that the client’s security condition has been approved.
5. If the client is not approved, it is connected to a quarantine network where the deficiencies are corrected, and then the computer is allowed to connect to the network.
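The HRA's decision in steps 2 through 5 of Figure 7-10, as an added example that is not from the textbook. The Statement of Health fields, the policy pulled from the antivirus and patch servers, the 7-day signature age limit and the patch names are all constructed here; the code shows how one SoH earns a Health Certificate while another is sent to quarantine with an explicit remediation list.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class StatementOfHealth:
    """Constructed SoH as produced by the client's System Health Agent (step 1)."""
    host: str
    antivirus_running: bool
    signature_date: date
    installed_patches: frozenset
    firewall_enabled: bool

@dataclass(frozen=True)
class Policy:
    """What the HRA pulls from the antivirus and patch management servers (step 2)."""
    current_signature_date: date
    required_patches: frozenset
    max_signature_age_days: int = 7

def evaluate(soh: StatementOfHealth, policy: Policy) -> list:
    """Return the list of deficiencies; an empty list means the client is healthy."""
    deficiencies = []
    if not soh.antivirus_running:
        deficiencies.append("antivirus not running")
    age = (policy.current_signature_date - soh.signature_date).days
    if age > policy.max_signature_age_days:
        deficiencies.append(f"antivirus signatures {age} days old")
    missing = policy.required_patches - soh.installed_patches
    if missing:
        deficiencies.append("missing patches: " + ", ".join(sorted(missing)))
    if not soh.firewall_enabled:
        deficiencies.append("host firewall disabled")
    return deficiencies

def admit(soh: StatementOfHealth, policy: Policy) -> dict:
    """Steps 3-5: healthy clients get a Health Certificate and the production
    network; anything else lands on the quarantine network with a fix list."""
    deficiencies = evaluate(soh, policy)
    if not deficiencies:
        return {"network": "production", "certificate": f"HC-{soh.host}", "remediate": []}
    return {"network": "quarantine", "certificate": None, "remediate": deficiencies}

# Constructed policy and clients; patch names are placeholders, not real IDs.
POLICY = Policy(date(2015, 3, 1), frozenset({"patch-A", "patch-B"}))
HEALTHY = StatementOfHealth("laptop-01", True, date(2015, 2, 27),
                            frozenset({"patch-A", "patch-B", "patch-C"}), True)
STALE = StatementOfHealth("laptop-02", True, date(2015, 1, 15),
                          frozenset({"patch-A"}), False)

if __name__ == "__main__":
    for client in (HEALTHY, STALE):
        print(client.host, admit(client, POLICY))
```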
Security Through Network Design Elements
Elements of a secure network design:
Demilitarized zones
Subnetting
Virtual LANs
Remote access
Demilitarized Zone (DMZ)
Demilitarized zone (DMZ) - A separate network located outside the secure network perimeter
Untrusted outside users can access the DMZ but not the secure network
The most secure approach is to have two firewalls
DMZ With One Firewall (Figure 7-11)
A figure. An internal network with four computers is connected to a switch, which is connected to a proxy server, which is connected to a firewall, which is connected to the Internet router, which is connected to the Internet. The firewall is also connected to a DMZ, which in turn is connected to a switch that is connected to a Web server and a mail server.
DMZ With Two Firewalls (Figure 7-12)
A figure. An internal network with four computers is connected to a switch, which is connected to a proxy server, which is connected to a firewall. The firewall is connected to a DMZ, which in turn is connected to a switch that is connected to a Web server and a mail server. The DMZ is also connected to a second firewall that is connected to the Internet router, which is connected to the Internet.
Subnetting
IP addresses are 32-bit (4-byte) addresses with a network address and a host address
Classful addressing - The split between the network and host portions falls on the boundaries between the bytes
Subnetting or subnet addressing - The IP address can be split anywhere within its 32 bits
Instead of just having networks and hosts, networks can essentially be divided into three parts: network, subnet, and host
Subnets (Figure 7-13)
A figure. A computer is connected to subnet 186.98.34.0, which is connected to a router connected to another subnet, 186.98.34.128. This subnet is connected to a router that is then connected to subnet 186.98.33.0.
Subnetting Security
Each network can contain several subnets, and each subnet connected through a different router can contain multiple hosts
Subnets can also improve network security:
A single network can be divided into multiple smaller subnets in order to isolate groups of hosts
Allows network administrators to hide the internal network layout
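The network/subnet/host split and the isolation argument, worked on the subnets of Figure 7-13 with Python's standard ipaddress module, as an added example that is not from the textbook. The figure gives no masks, so /25 for the two 186.98.34.x subnets and /24 for 186.98.33.0 are assumptions made here; the host addresses used are constructed.

```python
import ipaddress

# Constructed assumption: Figure 7-13 shows no masks, so the two 186.98.34.x
# subnets are taken as /25 and 186.98.33.0 as /24.
SUBNETS = [ipaddress.ip_network(s)
           for s in ("186.98.34.0/25", "186.98.34.128/25", "186.98.33.0/24")]

def classful_network_bits(addr: ipaddress.IPv4Address) -> int:
    """Classful split: class A/B/C networks use 8/16/24 network bits."""
    first = addr.packed[0]
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a class A/B/C unicast address")

def three_part_split(host: str, subnet: ipaddress.IPv4Network) -> tuple:
    """Return (network bits, subnet bits, host bits, host number) for a host,
    showing how subnetting splits the classful host portion into subnet + host."""
    addr = ipaddress.ip_address(host)
    if addr not in subnet:
        raise ValueError(f"{host} is not in {subnet}")
    net_bits = classful_network_bits(addr)
    return (net_bits, subnet.prefixlen - net_bits, 32 - subnet.prefixlen,
            int(addr) - int(subnet.network_address))

def find_subnet(host: str, subnets=SUBNETS):
    addr = ipaddress.ip_address(host)
    return next((n for n in subnets if addr in n), None)

def crosses_router(a: str, b: str, subnets=SUBNETS) -> bool:
    """True when two hosts sit on different subnets, so traffic between them
    must pass a router, which is the point where isolation can be enforced."""
    sa, sb = find_subnet(a, subnets), find_subnet(b, subnets)
    if sa is None or sb is None:
        raise ValueError("host is not in any known subnet")
    return sa != sb

def split(network: str, new_prefix: int) -> list:
    """Carve one network into smaller subnets, e.g. a /24 into two /25s."""
    return [str(n) for n in ipaddress.ip_network(network).subnets(new_prefix=new_prefix)]

if __name__ == "__main__":
    print(split("186.98.34.0/24", 25))
    print(three_part_split("186.98.34.200", SUBNETS[1]))
    print(crosses_router("186.98.34.77", "186.98.34.200"))
```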
Virtual LANs (VLAN)
Virtual LAN (VLAN) - Segments a network by separating devices into logical groups
A VLAN allows scattered users to be logically grouped together even though they are physically attached to different switches
Can reduce network traffic and provide a degree of security similar to subnetting
VLANs can be isolated so that sensitive data is transported only to members of the VLAN
Either a switch or a tagging protocol can be used
Remote Workers
Working away from the office is commonplace today:
Telecommuters
Traveling sales representatives
Traveling workers
Strong security for remote workers must be maintained
Transmissions are routed through networks not managed by the organization
Remote Access
Remote access - Any combination of hardware and software that enables remote users to access a local internal network
Remote access provides remote users with the same access and functionality as local users through a VPN or dial-up connection
The service includes support for remote connection and logon, and then displays the same network interface as the normal network