Unit 17 – Local Area Network Security BUSINESS IMPACT SECURITY POLICY DEVELOPMENT VIRUS PROTECTION FIREWALLS AUTHENTICATION AND ACCESS CONTROL ENCRYPTION APPLIED SECURITY SCENARIOS GOVERNMENT IMPACT

BUSINESS IMPACT Network security is a business problem. The development and implementation of a sound network security policy must start with strategic business assessment followed by strong management support throughout the policy development and implementation stages. Enterprise network security goals must be set by corporate presidents and/or board of directors.

SECURITY POLICY DEVELOPMENT Security policy development life cycle (SPDLC). Figure 16-1. A cycle because evaluation processes validate the effectiveness of original analysis stages. Security Requirements Assessment Require a structured approach to ensure that all potential user group/information resource combinations have been considered. A network analyst can create a matrix grid mapping all potential user groups against all potential corporate information resources. Refer Figure 16-3. These security processes: Restrictions to information access imposed upon each user group Definition the responsibilities of each user group for security policy implementation and enforcement. It should be reviewed on a periodic basis through ongoing auditing, monitoring, evaluation, and analysis.

Figure 16-1 The Security Policy Development Life Cycle

SECURITY POLICY DEVELOPMENT Scope Definition and Feasibility Studies Define the scope or limitations of the project Feasibility studies gain vital information on the difficulty of the security policy development process as well as the assets (human and financial) required to maintain such a process. Need to decide on the balance between security and productivity. See Figure 16-4. Need to identify those key values that a corporation should be maintained. Five most typical fundamental values of network security policy development: Identification/Authentication: the process of reliably determining the genuine identity of the communicating computer (host) or user. Access Control / Authorization: authenticated users are only allowed to those information and network resources they are supposed to access. Privacy/Confidentiality: ensure tat data is disclosed only to intended recipients. Data Integrity: assure that data are genuine and cannot be changed without proper controls. Non-Repudiation: users cannot deny the occurrence of given events or transactions.

Figure 16-4 Security vs. Productivity Balance

SECURITY POLICY DEVELOPMENT Assets, Threats, Vulnerabilities, and Risks Most security policy development methodologies boil down to the following six major steps: Identify assets Identify threats Identify vulnerabilities Consider the risks Identify risk domains Take protective measures Assets: corporate property of some value that requires varying degrees of protection. Data or Information can be classified: Unclassified or Public Sensitive Confidential Secret Top Secret

SECURITY POLICY DEVELOPMENT Assets, Threats, Vulnerabilities, and Risks Threats: processes or people that pose a potential danger to identified assets. Vulnerabilities: manner or path by which threats are able to attack assets. Risks: probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability. E.g. Intruders or attackers may use social engineering or snooping to obtain user passwords An administrator may incorrectly create or configure user ids, groups, and their associated rights on a file server, resulting in file and login access vulnerabilities Network administrators may overlook security flaws in topology or hardware configuration Network administrators may overlook security flaws in operating system or application configuration; Lack of proper documentation and communication of security policies may lead to deliberate or inadvertent misuse of files or network access; Dishonest or disgruntled employees may abuse the file and access rights they’ve been given; A computer or terminal left logged into the network while its operator goes away may provide an entry point for an intruder; Users or even administrators choose passwords that are easy to guess; Authorized staff may leave computer room doors propped open or unlocked, allowing unauthorized individuals to enter;

SECURITY POLICY DEVELOPMENT Assets, Threats, Vulnerabilities, and Risks Staff may discard disks or backup tapes in “public” waste containers Administrators may neglect to remove access and file rights for employees who have left the organisation. Figure 16-7 shows the relationship between assets, threats, vulnerabilities, risks, and protective measures.

Figure 16-7 Assets, Threats, Vulnerabilities, Risks, and Protective Measures

SECURITY POLICY DEVELOPMENT Attack Strategies Some of common attack strategies as well as potential protective measures: Masquerading : Authentication Eavesdropping: Encryption Man-in-the-Middle-Attack: Digital certificates, digital signatures Address Spoofing: Firewalls Data Diddling: Encrypted message digest Dictionary Attack: Strong passwords, intruder detection Replay Attack: Time stamping or sequence numbering Virus Attack: Virus management policy Trojan Horse Attack: Firewalls Denial of Service Attack: Authentication, service filtering

SECURITY POLICY DEVELOPMENT Management Role and Responsibilities Plan your action to develop and implement a solution. Not to underestimate the labor resources and time requirements necessary to scale up your security analysis to an enterprise-wide security policy development and implementation process. Be sure that all affected user groups are represented on the policy development task force. Potential areas for development of acceptable use policies: Password protection and management, software license, virus protection, internet access, remote access, e-mail, policies regarding penalties/warnings, physical access Policy Implementation Process The policies need the support of executives and managers. Users should also be expected to actively support the implemented acceptable user policies. Security architecture map clearly justified security functional requirements to currently available security technical solution. See Figure 16-13 for the information security architecture.

Figure 16-13 Representative Security Architecture

SECURITY POLICY DEVELOPMENT Auditing Audit and monitor a corporate security policy on a continual basis. Auditing can be automated or manual. Manual audits serve to verify the effectiveness of policy development and implementation Automated audits is able to assess the weaknesses of your network security and security standards, to analyze the network for potential vulnerabilities and make recommendations for corrective action.

VIRUS PROTECTION A comprehensive virus protection plan must combine policy, people, processes and technology in order to be effective. Virus Categories work by infecting other legitimate programs and causing them to become destructive or disrupt the system in some other manner. Use some type of replication method to get the virus to spread and infect other programs, systems, or networks Need some sort of trigger or activation mechanism to set them off. Viruses may remain dormant and undetected for long periods of time. Refer to Figure 16-16 for the major virus categories. Antivirus Strategies Effective antivirus policies and procedures must first focus on the use and checking of all diskettes before pursuing technology-based solutions. Use virus scanning software for detecting virus in collaborative applications to avoid infection/reinfection cycle. Figure 16-18 shows the collaboration software infection/reinfection cycle. Figure16-19 shows virus infection points of attack and protective measures

Figure 16-18 Collaborative Software Infection/Re-infection Cycle

Figure 16-19 Virus Infection Points of Attack and Protective Measures

FIREWALLS Firewall software usually runs on a dedicated server that is connected to, but outside of, the corporate network. Firewalls provide a layer of isolation between the inside network and the outside network. Firewall Architectures Packet Filtering: examines source and destination addresses and determines access based on the entries in a filter table. Packet filter can be breached by hackers known as IP spoofing. Hacker can make a packet appear to come from an authorized or trusted IP address, it can pass through the firewall. Application Gateway filters or Proxies It examine the entire request for data rather than just the source and destination addresses. Secure files can be marked as such and application-level filters will not show those files to be transferred, even to users authorized by port-level filters.

FIREWALLS Dual-homed gateway Trusted gateway See Figure 16-20. Application gateway is physically connected to the private secure network and the packet-filtering router is connected to the nonsecure network. All outside traffic still goes through the application gateway first and then to the information servers. Trusted gateway Certain applications are identified as trusted and are able to bypass the application gateway entirely and are able to establish connections directly rather than executed by proxy. See Figure 16-20.

Figure 16-20 Packet Filters, Application Gateways, Proxies, Trusted Gateways, and Dual- Homed Gateways

AUTHENTICATION AND ACCESS CONTROL Authentication is to ensure that users attempting to gain access to networks are really who they claim to be. Authentication products break down into three overall categories: What you know. Authentication technology that can deliver single sign-on (SSO) access to multiple network attached servers and resources via passwords. What you have. It uses one-time or session passwords or other techniques to authenticate users and validate the authenticity of messages or files. What you are. It validates user based on some physical characteristic. Token Authentication – Smart Cards Token Authentication technology may have multiple forms: Hardware-based Smart Cards In-line authentication device Software token on client PC There are two overall approaches to the token authentication process.

AUTHENTICATION AND ACCESS CONTROL Challenge-response token authentication The user enters an assigned user ID and password at the client workstation. The token authentication server software return a numeric string known as a challenge The challenge number and a personal ID number are entered on the hand-held Smart Card The Smart Card displays a response number on the LCD screen This response number is entered on the client workstation and transmitted back to the token authentication server The token authentication server validates the response against the expected response from this particular user and this particular Smart Card. If the two match, the user is deemed authentic and the login session is enabled. Time synchronous token authentication Every 60 seconds, the time-synchronous Smart Card and the server-based software generate a new access code. The user enters their user ID, a personal ID number, and the access code currently displayed on the Smart Card. The server receives the access code and authenticate the user by comparing the received access code with the expected access code unique to that SmarCard which was generated at the server in time synchronous fashion. See Figure 16-24.

Figure 16-24 Challenge Response vs. Time Synchronous Token Authentication

AUTHENTICATION AND ACCESS CONTROL If the security offered by token authentication is insufficient, biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition or other physical characteristics. Authorization a subset of authentication. While authentication ensures that only legitimate users can log into the network, authorization ensures that these properly authenticated users access only the network resources for which they are properly authorized. the authorization security software can be either server-based (brokered authorization) or workstation-based (trusted node).

ENCRYPTION A security process complimentary rather than mutually exclusive to authentication and authorization. encryption ensures that the contents of the transmission would be meaningless (called ciphertext) if they were intercepted. Encryption must accompanied by decryption, to change the unreadable text back into its original form. Data Encryption Standard (DES) is often used to allow encryption devices manufactured by different manufacturers to interoprate successfully. The DES encryption standard actually includes two parts for greater security method of encrypting data 64 bits at a time a variable 64-bit key (private key) Private key This private key must be known by both the sending and the receiving encryption devices and allows so many unique combination (2 to the 64th power), that unauthorized decryption is nearly impossible.

ENCRYPTION Public key or Public/private key encryption the process actually combines public and private keys. In public key encryption, the sending encryption device encrypts a document using the intended recipient’s public key and the originating party’s private key. This public key is readily available in a public directory. To decrypt the document, the receiving encryption device must be programmed with the recipient’s private key and the sending party’s public key. This method requires only the receiving party to possess their private key and eliminates the need for transmission of private keys. Digital signature encryption appends an encrypted digital signature to the encrypted document as an electronic means of guaranteeing the authenticity of the sending party and assurance that encrypted documents have not been tampered with during transmission. the digital signature is regenerated at the receiving encryption device from the transmitted document and compared to the transmitted digital signature. See Figure 16-26.

Figure 16-26 Private Key Encryption, Public Key Encryption, and Digital Signature Encryption

APPLIED SECURITY SCENARIOS Overall Design Strategies Some general guidelines the would apply to most situations: Install only software and hardware that you really need on your network. Allow only essential traffic into and out of the corporate network Investigate the business case for outsourcing web-hosting services Use routers to filter traffic by IP address Make sure that router operating system software has been patched Identify those information assets that are most critical to the corporation Implement physical security constraints to hinder physical access to critical resrouces such as servers Monitor system activity logs carefully Develop a simple, effective and enforceable security policy and monitor its implementation and effectiveness Consider installing a proxy server or application layer firewall Block incoming DNS queries and requests for zone transfers Don’t publish the corporation’s complete DNS map on DNS servers that are outside the corporate firewall. Disable all TCP ports and services that are not essential

APPLIED SECURITY SCENARIOS Remote Access Security How to manage the activity of all of the remote access users that have logged in via a variety of multi-vendor equipment and authentication technology. Remote authentication dial-in user service (RADIUS) offers the potential to enable centralized management of remote access users and technology. See Figure 16-28. It enables communication between the following three tiers of technology: Remote access devices such as remote access servers and token authentication technology from a variety of vendors, otherwise known as network access servers (NAS) Enterprise database that contains authentication and access control information RADIUS authentication server Users request connections and provide useRIDs and passwords to the network access servers which, in turn, pass the information along to the RADIUS authentication server for authentication approval or denial.

Figure 16-28 Remote Authentication Dial-In User Services (RADIUS) Architecture

APPLIED SECURITY SCENARIOS RADIUS: Allows network manager to centrally manage remote access users, access methods, and logon restriction. Centralized auditing, e.g. keep track of volume of traffic sent and amount of time on-line Enforces remote access limitations, e.g. server access restrictions or on-line time limitation Supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP) and Secure ID token authentication. Transmit passwords in encrypted format only Virtual Private Network Security To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems. Two rival standards are examples of such tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Forwarding (L2F)

APPLIED SECURITY SCENARIOS See Figure 16-29. Two rival specifications currently exist for establishing security over VPN tunnels: IPsec and PPTP.

Figure 16-29 Tunneling Protocols Enable Virtual Private Networks

APPLIED SECURITY SCENARIOS Enterprise Network Security To maintain proper security over a widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from a single, centralised, security management location. These processes are: Single point of registration (SPR) allows a network security manager to enter a new user form a single centralized location and assign all associated rights, privileges and access control to enterprise resources Single sign-on (SSO) allows the user to login to the enterprise network and to be authenticated from their client PC location. Single access control view allows the user’s access from their client workstation to only display those resources that the user actually has access to. Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders.

Government agencies play a major role in the area of network security. GOVERNMENT IMPACT Government agencies play a major role in the area of network security. The primary function of these various government agencies is : Standards-making organizations that set standards for the design, implementation, and certification of security technology and systems **** END ****