1/28/2010 Network Plus Unit 5 – Section 1 Security.

1/28/2010 Network Plus Unit 5 – Section 1 Security

Identify and Describe Security Risks
People
Transmissions
Protocols
Internet Access

Network+ Guide to Networks, 5th Edition

Risks Associated with People
Half of all security breaches
  – Human errors, ignorance, omissions
Social engineering
  – Strategy to gain password
  – Phishing
    Glean access, authentication information
    Pose as someone needing information

Risks Associated with Transmission and Hardware
Physical, Data Link, Network layer security risks
  – Require more technical sophistication
Risks inherent in network hardware and design
  – Transmission interception
    Man-in-the-middle attack
  – Eavesdropping
    Networks connecting to Internet via leased public lines
  – Sniffing
    Network hubs broadcasting traffic over entire segment

Risks Associated with Transmission and Hardware (cont’d.)
Risks inherent in network hardware and design (cont’d.)
  – Private address availability to outside
    Routers not properly configured to mask internal subnets
  – Port access via port scanner
    Unused hub, switch, router, server ports not secured
  – Router attack
    Routers not configured to drop suspicious packets

Risks Associated with Transmission and Hardware (cont’d.)
Risks inherent in network hardware and design (cont’d.)
  – Security holes
    Modems accept incoming calls
    Dial-in access servers not secured, monitored
  – General public computer access
    Computers hosting sensitive data
  – Insecure passwords
    Easily guessable, default values

Risks Associated with Protocols and Software
Includes Transport, Session, Presentation, and Application layers
Networking protocols and software risks
  – TCP/IP security flaws
  – NOS problems
    Invalid trust relationships
    NOS back doors, security flaws
    NOS allows server operators to exit to command prompt
    Administrators’ default security options left in place

Risks Associated with Internet Access
Common Internet-related security issues
  – Improperly configured firewall
    Outsiders obtain internal IP addresses: IP spoofing
  – Chat session flashing
  – Denial-of-service attack
    Smurf attack: hacker issues flood of broadcast ping messages
  – Telnet or FTP
    Transmit user ID, password in plain text
  – Social media (Facebook, mailing lists, forums)
    Provide hackers user information

Network Security Technology
Router Access Lists
Intruder Detection and Prevention
Firewalls
Proxy Servers

Security in Network Design: Router Access Lists
Control traffic through routers
Router’s main function
  – Examine packets, determine where to send
    Based on Network layer addressing information
ACL (access control list)
  – Known as access list
  – Routers decline to forward certain packets

Router Access Lists (cont’d.)
ACL instructs router
  – Permit or deny traffic according to variables:
    Network layer protocol (IP, ICMP)
    Transport layer protocol (TCP, UDP)
    Source IP address
    Source netmask
    Destination IP address
    Destination netmask
    TCP, UDP port number

Router Access Lists (cont’d.)
Router receives packet, examines packet
  – Refers to ACL for permit, deny criteria
  – Drops packet if characteristics match a statement flagged as deny
Access list statements, for example:
  – Deny all traffic from source addresses matching a given netmask
  – Deny all traffic destined for TCP port 23
Separate ACLs for:
  – Interfaces
  – Inbound and outbound traffic

Intrusion Detection and Prevention
Provides more proactive security measure
  – Detecting suspicious network activity
IDS (intrusion detection system)
  – Software monitoring traffic
    On dedicated IDS device
    On another device performing other functions
  – Port mirroring
    Port configured to send copy of all traffic to another port for monitoring purposes
  – Detects many suspicious traffic patterns
    Denial-of-service, smurf attacks

Intrusion Detection and Prevention (cont’d.)
DMZ (demilitarized zone)
  – Network’s protective perimeter
  – IDS sensors installed at network edges
IDS at DMZ drawback
  – Number of false positives logged
IDS can only detect and log suspicious activity

DMZ
In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. An external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Intrusion Detection and Prevention (cont’d.)
IPS (intrusion-prevention system)
  – Reacts to suspicious activity when alerted
  – Detects threat and prevents traffic from flowing to network
    Based on originating IP address
  – Compared to firewalls
    IPS originally designed as more comprehensive traffic analysis, protection tool
    Differences now diminished

Intrusion Detection and Prevention (cont’d.)
Figure 12-2 Placement of an IDS/IPS on a network

Firewalls
Specialized device or computer installed with specialized software
  – Selectively filters, blocks traffic between networks
  – Involves hardware, software combination
  – Resides
    Between two interconnected private networks
    Between private network and public network (network-based firewall)
Firewall default configuration
  – Blocks most common security threats
    Preconfigured to accept, deny certain traffic types
  – Network administrators often customize settings

Firewalls (cont’d.)
Figure 12-3 Placement of a firewall between a private network and the Internet

Types of Firewalls
Packet-filtering firewall (screening firewall)
  – Simplest firewall
  – Blocks traffic into LAN
    Examines header
    Checks for IP address, port number, IP header flags
  – Blocks traffic attempting to exit LAN
    Stops spread of worms
    Stops zombie programs/spyware
Port blocking
  – Based on TCP or UDP port numbers
  – Prevents connection to and transmission completion through ports

Firewall Configuration
Common packet-filtering firewall criteria
  – Source, destination IP addresses
  – Source, destination ports
  – Flags set in the IP header
  – Transmissions using UDP or ICMP protocols
  – Packet’s status as first packet in new data stream, or subsequent packet
  – Packet’s status as inbound to, or outbound from, private network
  – Logging, auditing capabilities
  – Protect internal LAN’s address identity
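As an added example (not from the slides or the textbook), the router ACL and packet-filtering criteria above can be modelled as an ordered list of permit/deny statements evaluated first-match with an implicit deny at the end, kept separately for inbound and outbound traffic. All addresses, rules and packets below are constructed sample data.

```python
"""Added example: a first-match packet filter using the ACL criteria listed
above. All addresses, rules and packets are constructed, not from a real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source IP address
    dst: str                     # destination IP address
    dport: Optional[int] = None  # TCP/UDP destination port (None for ICMP)
    new_stream: bool = True      # first packet of a new stream (TCP SYN without ACK)?


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # source address + netmask, CIDR form
    dst: str = "0.0.0.0/0"       # destination address + netmask, CIDR form
    dport: Optional[int] = None  # None = any port
    new_stream: Optional[bool] = None  # None = do not care

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.new_stream is None or self.new_stream == pkt.new_stream))


def evaluate(acl: list, pkt: Packet) -> str:
    """Router behaviour from the slides: walk the list in order and act on the
    first matching statement; a packet no statement permits is dropped."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"                # implicit deny at the end of every ACL


# Separate ACLs per direction (the slides note one per interface as well).
# Constructed: 192.168.1.0/24 is the private LAN, 203.0.113.10 a public web server.
INBOUND_ACL = [
    Rule("deny", src="192.168.1.0/24"),             # internal source arriving from outside: spoofed
    Rule("deny", proto="tcp", dport=23),            # "deny all traffic destined for TCP port 23"
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=443),  # HTTPS to the public server
    Rule("permit", proto="tcp", new_stream=False),  # replies to streams opened from inside
]
OUTBOUND_ACL = [
    Rule("deny", proto="tcp", dport=23),            # no clear-text Telnet leaving the LAN either
    Rule("permit", src="192.168.1.0/24"),           # anything else from the LAN may leave
]


if __name__ == "__main__":
    for acl, pkt in [
        (INBOUND_ACL, Packet("tcp", "198.51.100.7", "203.0.113.10", 443)),   # permit
        (INBOUND_ACL, Packet("tcp", "198.51.100.7", "192.168.1.5", 23)),     # deny: port 23
        (INBOUND_ACL, Packet("tcp", "192.168.1.9", "203.0.113.10", 443)),    # deny: spoofed source
        (INBOUND_ACL, Packet("udp", "198.51.100.7", "192.168.1.5", 53)),     # deny: nothing matched
        (OUTBOUND_ACL, Packet("tcp", "192.168.1.5", "198.51.100.7", 443)),   # permit
    ]:
        print(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {evaluate(acl, pkt)}")
```

Rule order matters: moving the port-443 permit above the spoofed-source deny would let a packet with a forged internal source reach the web server, which is the misconfiguration the "improperly configured firewall" slide warns about.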

Firewall Functions
Firewall may have more complex functions
  – Encryption
  – User authentication
  – Central management
  – Easy rule establishment
  – Filtering
    Content-filtering firewalls
    Stateful firewall: monitors data stream from end to end
    Stateless firewall: blocks individual packets

Proxy Servers
Proxy service
  – Network host software application
    Intermediary between external, internal networks
    Screens all incoming and outgoing traffic
Proxy server
  – Network host running proxy service
  – Also called application layer gateway, application gateway, or proxy
  – Manages security at Application layer

Proxy Server Functions
Security
  – Prevents outside world from discovering internal network addresses
Improves performance
  – Caching files

Proxy Servers (cont’d.)
Figure 12-5 A proxy server used on a WAN

NOS (Network Operating System) Security
Restrict user authorization
  – Centralized administration
    Active Directory
  – Secure access to server files and directories
  – Public rights
    Conferred to all users
    Very limited
  – Keep software updated with latest patches
  – Provide strong policies for passwords and logon restrictions

Logon Restrictions
Additional restrictions
  – Time of day
  – Total time logged on
  – Source address
  – Unsuccessful logon attempts
Secure password

Password Tips
Change system default passwords
Do not use familiar information or dictionary words
  – Dictionary attack
Use long passwords
  – Letters, numbers, special characters
Do not write down or share
Change frequently
Do not reuse
Use different passwords for different applications

Encryption
Use of keys to scramble data to prevent eavesdropping
Symmetric vs. asymmetric keys
Encryption systems

Encryption
Use of algorithm
  – Scramble data
    Format read by algorithm reversal (decryption)
Purpose
  – Information privacy
Key encryption
  – Based on number of bits
  – Strength of encryption doubles with each bit

Key Encryption
Figure 12-6 Key encryption and decryption

Private (Symmetric) Key Encryption
Data encrypted using single key
  – Known by sender and receiver
Symmetric encryption
  – Same key used during both encryption and decryption
DES (Data Encryption Standard)
  – Most popular private key encryption
  – IBM developed (1970s)
  – 56-bit key: secure at the time
Triple DES
  – Weaves 56-bit key three times

Symmetric Key Encryption

Private Key Encryption
AES (Advanced Encryption Standard)
  – Weaves 128, 160, 192, 256 bit keys through data multiple times
  – Uses Rijndael algorithm
    More secure than DES
    Much faster than Triple DES
  – Replaced DES in high security level situations
Private key encryption drawback
  – Sender must somehow share key with recipient

Public (Asymmetric) Key Encryption
Data encrypted using two keys
  – Private key: user knows
  – Public key: anyone may request
Public key server
  – Publicly accessible host
  – Freely provides users’ public keys
Key pair
  – Combination of public key and private key
Asymmetric encryption
  – Requires two different keys

Figure 12-8 Public key encryption

Public Key Encryption
PKI (Public Key Infrastructure)
RC4
  – Key up to 2048 bits long
  – Highly secure, fast
  – Used by e-mail and browser programs: Lotus Notes, Netscape
Digital certificate
  – Password-protected, encrypted file
  – Holds identification information
    Public key
CA (certificate authority)
  – Issues, maintains digital certificates
  – Example: VeriSign

Data Encryption Systems
Pretty Good Privacy (PGP)
  – Used with Secure Sockets Layer (SSL)
  – Used with HTTPS
Secure Shell (SSH)
  – Replaces Telnet; uses SSL
Secure Copy (SCP)
  – Replaces FTP; uses SSL
IP Security (IPSec)
  – Used at Network layer with VPNs

PGP (Pretty Good Privacy)
Secures transmissions
Developed by Phil Zimmermann (1990s)
Public key encryption system
  – Verifies sender authenticity
  – Encrypts data in transmission
Administered at MIT
Freely available
  – Open source and proprietary
Also used to encrypt storage device data

SSL (Secure Sockets Layer)
Encrypts TCP/IP transmissions
  – Web pages, data entered into Web forms
    En route between client and server
  – Using public key encryption technology
Web pages using HTTPS
  – HTTP over Secure Sockets Layer, HTTP Secure
  – Data transferred from server to client (and vice versa) using SSL encryption
  – HTTPS uses TCP port 443
Used by SSL VPNs

SSL (cont’d.)
SSL session
  – Association between client and server
    Specific set of encryption techniques
  – Created by SSL handshake protocol
    Allows client and server to authenticate
SSL
  – Netscape originally developed
  – IETF attempted to standardize
    TLS (Transport Layer Security) protocol

HTTPS
Based on SSL
  – Presentation layer encryption
Uses port 443
Browser may show padlock symbol or green color

SSH (Secure Shell)
Collection of protocols
Provides Telnet capabilities with security
Guards against security threats
  – Unauthorized host access
  – IP spoofing
  – Interception of data in transit
  – DNS spoofing
Encryption algorithm (depends on version)
  – DES, Triple DES, RSA, Kerberos

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
Part of SSH, which runs on port 22
SCP (Secure CoPy) utility
  – Extension to OpenSSH
  – Allows copying of files from one host to another securely
  – Replaces insecure file copy protocols (FTP)
    FTP does not encrypt user names, passwords, or data
Proprietary SSH version (SSH Communications Security)
  – Requires SFTP (Secure File Transfer Protocol) to copy files
    Slightly different from SCP (does more than copy files)

IPSec (Internet Protocol Security)
Defines encryption, authentication, key management
  – Works at Network layer for TCP/IP transmissions
Native IPv6 standard
Difference from other methods
  – Encrypts data by adding security information to all IP packet headers
  – Transforms data packets
Operates at Network layer (Layer 3)
Used by L2TP VPN connections

IPSec (cont’d.)
Figure 12-9 Placement of a VPN concentrator on a WAN

Network Authentication
Allows a user to log in to a server or service without revealing the user’s password to packet sniffers
Requires some form of encryption
Secure login systems

Authentication Protocols
Authentication
  – Process of verifying a user’s credentials
    Grants user access to secured resources
Authentication protocols
  – Rules computers follow to accomplish authentication
Several authentication protocol types
  – RADIUS/TACACS
  – PAP
  – CHAP
  – EAP and 802.1x (EAPoL)
  – Kerberos

RADIUS and TACACS
RADIUS provides centralized network authentication, accounting for multiple users
  – Defined by IETF
  – Runs over UDP
RADIUS server
  – Central authentication of users
  – Does not replace functions performed by remote access server
TACACS (Terminal Access Controller Access Control System)
  – Similar, earlier centralized authentication version

RADIUS and TACACS (cont’d.)
Figure A RADIUS server providing centralized authentication

PAP (Password Authentication Protocol)
PAP authentication protocol
  – Operates over PPP
  – Simple two-step authentication process
  – Not secure
    Sends client’s credentials in clear text
    Subject to eavesdropping and packet sniffing

PAP (cont’d.)
Figure Two-step authentication used in PAP

CHAP
Operates over PPP and encrypts user names, passwords
  – Password never transmitted alone
  – Password never transmitted in clear text
Uses three-way handshake
Figure Three-way handshake used in CHAP

MS-CHAP (cont’d.)
MS-CHAP (Microsoft Challenge Authentication Protocol)
  – Similar authentication protocol
    Windows-based computers
Potential CHAP, MS-CHAP authentication flaw
  – Eavesdropping could capture character string encrypted with password, then decrypt
Solution
  – MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
  – Uses stronger encryption
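The PAP and CHAP slides above can be made concrete by simulating both exchanges and checking what a packet sniffer on the link actually captures. This is an added example, not code from the slides or the textbook; the CHAP response is computed as in RFC 1994 (MD5 over identifier, secret and challenge), framing is simplified, and the user name and secret are constructed.

```python
"""Added example: what a sniffer on a PPP link sees under PAP versus CHAP.
Framing is simplified; user names and secrets are constructed."""
import hashlib
import hmac
import os

SECRET_DB = {"alice": b"correct horse"}   # constructed: secret shared with the server


# --- PAP: two steps, credentials travel in the clear -------------------------
def pap_request(user: str, password: bytes) -> bytes:
    """Authenticate-Request as it appears on the wire."""
    return b"PAP-REQ " + user.encode() + b":" + password


def pap_verify(wire: bytes) -> bool:
    _, creds = wire.split(b" ", 1)
    user, password = creds.split(b":", 1)
    return SECRET_DB.get(user.decode()) == password


# --- CHAP: three-way handshake, the secret never leaves either host ----------
def chap_challenge(ident: int = 1) -> tuple:
    """Step 1: server sends a fresh random challenge with an identifier."""
    return ident, os.urandom(16)


def chap_response(ident: int, challenge: bytes, user: str, secret: bytes) -> bytes:
    """Step 2: client returns MD5(identifier || secret || challenge) plus its name."""
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return b"CHAP-RESP " + bytes([ident]) + digest + b" " + user.encode()


def chap_verify(ident: int, challenge: bytes, wire: bytes) -> bool:
    """Step 3: server recomputes the hash with its own copy of the secret."""
    _, body = wire.split(b" ", 1)
    resp_id, digest, user = body[0], body[1:17], body[18:].decode()
    secret = SECRET_DB.get(user)
    if secret is None or resp_id != ident:
        return False
    expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(expected, digest)


def sniffer_sees_password(wire: bytes, password: bytes) -> bool:
    """Can an eavesdropper read the password directly off the captured frame?"""
    return password in wire


def demo() -> dict:
    pw = SECRET_DB["alice"]
    pap_wire = pap_request("alice", pw)
    ident, chal = chap_challenge()
    chap_wire = chap_response(ident, chal, "alice", pw)
    # Replaying a captured response against a later, fresh challenge fails.
    _, fresh_chal = chap_challenge(ident)
    return {
        "pap_ok": pap_verify(pap_wire),
        "pap_leaks_password": sniffer_sees_password(pap_wire, pw),
        "chap_ok": chap_verify(ident, chal, chap_wire),
        "chap_leaks_password": sniffer_sees_password(chap_wire, pw),
        "chap_replay_ok": chap_verify(ident, fresh_chal, chap_wire),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

The captured challenge and digest are still the "character string encrypted with password" the slide mentions, so a weak secret remains exposed to offline guessing; that is the gap MS-CHAPv2 and the password tips earlier in the deck address.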

CHAP and MS-CHAP (cont’d.)
Figure Windows Vista Advanced Security Settings dialog box

EAP (Extensible Authentication Protocol)
Another authentication protocol
  – Part of PPP suite
  – Authorizes client and server
  – Provides process to verify client and server credentials
Works with other encryption, authentication schemes
Requires authenticator to initiate authentication process
  – Asks connected computer to verify itself
EAP’s advantages:
  – Flexibility
  – Works with bio-recognition devices

802.1x (EAPoL)
Codified by IEEE
  – Specifies use of one of many authentication methods plus EAP
    Grants access to, and dynamically generates and updates authentication keys for, transmissions to a particular port
Primarily used with wireless networks
  – Originally designed for wired LAN
EAPoL (EAP over LAN)
  – Only defines process for authentication
  – Commonly used with RADIUS authentication
  – Also called port-based authentication

802.1x (EAPoL) (cont’d.)
Figure 802.1x authentication process

Kerberos
Cross-platform authentication protocol
  – Uses private key encryption service called AS
    Verifies client identity
    Securely exchanges information after client logs on
Terms
  – KDC (Key Distribution Center): issues key to client
  – AS (authentication service)
  – Ticket: used to prove identity of user has been validated
  – Principal
Ticket Granting Service (TGS)
  – Issues tickets to client

Kerberos TGS
Original process
  – Kerberos AS issued separate ticket for each service accessed by client
Ticket-Granting Service (TGS) added
  – AS issues Ticket-Granting Ticket (TGT)
  – TGT is used by client to get ticket from TGS for each service

Wireless Security Options

Wireless Network Security
Wireless susceptible to eavesdropping
  – War driving
    Effective for obtaining private information
Forms of wireless encryption
  – WEP
  – 802.11i
    Uses EAPoL
  – WPA
  – WPA2
    Based on 802.11i

WEP (Wired Equivalent Privacy)
802.11 standard security
  – None by default
  – SSID: only item required
WEP
  – Requires authentication to access WAP
  – Uses a single private key for entire session
  – Encrypts data in transit
  – Keys may be “cracked” using software
    No longer considered secure from eavesdropping or packet sniffing

Figure Entering a WEP key in the Windows XP wireless network properties dialog box

IEEE 802.11i and WPA (Wi-Fi Protected Access)
802.11i uses 802.1x (EAPoL)
  – Authenticates devices
  – Dynamically assigns every transmission its own key
    Relies on TKIP
      Encryption key generation, management scheme
  – Uses AES encryption

WPA and WPA2
WPA (Wi-Fi Protected Access)
  – Subset of 802.11i
  – Same authentication as 802.11i
  – Uses RC4 encryption
  – Has been cracked
WPA2
  – Follows 802.11i
  – Uses AES security
  – Replaces WPA

Setting Wireless Security

The End