ITEC 275 Computer Networks – Switching, Routing, and WANs

Presentation on theme: "ITEC 275 Computer Networks – Switching, Routing, and WANs"— Presentation transcript:

1 ITEC 275 Computer Networks – Switching, Routing, and WANs
Week 8 Professor Robert D’Andrea Fall 2017

2 Agenda
Review most troubling midterm exam questions
Learning Activities: Security Threats and Risks; Security Policy; IPsec; Security Mechanisms; Wireless Security; SNMP

3 Network Security Design: The 12 Step Program
1. Identify network assets
2. Analyze security risks
3. Analyze security requirements and tradeoffs
4. Develop a security plan
5. Define a security policy
6. Develop procedures for applying security policies
The first three steps were covered in more depth in Chapter 2. Chapter 8 picks up that discussion and focuses on selecting the right security mechanisms for the different components of a modular network design.

4 The 12 Step Program (continued)
7. Develop a technical implementation strategy
8. Achieve buy-in from users, managers, and technical staff
9. Train users, managers, and technical staff
10. Implement the technical strategy and security procedures
11. Test the security and update it if any problems are found
12. Maintain security
Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, installing patches and security fixes, continuing to test and train, and updating the security plan and policy.

5 Network Assets
An enterprise's assets may be broadly divided into two categories. The first is physical assets, which include buildings, machinery, financial assets and infrastructure. Hardware such as routers, internetworking devices, cabling, and switches are all devices necessary to conduct a business.

6 Network Assets

7 Network Assets
The second category is intangible assets, which range from human capital and know-how to ideas, brands, designs and other intangible fruits of a company's creative and innovative capacity. Traditionally, physical assets made up the bulk of a company's value and were considered largely responsible for determining the competitiveness of an enterprise in the marketplace. In recent years, the situation has changed significantly.

8 Network Assets

9 Network Assets

10 Network Assets
Increasingly, and largely as a result of the information technology revolution and the growth of the service economy, companies are realizing that intangible assets are often becoming more valuable than their physical assets.

11 Network Assets
In countries such as Finland, the UK and the US, investment in intangibles matches or actually outstrips investment in tangibles. Today, many knowledge-based companies possess relatively little tangible capital. For example, in early 2009 physical assets only made up about 5% of Google’s total worth.

12 Network Assets
Software (operating systems, applications, and data).
Less Obvious Network Assets: intellectual property. The collective wisdom of your employees or customers is vast and waiting to be tapped. Bloomfire is a knowledge base built to capture, archive, and grow the knowledge that already exists within or about your organization.

13 Network Assets
Bloomfire develops software that allows companies to share information on a web-based application platform. The software application, launched in 2012, allows users to create team communities where people can post questions and answers, and add or create new content. The content can be uploaded in the form of videos, photos or text documents. The social platform allows users to "follow", "share", and "like" other users' content; it also has screen-recording capabilities. The software aims to increase accessibility to information within a company. The application can be accessed from a device connected to the Internet, such as a PC, laptop, tablet computer, or smartphone.

14 Network Assets
A trade secret is any confidential business information which provides an enterprise a competitive edge. Trade secrets encompass manufacturing, industrial, and commercial secrets. The unauthorized use of such information by persons other than the holder is regarded as an unfair practice and a violation of the trade secret. A company’s reputation is essential to its survival. The trust and confidence of the consumer can have a direct and profound effect on a company's bottom line.

15 Security Risks
Hacked network devices:
- Data can be intercepted, analyzed, altered, or deleted
- User passwords can be compromised
- Device configurations can be re-configured

16 Security Risks
Reconnaissance attacks are initially used to gather information about a target network or system; at first glance they seem harmless.
Denial-of-service (DoS) attacks are increasing.
Hospital data can be encrypted (frozen) in such a way that it cannot be accessed unless a ransom is paid.

17 Security Risks (DoS)

18 Security Tradeoffs
Tradeoffs must be made between security goals and other goals: affordability, usability, performance, availability, manageability.
The cost of protecting yourself against a threat should be less than the cost of recovering if the threat were to strike you.
An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.

19 A Security Plan
A high-level document that proposes what an organization is going to do to meet security requirements. This is a corporate-level decision. It specifies the time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy.

20 A Security Plan Should reference the network topology and include a list of network services that will be provided. The list should specify who provides the services, who has access to the services, how access is provided, and who administers the services.

21 A Security Policy Informs users, managers, and technical staff of their obligations for protecting technology and information assets. Normally, this is an agreement employees sign as a part of their tenure.

22 Customer Security Policy
IMPORTANT NOTICE TO POLICYHOLDERS CYBER INSURANCE COVERAGE ADDED TO YOUR The renewal of your insurance policy includes Cyber Insurance Coverage, which is designed to protect you in the event of a theft or unauthorized disclosure of protected information of your customers, employees, or tenants. This is an annual aggregate limit of $50K for all coverage combined.

23 Per RFC 2196, “The Site Security Handbook,” a security policy is a
“Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
The policy should address access, accountability, authentication, privacy, and computer technology purchasing guidelines.

24 Security Mechanisms
Physical security (limited access to resources)
Authentication (who is requesting network services)
Authorization (who can access network resources)
Accounting (auditing; collecting data)
Data encryption (a process of scrambling data to protect its confidentiality and integrity)

25 Security Mechanisms
Packet filters (can be set up on routers, firewalls, and servers to accept or deny packets from a particular address or service)
Firewalls (a device that enforces security policies at the boundary between two or more networks). Traditionally, firewalls are best suited for small business needs.

26 Security Mechanisms
- Detect and prevent denial of service (DoS) attacks with TCP Intercept, Context-Based Access Control (CBAC), and rate-limiting techniques
- Use Network-Based Application Recognition (NBAR) to detect and filter unwanted and malicious traffic
- Use router authentication to prevent spoofing and routing attacks
- Activate basic Cisco IOS filtering features like standard, extended, timed, lock-and-key, and reflexive ACLs to block various types of security threats and attacks, such as spoofing, DoS, Trojan horses, and worms
- Use black hole routing, policy routing, and Reverse Path Forwarding (RPF) to protect against spoofing attacks

27 Security Mechanisms What is black hole routing? Black holes refer to places in the network where incoming or outgoing traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient.

28 Security Mechanisms
- Apply stateful filtering of traffic with CBAC, including dynamic port mapping
- Use Authentication Proxy (AP) for user authentication
- Perform address translation with NAT, PAT, load distribution, and other methods
- Implement stateful NAT (SNAT) for redundancy
- Use an Intrusion Detection System (IDS) to protect against basic types of attacks
- Obtain how-to instructions on basic logging and learn to easily interpret results
- Apply IPsec to provide secure connectivity for site-to-site and remote access connections
- Read about many, many more features of the IOS firewall for mastery of router security

29 Security Mechanisms
The Cisco IOS firewall offers you the feature-rich functionality that you've come to expect from best-of-breed firewalls: address translation, authentication, encryption, stateful filtering, failover, URL content filtering, ACLs, NBAR, and many others. Cisco Router Firewall Security teaches you how to use the Cisco IOS firewall to enhance the security of your perimeter routers and, along the way, take advantage of the flexibility and scalability that is part of the Cisco IOS Software package.

30 Security Mechanisms What is an ACL? It is a network access control list (ACL) which is an optional layer of security for your computer that acts as a firewall for controlling traffic that enters and exits your subnets.
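To make the ACL idea of slides 26 and 30 concrete, here is an added example (not from the slides or from Cisco) that parses a constructed extended ACL written in Cisco IOS syntax and evaluates packets against it the way a router does: first matching line wins, wildcard-mask bits set to 1 are "don't care", and an unmatched packet hits the implicit deny at the end. The first two lines are the anti-spoofing filter slide 26 refers to; the addresses, ACL number and ports are sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed extended ACL (sample values, not from the slides). Lines 1-2 drop
# packets that arrive from the Internet claiming a private RFC 1918 source,
# a classic spoofing sign. Lines 3-4 admit only web traffic to the public
# server. The last line logs everything else; even without it, every IOS
# ACL ends with an implicit "deny any".
SAMPLE_ACL = """
access-list 101 deny   ip  10.0.0.0 0.255.255.255 any
access-list 101 deny   ip  192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 permit tcp any host 192.0.2.10 eq 443
access-list 101 deny   ip  any any log
"""


def _parse_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W.

    Returns (base, wildcard, tokens_consumed). A wildcard bit of 1 means
    "ignore this bit", the inverse of a subnet mask.
    """
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])), 2)


def parse_acl(text):
    """Parse access-list lines into {acl_number: [rule, ...]}, order preserved."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        num, action, proto, rest = int(t[1]), t[2], t[3], t[4:]
        src, src_wc, used = _parse_addr(rest)
        rest = rest[used:]
        dst, dst_wc, used = _parse_addr(rest)
        rest = rest[used:]
        port = None
        if rest[:1] == ["eq"]:          # only "eq <port>" is supported here
            port, rest = int(rest[1]), rest[2:]
        acls[num].append({"action": action, "proto": proto,
                          "src": src, "src_wc": src_wc,
                          "dst": dst, "dst_wc": dst_wc,
                          "dport": port, "log": "log" in rest})
    return acls


def _wild_match(addr, base, wildcard):
    """Cisco wildcard comparison: only bits NOT set in the wildcard must agree."""
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, src, dst, proto, dport=None):
    """Return 'permit' or 'deny' for one packet; the first matching rule wins."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if not _wild_match(s, r["src"], r["src_wc"]):
            continue
        if not _wild_match(d, r["dst"], r["dst_wc"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"   # implicit deny at the end of every IOS ACL


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)[101]
    print(evaluate(acl, "198.51.100.7", "192.0.2.10", "tcp", 443))  # permit
    print(evaluate(acl, "10.1.2.3", "192.0.2.10", "tcp", 80))       # deny (spoofed source)
    print(evaluate(acl, "198.51.100.7", "192.0.2.10", "tcp", 22))   # deny (no rule, implicit deny)
```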

31 Security Mechanisms
Intrusion Detection Systems (IDS) (detect malicious events and notify an administrator using , paging, or logging of the occurrences).
Intrusion Prevention Systems (IPS) (block traffic by adding rules to a firewall or by being configured to inspect traffic as it enters a firewall).

32 Encryption for Confidentiality and Integrity
Public/private key encryption
- Asymmetric key system
- All devices use the public key to encrypt data to be sent
- Receiving devices decrypt the data using a private key
Digital signature
- Encrypt part of your document with a private key
- Receiver decrypts the document using your public key

33 Encryption for Confidentiality and Integrity
What is a digital signature? A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. A digital signature is the electronic equivalent of a stamped seal or a handwritten signature. It is intended to solve the problem of tampering with, and impersonating the sender of, a digital transmission or communication.

34 Encryption for Confidentiality and Integrity
After encrypting (signing) your document with your private key, you can encrypt the document again with another party's public key (for example, the IRS's). The IRS then decrypts the document twice: once with its own private key, and once with your public key.

35 Encryption for Confidentiality and Integrity

36 Encryption for Confidentiality and Integrity

37 Encryption for Confidentiality and Integrity
Figure 8-1. Public/Private Key System for Ensuring Data Confidentiality
Figure 8-2. Public/Private Key System for Sending a Digital Signature
(This page was added on 9/01/10 to address the fact that early printings of the book had the wrong graphic for Figure 8-2.)

38 Modularizing Security Design
Cisco supports reputation filtering and global correlation services, so that an ISP can keep up to date on global security trends and more accurately deny traffic from networks known to be currently associated with botnets, spam, and other malware.

39 Modularizing Security Design
Security defense in depth Network security should be multilayered with many different techniques used to protect the network.

40 Modularizing Security Design
Belt-and-suspenders approach: don’t get caught with your pants down. Each mechanism should have a backup mechanism; the belt and the suspenders together ensure the pants (the system) stay up. Use a dedicated firewall to limit access to resources and a packet-filtering router that adds another line of defense (multiple layers of defense).

41 Modularizing Security Design
Secure all components of a modular design:
- Internet connections
- Public servers and e-commerce servers
- Remote access networks and VPNs
- Network services and network management
- Server farms
- User services
- Wireless networks

42 Securing Internet Connections
- Physical security
- Firewalls and packet filters
- Audit logs, authentication, authorization
- Well-defined exit and entry points
- Routing protocols that support authentication
Internet routers should be backed up with additional filters to prevent DoS (Denial of Service) and other attacks. In turn, these filters should be backed up by additional filters placed on firewall devices. Monitor Internet

43 Securing Internet Connections
Defense-In-Depth Whole Building Design Strategy

44 Cisco SAFE Cisco SAFE Security Reference Model addresses security in every module of a modular network architecture.

45 Securing Public Servers
- Place servers in a DMZ that is protected via firewalls
- Run a firewall on the server itself
- Enable DoS (denial of service) protection: limit the number of connections per timeframe
- Use reliable operating systems with the latest security patches
- Maintain modularity: the front-end Web server doesn’t also run other services
Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company’s Web pages, thus damaging the company’s image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.

46 Security Topologies
(Diagram: Internet, DMZ holding the Web, File, DNS and Mail servers, and the Enterprise Network)

47 Security Topologies
(Diagram: Internet, Firewall, DMZ holding the Web, File, DNS and Mail servers, and the Enterprise Network)

48 Securing Remote-Access and Virtual Private Networks (VPN)
Physical security Firewalls Authentication, authorization, and auditing Encryption One-time passwords

49 Securing Remote-Access and Virtual Private Networks
Security protocols: remote users and routers should authenticate with CHAP.
RADIUS is a network protocol that provides centralized authentication, authorization, and accounting (AAA or Triple A). RADIUS was developed by Livingston Enterprises, Inc. in 1991 and later brought into the Internet Engineering Task Force (IETF) standards.

50 Securing Remote-Access and Virtual Private Networks
Security protocols Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it's easier to track usage for billing and for keeping network statistics. Created by Livingston (now owned by Lucent), RADIUS is a de facto industry standard used by a number of network product companies and is a proposed IETF standard.

51 Securing Remote-Access and Virtual Private Networks
Security protocols: IPsec is an IETF standard that provides confidentiality, data integrity, and authentication between participating peers at the IP layer. IPsec provides a secure path between remote users and a VPN concentrator, and between remote sites and a VPN site-to-site gateway.

52 Securing Remote-Access and Virtual Private Networks
Virtual Private Network (VPN) provides what? It provides a secure connection using the public network. VPN is based on client/server technology. VPN is simple to set up: simply enter the destination IP address and your user name and password.
The telephone system in the 1950s proved to be inadequate to withstand a nuclear attack. If on average 15 central offices (CO) were targeted, communications would be totally lost.

53 Securing Remote-Access and Virtual Private Networks
The military wanted a system that was self-healing. If a failure occurred at a point (man-in-the-middle) in the network, the communications path would be rerouted. The man-in-the-middle is a hacker that listens to and copies all data passing through a router.

54 Securing Remote-Access and Virtual Private Networks
What makes VPN so exceptional? It creates a tunnel (VPN uses a tunneling protocol) and encrypts the content. If the tunnel is penetrated, it is detected: immediately, the tunnel is shut down and a new circuit is established on the Internet. A hacker sitting on a router is trying to penetrate the tunnel to record/listen to the traffic.

55 Securing Remote-Access and Virtual Private Networks
VPN: Microsoft and Cisco have their own VPN client/server software. The software used to establish the VPN services must be compatible on both ends; Cisco’s VPN client will not communicate with Microsoft VPN server software. OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

56 Securing Remote-Access and Virtual Private Networks
VPN

57 Securing Network Services
- Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
- Require login IDs and passwords for accessing devices
- Require extra authorization for risky configuration commands
- Use SSH (Secure Shell) rather than telnet or login
- Change the welcome banner to be less welcoming

58 Securing Network Services

59 Securing Network Services
Routing protocols should be selected that support authentication, including RIPv2, OSPF, EIGRP, and BGP4. Static and default routes are good choices because they eliminate the need to accept routing updates. Execute minimal necessary services and establish trust in only authenticated partners.

60 Securing Server Farms
- Deploy network and host IDSs to monitor server subnets and individual servers
- Configure filters that limit connectivity from the server in case the server is compromised
- Fix known security bugs in server operating systems
- Require authentication and authorization for server access and management
- Limit the root password to a few people
- Avoid guest accounts

61 Securing User Services
- Specify in the security policy which applications are allowed to run on networked PCs
- Require personal firewalls and antivirus software on networked PCs
- Implement written procedures that specify how the software is installed and kept current
- Encourage users to log out when leaving their desks
- Consider using IEEE 802.1X port-based security on switches

62 Securing Wireless Networks
- Place wireless LANs (WLANs) in their own subnet or VLAN; this simplifies addressing and makes it easier to configure packet filters
- Require all wireless (and wired) laptops to run personal firewall and antivirus software
- Disable beacons that broadcast the SSID, and require MAC address authentication, except in cases where the WLAN is used by visitors

63 Securing Wireless Networks
What is the SSID? An SSID (Service Set Identifier) is the public name of a wireless local area network (WLAN), which serves to differentiate it from other wireless networks in the area. For Google Fiber, the SSID is the network name you specify when you configure your Wi-Fi network. Any wireless devices that connect to your network must use this SSID. By default, your Network Box broadcasts a beacon signal, announcing its presence to the world by providing the SSID. Broadcasting the SSID displays the name of your network in the list of available networks when nearby users try to connect their wireless devices.

64 Securing Wireless Networks
IEEE specifies two forms of authentication:
- Open key: the client is always authenticated; used for guest access.
- Shared key authentication: a WEP (Wired Equivalent Privacy) static key must be properly configured in both the client and the access point.
Man-in-the-middle is another form of eavesdropping.

65 WLAN Security Options
- Service Set Identifier (SSID)
- Wired Equivalent Privacy (WEP): vulnerable to passive attacks and inductive key derivations. If the key is determined, it must be changed on the access point and every client.
- IEEE 802.11i
- Wi-Fi Protected Access (WPA)
- IEEE 802.1X
- Extensible Authentication Protocol (EAP)
- Lightweight EAP or LEAP (Cisco)
- Protected EAP (PEAP)
- Virtual Private Networks (VPNs)
- Any other acronyms we can think of?

66 Wired Equivalent Privacy (WEP)
- Defined by IEEE 802.11
- Users must possess the appropriate WEP key that is also configured on the access point
- 64- or 128-bit key (or passphrase)
- WEP encrypts the data using the RC4 stream cipher
- Infamous for being crackable

67 WEP Alternatives
Vendor enhancements to WEP: Temporal Key Integrity Protocol (TKIP), in which every frame has a new and unique WEP key
Advanced Encryption Standard (AES)
IEEE 802.11i (implemented as WEP2)
Wi-Fi Protected Access (WPA) from the Wi-Fi Alliance

68 Extensible Authentication Protocol (EAP)
With 802.1X and EAP, devices take on one of three roles:
- The supplicant resides on the wireless LAN client
- The authenticator resides on the access point
- An authentication server resides on a RADIUS server
EAP authenticates users, rather than only devices (the wireless LAN devices themselves).

69 EAP (Continued)
- An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
- The credentials are passed by the authenticator to the server and a session key is developed
- Periodically the client must re-authenticate to maintain network connectivity
- Re-authentication generates a new, dynamic WEP key

70 Cisco’s Lightweight EAP (LEAP)
Standard EAP plus mutual authentication The user and the access point must authenticate Used on Cisco and other vendors’ products Mutual authentication means the client authenticates the server and the server authenticates the client.

71 Other EAPs
- EAP-Transport Layer Security (EAP-TLS) was developed by Microsoft; requires certificates for clients and servers.
- Protected EAP (PEAP) is supported by Cisco, Microsoft, and RSA Security; uses a certificate for the client to authenticate the RADIUS server, and the server uses a username and password to authenticate the client.
- EAP-MD5 has no key management features or dynamic key generation; uses challenge text like basic WEP authentication; authentication is handled by the RADIUS server.
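An added simulation (not from the slides or any vendor) of the three 802.1X roles of slides 68 and 69 running the EAP-MD5 challenge method from slide 71. The message dicts stand in for EAP packets, the user database, identity and password are constructed, and the hash follows RFC 3748 section 5.4: MD5 over the Identifier byte, the shared secret, and the challenge. Note what the exchange does not produce: a session key, which is why slide 71 says EAP-MD5 has no key management.

```python
import hashlib
import hmac
import os


def md5_response(identifier, secret, challenge):
    """EAP-MD5 Response value per RFC 3748: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthServer:
    """Authentication server (on RADIUS): the only party holding the user database."""

    def __init__(self, users):
        self.users = users       # {identity: password bytes}, constructed
        self.pending = {}        # identifier -> (identity, challenge)

    def on_identity(self, identifier, identity):
        challenge = os.urandom(16)          # fresh challenge per attempt
        self.pending[identifier] = (identity, challenge)
        return {"code": "Request", "id": identifier,
                "type": "MD5-Challenge", "challenge": challenge}

    def on_response(self, msg):
        identity, challenge = self.pending.pop(msg["id"])
        secret = self.users.get(identity)
        ok = (secret is not None and
              hmac.compare_digest(md5_response(msg["id"], secret, challenge),
                                  msg["value"]))
        return {"code": "Success" if ok else "Failure", "id": msg["id"]}


class Supplicant:
    """Runs on the wireless client; holds the user's credentials."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def on_request(self, msg):
        if msg["type"] == "Identity":
            return {"code": "Response", "id": msg["id"],
                    "type": "Identity", "identity": self.identity}
        if msg["type"] == "MD5-Challenge":
            return {"code": "Response", "id": msg["id"], "type": "MD5-Challenge",
                    "value": md5_response(msg["id"], self.password,
                                          msg["challenge"])}
        raise ValueError("unsupported EAP type")


class Authenticator:
    """Runs on the access point: relays EAP between supplicant and server and
    opens the port only on Success. It never sees the password itself."""

    def __init__(self, server):
        self.server, self.port_open = server, False

    def authenticate(self, supplicant):
        ident = supplicant.on_request({"code": "Request", "id": 1,
                                       "type": "Identity"})
        challenge = self.server.on_identity(2, ident["identity"])
        response = supplicant.on_request(challenge)
        result = self.server.on_response(response)
        self.port_open = result["code"] == "Success"
        return self.port_open


if __name__ == "__main__":
    server = AuthServer({"alice": b"correct horse"})       # constructed user DB
    ap = Authenticator(server)
    print(ap.authenticate(Supplicant("alice", b"correct horse")))  # True
    print(ap.authenticate(Supplicant("alice", b"wrong")))          # False
```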

72 VPN Software on Wireless Clients
VPN is the safest way to do wireless networking for corporations Wireless client requires VPN software Connects to VPN concentrator at HQ Creates a tunnel for sending all traffic VPN security provides: User authentication Strong encryption of data Data integrity

73 Network Management
- Helps an organization achieve availability, performance, and security goals
- Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
- Facilitates scalability
- Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades

74 Network Management Design
- Consider scalability, traffic patterns, data formats, cost/benefit tradeoffs
- Determine which resources should be monitored
- Determine metrics for measuring performance
- Determine which and how much data to collect

75 Proactive Network Management
- Plan to check the health of the network during normal operation, not just when there are problems
- Recognize potential problems as they develop
- Optimize performance
- Plan upgrades appropriately

76 Network Management Processes According to the ISO
Fault management Configuration management Accounting management Performance management Security management

77 Fault Management Detect, isolate, diagnose, and correct problems Report status to end users and managers Track trends related to problems

78 Configuration Management
Keep track of network devices and their configurations Maintain an inventory of network assets Log versions of operating systems and applications

79 Accounting Management
Keep track of network usage by departments or individuals Facilitate usage-based billing Find users who use more resources than they should

80 Performance Management
- Monitor end-to-end performance
- Also monitor component performance (individual links and devices)
- Test reachability
- Measure response times
- Measure traffic flow and volume
- Record route changes

81 Security Management
- Maintain and distribute user names and passwords
- Generate, distribute, and store encryption keys
- Analyze router, switch, and server configurations for compliance with security policies and procedures
- Collect, store, and examine security audit logs

82 Network Management Components
- A managed device is a network node that collects and stores management information
- An agent is network-management software that resides in a managed device
- A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents

83 Network Management Architecture
(Diagram: an NMS communicating with the Agents on several Managed Devices, each Agent with its own Management Database)

84 Architecture Concerns
In-band versus out-of-band monitoring: in-band is easier to develop, but results in management data being impacted by network problems.
Centralized versus distributed monitoring: centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC).

85 Simple Network Management Protocol (SNMP)
Most popular network management protocol SNMPv3 should gradually supplant (substitute) versions 1 and 2 because it offers better authentication and better control of the set command. SNMP works with Management Information Bases (MIBs).

86 Simple Network Management Protocol (SNMP)
What is a MIB? A MIB (Management Information Base) is a text file which has been written using the ASN.1 (Abstract Syntax Notation) format. This text file is human readable but is special in that it can be compiled by a computer program called a MIB compiler, which then results in the creation of objects called OIDs (Object Identifiers) that can be understood by a network management station using the SNMP (Simple Network Management Protocol) method of communication.

87 Simple Network Management Protocol (SNMP)
What is a MIB? 

88 Simple Network Management Protocol (SNMP)
Why is this important?  SNMP MIBs are crucial in order to manage your network and understand the underlying objects which are being retrieved from SNMP Agents. 

89 Remote Monitoring (RMON)
- Developed by the IETF in the early 1990s to address shortcomings in standard MIBs
- Provides information on data link and physical layer parameters
- Nine groups of data for Ethernet
- The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets

90 Cisco Tools
Cisco Discovery Protocol: with the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor.
NetFlow Accounting: an integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces.

91 Summary
- Use a top-down approach
- Chapter 2 talks about identifying assets and risks and developing security requirements
- Chapter 5 talks about logical design for security (secure topologies)
- Chapter 8 talks about the security plan, policy, and procedures
- Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design

92 Summary
- Determine which resources to monitor, which data about these resources to collect, and how to interpret that data
- Develop processes that address performance, fault, configuration, security, and accounting management
- Develop a network management architecture
- Select management protocols and tools

93 This Week’s Outcomes
Review midterm exam questions; Security Threats and Risks; Security Policy; Security Mechanisms; Wireless Security; SNMP

94 4-2-2 – Cisco Networking Practical Experience
Due this week: 4-2-2 – Cisco Networking Practical Experience, Basic Routing and LAN Switching Configuration

95 Next week Read Chapter 8 in Top-Down Network Design – Lab #2

96 Q & A Questions, comments, concerns?
