Chapter Fifteen: Network Security

Objectives
- Identify security risks in LANs and WANs
- Explain how physical security contributes to network security
- Discuss hardware- and design-based security techniques

Objectives
- Use network operating system techniques to provide basic security
- Implement enhanced security through specialized software
- Describe the elements of an effective security policy

Terminology
- A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them
- A cracker is someone who uses his or her knowledge of operating systems and utilities to intentionally damage or destroy data or systems
- In general, root refers to a highly privileged user ID that has all rights to create, delete, modify, move, read, write, or execute files on a system
- A firewall is a specialized device that selectively filters or blocks traffic between networks

Security Audits
- Assessment of an organization’s security risks
- Regular security audits should be performed at least annually and preferably quarterly
- You should also conduct a security audit after making any significant changes to your network

Security Risks
- Social engineering
  - Manipulating relationships to circumvent network security measures and gain access to a system
- Some risks associated with people:
  - Intruders or attackers using social engineering or snooping to obtain passwords
  - An administrator incorrectly creating or configuring user IDs, groups, and their associated rights on a file server

Security Risks
- Some risks associated with people (cont.):
  - Network administrators overlooking security flaws in topology or hardware configuration
  - Network administrators overlooking security flaws in operating system or application configuration
  - Lack of proper documentation and communication of security policies
  - Dishonest or disgruntled employees abusing their file and access rights
  - An unusual computer or terminal being left logged into the network

Security Risks
- Some risks associated with people (cont.):
  - Users or administration choosing easy-to-guess passwords
  - Authorized staff leaving computer room doors open or unlocked
  - Staff discarding disks or backup tapes in public waste containers
  - Administrators neglecting to remove access files and rights for former employees
  - Users leaving passwords out in open spaces

Risks Associated with Hardware and Network Design
- Inherent risks in network hardware and design:
  - Wireless transmission can typically be intercepted
  - Networks that use leased lines are vulnerable to eavesdropping
  - Network hubs broadcast traffic over the entire segment
  - If they are not disabled, unused hubs, routers, or server ports can be exploited and accessed by crackers

Risks Associated with Hardware and Network Design
- Inherent risks in network hardware and design (cont.):
  - If routers are not properly configured to mask internal subnets, users on outside networks can read the private addresses
  - Modems attached to network devices may be configured to accept incoming calls
  - Dial-in access servers used by telecommuting or remote staff may not be carefully secured and monitored
  - Computers hosting very sensitive data may coexist on the same subnet with computers open to the general public

Risks Associated with Protocols and Software
- Some risks pertaining to networking protocols and software:
  - TCP/IP contains several security flaws
  - Trust relationships between one server and another may allow a cracker to access the entire network because of a single flaw
  - Network operating system software typically contains “backdoors” or security flaws

Risks Associated with Protocols and Software
- Some risks pertaining to networking protocols and software (cont.):
  - If the network operating system allows server operators to exit to a command prompt, intruders could run destructive command-line programs
  - Administrators might accept the default security options after installing an operating system or application
  - Transactions that take place between applications may be left open to interception

Risks Associated with Internet Access
- Common Internet-related security breaches:
  - IP spoofing
    - Outsiders obtain internal IP addresses, then use those addresses to pretend that they have authority to access your internal network from the Internet
  - When a user Telnets or FTPs to your site over the Internet, his or her user ID and password will be transmitted in plain text
  - Crackers may obtain information about your user ID from newsgroups, mailing lists, or forms filled out on the Web

Risks Associated with Internet Access
- Common Internet-related security breaches (cont.):
  - Flashing
    - An Internet user sends commands to another Internet user’s machine that cause the screen to fill with garbage characters
  - Denial-of-service attack
    - Occurs when a system becomes unable to function because it has been deluged with messages or otherwise disrupted

Addressing Risks Associated with People
- An effective security policy
- Typical goals for security policies:
  - Ensuring that authorized users have appropriate access to the resources they need
  - Preventing unauthorized users from gaining access to the network, systems, programs, or data
  - Protecting sensitive data from unauthorized access

Addressing Risks Associated with People
- Typical goals for security policies (cont.):
  - Preventing accidental damage to hardware or software
  - Preventing intentional damage to hardware or software
  - Creating an environment where the network and systems can withstand and quickly recover from any type of threat
  - Communicating each employee’s responsibilities with respect to maintaining data integrity and system security

Security Policy Content
- After risks are identified and responsibilities for managing them are assigned, the policy’s outline should be generated with those risks in mind
- The security policy should explain clearly to users:
  - What they can and cannot do
  - How these measures protect the network’s security

Response Policy
- Suggestions for team roles:
  - Dispatcher
  - Manager
  - Technical support specialist
  - Public relations specialist

Passwords
- Tips for making and keeping passwords secure:
  - Do not use the familiar types of passwords
  - Do not use any word that might appear in a dictionary
  - Make passwords longer than six characters

Passwords
- Tips for making and keeping passwords secure (cont.):
  - Choose a combination of letters and numbers
  - Do not write down your password or share it with others
  - Change your password at least every 90 days

Physical Security
Figure 15-1: Badge access security system

Physical Security
- Bio-recognition access
  - Device scans an individual’s unique physical characteristics
- Relevant questions in assessing physical security:
  - Which rooms contain critical systems or data and need to be secured?
  - Through what means might intruders gain access to the facility, computer room, telecommunications room, wiring closet, or data storage areas?

Physical Security
- Relevant questions in assessing physical security (cont.):
  - How and to what extent are authorized personnel granted entry?
  - Are employees instructed to ensure security after entering or leaving secured areas?
  - Are authentication methods difficult to forge or circumvent?

Physical Security
- Relevant questions in assessing physical security (cont.):
  - Do supervisors or security personnel make periodic physical security checks?
  - Are all combinations, codes, or other access means to computer facilities protected at all times?
  - Does a plan exist for documenting and responding to physical security breaches?

Addressing Risks Associated with Hardware and Design
- Firewall
  - Specialized device that selectively filters or blocks traffic between networks
Figure 15-2: Placement of a firewall between a private network and the Internet

Firewalls
- Packet filtering firewall
  - Router that operates at the Data Link and Transport layers of the OSI Model
  - Also called screening firewalls
Figure 15-3: Packet filtering firewall

Firewalls
- Criteria that a firewall might use to accept or deny data:
  - Source and destination IP addresses
  - Source and destination ports
  - TCP, UDP, or ICMP protocols

Firewalls
- Criteria that a firewall might use to accept or deny data (cont.):
  - Packet’s status as the first packet in a new data stream or a subsequent packet
  - Packet’s status as inbound or outbound to or from your private network
  - Packet’s status as originating from or being destined for an application on your private network

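The criteria listed on the two slides above can be combined into an ordered, first-match rule table with a default of deny. The following is an added example, not part of the original presentation; the address ranges, the mail host and all class and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.168.10.0/24"    # constructed private LAN range
MAIL_HOST = "192.168.10.25/32"  # constructed mail server address


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out" relative to the private network
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    new_stream: bool = False  # first packet of a new data stream (TCP SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None        # None matches any port
    new_stream: Optional[bool] = None  # None matches either status

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

        return (
            self.direction in ("any", p.direction)
            and self.proto in ("any", p.proto)
            and in_net(p.src, self.src)
            and in_net(p.dst, self.dst)
            and self.dport in (None, p.dport)
            and self.new_stream in (None, p.new_stream)
        )


RULES = [
    # Anti-spoofing: an inbound packet cannot legitimately carry an internal source address.
    Rule("deny", direction="in", src=INTERNAL),
    # Inbound mail is allowed to the one published server only.
    Rule("accept", direction="in", proto="tcp", dst=MAIL_HOST, dport=25),
    # Other inbound TCP is allowed only as a subsequent packet of an existing stream.
    Rule("accept", direction="in", proto="tcp", dst=INTERNAL, new_stream=False),
    # Outbound traffic must originate from the private range.
    Rule("accept", direction="out", src=INTERNAL),
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

Rule order matters: the anti-spoofing rule sits first so that a later accept rule cannot admit an inbound packet that claims an internal source address.
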
Firewalls
- Proxy service
  - Software application on a network host that acts as an intermediary between external and internal networks
  - Network host that runs the proxy service is known as a proxy server, or gateway

Firewalls
Figure 15-4: Proxy server used on a WAN

Firewalls
- Questions to ask when choosing a firewall:
  - Does the firewall support encryption?
  - Does the firewall support authentication?
  - Does the firewall allow you to manage it centrally and through a standard interface?

Firewalls
- Questions to ask when choosing a firewall (cont.):
  - How easily can you establish rules for access to and from the firewall?
  - Does the firewall support filtering at the highest layers of the OSI Model?
  - Does the firewall provide logging and auditing capabilities, or alert you to intrusions?
  - Does the firewall protect the identity of your internal LAN’s addresses from the outside world?

Remote Access
- Remote access
  - Capability for traveling employees, telecommuters, or distant vendors to access an organization’s private LAN or WAN through specialized remote access servers

Remote Control
- Important security features for a remote control program:
  - Login ID and password requirements for gaining access to the host system
  - Ability for the host system to call back
  - Support for data encryption on transmissions between the remote user and the system

Remote Control
- Important security features for a remote control program (cont.):
  - Ability to leave the host system’s screen blank while a remote user works on it
  - The ability to disable the host system’s keyboard and mouse
  - Ability to restart the host system when a remote user disconnects from the system

Dial-Up Networking
- Recommended features for a secure remote access server package:
  - Login ID and password authentication
  - Ability to log all dial-up connections, their resources, and their connection times
  - Ability to perform callbacks to users who initiate connections
  - Centralized management of dial-up users and their rights on the network

Remote Authentication Dial-In User Service (RADIUS)
- Terminal Access Controller Access Control System (TACACS)
  - Centralized authentication system for remote access servers that is similar to RADIUS
Figure 15-5: RADIUS server providing central authentication

Addressing Risks Associated with Protocols and Software
- Restrictions that network administrators can use to strengthen the security of their networks:
  - Some users may be valid only during specific hours
  - Some user IDs may be restricted to a specific number of hours per day of logged-in time
  - You can specify that user IDs can log in only from certain workstations or certain areas of the network
  - Set a limit on how many unsuccessful login attempts from a single user the server will accept before blocking that ID from even attempting to log on

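The four login restrictions on the slide above can be enforced as one ordered check per login attempt. This is an added example, not part of the original presentation; the `Account` fields, the result strings and the workstation names used with it are constructed, and the order of the checks is one design choice among several.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass
class Account:
    allowed_hours: tuple = (time(0, 0), time(23, 59, 59))  # valid login window
    allowed_workstations: frozenset = frozenset()          # empty set = any workstation
    daily_limit: Optional[timedelta] = None                # logged-in time allowed per day
    used_today: timedelta = timedelta(0)
    max_failures: int = 3                                  # failed attempts before blocking
    failures: int = 0
    locked: bool = False


def attempt_login(acct: Account, workstation: str, when: datetime, password_ok: bool) -> str:
    """Apply the restrictions in order and return the outcome as a short string."""
    # A blocked ID is refused before the password is even considered.
    if acct.locked:
        return "locked"
    start, end = acct.allowed_hours
    if not (start <= when.time() <= end):
        return "outside-hours"
    if acct.allowed_workstations and workstation not in acct.allowed_workstations:
        return "wrong-workstation"
    if acct.daily_limit is not None and acct.used_today >= acct.daily_limit:
        return "daily-limit"
    if not password_ok:
        acct.failures += 1
        if acct.failures >= acct.max_failures:
            acct.locked = True  # stays blocked until an administrator resets it
        return "bad-password"
    acct.failures = 0  # a successful login clears the counter
    return "ok"


def end_session(acct: Account, duration: timedelta) -> None:
    """Charge a finished session against the per-day allowance."""
    acct.used_today += duration
```

Once the failure limit is reached, the account stays blocked even when the correct password is supplied, which is the behaviour the last bullet describes.
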
Encryption
- Use of an algorithm to scramble data into a format that can be read only by reversing the algorithm
- In order to protect data, encryption provides the following assurances:
  - Data were not modified after the sender transmitted them and before receiver picked them up
  - Data can only be viewed by their intended recipient (or at their intended destination)
  - All of the data received at intended destination were truly issued by the stated sender and not forged by an intruder

Encryption
- The most popular kind of encryption weaves a key (random string of characters) into the original data’s bits to generate a unique data block
  - The scrambled data block is known as cipher text
  - The longer the key, the less easily the cipher text can be decrypted by an unauthorized system

Encryption
Figure 15-6: Key encryption and decryption

Encryption
- Private key encryption
  - Data are encrypted using a single key that only the sender and receiver know
  - Also known as symmetric encryption
  - The most popular private key encryption is the data encryption standard (DES)

Encryption
Figure 15-17: Private key encryption

Encryption
- Public key encryption
  - Data are encrypted using two keys
  - Also known as asymmetric encryption
- Public-key server
  - Freely provides a list of users’ public keys
- Combination of public key and private key is known as key pair

Encryption
- Digital certificates
  - Password-protected and encrypted file holding an individual’s identification information
Figure 15-8: Public key encryption

Kerberos
- Cross-platform authentication protocol using key encryption to verify identity of clients and to securely exchange information once a client logs onto a system
- The server issuing keys to clients during initial client authentication is known as a key distribution center (KDC)
- In order to authenticate a client, KDC runs an authentication service (AS)
  - An AS issues a ticket (temporary set of credentials)
- A Kerberos client, or user, is known as a principal

Kerberos
- Session key
  - Issued to both client and service by the authentication service; uniquely identifies their session
- Authenticator
  - User’s timestamp encrypted with the session key
- Ticket granting service (TGS)
  - Application separate from AS that also runs on the KDC
  - TGS issues client a ticket granting ticket (TGT)

PGP and SSL
- Pretty Good Privacy (PGP)
  - Public key encryption system that verifies authenticity of an e-mail sender and encrypts e-mail data in transmission
- Secure Sockets Layer (SSL)
  - Method of encrypting TCP/IP transmissions en route between client and server using public key encryption technology

SSL
- HTTPS
  - URL prefix indicating a Web page requires its data to be exchanged between client and server using SSL encryption
- SSL session
  - Association between the client and server identified by an agreement on a specific set of encryption techniques
- Handshake protocol
  - Perhaps the most significant protocol within SSL

SSL
- Client_hello
  - Message issued from the client to the server
- Server_hello
  - Message issued from the server to the client
- Transport Layer Security (TLS)
  - Version of SSL being standardized by the IETF

Internet Protocol Security (IPSec)
- Defines encryption, authentication, and key management for TCP/IP transmissions
- IPSec accomplishes authentication in two phases:
  - Key management
  - Key encryption

Internet Protocol Security (IPSec)
- Key management
  - IPSec relies on Internet Key Exchange (IKE) for its key management
- In IPSec, two types of encryption may be used:
  - Authentication header (AH)
  - Encapsulation security payload (ESP)

Virtual Private Networks (VPNs)
- Point-to-Point Tunneling Protocol (PPTP)
  - Expands on PPP by encapsulating it so that any type of PPP data can traverse the Internet masked as pure IP transmissions
- Tunneling
  - Process of encapsulating one protocol to make it appear as another type of protocol

Virtual Private Networks (VPNs)
- Layer 2 Forwarding (L2F)
  - Similar to PPTP
- Layer 2 Tunneling Protocol
  - Enhanced version of L2F
  - Will gradually replace PPTP and L2F

Chapter Summary
- A hacker is someone who masters the inner workings of operating systems and utilities in an effort to better understand them
- The root is a highly privileged user ID that has all rights on a system
- Authentication is the process of verifying a user’s validity and authority on a system
- Every organization should conduct a security audit at least annually and preferably quarterly
- The first step in securing your network should be to devise and implement an enterprise-wide security policy

Chapter Summary
- A firewall is a specialized device that selectively filters or blocks traffic between networks
- A more sophisticated security technique is necessary to perform user authentication
- Remote control systems enable a user to connect to a host system on a network from a distance and use that system’s resources
- Encryption is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm
- Virtual private networks (VPNs) are private networks that use public channels to connect clients and servers