Unit 17 – Local Area Network Security


1 Unit 17 – Local Area Network Security
- BUSINESS IMPACT
- SECURITY POLICY DEVELOPMENT
- VIRUS PROTECTION
- FIREWALLS
- AUTHENTICATION AND ACCESS CONTROL
- ENCRYPTION
- APPLIED SECURITY SCENARIOS
- GOVERNMENT IMPACT

2 BUSINESS IMPACT Network security is a business problem.
The development and implementation of a sound network security policy must start with a strategic business assessment, followed by strong management support throughout the policy development and implementation stages. Enterprise network security goals must be set by corporate presidents and/or the board of directors.

3 SECURITY POLICY DEVELOPMENT
Security policy development life cycle (SPDLC): see Figure 16-1. It is a cycle because the evaluation processes validate the effectiveness of the original analysis stages.
Security Requirements Assessment
Requires a structured approach to ensure that all potential user group/information resource combinations have been considered. A network analyst can create a matrix grid mapping all potential user groups against all potential corporate information resources. Refer to Figure 16-3.
These security processes:
- Restrictions to information access imposed upon each user group
- Definition of the responsibilities of each user group for security policy implementation and enforcement
It should be reviewed on a periodic basis through ongoing auditing, monitoring, evaluation, and analysis.

4 Figure 16-1 The Security Policy Development Life Cycle

5 SECURITY POLICY DEVELOPMENT
Scope Definition and Feasibility Studies
- Define the scope or limitations of the project.
- Feasibility studies gain vital information on the difficulty of the security policy development process as well as the assets (human and financial) required to maintain such a process.
- Need to decide on the balance between security and productivity. See Figure 16-4.
- Need to identify those key values that a corporation should maintain.
Five most typical fundamental values of network security policy development:
- Identification/Authentication: the process of reliably determining the genuine identity of the communicating computer (host) or user.
- Access Control/Authorization: authenticated users are allowed to access only those information and network resources they are supposed to access.
- Privacy/Confidentiality: ensure that data is disclosed only to intended recipients.
- Data Integrity: assure that data are genuine and cannot be changed without proper controls.
- Non-Repudiation: users cannot deny the occurrence of given events or transactions.

6 Figure 16-4 Security vs. Productivity Balance

7 SECURITY POLICY DEVELOPMENT
Assets, Threats, Vulnerabilities, and Risks
Most security policy development methodologies boil down to the following six major steps:
1. Identify assets
2. Identify threats
3. Identify vulnerabilities
4. Consider the risks
5. Identify risk domains
6. Take protective measures
Assets: corporate property of some value that requires varying degrees of protection. Data or information can be classified as:
- Unclassified or Public
- Sensitive
- Confidential
- Secret
- Top Secret

8 SECURITY POLICY DEVELOPMENT
Assets, Threats, Vulnerabilities, and Risks
- Threats: processes or people that pose a potential danger to identified assets.
- Vulnerabilities: the manner or path by which threats are able to attack assets.
- Risks: the probability of a particular threat successfully attacking a particular asset in a given amount of time via a particular vulnerability.
E.g.
- Intruders or attackers may use social engineering or snooping to obtain user passwords.
- An administrator may incorrectly create or configure user IDs, groups, and their associated rights on a file server, resulting in file and login access vulnerabilities.
- Network administrators may overlook security flaws in topology or hardware configuration.
- Network administrators may overlook security flaws in operating system or application configuration.
- Lack of proper documentation and communication of security policies may lead to deliberate or inadvertent misuse of files or network access.
- Dishonest or disgruntled employees may abuse the file and access rights they’ve been given.
- A computer or terminal left logged into the network while its operator goes away may provide an entry point for an intruder.
- Users or even administrators choose passwords that are easy to guess.
- Authorized staff may leave computer room doors propped open or unlocked, allowing unauthorized individuals to enter.

9 SECURITY POLICY DEVELOPMENT
Assets, Threats, Vulnerabilities, and Risks
- Staff may discard disks or backup tapes in “public” waste containers.
- Administrators may neglect to remove access and file rights for employees who have left the organisation.
Figure 16-7 shows the relationship between assets, threats, vulnerabilities, risks, and protective measures.

10 Figure 16-7 Assets, Threats, Vulnerabilities, Risks, and Protective Measures

11 SECURITY POLICY DEVELOPMENT
Attack Strategies
Some common attack strategies and their potential protective measures:
- Masquerading: Authentication
- Eavesdropping: Encryption
- Man-in-the-Middle Attack: Digital certificates, digital signatures
- Address Spoofing: Firewalls
- Data Diddling: Encrypted message digest
- Dictionary Attack: Strong passwords, intruder detection
- Replay Attack: Time stamping or sequence numbering
- Virus Attack: Virus management policy
- Trojan Horse Attack: Firewalls
- Denial of Service Attack: Authentication, service filtering

12 SECURITY POLICY DEVELOPMENT
Management Role and Responsibilities
- Plan your action to develop and implement a solution.
- Do not underestimate the labor resources and time requirements necessary to scale up your security analysis to an enterprise-wide security policy development and implementation process.
- Be sure that all affected user groups are represented on the policy development task force.
- Potential areas for development of acceptable use policies: password protection and management, software license, virus protection, internet access, remote access, policies regarding penalties/warnings, physical access.
Policy Implementation Process
- The policies need the support of executives and managers.
- Users should also be expected to actively support the implemented acceptable use policies.
- A security architecture maps clearly justified security functional requirements to currently available security technical solutions. See Figure for the information security architecture.

13 Figure 16-13 Representative Security Architecture

14 SECURITY POLICY DEVELOPMENT
Auditing
- Audit and monitor a corporate security policy on a continual basis.
- Auditing can be automated or manual.
- Manual audits serve to verify the effectiveness of policy development and implementation.
- Automated audits are able to assess the weaknesses of your network security and security standards, to analyze the network for potential vulnerabilities, and to make recommendations for corrective action.

15 VIRUS PROTECTION
A comprehensive virus protection plan must combine policy, people, processes and technology in order to be effective.
Virus Categories
Viruses:
- Work by infecting other legitimate programs and causing them to become destructive or disrupt the system in some other manner.
- Use some type of replication method to spread and infect other programs, systems, or networks.
- Need some sort of trigger or activation mechanism to set them off.
Viruses may remain dormant and undetected for long periods of time. Refer to Figure for the major virus categories.
Antivirus Strategies
- Effective antivirus policies and procedures must first focus on the use and checking of all diskettes before pursuing technology-based solutions.
- Use virus scanning software to detect viruses in collaborative applications and avoid the infection/reinfection cycle.
Figure shows the collaboration software infection/reinfection cycle. Figure 16-19 shows virus infection points of attack and protective measures.

16 Figure 16-18 Collaborative Software Infection/Re-infection Cycle

17 Figure 16-19 Virus Infection Points of Attack and Protective Measures

18 FIREWALLS
Firewall software usually runs on a dedicated server that is connected to, but outside of, the corporate network. Firewalls provide a layer of isolation between the inside network and the outside network.
Firewall Architectures
- Packet Filtering: examines source and destination addresses and determines access based on the entries in a filter table. A packet filter can be breached by a technique known as IP spoofing: if a hacker makes a packet appear to come from an authorized or trusted IP address, it can pass through the firewall.
- Application Gateway filters or Proxies: examine the entire request for data rather than just the source and destination addresses. Secure files can be marked as such, and application-level filters will not allow those files to be transferred, even to users authorized by port-level filters.
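The packet-filtering weakness described on this slide, as an added example that is not part of the original presentation: an address-only filter table beside the same table with an ingress-interface check in front of it. The address ranges, interface names and sample packets are constructed, and the ingress check is a standard anti-spoofing measure that the slides themselves do not name.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet physically arrived on


# Constructed filter table: (source network, destination network, action).
FILTER_TABLE = [
    ("10.0.0.0/8", "10.0.5.0/24", "permit"),        # inside hosts -> servers
    ("198.51.100.0/24", "10.0.5.10/32", "permit"),  # trusted partner -> one server
]
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range


def _in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def address_only_filter(pkt: Packet) -> str:
    """Filter as the slide describes it: addresses only, first match wins."""
    for src_net, dst_net, action in FILTER_TABLE:
        if _in_net(pkt.src, src_net) and _in_net(pkt.dst, dst_net):
            return action
    return "deny"  # nothing matched: default deny


def filter_with_ingress_check(pkt: Packet) -> str:
    """Same table, but first reject a source address that cannot belong to
    the interface the packet arrived on."""
    src = ipaddress.ip_address(pkt.src)
    claims_inside = any(src in net for net in INSIDE_NETS)
    if pkt.in_iface == "outside" and claims_inside:
        return "deny"  # inside address seen on the outside link
    if pkt.in_iface == "inside" and not claims_inside:
        return "deny"  # outside address seen on the inside link
    return address_only_filter(pkt)


# Constructed sample traffic.
LEGIT_INSIDE = Packet("10.0.1.7", "10.0.5.10", "inside")
SPOOFED_INSIDE = Packet("10.0.1.7", "10.0.5.10", "outside")
SPOOFED_PARTNER = Packet("198.51.100.9", "10.0.5.10", "outside")
UNKNOWN_OUTSIDE = Packet("203.0.113.5", "10.0.5.10", "outside")
```

`SPOOFED_PARTNER` is permitted by both functions: a filter that sees only addresses cannot tell a forged outside address from a genuine one, so address-based rules do not authenticate the sender.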

19 FIREWALLS
Dual-homed gateway
The application gateway is physically connected to the private secure network and the packet-filtering router is connected to the nonsecure network. All outside traffic still goes through the application gateway first and then to the information servers. See Figure 16-20.
Trusted gateway
Certain applications are identified as trusted and are able to bypass the application gateway entirely, establishing connections directly rather than being executed by proxy. See Figure

20 Figure 16-20 Packet Filters, Application Gateways, Proxies, Trusted Gateways, and Dual-Homed Gateways

21 AUTHENTICATION AND ACCESS CONTROL
Authentication ensures that users attempting to gain access to networks are really who they claim to be. Authentication products break down into three overall categories:
- What you know: authentication technology that can deliver single sign-on (SSO) access to multiple network-attached servers and resources via passwords.
- What you have: uses one-time or session passwords or other techniques to authenticate users and validate the authenticity of messages or files.
- What you are: validates users based on some physical characteristic.
Token Authentication – Smart Cards
Token authentication technology may take multiple forms:
- Hardware-based Smart Cards
- In-line authentication device
- Software token on client PC
There are two overall approaches to the token authentication process.

22 AUTHENTICATION AND ACCESS CONTROL
Challenge-response token authentication
1. The user enters an assigned user ID and password at the client workstation.
2. The token authentication server software returns a numeric string known as a challenge.
3. The challenge number and a personal ID number are entered on the hand-held Smart Card.
4. The Smart Card displays a response number on the LCD screen.
5. This response number is entered on the client workstation and transmitted back to the token authentication server.
6. The token authentication server validates the response against the expected response from this particular user and this particular Smart Card. If the two match, the user is deemed authentic and the login session is enabled.
Time-synchronous token authentication
1. Every 60 seconds, the time-synchronous Smart Card and the server-based software generate a new access code.
2. The user enters their user ID, a personal ID number, and the access code currently displayed on the Smart Card.
3. The server receives the access code and authenticates the user by comparing the received access code with the expected access code unique to that Smart Card, which was generated at the server in time-synchronous fashion.
See Figure

23 Figure Challenge Response vs. Time Synchronous Token Authentication
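The two token flows on the preceding slide, sketched as an added example that is not part of the original presentation. HMAC-SHA256, the 6-digit code length, the single-use challenge and the one-window drift allowance are assumptions; the slides give only the steps and the 60-second interval, and the user ID/password step that precedes the challenge is left out.

```python
import hashlib
import hmac
import secrets

STEP = 60  # seconds between access codes, as on the slide

def _code(seed: bytes, value: str) -> str:
    # HMAC-SHA256 is a stand-in: the slides do not name the card's algorithm.
    mac = hmac.new(seed, value.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class SmartCard:
    """Hand-held token holding a per-card secret seed (hypothetical model)."""
    def __init__(self, seed: bytes):
        self._seed = seed

    def respond(self, pin: str, challenge: str) -> str:
        # Challenge-response: challenge and PIN are keyed in on the card.
        return _code(self._seed, f"{pin}:{challenge}")

    def access_code(self, now: float) -> str:
        # Time-synchronous: the displayed code changes every STEP seconds.
        return _code(self._seed, str(int(now // STEP)))

class TokenServer:
    """Token authentication server; shares each card's seed and the user's PIN."""
    def __init__(self):
        self._users = {}    # user_id -> (seed, pin)
        self._pending = {}  # user_id -> outstanding challenge
        self._last = {}     # user_id -> last time window accepted

    def enroll(self, user_id: str, seed: bytes, pin: str) -> None:
        self._users[user_id] = (seed, pin)

    def challenge(self, user_id: str) -> str:
        self._pending[user_id] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[user_id]

    def verify_response(self, user_id: str, response: str) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # cannot be replayed against a later login.
        challenge = self._pending.pop(user_id, None)
        if challenge is None or user_id not in self._users:
            return False
        seed, pin = self._users[user_id]
        return hmac.compare_digest(_code(seed, f"{pin}:{challenge}"), response)

    def verify_time_code(self, user_id, pin, code, now, drift=1) -> bool:
        seed, real_pin = self._users.get(user_id, (b"", ""))
        if not real_pin or not hmac.compare_digest(pin, real_pin):
            return False
        current = int(now // STEP)
        # Accept `drift` windows either side for clock skew, but never a
        # window at or before the last one accepted (blocks code replay).
        for w in range(current - drift, current + drift + 1):
            if w > self._last.get(user_id, -1) and hmac.compare_digest(_code(seed, str(w)), code):
                self._last[user_id] = w
                return True
        return False
```

The single-use challenge and the last-accepted-window check are the sequence-numbering and time-stamping defences against replay that the Attack Strategies slide lists.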

24 AUTHENTICATION AND ACCESS CONTROL
If the security offered by token authentication is insufficient, biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition or other physical characteristics.
Authorization is a subset of authentication. While authentication ensures that only legitimate users can log into the network, authorization ensures that these properly authenticated users access only the network resources for which they are properly authorized. The authorization security software can be either server-based (brokered authorization) or workstation-based (trusted node).

25 ENCRYPTION
A security process complementary to, rather than mutually exclusive with, authentication and authorization. Encryption ensures that the contents of the transmission would be meaningless (called ciphertext) if they were intercepted. Encryption must be accompanied by decryption, to change the unreadable text back into its original form.
Data Encryption Standard (DES) is often used to allow encryption devices manufactured by different manufacturers to interoperate successfully. The DES encryption standard actually includes two parts for greater security:
- A method of encrypting data 64 bits at a time
- A variable 64-bit key (private key)
Private key
This private key must be known by both the sending and the receiving encryption devices and allows so many unique combinations (2 to the 64th power) that unauthorized decryption is nearly impossible.

26 ENCRYPTION Public key or Public/private key encryption
The process actually combines public and private keys. In public key encryption, the sending encryption device encrypts a document using the intended recipient’s public key and the originating party’s private key. This public key is readily available in a public directory. To decrypt the document, the receiving encryption device must be programmed with the recipient’s private key and the sending party’s public key. This method requires only the receiving party to possess their private key and eliminates the need for transmission of private keys.
Digital signature encryption appends an encrypted digital signature to the encrypted document as an electronic means of guaranteeing the authenticity of the sending party and assuring that encrypted documents have not been tampered with during transmission. The digital signature is regenerated at the receiving encryption device from the transmitted document and compared to the transmitted digital signature. See Figure

27 Figure Private Key Encryption, Public Key Encryption, and Digital Signature Encryption

28 APPLIED SECURITY SCENARIOS
Overall Design Strategies
Some general guidelines that would apply to most situations:
- Install only software and hardware that you really need on your network.
- Allow only essential traffic into and out of the corporate network.
- Investigate the business case for outsourcing web-hosting services.
- Use routers to filter traffic by IP address.
- Make sure that router operating system software has been patched.
- Identify those information assets that are most critical to the corporation.
- Implement physical security constraints to hinder physical access to critical resources such as servers.
- Monitor system activity logs carefully.
- Develop a simple, effective and enforceable security policy and monitor its implementation and effectiveness.
- Consider installing a proxy server or application layer firewall.
- Block incoming DNS queries and requests for zone transfers.
- Don’t publish the corporation’s complete DNS map on DNS servers that are outside the corporate firewall.
- Disable all TCP ports and services that are not essential.

29 APPLIED SECURITY SCENARIOS
Remote Access Security
The challenge is how to manage the activity of all of the remote access users that have logged in via a variety of multi-vendor equipment and authentication technology. Remote Authentication Dial-In User Service (RADIUS) offers the potential to enable centralized management of remote access users and technology. See Figure. It enables communication between the following three tiers of technology:
- Remote access devices such as remote access servers and token authentication technology from a variety of vendors, otherwise known as network access servers (NAS)
- Enterprise database that contains authentication and access control information
- RADIUS authentication server
Users request connections and provide user IDs and passwords to the network access servers, which in turn pass the information along to the RADIUS authentication server for authentication approval or denial.

30 Figure 16-28 Remote Authentication Dial-In User Services (RADIUS) Architecture

31 APPLIED SECURITY SCENARIOS
RADIUS:
- Allows the network manager to centrally manage remote access users, access methods, and logon restrictions.
- Centralized auditing, e.g. keeping track of the volume of traffic sent and the amount of time on-line.
- Enforces remote access limitations, e.g. server access restrictions or on-line time limitation.
- Supports password authentication protocol (PAP), challenge handshake authentication protocol (CHAP) and Secure ID token authentication.
- Transmits passwords in encrypted format only.
Virtual Private Network Security
To provide virtual private networking capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems. Two rival standards are examples of such tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Forwarding (L2F).

32 APPLIED SECURITY SCENARIOS
See Figure. Two rival specifications currently exist for establishing security over VPN tunnels: IPsec and PPTP.

33 Figure 16-29 Tunneling Protocols Enable Virtual Private Networks

34 APPLIED SECURITY SCENARIOS
Enterprise Network Security
To maintain proper security over a widely distributed enterprise network, it is essential to be able to conduct certain security-related processes from a single, centralised security management location. These processes are:
- Single point of registration (SPR) allows a network security manager to enter a new user from a single centralized location and assign all associated rights, privileges and access control to enterprise resources.
- Single sign-on (SSO) allows the user to log in to the enterprise network and to be authenticated from their client PC location.
- Single access control view allows the user’s access from their client workstation to display only those resources that the user actually has access to.
- Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders.

35 GOVERNMENT IMPACT
Government agencies play a major role in the area of network security. The primary function of these various government agencies is:
- Standards-making organizations that set standards for the design, implementation, and certification of security technology and systems
**** END ****

