Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/28/2010 Network Plus Unit 5 – Section 1 Security.

Published byKatrina Harmon Modified over 9 years ago

Similar presentations

Presentation on theme: "1/28/2010 Network Plus Unit 5 – Section 1 Security."— Presentation transcript:

1

2 1/28/2010 Network Plus Unit 5 – Section 1 Security

3 Identify and Describe Security Risks People Transmissions Protocols Internet Access

4 Network+ Guide to Networks, 5 th Edition6 Risks Associated with People Half of all security breaches –Human errors, ignorance, omissions Social engineering –Strategy to gain password –Phishing Glean access, authentication information Pose as someone needing information

5 Network+ Guide to Networks, 5 th Edition7 Risks Associated with Transmission and Hardware Physical, Data Link, Network layer security risks –Require more technical sophistication Risks inherent in network hardware and design –Transmission interception Man-in-the-middle attack –Eavesdropping Networks connecting to Internet via leased public lines –Sniffing Network hubs broadcasting traffic over entire segment

6 Network+ Guide to Networks, 5 th Edition8 Risks Associated with Transmission and Hardware (cont’d.) Risks inherent in network hardware and design (cont’d.) –Private address availability to outside Routers not properly configured to mask internal subnets –Port access via port scanner Unused hub, switch, router, server ports not secured –Router attack Routers not configured to drop suspicious packets

7 Network+ Guide to Networks, 5 th Edition9 Risks Associated with Transmission and Hardware (cont’d.) Risks inherent in network hardware and design (cont’d.) –Security holes Modems accept incoming calls Dial-in access servers not secured, monitored –General public computer access Computers hosting sensitive data –Insecure passwords Easily guessable, default values

8 Network+ Guide to Networks, 5 th Edition10 Risks Associated with Protocols and Software Includes Transport, Session, Presentation, and Application layers Networking protocols and software risks –TCP/IP security flaws –NOS Problems Invalid trust relationships NOS back doors, security flaws NOS allows server operators to exit to command prompt Administrators default security options

9 Network+ Guide to Networks, 5 th Edition12 Risks Associated with Internet Access Common Internet-related security issues –Improperly configured firewall Outsiders obtain internal IP addresses: IP spoofing –Chat session flashing –Denial-of-service attack Smurf attack: hacker issues flood of broadcast ping messages –Telnets or FTPs Transmit user ID, password in plain text –Social media (Facebook, mailing lists, forums) Provide hackers user information

10 Network Security Technology Router Access Lists Intruder Detection and Prevention Firewalls Proxy Servers

11 24 Security in Network Design Router Access Lists Control traffic through routers Routers main function –Examine packets, determine where to send Based on Network layer addressing information ACL (access control list) –Known as access list –Routers decline to forward certain packets

12 25 Router Access Lists (cont’d.) ACL instructs router –Permit or deny traffic according to variables: Network layer protocol (IP, ICMP) Transport layer protocol (TCP, UDP) Source IP address Source netmask Destination IP address Destination netmask TCP, UDP port number

13 26 Router Access Lists (cont’d.) Router receives packet, examines packet –Refers to ACL for permit, deny criteria –Drops packet if characteristics match Flagged as deny Access list statements –Deny all traffic from source addresses Netmask 255.255.255.255 –Deny all traffic destined for TCP port 23 Separate ACL’s for: –Interfaces –Inbound and outbound traffic

14 27 Intrusion Detection and Prevention Provides more proactive security measure –Detecting suspicious network activity IDS (intrusion detection system) –Software monitoring traffic On dedicated IDS device On another device performing other functions –Port mirroring Port configured to send copy of all traffic to another port for monitoring purposes –Detects many suspicious traffic patterns Denial-of-service, smurf attacks

15 28 Intrusion Detection and Prevention (cont’d.) DMZ (demilitarized zone) –Network’s protective perimeter –IDS sensors installed at network edges IDS at DMZ drawback –Number of false positives logged IDS can only detect and log suspicious activity

16 DMZ In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. An external attacker only has access to equipment in the DMZ, rather than any other part of the network.computer securitysubnetwork

17 29 Intrusion Detection and Prevention (cont’d.) IPS (intrusion-prevention system) –Reacts to suspicious activity When alerted –Detect threat and prevent traffic from flowing to network Based on originating IP address –Compared to firewalls IPS originally designed as more comprehensive traffic analysis, protection tool Differences now diminished

18 30 Intrusion Detection and Prevention (cont’d.) Figure 12-2 Placement of an IDS/IPS on a network

19 Network+ Guide to Networks, 5 th Edition31 Firewalls Specialized device and computer installed with specialized software –Selectively filters, blocks traffic between networks –Involves hardware, software combination –Resides Between two interconnected private networks Between private network and public network (network-based firewall) Firewall default configuration –Block most common security threats Preconfigured to accept, deny certain traffic types –Network administrators often customize settings

20 Network+ Guide to Networks, 5 th Edition32 Firewalls (cont’d.) Figure 12-3 Placement of a firewall between a private network and the Internet

21 34 Types of Firewalls Packet-filtering firewall (screening firewall) –Simplest firewall –Blocks traffic into LAN Examines header Check for IP address, Port number, IP header flags –Blocks traffic attempting to exit LAN Stops spread of worms Stops Zombie programs/spyware Port blocking Based on TCPor UDP port numbers Prevents connection to and transmission completion through ports

22 35 Firewall Configuration Common packet-filtering firewall criteria –Source, destination IP addresses –Source, destination ports –Flags set in the IP header –Transmissions using UDP or ICMP protocols –Packet’s status as first packet in new data stream, subsequent packet –Packet’s status as inbound to, outbound from private network –Logging, auditing capabilities –Protect internal LAN’s address identity

23 Network+ Guide to Networks, 5 th Edition36 Firewall Functions Firewall may have more complex functions –Encryption –User authentication –Central management –Easy rule establishment –Filtering Content-filtering firewalls Stateful - Monitor data stream from end to end Stateless firewall – Block individual packets

24 38 Proxy Servers Proxy service –Network host software application Intermediary between external, internal networks Screens all incoming and outgoing traffic Proxy server –Network host running proxy service –Application layer gateway, application gateway, and proxy –Manages security at Application layer

25 39 Proxy Server Functions Security –Prevent outside world from discovering internal network the addresses Improves performance –Caching files

26 Network+ Guide to Networks, 5 th Edition40 Proxy Servers (cont’d.) Figure 12-5 A proxy server used on a WAN

27 41 NOS (Network Operating System) Security Restrict user authorization –Centralized administration Active Directory –Secure access to server files and directories –Public rights Conferred to all users Very limited –Keep software updated with latest patches –Provide strong policies for passwords and logon restrictions

28 42 Logon Restrictions Additional restrictions –Time of day –Total time logged on –Source address –Unsuccessful logon attempts Secure Password

29 Network+ Guide to Networks, 5 th Edition44 Passwords Tips Change system default passwords Do not use familiar information or dictionary words –Dictionary attack Use long passwords –Letters, numbers, special characters Do not write down or share Change frequently Do not reuse Use different passwords for different applications

30 Encryption Use of keys to scramble data to prevent eavesdropping Symmetric vs Asymmetric keys Encryption systems

31 Network+ Guide to Networks, 5 th Edition45 Encryption Use of algorithm –Scramble data Format read by algorithm reversal (decryption) Purpose –Information privacy Key Encryption –Based on number of bits –Strength of encryption double with each bit

32 48 Key Encryption Figure 12-6 Key encryption and decryption

33 49 Private (Symmetric) Key Encryption Data encrypted using single key –Known by sender and receiver Symmetric encryption –Same key used during both encryption and decryption DES (Data Encryption Standard) –Most popular private key encryption –IBM developed (1970s) –56-bit key: secure at the time Triple DES –Weaves 56-bit key three times

34 Symmetric Key Encryption

35 50 Private Key Encryption AES (Advanced Encryption Standard) –Weaves 128, 160, 192, 256 bit keys through data multiple times –Uses Rijndael algorithm More secure than DES Much faster than Triple DES –Replaced DES in high security level situations Private key encryption drawback –Sender must somehow share key with recipient

36 51 Public (Asymmetric) Key Encryption Data encrypted using two keys –Private key: user knows –Public key: anyone may request Public key server –Publicly accessible host –Freely provides users’ public keys Key pair –Combination of public key and private key Asymmetric encryption –Requires two different keys

37 52 Figure 12-8 Public key encryption

38 54 Public Key Encryption PKI – Public Key Infrastructure RC4 –Key up to 2048 bits long –Highly secure, fast –E-mail, browser program use Lotus Notes, Netscape Digital certificate –Password-protected, encrypted file –Holds identification information Public key CA (certificate authority) –Issues, maintains digital certificates –Example: Verisign

39 Data Encryption Systems Pretty Good Privacy (PGP) –Used with email Secure Sockets Layers (SSL) –Used with HTTPS Secure Shell (SSH) –Replaces Telenet – uses SSL Secure Copy (SCP) –Replaces FTP – Uses SSL IP Security (IP Sec) –Used at Network layer with VPNs

40 56 PGP (Pretty Good Privacy) Secures e-mail transmissions Developed by Phil Zimmerman (1990s) Public key encryption system –Verifies e-mail sender authenticity –Encrypts e-mail data in transmission Administered at MIT Freely available –Open source and proprietary Also used to encrypt storage device data

41 57 SSL (Secure Sockets Layer) Encrypts TCP/IP transmissions –Web pages, Web form data entered into Web forms En route between client and server –Using Public key encryption technology Web pages using HTTPS –HTTP over Secure Sockets Layer, HTTP Secure –Data transferred from server to client (vice versa) Using SSL encryption –HTTPS uses TCP port 443 Used by SSL VPNs

42 58 SSL (cont’d.) SSL session –Association between client and server Specific set of encryption techniques –Created by SSL handshake protocol Allows client and server to authenticate SSL –Netscape originally developed –IETF attempted to standardize TLS (Transport Layer Security) protocol

43 HTTPS Based on SSL –Presentation layer encyrption Uses Port 443 Browser may show padlock symbol or green color

44 59 SSH (Secure Shell) Collection of protocols Provides Telnet capabilities with security Guards against security threats –Unauthorized host access –IP spoofing –Interception of data in transit –DNS spoofing Encryption algorithm (depends on version) –DES, Triple DES, RSA, Kerberos

45 61 SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol) Part of SSH which runs on Port 22 SCP (Secure CoPy) utility –Extension to OpenSSH –Allows copying of files from one host to another securely –Replaces insecure file copy protocols (FTP) Does not encrypt user names, passwords, data Proprietary SSH version (SSH Communications Security) –Requires SFTP (Secure File Transfer Protocol) to copy files Slightly different from SCP (does more than copy files)

46 63 IPSec (Internet Protocol Security) Defines encryption, authentication, key management –Works at Network layer for TCP/IP transmissions Native IPv6 standard Difference from other methods –Encrypts data by adding security information to all IP packet headers –Transforms data packets Operates at Network layer (Layer 3) Used by L2TP VPN connections

47 66 IPSec (cont’d.) Figure 12-9 Placement of a VPN concentrator on a WAN

48 Network Authentication Allow a user to login to a server or service without revealing the user password to packet sniffers. Requires some form of encryption Secure Login Systems

49 67 Authentication Protocols Authentication –Process of verifying a user’s credentials Grant user access to secured resources Authentication protocols –Rules computers follow to accomplish authentication Several authentication protocol types –RADIUS/TACACS –PAP –CHAP –EAP and 802.1x (EAPoL) –Kerberos

50 68 RADIUS and TACACS Provides centralized network authentication, accounting for multiple users –Defined by IETF –Runs over UDP RADIUS server –Central Authentication of users –Does not replace functions performed by remote access server TACACS (Terminal Access Controller Access Control System) –Similar, earlier centralized authentication version

51 70 RADIUS and TACACS (cont’d.) Figure 12-10 A RADIUS server providing centralized authentication

52 71 PAP (Password Authentication Protocol) PAP authentication protocol –Operates over PPP –Simple two-step authentication process –Not secure Sends client’s credentials in clear text Subject to Eavesdropping and packet sniffing

53 Network+ Guide to Networks, 5 th Edition72 PAP (cont’d.) Figure 12-11 Two-step authentication used in PAP

54 73 CHAP Operates over PPP and encrypts user names, passwords –Password never transmitted alone –Password never transmitted in clear text Uses three-way handshake Figure 12-12 Three-way handshake used in CHAP

55 MS-CHAP (cont’d.) MS-CHAP (Microsoft Challenge Authentication Protocol) –Similar authentication protocol Windows-based computers Potential CHAP, MS-CHAP authentication flaw –Eavesdropping could capture character string encrypted with password, then decrypt Solution –MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2) –Uses stronger encryption 74

56 78 CHAP and MS-CHAP (cont’d.) Figure 12-14 Windows Vista Advanced Security Settings dialog box

57 79 EAP (Extensible Authentication Protocol) Another authentication protocol –Part of PPP suite – authorized client and server –Provides process to verify client – server credentials Works with other encryption, authentication schemes Requires authenticator to initiate authentication process –Ask connected computer to verify itself EAP’s advantages: –Flexibility –Works with bio-recognition devices

58 80 802.1x (EAPoL) Codified by IEEE –Specifies use of one of many authentication methods plus EAP Grant access to and dynamically generate and update authentication keys for transmissions to a particular port Primarily used with wireless networks –Originally designed for wired LAN EAPoL (EAP over LAN) Only defines process for authentication Commonly used with RADIUS authentication Also called Port based authentication

59 81 802.1x (EAPoL) (cont’d.) Figure 12-15 802.1x authentication process

60 82 Kerberos Cross-platform authentication protocol –Uses Private Key encryption service called AS Verifies client identity Securely exchanges information after client logs on Terms –KDC (Key Distribution Center) – issues key to client –AS (authentication service) –Ticket - used to prove identity of user has been validated –Principal Ticket Granting service (TGS) –Issues tickets to client

61 83 Kerberos TGS Original process Kerberos AS issued separate ticket for each service accessed by client Ticket-Granting Service (TGS) added –AS issues Ticket-Granting Ticket (TGT) –TGT is used by client to get ticket from TGS for each service

62 Wireless Security Options

63 84 Wireless Network Security Wireless Susceptible to eavesdropping –War driving Effective for obtaining private information Forms of Wireless Encryption –WEP –802.11i Uses EAPoL –WPA –WPA2 Based on 802.11i

64 85 WEP (Wired Equivalent Privacy) 802.11 standard security –None by default –SSID: only item required WEP –Requires authentication to access WAP –Uses a single private key for entire session –Encrypt data in transit –Keys may be “cracked” using software No longer considered secure from Eavesdropping or packet sniffing

65 87 Figure 12-16 Entering a WEP key in the Windows XP wireless network properties dialog box

66 88 IEEE 802.11i and WPA (Wi-Fi Protected Access) 802.11i uses 802.1x (EAPoL) –Authenticate devices Dynamically assigns every transmission its own key –Relies on TKIP Encryption key generation, management scheme –Uses AES encryption

67 WPA and WPA2 WPA (Wi-Fi Protected Access) –Subset of 802.11i –Same authentication as 802.11i –Uses RC4 encryption –Has been cracked WPA2 –Follows 802.11i –Uses AES security –Replaces WPA2

68 Setting Wireless Security

69 Network+ Guide to Networks, 5 th Edition The End

Download ppt "1/28/2010 Network Plus Unit 5 – Section 1 Security."

Similar presentations

Network Security.

Network Security.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Network+ Guide to Networks, Fourth Edition

Network+ Guide to Networks, Fourth Edition
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Chapter 12 Network Security.

Chapter 12 Network Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Chapter 14: Networking Security Network+ Guide to Networks Third Edition.

Chapter 14: Networking Security Network+ Guide to Networks Third Edition.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Chapter Fifteen NetworkSecurity. Objectives Identify security risks in LANs and WANs Explain how physical security contributes to network security Discuss.

Chapter Fifteen NetworkSecurity. Objectives Identify security risks in LANs and WANs Explain how physical security contributes to network security Discuss.
Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.

Chapter 8: Configuring Network Connectivity. Installing Network Adapters Network adapter cards connect a computer to a network. Installation –Plug and.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google