CEG 2400 FALL 2012 Chapter 11 Network Security 1.


1 CEG 2400 FALL 2012 Chapter 11 Network Security 1

2 Security Assessment
- What is at risk?
  – Consider the effects of each risk
- Different organization types have different risk levels
- Posture assessment
  – Thorough network examination
  – Determine possible compromise points
  – Performed in-house by IT staff
  – Performed by a third party: called a security audit

3 Security Risks: Terms
- Hacker
  – Individual who gains unauthorized access to systems
- Vulnerability
  – Weakness of a system, process, or architecture
- Exploit
  – Means of taking advantage of a vulnerability
- Zero-day exploit
  – Taking advantage of an undiscovered software vulnerability

4 Risks Associated with People
- Half of all security breaches caused by people
- Social engineering: strategy to gain passwords
  – Glean access and authentication information
  – Pose as someone needing information
  – Web pages
- Easiest way to circumvent network security
  – Take advantage of human error
  – Default passwords
  – Writing passwords, etc. on paper
  – Overlooking security flaws

5 Transmission and Hardware Risks
- Risks inherent in network hardware and design
  – Transmission interception
    – Man-in-the-middle attack
  – Eavesdropping
    – Networks connecting to Internet via leased public lines
  – Sniffing
    – Repeating devices broadcast traffic over entire segment

6 Transmission and Hardware Risks
- Risks inherent in network hardware and design (cont'd.)
  – Port access via port scanner
  – Private address availability to outside
  – Router attack
    – Routers not configured to drop suspicious packets
  – Access servers not secured or monitored
  – Computers hosting sensitive data coexist on same subnet as public computers
  – Insecure passwords
    – Easily guessable or default values

7 Protocols and Software Risks
- Includes Transport, Session, Presentation, and Application layers
- Networking protocol and software risks
  – TCP/IP security flaws
  – Invalid trust relationships
  – NOS back doors, security flaws
  – Buffer overflow
  – Administrators' default security options

8 Internet Access Risks
- Outside threats
  – Web browsers permit scripts to access systems
  – Users provide information to sites
- Common Internet-related security issues
  – Improperly configured firewall
  – Telnet or FTP
    – Transmit user ID and password in plain text
  – Denial-of-service attack
    – Smurf attack: hacker issues flood of broadcast ping messages

9 Forming an Effective Security Policy
- Security policy
  – Identifies security goals, risks, authority levels, designated security coordinator, and team members
  – Responsibilities of each employee
  – How to address security breaches
- Not included in policy:
  – Hardware, software, architecture, and protocols used
- A general policy

10 Security Policy Goals
- Typical goals
  – Ensure authorized users have appropriate resource access
  – Prevent unauthorized user access
  – Protect sensitive data from unauthorized access
  – Prevent accidental and intentional hardware and software damage
  – Create secure environment
  – Communicate employees' responsibilities

11 Security Policy Goals
- Strategy used to form goals
  – Form committee
    – Involve as many decision makers as possible
  – Understand risks
    – Conduct posture assessment
  – Assign person responsible for addressing threats

12 Security Policy Content
- Outline policy content
  – Define policy subheadings
  – Ex.: password policy, sensitive data policy, remote access policy, etc.
- Explain to users:
  – What they can and cannot do
  – How these measures protect network security
- Define what "confidential" means to the organization

13 Response Policy
- What happens after a security breach occurs
  – Provide planned response
- Identify response team members
  – Dispatcher
  – Manager
  – Technical support specialist
  – Public relations specialist
- After problem resolution
  – Review process
  – Regularly rehearse defense
    – Threat drill

14 Physical Security
- Restrict physical access to network components
  – Lock computer rooms, telco rooms, wiring closets, and equipment cabinets
  – Locks can be physical or electronic

15 Physical Security
- Physical barriers
  – Gates, fences, walls, and landscaping
- Surveillance cameras
  – Central security office capabilities
    – Display several camera views at once
  – Video footage can be used in investigation and prosecution
- Consider losses from the hard disks of salvaged and discarded computers
  – Solutions
    – Run specialized disk sanitizer program
    – Remove disk and use magnetic hard disk eraser
    – Pulverize or melt disk

16 Security in Network Design
- Preventing external LAN security breaches
  – Restrict access at every point where LAN connects to rest of the world
- Router access lists
  – Control traffic through routers
  – Router's main functions
    – Examine packets
    – Determine destination based on Network layer addressing information
  – ACL (access control list)
    – Routers can decline to forward certain packets

17 Router Access Lists
- ACL variables used to permit or deny traffic
  – Network layer protocol (IP, ICMP)
  – Transport layer protocol (TCP, UDP)
  – Source or destination IP address
  – Source or destination netmask
  – TCP or UDP port number
- Access list examples
  – Deny all traffic from a given source address with netmask 255.255.255.255 (matches that single host)
  – Deny all traffic destined for TCP port 23
- Separate ACLs for:
  – Each interface; inbound and outbound traffic

18 Intrusion Detection and Prevention
- Proactive security measure
  – Detecting suspicious network activity
  – Two types: IDS and IPS
- IDS (intrusion detection system)
  – Software monitoring traffic
  – IDS software detects many suspicious traffic patterns
    – Examples: denial-of-service, smurf attacks
  – IDS can only detect and log suspicious activity

19 Intrusion Detection and Prevention
- IPS (intrusion-prevention system)
  – Can react to suspicious activity when alerted
  – Detects threat and prevents traffic from flowing to network
- NIPS (network-based intrusion prevention)
  – Protects entire networks
- HIPS (host-based intrusion prevention)
  – Protects certain hosts
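The IDS/IPS distinction on slides 18 and 19 comes down to what happens after a signature matches: an IDS logs and forwards, an IPS logs and drops. The following added example (not part of the course slides) runs two simple signatures over constructed flow records: the smurf pattern the slides name (an ICMP echo request addressed to a local network's broadcast address) and a plain echo-request flood from one source. The `LOCAL_NETS` list, the flow records, the threshold and the window are all assumptions made for the demonstration.

```python
import ipaddress
from collections import defaultdict, deque

# Networks this sensor protects (constructed). A ping addressed to a network's
# broadcast address is the smurf pattern the slides mention.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]
ICMP_ECHO_REQUEST = 8

# Constructed flow records: (seconds, protocol, src, dst, icmp_type or None)
SAMPLE_FLOWS = [
    (0.00, "icmp", "10.0.0.5",     "10.0.0.9",   8),     # ordinary ping
    (0.05, "icmp", "10.0.0.9",     "10.0.0.5",   0),     # its reply
    (0.10, "icmp", "192.0.2.44",   "10.0.0.255", 8),     # echo request to directed broadcast
    (0.20, "tcp",  "10.0.0.5",     "10.0.0.20",  None),  # unrelated TCP flow
    (0.30, "icmp", "198.51.100.9", "10.0.0.9",   8),     # five echo requests inside 0.1 s ...
    (0.31, "icmp", "198.51.100.9", "10.0.0.9",   8),
    (0.32, "icmp", "198.51.100.9", "10.0.0.9",   8),
    (0.33, "icmp", "198.51.100.9", "10.0.0.9",   8),
    (0.34, "icmp", "198.51.100.9", "10.0.0.9",   8),     # ... the fifth crosses the threshold
]


def _is_local_broadcast(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def analyze(flows, mode="ids", threshold=5, window=1.0):
    """Run two signatures over flow records.

    mode="ids": every record is forwarded; matches are only logged as alerts.
    mode="ips": matching records are dropped instead of forwarded.
    Returns (alerts, forwarded).
    """
    assert mode in ("ids", "ips")
    alerts = []
    forwarded = []
    recent = defaultdict(deque)   # src -> timestamps of its recent echo requests

    for record in flows:
        ts, proto, src, dst, icmp_type = record
        signature = None
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST:
            if _is_local_broadcast(dst):
                signature = "smurf-broadcast-ping"
            else:
                q = recent[src]
                q.append(ts)
                while q and ts - q[0] > window:    # sliding window of `window` seconds
                    q.popleft()
                if len(q) >= threshold:
                    signature = "icmp-echo-flood"
        if signature is not None:
            alerts.append((signature, src, dst))
            if mode == "ips":
                continue               # prevention: the record is not forwarded
        forwarded.append(record)       # detection only: log it and let it through
    return alerts, forwarded


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = analyze(SAMPLE_FLOWS, mode)
        print(mode, "alerts:", alerts, "forwarded:", len(forwarded))
```

Run in `ids` mode both alerts are raised and all nine records pass; in `ips` mode the same two alerts are raised and the two matching records are dropped. Note that the flood rule only fires on the fifth request, so the first four are forwarded even by the IPS: threshold-based signatures always admit some traffic before they trigger, which is why an IPS is placed in line with, not instead of, a firewall.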

20 Figure: Placement of an IDS/IPS on a network

21 Firewalls
- Firewall
  – Selectively filters and blocks traffic between networks
  – Involves hardware and software combination
- Packet-filtering firewall
  – Simplest firewall
  – Examines header of every entering packet
  – Can block traffic entering or exiting a LAN
  – Cannot distinguish user trying to breach firewall from authorized user
- Common packet-filtering firewall criteria
  – Source, destination IP addresses
  – Source, destination ports
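Router ACLs (slide 17) and packet-filtering firewalls (slide 21) make the same kind of decision: match header fields against an ordered rule list, first match wins, implicit deny at the end. The added example below (written for this page, not taken from the course or any vendor) implements that evaluator and encodes the two slide-17 rules, a per-host deny and a TCP-port-23 deny, followed by a permit-everything rule. It uses the slides' netmask convention, where 255.255.255.255 selects one host and 0.0.0.0 matches any address (Cisco IOS writes the same idea as an inverted wildcard mask). The host address 203.0.113.7, the other addresses and the `Interface` class are assumptions for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see (constructed for this example)."""
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None   # transport-layer destination port, if any


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Netmask 255.255.255.255 matches exactly one host,
    0.0.0.0 matches any address (the slides' netmask convention)."""
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every Network layer protocol
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None   # TCP/UDP destination port to match, if any


def _address_matches(addr: str, ref: str, mask: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    r = int(ipaddress.IPv4Address(ref))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (r & m)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _address_matches(pkt.src, rule.src, rule.src_mask):
        return False
    if not _address_matches(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an ACL ends with an implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


class Interface:
    """A router interface keeps separate lists for inbound and outbound traffic."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = inbound
        self.outbound = outbound

    def filter(self, pkt: Packet, direction: str) -> str:
        acl = self.inbound if direction == "in" else self.outbound
        return evaluate(acl, pkt)


# The two examples from slide 17, with a constructed (documentation-range) host address.
OUTSIDE_IN = [
    Rule("deny", src="203.0.113.7", src_mask="255.255.255.255"),   # one specific host
    Rule("deny", proto="tcp", dport=23),                           # Telnet to anything
    Rule("permit"),                                                 # everything else
]
INSIDE_OUT = [Rule("permit")]

WAN = Interface(inbound=OUTSIDE_IN, outbound=INSIDE_OUT)


def demo() -> List[str]:
    """Verdicts for a few constructed packets arriving on the WAN interface."""
    samples = [
        Packet("tcp", "203.0.113.7", "192.0.2.10", 443),   # blocked host, any service
        Packet("tcp", "198.51.100.5", "192.0.2.10", 23),   # Telnet
        Packet("udp", "198.51.100.5", "192.0.2.10", 23),   # UDP/23: the deny is TCP-only
        Packet("tcp", "198.51.100.5", "192.0.2.10", 443),  # HTTPS
        Packet("icmp", "198.51.100.5", "192.0.2.10"),      # ping, no port at all
    ]
    return [WAN.filter(p, "in") for p in samples]


if __name__ == "__main__":
    print(demo())   # ['deny', 'deny', 'permit', 'permit', 'permit']
```

`evaluate` never learns who is behind a packet, only what its header says, which is the limitation slide 21 states: a packet filter cannot tell an authorized user from an intruder using the same addresses and ports.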

22 Figure: Placement of a firewall between a private network and the Internet

23 Proxy Servers
- Proxy server
  – Network host running proxy service
- Proxy service
  – Network host software application
  – Intermediary between external and internal networks
- Fundamental function
  – Prevent outside world from discovering internal network addresses
- Improves performance for external users
  – File caching

24 Figure: A proxy server used on a WAN

25 Scanning Tools
- Used during posture assessment
  – Duplicate hacker methods
- NMAP (Network Mapper)
  – Designed to scan large networks
  – Provides information about network and hosts
- Nessus
  – Performs more sophisticated scans than NMAP
- There are other scanning tools
  – http://sectools.org/

26 NOS (Network Operating System) Security
- Restrict user authorization
  – Access to server files and directories
- Logon restrictions to strengthen security
  – Time of day
  – Total time logged on
  – Source address
  – Unsuccessful logon attempts

27 Passwords
- Choose secure passwords
- Communicate password guidelines, and the reasons for them, to users
- Tips
  – Change system default passwords
  – Do not use familiar information or dictionary words
  – Use long passwords
    – Letters, numbers, special characters
  – Do not write down or share
  – Change frequently
  – Do not reuse
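The logon restrictions of slide 26 and the password tips of slide 27 are both things a NOS enforces in code. The added example below (written for this page, not taken from the course or from any operating system) checks a candidate password against the slide's tips, including reuse against a salted hash history, and models a logon gate that applies the time-of-day, source-address and failed-attempt restrictions. The default-password list, the word list, the 12-character minimum, the hour window, the allowed source network and the lockout count are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lists; a real deployment loads vendor defaults and a full word list.
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "changeme", "1234"}
DICTIONARY_WORDS = ("summer", "welcome", "dragon", "network", "secret")
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stored history cannot be reversed into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_problems(candidate: str, familiar=(), history=()):
    """Return the list of guideline violations (an empty list means acceptable).

    familiar: user-specific strings (name, user ID, ...) that must not appear.
    history:  (salt, digest) pairs of earlier passwords, used to block reuse.
    """
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        problems.append("system default password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, candidate)) < 3:
        problems.append("needs a mix of letters, numbers and special characters")
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in familiar:
        if item and item.lower() in lowered:
            problems.append("contains familiar information")
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reuses a previous password")
    return problems


class LogonGate:
    """NOS-style logon restrictions: hours, source address, failed-attempt lockout."""

    def __init__(self, start=time(8, 0), end=time(18, 0),
                 allowed_sources=("10.0.0.0/24",), max_failures=5):
        self.start, self.end = start, end
        self.allowed_sources = [ipaddress.ip_network(n) for n in allowed_sources]
        self.max_failures = max_failures
        self.failures = 0

    def check(self, now: datetime, source_ip: str):
        """Return (allowed, reason) for a logon attempt at `now` from `source_ip`."""
        if self.failures >= self.max_failures:
            return False, "account locked after repeated failed logons"
        if not (self.start <= now.time() <= self.end):
            return False, "outside permitted hours"
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self.allowed_sources):
            return False, "source address not permitted"
        return True, "ok"

    def record_failure(self):
        self.failures += 1

    def record_success(self):
        self.failures = 0
```

The reuse check works on hashes only: the history stores no old passwords, so a compromise of the history file does not hand over the user's previous choices. The lockout counter is per account and resets on success; a real system would also expire it after a cooling-off period so a flood of bad attempts cannot lock everyone out indefinitely.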

28 Encryption
- Use of an algorithm to scramble data
- Designed to keep information private
- Many encryption forms exist
- Provides assurances
  – Data not modified between being sent and received
  – Data can be viewed only by intended recipient
  – Data was not forged by an intruder

29 Key Encryption
- Key: one type of encryption
  – Random string of characters
  – Woven into original data's bits
  – Generates unique data block
- Ciphertext
  – Scrambled data block

30 Figure: Key encryption and decryption

31 Key Encryption
- Private key encryption *
  – Data encrypted using a single key
    – Known only by sender and receiver
    – Drawback: sender must somehow share the key with the recipient
  – Symmetric encryption
    – Same key used during both encryption and decryption
- DES (Data Encryption Standard)
  – 56-bit key: secure at the time
  – Triple DES: weaves 56-bit key three times
- AES (Advanced Encryption Standard)
  – Weaves 128, 160, 192, 256 bit keys through data multiple times
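Slides 28, 29 and 31 describe a key being "woven into" the data bits and the three assurances encryption should give. The added example below (written for this page; it is not DES, Triple DES or AES and not code from the course) makes those ideas concrete with the Python standard library only: a keystream is derived from the shared key with HMAC-SHA256 in counter mode and XORed into the plaintext, and a separate HMAC over the ciphertext lets the receiver detect modification. The same key is needed on both ends, which is the symmetric property and its key-distribution drawback. The key and message values are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(key: bytes):
    """Split one shared secret into separate encryption and integrity keys."""
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF (stand-in for a block cipher)."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Weave the key-derived keystream into the data bits (XOR), then append a MAC."""
    enc_key, mac_key = _derive_keys(key)
    nonce = secrets.token_bytes(NONCE_LEN)            # fresh per message, so equal
    stream = _keystream(enc_key, nonce, len(plaintext))   # plaintexts give unequal ciphertexts
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """Same key as encrypt (symmetric); verify the MAC before undoing the XOR."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _derive_keys(key)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def survives_transit(key: bytes, message: bytes) -> bool:
    """True if the receiver accepts the message; False if it was modified or keys differ."""
    try:
        decrypt(key, message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"shared-secret-known-to-both-ends"      # constructed
    msg = encrypt(key, b"transfer 100 to account 42")
    print(decrypt(key, msg))
    print(survives_transit(b"a-different-key", msg))   # False: wrong key
```

Without the MAC, flipping one ciphertext bit would flip exactly one plaintext bit undetected, since XOR is linear; the MAC is what backs the first assurance on slide 28 (data not modified). The third assurance (not forged) holds against anyone who lacks the key, which is why the key must stay with the two endpoints.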

32 Key Encryption
- Public key encryption *
  – Data encrypted using two keys
  – Key pair
    – Combination of public key and private key
  – Private key: user knows
  – Public key: anyone may request
- Public key server
  – Publicly accessible host that freely provides users' public keys
- Key encryption types
  – Diffie-Hellman (1975) (first)
  – RSA (most popular)
  – RC4 (more secure, weaves key multiple times)
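Slide 32 lists Diffie-Hellman as the first public key system and describes a public key server that hands out public keys on request. The added example below (not from the course slides) runs the Diffie-Hellman exchange end to end: each party keeps a private exponent, publishes the corresponding public value to a small key server, and derives the same shared secret from the other side's public value. The group parameters are a deliberately small toy choice for illustration (the 127-bit Mersenne prime 2^127 - 1 with generator 5); a real deployment uses a standardized group of 2048 bits or more, such as those in RFC 3526. The `PublicKeyServer` class and the party names are assumptions.

```python
import hashlib
import secrets

# Toy group parameters, for illustration only (far too small for real use).
P = 2**127 - 1     # Mersenne prime M127
G = 5


def generate_keypair():
    """Private key: a random exponent the user keeps; public key: G**private mod P."""
    private = secrets.randbelow(P - 3) + 2        # 2 <= private <= P-2
    public = pow(G, private, P)
    return private, public


def shared_secret(private: int, peer_public: int) -> bytes:
    """Both sides reach the same value: (G**a)**b == (G**b)**a (mod P)."""
    if not 1 < peer_public < P - 1:               # reject degenerate public values
        raise ValueError("invalid peer public key")
    s = pow(peer_public, private, P)
    # Hash the agreed number down to a fixed-size key for a symmetric cipher.
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


class PublicKeyServer:
    """Anyone may request a public key; private keys never reach the server."""

    def __init__(self):
        self._keys = {}

    def publish(self, name: str, public: int):
        self._keys[name] = public

    def lookup(self, name: str) -> int:
        return self._keys[name]


def demo():
    """Return (alice and bob agree, an outsider with its own exponent agrees)."""
    server = PublicKeyServer()
    alice_priv, alice_pub = generate_keypair()
    bob_priv, bob_pub = generate_keypair()
    server.publish("alice", alice_pub)
    server.publish("bob", bob_pub)
    k_alice = shared_secret(alice_priv, server.lookup("bob"))
    k_bob = shared_secret(bob_priv, server.lookup("alice"))
    # An observer sees only the published values; with its own exponent it
    # computes a different key.
    eve_priv, _ = generate_keypair()
    k_eve = shared_secret(eve_priv, server.lookup("alice"))
    return k_alice == k_bob, k_alice == k_eve


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The exchange solves the key-sharing drawback of slide 31: the agreed value is never sent, only the public values are. What plain Diffie-Hellman does not give is any proof of who published a public value, which is the gap that certificates and a CA (slide 33) fill.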

33 Key Encryption
- Digital certificates *
  – Key management system
  – Holds identification information
  – Includes public key
- CA (certificate authority)
  – Issues and maintains digital certificates
  – Example: Verisign
- PKI (public key infrastructure)
  – Use of certificate authorities to associate public keys with certain users

34 PGP (Pretty Good Privacy) and SSL (Secure Sockets Layer)
- PGP: secures e-mail transmissions
  – Developed by Phil Zimmermann (1990s)
  – Public key encryption system
- SSL: encrypts TCP/IP transmissions
  – Web pages and Web form data between client and server
  – Uses public key encryption technology
- Web pages using HTTPS
  – HTTP over Secure Sockets Layer, HTTP Secure
  – Uses TCP port 443

35 SSH (Secure Shell)
- Collection of protocols
  – Secure Shell client: provides Telnet capabilities with security, SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
- Guards against security threats
- Encryption algorithm (depends on version)
  – DES, Triple DES, RSA, Kerberos, others
- Open source versions available: OpenSSH
- Secure connection requires SSH running on both machines
- Requires public and private key generation

36 IPSec (Internet Protocol Security)
- Defines encryption, authentication, key management for TCP/IP transmissions
- Enhancement to IPv4
- Native in IPv6
- Difference from other methods
  – Encrypts data and adds security information to all IP packet headers

37 IPSec
- Two-phase authentication
  – First phase: key management
    – Two nodes agree on common parameters for key use
    – IKE (Internet Key Exchange): negotiate and authenticate keys
    – ISAKMP (Internet Security Association and Key Management Protocol): policies for verification
  – Second phase: encryption
    – Uses AH (authentication header) or ESP (Encapsulating Security Payload)
- Used with any TCP/IP transmission
  – Most commonly used in a VPN context

38 Authentication Protocols
- Authentication
  – Process of verifying user's credentials
- Authentication protocols
  – Rules computers follow to accomplish authentication
- Several authentication protocol types
  – Vary by encryption scheme and steps taken to verify credentials

39 AAA
- AAA (authentication, authorization, and accounting)
  – AAA is a category of protocols that provide these three services
  – Establish client's identity
  – Examine credentials and allow or deny access
  – Track client's system or network usage

40 RADIUS
- RADIUS (Remote Authentication Dial-In User Service)
  – Can operate as an application on a remote access server, or on a dedicated RADIUS server
  – Highly scalable
  – May be used to authenticate wireless connections
  – Can work in conjunction with other network servers
- Centralized service
  – Often used to manage resource access

41 Figure: A RADIUS server on a network

42 PAP (Password Authentication Protocol)
- PAP authentication protocol
  – Plays a role in AAA
  – Operates over PPP
  – Uses two-step authentication process
  – Simple
  – Not secure
    – Sends client's credentials in clear text

43 Figure: Two-step authentication used in PAP

44 CHAP
- CHAP (Challenge Handshake Authentication Protocol)
  – Operates over PPP
  – Encrypts user names, passwords
  – Uses three-way handshake
- Benefit over PAP
  – Password never transmitted alone
  – Password never transmitted in clear text
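Slides 42 and 44 contrast PAP's two-step clear-text exchange with CHAP's three-way handshake. The added example below (written for this page, not taken from the course) shows both: the PAP request carries the password itself, while the CHAP server issues a random challenge, the client answers with the RFC 1994 response value (MD5 over the one-byte identifier, the shared secret and the challenge) and the server recomputes that hash to decide Success or Failure. The packet codes are the ones RFC 1994 defines; the user names, secrets and the `ChapAuthenticator` class are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# CHAP packet codes from RFC 1994
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(peer_id: str, password: str) -> dict:
    """PAP step 1: the client sends ID and password as-is (clear text on the link)."""
    return {"type": "pap-authenticate-request", "peer_id": peer_id, "password": password}


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake."""

    def __init__(self, secrets_db: dict):
        self._db = secrets_db            # name -> shared secret (constructed)
        self._pending = {}               # identifier -> outstanding challenge value

    def challenge(self, identifier: int) -> tuple:
        """Step 1: send a fresh random challenge."""
        value = secrets.token_bytes(16)
        self._pending[identifier] = value
        return (CHAP_CHALLENGE, identifier, value)

    def verify(self, identifier: int, name: str, response: bytes) -> tuple:
        """Step 3: recompute the expected hash and answer Success or Failure."""
        value = self._pending.pop(identifier, None)   # each challenge is single-use
        secret = self._db.get(name)
        if value is None or secret is None:
            return (CHAP_FAILURE, identifier)
        expected = chap_response_value(identifier, secret, value)
        if hmac.compare_digest(expected, response):
            return (CHAP_SUCCESS, identifier)
        return (CHAP_FAILURE, identifier)


def chap_client_respond(challenge_packet: tuple, name: str, secret: bytes) -> tuple:
    """Step 2: the client answers with the hash, never with the secret itself."""
    _, identifier, value = challenge_packet
    return (CHAP_RESPONSE, identifier, name, chap_response_value(identifier, secret, value))


def run_handshake(server: ChapAuthenticator, name: str, secret: bytes, identifier: int = 1) -> tuple:
    """Drive one complete challenge / response / result exchange."""
    pkt = server.challenge(identifier)
    resp = chap_client_respond(pkt, name, secret)
    return server.verify(resp[1], resp[2], resp[3])


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": b"correct horse battery"})   # constructed secret
    print(run_handshake(server, "alice", b"correct horse battery"))   # (3, 1) = Success
    print(pap_authenticate_request("alice", "hunter2"))               # password visible
```

What crosses the link in CHAP is the challenge and the hash, and because the server discards each challenge after one use a recorded response cannot be replayed against a later challenge. The response is still a deterministic function of the secret and the captured challenge, so someone who records both can test candidate secrets offline; that is the CHAP/MS-CHAP weakness slide 46 describes, and the reason to pair CHAP with long random secrets or to carry it inside an encrypted tunnel.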

45 Figure: Three-way handshake used in CHAP

46 MS-CHAP
- MS-CHAP (Microsoft Challenge Authentication Protocol)
  – Used on Windows-based computers
- MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
  – Uses stronger encryption
  – Does not use same encryption strings for transmission, reception
- CHAP, MS-CHAP vulnerability
  – Eavesdropping could capture character string encrypted with password, then decrypt

47 EAP (Extensible Authentication Protocol)
- Another authentication protocol
  – Operates over PPP
- Works with, and needs, other encryption and authentication schemes in order to work
- EAP's advantages: flexibility, adaptability

48 802.1x
- Specifies use of one of many authentication methods plus EAP
- Grants access to, and dynamically generates and updates authentication keys for, transmissions to a particular port
- Primarily used with wireless networks
- Originally designed for wired LAN
  – EAPoL (EAP over LAN)
- Only defines the process for authentication
  – Commonly used with RADIUS authentication

49 Kerberos
- Cross-platform authentication protocol
- Uses key encryption to verify client identity
- Provides significant security advantages over simple NOS authentication
- Terms
  – KDC (Key Distribution Center): issues keys
  – AS (authentication service): KDC runs on it
  – Ticket: issued by AS to client
  – Principal: Kerberos client
- Kerberos is a single sign-on
  – Single authentication to access multiple systems or resources

50 Wireless Network Security
- Wireless transmissions
  – Susceptible to eavesdropping
- Techniques for encrypting wireless data
  – None
  – WEP
  – WPA
  – WPA2 (replaced WPA)

51 WEP (Wired Equivalent Privacy)
- 802.11 standard security
  – None by default
  – Access points
    – No client authentication required prior to communication
    – SSID: only item required
- WEP
  – Uses keys, same for all users (WEP flaw)
  – Encrypts data in transit
  – First: 64-bit keys
    – Current: 128-bit, 256-bit keys

52 IEEE 802.11i and WPA (Wi-Fi Protected Access)
- 802.11i uses 802.1x
  – Authenticate devices
  – Dynamically assign every transmission its own key
  – Relies on TKIP (Temporal Key Integrity Protocol) to generate keys
  – Uses AES encryption
- WPA (Wi-Fi Protected Access), now WPA2
  – Subset of 802.11i
  – Same authentication as 802.11i
  – Uses RC4 encryption instead of AES

53 Figure: Notable encryption and authentication methods

54 Summary
- Posture assessment used to evaluate security risks
- Router's access control list directs forwarding or dropping packets based on certain criteria
- Intrusion detection and intrusion prevention systems used to monitor, alert, and respond to intrusions
- Firewalls selectively filter or block traffic between networks
- Various encryption algorithms
- Wireless security solutions

55 Misc
- Security Policies
  – http://www.sans.org/resources/policies
- Password Security
  – http://www.microsoft.com/security/online-privacy/passwords-create.aspx
- WiFi Security
  – http://www.wi-fi.org/discover-and-learn/security

56 End of Chapter 11: Questions

