Chapter 8 – Infrastructure Security

Security+
All-In-One Edition
Chapter 8 – Infrastructure Security
Brian E. Brzezicki
WARNING!
A LOT of the material in these slides and in this lecture is NOT in the book. This book does a good job of presenting most of the material needed for the Security+ exam. However, the info in chapter 8 is a little thin… so pay close attention to the slides. Perhaps I provide a little too much depth for the Security+ exam… but it’s well worth doing the extra learning… especially if you want to take the CISSP or really understand networks and network security concepts to be USEFUL in real life!
Infrastructure Security
Infrastructure security is concerned with
providing security for the entire network
infrastructure. Infrastructure security is
concerned with providing availability to
authorized users, ensuring no one is allowed
to access resources in an unauthorized
manner, and ensuring that the network
integrity is maintained. That is, infrastructure security is concerned with the entire CIA triad.
Devices on the Network
Workstations
Workstations (202)
Often overlooked in security, workstations are a very attractive target for hackers. IT staff often spend their time securing servers and do not realize the danger their unprotected workstations pose.
(more)
Workstations (202)
Workstations are often “low hanging fruit”, manned by end users who are themselves a security risk. Once a workstation is infiltrated, an attacker may have access to data directly via the authorized users on the system, and that workstation can be used as an attack point into the network.
Workstation security is CRITICAL to the “holistic” health and security of the network.
Workstation Security Best Practices
(basic hardening) (203)
Physical

Physically restrict access to the workstation

Use locking devices to ensure the computer cannot be opened or stolen (whether in whole or in part)

Set a BIOS password

Do not allow booting from removable media, and do not allow altering of the boot order

Remove removable media attachments if possible

Use an encrypted file system (EFS) or disk encryption technology (BitLocker) if possible
(more)
Workstation Security Best Practices
(basic hardening) (203)
Basic Account hardening

Rename the administrator account, set a
strong password

Disable unneeded accounts

Set strong password policies
(more)
Workstation Security Best Practices
(basic hardening) (203)
Basic software hardening and maintenance

Shut down services that are not needed

Remove software that is not needed

Use a standard workstation image for consistent
installs and configuration

Keep the OS and applications patched!

Install anti-virus on the workstation and keep it auto-updated

(more)
Workstation Security Best Practices
(basic hardening) (203)
Basic System Network Hardening

Remove unnecessary protocols such as NetBIOS or IPX/SPX

Remove any file/printer shares (generally workstations should not share files)

Use a host-based firewall

Use a host-based IDS if possible

Remove workstation remote access (e.g. modems, remote desktop, etc.)
Workstation Hardening
Please note the last few slides showed only the BASIC/minimum levels of workstation hardening. There are many more specific details you should be concerned with in real life. However, the last few slides provide the info the Security+ exam is concerned with, and also provide a solid base from which you can expand to protect your workstations.
Workstation Anti-Virus (202)
Don’t go on the network without it… and keep it updated (why?). Malware run by people on your internal network… is an easy access method for an attacker.

Personal / Host Based Firewalls
(n/b)
In the last 10 or so years, host-based firewalls have been shipped with every major OS. You should run them on your workstations as another layer of defense (remember defense in depth / layered defense).

Windows Firewall

IPFilter for Solaris

iptables for Linux

Windows Firewall (n/b)
Quickly walk everyone through Windows Firewall
Servers
Servers (204)
OK, everyone understands that you need to protect servers, right?
With servers:

Follow the best practices for securing workstations

Identify which servers need to run which services (web, email, file sharing)

Try to ensure that one server runs only one specific service, and that the service and OS are configured for maximum security

Set network service daemons to run as non-privileged users

Set strict permissions on network resources

Disable, or if possible completely remove, all NON-essential services
(more)
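A small audit script, added here and not part of the slides, for the "shut down services that are not needed" items on both the workstation and the server hardening lists: it decodes the kernel's TCP socket table and reports every listener that is not part of the host's documented role. The sample table and the role allowlist {22, 80} are constructed assumptions; reading the live table works only on Linux.

```python
# Added example (not from the slides): list the TCP services a host actually
# listens on and flag any outside its documented role. Live use is Linux-only
# (/proc/net/tcp, /proc/net/tcp6); the constructed sample below runs anywhere.
import socket
import struct
LISTEN = "0A"  # kernel socket state code for LISTEN

def _hex_addr_to_ip(hex_addr: str) -> str:
    """Decode the host-byte-order hex address used by /proc/net/tcp{,6}."""
    raw = bytes.fromhex(hex_addr)
    if len(raw) == 4:  # IPv4: one little-endian 32-bit word
        return socket.inet_ntop(socket.AF_INET, raw[::-1])
    words = struct.unpack("<4I", raw)  # IPv6: four little-endian 32-bit words
    return socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))

def parse_listening(proc_table: str) -> list:
    """Return (local_ip, port) for every socket in LISTEN state."""
    listening = []
    for line in proc_table.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields[3] == LISTEN:
            hex_ip, hex_port = fields[1].split(":")
            listening.append((_hex_addr_to_ip(hex_ip), int(hex_port, 16)))
    return listening

def unexpected_listeners(listening: list, allowed_ports: set) -> list:
    """Listeners on ports that are not part of this host's role."""
    return [(ip, port) for ip, port in listening if port not in allowed_ports]

def live_listeners() -> list:
    """Read the real kernel tables; returns [] on a non-Linux host."""
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found += parse_listening(fh.read())
        except OSError:
            pass
    return found

# Constructed sample (trailing columns trimmed): a dedicated web server where
# sshd (0x16=22) and httpd (0x50=80) belong, DNS (0x35=53) is bound to loopback
# only, SMB (0x1BD=445) is an unneeded share, and row 4 is an ESTABLISHED client.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0
   3: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0
   4: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000 0
"""
```

Run `unexpected_listeners(live_listeners(), allowed)` on a Linux server with its role's port set; anything it returns is a service to justify or remove, and a loopback-only binding (127.0.0.1) is far less exposed than 0.0.0.0.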
Servers (204)

If you cannot have a dedicated machine for each specific service, consider using virtualization (use virtualization even if you have multiple servers)

As an administrator, UNDERSTAND which processes are required for the OS and the service. Try to ensure only those processes are running, and be wary if you see other processes running

Once installed, run Tripwire or other checksum software to identify and verify that critical files don’t “change” (why is this important, and what could it mean?)
(more)
Servers (204)

On Internet-facing servers (mail servers, web proxies, etc.) ensure that you have anti-virus and malware protection on the incoming data streams, even if your workstations have anti-virus. If possible, use a different anti-virus product/engine than you use on your workstations.

Layered security / defense in depth

Diversity of defense
(more)
Servers (204)

Run a host-based IDS on your servers

Periodically do vulnerability assessments on your servers

Periodically verify that software and configuration files have not changed and that no new services have been started. Use version control on configuration files if possible.
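A minimal Tripwire-style checker, added here and not the slides' own code, covering both the "run Tripwire or other checksum software" item and the "periodically verify files have not changed" item above. The fake /etc tree, its contents and the simulated tampering are all constructed so the script runs anywhere.

```python
# Added example (not from the slides): a minimal tripwire-style integrity check.
# Baseline SHA-256 digests of critical files, then re-check the tree and report
# what was modified, added or removed. The sample tree is constructed in a temp dir.
import hashlib
import os
import tempfile

def file_digest(path: str) -> str:
    """SHA-256 of one file, read in chunks so big binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline

def verify(root: str, baseline: dict) -> dict:
    """Re-hash the tree and diff it against a (trusted, offline-stored) baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(root, "ssh", "sshd_config"), "PermitRootLogin no\n")
        baseline = build_baseline(root)  # in real use: store this read-only/offline
        # Simulated tampering: a config edit, an unexpected new file, a deleted file
        _write(os.path.join(root, "ssh", "sshd_config"), "PermitRootLogin yes\n")
        _write(os.path.join(root, "unexpected.bin"), "not in the baseline\n")
        os.remove(os.path.join(root, "passwd"))
        return verify(root, baseline)
```

On a real host you would point `build_baseline` at /etc or the service's binaries and keep the saved baseline somewhere an intruder who owns the box cannot rewrite it; a non-empty result from `verify` is the "change" the slide asks about, and it needs an explanation (patch, admin edit, or compromise).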
Virtualization (n/b)
Virtualization is KEY to network security, availability and maintenance/ease of operation.
(see next slide)
Can anyone describe to me what virtualization is?
What does it allow you to accomplish?
How does it make your life as an admin easier?
How does it increase availability?
How does it allow you to make servers more modular?
How does it increase security and integrity?
Virtualization
Virtualization migration

OSI Model
Oh no…
OSI (n/b)
