Network+ Guide to Networks,
Fourth Edition
Chapter 14
Network Security
Objectives
• Identify security risks in LANs and WANs and design security policies that minimize risks
• Explain how physical security contributes to network security
• Discuss hardware- and design-based security techniques
• Use network operating system techniques to provide basic security
Objectives (continued)
• Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit
• Describe how popular authentication protocols, such as RADIUS, TACACS, Kerberos, PAP, CHAP, and MS-CHAP, function
• Understand wireless security protocols, such as WEP, WPA, and 802.11i
Security Audits
• Every organization should assess security risks by conducting a security audit
  – Thorough examination of each aspect of network to determine how it might be compromised
  – At least annually, preferably quarterly
• The more devastating a threat’s effects and the more likely it is to happen, the more rigorously your security measures should address it
• In-house or third-party audits
Security Risks
• Not all security breaches result from manipulation of network technology
  – Staff members purposely or inadvertently reveal passwords
  – Undeveloped security policies
• Malicious and determined intruders may “cascade” their techniques
Risks Associated with People
• Human errors, ignorance, and omissions cause majority of security breaches
• Risks associated with people:
  – Social engineering or snooping to obtain passwords
  – Incorrectly creating or configuring user IDs, groups, and their associated rights on file server
  – Overlooking security flaws in topology or hardware configuration
  – Overlooking security flaws in OS or application configuration
  – Lack of documentation and communication
Risks Associated with People (continued)
• Risks associated with people (continued):
  – Dishonest or disgruntled employees
  – Unused computer or terminal left logged on
  – Easy-to-guess passwords
  – Leaving computer room doors open or unlocked
  – Discarding disks or backup tapes in public waste containers
  – Neglecting to remove access and file rights when required
  – Writing passwords on paper
Risks Associated with Transmission and Hardware
• Risks inherent in network hardware and design:
  – Transmissions can be intercepted
  – Networks using leased public lines vulnerable to eavesdropping
  – Network hubs broadcast traffic over entire segment
  – Unused hub, router, or server ports can be exploited and accessed by hackers
  – Not properly configuring routers to mask internal subnets
Risks Associated with Transmission and Hardware (continued)
• Risks inherent in network hardware and design (continued):
  – Modems attached to network devices may be configured to accept incoming calls
  – Dial-in access servers may not be carefully secured and monitored
  – Computers hosting very sensitive data may coexist on the same subnet with computers open to public
  – Passwords for switches, routers, and other devices may not be sufficiently difficult to guess or changed frequently, or may be left at default value
Risks Associated with Protocols and Software
• Networked software only as secure as it is configured to be
• Risks pertaining to networking protocols and software:
  – TCP/IP contains several security flaws
  – Trust relationships between one server and another may allow hackers to access entire network
  – NOSs may contain “back doors” or security flaws allowing unauthorized access to system
Risks Associated with Protocols and Software (continued)
• Risks pertaining to networking protocols and software (continued):
  – If NOS allows server operators to exit to a command prompt, intruders could run destructive command-line programs
  – Administrators might accept the default security options after installing an OS or application (often not optimal)
  – Transactions that take place between applications may be open to interception
Risks Associated with Internet Access
• Common Internet-related security issues:
  – Firewall may not be adequate protection, if not configured properly
    • IP spoofing
  – When user Telnets or FTPs to site over Internet, user ID and password transmitted in plain text
  – Hackers may obtain information about user IDs from newsgroups, mailing lists, forms filled out on Web
  – Flashing
  – Denial-of-service attack
An Effective Security Policy
• Security policy identifies security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for team members, responsibilities for each employee
  – Specifies how to address security breaches
  – Should not state exact hardware, software, architecture, or protocols used to ensure security
    • Nor how hardware or software will be installed and configured
  – Details change occasionally
Security Policy Goals
• Typical goals for security policies:
  – Ensure authorized users have appropriate access to resources
  – Prevent unauthorized users from gaining access to network, systems, programs, or data
  – Protect sensitive data from unauthorized access
  – Prevent accidental or intentional damage to hardware or software
  – Create environment in which network and systems can withstand and recover from any type of threat
  – Communicate each employee’s responsibilities
Security Policy Content
• After risks identified and responsibilities assigned, policy’s outline should be generated
• Possible subheadings: Passwords; Software installation; Confidential and sensitive data; Network access; E-mail use; Internet use; Modem use; Remote access; Connecting to remote locations, Internet, and customers’ and vendors’ networks; Use of laptops and loaner machines; Computer room access
Security Policy Content (continued)
• Explain to users what they can and cannot do and how these measures protect network’s security
• Create separate section of policy that applies only to users
• Define what “confidential” means to organization
Response Policy
• Security response team should regularly rehearse defense strategy
• Suggestions for team roles:
  – Dispatcher
  – Manager
  – Technical support specialist
  – Public relations specialist
• After resolving a problem, team reviews what happened, determines how it might have been prevented, implements measures to prevent future problems
Physical Security
• Restrict physical access to components
  – Computer room, hubs, routers, switches, etc.
• Locks may be physical or electronic
  – Electronic access badges
  – Numeric key codes
  – Bio-recognition access
• Closed-circuit TV systems
• Most important way to ensure physical security is to plan for it
Physical Security (continued)
Figure 14-1: Badge access security system
Security in Network Design: Firewalls
• Selectively filter or block traffic between networks
  – Hardware-based, software-based, or combination
• Packet-filtering firewall examines header of every packet of data received
  – Common filtering criteria:
    • IP addresses
    • Ports
    • Flags set in IP header
    • Transmissions that use UDP or ICMP
    • First packet in new data stream?
    • Inbound or outbound?
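The filtering criteria listed above, as an added example (not from the textbook or from any firewall product): a first-match, default-deny packet filter in Python. The Packet and Rule fields, the 10.0.0.0/8 internal range, the 10.0.0.80 web server and the rule set are assumptions made for illustration; the first-packet test uses the TCP SYN and ACK flags.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # header fields only; payload is never inspected
    direction: str                 # "in" or "out"
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # None for ICMP
    syn: bool = False
    ack: bool = False

    @property
    def new_stream(self) -> bool:
        # First packet of a TCP connection: SYN set, ACK clear.
        return self.proto == "tcp" and self.syn and not self.ack

@dataclass(frozen=True)
class Rule:                        # a field left at None / 0.0.0.0/0 matches anything
    action: str                    # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    new_stream: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.proto in (None, p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport)
                and self.new_stream in (None, p.new_stream))

def decide(rules, p: Packet) -> str:
    """First matching rule wins; a packet that matches nothing is denied."""
    return next((r.action for r in rules if r.matches(p)), "deny")

# Constructed rule set: 10.0.0.0/8 is the assumed internal LAN, 10.0.0.80 its public web server.
RULES = [
    Rule("deny", direction="in", src="10.0.0.0/8"),      # internal source arriving from outside: spoofed
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.80/32", dport=80),
    Rule("deny", direction="in", proto="tcp", new_stream=True),  # no other inbound connections
    Rule("allow", direction="in", proto="tcp"),          # replies to sessions opened from inside
    Rule("allow", direction="out"),
]
```

Because this filter keeps no state, the rule that admits reply traffic trusts the ACK flag alone; a stateful firewall would check each packet against a table of open connections.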
Security in Network Design: Firewalls (continued)
• Factors when choosing a firewall:
  – Supports encryption?
  – Supports user authentication?
  – Allows central management?
  – Easily establishes rules for access?
  – Supports filtering at highest layers of OSI Model?
  – Provides logging, auditing, alerting capabilities?
  – Protects identity of internal LAN’s addresses?
• Cannot distinguish between user trying to breach firewall and user authorized to do so
Proxy Servers
• Proxy service: software that acts as intermediary between external and internal networks
  – Screen all incoming and outgoing traffic
• Manage security at Application layer
• May be combined with firewall for greater security
• Improve performance for users accessing resources external to network by caching files
Proxy Servers (continued)
Figure 14-4: A proxy server used on a WAN
Remote Access
• Must remember that any entry point to a LAN or WAN creates potential security risk
• Remote control:
  – Can present serious security risks
  – Most remote control software programs offer features that increase security
  – Desirable security features:
    • User name and password requirement
    • Ability of host system to call back
    • Support for data encryption
Remote Access (continued)
• Remote control (continued):
  – Desirable security features (continued):
    • Ability to leave host system’s screen blank while remote user works
    • Ability to disable host system’s keyboard and mouse
    • Ability to restart host system when remote user disconnects