Training Course on Network Administration

Transcription

1 Training Course on Network Administration 03-07, March 2014 National Centre for Physics 1

2 Network Security and Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2

3 Crafting a Secure Network 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3

4 Network Security Network security is an integral part of computer networking Imporant on any size network. 4

5 Network Security Network security is an integral part of computer networking Imporant on any size network. 5

6 External Threats The most common external threats to networks include: Viruses, worms, and Trojan horses - malicious software and arbitrary code running on a user device Spyware and adware - software installed on a user device that secretly collects information about the user Zero-day attacks, also called zero-hour attacks - an attack that occurs on the first day that a vulnerability becomes known Hacker attacks - an attack by a knowledgeable person to user devices or network resources Denial of service attacks - attacks designed to slow or crash applications and processes on a network device Data interception and theft - an attack to capture private information from an organization s network Identity theft - an attack to steal the login credentials of a user in order to access private data. 6

7 Internal Threats The most common data breaches happen because of internal users of the network. Due to: lost or stolen devices accidental misuse by employees malicious employees With the evolving BYOD strategies, corporate data is much more vulnerable. Therefore, when developing a security policy, it is important to address both external and internal security threats.. 7

8 Security Solutions Network security components for a home or small office network should include: Antivirus and antispyware - to protect user devices from malicious software Firewall filtering - to block unauthorized access to the network. In addition to the above, larger networks and corporate networks often have other security requirements: Dedicated firewall systems - to provide more advanced firewall capability that can filter large amounts of traffic with more granularity Access control lists (ACL) - to further filter access and traffic forwarding Intrusion prevention systems (IPS) - to identify fast-spreading threats, such as zero-day or zero-hour attacks Virtual private networks (VPN) - to provide secure access to remote workers. Policies, procedures, standards guidelines 8

9 Security through Network Design Subnetting IP addresses are actually two addresses: one part is a network address and one part is a host address Subnetting or subnet addressing Splits a large block of IP addresses into smaller groups 9

10 Image from Cisco CCNA Class 1 10

11 Subnetting at CCSF Whole College: / through Eng Dept: / through CNIT Dept: / through Image from Cisco CCNA class 1, modified 11

12 Advantages of Subnetting 12

13 Subnets Improve Security Each subnet can be isolated from the rest of the network Traffic between subnets can be monitored and restricted at the routers Subnets also allow network administrators to hide the internal network layout Outsiders only see your public servers, not your private subnets 13

14 Virtual Local Area Network (VLAN) VLANs segment a network with switches, not routers A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches Can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN 14

15 VLAN Security VLAN communication can take place in two ways All devices are connected to the same switch Traffic is handled by the switch itself Devices are connected to different switches A special tagging protocol must be used, such as the IEEE 802.1Q-2005 A VLAN is heavily dependent upon the switch for correctly directing packets Attackers could take control of the switch itself, if it has a default or weak password Specially crafted traffic can also "hop" from one VLAN to another 15

16 Demilitarized Zone (DMZ) A separate network that sits outside the secure network perimeter Outside users can access the DMZ but cannot enter the secure network 16

17 DMZ with Firewall 17

18 Network Address Translation (NAT) Hides the IP addresses of network devices from attackers Private addresses IP addresses not assigned to any specific user or organization Function as regular IP addresses on an internal network Non-routable addresses--traffic addressed to private addresses is discarded by Internet routers 18

19 Network Address Translation (NAT) NAT removes the private IP address from the sender s packet And replaces it with an alias IP address When a packet is returned to NAT, the process is reversed An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender 19

20 Introducing NAT and PAT 20

21 NAT Example Inside local address The IP address assigned to a host on the inside network. This address is likely to be an RFC 1918 private address. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider that represents one or more inside local IP addresses to the outside world. Outside local address The IP address of an outside host as it is known to the hosts on the inside network. 21

22 NAT Example 1 DA DA SA IP Header Data 2 SA Data IP Header The translation from Private source IP address to Public source IP address. 22

23 NAT Example 1 2 Inside local address The IP address assigned to a host on the inside network. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider. Outside global address The IP address assigned to a host on the outside network. The owner of the host assigns this address. 23

24 NAT Example 4 3 DA SA IP Header DA... Data SA Data IP Header Translation back, from Public destination IP address to Private destination IP address. 24

25 NAT Example NAT allows you to have more than your allocated number of IP addresses by using RFC 1918 address space with smaller mask. However, because you have to use your Public IP addresses for the Internet, NAT still limits the number of hosts you can have access the Internet at any one time (depending upon the number of hosts in your public network mask.) 25

26 PAT Port Address Translation PAT (Port Address Translation) allows you to use a single Public IP address and assign it up to 65,536 inside hosts (4,000 is more realistic). PAT modifies the TCP/UDP source port to track inside Host addresses. Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream of traffic. 26

27 PAT Example NAT/PAT table maintains translation of: DA, SA, SP DA DA SA IP Header SA IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 27

28 PAT Example NAT/PAT table maintains translation of: SA (DA), DA (SA), DP (SP) DA SA IP Header DA SA IP Header DP SP DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 3333 SP 80 Data TCP/UDP Header DP 2222 SP 80 Data TCP/UDP Header 28

29 PAT Port Address Translation With PAT a multiple private IP addresses can be translated by a single public address (many-to-one translation). This solves the limitation of NAT which is one-to-one translation. 29

30 PAT Port Address Translation DA DA SA IP Header SA IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 30

31 Configuring Static NAT 31

32 Configuring Dynamic NAT The network address space you have received from ARIN or your ISP is /24. In ISP s routing table: /24 via ISP Translate to these outside addresses Start here Source IP address must match here 32

33 is the address your ISP has assigned you. Instead of a host, you put a router there, running PAT so you can have multiple hosts share that same address. Configure PAT Overload In this example a single Public IP addresses is used, using PAT, source ports, to differentiate between connection streams. 33

34 Configure PAT Overload This is a different example, using the IP address of the outside interface instead specifying an IP address 34

35 NAT/PAT Clear Commands 35

36 Verifying NAT/PAT 36

37 Troubleshooting NAT/PAT 37

38 Issues with NAT/PAT NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings. 38

39 NAT with PAT Web browser: Port Port 1102 Web browser: Port Address Translation Port > Port Port > Port Port > Port

40 Network Access Control (NAC) Examines a computer before it is allowed to connect to the network Each computer must meet security policy first, such as Windows patches up to date Antivirus software Antispyware software Etc. Any device that does not meet the policy is only allowed to connect to a quarantine network where the security deficiencies are corrected 40

41 41

42 Firewall Typically used to filter packets Sometimes called a packet filter Designed to prevent malicious packets from entering the network A firewall can be software-based or hardware-based Hardware firewalls usually are located outside the network security perimeter As the first line of defense 42

43 Firewall (continued) 43

44 Firewall (continued) The basis of a firewall is a rule base Establishes what action the firewall should take when it receives a packet (allow, block, and prompt) Stateless packet filtering Looks at the incoming packet and permits or denies it based strictly on the rule base Stateful packet filtering Keeps a record of the state of a connection between an internal computer and an external server Then makes decisions based on the connection as well as the rule base 44

45 Stateless Firewall Rules 45

46 Stateful Firewall Rules State = Established Note error in textbook in left column, 3rd row 46

47 Inbound and Outbound Traffic Filtering Most personal software firewalls today also filter outbound traffic as well as inbound traffic Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading But it annoys them with these alerts 47

48 Proxy Server I want to see yahoo.com I will get yahoo.com and save a copy Internet Here is my copy of yahoo.com 48

49 Proxy Server Clients never directly connect to the Internet This saves bandwidth, because one copy of a popular Web page can be used many times Allows a company to block forbidden Web sites It also prevents many attacks the same way NAT does Reverse proxy Does not serve clients but instead routes incoming requests to the correct server 49

50 Reverse Proxy Connect to Web server 1 50

51 Network Intrusion Detection Systems (NIDS) Network intrusion detection system (NIDS) Watches for attempts to penetrate a network NIDS work on the principle of comparing new behavior against normal or acceptable behavior A NIDS looks for suspicious patterns Passive intrusion detection just logs the traffic and sends alerts 51

52 Host Intrusion Prevention Systems (HIPS) Installed on each system that needs to be protected Rely on agents installed directly on the system being protected Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks 52

53 Host Intrusion Prevention Systems (HIPS) Most HIPS monitor the following desktop functions: System calls File system access System Registry settings Host input/output HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls HIPS provide an additional level of security that is proactive instead of reactive 53

54 Network Intrusion Prevention Systems (NIPS) Work to protect the entire network and all devices that are connected to it By monitoring network traffic NIPS can immediately react to block a malicious attack NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events Can drop malicious traffic based on their configuration or security policy 54

55 Protocol Analyzers Three ways for detecting a potential intrusion Detecting statistical anomalies (unusual traffic) Examine network traffic and look for well-known patterns of attack Use protocol analyzer technology Protocol analyzers Can fully decode application-layer network protocols Parts of the protocol can be analyzed for any suspicious behavior Such as an overly long User-Agent field in an HTTP GET request 55

56 Internet Content Filters Internet content filters Monitor Internet traffic and block access to preselected Web sites and files A requested Web page is only displayed if it complies with the specified filters Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords 56

57 Internet Content Filters (continued) 57

58 Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 58

59 SNMP is an application layer protocol that provides a message format for communication between what are termed managers and agents Components include SNMP manager SNMP agent Management Information Base 59

60 Get Set Trap - unreliable Trap (SNMPv3 uses ACK) - reliable 60

61 61

62 62

63 63

64 The Management Information Base (MIB) MIB defines each variable as an object ID (OID) Organizes the into a hierarchy of OIDs, usually MIB for any device includes some branches of shown as a tree the tree with variables common to many networking devices and branches with variables specific to that device. Networking equipment vendors like Cisco can define their own private branches of the tree 64

65 MIB tree 65

66 Obtaining MIB value with snmpget -v2c The version on SNMP in use -c community The SNMP password, called a community string The IP address of the monitored device The numeric object identifier (OID) of the MIB variable 66

67 There are two types of community strings in SNMP Version 2c: Read-only (RO): Provides access to the MIB variables, but does not allow these variables to changed, only read. Because security is so weak in Version 2c, many organizations only use SNMP in this read-only mode. Read-write (RW): Provides read and write access to all objects in the MIB. 67

68 R1(config)# ip access-list standard ACL_PROTECTSNMP R1(config-std-nacl)# permit host R1(config-std-nacl)# exit R1(config)# snmp-server community RO ACL_PROTECTSNMP R1(config)# snmp-server location Tampa R1(config)# snmp-server contact Anthony Sequeira R1(config)# end R1# 68

69 R2(config)# ip access-list standard ACL_PROTECTSNMP R2(config-std-nacl)# permit host R2(config-std-nacl)# exit R2(config)# snmp-server community RW ACL_PROTECTSNMP R2(config)# snmp-server location New York R2(config)# snmp-server contact John Sequeira R2(config)# end R2# 69

70 Message integrity: This helps ensure that a packet has not been tampered with in transit Authentication: This helps ensure that the packet came from a known and trusted source Encryption: This helps to ensure that information cannot be read if the data is captured in transit 70

71 71

72 Syslog permits various Cisco devices (and some other non-cisco devices) to send their system messages across the network to syslog servers There are many different Syslog server software packages for Windows and UNIX 72

73 The logging buffer (RAM inside the router or switch) The console line The terminal lines A syslog server 73

74 74

75 A timestamp: *Dec 18 17:10: The facility on the router that generated the message: %LINEPROTO The severity level: 5 A mnemonic for the message: UPDOWN The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down 75

76 76

77 77

78 Verifying R1(config)#logging By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers those log messages by default R1(config)# logging console R1(config)# logging buffered R1# show logging 78

79 Thank you! 79