NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Transcription

1 NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus CSCI Network Security and Perimeter Protection CATALOG DESCRIPTION This course will cover infrastructure security issues. Network operating systems and network architectures will be discussed together with the respective security related issues. The students will learn about the threats to computer networks through exploitation of weaknesses in the design of network infrastructure and security flaws in the network infrastructure protocols. Issues related to the security of content and applications such as , DNS, web servers will be discussed. Security techniques including intrusion detection, forensics, cryptography, authentication and access control are analysed. Developments in IPSEC, transport protocols, secure mail, directory services, and multimedia services are discussed. Prerequisites: CSCI 345. Corequisite: CSCI 385 or equivalent. Semester: Fall 2012 Instructor: Bill Mihajlovic Class meeting: Th 8:35 11:15 PM Office hours: Th 7:35 8:35 PM COURSE OBJECTIVES: To introduce the students to operation and performance oriented computer networks design with security threats and network defense related theory and technology. MEASURABLE STUDENT LEARNING OUTCOMES: After successful completion of this course, the students will be able to: 1. Define and implement defense in depth network security strategy. 2. Design secure computer network in layers bounded by security perimeters. 3. Select matching data filtering method for each perimeter of the network defense system. 4. Distribute redundant dynamic firewalls to achieve better network security. 5. Install and configure Linux based router and firewall. 6. Compare network activity monitoring syslog facility in PIX firewall and UNIX data collection server. 7. Use existing VPN protocols 8. Identify, position and configure relevant perimeter protection devices using network authentication, authorization and accounting (AAA) protocols. 9. Analyze and evaluate network perimeter security, estimate possible threats and propose applicable security solutions. 10. Specify standard security management policy and accountability structure.

2 TOPICS The Essentials of Network Perimeter Security - Perimeter Security Fundamentals (Chapter 1) Definitions Perimeter Definition Border Routers Firewalls Intrusion Detection Systems Intrusion Prevention Systems Virtual Private Networks Software Architecture DMZ Defense-in-Depth Components o The Perimeter o The Internal Network o The Human Factor - Packet Filtering (Chapter 2) TCP/IP Primer: How Packet Filtering Works TCP and UDP Ports TCP s Three-way Handshake Cisco Routers as Packet Filters IPChains CISCO ACLs Effective Uses of Packet-Filtering Devices Egress Filtering Shortcomings of Packet Filtering Dynamic Packet Filtering and the Reflexive Access List - Stateful Firewalls (Chapter 3) How Does a Stateful Firewall Work The Concept of State Stateful Filtering and Stateful Inspection - Proxy Firewalls (Chapter 4) Fundamentals of Proxying Pros and Cons of Proxy Firewalls Types of Proxies Tools for Proxying - Security Policy (Chapter 5) Firewalls Are Policy How to Develop Policy Perimeter Considerations Fortifying the Security Perimeter - The Role of a Router (Chapter 6) The Router as a Perimeter Device The Router as a Security Device Router Hardening - Virtual Private Networks (Chapter 7) VPN Basics Advantages and Disadvantages of VPNs IPSec Basics

3 Other VPN Protocols: PPTP and L2TP - Network Intrusion Detection (Chapter 8) Network Intrusion Detection Basics The Roles of Network IDS in a Perimeter Defense IDS Sensor Placement - Host Hardening (Chapter 9) The Need for Host Hardening Removing or Disabling of Unnecessary Programs Limiting Access to Data and Configuration Files Controlling User and Privileges Maintaining Host Security Logs Applying Patches Additional Hardening Guidelines - Host Defense Components (Chapter 10) Hosts and the Perimeter Antivirus Software Host-Based Firewalls Host-Based Intrusion Detection Challenges of Host Defense Components - Intrusion Prevention Systems (Chapter 11) What Is IPS? IPS Limitations NIPS Host-Based Intrusion Prevention Systems Designing a Secure Network Perimeter - Fundamentals of Secure Perimeter Design (Chapter 12) Gathering Design Requirements Design Elements for Perimeter Security - Separating Resources (Chapter 13) Security Zones Common Design Elements VLAN-Based Separation - Wireless Network Security (Chapter 14) Fundamentals Securing Wireless Networks Auditing Wireless Security - Software Architecture (Chapter 15) Software Architecture and Network Defense How Software Architecture Affects Network Defense Software Component Placement Identifying Potential Software Architecture Issues Software Testing Network Defense Design Recommendations - VPN Integration (Chapter 16) Secure Shell Secure Sockets Layer Remote Desktop Solutions IPSec Other VPN Considerations - Tuning the Design for Performance (Chapter 17)

4 Performance and Security Network Security Design Elements That Impact Performance Impact of Encryption Using Load Balancing to Improve Performance Mitigating the Effects of DoS Attacks - Sample Designs (Chapter 18) Review of Security Design Criteria Maintaining and Monitoring Perimeter Security - Maintaining a Security Perimeter (Chapter 19) System and Network Monitoring Incident Response Accommodating Change - Network Log Analysis (Chapter 20) The Importance of Network Log Files Log Analysis Basics Analyzing Router Logs Analyzing Network Firewall Logs Analyzing Host-Based Firewall and IDS L - Troubleshooting Defense Components (Chapter 21) The Process of Troubleshooting Troubleshooting Rules of Thumb The Troubleshooter's Toolbox - Assessment Techniques (Chapter 22) Roadmap for Assessing the Security of Your Network Planning Reconnaissance Network Service Discovery Vulnerability Discovery Verification of Perimeter Components Remote Access Exploitation Results Analysis and Documentation - Design Under Fire (Chapter 23) The Hacker Approach to Attacking Networks Adversarial Review Practical Designs - A Unified Security Perimeter: The Importance of Defense in Depth (Chapter 24) Example of Defense-in-Depth Architecture Absorbent Perimeters Defense in Depth with Information

5 COURSE REQUIREMENTS Class Participation Regular attendance and class participation will be graded. Attendance A student is expected to attend each class session on a regular and punctual Policy from the basis in order to obtain the educational benefits, which each meeting affords. NYIT Catalog Students shall be informed by their instructors exactly how often they will be allowed to be late or absent during the semester. Students who exceed these limits may be withdrawn from the course by the instructor. In the event of a student s absence from a test, the instructor will generally determine whether the student will be allowed to make up the work that was missed. Lack of Academic Dishonesty Late work Reading Class Participation Homework Term Paper or Term Project Examinations: Final Grade Incomplete: I grade Withdrawal: W grade preparation is not an adequate excuse for missing an examination. Academic dishonesty, use of consultants at exam time, copying exams or plagiarizing homework assignments will result in an F grade on the exam or assignment. If it occurs more than once, the course grade will be F. Late homework assignments will be accepted only during the initial three weeks of the semester. All late homework assignments will be subject of the 10% penalty. There are no exceptions for any reasons. Reading assignments should be completed prior to the first class of the week in which they are assigned. Attendance, class participation, discussions and class interaction will be graded, contributing 10% to the final grade score. Homework assignments will be graded, contributing 10% to the final grade score. Term paper or term project on the assigned topic will be graded as 10% of the final grade score. There will be 3 quizzes each contributing 10% to the final grade score. In addition there will be one midterm exam plus the final cumulative examination, which will cover the entire semester's work, each contributing 20% to the final grade score. Missed examination will be graded as 0. All quizzes and examinations are taken in class. Final grade reflects overall performance and achievements and is based on the weighted average of the individual scores mentioned above, referred to as the final grade score. A grade of incomplete, I, can by given by the instructor after consultation with the Department Chair. It is used when a student, because of some unavoidable circumstance, has been unable to complete all assigned work for the course. The instructor must document that the student s work is passing at this point and the student must agree to complete the missing work. A grade of I will become an F in the following situation: I is given in the fall semester and not made up by the end of the following summer. I is given in the spring semester and not made up by the end of the following fall. Students who miss six (6) classes will be withdrawn from the class. Students can withdraw up to the 8 th week of the semester and receive a grade of W. After the 8 th week deadline, a student may withdraw and receive a W only if the student is passing the course. Otherwise, a student withdrawing after the 8 th week will receive a grade of WF.

6 COURSE OUTLINES: Textbook: Stephen Northcutt, Lenny Zeltser, Scott Wintters, Karen Kent, Ronald W Ritchney Inside Network Perimeter Security, Sams Publishing, 2nd edition, 2005, ISBN: References: [1] Nagananand Doraswamy, Dan Harkins, IPSec, The New Security Standard for the Internet, Intraanets, and Virtual Private Networks, Prentice Hall PTR, 1999, ISBN: [2] Saadat Malik, Network Security Principles and Practicies, Cisco Press, 2003, ISBN [3] By Alex Noordergraaf, Minimizing the Solaris Operating Environment for Security, White paper, Sun Microsystems, CSCI Network Security and Perimeter Protection Week Topic Reading Assignments 1 The Essentials of Network Perimeter Ch.1, Assignment 1: Defense in depth. Security, Security Zones and Perimeters [2]Ch.2 2 IP Network Protocols, Packet Filtering, Stateteful Firewalls Ch.2, 3 Assignment 2: IP Spoofing. IP Fragmentation attacks. 3 PIX Firewall Programming and Admin Account Management, IOS Firewalls, Safeguarding Against DOS Attack. [2]Ch.8,9 Assignment 3: Configuration of a router IOS for basic packet filtering. 4 Non Stateful, Circuit Level Firewall, Proxy Firewall 5 Device Security, Secure Routing and Secure LAN Switching, PIX Firewall NAT & DHCP 6 DMZ, Host Hardening, Defense Components and Bastion Host protection, Host Hardening. 7 Network Intrusion Detection and Prevention Systems, Network Extrusion Detection 8 Midterm Exam. 9 Inspecting Traffic and Network Activity Logging, PIX syslog Facility Programming Ch.4 Ch.6 [2]Ch.3,4,5 Ch.9, 10 [3] Ch.8, 11 [2]Ch.14, 15 Ch.20 Assignment 4: Configuration of a router IOS for statefull packet filtering. Assignment 5: Programming NAT & DHCP on PIX Firewall Project: DMZ design. Assignment 7: High level proxy monitoring data traffic. Project: Programming syslog Facility on PIX Firewall and UNIX data collection server. Assignment 10: Identification & analysis of VPN devices. 10 VPN Protocols, GRE, L2TP, Ch.7, [2] Ch.11, IPSec Protocols, ESP, AH and IKE. [1] Ch.3, 4, 7 Assignment 11: Host based configuring of IPsec. 12 Network Access Control, Authentication, [2] Ch.16, 17, Assignment 12: Configuring IOS Authorization and Accounting AAA 18 of a firewall to perform AAA Protocols, RADIUS and TACACS+ activities. 13 Building Secure Connectivity, Firewall Availability with Failover, Firewall Load Balancing. Network, Security Policies. Troubleshooting and Auditing Network Security Implementations with Tuning of 14 Design for Performance. 15 Final Exam Ch.5, 12, 13 Ch.17, 21 Term Project: Secure Network Design. Assignment 14: Network security auditing.

7