Network Access Security Lesson 10
Objectives: Exam Objective Matrix

Technology / Skill Covered: Firewalls
- 2.1  Given a scenario, install and configure routers and switches: interface configurations; MAC filtering; traffic filtering
- 4.1  Explain the purpose and features of various network appliances: proxy server; content filter
- 5.2  Explain the methods of network access security: ACL; MAC filtering; IP filtering; port filtering

Technology / Skill Covered: Tunneling and Encryption
- 5.5  Given a scenario, install and configure a basic firewall: types (software and hardware firewalls); port security; stateful inspection vs. packet filtering; firewall rules (ACL); DMZ
- 5.6  Categorize different types of network security appliances and methods: IDS and IPS (network-based, host-based); methods (honey pots, honey nets)
- 4.1  Explain the purpose and features of various network appliances: load balancer; proxy server; content filter; VPN concentrator
- 5.2  Explain the methods of network access security: tunneling and encryption (SSL VPN, VPN, L2TP, PPTP, IPSec, ISAKMP, TLS, TLS 1.2, site-to-site and client-to-site); remote access (RAS, RDP, PPPoE, PPP, ICA, SSH)

Technology / Skill Covered: Wireless Authentication and Encryption
- 5.1  Given a scenario, implement appropriate wireless security measures: encryption protocols (WEP, WPA, WPA2, WPA Enterprise)

Technology / Skill Covered: Best Practices
- 5.4  Explain common threats, vulnerabilities, and mitigation techniques: mitigation techniques (training and awareness, patch management, policies and procedures)
Firewalls
A network firewall:
- Prevents attackers and other security threats from entering the network
- Limits the ability of an attacker or threat that does get in to spread through the network

Network-based Firewalls
- Reside on the network itself
- Usually hardware in nature, augmented with additional software
- Many are built into, or on top of, routers
- Two common configurations:
  - Single firewall: uses only one firewall between the internal network and the outside
  - Dual firewall: uses two firewalls; the area between them is the Demilitarized Zone (DMZ), where public-facing servers are placed
Single Firewall Configuration
Dual Firewall Configuration
Server Placement with a DMZ
Proxy Server
- Used as an intermediary between a network's clients and the servers they reach
- Either a purpose-built device or an application running on a server
- Upon receipt of a request it can:
  - Evaluate the request and decide whether to pass it on
  - Interpret and attempt to service it itself (from a cache)
  - Conceal the identity of the person making the request
  - Alter the request to avoid restrictions

Network Intrusion Detection System / Network Intrusion Prevention System (NIDS/NIPS)
- Software designed to look for evidence of intruder activity and, for NIPS, stop it once detected
- Works like IDS and IPS (Lesson 9)
- Differences from host IDS/IPS:
  - Where the software is located: NIDS/NIPS sit on the network (a segment or tap) rather than on one host
  - Inspect both incoming and outgoing communications for the whole segment
Possible NIDS Placement Locations
Host-based Firewalls
- Software packages that run on a computer platform
- Evaluate packets arriving at that host and determine whether they are malicious
- Related host-based tools:
  - Host-Based Intrusion Detection System (HIDS); Host-Based Intrusion Prevention System (HIPS)
  - System Intrusion Detection Software (SIDS); System Intrusion Prevention System (SIPS)

Common Features of a Firewall
- Application layer versus network layer
- Stateful versus stateless
- Scanning services
- Content filters
- Signature identification
- Zones
Application Layer Versus Network Layer
- Application layer firewalls work with the protocols and services at the top of the TCP/IP stack (HTTP, SMTP, DNS and the like); each is typically designed to target one or two protocols and can inspect the content of those conversations
- Network layer firewalls work at the network layer of the TCP/IP stack; they decide on packet header fields (addresses, protocol, ports) rather than on application content

Stateful Versus Stateless
- Stateful
  - The firewall (often a router) must track every connection passing through it
  - It needs to know the current state of each connection at all times, so a reply is admitted only if a matching outbound request was seen
- Stateless
  - Treats each packet separately, with no memory of earlier packets
  - Faster and cheaper
  - Easier to hijack or spoof, because it cannot tell a genuine reply from a forged packet that merely looks like one
Scanning Services
- The ability of a firewall to scan packets and protocols for specific threats
- Scan HTTP traffic for spyware or viruses
- Scan e-mail for spam

Content Filters
- Evaluate incoming data against predefined guidelines
- Block spam based on its content
- Block websites containing specific words
- Parental controls

Signature Identification
- A process that uses signatures (definitions) to identify threats
- Traffic is compared against a signature database
- Identified threats are reported to the administrator for action
- Only works against known threats: a new attack, or a known one rewritten so the signature no longer matches, passes
- Keeping the signature database and software updated is crucial
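The following is an added example, not part of the lesson, showing signature identification over constructed HTTP payloads. The signature set, the sample packets and the alert format are all made up for illustration (no real product's rule syntax is used); the last packet carries the same command injection as the second but URL-encoded, which is the "only known threats" limit in practice, and a normalization step shows how a NIDS narrows that gap.

```python
"""Signature-based detection over constructed packet payloads.

Added example (not part of the original lesson). The signatures, the
payloads and the alert format are all constructed for illustration; no
real product's rule syntax is used.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed signature database: name -> compiled byte pattern.
# Real products ship thousands of these and update them continuously.
SIGNATURES = {
    "shell-cmd-in-http-query": re.compile(rb"[?&][a-z_]+=.*(;|\|\|?)\s*(cat|id|whoami)\b"),
    "sql-tautology": re.compile(rb"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
    "php-system-call": re.compile(rb"<\?php\s+system\("),
}


def scan_payload(payload: bytes) -> list:
    """Return the names of every signature that matches this payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(payload)]


def scan_packets(packets, normalize: bool = False) -> list:
    """Run every packet through the signature set and return (index, hits).

    Packets with hits are what the firewall/NIDS forwards to the
    administrator; packets with no hits pass silently. With normalize=True
    the payload is URL-decoded first, so an encoded variant of a known
    attack is still recognised.
    """
    alerts = []
    for index, packet in enumerate(packets):
        data = unquote_to_bytes(packet) if normalize else packet
        hits = scan_payload(data)
        if hits:
            alerts.append((index, hits))
    return alerts


# Constructed sample traffic (HTTP requests as raw bytes).
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /cgi-bin/ping?host=127.0.0.1;cat /etc/passwd HTTP/1.1\r\n",
    b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x",
    # Same intent as packet 1 but URL-encoded: the literal signature does not
    # match it until the payload is normalized.
    b"GET /cgi-bin/ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1\r\n",
]
```

Calling scan_packets(SAMPLE_PACKETS) flags packets 1 and 2 only; scan_packets(SAMPLE_PACKETS, normalize=True) also flags packet 3. The benign packet 0 is never reported, and a genuinely new attack pattern with no signature would not be either.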
Zones
- Creates a firewall on a router based on groups of interfaces (zones) rather than on individual interfaces
- Three rules that always apply:
  - Interfaces sharing the same zone can always talk to each other
  - Interfaces in one zone cannot communicate with another zone unless an explicit zone-pair policy allows it
  - Interfaces not assigned to any zone cannot talk to interfaces that are in a zone
Zone-based Firewall
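Added example, not from the lesson or any vendor's configuration, encoding the three zone rules above as a decision function. Interface names, zone membership and the zone-pair policy table are constructed.

```python
"""Zone-based firewall decision logic.

Added example; not part of the lesson or any vendor's configuration. The
interface names, zone membership and zone-pair policies are constructed.
It encodes the three rules from the slide: same zone always passes, a
different zone needs an explicit policy, and an interface outside every
zone cannot reach a zoned interface.
"""
from typing import Optional

# Constructed interface -> zone assignment. "mgmt0" is deliberately left
# out of every zone.
ZONE_OF = {
    "gi0/0": "inside",
    "gi0/1": "inside",
    "gi0/2": "dmz",
    "gi0/3": "outside",
}

# Constructed zone-pair policies: (source zone, destination zone) -> allowed
# destination TCP ports. Policies are one-directional; a pair that is absent
# means "drop". Return traffic for permitted sessions is handled by stateful
# inspection, not by a second policy in the reverse direction.
ZONE_PAIR_POLICY = {
    ("inside", "outside"): {80, 443},
    ("inside", "dmz"): {80, 443, 22},
    ("outside", "dmz"): {443},
}


def decide(src_if: str, dst_if: str, dst_port: int) -> str:
    """Return 'permit' or 'drop' for a new TCP session between two interfaces."""
    src_zone: Optional[str] = ZONE_OF.get(src_if)
    dst_zone: Optional[str] = ZONE_OF.get(dst_if)

    # Rule 3: an interface that belongs to no zone cannot talk to a zoned one.
    if src_zone is None or dst_zone is None:
        return "permit" if src_zone is None and dst_zone is None else "drop"

    # Rule 1: interfaces in the same zone always talk to each other.
    if src_zone == dst_zone:
        return "permit"

    # Rule 2: traffic between zones needs an explicit zone-pair policy.
    allowed_ports = ZONE_PAIR_POLICY.get((src_zone, dst_zone))
    if allowed_ports is not None and dst_port in allowed_ports:
        return "permit"
    return "drop"
```

Note that there is no ("outside", "inside") pair, so nothing from the outside zone can open a session to an inside interface even on port 443, and the unzoned mgmt0 cannot reach any zoned interface at all.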
Filtering
- Access control lists (ACLs): a list of rules or policies programmed into a router or other device to control what is allowed to gain access to a network
- MAC filtering: permit or deny by source hardware address
- IP filtering: permit or deny by source or destination IP address or range
- Port filtering: permit or deny by TCP/UDP port (service)
- Port security: limits which, and how many, MAC addresses may use a switch port

Honey Pots
- Network security tools that present an attacker with a decoy target instead of the protected network
- While distracted by the decoy, the attacker can be identified and cut off
- The methods used against the decoy are studied to strengthen the real network's defences (a research laboratory for attacks)
- A honey net is a network of two or more honey pots
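Added example, not part of the lesson, combining the filtering methods on this slide (MAC, IP and port filtering with a first-match ACL) with the stateful-versus-stateless distinction from the earlier slide. The rule format is this example's own, not any vendor's ACL syntax; the MAC allow-list, ACL entries, addresses and sample packets are all constructed. The same four packets are pushed through a stateless and a stateful firewall so the difference in verdicts is visible.

```python
"""ACL filtering (MAC, IP and port) on a stateless versus a stateful firewall.

Added example; not part of the lesson. The rule format is this example's
own (not any vendor's ACL syntax), and the MAC allow-list, ACL entries and
sample packets are all constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn_only: bool = False   # TCP SYN without ACK: a new connection attempt


# MAC filtering / port security: only these LAN stations may send (constructed).
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# ACL entries: (action, src_net, src_ports, dst_net, dst_ports, proto).
# None means "any". Entries are evaluated top to bottom, first match wins,
# and an unmatched packet hits the implicit deny at the end.
BASE_ACL = [
    ("permit", "192.168.1.0/24", None, "0.0.0.0/0", {80, 443}, "tcp"),   # LAN -> web
    ("permit", "192.168.1.0/24", None, "10.0.0.53/32", {53}, "udp"),     # LAN -> DNS
]
# A stateless filter has no memory of outbound requests, so to let replies
# in it needs a standing rule for anything *from* ports 80/443 back to the
# LAN. Anyone who sends from source port 443 walks through that hole, which
# is the "easier to hijack" point on the stateful-versus-stateless slide.
STATELESS_RETURN_RULE = ("permit", "0.0.0.0/0", {80, 443}, "192.168.1.0/24", None, "tcp")


def acl_lookup(acl, pkt: Packet) -> str:
    src = ipaddress.ip_address(pkt.src_ip)
    dst = ipaddress.ip_address(pkt.dst_ip)
    for action, src_net, src_ports, dst_net, dst_ports, proto in acl:
        if src not in ipaddress.ip_network(src_net):
            continue
        if dst not in ipaddress.ip_network(dst_net):
            continue
        if src_ports is not None and pkt.src_port not in src_ports:
            continue
        if dst_ports is not None and pkt.dst_port not in dst_ports:
            continue
        if proto is not None and proto != pkt.proto:
            continue
        return action
    return "deny"   # implicit deny


class Firewall:
    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.acl = list(BASE_ACL) if stateful else list(BASE_ACL) + [STATELESS_RETURN_RULE]
        self.flows = set()   # 5-tuples of sessions the stateful firewall has admitted

    def process(self, pkt: Packet, ingress: str) -> str:
        # MAC filtering applies to frames arriving from the LAN side.
        if ingress == "inside" and pkt.src_mac not in ALLOWED_MACS:
            return "deny-mac"
        if self.stateful:
            # A packet whose reverse 5-tuple is a known session is a reply.
            reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reverse in self.flows:
                return "permit-established"
            # Anything else that is TCP must be a real connection attempt.
            if pkt.proto == "tcp" and not pkt.syn_only:
                return "deny-no-state"
        verdict = acl_lookup(self.acl, pkt)
        if verdict == "permit" and self.stateful:
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return verdict


def run_scenario(stateful: bool) -> dict:
    """Push four constructed packets through a firewall and collect the verdicts."""
    fw = Firewall(stateful)
    out = {}
    client = Packet("00:11:22:33:44:55", "192.168.1.10", 51000, "203.0.113.10", 443, syn_only=True)
    out["client_syn"] = fw.process(client, "inside")
    reply = Packet("aa:bb:cc:dd:ee:ff", "203.0.113.10", 443, "192.168.1.10", 51000)
    out["server_reply"] = fw.process(reply, "outside")
    # Attacker on the Internet probing SSH on the LAN host from source port 443.
    probe = Packet("aa:bb:cc:dd:ee:01", "198.51.100.7", 443, "192.168.1.10", 22, syn_only=True)
    out["forged_src_port_probe"] = fw.process(probe, "outside")
    # Unregistered station on the LAN.
    rogue = Packet("de:ad:be:ef:00:01", "192.168.1.99", 40000, "203.0.113.10", 443, syn_only=True)
    out["rogue_mac"] = fw.process(rogue, "inside")
    return out
```

Both firewalls pass the client's request and reject the unregistered MAC. The stateless one must also pass the attacker's probe, because its return-traffic rule cannot distinguish a reply from a packet that merely comes from port 443; the stateful one admits the genuine reply as "permit-established" and denies the probe.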
Tunneling and Encryption Concepts
- Site-to-site and client-to-site
  - Site-to-site: two separate remote networks connected to each other
  - Client-to-site: a single computer connected to a remote network
- Secure Sockets Layer (SSL): secures the connection between a client and a server; the predecessor of TLS

Tunneling and Encryption Concepts (Cont.)
- Transport Layer Security (TLS)
  - TLS Record Protocol: provides the encryption and integrity protection of application data
  - TLS Handshake Protocol: authenticates the parties and negotiates the algorithms and keys
- Internet Security Association and Key Management Protocol (ISAKMP): establishes Security Associations and cryptographic keys (the framework used by IKE for IPsec)

Point-to-Point Protocol (PPP)
- A method to encapsulate multi-protocol datagrams over a point-to-point link
- Transports multiple protocols over the same link
- Link Control Protocol (LCP): establishes, configures, and tests the connection
- Network Control Protocols (NCPs): establish and configure each network-layer protocol (e.g., IPCP for IP) over the link

Tunneling
- The process of establishing a connection through a public network that looks like a point-to-point connection
- Three protocols are involved:
  - Carrier protocol: the protocol of the network the tunnel crosses (e.g., IP on the Internet)
  - Encapsulating protocol: wraps the original data for the trip (e.g., GRE, L2TP, IPsec)
  - Passenger protocol: the original data being carried (e.g., the private network's IP packets or PPP frames)
How Tunneling Works
Encryption
- An algorithm (cipher) is the process used to encode a packet's header, its payload, or the entire packet
- Plaintext is the data before it is encrypted
- Tunneling protocols covered in this section: L2TP, PPTP, L2F, IPsec, GRE
- Of these, only IPsec encrypts on its own; L2TP, L2F and GRE carry traffic in the clear unless combined with IPsec, and PPTP relies on PPP-level encryption (MPPE)

L2TP, PPTP, and L2F
- L2TP: designed to create a tunnel for PPP across a public packet-switched network; provides no encryption itself and is normally paired with IPsec (L2TP/IPsec)
- PPTP: tunnels PPP inside an enhanced GRE that adds flow and congestion control; its MS-CHAP/MPPE protection is no longer considered secure
- L2F: Cisco's earlier protocol designed so PPP could be tunneled over the Internet and used in VPNs; L2TP merged L2F with PPTP

Internet Protocol Security (IPSec)
- A suite of protocols designed to provide security options for IP
- Internet Key Exchange (IKE): negotiates Security Associations and keys
- Authentication Header (AH): integrity and origin authentication for the packet, including the IP header; no confidentiality
- Encapsulating Security Payload (ESP): confidentiality for the payload, with optional integrity and authentication
- Works in two modes:
  - Transport: protects only the payload; the original IP header stays in place
  - Tunnel: protects the entire original packet, which is wrapped in a new IP header

Different Types of Network Communications
IPsec tunnel mode can be used for network-to-network (gateway-to-gateway), network-to-host, and host-to-host communications.
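Added example, not part of the lesson, showing what the Authentication Header actually protects. It follows the AH layout and the mutable-field rule of RFC 4302 and uses HMAC-SHA-256-128 (RFC 4868) for the integrity check value; the key, addresses, SPI and payload are constructed, and the IPv4 header is a minimal one with its checksum left at zero, which is harmless because AH treats the checksum as mutable and zeroes it before computing the ICV. The two "in transit" functions show why a TTL decrement is tolerated but a NAT address rewrite is not.

```python
"""IPsec AH-style integrity over an IPv4 packet, and why AH breaks behind NAT.

Added example; not part of the lesson. AH layout and mutable-field rule per
RFC 4302, ICV per RFC 4868 (HMAC-SHA-256 truncated to 128 bits). Key,
addresses, SPI and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL_NUMBER = 51
ICV_LEN = 16                      # HMAC-SHA-256 truncated to 128 bits
AH_FIXED_LEN = 12                 # next header, payload len, reserved, SPI, sequence


def ip_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum stays 0 (mutable, zeroed for the ICV anyway).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that change in transit are zeroed before the ICV is computed:
    TOS/DSCP, flags + fragment offset, TTL and the header checksum. Source and
    destination addresses are NOT mutable, so AH covers them."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes = bytes(ICV_LEN)) -> bytes:
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def ah_protect(key: bytes, src: str, dst: str, inner_proto: int, payload: bytes,
               spi: int, seq: int, ttl: int = 64) -> bytes:
    ip = ip_header(src, dst, AH_PROTOCOL_NUMBER, ttl, AH_FIXED_LEN + ICV_LEN + len(payload))
    ah_zeroed = ah_header(inner_proto, spi, seq)          # ICV field zero while computing
    icv = hmac.new(key, zero_mutable(ip) + ah_zeroed + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip + ah_header(inner_proto, spi, seq, icv) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    ip, rest = packet[:20], packet[20:]
    ah_fixed = rest[:AH_FIXED_LEN]
    icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    payload = rest[AH_FIXED_LEN + ICV_LEN:]
    expected = hmac.new(key, zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def router_hop(packet: bytes) -> bytes:
    """An ordinary router decrements TTL, a mutable field: AH tolerates this."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """NAT rewrites the source address, which AH covers: verification must fail.
    (ESP does not cover the outer IP header, which is why ESP, with NAT
    traversal, is what survives NAT in practice.)"""
    p = bytearray(packet)
    p[12:16] = ipaddress.ip_address(new_src).packed
    return bytes(p)
```

A packet from ah_protect verifies after router_hop but not after nat_rewrite_source, and not under a different key. This is the practical reason AH is rarely deployed on paths that cross NAT and ESP is preferred.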
Generic Routing Encapsulation (GRE)
- Encapsulates an arbitrary network-layer protocol over any other arbitrary network-layer protocol
- Most commonly used to carry IP over IP (IP protocol number 47)
- Provides encapsulation only: no encryption or authentication, so GRE is usually combined with IPsec when confidentiality is needed

Virtual Private Network (VPN)
- Connects a client computer outside the local network to an enterprise LAN (or, site-to-site, connects two networks)
- A specific form of network tunneling
- Secure Sockets Layer (SSL) VPN: allows VPN sessions to be set up from within a browser, over SSL/TLS
- VPN concentrator: concentrates multiple VPN connections into a single device
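Added example, not part of the lesson, building and unpacking a GRE-in-IPv4 packet so the carrier, encapsulating and passenger protocols from the tunneling slide can be seen as concrete bytes. The GRE header layout and IP protocol number are standard (RFC 2784); the addresses and the inner UDP/IP passenger packet are constructed. Because GRE adds no encryption, the private inner packet is present verbatim inside the outer one.

```python
"""GRE encapsulation: carrier (outer IPv4) + encapsulating (GRE) + passenger (inner IPv4).

Added example; not from the lesson. Addresses and the inner packet are constructed.
"""
import ipaddress
import struct

GRE_PROTOCOL_NUMBER = 47      # outer IP header "protocol" field for GRE
ETHERTYPE_IPV4 = 0x0800       # GRE "protocol type" for an IPv4 passenger
GRE_FLAG_CHECKSUM = 0x8000    # optional C, K, S bits; this example sets none of them
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def ipv4_checksum(header: bytes) -> int:
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a passenger IPv4 packet: outer IP (carrier) + 4-byte GRE (encapsulating)."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)       # flags/version = 0, protocol type
    carrier = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL_NUMBER, len(gre) + len(passenger))
    return carrier + gre + passenger


def gre_decapsulate(frame: bytes) -> dict:
    """Tunnel endpoint: validate the outer header and GRE, hand back the passenger."""
    ihl = (frame[0] & 0x0F) * 4
    outer = frame[:ihl]
    if outer[9] != GRE_PROTOCOL_NUMBER:
        raise ValueError("outer packet is not GRE")
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer header checksum mismatch")
    flags_ver, ptype = struct.unpack("!HH", frame[ihl:ihl + 4])
    if flags_ver & (GRE_FLAG_CHECKSUM | GRE_FLAG_KEY | GRE_FLAG_SEQUENCE):
        raise ValueError("optional GRE fields not handled in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    passenger = frame[ihl + 4:]
    return {
        "outer_src": str(ipaddress.ip_address(outer[12:16])),
        "outer_dst": str(ipaddress.ip_address(outer[16:20])),
        "inner_src": str(ipaddress.ip_address(passenger[12:16])),
        "inner_dst": str(ipaddress.ip_address(passenger[16:20])),
        "passenger": passenger,
    }


def build_sample_passenger() -> bytes:
    # Constructed: a UDP/IP packet between two private addresses (8-byte UDP header, no data).
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return ipv4_header("10.1.1.5", "10.2.2.9", 17, len(udp)) + udp
```

The tunnel endpoints see only the public outer addresses; the private 10.x addresses travel inside. Anyone capturing the carrier network can read them too, which is the reason GRE is paired with IPsec when the passenger traffic is sensitive.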
Remote Access
- Allows remote end users to access a network and its information as if they were directly connected to that network
- Remote Access Services (RAS)
- Point-to-Point Protocol over Ethernet (PPPoE)
- Remote Desktop Protocol (RDP)
- Virtual Network Computing (VNC)
- Independent Computing Architecture (ICA)
- Secure Shell (SSH)

Remote Access Services (RAS)
- All the technology, hardware, and software used to provide remote access to a network
- Authenticates the user attempting to gain access to the network
- Limits the user's access to permitted resources
- Protects communications between the remote user and the local network from eavesdropping by attackers

Point-to-Point Protocol over Ethernet (PPPoE)
- A method that allows PPP to be used in an Ethernet environment
- Most commonly used in connection with DSL
- Discovery stage: the client broadcasts to find an access concentrator (the server side), learns its MAC address, and is assigned a PPPoE session identification number; the link is then established
- Session stage: PPP frames are carried over Ethernet tagged with that session ID
Point-to-Point Protocol over Ethernet Discovery Stage
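Added example, not part of the lesson, running the four-frame PPPoE discovery exchange (PADI, PADO, PADR, PADS) with both the host and the access concentrator in one process. The frame layout, codes and tag types are those of RFC 2516; the MAC addresses, AC name, Host-Uniq cookie and session ID are constructed. The host-side check on the returned Host-Uniq tag is the only protection discovery offers, and it only matches replies to this request; it does not authenticate the access concentrator, so any station on the segment can answer a PADI.

```python
"""PPPoE discovery (PADI / PADO / PADR / PADS) as a constructed exchange.

Added example; not part of the lesson. Layout per RFC 2516; MAC addresses,
AC name, Host-Uniq cookie and session ID are constructed.
"""
import struct

ETHERTYPE_PPPOE_DISCOVERY = 0x8863
VER_TYPE = 0x11                       # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6


def build_pppoe(code: int, session_id: int, tags) -> bytes:
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse_pppoe(data: bytes):
    ver_type, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, i = data[6:6 + length], {}, 0
    while i < len(body):
        t, l = struct.unpack("!HH", body[i:i + 4])
        tags[t] = body[i + 4:i + 4 + l]
        i += 4 + l
    return code, session_id, tags


def ethernet(dst: bytes, src: bytes, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ETHERTYPE_PPPOE_DISCOVERY) + payload


def split_ethernet(frame: bytes):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_PPPOE_DISCOVERY:
        raise ValueError("not a PPPoE discovery frame")
    return dst, src, frame[14:]


def run_discovery(host_mac: bytes, ac_mac: bytes, ac_name: bytes = b"isp-bras-1",
                  service: bytes = b"") -> dict:
    host_uniq = b"\x00\x00\xbe\xef"          # constructed cookie the host uses to match replies

    # 1. Host -> broadcast: PADI. Empty Service-Name means "any service".
    padi = ethernet(BROADCAST, host_mac,
                    build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))

    # 2. Access concentrator -> host: PADO, echoing Host-Uniq unchanged.
    dst, src, body = split_ethernet(padi)
    code, _, tags = parse_pppoe(body)
    if code != PADI or dst != BROADCAST:
        raise ValueError("AC expected a broadcast PADI")
    pado = ethernet(src, ac_mac, build_pppoe(PADO, 0, [
        (TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ])]))

    # 3. Host learns the AC's MAC from the PADO source and checks its cookie.
    #    Discovery is unauthenticated: any station on the segment may answer, so
    #    the cookie only matches replies to this request; it does not prove the AC.
    dst, learned_ac, body = split_ethernet(pado)
    code, _, tags = parse_pppoe(body)
    if dst != host_mac or code != PADO or tags.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO is not a reply to our PADI")
    padr = ethernet(learned_ac, host_mac,
                    build_pppoe(PADR, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))

    # 4. AC -> host: PADS with a non-zero session ID; the session stage follows.
    _, src, body = split_ethernet(padr)
    code, _, _ = parse_pppoe(body)
    if code != PADR:
        raise ValueError("AC expected PADR")
    session_id = 0x0001                      # constructed; the AC picks any unique non-zero value
    pads = ethernet(src, ac_mac, build_pppoe(PADS, session_id, [(TAG_SERVICE_NAME, service)]))
    _, _, body = split_ethernet(pads)
    code, sid, _ = parse_pppoe(body)
    if code != PADS or sid == 0:
        raise ValueError("bad PADS")
    return {"ac_mac": learned_ac, "ac_name": ac_name, "session_id": sid,
            "frames": [padi, pado, padr, pads]}
```

The returned dictionary holds the learned access-concentrator MAC and the assigned session ID, the two pieces of state the host needs for the session stage, plus the four raw frames for inspection.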
Remote Desktop Protocol (RDP)
- Proprietary protocol from Microsoft that creates a graphical interface between computers
- Controls several features:
  - 32-bit or lower color depth; 128-bit encryption; Network Level Authentication
  - Audio, file system, printer, and port redirection; shared clipboard
  - Terminal Services gateway; support for TLS; multiple monitor support

Virtual Network Computing (VNC)
- Allows remote access to a desktop computer; similar to Microsoft's RDP
- Open source
- Works with any graphical user interface (GUI)
- Pixel-based: transmits screen contents as a framebuffer rather than as drawing commands
- Three components: VNC server, VNC client (VNC viewer), and the VNC communications protocol

Independent Computing Architecture (ICA)
- Proprietary protocol (Citrix) that lays down specific rules for passing data between client and server
- Runs the application on the server while allowing a remote client to use it
- Supports Windows, OS X, various UNIX platforms, and various Linux platforms

Secure Shell Protocol (SSH)
- A secure replacement for Telnet, not a version of it
- Used to remotely configure devices
- Allows remote control of a device via command-line commands
- Encrypts the whole session, so credentials, commands and configuration instructions are not exposed in transit; the server is identified by its host key
Wireless Authentication and Encryption
- Wi-Fi Protected Access (WPA)
- Wired Equivalent Privacy (WEP)
- Remote Authentication Dial-In User Service (RADIUS)
- Temporal Key Integrity Protocol (TKIP)

Wi-Fi Protected Access (WPA)
- A specification or certification from the Wi-Fi Alliance, not itself a security protocol
- Replaces WEP
- WPA was created as an interim, placeholder standard (TKIP on existing WEP hardware) while IEEE 802.11i was finalized
- WPA2 includes the mandatory requirements of IEEE 802.11i (CCMP/AES encryption)
- Enterprise versions of WPA and WPA2 are available: they authenticate each user through IEEE 802.1X and a RADIUS server instead of a shared passphrase

Wired Equivalent Privacy (WEP)
- Aspired to make wireless communications as secure and private as wired communications
- Uses the RC4 stream cipher and a CRC-32 integrity check value
- Authentication components: Open System, Shared Key
- Both the key handling and the CRC-based integrity check have been broken; WEP should not be relied on

Remote Authentication Dial-In User Service (RADIUS)
- In IEEE 802.1X wireless networks the roles are:
  - Supplicant: the client requesting access
  - Authenticator: the access point (or switch) that admits the user onto the network once authentication succeeds
  - Authentication Server: the RADIUS server, which checks the credentials
- Authorization: attributes returned by the RADIUS server control where the user can go on the network
How 802.1X Works
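Added example, not part of the lesson, showing the authenticator-to-authentication-server leg of the picture above as a RADIUS Access-Request and Access-Accept (RFC 2865), including the User-Password hiding and the Response Authenticator the authenticator must check before trusting the verdict. The shared secret, user database and packet identifiers are constructed. It uses the PAP-style User-Password attribute, the simplest case; with 802.1X the user's credentials travel inside EAP-Message attributes instead, but the shared-secret protection of this leg is the same.

```python
"""RADIUS Access-Request / Access-Accept (RFC 2865) with User-Password hiding
and the Response Authenticator check.

Added example; not part of the lesson. Shared secret, users and identifiers
are constructed. PAP-style User-Password is shown; 802.1X carries EAP instead.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + bytes((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips the padding (so passwords may not end in NUL)


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                         request_auth: bytes = None) -> bytes:
    """Authenticator (NAS) side. The Request Authenticator is a fresh 16-byte
    random value; it seeds the password hiding and is echoed into the reply check."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(secret: bytes, users: dict, request: bytes) -> bytes:
    """Authentication server side: recover the password, decide, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(secret, request_auth, attrs[ATTR_USER_PASSWORD])
    code = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""   # an Accept would normally carry authorization attributes (e.g. VLAN)
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def authenticator_verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """The NAS must check the Response Authenticator before acting on the verdict;
    without it, anyone who can reach the NAS could inject an Access-Accept."""
    request_auth = request[4:20]
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

Everything protecting this exchange rests on the shared secret and MD5, so RADIUS traffic belongs on a separated management network or inside a TLS tunnel, and the verification step in authenticator_verify_reply is not optional: flipping a Reject into an Accept without the secret fails that check.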
Temporal Key Integrity Protocol (TKIP)
- A suite of algorithms designed to add security on top of WEP's RC4 so that existing hardware could be upgraded
- Increases key strength: mixes a fresh per-packet key from the temporal key, the sender's address and a 48-bit packet counter, so each packet is encrypted differently
- Employs a sequence counter (TSC) on every packet to reject replayed packets
- Replaces reliance on WEP's CRC-32 with a keyed message integrity check (Michael) that an attacker cannot recompute
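Added example, not part of the lesson, serving both the WEP slide and this TKIP slide. It implements WEP's real construction (RC4 keyed with IV || key, CRC-32 integrity check value) and shows that an attacker who never learns the key can flip chosen bits in a captured frame and repair the ICV, because CRC-32 is linear. The keyed MIC appended at the end is a stand-in for TKIP's Michael algorithm (HMAC-SHA-256 truncated to 8 bytes, an assumption made for illustration), used only to show what a keyed integrity check buys. Keys, IV and messages are constructed.

```python
"""WEP's weak integrity check, and why TKIP added a keyed MIC.

Added example, not part of the lesson. Keys, IV and messages are constructed.
The HMAC-based MIC is a stand-in for TKIP's Michael, not an implementation of it.
"""
import hashlib
import hmac
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, little-endian on the wire."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Per-packet RC4 key is the 24-bit IV followed by the shared key; the IV
    # is sent in the clear so the receiver can rebuild the same key.
    return iv + rc4(iv + wep_key, plaintext + crc32_le(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    pt = rc4(iv + wep_key, body)
    data, icv = pt[:-4], pt[-4:]
    return data if icv == crc32_le(data) else None   # None = ICV check failed


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker without the key: XOR `delta` into the ciphertext and patch the
    encrypted ICV. CRC-32 is affine, so crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0...0);
    XORing the last two terms into the encrypted ICV keeps it valid."""
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover exactly the plaintext bytes")
    icv_fix = bytes(a ^ b for a, b in zip(crc32_le(delta), crc32_le(bytes(len(delta)))))
    patch = delta + icv_fix
    return iv + bytes(b ^ p for b, p in zip(body, patch))


MIC_LEN = 8


def frame_with_mic(wep_key: bytes, mic_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stand-in for TKIP's Michael MIC (assumption: HMAC-SHA-256 truncated to
    # 8 bytes). The point is that the check is keyed, so an attacker cannot
    # recompute it the way a CRC can be recomputed.
    mic = hmac.new(mic_key, plaintext, hashlib.sha256).digest()[:MIC_LEN]
    return wep_encrypt(wep_key, iv, plaintext + mic)


def verify_with_mic(wep_key: bytes, mic_key: bytes, frame: bytes):
    pt = wep_decrypt(wep_key, frame)
    if pt is None:
        return None
    data, mic = pt[:-MIC_LEN], pt[-MIC_LEN:]
    expected = hmac.new(mic_key, data, hashlib.sha256).digest()[:MIC_LEN]
    return data if hmac.compare_digest(mic, expected) else None


# Constructed sample values.
WEP_KEY = bytes.fromhex("0102030405")                 # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")
MESSAGE = b"GET http://bank.example/ HTTP/1.0"
TARGET = b"GET http://evil.example/ HTTP/1.0"          # same length, four bytes differ
DELTA = bytes(a ^ b for a, b in zip(MESSAGE, TARGET))  # what the attacker XORs in
```

flip_bits turns the encrypted request for bank.example into a valid encrypted request for evil.example without the key, and wep_decrypt accepts it. With the keyed MIC in place the CRC still passes but verify_with_mic rejects the frame, which is the gap TKIP's Michael closed (TKIP's other measures, per-packet key mixing and the replay counter, are not modelled here).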
Best Practices: Policies and Procedures
- Creating a network security policy
- Password policies
- Access policies
- Reporting problems

Best Practices: User Training
- The single most important tool for ensuring policies are understood and implemented
- New employee orientation
- Ongoing training procedures
- Education and inclusion develop support for sustainable policies

Best Practices: Patches and Upgrades
- Patches and upgrades are released when products are found to have bugs or security flaws
- Implement policies about how and when patches and updates are applied
- What the policies should contain:
  - Procedures to test and roll out an update to production systems
  - A procedure to roll back an update or patch that causes problems
Summary
- Firewalls protect networks and limit the damage attackers can do
- Network-based firewalls combine hardware and software and may be deployed in single- or dual-firewall configurations
- Proxy servers are intermediary devices or applications between networks and servers
- NIDS/NIPS look for evidence of intruder activity and stop it once detected
- Host-based firewalls evaluate packets to determine whether they are malicious

Summary (Continued)
- Common features of a firewall include application-layer versus network-layer operation, stateful versus stateless inspection, scanning services, content filters, signature identification, and zones
- Access control lists (ACLs); MAC, IP, and port filtering; and port security are filtering methods that control what is able to gain access to a network
- Honey pots are decoy targets that distract attackers and reveal their methods
- Tunneling and encryption concepts connect, secure, authenticate, and encrypt networks and protocols

Summary (Continued)
- Internet Protocol Security (IPsec) is a suite of protocols designed to provide security options for IP, including Internet Key Exchange (IKE), Authentication Header (AH), and Encapsulating Security Payload (ESP)
- Generic Routing Encapsulation (GRE) encapsulates an arbitrary network-layer protocol over any other arbitrary network-layer protocol
- A Virtual Private Network (VPN) connects a client computer to an enterprise LAN; variants include the Secure Sockets Layer (SSL) VPN, and multiple VPN connections are terminated on a VPN concentrator

Summary (Continued)
- Remote access allows remote end users to access a network as if directly connected to it, using Remote Access Services (RAS), Point-to-Point Protocol over Ethernet (PPPoE), Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), Independent Computing Architecture (ICA), and Secure Shell (SSH)

Summary (Continued)
- Temporal Key Integrity Protocol (TKIP) is a suite of algorithms designed to add security on top of that provided by WEP
- Best practices employ procedures to create a secure network: password, access, user, and patch/update policies; user training; and a system for reporting problems