Guide to Network Defense and Countermeasures
Chapter 2
Chapter 2 - Designing a Network Defense
- Understand covert channeling and other common attack threats you need to defend against
- Describe the network security components that make up a layered defense configuration
- List the essential activities that need to be performed in order to protect a network
- Integrate an intrusion detection system (IDS) into a network security configuration
Common Attack Threats
The kinds of security attacks faced include:
- Covert channeling is a way to gain unauthorized access to systems through communications ports
- Denial of Service (DoS) attacks shut down networks
- Remote procedure call abuses that give hackers access using Windows networking services
- Viruses and Trojan horses enter through e-mail messages or downloaded files
- Man-in-the-middle attacks can destroy privacy
- Fragmented IP packets can be used to sneak in malicious code
Network vulnerabilities include services and computers that might present openings:
- Vulnerable services that a hacker may be able to exploit in a server program
- E-mail gateways where hackers can attach a virus payload to a message; when the recipient opens it, the program runs and the virus installs itself
- Porous border can result when a computer is listening on a virtual channel that is not being used
- Gullible employees can be fooled by hackers
Denial of Service (DoS) attacks are launched against network servers:
- The server is flooded with more requests to view Web pages and access files than it can handle
- The server is so busy sending response messages to the requests that result from the DoS attack that it is unable to process legitimate requests and, as a result, the network is effectively blocked
- Numerous types of DoS attacks exist; the more common are SYN floods and address spoofing
DoS attacks (cont.):
- In SYN flood attacks, the attacker sends a TCP packet to the host with the SYN flag set; the server responds by sending an ACK, which the attacker never responds to - the server uses its resources as it waits; the attacker then sends a flood of TCP SYN requests without responding and eventually the server exhausts its resources
- In an address spoofing attack, the attacker finds an open port, then sends a packet containing a spoofed address and the same source IP address as the server's own - this can crash the server
Other attacks:
- In a Remote Procedure Call (RPC) attack, RPC packets that contain spoofed addresses are sent to a server; when the RPC server is unable to interpret the spoofed address, it sends an RPC REJECT packet; if enough spoofed RPC packets are sent, the resulting REJECTs drain server resources
- A virus is computer code that copies itself from one place to another and performs actions that range from benign to harmful; worms create files that copy themselves over and over and take up disk space
Other attacks (cont.):
- A Trojan horse is a harmful computer program that creates a back door - an opening to a computer such as an unused port or terminal service that gives a hacker the ability to control a computer
- In a man-in-the-middle attack, a hacker intercepts part of an encrypted data session to gain control over what is being exchanged; as a result, the hacker can impersonate the intended recipient
- By assigning a packet a false fragment number and embedding IP header data within it, a hacker can sometimes fool a host into letting the packets in
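As an added illustration (not from the slides or the textbook), the receiving-side countermeasure to the fragment trick above is to validate fragments before reassembling them. The Python checker below refuses a first fragment too small to carry the transport header and any fragment that overlaps data already received, the tiny-fragment and overlapping-fragment checks described in RFC 1858; the Fragment type, the byte-granularity offsets and the sample fragments are constructed for this example.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535      # largest IP datagram that can be reassembled
MIN_FIRST_FRAGMENT = 20   # bytes needed so the first piece carries a whole TCP header

@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification shared by all pieces of one datagram
    offset: int     # byte offset of this piece in the original datagram (constructed: bytes, not 8-byte units)
    more: bool      # IP "more fragments" flag
    payload: bytes

def check_fragments(frags):
    """Validate the pieces of one datagram. Returns (accepted, reason).

    A first fragment too small to hold the TCP header, or a fragment whose
    offset lands inside data already received, is refused: both are ways to
    slip header data past a filter that only inspects the first fragment."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or frags[0].offset != 0:
        return False, "no fragment at offset 0"
    if len({f.ident for f in frags}) != 1:
        return False, "fragments belong to different datagrams"
    if frags[0].more and len(frags[0].payload) < MIN_FIRST_FRAGMENT:
        return False, "tiny first fragment: transport header split across pieces"
    expected = 0
    for f in frags:
        if f.offset < expected:
            return False, f"fragment at offset {f.offset} overlaps earlier data"
        if f.offset > expected:
            return False, f"gap before offset {f.offset}: datagram incomplete"
        expected = f.offset + len(f.payload)
        if expected > MAX_DATAGRAM:
            return False, "reassembled datagram would exceed 65535 bytes"
    if frags[-1].more:
        return False, "last fragment not seen yet"
    return True, "ok"

def reassemble(frags):
    """Join validated fragments, or raise if check_fragments refuses them."""
    ok, reason = check_fragments(frags)
    if not ok:
        raise ValueError(reason)
    return b"".join(f.payload for f in sorted(frags, key=lambda f: f.offset))

# Constructed samples: a 24-byte "header" followed by 8 bytes of data.
HEADER, DATA = bytes(range(24)), b"PAYLOAD!"
NORMAL = [Fragment(7, 0, True, HEADER), Fragment(7, 24, False, DATA)]
# Second piece starts at offset 8, rewriting part of the header already seen.
OVERLAP = [Fragment(8, 0, True, HEADER), Fragment(8, 8, False, b"X" * 16 + DATA)]
# First piece holds only 8 bytes, so the rest of the TCP header arrives later.
TINY = [Fragment(9, 0, True, HEADER[:8]), Fragment(9, 8, False, HEADER[8:] + DATA)]
```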
Providing Layers of Network Defense
Good network protection involves arranging a group of components in such a way that they provide layers of network defense:
- Layer 1: Physical security protects computers from theft (use locks), fire, or environmental disaster
- Layer 2: Password security means using good passwords, securing them, changing as needed
- Layer 3: Operating system security involves installing operating system patches, hotfixes and service packs; also disabling guest accounts
Layers of network defense (cont.):
- Layer 4: Using anti-virus protection means setting up anti-virus software and updating definitions
- Layer 5: Packet filtering blocks or allows the transmission of packets based on port, IP address, protocol, or other criteria; packet filters come in the form of routers, operating systems, or firewalls; stateless packet filtering decides on packets based on established connections, whereas stateful packet filtering goes beyond stateless and maintains an intelligent rule base and state table
Layers of network defense (cont.):
- Layer 6: Firewalls reflect the heart of a company's security policy in that they control the amount of traffic the network receives and the ease with which users can access external networks; two firewall approaches exist: permissive, which allows traffic through by default and blocks on a case-by-case basis; restrictive, which blocks all traffic by default and allows it on a case-by-case basis; another function performed by firewalls is Network Address Translation (NAT), which converts internal IP addresses to different ones
Layers of network defense (cont.):
- Layer 7: Proxy servers can conceal end users in a network and act as a go-between, forwarding data between internal users and external hosts; proxies work by examining the port each service uses, screening all traffic into and out of each port and deciding whether to block or allow traffic based on rules set up by the proxy server administrator; ultimately, because of their strengths and weaknesses, proxy servers and packet filters need to be used together in a firewall
Layers of network defense (cont.):
- Layer 8: DMZ, or demilitarized zone, is a network that sits outside the internal network (but is connected to the firewall), and makes services publicly available while protecting the internal LAN; DMZs are a standard in e-commerce to protect and ensure that successful electronic transactions take place; the most common type of DMZ is a screened subnet, created by grouping public service servers and combining them with the firewall's subnet; often, a company will add a second firewall for an extra level of security
Layers of network defense (cont.):
- Layer 9: Intrusion detection systems (IDSs) work by recognizing the signs of a possible attack and sending a notification to an administrator
- Layer 10: Virtual private networks (VPNs) provide relatively low-cost and secure connection between organizations that use the public Internet; VPNs encrypt packets, provide user authentication, and encapsulate encrypted packets
- Layer 11: Logging and administration involves reviewing and analyzing firewall and IDS log files
Essential Network Security Activities
The most common activities of any network security configuration are:
- Encryption, which is the process of concealing information to render it unreadable to all but the intended recipients; an encrypted code called a digital signature is attached to the files that are exchanged during the transaction so that each party can ensure the other's identity
- Authentication is the act of reliably determining whether an entity is whom they claim to be
Security configuration activities (cont.):
- Developing a packet filtering rule base, which is a set of individual rules that the filter reviews when it encounters a packet
- Virus protection is a central activity that needs to be performed to protect a network and its users; it should scan the content of e-mail messages
- Secure remote access is one of the biggest security challenges facing organizations that communicate via the Internet and need to provide access for remote users; a VPN provides an ideal solution
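To make the packet filtering rule base described here, and the packet-filtering layer and the permissive versus restrictive firewall approaches from the layers section, concrete, here is an added example in Python (not code from the book or the slides). It evaluates an ordered rule base with a configurable default verdict and keeps a state table so that replies to connections the LAN opened are admitted; the Packet and Rule types, the addresses and both sample rule bases are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; the default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction) and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport in (None, p.dport))

class PacketFilter:
    """First matching rule wins; unmatched packets get the default ("deny" is the
    restrictive approach, "allow" the permissive one). The state table admits
    replies to connections the LAN opened, which is what makes the filter stateful."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default
        self.state = set()       # (client, client port, server, server port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.state:
            return "allow"       # reply to a connection already in the state table
        verdict = next((r.action for r in self.rules if r.matches(p)), self.default)
        if verdict == "allow" and p.direction == "out":
            self.state.add((p.src, p.sport, p.dst, p.dport))
        return verdict

# Constructed rule bases: restrictive = only HTTP to the DMZ web server inbound and
# LAN-initiated TCP outbound; permissive = everything except inbound Telnet.
RESTRICTIVE = PacketFilter([Rule("allow", "in", "tcp", dst="192.0.2.10/32", dport=80),
                            Rule("allow", "out", "tcp", src="10.0.0.0/8")], default="deny")
PERMISSIVE = PacketFilter([Rule("deny", "in", "tcp", dport=23)], default="allow")

SAMPLE = [Packet("in", "tcp", "198.51.100.4", 40000, "192.0.2.10", 80),   # web request
          Packet("in", "tcp", "198.51.100.4", 40001, "10.0.0.5", 23),     # Telnet probe
          Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.7", 443),    # LAN browses out
          Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 51000),     # reply to it
          Packet("in", "udp", "198.51.100.4", 40002, "10.0.0.5", 161)]    # SNMP probe

def verdicts(fw: PacketFilter):
    """Run the sample packets through a filter in order (order matters for the state table)."""
    return [fw.decide(p) for p in SAMPLE]
```

The same five packets give different verdicts under the two defaults only for traffic no rule mentions (the SNMP probe), which is exactly the difference between the two approaches.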
Security configuration activities (cont.):
- Working with log files involves reviewing and maintaining these files so that you can detect intrusion attempts by suspicious patterns of activity
- Managing log files is tedious and time consuming, but the network administrator must read log files to see who is accessing the network from the Internet
- Log files compiled by firewalls allow you to see active data, recently recorded data, system events, security events, traffic and packets; be sure to use graphic displays of log file entries
Integrating Intrusion Detection Systems (IDSs)
An IDS fits into an overall network security program in the following ways:
- The best way to configure an IDS is to anticipate what attacks you are likely to encounter so that you can make sure the IDS has the appropriate signatures or rules available to it
- A good IDS system notifies the appropriate individuals and provides information about what type of event occurred and where it took place
- The logical place for locating an IDS is near the point where the internal network has an interface with the external Internet
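Reviewing log files for suspicious patterns (the activity described earlier) and giving an IDS rules for the attacks you expect both come down to the same kind of check, so here is one added example, not from the slides or the textbook: a Python analyzer run over constructed firewall log lines that flags the two DoS patterns this chapter describes, a burst of SYNs that never complete the handshake (SYN flood) and an inbound packet carrying one of the organization's own server addresses as its source (address spoofing). The log format, OUR_SERVERS, the threshold and the window are assumptions made for the example; the log is assumed to record inbound traffic on the Internet-facing interface.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format (not any real firewall's): timestamp, verdict,
# protocol, source, destination and TCP flags ("S" = SYN only, "A" = ACK).
LOG_RE = re.compile(r"(\S+) (ACCEPT|DROP) TCP (\S+):(\d+) -> (\S+):(\d+) flags=(\S+)")

OUR_SERVERS = {"192.0.2.10"}     # addresses no packet arriving from the Internet may carry
HALF_OPEN_THRESHOLD = 20         # half-open connections per server inside WINDOW
WINDOW = timedelta(seconds=10)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, _verdict, src, sport, dst, dport, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": flags}

def analyze(lines):
    """Return one alert string per suspicious pattern found in the log lines."""
    alerts = []
    half_open = defaultdict(dict)   # server -> {(client, client port): time of its SYN}
    for rec in filter(None, map(parse, lines)):
        # Rule 1: an inbound packet whose source is one of our own server addresses
        if rec["src"] in OUR_SERVERS:
            alerts.append(f"{rec['ts']} spoofed source {rec['src']} -> {rec['dst']}:{rec['dport']}")
            continue
        pending, key = half_open[rec["dst"]], (rec["src"], rec["sport"])
        if rec["flags"] == "S":
            # Rule 2: too many SYNs whose handshake never completes inside WINDOW
            pending[key] = rec["ts"]
            cutoff = rec["ts"] - WINDOW
            for stale in [k for k, t in pending.items() if t < cutoff]:
                del pending[stale]
            if len(pending) >= HALF_OPEN_THRESHOLD:
                alerts.append(f"{rec['ts']} possible SYN flood against {rec['dst']}: "
                              f"{len(pending)} half-open connections")
                pending.clear()      # one alert per burst, then start counting again
        elif rec["flags"] == "A":
            pending.pop(key, None)   # the client completed the handshake
    return alerts

def sample_log():
    """Constructed inbound log: three normal clients, one SYN burst, one spoofed packet."""
    t0, lines = datetime(2024, 5, 1, 10, 0, 0), []
    line = "{} ACCEPT TCP {}:{} -> 192.0.2.10:80 flags={}".format
    for i in range(3):           # SYN followed 50 ms later by the client's ACK
        lines.append(line((t0 + timedelta(seconds=i)).isoformat(), "198.51.100.4", 40000 + i, "S"))
        lines.append(line((t0 + timedelta(seconds=i, milliseconds=50)).isoformat(), "198.51.100.4", 40000 + i, "A"))
    for i in range(25):          # 25 SYNs from one host, none ever acknowledged
        lines.append(line((t0 + timedelta(seconds=5, milliseconds=i)).isoformat(), "203.0.113.9", 50000 + i, "S"))
    lines.append(line((t0 + timedelta(seconds=9)).isoformat(), "192.0.2.10", 1234, "S"))
    return lines
```

Clients that finish the handshake are removed from the half-open table, so ordinary traffic at any volume never trips the SYN flood rule; only SYNs left unanswered inside the window count.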
Chapter Summary
This chapter gives you a rundown of the fundamental network security tools and approaches you need to design a defensive perimeter. An effective network security strategy involves many layers of defense working together to prevent many different kinds of threats.
You begin by reviewing the common security threats you need to guard against. These include Denial of Service attacks such as SYN floods and address spoofing; covert channeling attacks; virus attacks; and man-in-the-middle attacks.
The following are the layers of network security that you can set up:
- Layer 1, or physical security - lock computers, provide environmental controls, use alarm systems
- Layer 2, or password security - use good passwords and change them regularly
- Layer 3, or operating system security - install operating system patches and updates to plug obvious holes such as unused ports
- Layer 4, or use of anti-virus protection - set up anti-virus software and update virus definitions periodically
- Layer 5, or packet filtering - set up a packet filtering rule base
Layers of network security (cont.):
- Layer 6, or use of firewalls - set up a DMZ and firewall to protect your internal LAN while providing external clients with public services such as Web pages
- Layer 7, or use of proxy server - set up a proxy server to conceal the identity of internal hosts
- Layer 8, or use of DMZ - place proxy servers, Web servers, e-mail servers, and other servers in an area outside of the internal network but still protected by the firewall, called a DMZ
- Layer 9, or use of Intrusion Detection System (IDS) - set up an IDS to notify you when security events occur
Layers of network security (cont.):
- Layer 10, or use of virtual private network (VPN) - set up a VPN and secure remote clients with firewalls and anti-virus software
- Layer 11, or use of logging and administration - keep reviewing your firewall, packet filtering, and IDS logs on a regular basis
Encryption protects data as it passes from one network to another, and authentication limits access to authorized users.
Packet filtering allows or blocks packets based on a set of rules, and virus protection helps prevent computer systems from being attacked.
Secure remote access gives contractors and mobile users a way to connect to the home network; log files give the network administrator the ability to analyze who is accessing the network from the Internet, as well as a way of detecting intrusion attempts based on patterns of suspicious activity.
An IDS is an ideal tool for real-world situations in which security breaches occur. The IDS can notify you by e-mail, by log file alert messages, or even by sending a message to your pager. The IDS should be located on the perimeter of the network, but it can be located in any number of places - either on a server in the DMZ, between the external router and the Internet, or between the router and the LAN.
When you receive an alert from an IDS, react rationally: use the alerts to assess whether the network has actually been breached or not, and to track what resources, if any, have been affected.