Chapter 14Network Security

Network+ Guide to Networks, Fourth Edition

Objectives

• Identify security risks in LANs and WANs and design security policies that minimize risks

• Explain how physical security contributes to network security

• Discuss hardware- and design-based security techniques

• Use network operating system techniques to provide basic security

Objectives (continued)

• Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit

• Describe how popular authentication protocols, such as RADIUS, TACACS, Kerberos, PAP, CHAP, and MS-CHAP, function

• Understand wireless security protocols, such as WEP, WPA, and 802.11i

Security Audits

• Every organization should assess security risks by conducting a security audit– Thorough examination of each aspect of network to

determine how it might be compromised

– At least annually, preferably quarterly

• The more devastating a threat’s effects and the more likely it is to happen, the more rigorously your security measures should address it

• In-house or third-party audits

Security Risks

• Not all security breaches result from manipulation of network technology– Staff members purposely or inadvertently reveal

passwords

– Undeveloped security policies

• Malicious and determined intruders may “cascade” their techniques

Risks Associated with People

• Human errors, ignorance, and omissions cause majority of security breaches

• Risks associated with people:– Social engineering or snooping to obtain passwords– Incorrectly creating or configuring user IDs, groups, and

their associated rights on file server– Overlooking security flaws in topology or hardware

configuration– Overlooking security flaws in OS or application

configuration– Lack of documentation and communication

Risks Associated with People

• Risks associated with people (continued):– Dishonest or disgruntled employees

– Unused computer or terminal left logged on

– Easy-to-guess passwords

– Leaving computer room doors open or unlocked

– Discarding disks or backup tapes in public waste containers

– Neglecting to remove access and file rights when required

– Writing passwords on paper

Risks Associated with Transmission and Hardware

• Risks inherent in network hardware and design:– Transmissions can be intercepted

– Networks using leased public lines vulnerable to eavesdropping

– Network hubs broadcast traffic over entire segment

– Unused hub, router, or server ports can be exploited and accessed by hackers

– Not properly configuring routers to mask internal subnets

Risks Associated with Transmission and Hardware

• Risks inherent in network hardware and design (continued):– Modems attached to network devices may be configured

to accept incoming calls

– Dial-in access servers may not be carefully secured and monitored

– Computers hosting very sensitive data may coexist on the same subnet with computers open to public

– Passwords for switches, routers, and other devices may not be sufficiently difficult to guess, changed frequently, or may be left at default value

Risks Associated with Protocols and Software

• Networked software only as secure as it is configured to be

• Risks pertaining to networking protocols and software:– TCP/IP contains several security flaws

– Trust relationships between one server and another may allow hackers to access entire network

– NOSs may contain “back doors” or security flaws allowing unauthorized access to system

Risks Associated with Protocols and Software

• Risks pertaining to networking protocols and software (continued):– If NOS allows server operators to exit to a command

prompt, intruders could run destructive command-line programs

– Administrators might accept the default security options after installing an OS or application (often not optimal)

– Transactions that take place between applications may be open to interception

Risks Associated with Internet Access

• Common Internet-related security issues:– Firewall may not be adequate protection, if not configured

properly• IP spoofing

– When user Telnets or FTPs to site over Internet, user ID and password transmitted in plain text

– Hackers may obtain information about user IDs from newsgroups, mailing lists, forms filled out on Web

– Flashing

– Denial-of-service attack

An Effective Security Policy

• Security policy identifies security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for team members, responsibilities for each employee– Specifies how to address security breaches

– Should not state exact hardware, software, architecture, or protocols used to ensure security

• Nor how hardware or software will be installed and configured

– Details change occasionally

Security Policy Goals

• Typical goals for security policies:– Ensure authorized users have appropriate access to

resources– Prevent unauthorized users from gaining access to

network, systems, programs, or data– Protect sensitive data from unauthorized access– Prevent accidental or intentional damage to hardware or

software– Create environment in which network and systems can

withstand and recover from any type of threat– Communicate each employee’s responsibilities

Security Policy Content

• After risks identified and responsibilities assigned, policy’s outline should be generated

• Possible subheadings: Passwords; Software installation; Confidential and sensitive data; Network access; E-mail use; Internet use; Modem use; Remote access; Connecting to remote locations, Internet, and customers’ and vendors’ networks; Use of laptops and loaner machines; Computer room access

Security Policy Content

• Explain to users what they can and cannot do and how these measures protect network’s security

• Create separate section of policy that applies only to users

• Define what “confidential” means to organization

Response Policy

• Security response team should regularly rehearse defense strategy

• Suggestions for team roles:– Dispatcher– Manager– Technical support specialist– Public relations specialist

• After resolving a problem, team reviews what happened, determines how it might have been prevented, implements measures to prevent future problems

Physical Security

• Restrict physical access to components– Computer room, hubs, routers, switches, etc.

• Locks may be physical or electronic– Electronic access badges

– Numeric key codes

– Bio-recognition access

• Closed-circuit TV systems• Most important way to ensure physical security is to

plan for it

Physical Security

Figure 14-1: Badge access security system

Security in Network Design: Firewalls

• Selectively filter or block traffic between networks– Hardware-based, software-based, or combination

• Packet-filtering firewall examines header of every packet of data received– Common filtering criteria:

• IP addresses• Ports • Flags set in IP header• Transmissions that use UDP or ICMP• First packet in new data stream?• Inbound or outbound?

Security in Network Design: Firewalls

• Factors when choosing a firewall:– Supports encryption?

– Supports user authentication?

– Allows central management?

– Easily establishes rules for access?

– Supports filtering at highest layers of OSI Model?

– Provides logging, auditing, alerting capabilities?

– Protects identity of internal LAN’s addresses?

• Cannot distinguish between user trying to breach firewall and user authorized to do so

Proxy Servers

• Proxy service: software that acts as intermediary between external and internal networks– Screen all incoming and outgoing traffic

• Manage security at Application layer• May be combined with Firewall for greater security• Improve performance for users accessing resources

external to network by caching files

Proxy Servers

Figure 14-4: A proxy server used on a WAN

Remote Access

• Must remember that any entry point to a LAN or WAN creates potential security risk

• Remote control:– Can present serious security risks

– Most remote control software programs offer features that increase security

– Desirable security features:• User name and password requirement

• Ability of host system to call back

• Support for data encryption

Remote Access

• Remote control (continued):– Desirable security features (continued):

• Ability to leave host system’s screen blank while remote user works

• Ability to disable host system’s keyboard and mouse

• Ability to restart host system when remote user disconnects

Remote Access

• Dial-up networking – Effectively turns remote workstation into node on

network

– Secure remote access server package should include at least:

• User name and password authentication

• Ability to log all dial-up connections, their sources, and their connection times

• Ability to perform callbacks to users

• Centralized management of dial-up users and their rights on network

Network Operating System Security

• Regardless of NOS, can implement basic security by restricting what users authorized to do– Limit public rights

– Administrators should group users according to security levels

Logon Restrictions

• Additional restrictions that network administrators can use to strengthen security of network:– Time of day

– Total time logged on

– Source address

– Unsuccessful logon attempts

Passwords

• Tips for making and keeping passwords secure:– Always change system default passwords

– Do not use familiar information

– Do not use dictionary words

– Make password longer than eight characters

– Choose combination of letters and numbers

– Do not write down or share passwords

– Change password at least every 60 days

– Do not reuse passwords

Encryption

• Use of algorithm to scramble data into format that can be read only by reversing the algorithm

• Encryption provides following assurances:– Data not modified after sender transmitted it and before

receiver picked it up

– Data can only be viewed by intended recipient

– All data received at intended destination truly issued by stated sender and not forged by an intruder

Key Encryption

• Key: random string of characters• Weaves key into original data’s bits to generate

unique data block– Ciphertext

– Longer keys make it more difficult to decrypt

– Hackers may attempt to crack a key by using brute force attack

• Keys randomly generated by encryption software

Key Encryption

Figure 14-5: Key encryption and decryption

Private Key Encryption

• Data encrypted using single key that only sender and receiver know

• Data Encryption Standard (DES): 56-bit key– Triple DES (3DES): weaves 56-bit key through data three

times

• Advanced Encryption Standard (AES): weaves 128-, 160-, 192-, or 256-bit keys through data multiple times– Used in military communication

• Sender must share key with recipient

Private Key Encryption (continued)

Figure 14-6: Private key encryption

Public Key Encryption

• Data encrypted using two keys: – Private key– Public key associated with user

• Public key server: publicly accessible host that freely provides list of users’ public keys

• Key pair: combination of public key/private key• Public keys more vulnerable than private keys

– Use longer keys– RSA: most popular public key algorithm

• Digital certificate: password-protected, encrypted file that holds identification information

Public Key Encryption

Figure 14-7: Public key encryption

PGP (Pretty Good Privacy)

• Typical e-mail communication is highly insecure• PGP: public key encryption system that can verify

authenticity of an e-mail sender and encrypt e-mail data in transmission– Freely available

– Most popular tool for encrypting e-mail

– Can be used to encrypt data on storage devices or with applications other than e-mail

SSL (Secure Sockets Layer)

• Method of encrypting TCP/IP transmissions en route between client and server – Public key encryption

• HTTPS (HTTP over Secure Sockets Layer): uses TCP port 443, rather than port 80

• SSL session: association between client and server defined by agreement on specific set of encryption techniques– Created by SSL handshake protocol

• IETF has attempted to standardize SSL with Transport Layer Security (TLS)

SSH (Secure Shell)

• Provides remote connections to hosts– With authentication and security for transmitting data– Guards against unauthorized access to host, IP spoofing,

interception of data in transit, and DNS spoofing– Variety of encryption algorithms can be used

• To form secure connection, must be running on client and server

• Must first generate public and private keys on client workstation – ssh keygen command

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)

• SCP: allows secure copying of files from one host to another– Replaces FTP

• SFTP: slightly different from SCP– Used with proprietary version of SSH

– Does more than copy files

IPSec (Internet Protocol Security)

• Defines encryption, authentication, and key management for TCP/IP transmissions– Encrypts data by adding security information to header of

IP packets

– Operates at Network layer

• Accomplishes authentication in two phases:– Key management: Internet Key Exchange (IKE)

– Encryption: authentication header (AH) or Encapsulating Security Payload (ESP)

• Can be used with any type of TCP/IP transmission

Authentication Protocols: RADIUS and TACACS

• Authentication protocols: rules that computers follow to accomplish authentication

• RADIUS: provides centralized network authentication and accounting for multiple users– Runs over UDP

– Can operate as software application on remote access server or on a RADIUS server

– Often used with dial-up networking connections

• Terminal Access Controller Access Control System (TACACS): similar to RADIUS

Authentication Protocols: RADIUS and TACACS (continued)

Figure 14-8: A RADIUS server providing centralized authentication

PAP (Password Authentication Protocol)

• Authentication protocol that works over PPP– Simple, not very secure

– Does not protect against possibility of malicious intruder attempting to guess user’s password through brute force attack

Figure 14-9: Two-step authentication used in PAP

CHAP and MS-CHAP

• Challenge Handshake Authentication Protocol (CHAP): operates over PPP– Encrypts user names and passwords– Three-way handshake– Password never transmitted alone or as clear text

• Microsoft Challenge Authentication Protocol (MS-CHAP): similar to CHAP– Used on Windows systems– MS-CHAPv2 uses stronger encryption

• Mutual authentication: both computers verify credentials of the other

CHAP and MS-CHAP (continued)

Figure 14-10: Three-way handshake used in CHAP

EAP (Extensible Authentication Protocol)

• Another extension to PPP protocol suite– Does not perform encryption or authentication

– Requires authenticator to initiate authentication process by asking connected computer to verify itself

– Flexible: supported by most OSs and can be used with any authentication method

– Works with biorecognition and wireless protocols

Kerberos

• Cross-platform authentication protocol – Uses key encryption to verify identity of clients and to

securely exchange information

– Significant advantages over NOS authentication• Does not automatically trust clients

• Requires client to prove identity through third party

– Key Distribution Center (KDC): server that issues keys

– authentication service (AS): authenticates a principal• Issues a ticket

Kerberos (continued)

• Purpose of Kerberos is to connect valid user with a service– User and service must register keys with authentication

service– AS issues session key to both

• Randomly generated

– AS creates ticket allowing user to use service• Contains key that can only be decrypted by service

– User’s computer creates time stamp for request• Encrypts with session key (authenticator)

Wireless Network Security: WEP (Wired Equivalent Privacy)

• Wireless transmissions susceptible to eavesdropping– War driving

• By default, 802.11 standard does not offer security– Allows for optional encryption using WEP

• Uses keys to authenticate network clients and encrypt data in transit

• Network key

• On Windows XP, network key can be saved as part of wireless connection’s properties

• Current versions of WEP allow 28-bit network keys

IEEE 802.11i and WPA (Wi-Fi Protected Access)

• Uses EAP with strong encryption scheme– Dynamically assigns every transmission own key

– Logging on to wireless network more complex than with WEP

– AP acts as proxy between remote access server and station until station successfully authenticates

– Requires mutual authentication

– After authentication, remote access server instructs AP to allow traffic from client into network

– Client and server agree on encryption key

IEEE 802.11i and WPA (continued)

• 802.11i specifies AES encryption method – Mixes each packet in data stream with different key

• WPA: subset of 802.11i standard– Main difference from 802.11i is that WPA specifies RC4

encryption rather than AES

Summary

• Every organization should assess its security risks by conducting a security audit at least annually

• One of the most common methods by which an intruder gains access to a network is to simply ask a user for his password

• There are many security risks that a network administrator must guard against, including risks associated with people, network transmission and design, and network protocols and software

Summary (continued)

• A security policy identifies an organization’s security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member and each employee, and strategies for addressing security breaches

• A firewall is a specialized device that selectively filters or blocks traffic between networks

• A proxy service is a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic

Summary (continued)

• Every NOS provides at least some security by allowing you to limit users’ access to files and directories on the network

• Choosing secure passwords is one of the easiest and least expensive ways to guard against unauthorized access

• Encryption is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm

• Key encryption comes in two forms: public and private key encryption

Summary (continued)

• Popular methods of encryption include PGP, SSL, SSH and OpenSSH, and IPSec

• Authentication protocols used with PPP connections include RADIUS, TACACS, PAP, CHAP, and MS-CHAP

• Because WEP uses the same key for all stations attaching to an AP and for all transmissions, it is not very secure

• In 802.11i, the EAP authentication method is combined with AES encryption