Chapter 5 - Network Defenses
7/25/2019 Chapter 5 - Network Defenses
Network Defenses
Niken D Cahyani, Gandeva Bayu Satrya
Telkom Institute of Technology
Learning Objectives
After completing this chapter you should be able to do the following:
Explain how to enhance security through network design
Define network address translation and network access control
List the different types of network security devices and explain how they can be used
Network Design - Subnetting
Subnetting identifies a network device (called a host) by its unique Internet Protocol (IP) address, which is a 32-bit (4-byte) address such as 192.146.118.20, grouped into classes (Class A, B, C, and the special Classes D and E). IP addresses are actually two addresses: one part is a network address (such as 192.146.118) and one part is a host address (such as 20).
Improved addressing techniques introduced in 1985 allowed an IP address to be split anywhere within its 32 bits, known as subnetting.
Security - Subnetting
Subnetting divides a single network into multiple smaller subnets in order to isolate groups of hosts.
Network security tools can then be used to regulate more easily who has access in and out of a particular subnetwork.
Addresses become instantly recognizable, so that the source of potential security issues can be quickly addressed. For example, any IP address beginning with 192.168.50 can indicate mobile users, 192.168.125 may designate executive users, and 192.168.200 can indicate wireless network users.
It allows network administrators to hide the internal network layout, making it more difficult for attackers.
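A worked subnetting example, added here and not part of the original slides, using Python's standard ipaddress module: it splits the slide's sample address 192.146.118.20 into network and host parts at a chosen bit boundary, divides one network into smaller subnets, and classifies hosts by the group prefixes the slide names (the /24 lengths are an assumption; the slide gives only the first three octets).

```python
from __future__ import annotations
import ipaddress

# Group subnets built from the slide's example prefixes; the /24 length is an
# assumption, the slide only names the first three octets of each group.
GROUP_SUBNETS = {
    "mobile users": ipaddress.ip_network("192.168.50.0/24"),
    "executive users": ipaddress.ip_network("192.168.125.0/24"),
    "wireless users": ipaddress.ip_network("192.168.200.0/24"),
}


def split_address(ip: str, prefixlen: int) -> tuple[str, int]:
    """Split a 32-bit IPv4 address into its network part and host number at an
    arbitrary bit boundary, which is exactly what subnetting permits."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    host_id = int(addr) - int(net.network_address)
    return str(net.network_address), host_id


def subnet_plan(network: str, new_prefix: int) -> list[tuple[str, int]]:
    """Divide one network into equal smaller subnets and report each subnet with
    its usable host count (network and broadcast addresses excluded)."""
    parent = ipaddress.ip_network(network)
    return [(str(s), s.num_addresses - 2) for s in parent.subnets(new_prefix=new_prefix)]


def classify(ip: str) -> str:
    """Recognize a host's user group from its address prefix alone."""
    addr = ipaddress.IPv4Address(ip)
    for group, net in GROUP_SUBNETS.items():
        if addr in net:
            return group
    return "unassigned"


if __name__ == "__main__":
    print(split_address("192.146.118.20", 24))  # ('192.146.118.0', 20)
    print(split_address("192.146.118.20", 28))  # ('192.146.118.16', 4)
    for subnet, hosts in subnet_plan("192.146.118.0/24", 26):
        print(subnet, hosts, "usable hosts")
    print(classify("192.168.125.7"))  # executive users
```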
Subnetting Example
Advantages of Subnetting
Network Design - VLAN
A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches.
It provides a degree of security similar to subnetting: isolation, so that sensitive data is transmitted only to members of the VLAN.
Attacks on the switch that attempt to exploit vulnerabilities such as weak passwords or default accounts are common.
Network Design - Convergence
Convergence of voice and data traffic over a single IP network.
Two important convergence technologies: Voice over IP (VoIP) and IP telephony.
Benefits: cost savings, management, application development, infrastructure requirements, increased user productivity, increased security (only one network to manage).
Convergence - Vulnerability
Network Design - Demilitarized Zone (DMZ)
A separate network that sits outside the secure network perimeter.
Objectives
After completing this chapter you should be able to do the following:
Define network address translation and network access control
List the different types of network security devices and explain how they can be used
Network Technologies - Network Address Translation (NAT)
NAT hides the IP addresses of network devices from attackers.
Network Technologies - Network Access Control (NAC)
NAC examines the current state of a system or network device before it is allowed to connect to the network.
A specified set of criteria must be met, such as having the most current antivirus signature; if not, the device is only allowed to connect to a quarantine network where the security deficiencies are corrected.
After the problems are solved, the device is connected to the normal network. The goal is to prevent computers with suboptimal security from potentially infecting other computers through the network.
Network Access Control (NAC)
Objectives
After completing this chapter you should be able to do the following:
List the different types of network security devices and explain how they can be used
Network Security Devices - Firewall
A rule base establishes what action the firewall should take when it receives a packet. The options are: Allow, Block, Prompt.
Stateless packet filtering looks at the incoming packet and permits or denies it based strictly on the rule base.
Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base.
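The difference between stateless and stateful filtering, as an added example that is not taken from the slides: one constructed rule base (allow outbound HTTPS, prompt on outbound SSH, block all inbound) is applied first without and then with a connection table, so the reply to an internally initiated HTTPS request is blocked by the stateless filter but allowed by the stateful one. All addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = internal host to the Internet, "in" = the reverse

# Rule base, constructed for this example: (direction, destination port or None
# for any, action); first match wins. Actions are the slide's Allow/Block/Prompt.
RULES = [
    ("out", 443, "allow"),
    ("out", 22, "prompt"),
    ("in", None, "block"),
]

def stateless_filter(pkt: Packet) -> str:
    """Judge each packet strictly by the rule base, with no memory of earlier packets."""
    for direction, port, action in RULES:
        if pkt.direction == direction and (port is None or pkt.dport == port):
            return action
    return "block"  # nothing matched: deny by default

class StatefulFilter:
    """Same rule base, plus a connection table of sessions internal hosts opened."""
    def __init__(self) -> None:
        self.connections = set()  # (internal ip, internal port, external ip, external port)

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # A reply to a connection an internal host opened is accepted because
            # of the recorded state, even though the rule base blocks all inbound.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
                return "allow"
            return stateless_filter(pkt)
        action = stateless_filter(pkt)
        if action == "allow":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def compare() -> dict:
    """Run three constructed packets through both filters: name -> (stateless, stateful)."""
    internal, web, stranger = "192.168.50.10", "203.0.113.5", "198.51.100.7"
    packets = [("request", Packet(internal, 51000, web, 443, "out")),    # HTTPS request
               ("reply", Packet(web, 443, internal, 51000, "in")),       # server's answer
               ("unsolicited", Packet(stranger, 40000, internal, 445, "in"))]
    stateful = StatefulFilter()
    return {name: (stateless_filter(pkt), stateful.decide(pkt)) for name, pkt in packets}
```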
Firewall - Rules
Network Security Devices - Proxy Server
A computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.
A reverse proxy does not serve clients but instead routes incoming requests to the correct server. Requests for services are sent to the reverse proxy, which then forwards them to the server.
To the outside user, the IP address of the reverse proxy is the final IP address for requesting services, yet only the reverse proxy can access the internal servers.
Proxy Server
Network Security Devices - Honeypot
Draws attention away from legitimate servers.
Early warnings of new attacks.
Examine attacker techniques.
Types of honeypots: Production Honeypots and Research Honeypots.
Network Intrusion Detection System (IDS)
An intrusion detection system (IDS) attempts to identify inappropriate activity by comparing new behavior against normal or acceptable behavior and issuing an alert. Example functions of an IDS:
Configure the firewall to filter out the IP address of the intruder.
Launch a separate program to handle the event.
Save the packets in an evidence file for further analysis.
Send email, page, or a cell phone message to the network administrator.
Terminate the TCP session by forging a TCP FIN packet to force a connection to terminate.
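An added example, not from the slides, of the comparison the slide describes: a constructed baseline of per-minute connection counts defines normal behavior, new constructed connection records are compared against it, and each alert carries the response actions the slide lists. The threshold of mean plus three standard deviations is an assumption.

```python
from collections import Counter
import statistics

# Constructed baseline: outbound connection attempts per minute from an internal
# host during normal operation (what "acceptable behavior" looks like here).
NORMAL_PER_MINUTE = [3, 4, 2, 5, 3, 4, 3, 2]

# Constructed new traffic as (minute, src, dst, dport) records: one host behaving
# normally, one slightly busier than usual, and one contacting 40 hosts in a minute.
NEW_EVENTS = (
    [(0, "192.168.50.10", "203.0.113.5", 443)] * 2
    + [(1, "192.168.50.12", f"203.0.113.{i}", 443) for i in range(1, 7)]
    + [(1, "192.168.50.11", f"203.0.113.{i}", 445) for i in range(1, 41)]
)

# Responses the slide lists for an IDS once it raises an alert.
RESPONSES = [
    "configure the firewall to filter out the intruder's IP address",
    "save the packets in an evidence file for further analysis",
    "send email, page, or cell phone message to the administrator",
]

def learn_threshold(samples, k=3.0):
    """Define 'normal' as the mean plus k standard deviations of connections per minute
    (k = 3 is an assumption of this example)."""
    return statistics.mean(samples) + k * statistics.stdev(samples)

def detect(events, threshold):
    """Count connections per (minute, source) and alert on any count above the threshold."""
    counts = Counter((minute, src) for minute, src, _dst, _dport in events)
    alerts = []
    for (minute, src), n in sorted(counts.items()):
        if n > threshold:
            alerts.append({"minute": minute, "src": src, "connections": n,
                           "responses": RESPONSES})
    return alerts

def run():
    """Learn the baseline, then compare the new traffic against it."""
    return detect(NEW_EVENTS, learn_threshold(NORMAL_PER_MINUTE))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```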
Protocol Analyzers
Detect a potential intrusion by: detecting statistical anomalies; examining network traffic and looking for well-known patterns of attack, much like antivirus scanning; and protocol analyzer technology.
Protocol analyzers can fully decode application-layer network protocols, such as
Internet Content Filter
Integrated Network Security Hardware
Multipurpose security appliances provide multiple security functions, such as: antispam and antiphishing, antivirus and antispyware, bandwidth optimization, content filtering, encryption, firewall, and intrusion protection system.
Combining or integrating multipurpose security appliances with a traditional network device such as a switch or router creates integrated network security hardware.