Download - Part06 infrastructure security
3/7/2012
1
IT Falcuty – DaLat University
March - 2012
Network Defenses
Phan Thi Thanh Nga
Contents
A Defense-in-Depth Approach
Integrated Network Security Hardware
Protocol Analyzers
Applying Network Security Devices
Crafting a Security Network
Crafting a Security Network
Security through Network Design
Network segmentation/ Subnetting
Virtual LAN (VLAN)
Demilitarized Zone (DMZ)
Security through Network Technologies
Network Address Translation (NAT)
Network Access Control (NAC)
Security through Network Design
Subnetting
Instead of just having networks and hosts,
using subnetting, networks can essentially be
divided into three parts: network, subnet, and
host
Each network can contain several subnets
and each subnet connected through different
routers can contain multiple hosts
Security through Network Design (figure)
Security through Network Design
Advantages of subnetting (figure)
Security through Network Design
Subnetting: improve network security
Networks can be subnetted so that each
department, remote office, campus building,
floor in a building, or group of users can have
its own subnet address
Network administrators can utilize network
security tools to make it easier to regulate
who has access in and out of a particular
subnetwork
Security through Network Design
Subnetting: improve network security
Wireless subnetworks, research and
development subnetworks, finance
subnetworks, human resource subnetworks,
and subnetworks that face the Internet can all
be separate
The source of potential security issues can
be quickly addressed
Security through Network Design
Subnetting: improve network security
It allows network administrators to hide the
internal network layout
This can make it more difficult for attackers
to target their attacks.
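The subnetting slides above describe carving one network into per-department subnets and then regulating who may cross between them. The following Python script is an added example, not part of the lecture: the organisation range 10.20.0.0/16, the department names and the allowed-pairs policy are all constructed for illustration. It uses only the standard library `ipaddress` module.

```python
import ipaddress

# Constructed example (not from the slides): one /16 for the organisation,
# carved into one /24 per department in the order listed.
ORG_NET = ipaddress.ip_network("10.20.0.0/16")
DEPARTMENTS = ["finance", "hr", "rnd", "wireless", "internet-facing"]


def carve_subnets(org_net, names, new_prefix=24):
    """Give each named group its own subnet taken from org_net."""
    candidates = org_net.subnets(new_prefix=new_prefix)
    return {name: next(candidates) for name in names}


SUBNETS = carve_subnets(ORG_NET, DEPARTMENTS)

# Which subnet may initiate traffic to which (constructed policy).
# Anything not listed, and anything outside the allocated subnets, is denied.
ALLOWED_PAIRS = {
    ("hr", "finance"),
    ("rnd", "internet-facing"),
    ("wireless", "internet-facing"),
}


def locate(addr):
    """Return the department whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return None


def permitted(src, dst):
    """The access decision a router ACL between subnets would make."""
    s, d = locate(src), locate(dst)
    if s is None or d is None:
        return False          # unknown address: default deny
    if s == d:
        return True           # same subnet, no router in the path
    return (s, d) in ALLOWED_PAIRS


if __name__ == "__main__":
    for name, net in SUBNETS.items():
        print(f"{name:16} {net}")
    print(permitted("10.20.1.7", "10.20.0.5"))   # hr -> finance: allowed
    print(permitted("10.20.3.9", "10.20.0.5"))   # wireless -> finance: denied
```

The point of the `permitted` function is that the subnet boundary is also a policy boundary: a wireless client and a finance workstation are in the same /16 but cannot reach each other unless the pair is explicitly allowed.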
Security through Network Design
Virtual LAN (VLAN)
In most network environments, networks are
divided or segmented by using switches to
divide the network into a hierarchy.
Core switches reside at the top of the
hierarchy and carry traffic between switches,
while workgroup switches are connected
directly to the devices on the network
Security through Network Design (figure)
Security through Network Design
Virtual LAN (VLAN)
Grouping by user can sometimes be difficult
because all users may not be in the same
location and served by the same switch.
Segment a network by separating devices
into logical groups. This is known as creating
a virtual LAN (VLAN)
VLANs can be isolated so that sensitive data
is transmitted only to members of the VLAN
Security through Network Design
Virtual LAN (VLAN)
VLANs can also be victims of attacks
Because a VLAN is heavily dependent upon
the switch for correctly directing packets,
Security through Network Design
Demilitarized Zone (DMZ)
Devices that provide services to outside users
are most vulnerable to attack
If attackers are able to penetrate the security
of these servers, they may be able to access
devices on the internal LAN.
An additional level of security would be to
isolate these services in their own network.
Security through Network Design
Demilitarized Zone (DMZ)
A demilitarized zone (DMZ) is a separate
network that sits outside the secure network
perimeter
Outside users can access the DMZ but
cannot enter the secure network
Security through Network Design (figure)
Security through Network Design
Demilitarized Zone (DMZ): DMZ with
single firewall
A single firewall with three network interfaces
is used: the link to the Internet, the DMZ, and
the secure internal LAN
This makes the firewall device a single point
of failure for the network
The firewall device also takes care of all of the
traffic to both the DMZ and the internal network
Security through Network Design (figure)
Security through Network Technologies
Network Address Translation (NAT)
“You cannot attack what you cannot see” is
the security philosophy behind systems using
network address translation (NAT).
NAT hides the IP addresses of network
devices from attackers.
Security through Network Technologies
An attacker who captures the packet on the
Internet cannot determine the actual IP address
of the sender
Without that address, it is more difficult to
identify and attack a computer
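To make the "cannot attack what you cannot see" point concrete, here is an added Python model of the translation table kept by a NAT device doing port address translation (many private hosts behind one public address). It is not from the lecture; the public address 203.0.113.5, the private hosts and the remote servers are constructed values from documentation ranges. The table is keyed on the whole flow, so a packet from the Internet is only forwarded inward when an inside host opened that exact flow first.

```python
class PortAddressTranslator:
    """Constructed model of a NAT device (PAT/NAPT): many private hosts share
    one public address; the translation table is keyed on the full flow."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (priv_ip, priv_port, dst_ip, dst_port) -> public port used on the outside
        self.outbound_map = {}
        # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.inbound_map = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network.
        Returns the (src, sport, dst, dport) header as seen on the Internet."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if dst_ip != self.public_ip:
            return None
        target = self.inbound_map.get((dst_port, src_ip, src_port))
        if target is None:
            # No inside host opened this flow: the private address space stays
            # invisible and the packet is dropped.
            return None
        return (src_ip, src_port) + target


if __name__ == "__main__":
    nat = PortAddressTranslator("203.0.113.5")
    print(nat.outbound("192.168.1.10", 51234, "198.51.100.20", 80))
    print(nat.inbound("198.51.100.20", 80, "203.0.113.5", 40000))
    print(nat.inbound("198.51.100.99", 80, "203.0.113.5", 40000))  # dropped
```

Everything an outside observer sees is the public address and a port number; the private address 192.168.1.10 never appears on the wire, which is exactly the hiding effect the slide describes.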
Security through Network Technologies
Network Access Control (NAC)
NAC examines the current state of a system
or network device before it is allowed to
connect to the network
Any device that does not meet a specified set
of criteria, such as having the most current
antivirus signature or the software firewall
properly enabled, is only allowed to connect to
a "quarantine" network where the security
deficiencies are corrected
Security through Network Technologies (figure)
Security through Network Technologies
NAC process
The client performs a self-assessment using a
System Health Agent (SHA) to determine its
current security posture
The assessment, known as a Statement of
Health (SoH), is sent to a server called the
Health Registration Authority (HRA). This
server enforces the security policies of the
network. It also integrates with other external
authorities such as antivirus and patch
management servers in order to retrieve
current configuration information
Security through Network Technologies
NAC process
If the client is approved by the HRA, it is
issued a Health Certificate.
The Health Certificate is then presented to the
network servers to verify that the client's
security condition has been approved.
If the client is not approved, it is connected to
a quarantine VLAN where the deficiencies
are corrected, and then the computer is
allowed to connect to the network
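The NAC process on the last two slides (SHA self-assessment, SoH sent to the HRA, Health Certificate or quarantine, certificate checked by the network servers) is written out end to end in the Python script that follows. This is an added example and not code from the lecture or from any NAC product: the policy values, the host records and the shared key are constructed, and an HMAC over the certificate body stands in for the signature a real health certificate would carry.

```python
import hashlib
import hmac
import json

# Constructed policy and shared secret (not from the slides). In a real
# deployment the HRA would issue an X.509 health certificate; an HMAC
# stands in for that signature here.
POLICY = {
    "min_av_signature_date": "2012-03-01",   # ISO dates compare correctly as strings
    "firewall_enabled": True,
    "min_patch_level": 5,
}
HRA_KEY = b"constructed-demo-key"


def system_health_agent(host):
    """Client-side self-assessment: produce the Statement of Health (SoH)."""
    return {
        "host": host["name"],
        "av_signature_date": host["av_signature_date"],
        "firewall_enabled": host["firewall_enabled"],
        "patch_level": host["patch_level"],
    }


def sign(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class HealthRegistrationAuthority:
    def __init__(self, key, policy):
        self.key = key
        self.policy = policy

    def deficiencies(self, soh):
        """Compare the SoH against policy; return the names of the failing checks."""
        failed = []
        if soh["av_signature_date"] < self.policy["min_av_signature_date"]:
            failed.append("av_signature_date")
        if soh["firewall_enabled"] != self.policy["firewall_enabled"]:
            failed.append("firewall_enabled")
        if soh["patch_level"] < self.policy["min_patch_level"]:
            failed.append("patch_level")
        return failed

    def evaluate(self, soh, now):
        """Either issue a Health Certificate or send the client to quarantine."""
        failed = self.deficiencies(soh)
        if failed:
            return {"decision": "quarantine", "vlan": "quarantine", "fix": failed}
        body = {"host": soh["host"], "issued": now, "expires": now + 8 * 3600}
        return {"decision": "certificate", "cert": sign(self.key, body)}


def network_server_accepts(cert, key, now):
    """What a network server does when a client presents its Health Certificate."""
    payload = json.dumps(cert["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert["sig"]):
        return False                      # forged or tampered certificate
    return cert["body"]["issued"] <= now < cert["body"]["expires"]


def admission_flow(host, hra, now):
    """Run the whole NAC exchange for one client; returns the HRA decision."""
    return hra.evaluate(system_health_agent(host), now)


if __name__ == "__main__":
    hra = HealthRegistrationAuthority(HRA_KEY, POLICY)
    stale = {"name": "pc-02", "av_signature_date": "2012-01-15",
             "firewall_enabled": False, "patch_level": 7}
    print(admission_flow(stale, hra, 1331100000))   # quarantine, two deficiencies
```

Two details worth noticing: the certificate carries an expiry, so a host that was healthy this morning must re-attest later; and the servers verify the signature with a constant-time compare before trusting anything in the body.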
Security through Network Technologies
NAC
NAC can be an effective tool for identifying
and correcting systems that do not have
adequate security installed and preventing
these devices from infecting others.
Applying Network Security Devices
Firewall
Proxy Server
Honey pots
Network Intrusion Detection Systems
(NIDS)
Host and Network Intrusion Prevention
Systems (HIPS/NIPS)
Applying Network Security Devices
Firewall
A firewall is a hardware or software
component designed to protect one network
from another
Often, firewalls are deployed between a
private trusted network and a public untrusted
network (such as the Internet) or between two
networks that belong to the same organization
but are from different departments
Applying Network Security Devices
Firewall
Firewalls manage traffic using filters.
A filter is just a rule. If a packet meets the
identification criteria of a rule, then the action
of that rule is applied. If a packet doesn't meet
the criteria of a rule, then no action from that
rule is applied, and the next rule is checked.
Applying Network Security Devices
There are three basic types of
firewalls, plus an additional form
(stateful inspection) that combines the
features of the first three
Packet filter
Circuit-level gateway
Application-level gateway
Stateful inspection firewall
Firewall
Packet filter
A packet filter firewall filters traffic based on
basic identification items found in a network
packet’s header
Packet-filtering firewalls operate at the
Network layer (layer 3) of the OSI model
Firewall
Circuit-level gateway
A circuit-level gateway firewall filters traffic by
monitoring the activity within a session
between an internal trusted host and an
external untrusted host.
This monitoring occurs at the Session layer
(layer 5) of the OSI model
Firewall
Application-level gateway
Filters traffic based on user access, group
membership, the application or service used,
or even the type of resources being
transmitted.
This type of firewall operates at the
Application layer (layer 7) of the OSI model.
Firewall
Stateful inspection firewall
Combines features of the three basic firewall
types and includes the ability to understand
the context of communications across multiple
packets and across multiple layers.
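The rule-processing description ("first rule whose criteria match decides; otherwise check the next rule") and the difference between a packet filter and a stateful inspection firewall are easier to see in code than in prose. The Python below is an added example, not from the lecture: the `Packet` and `Rule` types, the inside range 10.0.0.0/8, the DMZ web server 203.0.113.10 and the ruleset are constructed. The packet filter judges each packet on its header alone; the stateful subclass keeps a connection table so that replies to a connection an inside host opened are accepted even though no rule permits inbound traffic to an ephemeral port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not a real parser)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN set: first packet of a new connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # CIDR; a bare address means a single host
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


class PacketFilter:
    """Stateless filter: rules are checked in order, the first match decides,
    and a packet matching no rule is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules, plus a connection table: once an inside host opens a
    connection that the rules allow, packets belonging to that connection
    in either direction are accepted."""

    def __init__(self, rules, inside):
        super().__init__(rules)
        self.inside = ipaddress.ip_network(inside)
        self.connections = set()    # (proto, src, sport, dst, dport) opened from inside

    def decide(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reverse in self.connections:
            return "allow"
        action = super().decide(pkt)
        opens = pkt.proto == "udp" or pkt.syn
        if action == "allow" and opens and ipaddress.ip_address(pkt.src) in self.inside:
            self.connections.add(flow)
        return action


# Constructed ruleset for a site with an inside LAN and one DMZ web server.
RULES = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),   # inside may browse HTTPS
    Rule("allow", dst="203.0.113.10", proto="tcp", dport=80),  # anyone may reach the DMZ web server
    Rule("deny"),                                              # explicit catch-all
]

if __name__ == "__main__":
    sf = StatefulFirewall(RULES, "10.0.0.0/8")
    out = Packet("10.0.0.5", "198.51.100.20", "tcp", 51000, 443, syn=True)
    reply = Packet("198.51.100.20", "10.0.0.5", "tcp", 443, 51000)
    print(sf.decide(reply), sf.decide(out), sf.decide(reply))   # deny allow allow
```

With a plain packet filter the reply to the inside host's HTTPS request is denied (no rule allows inbound traffic to port 51000), which is why stateless filters either need a permissive "established" rule or are replaced by stateful inspection.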
Firewall (figure)
Applying Network Security Devices
Proxy
A proxy server is a computer system (or an
application program) that intercepts internal
user requests and then processes those
requests on behalf of the user.
Similar to NAT, the goal of a proxy server is to
hide the IP address of client systems inside
the secure network.
Applying Network Security Devices
Reverse proxy
A reverse proxy does not serve clients but
instead routes incoming requests to the
correct server.
Requests for services are sent to the reverse
proxy, which then forwards them to the server.
To the outside user, the IP address of the
reverse proxy is the final IP address for
requesting services
Only the reverse proxy can access the
internal servers.
Applying Network Security Devices (figure)
Applying Network Security Devices
Honeypot
A honeypot is a computer typically located in
a DMZ
Loaded with software and data files that
appear to be authentic, yet they are actually
imitations of real data files.
Intended to trap or trick attackers
Applying Network Security Devices (figure)
Honeypot
There are three primary purposes of a
honeypot:
Deflect attention
• direct an attacker's attention away from legitimate
servers
• encourages attackers to spend their time and
energy on the decoy server
Early warnings of new attacks
Examine attacker techniques
Applying Network Security Devices
Network Intrusion Detection Systems
(NIDS)
Attempts to identify inappropriate activity
(same functionality as a burglar alarm system)
Host Intrusion Detection Systems (HIDS)
attempt to monitor and possibly prevent
attempts to attack a local system
A network intrusion detection system (NIDS)
watches for attempts to penetrate a network
Applying Network Security Devices (figure)
Applying Network Security Devices
Host and Network Intrusion Prevention
Systems (HIPS/NIPS)
Finds malicious traffic and deals with it immediately
Can block all incoming traffic on a specific port
HIPS: monitoring and intercepting requests in
order to prevent attacks.
NIPS: work to protect the entire network and
all devices that are connected to it.
Protocol Analyzers
There are three ways in which an
intrusion detection system or intrusion
prevention system can detect a
potential intrusion.
detect statistical anomalies.
examine network traffic and look for well-
known patterns of attack, much like antivirus
scanning.
• the pattern /cgi-bin/phf? usually indicates that an
attacker is attempting to access a vulnerable script
on a Web server.
Protocol Analyzers
Use protocol analyzer technology.
• Protocol analyzers can fully decode application-
layer network protocols
• Once these protocols are decoded, the different
parts of the protocol can be analyzed for any
suspicious behavior.
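The three detection approaches on the two slides above (statistical anomalies, well-known attack patterns, and protocol decoding) can all be run over the same input. The Python below is an added example rather than code from the lecture: it parses a handful of constructed web server access-log lines, matches the `/cgi-bin/phf?` pattern the lecture quotes as a signature, decodes each HTTP request line the way a protocol analyzer would and flags unexpected methods, and reports any source whose request count exceeds a constructed baseline. The log lines, the threshold and the alert names are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed web server access-log lines (not from the slides).
LOG_LINES = [
    '10.0.0.5 - - [07/Mar/2012:10:00:01 +0700] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Mar/2012:10:00:02 +0700] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210',
    '203.0.113.9 - - [07/Mar/2012:10:00:03 +0700] "GET /a.html HTTP/1.1" 200 100',
    '203.0.113.9 - - [07/Mar/2012:10:00:03 +0700] "GET /b.html HTTP/1.1" 200 100',
    '203.0.113.9 - - [07/Mar/2012:10:00:04 +0700] "GET /c.html HTTP/1.1" 200 100',
    '203.0.113.9 - - [07/Mar/2012:10:00:04 +0700] "GET /d.html HTTP/1.1" 200 100',
    '198.51.100.7 - - [07/Mar/2012:10:00:05 +0700] "FOO /admin HTTP/1.1" 400 0',
    '10.0.0.5 - - [07/Mar/2012:10:00:06 +0700] "GET /about.html HTTP/1.1" 200 300',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$')

# Signature list: the pattern quoted in the lecture, with a name for the alert.
SIGNATURES = {"phf-cgi-probe": "/cgi-bin/phf?"}

KNOWN_METHODS = {"GET", "HEAD", "POST"}   # what this decoder expects to see


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_request(req):
    """Protocol-analyzer step: split the HTTP request line into its fields."""
    parts = req.split(" ")
    if len(parts) != 3:
        return None
    method, target, version = parts
    return {"method": method, "target": target, "version": version}


def signature_alerts(entries):
    """Pattern matching against the raw request, much like antivirus scanning."""
    alerts = []
    for e in entries:
        for name, pattern in SIGNATURES.items():
            if pattern in e["req"]:
                alerts.append((e["src"], name))
    return alerts


def protocol_alerts(entries):
    """Decode the request line and flag what a well-formed client never sends."""
    alerts = []
    for e in entries:
        d = decode_request(e["req"])
        if d is None:
            alerts.append((e["src"], "malformed-request-line"))
        elif d["method"] not in KNOWN_METHODS:
            alerts.append((e["src"], "unexpected-method:" + d["method"]))
        elif not d["version"].startswith("HTTP/1."):
            alerts.append((e["src"], "unexpected-version:" + d["version"]))
    return alerts


def anomaly_alerts(entries, max_requests):
    """Statistical anomaly: a source sending more requests than the baseline allows."""
    counts = Counter(e["src"] for e in entries)
    return [(src, f"request-rate:{n}") for src, n in sorted(counts.items()) if n > max_requests]


def analyze(lines, max_requests=3):
    entries = [e for e in map(parse_line, lines) if e is not None]
    return {
        "signature": signature_alerts(entries),
        "protocol": protocol_alerts(entries),
        "anomaly": anomaly_alerts(entries, max_requests),
    }


if __name__ == "__main__":
    for kind, alerts in analyze(LOG_LINES).items():
        print(kind, alerts)
```

Each strategy catches something the others miss: the signature finds the known probe, the decoder finds the bogus method that matches no signature, and the counter finds the source that sent nothing unusual but sent too much of it.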
Integrated Network Security Hardware
Information can be protected either by
using software that runs on the device
that is being protected or by a separate
hardware device.
Software-only defenses are more often
limited to home computers
Most organizations use security
hardware appliances.
Integrated Network Security Hardware
Dedicated security appliances:
provide a single security service, such as
firewall or antivirus protection
more easily scale as needs increase.
Multipurpose security appliances:
provide multiple security functions, such as:
antispam and antiphishing, antivirus and
antispyware, bandwidth optimization, content
filtering, encryption, firewall, instant
messaging control, intrusion protection
system, web filtering
Integrated Network Security Hardware
Recent trend:
Combine or integrate multipurpose security
appliances with a traditional network device
such as a switch or router to create integrated
network security hardware.
Advantage: these network devices already
process every packet that flows across the
network.
A Defense-in-Depth Approach
Defense in depth increases security by
raising the cost of an attack.
This system places multiple barriers
between an attacker and your business
critical information resources: the
deeper an attacker tries to go, the
harder it gets
A Defense-in-Depth Approach
Defense-in-Depth Security Model (figure): layers Perimeter, Internal, Hosts, Applications, Data
Network Defenses
Network Segmentation
Access Points
Routers and Switches
Firewalls
Content Filtering
IDS / IPS
Remote Access
Event Management
Vulnerability Management
Network Segmentation (figure)
Network Access / Entry Points
Entry points into the network
infrastructure
Classify the access points
Develop a security risk profile for each
access point
Each access point presents a threat for
unauthorized and malicious access to
the network infrastructure.
Network Access Points (figure)
Routers and Switches
Typically responsible for transporting
data to all areas of the network
Sometimes overlooked as being able to
provide a defense layer
Capable of providing an efficient and
effective security role in a Defense-in-
Depth strategy
Simple Router & Switch Network (figure)
Firewalls
First defenses thought of when working on a
Defense-in-Depth strategy
Provide granular access controls for a
network infrastructure
Firewall Types:
Packet filtering
Proxy based
Stateful Inspection
Continuing to increase their role by
performing application layer defenses on the
network
Firewalls (figure)
Content Filtering
Protection of application and data content
being delivered across the network
Content filtering looks for:
Virus
File attachments
SPAM
Erroneous Web Surfing
Proprietary / Intellectual Property
Commonly used network protocols:
SMTP, HTTP, FTP, and instant messaging
Content Filtering (figure)
IDS / IPS
Detect malicious network traffic and
unauthorized computer usage
Detection Strategies
Signature-based
Anomaly-based
Heuristic-based
Behavioral-based
View of traffic from a single point
Similar technologies are applied at the
host and network layers
IDS / IPS (figure)
Remote Access
Identify all remote access points into
the network infrastructure.
Driven by the need to promote
business productivity
Expanding the perimeter
Requires strict access controls and
continuous activity monitoring
Remote Access (figure)
Security Event Management
The collection and correlation of events
from all devices attached to the network
infrastructure.
Provides insight into events which
would go unnoticed at other individual
defense layers
Provides automated alerts of suspicious
activity
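The claim that event management surfaces activity "which would go unnoticed at other individual defense layers" comes down to correlation across devices. The Python below is an added example, not from the lecture: the six events (firewall denies, a NIDS alert and host authentication failures) are constructed, and so are the window and the two-layer threshold. A source that only trips the firewall, or only a host log, raises nothing on its own; a source that appears in several layers within the window becomes one incident.

```python
from collections import defaultdict

# Constructed events from three defense layers: (timestamp_s, device, source_ip, message)
EVENTS = [
    (100, "firewall", "198.51.100.7", "deny tcp dport=22"),
    (130, "firewall", "198.51.100.7", "deny tcp dport=3389"),
    (160, "nids", "198.51.100.7", "port-scan"),
    (190, "host:srv-01", "198.51.100.7", "ssh auth failure"),
    (200, "firewall", "203.0.113.9", "deny tcp dport=22"),
    (900, "host:srv-02", "203.0.113.9", "ssh auth failure"),
]


def correlate(events, window_s=300, min_layers=2):
    """Group events by source address and raise an incident when a source is
    reported by at least min_layers distinct devices within window_s seconds."""
    by_src = defaultdict(list)
    for ts, device, src, msg in sorted(events):
        by_src[src].append((ts, device, msg))

    incidents = []
    for src, items in sorted(by_src.items()):
        # Slide a window over the source's events in time order.
        for i, (t0, _, _) in enumerate(items):
            in_window = [e for e in items[i:] if e[0] - t0 <= window_s]
            layers = {device for _, device, _ in in_window}
            if len(layers) >= min_layers:
                incidents.append({
                    "src": src,
                    "first_seen": t0,
                    "layers": sorted(layers),
                    "events": len(in_window),
                })
                break   # one incident per source is enough for an alert
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc)
```

The second source has a firewall deny and a host failure too, but 700 seconds apart; with the 300-second window it stays below the alert threshold, which is the kind of tuning decision the correlation rules of a real SIEM encode.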
Security Event Management (figure)
Vulnerability Management
Continuous process of assessing and
evaluating the network infrastructure
Multiple views / perspectives
Integration with Patch Management and
ticketing systems
Configuration & maintenance validation
Vulnerability Management (figure)
Additional Defenses
Connecting the Hosts & Network
Security Policies
Network Admission Control (NAC)
Authentication Services
Data Encryption
Patch Management
Application Layer Gateway
References
James Michael Stewart, Security+ Fast
Pass, Sybex, 2004
Mark Ciampa, Security+ Guide to Network
Security Fundamentals, Third Edition
Jason A. Wessel, Network Security: A
Defense-in-Depth Approach, AVP Security
Services, CADRE – Information Security
CEH v7, Module 16