Chapter 1: Network Device Configuration

Always remember: there is no 100 percent secure system, and there is nothing that is foolproof!

Outline
- Learn about the Security+ exam
- Learn basic terminology and the basic approaches associated with computer and information security
- Implement security configuration parameters on network devices
- Implement security configuration parameters on other technologies

(Title graphic taken from The Abdus Salam International Centre for Theoretical Physics.)

Security+ Exam: Changes in Requirements

CompTIA domain                              | % of exam in SY0-301 | % of exam in SY0-401
1.0 Network Security                        | 21%                  | 20%
2.0 Compliance and Operational Security     | 18%                  | 18%
3.0 Threats and Vulnerabilities             | 21%                  | 20%
4.0 Application, Data and Host Security     | 16%                  | 15%
5.0 Access Control and Identity Management  | 13%                  | 15%
6.0 Cryptography                            | 11%                  | 12%
Total                                       | 100%                 | 100%

Slide notes: site, apply credits, job, MCSx (MCSA, MCSE, etc.)

The CIA of Security
- Confidentiality: to ensure that only those individuals who have the authority to view a piece of information may do so
- Integrity: only authorized individuals should ever be able to change (or delete) information
- Availability: to ensure that the data, or the system itself, is available for use when the authorized user wants it

Protection
In the operational model, Protection = (the right-hand side of the formula is cut off in the transcription)

Security Principles
- Emphasis is placed on controlling access to internal computers from external entities
- Routers, authentication hardware and software, encryption
- Firewalls, intrusion detection systems (IDSs)

Issues
- Network environments: number of computers, applications, users, configurations, servers, architecture
- Physical security (Ch. 3)

Services in Networks
File, Authentication, Directory, Print, Mail, E-Commerce, Real-Time Communication, Application, Management, Proxy, Streaming Media, Mobile Communication, Content Management, Active Directory, FTP, Web

Least Privilege
- A user, application, or process should have only the necessary rights and privileges to perform its task
- Applicable to many physical environments as well as network and host security
- Operating systems and applications have different ways of implementing rights, permissions, and privileges
- A plan should be devised and standardized methods developed

Least Privilege: Implement a Hierarchy of Administrators
- Guest accounts
- General users
- Applications
- Lower-level system tasks (backup, developer, helpdesk)
- Top-level system administrators (sysadmins, netadmins)
Typical delegated tasks: backups of workstations and servers, setting up new user accounts, performing password management, managing switches and routers, trust relationships between domains, the security context of applications.

Least Privilege on Windows
- Admin Tools -> Local Security Settings -> software security policies defined for users
- Admin Tools -> Computer Management -> Local Users and Groups
- Don't run everything under the administrator account!

Layered Security
Every environment needs multiple layers of security: routers, firewalls, network segments, IDSs, encryption, authentication software, physical security, traffic control.

Layered Software Protection
- Firewalls
- A traditional scanner, such as antivirus, antimalware, and antispyware software
- A specialized web-scanning layer
- A behavior-monitoring layer
- The newest version of your favorite browser
- Network-based restrictions and user management software
- Data encryption software
- Online backup system

Diversity of Defense
- More firewalls: a demilitarized zone (DMZ), e.g. one firewall between the Internet and the DMZ, another between the DMZ and the internal network
- Filtering for FTP, SNMP, Telnet, SMTP, SSH, HTTP, SSL, etc.
- Use products from different vendors (Microsoft, Cisco, etc.); there are trade-offs

Security Through Obscurity
- The environment and protection mechanisms are confusing or supposedly not generally known
- Protecting something by hiding it (e.g. changing a port)
- Does not provide actual protection

KISS
Keep it simple, BUT!

Causes of Threats
Causes of network security threats:
- Technology weaknesses
- Configuration weaknesses
- Policy weaknesses
- Human error

Technology Weaknesses
- TCP/IP
- Operating systems
- Network equipment

Configuration Weaknesses
- Unsecured accounts
- System accounts with easily guessed passwords
- Misconfigured Internet services
- Unsecured default settings
- Misconfigured network equipment
- Trojan horse programs, vandals, viruses

Policy Weaknesses
- Lack of a written security policy
- Politics
- High turnover
- Concise access controls not applied
- Software and hardware installation and changes do not follow policy
- Nonexistent disaster recovery plan

Human Error
- Accident
- Ignorance
- Workload
- Dishonesty
- Impersonation
- Disgruntled employees
- Snoops
- Denial-of-service attacks

Network Devices
- Firewalls
- Routers/gateways
- Switches
- Load balancers
- Proxies
- Virtual private network (VPN) concentrators
(Figure: Internet -- Firewall -- Internal Network)

Features on a Firewall
- Direction control
- Service control
- User control
- Behavior control
- Auditing
- Network Address Translation (NAT)
- Port mapping

Network Address Translation
(Figure: internal hosts 192.168.10.1 and 192.168.10.2 sit behind the firewall, whose Internet-facing address is 131.107.2.200. Packet table: Source 192.168.10.1 is rewritten to 131.107.2.200; Destination 200.200.20.1.)

Port Mapping
(Figure: the firewall sits between the Internet and the internal network with hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3. Port mapping table: Source 131.107.2.200; Destination 200.200.20.1 mapped to 192.168.10.3; Port 80 mapped to 80.)

Routers
- Routers operate at the network layer
- Use the network address (typically an IP address) and utilize routing protocols to determine optimal routing paths
- Inspect packets from every communication, looking at the destination address
- Examine the header to determine the next hop
- Use algorithms and tables to determine where to send the packet
- It is also possible to examine the source address and determine whether or not to allow a packet to pass
- SNMP

Switches
- Switches originally operated at the data-link layer, with routing occurring at the network layer
- New breeds of switches can now switch at the network layer
- For intranets, switches have become what routers are on the Internet: the device of choice for connecting machines
- While moving the packets, it is possible to inspect the packet headers and enforce access control lists (a security function)
- They are intelligent network devices and are therefore subject to hijacking by hackers
- SNMP

Other Devices
- Load balancer: distributes the processing load over two or more systems
- Proxies: filter out undesirable traffic
- Web security gateways: address security threats and pitfalls unique to web-based traffic
- VPN: provides a secure communication channel between users across public networks
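As an added example (not from the lecture), a small Python model of the NAT and port-mapping features described on the two firewall slides, using the slide addresses. It assumes one firewall with public address 131.107.2.200, a static mapping of 131.107.2.200:80 to 192.168.10.3:80, 200.200.20.1 as the remote host, and dynamic outbound ports starting at 40000; the security point it shows is direction control, since unsolicited inbound packets never reach the private network.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    sport: int    # source port
    dst: str      # destination address
    dport: int    # destination port

class NatFirewall:
    """NAT as direction control: outbound flows create state; inbound traffic
    reaches the inside only via a known flow or a statically mapped port."""

    def __init__(self, public_ip, port_map, first_port=40000):
        self.public_ip = public_ip
        self.port_map = dict(port_map)   # (public ip, port) -> (inside ip, port)
        self.next_port = first_port      # assumed start of the dynamic port pool
        self.out_table = {}              # (in ip, in port, dst, dport) -> public port
        self.in_table = {}               # (public port, remote ip, remote port) -> (in ip, in port)

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the private source to the public address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:    # first packet of the flow: allocate a port
            self.out_table[key] = self.next_port
            self.in_table[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.out_table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> inside: port mapping first, then reply to a known flow; else drop (None)."""
        if pkt.dst != self.public_ip:
            return None
        mapped = self.port_map.get((pkt.dst, pkt.dport))
        if mapped is not None:
            return Packet(pkt.src, pkt.sport, mapped[0], mapped[1])
        inside = self.in_table.get((pkt.dport, pkt.src, pkt.sport))
        if inside is not None:
            return Packet(pkt.src, pkt.sport, inside[0], inside[1])
        return None                      # unsolicited: never reaches the private network

def demo():
    """Walks the NAT slide and the port-mapping slide scenarios."""
    fw = NatFirewall("131.107.2.200", {("131.107.2.200", 80): ("192.168.10.3", 80)})
    out = fw.outbound(Packet("192.168.10.1", 51000, "200.200.20.1", 443))
    reply = fw.inbound(Packet("200.200.20.1", 443, "131.107.2.200", out.sport))
    forwarded = fw.inbound(Packet("200.200.20.1", 33000, "131.107.2.200", 80))
    blocked = fw.inbound(Packet("200.200.20.1", 33000, "131.107.2.200", 22))
    return {"out": out, "reply": reply, "forwarded": forwarded, "blocked": blocked}
```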

Intrusion Detection Systems: Logical Setup
- A host-based IDS (HIDS) examines activity on an individual system, such as a mail server, web server, or individual PC. It is concerned only with an individual system and usually has no visibility into the activity on the network or systems around it.
- A network-based IDS (NIDS) examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.

Advantages of HIDSs
- They can be very operating-system specific and have more detailed signatures
- They can reduce false positive rates
- They can examine data after it has been decrypted
- They can be very application specific
- They can determine whether or not an alarm may impact that specific system

Disadvantages of HIDSs
- The IDS must have a process on every system you want to watch
- The IDS can have a high cost of ownership and maintenance
- The IDS uses local system resources
- The IDS has a very focused view and cannot relate to activity around it
- The IDS, if logged locally, could be compromised or disabled

Advantages of a NIDS
- It takes fewer systems to provide IDS coverage
- Deployment, maintenance, and upgrade costs are usually lower
- A network-based IDS has visibility into all network traffic and can correlate attacks among multiple systems

Disadvantages of a NIDS
- It is ineffective when traffic is encrypted
- It can't see traffic that does not cross it
- It must be able to handle high volumes of traffic
- It doesn't know about activity on the hosts themselves

Host-Based IPSs
- An active IDS (intrusion prevention system) contains all the same components and capabilities, with one critical exception: the active IDS can react to the activity it is analyzing
- Reactions: running a script to turn a process on or off, modifying file permissions, terminating the offending processes, logging off specific users, reconfiguring local capabilities to prevent specific users from logging in

Network-Based IPSs
- As in HIPSs, the active IDS can react to the activity it is analyzing
- The most common defensive capability for an active IDS is to send a TCP reset message; RST tells both sides of the connection to drop the session and stop communicating immediately
- There is one serious drawback: a reset message affects only the current session
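To make the reset drawback concrete, here is an added Python sketch (not from the lecture) of a signature-based active IDS that answers a match with a simulated TCP reset; it goes one step beyond the slide by also showing an address-level block, the usual way a deployment compensates for the reset only covering the current session. The flow records, the hosts, the signature string EVIL-SIG-TEST and the block_source option are all constructed for illustration.

```python
# Constructed sample flow: (session id, source ip, destination ip, dest port, payload).
# A session id stands in for one TCP connection (4-tuple plus connection instance).
SAMPLE_FLOW = [
    ("s1", "10.0.0.5", "192.168.10.3", 80, "GET /index.html"),
    ("s1", "10.0.0.5", "192.168.10.3", 80, "GET /?q=EVIL-SIG-TEST"),   # matches the signature
    ("s1", "10.0.0.5", "192.168.10.3", 80, "GET /next"),               # same session after the RST
    ("s2", "10.0.0.5", "192.168.10.3", 80, "GET /again"),              # brand-new session, same source
]
SIGNATURES = ("EVIL-SIG-TEST",)   # constructed signature, not a real rule

class ActiveIds:
    """Signature IDS that reacts to a match with a TCP reset to both sides.
    With block_source=False the reset ends only the matching session (the slide's
    drawback); with block_source=True the offending address stays blocked."""

    def __init__(self, signatures, block_source=False):
        self.signatures = signatures
        self.block_source = block_source
        self.reset_sessions = set()      # sessions already torn down by an RST
        self.blocked_sources = set()     # addresses blocked after a match
        self.alerts = []                 # (session, src, dst, dport) per detection

    def inspect(self, session, src, dst, dport, payload):
        if src in self.blocked_sources:
            return "blocked"             # address-level block survives the session
        if session in self.reset_sessions:
            return "dropped"             # RST already sent; endpoints dropped this session
        if any(sig in payload for sig in self.signatures):
            self.alerts.append((session, src, dst, dport))
            self.reset_sessions.add(session)   # simulated RST to both sides
            if self.block_source:
                self.blocked_sources.add(src)
            return "reset"
        return "allowed"

def run(flow, signatures, block_source=False):
    """Returns the verdict for each flow record in order."""
    ids = ActiveIds(signatures, block_source)
    return [ids.inspect(*record) for record in flow]
```

Without the block, the fourth record (a new session from the same source) is allowed again, which is exactly the drawback the slide describes.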

Network Analyzers/Protection Tools
- Protocol analyzers: capture and decode network traffic
- Spam filter: protection against unsolicited or undesired bulk electronic messages
- UTM security: an all-in-one solution (firewall, IDS/IPS, antivirus) that can also include VPN capabilities, anti-spam, malicious web traffic filtering, anti-spyware, content filtering, traffic shaping, and so on
- Web application firewall vs. network firewall
- Application-aware devices: content-level filtering, and hence capable of application-level monitoring

There is no 100 percent secure system, and there is nothing that is foolproof! Stay alert!