SEC220-Week 9.pptx
Seneca Polytechnic
Defense: Security Through Network Devices
- Security can be achieved through using the security features found in standard networking devices, as well as hardware designed primarily for security
© 2018 Cengage. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Standard Network Devices
- Standard network devices can be classified by the OSI layer at which they function
- The OSI model breaks networking tasks into seven layers; each layer has different networking steps and cooperates with adjacent layers
- Security functions of standard network devices can provide a degree of network security
- Improperly configured network devices can introduce vulnerabilities
- Some devices include: bridges, switches, routers, load balancers, proxies, firewalls…

Proxies (1 of 4)
- A proxy server acts as a gateway between you and the internet. It is an intermediary server separating end users from the websites they browse.
Proxies (2 of 4)
There are several types of proxies used in computer networking:
- Forward proxy - a computer or an application program that intercepts user requests from the internal network and processes that request on behalf of the user
- Application/multipurpose proxy - a special proxy server that “knows” the application protocols that it supports
- Reverse proxy - routes requests coming from an external network to the correct internal server
- Transparent proxy - does not require any configuration on the user’s computer

Proxies (3 of 4)
(diagram slide)

Proxies (4 of 4)
Advantages of proxy servers:
- Increased speed
- Reduced costs
- Improved management
- Stronger security

Network Security Hardware
- Specifically designed security hardware devices provide greater protection than standard networking devices
- Firewalls can be software-based or hardware-based; both types inspect packets and either accept or deny entry
- Hardware firewalls tend to be more expensive and more difficult to configure and manage
- Software firewalls running on a device provide protection to that device only
- All modern OSs include a software firewall, usually called a host-based firewall
Firewalls (1 of 3)
(diagram slide)

Firewalls (2 of 3)
(diagram slide)

Firewalls (3 of 3)
(diagram slide)

Network-Based Firewalls (1 of 2)
Methods of firewall packet filtering:
- Stateless packet filtering - inspects each incoming packet and permits or denies it based on conditions set by the administrator
- Stateful packet filtering - keeps a record of the state of a connection and makes decisions based on the connection and conditions
Firewall actions on a packet:
- Allow (let the packet pass through)
- Drop (prevent the packet from passing into the network and send no response to the sender)
- Reject (prevent the packet from passing into the network but send a message to the sender)
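The two filtering methods and the three actions above, worked through as an added example that is not part of the slides: a small rule-based filter in Python whose rules are processed in sequence (first match wins), run once statelessly and once with a connection table. The addresses, ports and policy are constructed for illustration.

```python
# Added illustration (not from the slides): a rule-based packet filter run in a
# stateless and a stateful mode; addresses, ports and the policy are constructed.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

ALLOW, DROP, REJECT = "allow", "drop", "reject"  # the three actions on a packet
Packet = namedtuple("Packet", "src sport dst dport")  # addresses as strings, ports as ints

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    dport: Optional[int]  # destination port, None = any port
    action: str           # ALLOW, DROP (silent) or REJECT (sender is told)

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def stateless_filter(p: Packet, rules: list, default: str = DROP) -> str:
    """Each rule is an instruction processed in sequence; the first match decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default  # nothing matched: apply the configured default

class StatefulFilter:
    """Keeps a record of allowed connections so that replies to them are let
    back in, even though no rule would match the reply packet on its own."""
    def __init__(self, rules: list):
        self.rules = rules
        self.connections = set()  # (src, sport, dst, dport) of allowed flows

    def filter(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return ALLOW  # reply to a connection this firewall already allowed
        action = stateless_filter(p, self.rules)
        if action == ALLOW:
            self.connections.add((p.src, p.sport, p.dst, p.dport))
        return action

RULES = [  # constructed policy for an internal 10.0.0.0/8 network
    Rule("10.0.0.0/8", "0.0.0.0/0", 443, ALLOW),  # internal hosts may reach HTTPS servers
    Rule("0.0.0.0/0", "10.0.0.0/8", 22, REJECT),  # tell outsiders SSH is closed
    Rule("0.0.0.0/0", "0.0.0.0/0", None, DROP),   # silently drop everything else
]
```

The stateless filter drops the HTTPS server's reply because no rule allows inbound traffic to an ephemeral port; the stateful filter lets it through because it recorded the outbound connection.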
Network-Based Firewalls (2 of 2)
Rule-based firewalls:
- Use a set of individual instructions to control actions
- Each rule is a separate instruction, processed in sequence, telling the firewall what action to take
- Rules are stored together in one or more text file(s) that are read when the firewall starts
- Rule-based systems are static in nature: they cannot do anything other than what they have been configured to do

Application-Based Firewalls
Application-aware firewalls:
- Operate at a higher level by identifying the applications that send packets through the firewall and making decisions about the actions to take
- Applications can be identified through: predefined application signatures, header inspection, payload analysis
Web application firewall:
- A special type of application-aware firewall that looks deeply into packets that carry HTTP traffic
- Can block specific sites or specific types of HTTP traffic

Virtual Private Network (VPN) (1 of 2)
- Virtual private network (VPN) - enables authorized users to use an unsecured public network as if it were a secure private network
- All data transmitted between the remote device and the network is encrypted
Types of VPNs:
- Remote-access VPN - a user-to-LAN connection
- Site-to-site VPN - multiple sites can connect to other sites over the Internet
- Always-on VPN - allows the user to always stay connected
Endpoints:
- The end of the tunnel between VPN devices
- May be software on the local computer or a VPN concentrator
Virtual Private Network (VPN) (2 of 2)
- VPN concentrator - a dedicated hardware device that aggregates hundreds or thousands of VPN connections
- When using a VPN, there are two options:
  - All traffic is sent to the VPN concentrator and protected (called a full tunnel)
  - Only some traffic is routed over the secure VPN, while other traffic directly accesses the Internet (called split tunneling)

Network Intrusion Detection and Prevention (1 of 5)
- Intrusion detection system (IDS) - can detect an attack as it occurs
- Inline IDS - connected directly to the network and monitors the flow of data as it occurs
- Passive IDS - connected to a port on a switch, which receives a copy of network traffic
IDS systems can be managed:
- In-band - through the network itself, by using network protocols and tools
- Out-of-band - using an independent and dedicated channel to reach the device
Network Intrusion Detection and Prevention (2 of 5)
Monitoring methodologies:
- Anomaly-based monitoring - compares current detected behavior with a baseline
- Signature-based monitoring - looks for well-known attack signature patterns
- Behavior-based monitoring - detects abnormal actions by processes or programs, and alerts the user, who decides whether to allow or block the activity
- Heuristic monitoring - uses experience-based techniques (code logic)

Network Intrusion Detection and Prevention (3 of 5)
Types of IDS - two basic types of IDS exist
Host intrusion detection system (HIDS):
- A software-based application that can detect an attack as it occurs
- Installed on each system needing protection
- Monitors: system calls and file system access; host input and output communications
- Can recognize unauthorized Registry modification
- Detects anomalous activity
Disadvantages of HIDS:
- Cannot monitor network traffic that does not reach the local system
- All log data is stored locally
- Resource-intensive and can slow the system
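To make the difference between signature-based and anomaly-based monitoring concrete, an added example (not from the slides) runs both over a constructed web-server log: the signature detector needs a known pattern, the anomaly detector only needs a baseline. The log format, the signature patterns, the baseline figures and the threshold are all assumptions.

```python
# Added illustration (not from the slides): signature-based and anomaly-based
# monitoring run over a constructed web-server log. The log format, the
# signature patterns, the baseline figures and the threshold are assumptions.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log: "timestamp client path user-agent", one request per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.1.1.5 /index.html browser/1.0
2024-05-01T10:00:02 10.1.1.7 /login browser/1.0
2024-05-01T10:00:03 10.1.1.5 /about.html browser/1.0
2024-05-01T10:00:04 10.1.1.7 /account browser/1.0
2024-05-01T10:00:05 10.1.1.9 /index.html constructed-scanner/0.1
2024-05-01T10:00:05 10.1.1.9 /about.html constructed-scanner/0.1
2024-05-01T10:00:05 10.1.1.9 /news.html constructed-scanner/0.1
2024-05-01T10:00:06 10.1.1.9 /static/../config browser/1.0
2024-05-01T10:00:06 10.1.1.9 /images/ constructed-scanner/0.1
"""

# Signature-based: well-known patterns, matched literally against each request.
SIGNATURES = [
    ("path traversal", re.compile(r"\.\./")),
    ("known scanner user-agent", re.compile(r"constructed-scanner/")),
]

# Anomaly-based: requests per client per minute observed during a quiet period
# (constructed baseline); anything well above this is "not normal".
BASELINE = [1, 2, 1, 2, 1, 2, 1, 2]

def parse(log: str) -> list:
    """Split each line into (timestamp, client, path, agent)."""
    return [tuple(line.split(" ", 3)) for line in log.splitlines() if line]

def signature_alerts(events: list) -> list:
    """Return (timestamp, client, signature name) for every matching request."""
    alerts = []
    for ts, client, path, agent in events:
        for name, pattern in SIGNATURES:
            if pattern.search(path) or pattern.search(agent):
                alerts.append((ts, client, name))
    return alerts

def anomaly_alerts(events: list, baseline: list, k: float = 3.0) -> list:
    """Flag clients whose request count exceeds baseline mean + k * stdev.
    No pattern is needed: only the deviation from the baseline matters."""
    threshold = mean(baseline) + k * pstdev(baseline)
    counts = Counter(client for _, client, _, _ in events)
    return [(client, n) for client, n in counts.items() if n > threshold]
```

Note that the burst from 10.1.1.9 would still be flagged by the anomaly detector if it used an unknown user-agent and clean paths, which is exactly the case the signature detector misses.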
Network Intrusion Detection and Prevention (4 of 5)
Network intrusion detection system (NIDS):
- Watches for attacks on the network
- NIDS sensors installed on firewalls and routers gather information and report back to a central device
- NIDS can sound an alarm and log events
Application-aware IDS:
- A specialized IDS that uses “contextual knowledge” in real time
- It can know the version of the OS or which application is running, as well as what vulnerabilities are present in the systems being protected

Intrusion Prevention Systems (IPSs) (5 of 5)
Intrusion prevention system (IPS):
- Monitors network traffic to immediately block a malicious attack
- Similar to a NIDS, but a NIPS is located “in line” on the firewall, which allows the NIPS to take action to block an attack more quickly
Application-aware IPS:
- Knows which applications are running as well as the underlying OS

Security and Information Event Management (SIEM) (1 of 3)
- A SIEM product consolidates real-time monitoring and management of security information, and analyzes and reports on security events
- A SIEM product can be: a separate device; software that runs on a computer; a service that is provided by a third party
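An added example (not from the slides) of what a SIEM does with the events it consolidates: two constructed feeds with different timestamp formats are aggregated, time-synchronised to UTC, deduplicated, and run through one correlation rule that triggers an alert. The hosts, log formats and the rule are assumptions.

```python
# Added illustration (not from the slides): a minimal SIEM pipeline (aggregate,
# synchronise time, deduplicate, correlate, alert). Feeds and rule are constructed.
from datetime import datetime, timedelta, timezone

VPN_LOG = [  # constructed feed from a VPN concentrator, ISO-8601 in UTC
    "2024-05-01T14:00:05Z vpn1 auth-fail src=198.51.100.7 user=alice",
    "2024-05-01T14:00:09Z vpn1 auth-fail src=198.51.100.7 user=alice",
    "2024-05-01T14:00:09Z vpn1 auth-fail src=198.51.100.7 user=alice",  # duplicate
    "2024-05-01T14:00:14Z vpn1 auth-fail src=198.51.100.7 user=alice",
]
DC_LOG = [  # constructed feed from a directory server, Apache-style local time
    "01/May/2024:10:00:20 dc1 auth-ok src=198.51.100.7 user=alice",
    "01/May/2024:10:02:00 dc1 auth-ok src=10.0.0.4 user=bob",
]
DC_TZ = timezone(timedelta(hours=-4))  # dc1's clock is UTC-4; vpn1 logs in UTC

def parse_event(line: str) -> dict:
    """Normalise one line to a dict with a timezone-aware UTC timestamp."""
    ts_raw, host, kind, *pairs = line.split()
    if ts_raw.endswith("Z"):
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    else:
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=DC_TZ)
    event = {"ts": ts.astimezone(timezone.utc), "host": host, "kind": kind}
    event.update(p.split("=", 1) for p in pairs)
    return event

def aggregate(*feeds) -> list:
    """Merge feeds into one time-ordered list, dropping exact duplicate events."""
    seen, events = set(), []
    for line in (l for feed in feeds for l in feed):
        ev = parse_event(line)
        key = tuple(sorted(ev.items()))
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events: list, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Rule: a login success preceded by >= threshold failures from the same source within the window."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "auth-ok":
            continue
        fails = [e for e in events[:i] if e["kind"] == "auth-fail"
                 and e["src"] == ev["src"] and ev["ts"] - e["ts"] <= window]
        if len(fails) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(fails), "at": ev["ts"]})
    return alerts
```

Without the time synchronisation step the dc1 success would appear four hours earlier than the vpn1 failures and the rule would never fire; without deduplication the failure count would be inflated.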
Security and Information Event Management (SIEM) (2 of 3)
(diagram slide)

Security and Information Event Management (SIEM) (3 of 3)
A SIEM typically has the following features:
- Aggregation
- Correlation
- Automated alerting and triggers
- Time synchronization
- Event duplication
- SIEM logs

Security Through Network Architecture
- The design of a network can provide a secure foundation for resisting attackers
- Elements of a secure network architectural design include: creating security zones; using network segregation

Security Zones
- A secure approach is to create zones to partition the network, so that certain users may enter one zone while access is prohibited to other users
- The most common security zones: demilitarized zones; using network address translation to create zones

Demilitarized Zone (DMZ)
- DMZ - a separate network located outside the secure network perimeter
- Untrusted outside users can access the DMZ but not the secure network
End