
Page 1: Chapter Overview

- Password Protection
- Security Models
- Firewalls
- Security Protocols

Page 2: Using Passwords

Passwords are the most common method of securing network resources. Passwords can be an effective security mechanism, or they can be useless, depending on how they are used. The strength of any password protection is based on the password policies that administrators set. Most operating systems include tools that allow administrators to impose password policies on users, such as

- Password length restrictions
- Password change intervals

Password policies are typically available in network operating systems that use a directory service to authenticate users and grant them access to network resources.

Page 3: Controlling User Account Password Settings

Page 4: Using the Windows 2000 Group Policy Interface

Page 5: Setting a Minimum Password Length

Page 6: Setting a Password Change Interval

Page 7: Enforcing Password Complexity

Page 8: Setting Account Lockout Policies
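Pages 5 through 8 show these settings in the Windows 2000 Group Policy screens. The following Python model is an added example, not code from the slides or from Windows: it enforces a minimum length, a complexity rule loosely modeled on the Windows "three of four character classes, no user name inside" requirement, and an account lockout threshold with a reset window and lockout duration. The policy values are constructed defaults, not Windows defaults.

```python
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    min_length: int = 8              # minimum password length
    lockout_threshold: int = 5       # failed logons before the account locks
    lockout_window: int = 30 * 60    # seconds; the failure counter resets after this
    lockout_duration: int = 30 * 60  # seconds the account stays locked

def meets_complexity(password: str, username: str) -> bool:
    """Loosely modeled on the Windows rule: 3 of 4 character classes, and no user name inside."""
    if username and username.lower() in password.lower():
        return False
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(classes) >= 3

def check_new_password(policy: PasswordPolicy, username: str, password: str) -> list:
    """Return the policy violations for a proposed password; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if not meets_complexity(password, username):
        problems.append("not complex enough")
    return problems

class LockoutTracker:
    """Account lockout: too many failed logons inside the window lock the account for a while."""
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.failures = {}      # username -> timestamps of recent failed logons
        self.locked_until = {}  # username -> time at which the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed logon at time `now`; return True if it triggered a lockout."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.policy.lockout_window]
        recent.append(now)
        if len(recent) >= self.policy.lockout_threshold:
            self.locked_until[user] = now + self.policy.lockout_duration
            self.failures[user] = []  # the counter starts over once the account is locked
            return True
        self.failures[user] = recent
        return False
```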

Page 9: Client/Server Networks

User accounts are stored in a central location. A user logs on to the network from a computer that transmits the user name and password to a server, which either grants or denies access to the network.

Account information can be stored in a centralized directory service or on individual servers.

A directory service, such as the Microsoft Windows 2000 Active Directory service or Novell Directory Services (NDS), provides authentication services for an entire network.

Page 10: Peer-to-Peer Networks

Each computer maintains its own security information and performs its own authentications.

Computers on this type of network can function as both clients and servers.

When a computer functioning as a client attempts to use resources (called shares) on another computer that is functioning as a server, the server itself authenticates the client before granting it access.

Page 11: Granting User Permissions

Page 12: Peer-to-Peer User-Level Security

When users log on to their computers, they are authenticated against an account on that system. If several people use the same computer, each must have a separate user account.

When users elsewhere on the network attempt to access server resources on that computer, they are also authenticated against the accounts on the computer that hosts the resources.

The user-level, peer-to-peer security model is suitable only for relatively small networks.

If users want to change their account passwords, they must change them on every computer on which they have an account.

Page 13: Client/Server User-Level Security

Administrators create user accounts in a directory service, such as Active Directory in Windows 2000 or a Microsoft Windows NT domain.

When users log on to their computers, the directory service authenticates them.

When you want to allow other network users to gain access to resources on your computer, you select their user accounts from a list provided by the domain controller.

With all accounts stored in a centralized directory service, administrators and users can make changes more easily.

Page 14: Peer-to-Peer Share-Level Security

Microsoft Windows Me, Microsoft Windows 98, and Microsoft Windows 95 cannot maintain their own user accounts.

In peer-to-peer mode, Windows Me, Windows 98, and Windows 95 operate by using share-level security.

In share-level security, users assign passwords to the individual shares they create on their computers.

When network users want to access a share on another computer, they must supply the appropriate password.

The share passwords are stored on the individual computers. When sharing drives, users can specify two different passwords to provide both read-only access and full control of the share.

Share-level security is not as flexible as user-level security and does not provide as much protection.

Page 15: Setting Share-Level Passwords

Page 16: What Is a Firewall?

A firewall is a hardware or software product designed to protect a network from unauthorized access.

A network connected to the Internet must have a firewall to protect it from Internet intruders.

A firewall is a barrier between two networks that evaluates all incoming or outgoing traffic to determine whether it should be permitted to pass to the other network.

Some firewalls are dedicated routers with additional software that monitors incoming and outgoing traffic.

Some firewalls are software products that run on a standard computer.

Page 17: Packet Filtering

The most basic type of firewall. Functions:

- Examines arriving packets
- Decides whether to allow the packets to gain access to the network, based on the information found in the protocol headers used to construct the packets

Page 18: Packet Filter Types

- Hardware addresses. Filter packets based on hardware addresses, enabling only certain computers to transmit data to the network
- IP addresses. Permit only traffic destined to or originating from specific addresses to pass through to the network
- Protocol identifiers. Filter packets based on the protocol that generated the information carried within an Internet Protocol (IP) datagram
- Port numbers. Filter packets based on the source or destination port number specified in a packet's transport layer protocol header
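The four filter types above can be combined in one rule set evaluated in order, first match wins. The following Python packet filter is an added example written for this page, not code from the slides or from any firewall product; the packets, the rule set and the network 192.0.2.0/24 (a documentation address range, with a management station at a documentation MAC address) are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    """Constructed packet summary holding only the header fields a packet filter inspects."""
    src_mac: str
    src_ip: str
    dst_ip: str
    protocol: str                   # IP header Protocol field: "tcp", "udp", "icmp"
    dst_port: Optional[int] = None  # transport-layer header destination port

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src_mac: Optional[str] = None   # hardware-address filter
    src_net: Optional[str] = None   # IP-address filters, in CIDR notation
    dst_net: Optional[str] = None
    protocol: Optional[str] = None  # protocol-identifier filter
    dst_port: Optional[int] = None  # port-number filter

    def matches(self, pkt: Packet) -> bool:
        """Every field set on the rule must match the packet; unset fields are wildcards."""
        if self.src_mac and self.src_mac.lower() != pkt.src_mac.lower():
            return False
        if self.src_net and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True

def filter_packet(rules: list, pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; a packet matching no rule gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set for a hypothetical perimeter filter in front of 192.0.2.0/24.
RULES = [
    Rule("deny", src_net="192.0.2.0/24"),  # arriving packets claiming an inside source are spoofed
    Rule("allow", protocol="tcp", dst_net="192.0.2.10/32", dst_port=80),  # public web server
    Rule("allow", protocol="udp", dst_net="192.0.2.53/32", dst_port=53),  # DNS server
    Rule("allow", src_mac="00:00:5e:00:53:01", dst_net="192.0.2.0/24"),  # management station only
]
```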

Page 19: NAT

NAT stands for network address translation. NAT is a network layer technique that protects the computers on your network from Internet intruders by masking their IP addresses.

NAT allows you to assign unregistered IP addresses to your computers.

The router that provides Internet access can use NAT. The NAT router functions as an intermediary between the private network and the Internet.

NAT is implemented in numerous firewall products, ranging from high-end routers used on large corporate networks to inexpensive Internet connection-sharing solutions.

Page 20: Proxy Servers

Proxy servers are similar to NAT routers, except that they function at the application layer of the Open Systems Interconnection (OSI) reference model.

A proxy server acts as an intermediary between the clients on a private network and the Internet resources they want to access.

Clients send their requests to the proxy server, which sends a duplicate request to the desired Internet server.

The Internet server replies to the proxy server, which relays the response to the client.

Proxy servers can cache the information they receive from the Internet.

Administrators can configure proxy servers to filter the traffic they receive, blocking users on the private network from accessing certain services.

The main problem with proxy servers is that you sometimes must configure applications to use them.

Page 21: Configuring a Proxy Server Client

Page 22: IPSec

IPSec stands for Internet Protocol Security. IPSec is a series of draft standards published by the Internet Engineering Task Force (IETF). IPSec defines a methodology that uses authentication and encryption to secure the data transmitted over a local area network (LAN).

IPSec consists of two separate protocols that provide different levels of security protection: IP Authentication Header (AH) and IP Encapsulating Security Payload (ESP).

Using the two protocols together provides the best possible security IPSec can offer.

Page 23: IP AH Protocol

AH provides authentication and guaranteed integrity of IP datagrams. AH adds an extra header, right after the IP header, to the datagrams generated by the transmitting computer.

When you use AH, the Protocol field in the IP header identifies the AH protocol, instead of the transport layer protocol contained in the datagram.

The AH header contains

- A sequence number that prevents unauthorized computers from replaying a message
- An integrity check value (ICV) that the receiving computer uses to verify that incoming packets have not been altered
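To show how the two AH fields work together, here is an added Python model written for this page, not code from the slides or from any IPSec implementation. It is deliberately simplified: the ICV is an HMAC-SHA256 over the IP header, the sequence number and the payload, and the receiver keeps a 32-packet anti-replay window; a real AH header also carries an SPI and a next-header field, and the key, IP header and payloads used in the test are constructed.

```python
import hashlib
import hmac
import struct

def ah_protect(key: bytes, seq: int, ip_header: bytes, payload: bytes) -> bytes:
    """Sender side: emit [sequence number (4 bytes) | ICV (32 bytes) | payload].

    The ICV is an HMAC over the IP header, the sequence number and the payload, so any
    change to them in transit is detected. (Simplified model: a real AH header also carries
    an SPI and a next-header field; only the two fields the slide names are kept here.)
    """
    seq_bytes = struct.pack("!I", seq)
    icv = hmac.new(key, ip_header + seq_bytes + payload, hashlib.sha256).digest()
    return seq_bytes + icv + payload

class AhReceiver:
    """Receiver side: verify the ICV, then reject replayed or too-old sequence numbers."""
    WINDOW = 32  # anti-replay window size, in sequence numbers

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest sequence number accepted so far
        self.seen = 0     # bitmask: bit i set means seq (highest - i) was already accepted

    def receive(self, ip_header: bytes, datagram: bytes):
        """Return the payload if authentic and fresh, otherwise None."""
        seq = struct.unpack("!I", datagram[:4])[0]
        icv, payload = datagram[4:36], datagram[36:]
        expected = hmac.new(self.key, ip_header + datagram[:4] + payload, hashlib.sha256).digest()
        # Check the ICV first so that forged packets cannot move the replay window.
        if not hmac.compare_digest(icv, expected):
            return None
        mask = (1 << self.WINDOW) - 1
        if seq > self.highest:  # newest packet so far: slide the window forward
            shift = seq - self.highest
            self.seen = 1 if shift >= self.WINDOW else ((self.seen << shift) | 1) & mask
            self.highest = seq
            return payload
        offset = self.highest - seq
        if offset >= self.WINDOW or (self.seen >> offset) & 1:
            return None  # older than the window, or already accepted: a replay
        self.seen |= 1 << offset
        return payload
```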

Page 24: IP ESP Protocol

- Provides datagram encryption
- Encapsulates the transport layer data in each datagram by using its own header and trailer
- Encrypts all of the data following the ESP header
- Also contains a sequence number and an ICV

Page 25: L2TP

L2TP stands for Layer 2 Tunneling Protocol. L2TP is derived from the Cisco Systems Layer 2 Forwarding protocol and the Microsoft Point-to-Point Tunneling Protocol (PPTP).

IPSec can operate in tunnel mode independently or with L2TP.

L2TP creates a tunnel by encapsulating Point-to-Point Protocol (PPP) frames inside User Datagram Protocol (UDP) packets.

Page 26: SSL

SSL stands for Secure Sockets Layer. SSL is a special-purpose security protocol that is designed to protect the data transmitted between Web servers and their client browsers.

Virtually all of the Web servers and browsers available today support SSL.

For example, when you access a secured site on the Internet to purchase a product with a credit card, your browser is probably using SSL to communicate with the server.

Like IPSec, SSL provides authentication and encryption services.

Page 27: Kerberos

Kerberos is an authentication protocol typically used by directory services, such as Active Directory, to provide users with a single network logon capability.

Kerberos was developed at the Massachusetts Institute of Technology and is now standardized by the IETF.

When a server running Kerberos (called an authentication server) authenticates a client, the server grants that client the credentials needed to access resources anywhere on the network.

Windows 2000 and other operating systems rely heavily on Kerberos to secure their client/server network exchanges.

Page 28: Chapter Summary

- Password policies ensure that users choose effective passwords.
- User-level security requires a separate account for each user.
- In share-level security, all users access shares by using the same passwords.
- A firewall is a hardware or software product that protects a network from unauthorized access, using techniques such as packet filtering, NAT, or proxy servers.
- Applications and operating systems use security protocols, such as IPSec, L2TP, SSL, and Kerberos, to protect their data as it is transmitted over the network.