1 Securing the Network Infrastructure


Objectives

Work with the network cable plant

Secure removable media

Harden network devices

Design network topologies

Working with the Network Cable Plant

Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment

Three types of transmission media: coaxial cables, twisted-pair cables, and fiber-optic cables

Coaxial Cables

Coaxial cable was main type of copper cabling used in computer networks for many years

Has a single copper wire at its center surrounded by insulation and shielding

Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding

Thick coaxial cable has a copper wire in center surrounded by a thick layer of insulation that is covered with braided metal shielding

Coaxial Cables (continued)

Thin coaxial cable looks similar to the cable that carries a cable TV signal

A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself

The copper mesh channel protects the core from interference

BNC connectors: connectors used on the ends of a thin coaxial cable

Coaxial Cables (continued)

Figure: cross-section of a coaxial cable, from the outside in: sheath, braided shielding, insulation (PVC, Teflon), conducting core

Twisted-Pair Cables

Standard for copper cabling used in computer networks today, replacing thin coaxial cable

Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference

Unshielded twisted-pair (UTP) cables do not have any shielding

Twisted-pair cables have RJ-45 connectors

Fiber-Optic Cables

Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal

Fiber-optic cable uses a very thin cylinder of glass (the core) at its center instead of copper; the core transmits light impulses

A glass tube (cladding) surrounds the core

The core and cladding are protected by a jacket

Fiber-Optic Cables (continued)

Classified by the diameter of the core and the diameter of the cladding

Diameters are measured in microns; a micron is about 1/25,000 of an inch, or one-millionth of a meter

Two types:

Single-mode fiber cables: used when data must be transmitted over long distances

Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes

Securing the Cable Plant

Securing cabling outside the protected network is not the primary security issue for most organizations

Focus is on protecting access to the cable plant in the internal network

An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will

Securing the Cable Plant (continued)

The attacker can capture packets as they travel through the network by sniffing; the hardware or software that performs this function is called a sniffer

Physical security is the first line of defense: it protects the equipment and infrastructure itself

Physical security has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it

Securing Removable Media

Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks

An employee copying data to a floppy disk or CD and carrying it home poses two risks:

The storage media could be lost or stolen, compromising the information

A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network

Magnetic Media

Record information by changing the magnetic direction of particles on a platter

Floppy disks were some of the first magnetic media developed

The capacity of today’s 3 1/2-inch disks is 1.4 MB

Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information

Magnetic tape drives record information in a serial fashion

Optical Media

Optical media use a principle for recording information different from magnetic media

A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero

Capacity of optical discs varies by type

A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data

Data cannot be changed once recorded

Optical Media (continued)

A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again

A Digital Versatile Disc (DVD) can store much larger amounts of data

DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc

Electronic Media

Electronic media use flash memory for storage

Flash memory is a solid-state storage device: everything is electronic, with no moving or mechanical parts

SmartMedia cards range in capacity

The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick

Electronic Media (continued)

CompactFlash card: consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell

Come in 33 mm and 55 mm thicknesses

USB memory stick is very popular

Can hold large amounts of data (64 GB and more)

Keeping Removable Media Secure

Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers

Hardening Network Devices

Each device that is connected to a network is a potential target of an attack and must be properly protected

Network devices to be hardened are categorized as:

Standard network devices

Communication devices

Network security devices

Hardening Standard Network Devices

A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router

This equipment has basic security features that you can use to harden the devices

Workstations and Servers

Workstation: personal computer attached to a network (also called a client)

Connected to a LAN and shares resources with other workstations and network equipment

Can be used independently of the network and can have its own applications installed

Server: computer on a network dedicated to managing and controlling the network

Switches and Routers

Switch: most commonly used in Ethernet LANs

Receives a packet from one network device and sends it to the destination device only

Limits the collision domain (the part of the network on which multiple devices may attempt to send packets simultaneously)

A switch is used within a single network

Routers connect two or more single networks to form a larger network

Switches and Routers (continued)

Switches and routers must also be protected against attacks

Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite

Software agents are loaded onto each network device to be managed

Each agent monitors network traffic and stores that information in its management information base (MIB)

A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs

Hardening Communication Devices

A second category of network devices are those that communicate over longer distances

Include: modems, remote access servers, telecom/PBX systems, and mobile devices

Modems

Most common communication device

Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher

Two popular broadband technologies:

Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines

Another broadband technology uses the local cable television system

Modems (continued)

A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home

Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic

Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate rather than by the minute of connect time, so the connection is usually left on all the time and the computer remains exposed to attack continuously

Remote Access Servers

Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)

Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network

Remote Access Servers (continued)

Remote access clients can run almost all network-based applications without modification

Possible because remote access technology supports both drive letters and universal naming convention (UNC) names

Telecom/PBX Systems

PBX is the term used to describe a Private Branch eXchange

The definition of a PBX comes from the words that make up its name: Private Branch eXchange

Mobile Devices

As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers

Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection

Hardening Network Security Devices

The final category of network devices includes those designed and used strictly to protect the network

Include: firewalls, intrusion-detection systems, and network monitoring and diagnostic devices

Firewalls

Typically used to filter packets

Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)

Typically located outside the network security perimeter as the first line of defense

Can be software or hardware configurations

Software firewall runs as a program on a local computer (sometimes known as a personal firewall)

Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer

One disadvantage of a software firewall is that it is only as strong as the operating system of the computer it runs on

Firewalls (continued)

Filter packets in one of two ways:

Stateless packet filtering: permits or denies each packet based strictly on the rule base

Stateful packet filtering: records the state of a connection between an internal computer and an external server; makes decisions based on the connection and the rule base

Can perform content filtering to block access to undesirable Web sites

An application layer firewall can defend against worms better than other kinds of firewalls

Reassembles and analyzes packet streams instead of examining individual packets
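The difference between stateless and stateful filtering is easiest to see on a concrete exchange. The following is an added example, not code from the slides or the textbook they come from: a two-rule rule base, a stateless filter that consults only that rule base, and a stateful filter that additionally remembers connections opened from inside. The packets, addresses, ports and rules are all constructed for the demonstration.

```python
"""Stateless versus stateful packet filtering on constructed packets.

Added example, not from the slides. A Packet carries its direction
("out" = internal -> external, "in" = external -> internal), addresses,
ports and the TCP SYN/ACK flags. The rule base and packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" or "in"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Rule base shared by both filters: first matching rule wins, default deny.
# Each rule: (direction, destination port or None for any port, action)
RULES = [
    ("out", 443, "permit"),   # internal clients may reach external HTTPS servers
    ("in", 25, "permit"),     # external mail servers may reach the internal mail server
]


def stateless_filter(packet, rules=RULES):
    """Decide on each packet strictly from the rule base."""
    for direction, port, action in rules:
        if packet.direction == direction and (port is None or packet.dport == port):
            return action
    return "deny"


class StatefulFilter:
    """Records connections opened from inside; replies to a recorded
    connection are permitted even though no inbound rule names their port."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.connections = set()   # (internal ip, internal port, external ip, external port)

    def decide(self, packet):
        if packet.direction == "in":
            key = (packet.dst, packet.dport, packet.src, packet.sport)
            if key in self.connections:
                return "permit"        # reply to a connection an internal host opened
        action = stateless_filter(packet, self.rules)
        if action == "permit" and packet.direction == "out" and packet.syn and not packet.ack:
            # A permitted outbound SYN opens a new connection: remember it.
            self.connections.add((packet.src, packet.sport, packet.dst, packet.dport))
        return action


def demo():
    """Constructed exchange: an internal client opens HTTPS to an external server,
    the server's SYN/ACK comes back, and an unrelated inbound probe also arrives."""
    out_syn = Packet("out", "10.0.0.5", 51000, "203.0.113.10", 443, syn=True)
    reply = Packet("in", "203.0.113.10", 443, "10.0.0.5", 51000, syn=True, ack=True)
    probe = Packet("in", "198.51.100.7", 40000, "10.0.0.5", 51000, syn=True)

    stateless = [stateless_filter(p) for p in (out_syn, reply, probe)]
    sf = StatefulFilter()
    stateful = [sf.decide(p) for p in (out_syn, reply, probe)]
    return stateless, stateful


if __name__ == "__main__":
    print(demo())   # (['permit', 'deny', 'deny'], ['permit', 'permit', 'deny'])
```

The stateless filter drops the server's reply because no inbound rule covers port 51000; to let replies through it would need a broad inbound rule for high ports, which would also admit the probe. The stateful filter permits the reply because it matches a recorded connection and still denies the probe, which matches none.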

Intrusion-Detection Systems (IDSs)

Devices that establish and maintain network security

Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source

Installed on the server or, in some instances, on all computers on the network

Passive IDS sends information about what happened, but does not take action

Intrusion-Detection Systems (IDSs) (continued)

Host-based IDS monitors critical operating system files and the computer’s processor activity and memory; scans event logs for signs of suspicious activity

Network-based IDS monitors all network traffic instead of only the activity on a computer

Typically located just behind the firewall

Other IDS systems are based on behavior: they watch network activity and report abnormal behavior

Result in many false alarms
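The two preceding slides describe a host-based IDS scanning event logs, the passive/active distinction, and the false-alarm problem of behavior-based detection. The following added example (not code from the slides or the textbook) puts those together: a small host-based detector that reads constructed sshd-style log lines, raises an alert when one source fails to log in several times within a short window, and in active mode also returns a block action. The log lines, threshold and window are constructed for the demonstration.

```python
"""Host-based IDS over constructed event-log lines, in passive and active mode.

Added example, not from the slides. The log lines are constructed (sshd-style
authentication messages with ISO timestamps). The rule flags a source that
fails to log in THRESHOLD or more times within WINDOW seconds. A passive IDS
only reports; an active IDS additionally returns an action for the source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one source fails four times in a few seconds,
# one legitimate user mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2
2024-05-01T10:00:03 sshd[2201]: Failed password for root from 198.51.100.7 port 40211 ssh2
2024-05-01T10:00:04 sshd[2201]: Failed password for root from 198.51.100.7 port 40212 ssh2
2024-05-01T10:00:06 sshd[2201]: Failed password for root from 198.51.100.7 port 40213 ssh2
2024-05-01T10:00:09 sshd[2205]: Accepted publickey for alice from 10.0.0.23 port 52110 ssh2
2024-05-01T10:00:15 sshd[2207]: Failed password for bob from 10.0.0.41 port 52200 ssh2
2024-05-01T10:02:30 sshd[2209]: Accepted password for bob from 10.0.0.41 port 52201 ssh2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port"
)

THRESHOLD = 3     # this many failures ...
WINDOW = 60       # ... within this many seconds raise an alert


def parse(line):
    """Return (timestamp, outcome, user, source) or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def run_ids(log_text, mode="passive"):
    """Return (alerts, actions). Alerts are produced in both modes;
    actions (here: a block request for the source) only in active mode."""
    recent = defaultdict(deque)   # source -> timestamps of its recent failures
    alerts, actions = [], []
    alerted = set()               # report each source once per run
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        ts, outcome, user, src = event
        if outcome != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        # Slide the window: forget failures older than WINDOW seconds.
        while q and (ts - q[0]).total_seconds() > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and src not in alerted:
            alerted.add(src)
            alerts.append(f"{ts.isoformat()} {len(q)} failed logins from {src} within {WINDOW}s")
            if mode == "active":
                actions.append(("block", src))
    return alerts, actions


if __name__ == "__main__":
    print(run_ids(SAMPLE_LOG, mode="passive"))
    print(run_ids(SAMPLE_LOG, mode="active"))
```

The threshold is where the false-alarm trade-off from the slide shows up: lowering it to 1 would flag bob's single typo as an attack, and an active IDS would then lock out a legitimate user, which is why active responses are usually reserved for high-confidence rules.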

Network Monitoring and Diagnostic Devices

SNMP enables network administrators to:

Monitor network performance

Find and solve network problems

Plan for network growth

Managed device: network device that contains an SNMP agent

Collects and stores management information and makes it available to SNMP
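The "Switches and Routers (continued)" slides say managed switches and routers must be protected against attacks, and this slide describes what an SNMP agent exposes. One hardening check a practitioner would run on both counts is an audit of device configurations for weak SNMP settings. The following is an added example, not code from the slides or the textbook: it scans constructed IOS-style configuration excerpts and flags SNMPv1/v2c community strings (which the slides do not discuss; the fact that v1/v2c send the community string in clear text and that SNMPv3 adds authentication and encryption is added here), well-known default community names, and read-write access. The hostnames, community names and PLACEHOLDER passphrases are constructed.

```python
"""Audit exported device configurations for weak SNMP settings.

Added example, not from the slides. The configs below are constructed
IOS-style excerpts. Findings are raised for SNMPv1/v2c communities (the
community string travels unencrypted), default community names, and
read-write (RW) communities, which let a holder of the string change
device settings rather than only read the MIB.
"""
import re

# Constructed sample: two switch configs as an administrator might export them.
SAMPLE_CONFIGS = {
    "switch-a": """\
hostname switch-a
snmp-server community public RO
snmp-server community private RW
""",
    "switch-b": """\
hostname switch-b
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha PLACEHOLDER priv aes 128 PLACEHOLDER
""",
}

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.IGNORECASE)


def audit_snmp(config_text):
    """Return a list of findings (strings) for one device configuration."""
    findings = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode = m.group(1), (m.group(2) or "RO").upper()
        # Any 'snmp-server community' line means SNMPv1/v2c is enabled.
        findings.append(f"v1/v2c community '{community}' configured ({mode})")
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community name '{community}' in use")
        if mode == "RW":
            findings.append(f"read-write access via community '{community}'")
    return findings


def audit_all(configs):
    """Map each device name to its findings; an empty list means nothing flagged."""
    return {name: audit_snmp(text) for name, text in configs.items()}


if __name__ == "__main__":
    for device, findings in audit_all(SAMPLE_CONFIGS).items():
        print(device, findings or "ok")
```

switch-b uses only an SNMPv3 user with authentication and privacy and produces no findings; switch-a produces five, the most serious being the read-write "private" community, which is the setting that turns a monitoring protocol into a management foothold.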

Designing Network Topologies

Topology: physical layout of the network devices, how they are interconnected, and how they communicate

Essential to establishing its security

Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users

Security Zones

One of the keys to mapping the topology of a network is to separate secure users from outsiders through:

Demilitarized Zones (DMZs)

Intranets

Extranets

Demilitarized Zones (DMZs)

Separate networks that sit outside the secure network perimeter

Outside users can access the DMZ, but cannot enter the secure network

For extra security, some networks use a DMZ with two firewalls

The types of servers that should be located in the DMZ include: Web servers, e-mail servers, remote access servers, and FTP servers

Intranets

Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users

Disadvantage is that it does not allow remote trusted users access to information

Extranets

Sometimes called a cross between the Internet and an intranet

Accessible to trusted external users, not only to trusted internal users

Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)

“You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems

Hides the IP addresses of network devices from attackers

Computers are assigned special IP addresses (known as private addresses)

These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network

Port address translation (PAT) is a variation of NAT

Each packet is given the same IP address, but a different TCP port number
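The following added example (not code from the slides or the textbook) models a PAT gateway with a single public address: outbound packets from hosts with private addresses are rewritten to the gateway's address and a fresh port, the mapping is remembered, and inbound packets are translated back only when they match a mapping. The private address blocks checked are those of RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), a detail added here that the slide does not list. All addresses and ports are constructed.

```python
"""Port address translation (PAT) on constructed packets.

Added example, not from the slides. The gateway owns one public address.
Outbound packets are rewritten to that address plus a fresh port, the
mapping is recorded, and inbound packets are translated back only if they
match a recorded mapping; anything else is dropped, which is the mechanism
behind "you cannot attack what you do not see".
"""
import ipaddress

# RFC 1918 private address blocks (added detail; the slide only says "private addresses").
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class PatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (private ip, private port, external ip, external port) -> public port
        self.reverse = {}    # (public port, external ip, external port) -> (private ip, private port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal -> external packet; returns its rewritten (source ip, source port)."""
        if not is_rfc1918(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            port = self.next_port        # allocate a new public port for this flow
            self.next_port += 1
            self.table[key] = port
            self.reverse[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.table[key]

    def inbound(self, src_ip, src_port, dst_port):
        """Translate an external -> internal packet; None means drop (no mapping exists)."""
        return self.reverse.get((dst_port, src_ip, src_port))


def demo():
    """Two internal hosts reach the same external web server from the same local port;
    replies find their way back by public port, an unsolicited probe finds no mapping."""
    gw = PatGateway("203.0.113.1")
    a = gw.outbound("192.168.1.10", 51000, "198.51.100.20", 443)
    b = gw.outbound("192.168.1.11", 51000, "198.51.100.20", 443)
    reply_a = gw.inbound("198.51.100.20", 443, a[1])
    reply_b = gw.inbound("198.51.100.20", 443, b[1])
    probe = gw.inbound("198.51.100.99", 12345, 40000)
    return a, b, reply_a, reply_b, probe


if __name__ == "__main__":
    print(demo())
```

Both internal hosts leave the gateway with the same public address and differ only in port, which is the "same IP address, different TCP port number" of the slide; the probe aimed at port 40000 from a different source is dropped because the reverse table is keyed on the external peer as well as the port.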

Honeypots

Computers located in a DMZ loaded with software and data files that appear to be authentic

Intended to trap or trick attackers

Two-fold purpose:

To direct an attacker’s attention away from real servers on the network

To examine techniques used by attackers

Virtual LANs (VLANs)

Segment a network with switches to divide the network into a hierarchy

Core switches reside at the top of the hierarchy and carry traffic between switches

Workgroup switches are connected directly to the devices on the network

Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Virtual LANs (VLANs) (continued)

Segment a network by grouping similar users together

Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Summary

Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)

Removable media used to store information include: magnetic storage (removable disks, hard drives), optical storage (CD and DVD), and electronic storage (USB memory sticks, flash cards)

Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers

A network’s topology plays a critical role in resisting attackers

Hiding the IP address of a network device can help disguise it so that an attacker cannot find it