5 - Network Defenses
Dr. John P. Abraham, Professor, UTPA
Introduction
- A common mistake in network security: attempting to patch vulnerabilities in a weak network that was poorly conceived and implemented from the start.
- Securing a network begins with the design of the network and includes secure network technologies.
Crafting a Secure Network
- Security through design: subnetting, VLANs, DMZ, etc.
- Security through network technologies: NAT, NAC, etc.
- Network security devices: firewall, proxy server, honeypot, NIDS, etc.
- Intrusion prevention systems

Security+ Guide to Network Security Fundamentals, Third Edition

Security through Network Design: Subnetting
- IP addresses are actually two addresses: one part is a network address and one part is a host address.
- Classful addressing: the split between the network and host portions of the IP address was originally set on the boundaries between the bytes.
- Subnetting (subnet addressing) allows an IP address to be split anywhere.
- Networks can then be divided into three parts: network, subnet, and host.

Subnetting: benefits
- Isolates organizational groups
- Decreases network traffic
- Improves troubleshooting
- Improves utilization of addresses
- Minimal impact on external routers
- Better organization
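The three-part split described above, worked through in code. This is an added example, not from the slides; it uses only the Python standard library and constructed addresses from the 172.16.0.0 class B block.

```python
# Added example (not from the slides): split an IPv4 address into its
# network, subnet and host parts, first at the classful byte boundary and
# then at an arbitrary subnetted boundary, using only the standard library.
import ipaddress

def classful_prefix(addr: str) -> int:
    """Default network prefix length for a classful (A/B/C) address."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        return 8       # class A: the first byte is the network
    if first_octet < 192:
        return 16      # class B: the first two bytes are the network
    return 24          # class C: the first three bytes are the network

def split_address(addr: str, prefix: int) -> dict:
    """Return the network, subnet and host portions of addr.

    The classful network part ends at a byte boundary; the bits between that
    boundary and the subnet prefix form the subnet ID; the rest is the host ID.
    """
    base = classful_prefix(addr)
    if not base <= prefix <= 30:
        raise ValueError("prefix must lie between the classful boundary and /30")
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    as_int = int(iface.ip)
    subnet_bits = prefix - base
    host_bits = 32 - prefix
    return {
        "network": as_int >> (32 - base),
        "subnet": (as_int >> host_bits) & ((1 << subnet_bits) - 1),
        "host": as_int & ((1 << host_bits) - 1),
        "subnet_bits": subnet_bits,
        "usable_hosts": (1 << host_bits) - 2,   # minus network and broadcast
        "network_address": str(iface.network.network_address),
    }

def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True when two hosts share a subnet and can reach each other without a router."""
    return (ipaddress.ip_interface(f"{a}/{prefix}").network
            == ipaddress.ip_interface(f"{b}/{prefix}").network)

if __name__ == "__main__":
    # Constructed addresses: a class B block 172.16.0.0 carved into /24 subnets.
    print(split_address("172.16.5.20", 16))   # classful: zero subnet bits
    print(split_address("172.16.5.20", 24))   # subnet 5, host 20, 254 usable
    print(same_subnet("172.16.5.20", "172.16.6.20", 24))   # False: isolated
```

Moving the boundary from /16 to /24 is what isolates 172.16.5.0 from 172.16.6.0: hosts in different subnets must go through a router, which is where filtering can be applied.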
VLAN (virtual LAN)
- Scattered individual units under the same organizational unit can be grouped together (a logical grouping rather than a physical one).
- In most network environments, networks are divided or segmented by using switches.
- A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches.
- Can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN.
Convergence technologies (VoIP, video, etc.): vulnerabilities
- Phones are affected when the underlying OS is attacked.
- VoIP protocols have very little built-in security.
- Lack of encryption for VoIP packets.
- Spam calls.

Demilitarized Zone (DMZ)
- Devices that provide services to outside users, such as email and web servers, are isolated in the DMZ.
- If a DMZ server is penetrated, the compromise is confined to that server rather than the LAN itself.
- DMZ example (diagram)
Network Address Translation (NAT)
- NAT hides the private IP addresses assigned to individual machines; a single public IP address, or a pool of them, is used for public visibility.
- Available private address ranges begin at 10.0.0.0, 172.16.0.0 and 192.168.0.0.
- The NAT device removes the sender's private IP address from the packet and replaces it with an alias. The NAT device keeps a table of the translation, and the process is reversed when a reply packet arrives.
- A variation is port address translation (PAT): each packet is given the same IP address but a different port number.

Security through Network Technologies: NAT
- Hides the IP addresses of network devices from attackers.
- Private addresses: IP addresses not assigned to any specific user or organization; they function as regular IP addresses on an internal network and are non-routable on the Internet.
- NAT removes the private IP address from the sender's packet and replaces it with an alias IP address; when a packet is returned to the NAT device, the process is reversed.
- An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender.
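The translation table and the reversal on return, as an added example (not from the slides): a small port address translation device in Python. The public and Internet addresses are constructed from documentation ranges; the internal hosts sit in 192.168.1.0/24.

```python
# Added example (not from the slides): a minimal port address translation
# (PAT) device.  Each outbound packet has its private source address and
# port replaced by the one public address and a freshly allocated port; the
# mapping is kept in a table so that replies can be translated back.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatDevice:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (private_ip, private_port) -> public_port
        self.reverse = {}    # public_port -> (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the private source with the public alias and record it."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:             # new flow: allocate a public port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; drop packets with no mapping.

        An unsolicited packet from the Internet has no table entry, so the
        device has no internal host to forward it to and discards it.
        """
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[pkt.dst_port]
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)

if __name__ == "__main__":
    # Constructed traffic: two hosts in 192.168.1.0/24 behind one public address.
    nat = PatDevice(public_ip="203.0.113.10")
    out = nat.outbound(Packet("192.168.1.5", 51000, "198.51.100.7", 80))
    print(out)        # source is now 203.0.113.10:40000
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", out.src_port))
    print(reply)      # destination restored to 192.168.1.5:51000
    print(nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 40999)))  # None
```

Note that two internal hosts using the same source port get different public ports, which is what lets one public address serve a whole LAN.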
Network Access Control (NAC)
- A special quarantined network area to which new devices or guests are allowed to connect; only after passing the required security checks are they allowed onto the LAN.
- Implementations: Cisco Network Admission Control, Microsoft Network Access Protection, Juniper Unified Access Control, Trusted Computing Group Trusted Network Connect.

Applying Network Security Devices
Devices include:
- Firewalls
- Proxy servers
- Honeypots
- Network intrusion detection systems
- Host and network intrusion prevention systems
- Protocol analyzers
- Internet content filters
- Integrated network security hardware

Firewall
- Filters data packets: a gatekeeper to the network.
- Rule based: allow, block, prompt.
- Stateful packet filtering: a packet is not allowed to pass to a client unless the client requested it from the server.
- Example packet-filtering rules (see Table 5-6, p. 167): source address = any, destination address = internal IP, port = 80.

Proxy Server
- Intercepts internal user requests and processes the request on behalf of the user; hides the IP address of the client system inside the secure network.
- When a request for a web page is made, the client actually contacts the proxy server, which checks whether that page exists in its cache.
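The rule-based filter and the stateful check from the Firewall slide, as an added example (not from the slides or the textbook's Table 5-6). The ruleset and addresses are constructed; 192.168.1.10 stands in for the internal web server.

```python
# Added example (not from the slides): a rule-based packet filter with a
# state table.  An outbound request that an ALLOW rule admits creates a
# connection entry; an inbound packet is admitted only if it is a reply to
# such an entry or is explicitly allowed by a rule, as the slide describes.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str        # "out" (LAN -> Internet) or "in" (Internet -> LAN)

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "block"
    direction: str        # "in", "out" or "any"
    src: str              # source IP or "any"
    dst: str              # destination IP or "any"
    port: Optional[int]   # destination port, None for any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.src in ("any", p.src_ip)
                and self.dst in ("any", p.dst_ip)
                and self.port in (None, p.dst_port))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules    # first matching rule wins
        self.state = set()    # (client_ip, client_port, server_ip, server_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            # A reply to a tracked outbound request is expected traffic.
            if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.state:
                return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return rule.action
        return "block"        # default deny when no rule matches

# Constructed ruleset in the spirit of Table 5-6: anyone may reach the internal
# web server 192.168.1.10 on port 80, LAN clients may browse, all else blocked.
RULES = [Rule("allow", "in", "any", "192.168.1.10", 80),
         Rule("allow", "out", "any", "any", 80),
         Rule("block", "any", "any", "any", None)]
```

Without the state table, the web server's reply to a browsing client (source port 80, arbitrary destination port) would match no allow rule and be dropped; with it, only replies to requests the client actually made get through.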
Honeypot
- Intended to trap attackers.
- A honeypot is a computer located in a DMZ that is loaded with software and data files that appear to be the real thing.
- Purposes: deflect attention, give early warning of new attacks, allow examination of attacker techniques.

Network Intrusion Detection Systems (NIDS)
- Watches for attempts to penetrate a network (see Table 5-9, p. 171).
- A NIDS looks for suspicious patterns.
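One concrete "suspicious pattern" check of the kind a NIDS runs, as an added example that is not from the slides: it flags a source that touches many distinct ports on one host within a short window. The log format and every address in it are constructed for the example.

```python
# Added example (not from the slides): a toy NIDS check for one suspicious
# pattern, a single source probing many distinct ports on one host within a
# short time window, run over a constructed connection log.
from collections import defaultdict

# Constructed log lines: "timestamp src_ip dst_ip dst_port"
LOG = """\
100 198.51.100.9 192.168.1.10 22
101 198.51.100.9 192.168.1.10 23
101 198.51.100.9 192.168.1.10 25
102 198.51.100.9 192.168.1.10 80
102 198.51.100.9 192.168.1.10 110
103 198.51.100.9 192.168.1.10 143
104 198.51.100.9 192.168.1.10 443
105 203.0.113.4 192.168.1.10 80
106 203.0.113.4 192.168.1.10 80
"""

def parse(log: str):
    """Yield (timestamp, src, dst, port) tuples from the log text."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield int(ts), src, dst, int(port)

def port_scan_alerts(log: str, window: int = 10, threshold: int = 5):
    """Return (src, dst, distinct_ports) for every source/destination pair
    that touches at least `threshold` distinct ports within `window` seconds.
    Repeated connections to the same port (normal web browsing) do not count.
    """
    events = defaultdict(list)      # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in parse(log):
        events[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # slide the window over time
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports)))
                break                           # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    print(port_scan_alerts(LOG))   # [('198.51.100.9', '192.168.1.10', 7)]
```

The second source in the log repeatedly fetches port 80 and raises no alert, which is the distinction a pattern rule has to make to keep false positives down.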