Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg

Chapter 10 Appendix
Security

Networking Concepts – Eric Vanderburg ©2005

Security
 Know

the costs

 Costs

due to loss of data
 Costs of downtime
 Cost of implementing security measures
 Physical

must be protected first
 Share oriented security (Win9x)
 User oriented security (Win2k, 2k3, XP)
Networking Concepts – Eric
Vanderburg ©2005

Security
 Securing

data

 Make

it safe from intruders
 Make sure damaged data can be replaced
 Plan

for network security

 Identify

threats
 Communicate with other managers in office
to make sure security system meets needs
(it is not only about IT & think of the users)
Vanderburg ©2005

Windows Security Features
 Kerberos
 PKI

(Public Key Infrastructure)
 Group Policy
 VPN (Virtual Private Network)
 IPSec (IP Security)

Vanderburg ©2005

Windows 2003
 CLR

(Command Language Runtime) –
reduces bugs that leave Windows vulnerable
by reducing the power of individual programs,
placing them under the control of the OS.
 IIS 6.0 – configured for maximum security by
default & disabled by default
 Unsecured clients cannot login – Windows 95,
and NT prior to SP4 cannot login to Windows
2003 domain by default; certificates and
encryption required by all clients
Vanderburg ©2005

Kerberos
 Authentication

Method (Win2k &2k3

default)
 Based on RFC 1510
 Uses Kerberos version 5
 Replaces NTLM (NT LAN Manager) &
NTLMv2 – still used with pre 2k clients

Vanderburg ©2005

Kerberos Components
KDC (Key Distribution Center)
 AS (Authentication Service)
 Verifies identity through AD
 Gives TGT (Ticket Granting Ticket) which gives access to certain
resources
 TGS (Ticket-Granting Service)
 Verifies TGT
 Creates a service ticket & session key for a resource based on
TGT. Client can present the service ticket to another server to
access it’s content.
NOTE: Servers have tickets too.
 Only services it’s own domain. Must refer to another TGS for
interdomain resource access (gives referral ticket)
 Server with the desired resource
 Client


Vanderburg ©2005

Items of Note
 Delegation

with Forwarding and Proxy For a server such as a database server
to access resources on your behalf.
(given proxy or forwarding ticket)
 NTP (Network Time Protocol) is used to
synchronize time between machines.
Keys are based on system time so all
must be the same.
Vanderburg ©2005

PKI
 Deploying

a PKI allows you to perform
tasks such as:
 Digitally

signing files (documents and
applications)
 Securing e-mail
 Enabling secure connections between
computers,
 Better user authentication (smart cards)
Vanderburg ©2005

Certificates




Digital certificates Electronic
credentials,
consisting of public
keys, which are used
to
sign and encrypt
data.
Certificate Vendors:
Entrust, Verisign

Vanderburg ©2005

Select CA Role

Certificates


Create certificate
templates so
subordinates can
issue certs

Certificate Template

Certificate Details
Vanderburg ©2005

Certificates
 CA

(Certification Authority)
Issues digital certificates. Form a
hierarchy
 Root CA
 Subordinate CA
Intermediate CA
Issuing CA
Rudimentary CA
restricted to issuing certain certs
Vanderburg ©2005

Certificates
Certificate policy and practice statements The two documents that
outline how the CA and its certificates are to be used, the degree of
trust that can be placed in these certificates, legal liabilities if the
trust is broken, and so on.
 Certificate repositories - Where certificates are stored and
published. (AD)
 CRL (Certificate Revocation List) - List of certificates that have been
revoked before reaching the scheduled expiration date
 CTL (Certificate Trust List) - The list of the certificates you trust. If
you trust a root, you trust all certs from that root.


Double click to see cert
View issued certs from
Certificates MMC
Vanderburg ©2005

Certificate Server Role







Publish certificates - The PKI administrator makes certificate
templates available to clients (users, services, applications, and
computers) and enables additional CAs to issue certificates.
Enroll clients - Users, services, or computers request and receive
certificates from an issuing CA or a Registration Authority (RA).
The CARA administrator or enrollment agent uses the
information provided to authenticate the identity of the requester
before issuing a certificate.
Publish CRL & CTL - Users need to know which certificates are
revokes and which servers are trusted by their CA.
Renew or revoke certificates

Vanderburg ©2005

Group Policy
AD Users & Computers MMC
Select your
group policy

Group Policy MMC

Edit as needed

Vanderburg ©2005

Group Policy

Properties

Double click
an item to edit
the properties
for it

Vanderburg ©2005

VPN
 Encapsulates

& encrypt one packet

inside another
 Server to Server - Connecting LANs
 Client to Server - Remote users &
Extranet

Vanderburg ©2005

VPN Protocols




L2TP (Layer 2 Tunneling Protocol)
 Encrypts with IPSec
 Works on many protocols (X.25, ATM, IP, Frame
Relay)
PPTP (Point to Point Tunneling Protocol)
 Encrypts with MPPE (Microsoft Point to Point
Encryption) - 40, 56, or 128bit
 Authenticates with PAP (Password Authentication
Protocol), CHAP (Challenge Handshake
Authentication Protocol), MSCHAP, or EAP
 Works only over IP
Vanderburg ©2005

VPN Advantages
 Distance

is not a concern
 More scalable - can adjust bandwidth to use
 Less reliant on expensive modem pools

Vanderburg ©2005

IPSec





Tunnel - encrypts the header and the payload of each
packet
Transport - encrypts the payload only.
All systems must be IPSec compliant
Encryption


Authentication Encryption





Data Encryption






SHA (Secure Hash Algorithm) - 160bit, high overhead.
MD5 (Message Digest 5) - 128bit
DES (Data Encryption Standard) 56bit
3DES (Triple DES) - high processor overhead
AES

IPv6 has IPSec built-in
Vanderburg ©2005

IPSec
 IPSec

filters specifies what type of traffic
will be accepted by a machine
 Permit

(unsecured packets sent)
 Request Security (Preference is IPSec
encrypted packets but plaintext is allowed)
 Require Security (Packets must be
encrypted)

Vanderburg ©2005

Security
 Firewalls
 IDS
 Honeypot
 Malicious

Code

 Wireless
A

“hardened” OS is
one that has been
made as secure as
possible Networking Concepts – Eric
Vanderburg ©2005

Hardware Firewalls
Screening Router - filters
packets & closes ports

Screened host - hardware
firewall filters packets & ports.
Bastion host does application
filtering. NAT or proxy
Multiple DMZ – each section has
its own set of firewalls and DMZ
separating it from the others

Screened Subnet/DMZ
(Demilitarized Zone) – put
external access machines in
between 2 firewalls

Vanderburg ©2005

Hardware requirements
 Storage

– large amounts of log files will
be present on this computer so there
must be a large amount of storage
 Processor – this computer will be
analyzing many packets
 2 NICs – must be able to connect the
outside with the inside

Vanderburg ©2005

Software Firewalls
 Most

are cumbersome to configure and control
 Inexpensive extra layer of protection
 Firewall places itself in between the NIC and
the TCP/IP stack
 Vendors
Windows Firewall (built-in)
 Novell Border Manager (built-in)
 Macintosh Firewall (built-in)
 Norton Internet Security
 BlackIce
 ZoneAlarm


Vanderburg ©2005

IDS (Intrusion Detection System)








NIDS (Network IDS) – analyzes network traffic
HIDS (Host IDS) – analyzes traffic sent only to its host
LIDS (Linux IDS) – Open source IDS for linux clients
or servers (http://www.lids.org/)
Looks at network or host traffic based on rules to
determine whether an attack is in progress
The IDS can be configured to respond accordingly ex:
close ports, ban IP addresses, alert admins, close
shares, disable accounts, ect..
Examples: snort

Vanderburg ©2005

Rules
 Rule

base – set of rules that tell the
firewall or IDS what action to take when
types of traffic flow through it.
 Should

be based on security policy

Vanderburg ©2005

Honeypot
A

lure for a hacker
 Wastes the hackers time
 Fake computer or network behind
security barriers
 Can be analyzed to view attack methods
and improve security. Identify what they
are after, what is their skill level, and
what tools they use.
Vanderburg ©2005

Malicious Code
Virus - self-replicating code segment which is be attached to an
executable. When the program is started, the virus code may also run. If
possible, the virus will replicate by attaching a copy of itself to another
file. A virus may also have an additional ``payload'' that runs when
specific conditions are met.
 Trojan horse - malicious code pretending to be a legitimate application.
The user believes they are running an innocent application when the
program is actually initiating its ulterior activities. Trojan horses do not
replicate.
 Worm - self-replicating program, does not require a host program,
creates a copy and causes it to execute; no user intervention is required.
Worms commonly utilize network services to propagate to other
computer systems
 Spyware - a program that secretly monitors your actions. Could be a
remote control program used by a hacker, or it could be used to gather
data about users for advertising, aggregation/research, or preliminary
information for an attack. Some spyware is configured to download other
programs on the computer.


Vanderburg ©2005

Viruses
 Implement

virus protection at these locations:

Workstation – protects a single computer by
scanning files from server or e-mail messages
 Server – scans data read from or written to
server; prevents virus from server spreading
throughout network
 Internet gateway – scans all Web browser,
FTP, and e-mail traffic; stops viruses before
they enter network. Do not infect those checking
your website


Vanderburg ©2005

Wireless Security
 Site

Survey - adjust location and range
so that wireless access extends only to
business borders
 Passwords should be changed and so
should WEP keys. WEP should be
enabled.
 Filter MACs
 Disable SSID broadcasting
Vanderburg ©2005

Auditing
 Records

certain actions for security and
troubleshooting
 Failed

access
 Granted access
 Should

use auditing sparingly – uses
resources & more is harder to utilize
effectively

Vanderburg ©2005

Enabling Auditing






Administrative Tools 
Local Security Policy
Local Policies  Audit
Policy.
Double-click the policy
that you want to enable or
disable.
Click the Success (An
audited security access
attempt that succeeds)
and Fail (audited
security access attempt
that fails)

Vanderburg ©2005

Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg (20)

More from Eric Vanderburg (20)

Recently uploaded (20)

Networking Concepts Lesson 10 part 2 - Security Appendix - Eric Vanderburg