3/7/2012

Network Defenses
IT Faculty – DaLat University
March - 2012

Contents
- Crafting a Security Network
- Applying Network Security Devices
- Protocol Analyzers
- Integrated Network Security Hardware
- A Defense-in-Depth Approach

Phan Thi Thanh Nga




Crafting a Security Network
- Security through Network Design
  • Network segmentation / Subnetting
  • Virtual LAN (VLAN)
  • Demilitarized Zone (DMZ)
- Security through Network Technologies
  • Network Address Translation (NAT)
  • Network Access Control (NAC)

Security through Network Design: Subnetting
- Instead of just having networks and hosts, using subnetting, networks can essentially be divided into three parts: network, subnet, and host.
- Each network can contain several subnets, and each subnet connected through different routers can contain multiple hosts.








Security through Network Design: Advantages of subnetting (figure)












Security through Network Design: Subnetting improves network security
- Networks can be subnetted so that each department, remote office, campus building, floor in a building, or group of users can have its own subnet address.
- Network administrators can utilize network security tools to make it easier to regulate who has access in and out of a particular subnetwork.
- Wireless subnetworks, research and development subnetworks, finance subnetworks, human resource subnetworks, and subnetworks that face the Internet can all be separate.
- Because each group sits in its own subnet, the source of a potential security issue can be quickly localized and addressed.
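A worked example of the segmentation policy these slides describe, added here for this page and not part of the original deck: a site range is carved into one subnet per group with Python's standard ipaddress module, and a small allow-list decides which subnet may originate traffic into which. The 10.20.0.0/16 range, the group names and the permitted flows are assumptions made up for the example.

```python
import ipaddress

# Constructed site range: one /16 for the whole campus (an assumption for
# this example; the original slides name no addresses).
SITE = ipaddress.ip_network("10.20.0.0/16")


def allocate_subnets(site, groups, new_prefix=24):
    """Give each named group its own block carved out of the site range,
    in the order listed, so the 'network, subnet, host' split is explicit."""
    blocks = site.subnets(new_prefix=new_prefix)
    return {name: next(blocks) for name in groups}


# One subnet per group, as the slide suggests (finance, HR, R&D, wireless,
# and the Internet-facing subnet).
SUBNETS = allocate_subnets(SITE, ["finance", "hr", "rnd", "wireless", "dmz"])

# Which subnet may originate traffic into which. Anything not listed is
# denied: a wireless client cannot reach finance even though both live in
# the same /16.
ALLOWED_FLOWS = {
    ("finance", "dmz"), ("hr", "dmz"), ("rnd", "dmz"), ("wireless", "dmz"),
    ("finance", "finance"), ("hr", "hr"), ("rnd", "rnd"),
}


def subnet_of(ip):
    """Name of the subnet an address belongs to, or None if the site
    does not own it (a spoofed or foreign source)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def flow_permitted(src_ip, dst_ip):
    """Boundary check a router ACL or firewall would make: is this
    subnet-to-subnet flow on the allow list?"""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst) in ALLOWED_FLOWS


def reachable_from(group):
    """Which subnets a given group may talk to: useful when auditing that a
    sensitive subnet (finance, HR) is not reachable from where it should not be."""
    return sorted(dst for src, dst in ALLOWED_FLOWS if src == group)


def sources_into(group):
    """The inverse view: who is allowed in to a given subnet."""
    return sorted(src for src, dst in ALLOWED_FLOWS if dst == group)
```

Real enforcement happens in router ACLs or firewall rules at the subnet boundaries; the point of the table is that a flow between two hosts in the same /16 is still denied unless that pair of subnets is explicitly listed, and that a source address the site does not own is rejected outright.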







Security through Network Design: Subnetting improves network security
- It allows network administrators to hide the internal network layout.
- This can make it more difficult for attackers to target their attacks.

Security through Network Design: Virtual LAN (VLAN)
- In most network environments, networks are divided or segmented by using switches to divide the network into a hierarchy.
- Core switches reside at the top of the hierarchy and carry traffic between switches, while workgroup switches are connected directly to the devices on the network.








Security through Network Design: Virtual LAN (VLAN)
- Grouping by user can sometimes be difficult because all users may not be in the same location and served by the same switch.
- Segment a network by separating devices into logical groups. This is known as creating a virtual LAN (VLAN).
- VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN.











Security through Network Design: Virtual LAN (VLAN)
- VLANs can also be victims of attacks.
- Because a VLAN is heavily dependent upon the switch for correctly directing packets,

Security through Network Design: Demilitarized Zone (DMZ)
- Devices that provide services to outside users are most vulnerable to attack.
- If attackers are able to penetrate the security of these servers, they may be able to access devices on the internal LAN.
- An additional level of security would be to isolate these services in their own network.








Security through Network Design: Demilitarized Zone (DMZ)
- A demilitarized zone (DMZ) is a separate network that sits outside the secure network perimeter.
- Outside users can access the DMZ but cannot enter the secure network.








Security through Network Design: DMZ with single firewall
- A single firewall with three network interfaces is used: the link to the Internet, the DMZ, and the secure internal LAN.
- This makes the firewall device a single point of failure for the network.
- The firewall device also has to handle all of the traffic to both the DMZ and the internal network.











Security through Network Technologies: Network Address Translation (NAT)
- “You cannot attack what you cannot see” is the security philosophy behind systems using network address translation (NAT).
- NAT hides the IP addresses of network devices from attackers.
- An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender.
- Without that address, it is more difficult to identify and attack a computer.
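As an added illustration (not from the original slides) of what NAT actually hides, here is a port-address translation table in Python: outbound packets leave with the NAT device's public address and a translated port, replies are mapped back by that port, and an inbound packet with no matching entry is dropped because there is no inside host to deliver it to. The addresses are documentation ranges chosen for the example.

```python
import itertools

# Documentation-range address chosen for the example (an assumption, not
# anything from the original slides).
PUBLIC_IP = "203.0.113.10"   # the NAT device's Internet-facing address


class Napt:
    """Port-address translation table. Only flows an inside host opened
    have an entry, so an unsolicited packet from the Internet has no inside
    destination: that is the mechanism behind "you cannot attack what you
    cannot see"."""

    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # translated source ports
        self.outbound = {}   # (inside_ip, inside_port) -> public_port
        self.inbound = {}    # public_port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network. Returns the header
        the Internet sees: the source is the NAT device, not the real host."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the Internet. Returns the header
        delivered inside, or None when there is no mapping to deliver to."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None   # unsolicited: dropped, the inside host stays invisible
        inside_ip, inside_port = self.inbound[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)


def demo():
    """An inside host browses out; the reply comes back; an outsider then
    probes the public address on a port nobody opened."""
    nat = Napt()
    seen_on_internet = nat.translate_outbound("192.168.1.20", 51234, "198.51.100.5", 80)
    reply = nat.translate_inbound("198.51.100.5", 80, *seen_on_internet[:2])
    probe = nat.translate_inbound("198.51.100.99", 4444, PUBLIC_IP, 22)
    return seen_on_internet, reply, probe
```

The protection is only as good as the absence of a mapping: a static port forward creates a permanent entry, and NAT does nothing about the contents of flows the inside host itself opened, which is why it is paired with a firewall rather than used instead of one.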





Security through Network Technologies: Network Access Control (NAC)
- NAC examines the current state of a system or network device before it is allowed to connect to the network.
- Any device that does not meet a specified set of criteria, such as having the most current antivirus signature or the software firewall properly enabled, is only allowed to connect to a "quarantine" network where the security deficiencies are corrected.






Security through Network Technologies: NAC process
- The client performs a self-assessment using a System Health Agent (SHA) to determine its current security posture.
- The assessment, known as a Statement of Health (SoH), is sent to a server called the Health Registration Authority (HRA). This server enforces the security policies of the network. It also integrates with other external authorities such as antivirus and patch management servers in order to retrieve current configuration information.
- If the client is approved by the HRA, it is issued a Health Certificate.
- The Health Certificate is then presented to the network servers to verify that the client's security condition has been approved.
- If the client is not approved, it is connected to a quarantine VLAN where the deficiencies are corrected, and then the computer is allowed to connect to the network.
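The SoH / HRA / Health Certificate exchange on these slides, as an added Python example (not code from the deck or from any NAC product): the agent builds a Statement of Health, the HRA checks it against policy and either issues an HMAC-signed certificate or sends the client to quarantine with the list of deficiencies, and a network server verifies the certificate before trusting it. The policy thresholds, the shared key and the one-hour lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import json
import time

# Policy the HRA enforces. The values are assumptions for this example: an
# antivirus signature date, a required host firewall, a minimum patch level.
POLICY = {"min_av_signature": 20120301, "firewall_required": True, "min_patch_level": 7}
HRA_KEY = b"example-hra-signing-key"   # shared with the servers that verify certificates
CERT_LIFETIME = 3600                   # seconds a Health Certificate stays valid


def statement_of_health(av_signature, firewall_enabled, patch_level):
    """What the client's System Health Agent reports about itself (SoH)."""
    return {"av_signature": av_signature, "firewall_enabled": firewall_enabled,
            "patch_level": patch_level}


def evaluate(soh, policy=POLICY):
    """HRA policy check. Returns the deficiencies; an empty list means compliant."""
    problems = []
    if soh["av_signature"] < policy["min_av_signature"]:
        problems.append("antivirus signature out of date")
    if policy["firewall_required"] and not soh["firewall_enabled"]:
        problems.append("host firewall disabled")
    if soh["patch_level"] < policy["min_patch_level"]:
        problems.append("missing patches")
    return problems


def _sign(body, key):
    """HMAC over a canonical encoding, so a server can check the HRA issued it."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def hra_decide(client_id, soh, now=None, key=HRA_KEY):
    """HRA decision: a signed Health Certificate on pass, otherwise the
    quarantine VLAN together with what has to be fixed before retrying."""
    problems = evaluate(soh)
    if problems:
        return {"vlan": "quarantine", "fix": problems}
    now = int(time.time()) if now is None else now
    body = {"client": client_id, "expires": now + CERT_LIFETIME}
    return {"vlan": "production", "cert": {"body": body, "sig": _sign(body, key)}}


def verify_health_certificate(cert, now=None, key=HRA_KEY):
    """What a network server does when a client presents its certificate:
    check the HRA's signature, then that it has not expired."""
    if not hmac.compare_digest(_sign(cert["body"], key), cert["sig"]):
        return False   # forged or tampered with
    now = time.time() if now is None else now
    return now < cert["body"]["expires"]
```

The certificate carries an expiry because the check is a snapshot: a client that was compliant an hour ago may have had its firewall switched off since, so servers should accept the certificate only for a bounded time and the agent should re-assess.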








Security through Network Technologies: NAC
- NAC can be an effective tool for identifying and correcting systems that do not have adequate security installed and preventing these devices from infecting others.








Applying Network Security Devices
- Firewall
- Proxy Server
- Honeypots
- Network Intrusion Detection Systems (NIDS)
- Host and Network Intrusion Prevention Systems (HIPS/NIPS)

Applying Network Security Devices: Firewall
- A firewall is a hardware or software component designed to protect one network from another.
- Often, firewalls are deployed between a private trusted network and a public untrusted network (such as the Internet) or between two networks that belong to the same organization but are from different departments.







Applying Network Security Devices: Firewall
- Firewalls manage traffic using filters.
- A filter is just a rule. If a packet meets the identification criteria of a rule, then the action of that rule is applied. If a packet doesn't meet the criteria of the rule, then no action from that rule is applied, and the next rule is checked.

Applying Network Security Devices: Firewall types
- There are three basic types of firewalls, plus an additional form (stateful inspection) that combines the features of the first three:
  • Packet filter
  • Circuit-level gateway
  • Application-level gateway
  • Stateful inspection firewall











Firewall: Packet filter
- A packet filter firewall filters traffic based on basic identification items found in a network packet's header.
- Packet-filtering firewalls operate at the Network layer (layer 3) of the OSI model.

Firewall: Circuit-level gateway
- A circuit-level gateway firewall filters traffic by monitoring the activity within a session between an internal trusted host and an external untrusted host.
- This monitoring occurs at the Session layer (layer 5) of the OSI model.








Firewall: Application-level gateway
- Filters traffic based on user access, group membership, the application or service used, or even the type of resources being transmitted.
- This type of firewall operates at the Application layer (layer 7) of the OSI model.

Firewall: Stateful inspection firewall
- Combines features of the three basic firewall types and includes the ability to understand the context of communications across multiple packets and across multiple layers.
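An added example (not from the original slides) combining two things the firewall slides describe: the first-match filter loop from the "a filter is just a rule" slide, and the stateful inspection idea that a firewall remembers which flows it has accepted. The ruleset is a constructed one for the single-firewall DMZ layout shown earlier, with 10.20.4.0/24 standing in for the DMZ and 10.20.0.0/16 for the internal LAN; the addresses and the rules are assumptions.

```python
import ipaddress
from collections import namedtuple

# A packet reduced to the header fields a filter looks at. `syn` marks a TCP
# flow opener.
Packet = namedtuple("Packet", "src dst proto sport dport syn")
# A rule: an action plus match criteria; None means "any".
Rule = namedtuple("Rule", "action src dst proto dport")


def rule(action, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None, dport=None):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


def matches(r, p):
    """Every criterion of the rule must hold for the packet."""
    return (ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and (r.proto is None or r.proto == p.proto)
            and (r.dport is None or r.dport == p.dport))


def packet_filter(rules, p):
    """The slide's filter loop: the first matching rule decides; when no
    rule matches, the packet is denied (default deny)."""
    for r in rules:
        if matches(r, p):
            return r.action
    return "deny"


# Constructed ruleset for the single-firewall DMZ layout: 10.20.4.0/24 stands
# in for the DMZ, 10.20.0.0/16 for the internal LAN (addresses are assumptions).
RULES = [
    rule("allow", dst="10.20.4.0/24", proto="tcp", dport=80),    # anyone -> DMZ web
    rule("allow", dst="10.20.4.0/24", proto="tcp", dport=443),
    rule("allow", src="10.20.0.0/16"),                           # LAN may go out
]


class StatefulFirewall:
    """Stateful inspection on top of the same rules: the rules decide only
    whether a new flow may start; later packets of an accepted flow, replies
    included, are recognised from the connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()   # established flows, stored in both directions

    def process(self, p):
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.table:
            return "allow"            # belongs to a conversation already accepted
        if p.proto == "tcp" and not p.syn:
            return "deny"             # claims to be mid-flow, but no such flow is known
        action = packet_filter(self.rules, p)
        if action == "allow":
            self.table.add(forward)
            self.table.add(reverse)
        return action
```

The reply packet is the interesting case: the stateless filter denies it (no rule allows inbound traffic to the LAN), while the stateful firewall allows it because the outbound SYN created a table entry; a packet that merely looks like a reply but was never preceded by an outbound flow is still denied. Real connection tables also time entries out and track TCP state transitions, which this sketch omits.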








Applying Network Security Devices: Proxy
- A proxy server is a computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.
- Similar to NAT, the goal of a proxy server is to hide the IP address of client systems inside the secure network.












Applying Network Security Devices: Reverse proxy
- A reverse proxy does not serve clients but instead routes incoming requests to the correct server.
- Requests for services are sent to the reverse proxy, which then forwards them to the server.
- To the outside user, the IP address of the reverse proxy is the final IP address for requesting services.
- Only the reverse proxy can access the internal servers.




Applying Network Security Devices: Honeypot
- A honeypot is a computer typically located in a DMZ.
- It is loaded with software and data files that appear to be authentic, yet they are actually imitations of real data files.
- It is intended to trap or trick attackers.








Honeypot
- There are three primary purposes of a honeypot:
  • Deflect attention: direct an attacker's attention away from legitimate servers and encourage attackers to spend their time and energy on the decoy server.
  • Early warnings of new attacks.
  • Examine attacker techniques.

Applying Network Security Devices: Network Intrusion Detection Systems (NIDS)
- Attempts to identify inappropriate activity (same functionality as a burglar alarm system).
- Host Intrusion Detection Systems (HIDS) attempt to monitor and possibly prevent attempts to attack a local system.
- A network intrusion detection system (NIDS) watches for attempts to penetrate a network.











Applying Network Security Devices: Host and Network Intrusion Prevention Systems (HIPS/NIPS)
- Finds malicious traffic and deals with it immediately, for example by blocking all incoming traffic on a specific port.
- HIPS: monitoring and intercepting requests on the host in order to prevent attacks.
- NIPS: work to protect the entire network and all devices that are connected to it.








Protocol Analyzers
- There are three ways in which an intrusion detection system or intrusion prevention system can detect a potential intrusion:
  • Detect statistical anomalies.
  • Examine network traffic and look for well-known patterns of attack, much like antivirus scanning. For example, the pattern /cgi-bin/phf? usually indicates that an attacker is attempting to access a vulnerable script on a Web server.





Protocol Analyzers
  • Use protocol analyzer technology. Protocol analyzers can fully decode application-layer network protocols. Once these protocols are decoded, the different parts of the protocol can be analyzed for any suspicious behavior.
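The three detection methods on these slides, run over a handful of constructed web-server log lines (an added Python example, not from the deck): a signature list that includes the /cgi-bin/phf? pattern the slide mentions, a statistical check on each client's error rate, and a decode of the HTTP request line that flags a method the protocol does not define. The log lines, addresses and thresholds are made up for the example.

```python
import re
from collections import Counter

# Constructed web-server access lines (client, request line, status); the
# addresses and requests are made up for the example.
LOG = """\
198.51.100.7 "GET /index.html HTTP/1.1" 200
198.51.100.7 "GET /images/logo.png HTTP/1.1" 200
203.0.113.42 "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404
203.0.113.42 "GET /cgi-bin/test-cgi HTTP/1.0" 404
203.0.113.42 "GET /admin/ HTTP/1.0" 403
203.0.113.42 "GET /backup.zip HTTP/1.0" 404
203.0.113.42 "GET /.git/config HTTP/1.0" 404
198.51.100.9 "FOO /index.html HTTP/1.1" 400
"""

LINE = re.compile(r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})$')


def parse(log):
    """Decode each line into its fields; lines that do not fit are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            events.append(e)
    return events


# 1) Signature matching: patterns known to mean an attack, much like
# antivirus scanning. The first is the slide's /cgi-bin/phf? example.
SIGNATURES = {
    "phf-cgi": re.compile(r"/cgi-bin/phf\?"),
    "passwd-fetch": re.compile(r"/etc/passwd"),
    "git-exposure": re.compile(r"/\.git/"),
}


def signature_hits(events):
    return [(e["ip"], name) for e in events
            for name, pat in SIGNATURES.items() if pat.search(e["path"])]


# 2) Statistical anomaly: a client whose error rate is far above what normal
# browsing produces (someone probing for files that are not there).
def anomaly_hits(events, max_error_ratio=0.5, min_requests=3):
    total, errors = Counter(), Counter()
    for e in events:
        total[e["ip"]] += 1
        if e["status"] >= 400:
            errors[e["ip"]] += 1
    return sorted(ip for ip in total
                  if total[ip] >= min_requests and errors[ip] / total[ip] > max_error_ratio)


# 3) Protocol analysis: decode the request and flag what HTTP itself does
# not define, regardless of whether any signature is known for it.
def protocol_hits(events, allowed_methods=("GET", "HEAD", "POST")):
    return [(e["ip"], e["method"]) for e in events if e["method"] not in allowed_methods]
```

The three methods catch different things on the same input: the signatures fire only on the probes someone has already written a pattern for, the anomaly check flags the scanning client even for the requests that matched no signature, and the protocol check catches the malformed request from a third client that neither of the others would notice.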












Integrated Network Security Hardware
- Information can be protected either by using software that runs on the device that is being protected or by a separate hardware device.
- Software-only defenses are more often limited to home computers.
- Most organizations use security hardware appliances.

Integrated Network Security Hardware
- Dedicated security appliances:
  • provide a single security service, such as firewall or antivirus protection
  • more easily scale as needs increase
- Multipurpose security appliances:
  • provide multiple security functions, such as: antispam and antiphishing, antivirus and antispyware, bandwidth optimization, content filtering, encryption, firewall, instant messaging control, intrusion protection system, web filtering




Integrated Network Security Hardware
- Recent trend: combine or integrate multipurpose security appliances with a traditional network device such as a switch or router to create integrated network security hardware.
- Advantage: these network devices already process every packet that flows across the network.








A Defense-in-Depth Approach
- Defense in depth increases security by raising the cost of an attack.
- This system places multiple barriers between an attacker and your business-critical information resources: the deeper an attacker tries to go, the harder it gets.

A Defense-in-Depth Approach: Defense-in-Depth Security Model (figure listing the layers: Data, Applications, Hosts, Internal, Perimeter)












Network Defenses
- Network Segmentation
- Access Points
- Routers and Switches
- Firewalls
- Content Filtering
- IDS / IPS
- Remote Access
- Event Management
- Vulnerability Management

Network Segmentation (figure)




Network Access / Entry Points
- Entry points into the network infrastructure.
- Classify the access points.
- Develop a security risk profile for each access point.
- Each access point presents a threat for unauthorized and malicious access to the network infrastructure.

Network Access Points (figure)






Routers and Switches
- Typically responsible for transporting data to all areas of the network.
- Sometimes overlooked as being able to provide a defense layer.
- Capable of providing an efficient and effective security role in a Defense-in-Depth strategy.

Simple Router & Switch Network (figure)












Firewalls
- First defenses thought of when working on a Defense-in-Depth strategy.
- Provide granular access controls for a network infrastructure.
- Firewall types:
  • Packet filtering
  • Proxy based
  • Stateful inspection
- Continuing to increase their role by performing application-layer defenses on the network.





Content Filtering
- Protection of application and data content being delivered across the network.
- Content filtering looks for:
  • Viruses
  • File attachments
  • Spam
  • Erroneous web surfing
  • Proprietary / intellectual property
- Commonly used network protocols: SMTP, HTTP, FTP, and instant messaging.




IDS / IPS
- Detect malicious network traffic and unauthorized computer usage
- Detection strategies:
  - Signature-based
  - Anomaly-based
  - Heuristic-based
  - Behavioral-based
- View of traffic from a single point
- Similar technologies are applied at the host and network layers

IDS / IPS (second slide: figure only, no text extracted)
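As an added illustration of the first two detection strategies, signature-based and anomaly-based, here is a small detector run over constructed web-access records; this is not code from the slides, and the signatures, thresholds and records are assumptions made for the example (heuristic- and behavioral-based detection are not shown).

```python
"""Signature-based and anomaly-based detection over constructed access records.

Added example. Each record is (seconds since start, source IP, requested path); none
of the data is real.
"""
import re
import statistics
from collections import Counter

# Normal traffic used to learn a baseline (constructed).
BASELINE_LOG = [
    (1, "10.0.0.11", "/index.html"), (8, "10.0.0.11", "/about.html"), (20, "10.0.0.11", "/news"),
    (3, "10.0.0.12", "/index.html"), (15, "10.0.0.12", "/contact"),
    (5, "10.0.0.13", "/index.html"), (9, "10.0.0.13", "/news"),
    (30, "10.0.0.13", "/faq"), (50, "10.0.0.13", "/about.html"),
    (70, "10.0.0.11", "/news"), (75, "10.0.0.11", "/faq"),
    (65, "10.0.0.12", "/index.html"), (80, "10.0.0.12", "/news"), (95, "10.0.0.12", "/faq"),
    (72, "10.0.0.13", "/contact"), (100, "10.0.0.13", "/news"), (110, "10.0.0.13", "/index.html"),
]

# Traffic to inspect (constructed): one normal browser, one request carrying a
# known-bad pattern, and one source issuing twelve requests in twelve seconds.
LIVE_LOG = [
    (1, "10.0.0.11", "/index.html"), (12, "10.0.0.11", "/news"), (40, "10.0.0.11", "/faq"),
    (10, "198.51.100.9", "/images/../../etc/passwd"),
] + [(20 + i, "203.0.113.40", f"/page{i}") for i in range(12)]

# Signature-based: fixed patterns that are known to be bad (constructed signature set).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-probe": re.compile(r"/etc/passwd"),
}


def signature_alerts(records):
    """Flag every record whose path matches a known pattern. Cheap and precise,
    but blind to anything that has no signature yet."""
    alerts = []
    for t, ip, path in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((t, ip, name))
    return alerts


def rates_per_window(records, window=60):
    """Number of requests per (source IP, time window)."""
    return Counter((ip, t // window) for t, ip, _ in records)


def build_profile(records, window=60, k=3.0):
    """Anomaly-based, step 1: learn what normal looks like. The threshold is the mean
    per-source request count per window plus k standard deviations."""
    counts = list(rates_per_window(records, window).values())
    mean = statistics.mean(counts)
    stdev = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return {"window": window, "threshold": mean + k * stdev}


def anomaly_alerts(records, profile):
    """Anomaly-based, step 2: flag any source whose request rate in a window exceeds
    the learned threshold. Needs no signature, but depends on the baseline being clean."""
    return sorted(
        (ip, win, n)
        for (ip, win), n in rates_per_window(records, profile["window"]).items()
        if n > profile["threshold"]
    )


if __name__ == "__main__":
    print("signature:", signature_alerts(LIVE_LOG))
    print("anomaly:  ", anomaly_alerts(LIVE_LOG, build_profile(BASELINE_LOG)))
```

Note that each strategy catches exactly one of the two suspicious sources: the probe is a single request and never exceeds the rate threshold, and the high-rate source requests nothing that matches a signature.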

Remote Access
- Identify all remote access points into the network infrastructure.
- Driven by the need to promote business productivity
- Expands the perimeter
- Requires strict access controls and continuous activity monitoring

Remote Access (second slide: figure only, no text extracted)




Security Event Management
- The collection and correlation of events from all devices attached to the network infrastructure.
- Provides insight into events that would go unnoticed at the individual defense layers
- Provides automated alerts of suspicious activity

Security Event Management (second slide: figure only, no text extracted)
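To show what "insight into events which would go unnoticed at other individual defense layers" means in practice, here is an added example (not from the slides) of a correlation rule over events collected from three devices. The event feed, device names and thresholds are constructed; the feed is assumed to be already normalized to one schema, which a real event manager has to do by parsing each device's own log format first.

```python
"""Security event management: correlating login failures across devices.

Added example with constructed data. Each device alone only alerts at
PER_DEVICE_THRESHOLD failures; spread across three devices, the same user's
failures stay under every local threshold and are only visible once correlated.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since midnight (constructed)
    device: str    # the defense layer that reported the event
    user: str
    outcome: str   # "fail" or "success"


# Constructed, normalized feed from a VPN gateway, a mail server and a web application.
EVENTS = [
    Event(100, "vpn-gw", "alice", "fail"), Event(130, "vpn-gw", "alice", "fail"),
    Event(160, "mail", "alice", "fail"), Event(190, "mail", "alice", "fail"),
    Event(220, "webapp", "alice", "fail"), Event(250, "webapp", "alice", "fail"),
    Event(300, "vpn-gw", "bob", "fail"), Event(2000, "mail", "bob", "fail"),
    Event(320, "vpn-gw", "carol", "success"),
]

PER_DEVICE_THRESHOLD = 3   # what each device's own lockout/alert logic uses (assumed)
CORRELATED_THRESHOLD = 5   # what the event manager alerts on across all devices (assumed)
WINDOW = 600               # seconds


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def per_device_alerts(events, threshold=PER_DEVICE_THRESHOLD, window=WINDOW):
    """What each device would raise on its own: failures counted per (device, user)."""
    groups = defaultdict(list)
    for e in events:
        if e.outcome == "fail":
            groups[(e.device, e.user)].append(e.ts)
    return sorted(key for key, ts in groups.items() if max_in_window(ts, window) >= threshold)


def correlated_alerts(events, threshold=CORRELATED_THRESHOLD, window=WINDOW):
    """What the event manager raises: failures for one user counted across every device.
    Returns {user: [devices involved]} for each user over the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e.outcome == "fail":
            by_user[e.user].append(e)
    alerts = {}
    for user, fails in by_user.items():
        if max_in_window([e.ts for e in fails], window) >= threshold:
            alerts[user] = sorted({e.device for e in fails})
    return alerts


if __name__ == "__main__":
    print("per-device alerts:", per_device_alerts(EVENTS))   # nothing fires
    print("correlated alerts:", correlated_alerts(EVENTS))   # alice, across three devices
```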



Vulnerability Management
- Continuous process of assessing and evaluating the network infrastructure
- Multiple views / perspectives
- Integration with patch management and ticketing systems
- Configuration & maintenance validation

Vulnerability Management (second slide: figure only, no text extracted)





Additional Defenses
- Connecting the hosts & network:
  - Security policies
  - Network Admission Control (NAC)
  - Authentication services
  - Data encryption
  - Patch management
  - Application layer gateway

References
- James Michael Stewart, Security+ Fast Pass, Sybex, 2004
- Mark Ciampa, Security+ Guide to Network Security Fundamentals, Third Edition
- Jason A. Wessel, Network Security: A Defense-in-Depth Approach, AVP Security Services, CADRE – Information Security
- CEH v7, Module 16




Part06 infrastructure security
