13 2 network security
TRANSCRIPT
-
8/10/2019 13 2 Network Security
1/67
6/10/2011
Network Security
User Authentication
-
At the end of this lesson we will be able to:
Explain methods of user authentication
Network+2009 Objective 6.4
What we will cover
Public Key Infrastructure (PKI)
Kerberos
Authentication, Authorization, Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
-
NETWORK AUTHENTICATION METHODS
In order to secure your network:
Verify who is connecting to your network: Authentication
What are they allowed to do: Authorization
Log what they have done: Accounting
-
Usernames and passwords
Usernames: unique identifier
Passwords: complex passwords use lower- and uppercase letters, numbers, special characters
Minimum password length
Password protection:
Use different passwords
Use longer passwords
Use a combination of a-z, A-Z, 0-9 and special characters (!@#$%^)
Change frequently
Avoid reusing passwords
-
Strong passwords: balance difficulty of remembering with complexity
Create from the first letter of each word of a title or phrase (passphrase)
Mix letter cases, add numbers and special characters
Do not use personal information
Authentication factors
Something you know: Password
Something you have: Security token, Smart Card
Something you are: Fingerprint, Retina
-
One-factor authentication
Something you know: Windows logon dialog box, username and password
Something you are
Two-factor authentication
Something you know PLUS something you have (e.g. a token plus a PIN) or something you are (fingerprint, voice, retina)
-
Three-factor authentication
Something you know + something you have + something you are
A PIN, a card, and a fingerprint
Two Minute Activity
Think of scenarios where you might use one-, two-, and three-factor authentication
-
Public Key Encryption
Cryptography: the science of encryption
Convert to unreadable format: Encryption
Convert back to readable format: Decryption
Procedure for encrypting or decrypting: Algorithm
Encryption and decryption algorithm pair: Cipher
-
The simple ROT13 cipher
Keys are used to encrypt or decrypt
Symmetric: same key for encryption and decryption
Asymmetric: differing keys for encryption and decryption
-
Symmetric encryption in action
Public key cryptography uses two keys
Two related keys: what one encrypts, only the other can decrypt
One kept private, one shared (public)
Keys are mathematically related
-
Asymmetric encryption in action
Public Key Cryptography Characteristics
It is mathematically difficult to derive the private key from the public key
Data encrypted with the public key can be decrypted only with the private key
Data encrypted with the private key can be decrypted only with the public key
-
Public Key Infrastructure (PKI)
Public key infrastructure components:
Certificate authority (CA)
Registration authority (RA)
Certificate server
-
Setup and initialization phase
Registration
Key pair generation
Certificate generation
Certificate dissemination
Administration phase
Key storage
Certificate retrieval and validation
Backup or escrow
Recovery
-
Cancellation and history phase
Expiration
Renewal
Revocation
Suspension
Destruction
-
Kerberos is a network authentication protocol
Provides secure authentication over insecure networks
Protects against eavesdropping and replay attacks
Works by issuing tickets to users who log in
Authenticates users over an open, multi-platform network using a single login
Kerberos authentication process
-
Kerberos security weaknesses
Subject to brute force attacks
Assumes all network devices are physically secure
Compromised passwords enable easy access to attackers
Vulnerable to DoS attacks
Authenticating devices need to be loosely synchronized
Access to the AS allows an attacker to impersonate any authorized user
Authenticating device identifiers shouldn't be reused on a short-time basis
Authentication, Authorization, Accounting
-
Authentication, Authorization, Accounting
RADIUS, TACACS+
RADIUS provides authentication on wired and wireless network access, and accounting
-
Terminal Access Controller Access-Control System Plus TACACS+
-
802.1x - Network Access Control
802.1x
Password Authentication Protocol (PAP)
PAP sends plain-text passwords over the network
Insecure; use only as a last resort
Client sends username and password; server responds with:
authentication-ACK (if credentials are OK)
authentication-NAK (otherwise)
-
Challenge Handshake Authentication Protocol (CHAP)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAPv1, MS-CHAPv2
-
Extensible Authentication Protocol (EAP)
Is a framework
Can use token cards, one-time passwords, certificates, biometrics
Runs over Data Link layers
Defines formats
LEAP, EAP-TLS, EAP-FAST
Mutual authentication
Client and server authenticate to each other
Also known as two-way authentication
Trusts the other computer's digital certificate
Can block rogue services
-
Review
Public Key Infrastructure (PKI)
Kerberos
Authentication, Authorization, Accounting (AAA)
Network Access Control (NAC)
Challenge Handshake Authentication Protocol (CHAP)
Extensible Authentication Protocol (EAP)
-
Network Access Security
At the end of this lesson we will be able to:
Explain the methods of network access security
Network+2009 Objective 6.3
-
What we will cover
Security Filtering
Tunneling and encryption
Remote access
SECURITY FILTERING
-
Access Control Lists (ACL)
Found on routers and firewalls
Controls traffic in/out of an interface
Top-down list of permissions
First match wins
No match drops the packet
MAC filtering
MAC Standard Access List: uses source MAC addresses
MAC Extended Access List: uses source and destination MAC addresses and optional protocol type information
-
IP Filtering
Also known as packet filters
Permit or deny traffic based on IP address
Can sometimes also use port numbers
Called stateless filtering
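As an added example (not from the course slides), here is a small evaluator that applies ACL rules the way the slides describe: rules are walked top-down, the first match wins, and a packet that matches nothing is dropped. The Rule and Packet formats, the addresses and the sample rule list are constructed for illustration, not real router syntax.

```python
# Top-down ACL evaluation: first match wins, no match drops the packet.
# Added example; the Rule/Packet formats are assumptions, not real router syntax.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # source network in CIDR; /0 means any
    dst: str = "0.0.0.0/0"         # destination network in CIDR
    proto: Optional[str] = None    # "tcp", "udp", "icmp"; None means any
    dport: Optional[int] = None    # destination port; None means any

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it specifies matches the packet."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down and return (action, index of the matching rule).
    Falling off the end is the implicit deny: ("deny", None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None

# Constructed inbound ACL for an Internet-facing interface. Order matters:
# the anti-spoofing deny sits above the web permits, so a packet claiming an
# internal 10.0.0.0/8 source is dropped even when it targets port 80.
INTERNET_IN = [
    Rule("deny", src="10.0.0.0/8"),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),
]

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.10", "tcp", 80),
              Packet("10.1.2.3", "203.0.113.10", "tcp", 80),
              Packet("198.51.100.7", "203.0.113.10", "tcp", 22)):
        print(p, "->", evaluate(INTERNET_IN, p))
```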
TUNNELING AND ENCRYPTION
-
What is a Virtual Private Network (VPN)
Allows information to securely tunnel through an insecure network
Secure connection to branches
Secure connection for telecommuters
Helps save WAN connection cost
VPN Protocols
PPTP, L2F, L2TP, IPSec, SSL/TLS
-
Types of VPNs
Remote Access
Site-to-Site
Extranet
IP Security (IPSEC) provides authentication and encryption over IP
Authentication Header (AH) provides data integrity and authentication services only; no encryption
Encapsulating Security Payload (ESP) provides encryption as well as data integrity and authentication services
-
IPSEC Transport and Tunneling Modes
Tunnel Mode
Secure Sockets Layer (SSL)
[Figure: SSL connection process - Connection Request; Secure Connection Required; Security Capabilities; SSL Session Established]
-
SSL VPN allows secure access through a standard browser
Layer 2 Tunneling Protocol (L2TP)
Supports non-TCP/IP protocols in VPNs over the Internet
A combination of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer 2 Forwarding (L2F)
Works at the Data Link layer (Layer 2)
Does not itself provide any encryption
-
Point to Point Tunneling Protocol (PPTP)
Uses a Generic Routing Encapsulation (GRE) session to secure PPP frames
Tunneled PPP traffic can be authenticated with PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS
The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MS-CHAPv1/v2 or EAP-TLS
PPTP versus L2TP

                 PPTP                                   L2TP
Encryption       Native PPP; negotiations in plaintext  IPsec
Authentication   PPP with PAP, CHAP, or MS-CHAP         RADIUS, TACACS+
Data protocols   IP                                     IP, IPX, SNA, NetBEUI
Port             1723 (TCP)                             1701 (UDP)
-
REMOTE ACCESS
Remote Access Services (RAS)
Not a protocol but a combination of hardware and software required to make a remote-access connection
-
Remote Desktop Protocol (RDP)
Allows connection to a computer using Microsoft's Terminal Services
Graphical desktop-sharing system
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network
Remote Desktop Connection
-
Virtual Network Computing (VNC)
Graphical desktop-sharing system
Uses the remote frame buffer (RFB) protocol
Allows remote control of a computer
Keyboard, mouse, and video are sent over the network
-
Independent Computing Architecture (ICA)
Protocol designed by Citrix Systems
Allows clients with virtually any operating system to access applications on Windows servers
Typically used by Citrix's WinFrame
Point to Point Protocol (PPP)
Layer 2 protocol
Provides authentication, encryption, and compression services
Allows clients to log in remotely
-
Point to Point Protocol over Ethernet (PPPoE)
An extension of PPP
Encapsulates PPP frames within Ethernet frames
Allows an ISP to authenticate DSL and cable clients
PPPoE works in two stages: discovery and session
Uses end-point MAC addresses to create sessions
Summary
Security Filtering
Tunneling and encryption
Remote access
-
At the end of this lesson we will be able to:
Explain the function of hardware and software security devices
Network+2009 Objective 6.1
What we will cover
Network Based Firewall
Host Based Firewall
Intrusion Detection Systems
Intrusion Prevention Systems
VPN Concentrator
-
Network Based Firewall: a device that protects a network
[Figure: Internet - firewall - Protected Network]
Host Based Firewall: software that protects an individual host
[Figure: Internet - host running firewall software]
-
Intrusion Detection Systems monitor traffic to detect attacks
[Figure: Untrusted network - Firewall - Protected Network, with the IDS in parallel with the traffic]
Intrusion Prevention Systems monitor traffic to block attacks
[Figure: Untrusted network - Firewall - IPS - Protected Network, with the IPS in line with the traffic]
-
Intrusion Detection/Prevention Systems
IDS/IPS: Network Based, Host Based
VPN Concentrator
[Figure: VPN Clients - Internet - Firewall - VPN Concentrator - Internal Network]
-
Cisco and Netgear VPN Concentrators
Review
Firewall: Network Based, Host Based
Intrusion Detection Systems: Network Based, Host Based
Intrusion Prevention Systems: Network Based, Host Based
VPN Concentrator
-
Firewall Features
At the end of this lesson we will be able to:
Explain common features of a firewall
Network+2009 Objective 6.2
-
Agenda
Stateful vs. Stateless
Application Layer vs. Network Layer
Scanning Services
Content Filtering
Signature Identification
Zones
Stateful vs. Stateless
Stateless checks each packet individually
Does not care if it is part of a message stream
Susceptible to DoS attacks and IP spoofing
Stateful firewall keeps track of the various data streams passing through it
Better at preventing attacks that exploit existing connections, or DoS attacks
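An added example, not from the slides, contrasting the two approaches: a stateless rule that lets inbound TCP through whenever it merely carries the ACK flag, beside a stateful tracker that only admits inbound packets answering a connection an inside host actually opened. The packet dicts, addresses and the simplified connection table are constructed for illustration.

```python
# Stateless vs. stateful handling of return traffic. Added example; packets are
# constructed dicts and the connection table is a simplified TCP tracker.
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)

def stateless_allow(pkt: dict) -> bool:
    """Stateless rules: permit anything outbound; permit inbound TCP only when it
    claims to belong to an existing conversation (ACK bit set). The filter has no
    memory, so a forged inbound packet that merely sets ACK also passes."""
    if pkt["direction"] == "out":
        return True
    return pkt["proto"] == "tcp" and "ACK" in pkt["flags"]

class StatefulFilter:
    """Permits inbound packets only if they answer a flow an inside host opened."""
    def __init__(self) -> None:
        self.table: Dict[Flow, str] = {}   # flow -> connection state

    def allow(self, pkt: dict) -> bool:
        flow: Flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse: Flow = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["direction"] == "out":
            if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
                self.table[flow] = "SYN_SENT"     # inside host opened a connection
            return True
        state = self.table.get(reverse)            # inbound: must match a known flow
        if state is None:
            return False                           # no such connection: drop
        if state == "SYN_SENT" and pkt["flags"] == {"SYN", "ACK"}:
            self.table[reverse] = "ESTABLISHED"
        return True

def pkt(direction, src, sport, dst, dport, flags, proto="tcp") -> dict:
    return {"direction": direction, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": set(flags), "proto": proto}

def demo() -> dict:
    """Constructed traffic: a genuine outbound HTTPS connection and its reply, then
    an inbound ACK-only packet toward an inside host that opened nothing."""
    sf = StatefulFilter()
    traffic = [
        pkt("out", "192.168.1.10", 51000, "203.0.113.5", 443, ["SYN"]),
        pkt("in", "203.0.113.5", 443, "192.168.1.10", 51000, ["SYN", "ACK"]),
        pkt("in", "198.51.100.9", 4444, "192.168.1.20", 3389, ["ACK"]),
    ]
    return {"stateless": [stateless_allow(p) for p in traffic],
            "stateful": [sf.allow(p) for p in traffic]}
```

The stateless filter passes all three packets, including the one that answers no connection; the stateful filter passes only the first two.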
-
Application Layer vs. Network Layer Firewalls
Network layer: inspects only the IP and TCP & UDP headers
Application Layer: inspects the Application layer data
Can handle complex protocols such as HTTP, FTP, SIP, H.323
Slower
Scanning Services check incoming traffic for problems
Emails: scan for malware, spam, too-large attachments
Web: scan for malware
FTP: scan for malware
-
Content Filtering is closely related to scanning services
Blocking traffic based on the content of the data rather than the source
Used to filter email and website access
Ways to filter content
Block attachments of a certain type, such as .exe
Bayesian probability estimating
Content-encoding
Email headers
Language
Phrases
Proximity of words to each other
URLs
-
Signature Identification - look for patterns in traffic
Similar to intrusion detection
Look for specific patterns known to be malicious
Signatures need to be updated regularly
New attacks may not be detected
Zones allow policy to be applied between groups of interfaces
[Figure: firewall with interfaces E0-E12 grouped into zones: Internet Zone, Internal Zone A, Internal Zone B, DMZ Zone 1, DMZ Zone 2, Guest Wireless Zone]
-
Review
Firewall types:
Stateful vs. Stateless
Application Layer vs. Network Layer
Scanning Services
Content Filtering
Signature Identification
Zones
Device Security Issues
-
At the end of this lesson we will be able to:
Explain issues that affect device security
Network+2009 Objective 6.5
What we will cover
Physical Security
Restricting Local and Remote Access
Secure Methods vs. Unsecure Methods
-
Physical security
One common security truism is "Once you have physical access to a box, all bets are off."
Physical access control
Fences
Doors
Locks
Man-trap
Lights
-
Surveillance
Security guards
Guard dogs
Logging physical access to the facility
Video cameras
Activity: with your team or by yourself
Identify the risks associated with physical access to systems
-
Restricting local and remote access
Access-Control Principles
Follow the least-privilege model
Separate out administrative duties
Rotate administrator jobs
Utilize implicit denies
-
Access-Control Models
Discretionary Access Control (DAC)
Role-Based Access Control (RBAC)
Rule-Based Access Control (RBAC)
Mandatory Access Control (MAC)
SECURE VS. UNSECURE APPLICATION PROTOCOLS
-
Security Threat Mitigation Techniques
At the end of this lesson we will be able to:
Identify common security threats and mitigation techniques
Network+2009 Objective 6.6
-
What we will cover
Managing User Account and Password Security
Security Threats
Threat Mitigation Techniques
MANAGING USER ACCOUNT AND PASSWORD SECURITY
-
Network Resource-Sharing Security Models
Share Level Security
User Level Security
Managing User Accounts
Add & delete accounts
Disabling accounts
Modify account authorization
Setting up anonymous accounts
Limiting connections
Renaming the maintenance account
-
Creating Strong Passwords
Minimum Length: 6 to 8 characters
Using Characters to Make a Strong Password
Weak: word in dictionary; name; date; sequence (1234; abcd; qwert); same character type (letters, numbers, symbols)
Strong: at least 8 characters; combination of upper- and lowercase letters, numbers, and symbols, e.g. B^1d&7St
Password-Management Features
Automatic Account Lockouts
Password Expiration
Password Histories
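An added example, not the course's own code, that applies the weak/strong criteria from the password slide and adds two of the management features listed here: a password history that blocks reuse of recent passwords and an automatic lockout after repeated failures. The word list, the account and the SHA-256 hashing are constructed stand-ins; a real system uses a slow password hash and a full dictionary.

```python
# Added example: the slide's weak/strong password rules plus history and lockout.
# Word list and account are constructed; SHA-256 stands in for a slow password hash.
import hashlib
from collections import deque
from typing import Optional, Tuple

DICTIONARY = {"password", "welcome", "letmein", "dragon"}   # constructed, tiny
SEQUENCES = ("1234", "abcd", "qwert")

def classify(pw: str) -> Tuple[str, Optional[str]]:
    """Return ("weak", reason) or ("strong", None) following the slide's criteria."""
    low = pw.lower()
    if len(pw) < 8:
        return "weak", "fewer than 8 characters"
    if any(word in low for word in DICTIONARY):
        return "weak", "contains a dictionary word"
    if any(seq in low for seq in SEQUENCES):
        return "weak", "contains a sequence such as 1234, abcd or qwert"
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        return "weak", "needs upper- and lowercase letters, numbers and symbols"
    return "strong", None

class Account:
    """Password history (no reuse of the last N) and automatic lockout."""
    def __init__(self, password: str, history_size: int = 5, max_failures: int = 3):
        self.history = deque(maxlen=history_size)   # password hashes, oldest first
        self.failures = 0
        self.locked = False
        self.max_failures = max_failures
        if not self.set_password(password):
            raise ValueError("initial password rejected: " + str(classify(password)[1]))

    @staticmethod
    def _hash(pw: str) -> str:
        return hashlib.sha256(pw.encode()).hexdigest()

    def set_password(self, new_pw: str) -> bool:
        """Reject weak passwords and any password still in the history window."""
        if classify(new_pw)[0] != "strong" or self._hash(new_pw) in self.history:
            return False
        self.history.append(self._hash(new_pw))
        return True

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False                 # locked out: even the right password fails
        if self._hash(attempt) == self.history[-1]:
            self.failures = 0
            return True
        self.failures += 1               # count consecutive failures
        self.locked = self.failures >= self.max_failures
        return False
```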
-
SECURITY THREATS
-
Malware is the term for all viruses, worms, Trojans, etc.
Computer viruses
Worms
Trojan horses
Rootkits - designed to hide the fact that a system has been compromised
Spyware
Dishonest adware
Crimeware - malware designed specifically to automate cybercrime
A computer virus is a computer program that can copy itself
Attaches itself to an executable
Copies itself to (infects) other files when the file is opened
-
Worms send copies of themselves to other nodes
Denial of Service (DoS) attacks try to overwhelm the network
Some botnets are estimated to have 500,000 to 10 million slaves/zombies
-
Man in the Middle
[Figure: normal traffic compared with man-in-the-middle traffic]
Rogue Access Points
http://blogs.paretologic.com/malwarediaries/index.php/category/wireless-security/
-
Phishing: an official-looking email sent to fool the user into clicking a link to the phisher's web site
MITIGATION TECHNIQUES
-
Policies and Procedures
Security software and devices cannot stop all types of attacks
Security policies should be created
Security procedures define how to respond to any security event
User Training: it makes no sense to create all these policies and procedures and not train the IT staff and the users.
-
Patches and Updates ensure that all your machines have the latest security patches
Windows Server Update Services (WSUS)
-
Review
Managing User Account and Password Security
Security Threats
Threat Mitigation Techniques