networking cmpc531\tc_17.ppt \\ page 17 - 1 unit 17 – local area network security n business...

$: Networking CMPC531\tc_17.ppt \\ page 17 - 1 Unit 17 – Local Area Network Security n BUSINESS IMPACT n SECURITY POLICY DEVELOPMENT n VIRUS PROTECTION n$
NetworkingNetworking

CMPC531\tc_17.ppt \\ page 17 - 1

Unit 17 – Local Area Network Security

BUSINESS IMPACT SECURITY POLICY DEVELOPMENT VIRUS PROTECTION FIREWALLS AUTHENTICATION AND ACCESS CONTROL ENCRYPTION APPLIED SECURITY SCENARIOS GOVERNMENT IMPACT



BUSINESS IMPACT Network security is a business problem. The development and implementation of a sound network security policy

must start with strategic business assessment followed by strong management support throughout the policy development and implementation stages.

Enterprise network security goals must be set by corporate presidents and/or board of directors.



SECURITY POLICY DEVELOPMENT Security policy development life cycle (SPDLC). Figure 16-1. A cycle because evaluation processes validate the effectiveness of original

analysis stages. Security Requirements Assessment

Require a structured approach to ensure that all potential user group/information resource combinations have been considered.

A network analyst can create a matrix grid mapping all potential user groups against all potential corporate information resources.

Refer Figure 16-3. These security processes:

Restrictions to information access imposed upon each user group Definition the responsibilities of each user group for security policy implementation

and enforcement. It should be reviewed on a periodic basis through ongoing auditing, monitoring,

evaluation, and analysis.



Figure 16-1 The Security Policy Development Life Cycle



SECURITY POLICY DEVELOPMENT Scope Definition and Feasibility Studies

Define the scope or limitations of the project Feasibility studies gain vital information on the difficulty of the security policy

development process as well as the assets (human and financial) required to maintain such a process.

Need to decide on the balance between security and productivity. See Figure 16-4. Need to identify those key values that a corporation should be maintained. Five most typical fundamental values of network security policy development:

Identification/Authentication: the process of reliably determining the genuine identity of the communicating computer (host) or user.

Access Control / Authorization: authenticated users are only allowed to those information and network resources they are supposed to access.

Privacy/Confidentiality: ensure tat data is disclosed only to intended recipients. Data Integrity: assure that data are genuine and cannot be changed without proper

controls. Non-Repudiation: users cannot deny the occurrence of given events or transactions.



Figure 16-4 Security vs. Productivity Balance



SECURITY POLICY DEVELOPMENT Assets, Threats, Vulnerabilities, and Risks

Most security policy development methodologies boil down to the following six major steps:

1. Identify assets

2. Identify threats

3. Identify vulnerabilities

4. Consider the risks

5. Identify risk domains

6. Take protective measures Assets: corporate property of some value that requires varying degrees of

protection. Data or Information can be classified:

Unclassified or Public Sensitive Confidential Secret Top Secret




Threats: processes or people that pose a potential danger to identified assets. Vulnerabilities: manner or path by which threats are able to attack assets. Risks: probability of a particular threat successfully attacking a particular asset in a given amount of ti

me via a particular vulnerability. E.g. Intruders or attackers may use social engineering or snooping to obtain user passwords An administrator may incorrectly create or configure user ids, groups, and their associated rights

on a file server, resulting in file and login access vulnerabilities Network administrators may overlook security flaws in topology or hardware configuration Network administrators may overlook security flaws in operating system or application

configuration; Lack of proper documentation and communication of security policies may lead to deliberate or

inadvertent misuse of files or network access; Dishonest or disgruntled employees may abuse the file and access rights they’ve been given; A computer or terminal left logged into the network while its operator goes away may provide an

entry point for an intruder; Users or even administrators choose passwords that are easy to guess; Authorized staff may leave computer room doors propped open or unlocked, allowing

unauthorized individuals to enter;




Staff may discard disks or backup tapes in “public” waste containers Administrators may neglect to remove access and file rights for employees

who have left the organisation. Figure 16-7 shows the relationship between assets, threats,

vulnerabilities, risks, and protective measures.


CMPC531\tc_17.ppt \\ page 17 - 10

Figure 16-7 Assets, Threats,Vulnerabilities, Risks,and ProtectiveMeasures


CMPC531\tc_17.ppt \\ page 17 - 11

SECURITY POLICY DEVELOPMENT Attack Strategies

Some of common attack strategies as well as potential protective measures: Masquerading : Authentication Eavesdropping: Encryption Man-in-the-Middle-Attack: Digital certificates, digital signatures Address Spoofing: Firewalls Data Diddling: Encrypted message digest Dictionary Attack: Strong passwords, intruder detection Replay Attack: Time stamping or sequence numbering Virus Attack: Virus management policy Trojan Horse Attack: Firewalls Denial of Service Attack: Authentication, service filtering


CMPC531\tc_17.ppt \\ page 17 - 12

SECURITY POLICY DEVELOPMENT Management Role and Responsibilities

Plan your action to develop and implement a solution. Not to underestimate the labor resources and time requirements necessary to

scale up your security analysis to an enterprise-wide security policy development and implementation process.

Be sure that all affected user groups are represented on the policy development task force.

Potential areas for development of acceptable use policies: Password protection and management, software license, virus protection, internet

access, remote access, e-mail, policies regarding penalties/warnings, physical access

Policy Implementation Process The policies need the support of executives and managers.

Users should also be expected to actively support the implemented acceptable user policies.

Security architecture map clearly justified security functional requirements to currently available security technical solution.

See Figure 16-13 for the information security architecture.


CMPC531\tc_17.ppt \\ page 17 - 13

Figure 16-13Representative SecurityArchitecture


CMPC531\tc_17.ppt \\ page 17 - 14

SECURITY POLICY DEVELOPMENT Auditing

Audit and monitor a corporate security policy on a continual basis. Auditing can be automated or manual. Manual audits serve to verify the effectiveness of policy development and

implementation Automated audits is able to assess the weaknesses of your network security and

security standards, to analyze the network for potential vulnerabilities and make recommendations for corrective action.


CMPC531\tc_17.ppt \\ page 17 - 15

VIRUS PROTECTION A comprehensive virus protection plan must combine policy, people, processes and t

echnology in order to be effective. Virus Categories

work by infecting other legitimate programs and causing them to become destructive or disrupt the system in some other manner.

Use some type of replication method to get the virus to spread and infect other programs, systems, or networks

Need some sort of trigger or activation mechanism to set them off. Viruses may remain dormant and undetected for long periods of time.

Refer to Figure 16-16 for the major virus categories.

Antivirus Strategies Effective antivirus policies and procedures must first focus on the use and checking of all d

iskettes before pursuing technology-based solutions. Use virus scanning software for detecting virus in collaborative applications to avoid infect

ion/reinfection cycle. Figure 16-18 shows the collaboration software infection/reinfection cycle. Figure16-19 shows virus infection points of attack and protective measures


CMPC531\tc_17.ppt \\ page 17 - 16

Figure 16-18 Collaborative Software Infection/Re-infection Cycle


CMPC531\tc_17.ppt \\ page 17 - 17

Figure 16-19 Virus Infection Points of Attack and Protective Measures


CMPC531\tc_17.ppt \\ page 17 - 18

Firewall software usually runs on a dedicated server that is connected to, but outside of, the corporate network.

Firewalls provide a layer of isolation between the inside network and the outside network.

Firewall Architectures Packet Filtering: examines source and destination addresses and determines

access based on the entries in a filter table. Packet filter can be breached by hackers known as IP spoofing. Hacker can make a

packet appear to come from an authorized or trusted IP address, it can pass through the firewall.

Application Gateway filters or Proxies It examine the entire request for data rather than just the source and destination

addresses. Secure files can be marked as such and application-level filters will not show those

files to be transferred, even to users authorized by port-level filters.

FIREWALLS


CMPC531\tc_17.ppt \\ page 17 - 19

Dual-homed gateway Application gateway is physically connected to the private secure network and the pac

ket-filtering router is connected to the nonsecure network. All outside traffic still goes through the application gateway first and then to the infor

mation servers. Trusted gateway

Certain applications are identified as trusted and are able to bypass the application gateway entirely and are able to establish connections directly rather than executed by proxy.

See Figure 16-20.

FIREWALLS


CMPC531\tc_17.ppt \\ page 17 - 20

Figure 16-20 Packet Filters, Application Gateways, Proxies,Trusted Gateways, and Dual-Homed Gateways


CMPC531\tc_17.ppt \\ page 17 - 21

Authentication is to ensure that users attempting to gain access to networks are really who they claim to be.

Authentication products break down into three overall categories: What you know. Authentication technology that can deliver single sign-on

(SSO) access to multiple network attached servers and resources via passwords. What you have. It uses one-time or session passwords or other techniques to

authenticate users and validate the authenticity of messages or files. What you are. It validates user based on some physical characteristic.

Token Authentication – Smart Cards Token Authentication technology may have multiple forms:

Hardware-based Smart Cards In-line authentication device Software token on client PC

There are two overall approaches to the token authentication process.

AUTHENTICATION AND ACCESS CONTROL


CMPC531\tc_17.ppt \\ page 17 - 22

Challenge-response token authentication1. The user enters an assigned user ID and password at the client workstation.2. The token authentication server software return a numeric string known as a challenge3. The challenge number and a personal ID number are entered on the hand-held Smart Card4. The Smart Card displays a response number on the LCD screen5. This response number is entered on the client workstation and transmitted back to the toke

n authentication server6. The token authentication server validates the response against the expected response from

this particular user and this particular Smart Card. If the two match, the user is deemed authentic and the login session is enabled.

Time synchronous token authentication1. Every 60 seconds, the time-synchronous Smart Card and the server-based software generat

e a new access code.2. The user enters their user ID, a personal ID number, and the access code currently displaye

d on the Smart Card.3. The server receives the access code and authenticate the user by comparing the received ac

cess code with the expected access code unique to that SmarCard which was generated at the server in time synchronous fashion.

4. See Figure 16-24.



CMPC531\tc_17.ppt \\ page 17 - 23

Figure 16-24 Challenge Response vs. TimeSynchronous TokenAuthentication


CMPC531\tc_17.ppt \\ page 17 - 24

If the security offered by token authentication is insufficient, biometric authentication can authenticate users based on fingerprints, palm prints, retinal patterns, voice recognition or other physical characteristics.

Authorization a subset of authentication. While authentication ensures that only legitimate

users can log into the network, authorization ensures that these properly authenticated users access only the network resources for which they are properly authorized.

the authorization security software can be either server-based (brokered authorization) or workstation-based (trusted node).



CMPC531\tc_17.ppt \\ page 17 - 25

A security process complimentary rather than mutually exclusive to authentication and authorization.

encryption ensures that the contents of the transmission would be meaningless (called ciphertext) if they were intercepted. Encryption must accompanied by decryption, to change the unreadable text back into its original form.

Data Encryption Standard (DES) is often used to allow encryption devices manufactured by different manufacturers to interoprate successfully. The DES encryption standard actually includes two parts for greater security method of encrypting data 64 bits at a time a variable 64-bit key (private key)

Private key This private key must be known by both the sending and the receiving

encryption devices and allows so many unique combination (2 to the 64th power), that unauthorized decryption is nearly impossible.

ENCRYPTION


CMPC531\tc_17.ppt \\ page 17 - 26

Public key or Public/private key encryption the process actually combines public and private keys. In public key encryption, the sending encryption device encrypts a document

using the intended recipient’s public key and the originating party’s private key. This public key is readily available in a public directory.

To decrypt the document, the receiving encryption device must be programmed with the recipient’s private key and the sending party’s public key.

This method requires only the receiving party to possess their private key and eliminates the need for transmission of private keys.

Digital signature encryption appends an encrypted digital signature to the encrypted document as an

electronic means of guaranteeing the authenticity of the sending party and assurance that encrypted documents have not been tampered with during transmission.

the digital signature is regenerated at the receiving encryption device from the transmitted document and compared to the transmitted digital signature.

See Figure 16-26.

ENCRYPTION


CMPC531\tc_17.ppt \\ page 17 - 27

Figure 16-26 Private KeyEncryption, Public KeyEncryption, and Digital Signature Encryption


CMPC531\tc_17.ppt \\ page 17 - 28

Overall Design Strategies Some general guidelines the would apply to most situations:

Install only software and hardware that you really need on your network. Allow only essential traffic into and out of the corporate network Investigate the business case for outsourcing web-hosting services Use routers to filter traffic by IP address Make sure that router operating system software has been patched Identify those information assets that are most critical to the corporation Implement physical security constraints to hinder physical access to critical resrouces

such as servers Monitor system activity logs carefully Develop a simple, effective and enforceable security policy and monitor its

implementation and effectiveness Consider installing a proxy server or application layer firewall Block incoming DNS queries and requests for zone transfers Don’t publish the corporation’s complete DNS map on DNS servers that are outside

the corporate firewall. Disable all TCP ports and services that are not essential

APPLIED SECURITY SCENARIOS


CMPC531\tc_17.ppt \\ page 17 - 29

Remote Access Security How to manage the activity of all of the remote access users that have logged in

via a variety of multi-vendor equipment and authentication technology. Remote authentication dial-in user service (RADIUS) offers the potential to

enable centralized management of remote access users and technology. See Figure 16-28. It enables communication between the following three tiers of technology:

Remote access devices such as remote access servers and token authentication technology from a variety of vendors, otherwise known as network access servers (NAS)

Enterprise database that contains authentication and access control information RADIUS authentication server

Users request connections and provide useRIDs and passwords to the network access servers which, in turn, pass the information along to the RADIUS authentication server for authentication approval or denial.



CMPC531\tc_17.ppt \\ page 17 - 30

Figure 16-28 Remote Authentication Dial-In User Services (RADIUS) Architecture


CMPC531\tc_17.ppt \\ page 17 - 31

RADIUS: Allows network manager to centrally manage remote access users, access methods,

and logon restriction. Centralized auditing, e.g. keep track of volume of traffic sent and amount of time on-

line Enforces remote access limitations, e.g. server access restrictions or on-line time

limitation Supports password authentication protocol (PAP), challenge handshake authentication

protocol (CHAP) and Secure ID token authentication. Transmit passwords in encrypted format only

Virtual Private Network Security To provide virtual private networking capabilities using the Internet as an

enterprise network backbone, specialized tunneling protocols needed to be developed that could establish private, secure channels between connected systems.

Two rival standards are examples of such tunneling protocols: Point-to-Point Tunneling Protocol (PPTP) and Layer Two Forwarding (L2F)



CMPC531\tc_17.ppt \\ page 17 - 32

See Figure 16-29. Two rival specifications currently exist for establishing security over VPN

tunnels: IPsec and PPTP.



CMPC531\tc_17.ppt \\ page 17 - 33

Figure 16-29 Tunneling Protocols Enable Virtual Private Networks


CMPC531\tc_17.ppt \\ page 17 - 34

Enterprise Network Security To maintain proper security over a widely distributed enterprise network, it is

essential to be able to conduct certain security-related processes from a single, centralised, security management location. These processes are: Single point of registration (SPR) allows a network security manager to enter a new

user form a single centralized location and assign all associated rights, privileges and access control to enterprise resources

Single sign-on (SSO) allows the user to login to the enterprise network and to be authenticated from their client PC location.

Single access control view allows the user’s access from their client workstation to only display those resources that the user actually has access to.

Security auditing and intrusion detection is able to track and identify suspicious behaviors from both internal employees and potential intruders.



CMPC531\tc_17.ppt \\ page 17 - 35

Government agencies play a major role in the area of network security. The primary function of these various government agencies is :

Standards-making organizations that set standards for the design, implementation, and certification of security technology and systems

GOVERNMENT IMPACT

**** END ****

networking cmpc531\tc_17.ppt \\ page 17 - 1 unit 17 – local area network security n business...

Documents