WEEK 6 CIS288: Securing the Network Services and Protocols Slide 1 Introduction Welcome to week 6 of C-I-S 288: Security

Design in a Windows 2003 Environment. In the previous lesson we discussed securing the network management process. In this week we will discuss securing the network services and protocols. Next Slide: When you complete this lesson you will be able to: Design network infrastructure security; Design an I-P Sec policy; Design I-P filtering; Specify the required protocols for a firewall configuration; Secure a D-N-S implementation; Design security for data transmission; Use segmented networks; Design security for wireless networks; Design public and private wireless Lans; And Design eight-zero-two-point-eleven-X authentication for wireless networks. Slide 3 Designing Network Infrastructure Security Next Slide: Designing a secure T-C-P I-P based network begins with thorough planning. The network infrastructure is comprised of hardware and software elements and has both a physical and logical structure. Hardware clearly includes servers, hosts, and gateways, as well as printers, mobile devices, and even the network cabling specifications. The software side includes operating systems applications, and services such as D-H-C-P, and other network protocols, and the N-T-F-S file format, to name a few. The elements involved with designing a secure network infrastructure are: Plan network security; Create secure boundaries; Deploy network security technologies; Deploy server, application, and user security technologies; and deploy network monitoring and auditing.

Slide 2

Objectives

Slide 4

Designing Network Infrastructure Security (continued)

Next Slide: After developing your overall security plan, you need to drill down to design the security for the network infrastructure. Network infrastructure includes those services and protocols used to run network services. As with any security model, you must find a workable balance between security and usability. Finding this balance requires that you take several logical steps to implement the best solution for your firm. These steps include: Assess the risk to your network and system data and determine the appropriate level of security. Identify valuable information; Define security policies based on risk; Determine how security policies can best be implemented in an enterprise; Ensure security management and technology requirements are available and in place; And provide users with an easy and secure method of accessing the appropriate resources.

Slide 5

Common Types of Attacks

Next Slide: We will now list some common types of attacks. Understanding attacks clearly is the key to implementing needed security technologies for your network. Many types of attacks can occur, and it seems someone is figuring out another way to attack a secure computer system almost every day. Some of the common methods are eavesdropping, data modification, I-P address spoofing, password-based attacks, brute force attacks, denial-of-service attacks, man-in-the-middle attacks, compromised key attacks, sniffer attacks, application-layer attacks, and social engineering. Next Slide:

Slide 6

IPSec Overview

I-P Sec is a suite of protocols that provides protection of data integrity, and authentication. It can also provide optional privacy and replay protection. The I-P Sec protocols are defined by the Internet Engineering Task Force, or IE-T-F. I-P Sec provides security services at the transport layer of the T-C-P I-P stack. The I-P Sec driver interfaces with the T-C-U U-D-P transport layer and the Internet layer, making it transparent to users and applications. It can receive network communication and, through the use of filters and rules, it can: Select required security protocols; Determine algorithms to use for a particular service; And Use cryptographic keys required by any of the services. IP-Sec is used to secure the communication channel between computers and to secure the data flowing across that channel. IP-Sec secures data by signing the packet and encrypting data. You can choose to use one or the other, or both. Signing the packet involves using a hash value to make sure the packet has not been tampered with. Encrypting the data involves an encryption algorithm as well as keys for encrypting and decrypting the data.

Slide 7

IPSec Policies Overview

Next Slide: I-P-Sec policy consists of several elements: filter lists, filter actions, and rules. Its critical to understand how these work together to enforce security across the enterprise. Its important for you on the job and will certainly be one of the key topics on the exam. I-P-Sec policies are applied based on rules. A rule provides the ability to create secure communication based on the source, destination, and type of I-P traffic. Each rule contains a list of I-P filters and a set of security actions to take. Each I-P-Sec rule consists of these elements: A selected filter list; A selected filter action; Selected authentication methods; A selected connection type; and Selected tunnel settings. Next Slide:

Slide 8

Designing IP Filtering

When designing I-P filtering, there are a few design suggestions that will make your task easier. These are delineated on the table shown on this slide and describe recommendations for both filter and filter actions. For configuring secure servers, including firewalls and computers in perimeter networks, you can review the common list of T-C-P and U-D-P ports and ensure you block or permit traffic as needed for the correct function of the computer in question. The Internet Assigned Numbers Authority, or I-A-N-A, provides a full list of TC-P and U-D-P ports from zero through sixty-fivethousand-five hundred-thirty-five.

Slide 9

Configuration a Firewall Configuration

Next Slide: Firewalls can be used between segments of a network or to protect the corporate network from the Internet. Since the firewall by definition provides a security boundary, configuring I-P-Sec for a firewall makes sense. To configure a firewall between I-P-Sec computers, it must be configured to: Forward inbound and outbound I-P-Sec traffic on U-D-P source and destination port 500. This allows Isak-M-P traffic to be forwarded; And Forward inbound and outbound I-P protocol fifty, ES-P; Forward inbound and outbound I-P protocol fifty one, AH; Forward inbound and outbound U-D-P source and destination port forty-five-hundred. I-P-Sec can be routed as normal I-P traffic, although the forwarders do not have the ability to examine the packet if it is encrypted with E-S-P. Next Slide:

Slide 10

Securing a DNS

D-N-S is the method of resolving I-P addresses to domain names or domain names to I-P addresses. This vital network service is a target of interest to hackers because access to this data provides valuable data for attacking the network and gaining unauthorized access. There are a number of common threats to D-N-S that must be considered and mitigated when planning security for the enterprise. The table on this slide shows the common threats and how hackers can exploit these threats. Next Slide:

Slide 11

Securing a DNS (continued)

There are a number of ways the D-N-S Server Service can be configured to reduce the risk of and exposure to attack. The first step is to examine the configuration of the D-N-S Service to review settings that affect security. The second step is to manage the discretionary access lists on D-N-S servers that are running on domain controllers. Finally, implementing the N-T-F-S file system on D-N-S servers running any operating system that supports N-T-F-S protects the files on the server. Next Slide: There are a number of other methods for securing data being transmitted in a number of different scenarios. I-P Sec works well in some instances, but other options are more viable and appropriate in other instances. We will now review some of these options. The first is S-S-L T-L-S which stands for Secure Sockets Layer Transport Layer Security. This protocol is typically used to secure H-T-T-P or H-T-T-P-S traffic on Web sites. However, it works below the application layer in the T-CP I-P stack and can be used transparently by applications that require security for application layer protocols such as F-T-P, L-D-A-P, or S-M-T-P. The other option is S-Mime. S-Mime is used to secure email traffic from one end to the other. As mentioned earlier, S-S-L can be used to secure server-to-server traffic, but S-Mime is best suited for end-to-end security. S-Mime is an extension of Mime that supports e-mail by enabling the e-mail originator to digitally sign an e-mail to provide proof of both origin and message integrity. It also enables e-mail to be encrypted to provide confidential

Slide 12

Designing Security for Data Transmission

communication via the Internet. Next Slide: One of the most common methods of securing network data is to segment the network into smaller sections. Switches, routers, gateways, or firewalls can be configured in between these network segments to manage traffic between and among various network segments. Segmenting a network improves the efficiency of the network because multicast and broadcast traffic is kept on the local segment, preventing it from being transmitted across the entire network. By segmenting a network, local traffic stays local and remote traffic is forwarded to the gateway. The gateway can be configured to block or permit different types of traffic to protect network segments from either receiving or sending data to unauthorized networks, segments, or hosts. Slide 14 Designing Security for Wireless Networks Next Slide: Now that we have reviewed how to protect data across the network; we will now discuss how to protect the wireless network. There are four different types of wireless networks, based on their range or scope. They include: Wireless personal area networks; Wireless local area networks; Wireless metropolitan area networks; And Wireless wide area networks. Wireless personal area networks connect wireless personal devices such as cellular phones, personal digital assistants, laptops, or wireless printers. Wireless local area networks are designed to provide connectivity to a local area, typically defined as a building or office. Wireless metropolitan area networks connect buildings within a campus or city through infrared or radio frequency. The infrared implementation has limitations due to the requirement to have line-of-site for connectivity. And wireless wide area networks have existed for a while

Slide 13

Using Segmented Networks

and are most commonly implemented via cell phones. The current technology is not standardized and there are several companies and technologies vying for their place in the standard. Next Slide: Slide 15 Threats to Wireless Networks Before going into the technologies any further, you need to look at some of the threats to wireless networks. Clearly, some of the threats are the same as on a wired network, but there are threats that are specific to wireless networks. Youll look at each threat and find out the best current solution for mitigating that threat. Shown on this slide is a table listing all the different types of threats. Next Slide: Slide 16 Designing Wireless LANs Designing a secure wireless network takes planning and integration with existing infrastructure. Some industry analysts believe that wireless networking will become the de facto standard, so understanding how to design a wireless network will help you both on the job and on the exam. The elements of designing a wireless network include: Designing W-Lan network infrastructure; Designing wireless authentication; And designing wireless access infrastructure. Slide 17 Designing Authenticatio n for Wireless Networks Next Slide: The security mechanisms available for securing a wireless network are the following: Eight-zero-two-point-eleven identity verification and authentication; Eight-zero-two-point-eleven Wired Equivalent Privacy encryption; Eight-zero-two-point- one-X authentication; And I-A-S support for Eight-zero-two-point- one-X authentication. Since each of these security mechanisms differ among their security solutions, it is important to analyze each mechanism in detail. Next Slide:

Slide 18

Summary

We have reached the end of this lesson. Lets take a look at what we have covered. The first half of this lesson was focused on designing network infrastructure security. Designing a secure T-C-P I-P based network begins with thorough planning. The elements involved with designing a secure network infrastructure are: Plan network security; Create secure boundaries; Deploy network security technologies; Deploy server, application, and user security technologies; and deploy network monitoring and auditing. The second half of this lesson focused on Security for wireless networks. There are four different types of wireless networks, based on their range or scope. They include: Wireless personal area networks; Wireless local area networks; Wireless metropolitan area networks; And Wireless wide area networks. Each of these wireless networks has its set of threats. Some of the threats are the same as on a wired network, and others are specific to wireless networks.