The following products and software applications can be used to protect network
devices:
In small offices and homes, computers usually connect directly to the Internet rather
than through a protected LAN. This puts computers that are outside of a LAN at high
risk for viruses and other attacks. At a minimum, these computers should use
firewall, anti-virus, and anti-malware programs. Application software and the
operating system should be updated with the latest patches.
The security policy should determine the level of security applications put in place.
In developing a policy, management should calculate the cost of data loss versus
the expense of security protection and determine which trade-offs are acceptable.
A technician should determine the appropriate techniques to secure equipment and
data for the customer. Depending on the situation, more than one technique may be
required.
Passwords
Using secure, encrypted login information for computers with network access should
be a minimum requirement in any organization. Malicious software monitors the
network and may record plaintext passwords. If passwords are encrypted, attackers
would have to decode the encryption to learn the passwords.
Wireless Configurations
Wireless connections are especially vulnerable to access by attackers. Wireless
clients should be configured to encrypt data.
Security Technologies
Security technologies include hash encoding, symmetric encryption, asymmetric
encryption, and Virtual Private Networks (VPNs). Each technology is used for a
specific purpose:
Hash encoding: Hash encoding, or hashing, ensures that messages are not
corrupted or tampered with during transmission. Hashing uses a mathematical
function to create a numeric value that is unique to the data. If even one character
is changed, the function output, called the message digest, will not be the same.
However, the function is one way. Knowing the message digest does not allow an
attacker to recreate the message. This makes it difficult for someone to intercept
and change messages. Hash encoding is illustrated in Figure 1. The names of the
most popular hashing algorithms are SHA and MD5.
Symmetric encryption: Symmetric encryption requires both sides of an encrypted
conversation to use an encryption key to encode and decode the data. The sender
and receiver must use identical keys. Symmetric encryption is illustrated in Figure 2.
DES and 3DES are examples of symmetric encryption.
Asymmetric encryption: Asymmetric encryption requires two keys, a private key
and a public key. The public key can be widely distributed, including e-mailing in
clear text or posting on the web. The private key is kept by an individual and must
not be disclosed to any other party. These keys can be used in two ways. Public key
encryption is used when a single organization needs to receive encrypted text from
a number of sources. The public key can be widely distributed and used to encrypt
the messages. The intended recipient is the only party to have the private key,
which is used to decrypt the messages. In the case of digital signatures, a private
key is required for encrypting a message, and a public key is needed to decode the
message. This approach allows the receiver to be confident about the source of the
message because only a message encrypted using the originator's private key could
be decrypted by the public key. Asymmetric encryption using digital signatures is
illustrated in Figure 3. RSA is the most popular example of asymmetric encryption.
VPN: A VPN uses secure protocols to encrypt and to secure data as if it were
traveling in a private, corporate LAN, even though the data actually travels over any
network, for example, the Internet. The secured data pipelines between points in
the VPN are called secure tunnels. The process is illustrated in Figure 4. VPN
technology often uses IPSec to secure communications between devices.
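The hash-encoding paragraph above makes two points that are easy to run rather than just read: a single changed character produces a different message digest, and a plain digest proves nothing about who produced the message. The following example is added here and is not code from the original text; it uses Python's standard hashlib and hmac modules, with constructed messages and a constructed shared key. It also goes one step beyond the text by showing how a keyed digest (HMAC, built on a shared symmetric key) turns the integrity check into an origin check.

```python
import hashlib
import hmac
from typing import Dict


def message_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data; 'sha1' or 'md5' (named on the page) work the same way."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_matches(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(message_digest(data, algorithm), expected_hex)


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: a digest that only holders of the shared key can compute,
    which is what turns a plain integrity check into an origin check."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_digest_matches(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(keyed_digest(data, key), expected_hex)


# Constructed messages (not from the page); they differ in exactly one character.
ORIGINAL = b"Transfer 100.00 to account 12345"
TAMPERED = b"Transfer 900.00 to account 12345"


def hash_demo() -> Dict[str, object]:
    """Walk through the checks a receiver could run on the two messages."""
    digest = message_digest(ORIGINAL)
    key = b"constructed-shared-key"  # in practice random, known to both ends only
    tag = keyed_digest(ORIGINAL, key)
    return {
        "digest_hex_length": len(digest),
        "original_verifies": digest_matches(ORIGINAL, digest),
        "tampered_verifies": digest_matches(TAMPERED, digest),
        # Whoever alters the message can also recompute a plain hash, so a bare
        # digest sent alongside the message says nothing about its origin.
        "tampered_with_recomputed_digest": digest_matches(TAMPERED, message_digest(TAMPERED)),
        "keyed_original_verifies": keyed_digest_matches(ORIGINAL, key, tag),
        "keyed_tampered_verifies": keyed_digest_matches(TAMPERED, key, tag),
        "keyed_wrong_key_verifies": keyed_digest_matches(ORIGINAL, b"not-the-key", tag),
    }


if __name__ == "__main__":
    for name, value in hash_demo().items():
        print(f"{name:38} {value}")
```

The digest comparison uses hmac.compare_digest rather than == so that the time taken does not depend on where the first differing byte is; that detail is not in the text, but it is the form a practitioner should use for any digest or tag check.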
Computer equipment and data can be secured using overlapping protection
techniques to prevent unauthorized access to sensitive data. An example of
overlapping protection is using two different techniques to protect an asset. This is
known as two-factor security, as shown in Figure 1. When considering a security
program, the cost of the implementation has to be balanced against the value of
the data or equipment to be protected.
Physical Security
Use security hardware to help prevent security breaches and loss of data or
equipment. Physical security access control measures include the following:
Lock: This is the most common device for securing physical areas. If a key is lost,
all identically keyed locks must be changed.
Conduit: This is a casing that protects the infrastructure media from damage and
unauthorized access.
Card key: This is a tool used to secure physical areas. If a card key is lost or stolen,
only the missing card must be deactivated. The card key system is more expensive
than security locks.
Video equipment: This records images and sound for monitoring activity. The
recorded data must be monitored for problems.
Security guard: This person controls access to the entrance of a facility and
monitors the activity inside the facility.
Network equipment should be mounted in secured areas. All cabling should be
enclosed in conduits or routed inside walls to prevent unauthorized access or
tampering. Network ports that are not in use should be disabled.
Biometric devices, which measure physical information about a user, are ideal for
use in highly secure areas. However, for most small organizations, this type of
solution would be too expensive.
Data Security
You can protect data by using data security devices to authenticate employee
access. Two-factor identification is a method to increase security. Employees must
use both a password and a data security device similar to those listed here:
Smart card: This is a device that has the ability to store data safely. The internal
memory is an embedded Integrated Circuit Chip (ICC) that connects to a reader
either directly, or through a wireless connection. Smart cards are used in many
applications worldwide, such as secure ID badges, online authentication devices,
and secure credit card payments.
Security key fob: This is a small device that resembles the ornament on a key ring.
It has a small radio system that communicates with the computer over a short
range. The fobs are small enough to attach to a key ring. The computer must
detect the signal from the key fob before it will accept a username and password.
Biometric device: This measures a physical characteristic of the user, such as
fingerprints or the patterns of the iris in the eye. The user is granted access if these
characteristics match those stored in its database and the correct login information
is supplied.
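The two-factor identification described above (a password plus a security device such as a key fob) can be modelled in a few dozen lines. The example below is added here and is not code from the original text. It assumes a hypothetical fob that answers a random challenge from the computer with an HMAC computed from a secret provisioned into the fob, and a server record holding a salted PBKDF2 hash of the password; the user record, secrets and password are constructed. As in the text, the password is not even considered until the fob has been detected, and the challenge is single-use so that a captured fob response cannot be replayed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str, fob_secret: bytes) -> Dict[str, bytes]:
    """Create the server-side record for one employee and the fob issued to them."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "fob_secret": fob_secret}


def fob_response(fob_secret: bytes, challenge: bytes) -> bytes:
    """What the (hypothetical) fob transmits when it hears the computer's challenge:
    an HMAC over the challenge that only the fob's secret can produce."""
    return hmac.new(fob_secret, challenge, hashlib.sha256).digest()


class TwoFactorLogin:
    def __init__(self, record: Dict[str, bytes]) -> None:
        self.record = record
        self.pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Fresh random challenge for this login attempt; consumed on first use."""
        self.pending = os.urandom(16)
        return self.pending

    def login(self, password: str, response: Optional[bytes]) -> bool:
        # Factor 1, something you have: the fob must answer the current challenge.
        # The password is not accepted until the fob has been detected.
        if self.pending is None or response is None:
            return False
        expected = fob_response(self.record["fob_secret"], self.pending)
        self.pending = None  # consume the challenge so a replayed response is useless
        if not hmac.compare_digest(expected, response):
            return False
        # Factor 2, something you know: compare salted hashes in constant time.
        candidate = hash_password(password, self.record["salt"])
        return hmac.compare_digest(candidate, self.record["pw_hash"])


def two_factor_demo() -> Dict[str, bool]:
    """Constructed login attempts covering each way a single factor can fail."""
    fob_secret = b"constructed-fob-secret-0001"  # provisioned into the fob when issued
    password = "correct horse battery"
    login = TwoFactorLogin(enroll(password, fob_secret))
    out: Dict[str, bool] = {}

    c = login.challenge()
    out["both factors"] = login.login(password, fob_response(fob_secret, c))
    login.challenge()
    out["password only, no fob"] = login.login(password, None)
    c = login.challenge()
    out["fob only, wrong password"] = login.login("guess", fob_response(fob_secret, c))
    c = login.challenge()
    out["fob with wrong secret"] = login.login(password, fob_response(b"other", c))
    c = login.challenge()
    captured = fob_response(fob_secret, c)
    login.login(password, captured)  # legitimate use of this response
    out["replayed fob response"] = login.login(password, captured)
    return out


if __name__ == "__main__":
    for case, granted in two_factor_demo().items():
        print(f"{case:28} granted={granted}")
```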
Hardware destruction is the process of removing sensitive data from hardware and
software when data is no longer needed. Hardware destruction must be performed
before recycling or discarding items that store data. Three methods are commonly
used to either destroy or recycle data and hard drives:
Data wiping
The level of security that the customer needs determines which devices are used to
keep data and equipment secure, and how the data should be removed or
destroyed.
Hardware and software firewalls protect data and equipment on a network from
unauthorized access. A firewall should be used in addition to security software.
Hardware and software firewalls have several modes for filtering network data
traffic:
Packet filter: This is a set of rules that allows or denies traffic based on criteria such
as IP addresses, protocols, or ports used.
Proxy firewall: This is a firewall installed on a proxy server that inspects all traffic
and allows or denies packets based on configured rules. A proxy server is a server
that is a relay between a client and a destination server on the Internet.
Stateful packet inspection: This is a firewall that keeps track of the state of network
connections traveling through the firewall. Packets that are not part of a known
connection are dropped.
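The difference between a packet filter and stateful packet inspection is clearest when the same packets are run through both. The example below is added here and is not code from the original text: a rule-based stateless filter, a stateful filter that keeps a connection table on top of the same rules, and a constructed sequence of packets (addresses from the documentation ranges). The rule set is an assumption: inside hosts may connect out, one web server is published on TCP port 80, everything else is denied by default.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"     # "tcp" or "udp"
    syn: bool = False      # TCP connection request (first packet of a flow)
    inbound: bool = True   # True = arriving from the outside network


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # None in any field means "match anything"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    inbound: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        checks = ((self.proto, p.proto), (self.dst_ip, p.dst_ip),
                  (self.dst_port, p.dst_port), (self.inbound, p.inbound))
        return all(want is None or want == got for want, got in checks)


class PacketFilter:
    """Stateless packet filter: the first matching rule decides, else the default."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default


Flow = Tuple[str, str, int, str, int]  # (proto, inside ip, inside port, outside ip, outside port)


class StatefulFilter(PacketFilter):
    """Stateful packet inspection: keeps a table of known connections. Inbound
    packets that belong to no known connection are dropped, even where a
    stateless rule would have let them through."""

    def __init__(self, rules: List[Rule], default: str = "deny") -> None:
        super().__init__(rules, default)
        self.connections: Set[Flow] = set()

    @staticmethod
    def _flow(p: Packet) -> Flow:
        if p.inbound:
            return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def decide(self, p: Packet) -> str:
        flow = self._flow(p)
        if flow in self.connections:
            return "allow"                      # reply or continuation of a known flow
        if not p.inbound:
            if super().decide(p) == "allow":    # an inside host opening a connection
                self.connections.add(flow)      # remember it so the replies can return
                return "allow"
            return "deny"
        # Inbound and unknown: only a connection request that a rule explicitly
        # allows (here, the published web server) may create state.
        if (p.proto != "tcp" or p.syn) and super().decide(p) == "allow":
            self.connections.add(flow)
            return "allow"
        return "deny"


# Constructed rule set: let inside hosts out, publish one web server, deny the rest.
RULES = [
    Rule(action="allow", inbound=False),
    Rule(action="allow", proto="tcp", dst_ip="192.0.2.10", dst_port=80, inbound=True),
]

# Constructed packet sequence.
PACKETS = [
    ("outbound https request", Packet("192.0.2.5", 40000, "203.0.113.7", 443, syn=True, inbound=False)),
    ("reply to that request", Packet("203.0.113.7", 443, "192.0.2.5", 40000)),
    ("unsolicited packet to the same client port", Packet("198.51.100.9", 5555, "192.0.2.5", 40000)),
    ("new connection to the web server", Packet("198.51.100.9", 6000, "192.0.2.10", 80, syn=True)),
    ("mid-stream packet to web server, no known connection", Packet("198.51.100.20", 6001, "192.0.2.10", 80)),
]


def compare_filters() -> Dict[str, Tuple[str, str]]:
    """Run the same packets through both filters: label -> (stateless, stateful)."""
    stateless, stateful = PacketFilter(RULES), StatefulFilter(RULES)
    return {label: (stateless.decide(p), stateful.decide(p)) for label, p in PACKETS}


if __name__ == "__main__":
    for label, (a, b) in compare_filters().items():
        print(f"{label:55} stateless={a:5} stateful={b}")
```

Two rows are worth noticing: the stateless filter has no way to admit the reply to the inside host's own request without an inbound rule that would also admit the unsolicited packet, and it accepts a mid-stream packet to the web server that never opened a connection. The stateful filter gets both right because it consults the connection table before the rule set.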
Hardware Firewall
A hardware firewall is a physical filtering component that inspects data packets from
the network before they reach computers and other devices on a network. A
hardware firewall is a free-standing unit that does not use the resources of the
computers it is protecting, so there is no impact on processing performance.
Software Firewall
When configuring network share permissions for a computer that has NTFS, you
must create a network share and assign shared permissions to users or groups. Only
users and groups with both NTFS permissions and shared permissions can access a
network share.
NOTE: All router configurations, in this text, are based on the Linksys WRT300N
wireless router. The configuration examples assume you are already logged on to
the wireless router.
Wireless Antennae
The gain and signal pattern of the antenna connected to a wireless access point can
influence where the signal can be received. Avoid transmitting signals outside of the
network area by installing an antenna with a pattern that serves your network
users.
Wired Equivalent Privacy (WEP): This encrypts the broadcast data between the
wireless access point and the client using a 64-bit or 128-bit encryption key. Figure 4
shows the WEP configuration.
Wi-Fi Protected Access (WPA): This is an improved version of WEP. It was created as
a temporary solution until 802.11i became ratified. Now that 802.11i has been
ratified, WPA2 has been released. It covers the entire 802.11i standard. WPA uses
much stronger encryption than WEP encryption.
Wi-Fi Protected Access 2 (WPA2): This is an improved version of WPA. WPA2
supports robust encryption, which provides government-grade security. WPA2 can
be enabled with password authentication (Personal) or server authentication
(Enterprise).
Lightweight Extensible Authentication Protocol (LEAP), also called EAP-Cisco: This is
a wireless security protocol created by Cisco to address the weaknesses in WEP and
WPA.
To add wireless security, use the following path:
Wireless > Wireless Security > select a Security Mode > select an Encryption Type
> type the Pre-shared Key > set Key Renewal > Save Settings > Continue.
SSID
A wireless access point broadcasts the SSID by default so that wireless devices can
detect the wireless network. You can disable SSID broadcasting on a wireless
network to prevent the wireless access point or router from revealing the name of
the wireless network.
Disabling SSID broadcasting can make it more difficult for legitimate clients to find
the wireless network. Manually enter the SSID on wireless devices to connect to the
wireless network when the SSID broadcast has been disabled on the wireless router
or access point. Simply turning off the SSID broadcast is not sufficient to prevent
unauthorized clients from connecting to the wireless network. Instead of turning off
the SSID broadcast, use stronger encryption such as WPA or WPA2.
Select Wireless Client List > select the client > Save to MAC Address Filter List >
Add > Save Settings > Continue.
Add a MAC address for each client that you wish to permit or deny access to the
wireless client list.
The MAC address of a wireless NIC can be found by typing ipconfig /all at the
command prompt. For devices other than computers, the MAC address can usually
be found on the label of the device or in the manufacturer's instructions. On
wireless networks with a large number of clients, MAC address filtering can become
tedious because you must enter each MAC address in the filter.
MAC address filtering is not a strong layer of security. Instead of using MAC address
filtering, use stronger encryption techniques such as WPA or WPA2.
Firewalls
The Linksys WRT300N wireless router is also a hardware firewall. A hardware firewall
isolates your network from other networks. A hardware firewall will pass two
different types of traffic into your network:
Packet filter: This configuration does not allow packets to pass through the firewall,
unless they match the established rule set configured in the firewall. Traffic can be
filtered based on many attributes, such as source IP address, source port or
destination IP address or port, and destination services such as WWW or FTP.
Application layer: This configuration intercepts all packets traveling to or from an
application. It prevents all unwanted outside traffic from reaching protected devices.
Proxy: This configuration intercepts all traffic between computers and different
networks and uses established rules to determine if data requests should be
allowed.
To configure hardware firewall settings on the Linksys WRT300N, use the following
path:
Security > Firewall > select Enable for SPI Firewall Protection. Then select other
Internet filters and web filters required to secure the network. Click Save Settings >
Continue.
Port triggering allows the router to temporarily forward data through inbound ports
to a specific device. You can use port triggering to forward data to a computer only
when a designated port range is used to make an outbound request.
For example, a video game might use ports 27000 to 27100 for connecting with
other players. These are the trigger ports. A chat client might use port 56 for
connecting the same players so that they can interact with each other. An example
of a port triggering rule is when any gaming traffic uses an outbound port that is
within the triggered port range, inbound chat traffic on port 56 will be forwarded to
the computer that is being used to play the video game and chat with friends. When
the game is over and the triggered ports are no longer in use, port 56 will no longer
be allowed to send traffic of any type to this computer.
By opening only the required ports on a firewall, you are implementing a restrictive
security policy. Any packet not explicitly permitted is denied. In contrast, a
permissive security policy permits access through all ports, except those explicitly
denied. In the past, software and hardware were shipped with permissive settings.
As users neglected to configure their equipment, the default permissive settings left
many devices exposed to attackers. Most devices now ship with settings as
restrictive as possible, while still allowing easy setup.
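Port triggering, as described above, is a dynamic exception inside a restrictive (default-deny) policy: an inbound port is closed until an inside host makes an outbound request on a trigger port, and it closes again once the trigger is no longer in use. The example below is added here and is not the router's own code or code from the original text. It models a hypothetical port-triggering rule with the numbers from the text (game traffic on 27000 to 27100 triggers chat on port 56), approximates "no longer in use" with an idle timeout (an assumption; real routers pick their own timer), and includes a small function contrasting the restrictive and permissive static policies.

```python
from typing import List, Optional, Set, Tuple


def static_policy(port: int, policy: str, explicit_ports: Set[int]) -> str:
    """Restrictive: only listed ports are open. Permissive: all open except listed."""
    if policy == "restrictive":
        return "allow" if port in explicit_ports else "deny"
    if policy == "permissive":
        return "deny" if port in explicit_ports else "allow"
    raise ValueError(f"unknown policy: {policy}")


class PortTrigger:
    """Hypothetical port-triggering rule: an outbound connection to a port in
    trigger_range opens forwarded_port inbound, to the host that triggered it,
    until the trigger has been idle for idle_timeout seconds."""

    def __init__(self, trigger_range: Tuple[int, int], forwarded_port: int,
                 idle_timeout: float = 60.0) -> None:
        self.trigger_range = trigger_range
        self.forwarded_port = forwarded_port
        self.idle_timeout = idle_timeout
        self.armed: Optional[Tuple[str, float]] = None  # (LAN host, time of last trigger)

    def outbound(self, lan_host: str, dst_port: int, now: float) -> bool:
        """Called for each outbound request; returns True if it armed the trigger."""
        low, high = self.trigger_range
        if low <= dst_port <= high:
            self.armed = (lan_host, now)  # (re)arm forwarding to this host
            return True
        return False

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Return the LAN host the packet is forwarded to, or None if it is dropped."""
        if dst_port != self.forwarded_port or self.armed is None:
            return None
        host, last = self.armed
        if now - last > self.idle_timeout:
            self.armed = None  # the trigger expired: the forwarded port closes again
            return None
        return host


def game_and_chat_scenario() -> List[Tuple[str, Optional[str]]]:
    """Walk through the text's example: game on 27000-27100 triggers chat on 56.
    Times and the LAN address are constructed."""
    trigger = PortTrigger((27000, 27100), 56, idle_timeout=60.0)
    events: List[Tuple[str, Optional[str]]] = []
    events.append(("chat inbound before any game traffic", trigger.inbound(56, now=0.0)))
    trigger.outbound("192.0.2.20", 27050, now=10.0)  # the game connects out
    events.append(("chat inbound while game is active", trigger.inbound(56, now=15.0)))
    events.append(("other inbound port while game is active", trigger.inbound(80, now=15.0)))
    events.append(("chat inbound long after the game ended", trigger.inbound(56, now=200.0)))
    return events


if __name__ == "__main__":
    for label, target in game_and_chat_scenario():
        print(f"{label:42} -> {target or 'dropped'}")
    for pol in ("restrictive", "permissive"):
        print(f"port 21 under {pol} policy with {{80, 443}} listed: "
              f"{static_policy(21, pol, {80, 443})}")
```

The inbound path checks the forwarded port and the armed state before anything else, so a packet to any other port is dropped regardless of whether a game is running; that is the restrictive default the surrounding text describes.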
Software Firewalls
Software firewalls can be either an independent application or part of the operating
system. There are several third-party software firewalls. There is also a software
firewall built into Windows XP, as shown in Figure 1.
Automatically: The user is prompted to Keep Blocking, Unblock, or Ask Me Later for
any unsolicited requests. These requests may be from legitimate applications that
have not been configured previously or may be from a virus or worm that has
infected the system.
Manage Security Settings: The user manually adds the program or ports that are
required for the applications in use on the network.
Windows XP
To add a program, select:
Start > Control Panel > Security Center > Windows Firewall > Exceptions > Add
Program.
Windows Vista
To add a program, select:
Start > Control Panel > Security Center > Windows Firewall > Change Settings >
Continue > Exceptions > Add Program.
The Windows firewall blocks all incoming network connections, except for specific
programs and services. For example, the Windows Update service and Internet
Explorer are allowed through the firewall by default. An exception, as shown in
Figure 2, is a rule that opens a blocked port in the firewall for a specific need. For
instance, to allow an FTP connection you must create an exception that will open up
port 21. Each different type of connection requires a unique port number to pass
data through the firewall.
To add a port exception to the Windows Firewall, select the Exceptions tab.
Click Add port > type a Name > type a Port number > select a Protocol. To specify
that only certain computers will be affected by the exception, click Change scope >
Specify the computers > OK > OK > OK.
Malware is malicious software that is installed on a computer without the knowledge
or permission of the user. Certain types of attacks, such as those performed by
spyware and phishing, collect data about the user that can be used by an attacker
to gain confidential information.
You should run virus and spyware scanning programs to detect and clean unwanted
software. Many browsers now come equipped with special tools and settings that
prevent the operation of several forms of malicious software. It may take several
different programs and multiple scans to completely remove all malicious software:
Employees can be grouped by job requirements and given access to files according
to group permissions. This process helps manage employee access to the network.
Temporary accounts can be set up for employees that need short-term access.
Close management of network access can help to limit areas of vulnerability that
might allow a virus or malicious software to enter the network.
Guest Accounts
Temporary employees and guests may need access to the network. For example,
many visitors might require access to e-mail, the Internet, and a printer on the
network. These resources can be made available to a special account called Guest.
When guests are present, they can be assigned to the Guest account. When no
guests are present, the account can be disabled until the next guest arrives.
Some guest accounts may require extensive access to resources, as in the case of a
consultant or a financial auditor. This type of access should be granted only for the
period of time required to complete the work.
Data backups should be performed on a regular basis. The most current data
backup is usually stored offsite to protect the backup media if anything happens to
the main facility. Backup media is often reused to save on media costs. Always
follow your organization's media rotation guidelines.
Backup operations for Windows XP can be performed at the command line or from a
batch file using the NTBACKUP command. The default parameters for NTBACKUP will
be the ones set in the Windows XP backup utility. Any options you want to override
must be included in the command line. You cannot restore files from the command
line using the NTBACKUP command.
The Windows XP Backup or Restore Utility wizard files have the extension .bkf. A .bkf
file can be saved to a hard drive, a DVD, or to any other recordable media. The
source location and target drive can be either NTFS or FAT.
The Windows Vista backup files have the extension .zip. Backup data is
automatically compressed, and each file has a maximum compressed size of 200
MB. A Windows Vista backup file can be saved to a hard drive, any recordable
media, or to another computer or server connected to your network. The backup
can only be created from an NTFS partition. The target hard drive must be either
NTFS or FAT formatted.
NOTE: You can manually exclude directories in the Windows XP Backup or Restore
Utility wizard. This is not supported in the Windows Vista Backup Files wizard.
You can make a Windows backup manually or schedule how often the backup will
take place automatically. To successfully backup and restore data in Windows, the
appropriate user rights and permissions are required:
All users can back up their own files and folders. They can also back up files for
which they have the Read permission.
All users can restore files and folders for which they have the Write permission.
Members of the Administrators, Backup Operators, and Server Operators (if joined
to a domain) can back up and restore all files (regardless of the assigned
permissions). By default, members of these groups have the Backup Files and
Directories and Restore Files and Directories user rights.
The Windows XP Backup or Restore Utility wizard provides five backup types:
Full or Normal: This backup type copies all selected files and marks each file as
having been backed up.
Incremental: This backup type backs up only files that have been created or
changed since the last full or incremental backup. Restoring files requires that you
have the last full backup set and all incremental backup sets.
Differential: This backup type copies only files that have been created or changed
since the last full backup. Restoring files requires that you have the last full and one
differential backup.
Daily: This backup type copies all selected files that have been modified the day
that the daily backup has been performed.
Copy: This backup type copies all selected files but does not mark them as having
been backed up.
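The five backup types differ in two things: which files they select, and whether they mark the file as backed up, which Windows does by clearing the file's archive attribute. The example below is added here and is not code from the original text. It simulates a constructed week of backups over three files using that archive-attribute model, and then works out which backup sets would be needed for a restore under the rules in the list above (last full backup plus all later incrementals, or plus the latest differential; copy and daily sets are never required). Note that in this model a differential picks up everything changed since the last backup that cleared the attribute, whichever type that was.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class FileState:
    modified_day: int
    archive_bit: bool = True  # Windows sets this attribute when a file is created or changed


class BackupSimulator:
    """Models which files each backup type selects and whether it clears the
    archive attribute, i.e. marks the file as having been backed up."""

    MARKS = {"normal", "incremental"}  # the two types that clear the attribute

    def __init__(self) -> None:
        self.files: Dict[str, FileState] = {}
        self.sets: List[Tuple[str, int, Set[str]]] = []  # (kind, day, files) in order

    def modify(self, name: str, day: int) -> None:
        """Create or change a file; the OS sets its archive attribute."""
        self.files[name] = FileState(modified_day=day, archive_bit=True)

    def run(self, kind: str, day: int) -> Set[str]:
        if kind in ("normal", "copy"):
            selected = set(self.files)
        elif kind in ("incremental", "differential"):
            selected = {n for n, f in self.files.items() if f.archive_bit}
        elif kind == "daily":
            selected = {n for n, f in self.files.items() if f.modified_day == day}
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind in self.MARKS:
            for n in selected:
                self.files[n].archive_bit = False
        self.sets.append((kind, day, selected))
        return selected

    def restore_sets(self) -> List[Tuple[str, int]]:
        """Backup sets needed to rebuild the current state: the last normal backup,
        every incremental after it, and the most recent differential taken after
        the last set that marked files. Copy and daily sets are never required."""
        last_normal = max(i for i, s in enumerate(self.sets) if s[0] == "normal")
        needed = [(self.sets[last_normal][0], self.sets[last_normal][1])]
        last_marking = last_normal
        for i, (kind, day, _) in enumerate(self.sets):
            if i > last_normal and kind == "incremental":
                needed.append((kind, day))
                last_marking = i
        diffs = [(k, d) for k, d, _ in self.sets[last_marking + 1:] if k == "differential"]
        if diffs:
            needed.append(diffs[-1])
        return needed


def backup_week() -> Tuple[Dict[str, Set[str]], List[Tuple[str, int]]]:
    """Constructed week of backups over three constructed files."""
    sim = BackupSimulator()
    for name in ("report.doc", "ledger.xls", "notes.txt"):
        sim.modify(name, day=1)
    results: Dict[str, Set[str]] = {}
    results["day1 normal"] = sim.run("normal", 1)
    sim.modify("report.doc", day=2)
    results["day2 incremental"] = sim.run("incremental", 2)
    sim.modify("ledger.xls", day=3)
    results["day3 copy"] = sim.run("copy", 3)  # takes everything, marks nothing
    results["day3 incremental"] = sim.run("incremental", 3)
    sim.modify("notes.txt", day=4)
    results["day4 daily"] = sim.run("daily", 4)
    results["day4 differential"] = sim.run("differential", 4)
    results["day5 differential"] = sim.run("differential", 5)  # no changes, still selected
    return results, sim.restore_sets()


if __name__ == "__main__":
    selections, needed = backup_week()
    for label, files in selections.items():
        print(f"{label:18} {sorted(files)}")
    print("restore needs:", needed)
```

The day-3 copy backup is the instructive row: it captures every file without disturbing the archive attributes, so the incremental run immediately afterwards still sees ledger.xls as changed. That is exactly why a copy backup can be taken mid-cycle without breaking the incremental chain.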
To start the Windows XP Backup or Restore Utility wizard, select:
Start > All Programs > Accessories > System Tools > Backup. The Backup or
Restore wizard starts. To change the backup setting, select Advanced Mode > Tools
> Options.
To restore a backed up file in Windows XP, in the Backup or Restore wizard, select:
Next > Restore files and settings > Next > select the backed up file > Next > Finish.
To change the backup settings, select Change settings > Change backup settings >
Continue.
backup. It marks files as having been backed up. A differential backup copies files
created or changed since the last normal or incremental backup, but it does not
mark files as having been backed up. Backing up data can take time, so it is
preferable to do backups when the network traffic is low. Other types of backups
include daily backup and copy backup, which do not mark the files as having been
backed up.
The data backup media is just as important as the data on the computer. You should
store the backup media in a climate-controlled offsite storage facility with good
physical security. The backups should be readily available for access in case of an
emergency.