Chapter 10
Introduction to Network Security
Objectives
• Develop a network security policy
• Secure physical access to network equipment
• Secure network data
• Use tools to find network security weaknesses
Guide to Networking Essentials, Fifth Edition 2
Network Security Overview and Policies
• Perceptions of network security vary depending on:
– People
– Industry
• Network security should be as unobtrusive as possible, allowing network users to concentrate on the tasks they want to accomplish, rather than how to get to the data they need to perform those tasks
• A company that can demonstrate its information systems are secure is more likely to attract customers, partners, and investors
Developing a Network Security Policy
• A network security policy describes the rules governing access to a company’s information resources, the enforcement of those rules, and the steps taken if rules are breached
– Should also describe the permissible use of those resources after they’re accessed
– Should be easy for ordinary users to understand and reasonably easy to comply with
– Should be enforceable
– Should clearly state the objective of each policy so that everyone understands its purpose
Elements of a Network Security Policy
• Elements (minimum for most networks)
– Privacy policy
– Acceptable use policy
– Authentication policy
– Internet use policy
– Access policy
– Auditing policy
– Data protection
• Security policy should protect organization legally
• Security policy should be continual work in progress
Understanding Levels of Security
• Security doesn’t come without a cost
• Before deciding on a level of security, answer:
– What must be protected?
– From whom should data be protected?
– What costs are associated with security being breached and data being lost or stolen?
– How likely is it that a threat will actually occur?
– Are the costs to implement security and train users to use a secure network outweighed by the need to provide an efficient, user-friendly environment?
• Levels: highly restrictive, moderately restrictive, open
Highly Restrictive Security Policies
• Include features such as:
– Data encryption, complex password requirements, detailed auditing and monitoring of computer and network access, intricate authentication methods, and policies that govern use of the Internet/e-mail
• Might require third-party hardware and software
• High implementation expense
– High design and configuration costs for SW and HW
– Staffing to support the security policies
– Lost productivity (high learning curve for users)
• Used when cost of a security breach is high
Moderately Restrictive Security Policies
• Most organizations can opt for this type of policy
• Requires passwords, but not overly complex ones
• Auditing detects unauthorized logon attempts, network resource misuse, and attacker activity
– Most NOSs contain authentication, monitoring, and auditing features to implement the required policies
• Infrastructure can be secured with moderately priced off-the-shelf HW and SW (firewalls, ACLs)
• Costs are primarily in initial configuration and support
Open Security Policies
• Policy might have simple or no passwords, unrestricted access to resources, and probably no monitoring and auditing
• Makes sense for a small company with the primary goal of making access to network resources easy
• Sensitive data, if it exists, might be kept on individual workstations that are backed up regularly and are physically inaccessible to other employees
Common Elements of Security Policies
• Virus protection for servers and desktop computers is a must
• There should be policies aimed at preventing viruses from being downloaded or spread
• Backup procedures for all data that can’t be easily reproduced should be in place, and a disaster recovery procedure must be devised
• Security is aimed not only at preventing improper use of or access to network resources, but also at safeguarding the company’s information
Securing Physical Access to the Network
• If there’s physical access to equipment, there is no security
– A computer left alone with a user logged on is particularly vulnerable
• If an administrator account is logged on, a person can even give his/her account administrator control
– If no user is logged on
• People could log on to the computer with their own accounts and access files to which they wouldn’t normally have access
• Computer could be restarted and booted from removable media, bypassing the normal OS security
• Computer or HDs could be stolen and later cracked
Physical Security Best Practices
• When planning your network, ensure that rooms are available to house servers and equipment
– Rooms should have locks and be suitable for the equipment being housed
• If a suitable room isn’t available, locking cabinets, freestanding or wall mounted, can be purchased to house servers and equipment in public areas
• Wiring from workstations to wiring cabinets should be inaccessible to eavesdropping equipment
• Physical security plan should include procedures for recovery from natural disasters (e.g., fire or flood)
Physical Security of Servers
• May be stashed away in lockable wiring closet along with switch to which the server is connected
• Often require more tightly controlled environmental conditions than patch panels, hubs, and switches
• Server rooms should be equipped with power that’s preferably on a circuit separate from other devices
Security of Internetworking Devices
• Routers and switches contain critical configuration information and perform essential network tasks
– Internetworking devices, such as hubs, switches, and routers, should be given as much attention in terms of physical security as servers
• A room with a lock is the best place for these devices
• Wall-mounted enclosure with a lock is second best
– Some cabinets come with a built-in fan or have a mounting hole for a fan
– They also come with convenient channels for wiring
Securing Access to Data
• Facets
– Authentication and authorization
– Encryption/decryption
– Virtual Private Networks (VPNs)
– Firewalls
– Virus and worm protection
– Spyware protection
– Wireless security
Secure Authentication and Authorization
• Administrators must control who has access to the network (authentication) and what users can do to the network (authorization)
– NOSs have tools to specify options and restrictions on how/when users can log on to network
• Password complexity requirements
• Logon hours
• Logon locations
• Remote logons, among others
– File system access controls and user permission settings
Configuring Password Requirements in a Windows Environment
• Specify if passwords are required for all users, how many characters a password must be, and whether they should meet certain complexity requirements
• XP allows passwords up to 128 characters
– Minimum of five to eight characters is typical
– If minimum length is 0, blank passwords are allowed
• Other options include Maximum/Minimum password age, and Enforce password history
• When a user fails to enter a correct password, a policy can be set to lock the user account
Configuring Password Requirements in a Linux Environment
• Linux password configuration can be done globally or on a user-by-user basis
• Options include maximum/minimum password age, and number of days’ warning a user has before password expires
– Linux system must be using shadow passwords, a secure method of storing user passwords
– Options can be set by editing /etc/login.defs
• Use Pluggable Authentication Modules (PAM) to set other options like account lockout, password history, and complexity tests
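An added example (not from the textbook or these slides) of checking the password-aging options that /etc/login.defs controls. PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are the real login.defs keys; the baseline numbers and both sample files are assumptions constructed for illustration.

```python
"""Audit the password-aging settings found in /etc/login.defs text."""

# Assumed baseline for illustration only; the slides give no numbers.
BASELINE = {
    "PASS_MAX_DAYS": ("max", 90),  # password must expire within 90 days
    "PASS_MIN_DAYS": ("min", 1),   # at least 1 day between changes
    "PASS_WARN_AGE": ("min", 7),   # warn at least 7 days before expiry
}

# Constructed sample: a permissive file with the warning line commented out.
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
#PASS_WARN_AGE  14
UMASK           022
"""

# Constructed sample that meets the assumed baseline.
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
"""


def parse_login_defs(text):
    """Return {key: value} for every non-comment 'KEY value' line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (a commented-out key is unset)
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def audit_password_aging(text, baseline=BASELINE):
    """Return a list of (key, problem) pairs; empty when the baseline is met."""
    settings = parse_login_defs(text)
    findings = []
    for key, (kind, limit) in baseline.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set"))
            continue
        try:
            number = int(value)
        except ValueError:
            findings.append((key, f"non-numeric value {value!r}"))
            continue
        if kind == "max" and number < 0:
            findings.append((key, f"{number} disables password expiry"))
        elif kind == "max" and number > limit:
            findings.append((key, f"{number} exceeds maximum of {limit}"))
        elif kind == "min" and number < limit:
            findings.append((key, f"{number} is below minimum of {limit}"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_password_aging(SAMPLE_LOGIN_DEFS):
        print(f"{key}: {problem}")
```

Values in /etc/login.defs are applied when an account is created; existing accounts keep their own aging fields, which `chage` changes per user.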
Reviewing Password Dos and Don’ts
• Use a combination of uppercase letters, lowercase letters, and numbers
• Include one or more special characters
• Try using a phrase, e.g., NetW@rk1ng !s C00l
• Don’t use passwords based on your logon name, family members’ names, or even your pet’s name
• Don’t use common dictionary words unless they are part of a phrase
• Don’t make your password so complex that you forget it or need to write it down somewhere
Restricting Logon Hours and Logon Location
Authorizing Access to Files and Folders
• Windows OSs have two options for file security
– Sharing permissions are applied to folders (and only folders) shared over the network
• Don’t apply to files/folders if user is logged on locally
• These are the only file security options available in a FAT or FAT32 file system
– NTFS permissions allow administrators to assign permissions to files as well as folders
• Apply to file access by a locally logged-on user too
• Enable administrators to assign permissions to user accounts and group accounts
• Six standard permissions are available for folders
Securing Data with Encryption
• Use encryption to safeguard data as it travels across the Internet and within the company network
– Prevents somebody using eavesdropping technology, such as a packet sniffer, from capturing packets
• Data on disks can be secured with encryption
Using IPSec to Secure Network Data
• The most popular method for encrypting data as it travels network media is to use an extension to the IP protocol called IP Security (IPSec)
– Establishes an association between two communicating devices
• Association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates
– After the communicating parties are authenticated, encrypted communication can commence
Securing Data on Disk Drives
Securing Communication with Virtual Private Networks
VPNs in a Windows Environment
• Windows supports a special TCP/IP protocol called Point-to-Point Tunneling Protocol (PPTP)
– A user running Windows can dial up a Windows server when it’s running RRAS
– A VPN could be established permanently across the Internet by leasing dedicated lines at each end of a two-way link and maintaining ongoing PPTP-based communications across that dedicated link
• Starting with Windows 2000, Windows supports Layer 2 Tunneling Protocol (L2TP)
– Supports advanced authentication and encryption
– Requires Windows machines on both sides
VPN Benefits
• Advantages of using VPNs
– Installing several modems on an RRAS server so that users can dial up the server directly isn’t necessary; instead, users can dial up any ISP
– Remote users can usually access an RRAS server by making only a local phone call, as long as they can access a local ISP
– When broadband Internet connectivity is available (e.g., DSL, cable modem), remote users can connect to the corporate network at high speed, making remote computing sessions more productive
• Additionally, VPNs save costs
Protecting Networks with Firewalls
• Firewall: HW device or SW program that inspects packets going into or out of a network or computer, and then discards/forwards them based on rules
– Protects against outside attempts to access unauthorized resources, and against malicious network packets intended to disable or cripple a corporate network and its resources
– If placed between Internet and corporate network, can restrict users’ access to Internet resources
• Firewalls can attempt to determine the context of a packet (stateful packet inspection (SPI))
Using a Router as a Firewall
• A firewall is just a router with specialized SW that facilitates creating rules to permit or deny packets
• Many routers have capabilities similar to firewalls
– After a router is configured, by default, all packets are permitted both into and out of the network
– Network administrator must create rules (access control lists) that deny certain types of packets
• Typically, an administrator builds access control lists so that all packets are denied, and then creates rules that make exceptions
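An added example (not from the textbook) contrasting a freshly configured router that permits everything with a deny-all access control list plus exceptions, and showing what the stateful packet inspection mentioned on the firewall slide adds. First-match rule order, the 5-tuple state table, the addresses and the rules are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport))


class PacketFilter:
    """First-match ACL with a default action and an optional state table."""

    def __init__(self, rules, default="deny", stateful=False):
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.flows = set()  # 5-tuples of flows this filter has permitted

    def check(self, p):
        # Stateful inspection: a packet that is the mirror image of a flow
        # already permitted is treated as its reply and let through.
        if self.stateful and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "permit"
        verdict = self.default
        for rule in self.rules:
            if rule.matches(p):
                verdict = rule.action
                break
        if verdict == "permit" and self.stateful:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict


ANY = "0.0.0.0/0"
# Exceptions to deny-all: the public web server, and outbound from the LAN.
EXCEPTIONS = [
    Rule("permit", "tcp", ANY, "203.0.113.10/32", 443),
    Rule("permit", "any", "192.168.10.0/24", ANY),
]
# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("tcp", "198.51.100.7", 40000, "203.0.113.10", 443),   # to web server
    Packet("tcp", "198.51.100.7", 40001, "192.168.10.20", 23),   # Telnet to LAN host
    Packet("tcp", "192.168.10.20", 51000, "198.51.100.7", 443),  # LAN host outbound
    Packet("tcp", "198.51.100.7", 443, "192.168.10.20", 51000),  # reply to the above
    Packet("tcp", "198.51.100.7", 443, "192.168.10.20", 51001),  # unsolicited
]


def verdicts(packet_filter):
    return [packet_filter.check(p) for p in TRAFFIC]


def demo():
    return {
        "router_default": verdicts(PacketFilter([], default="permit")),
        "deny_all_acl": verdicts(PacketFilter(EXCEPTIONS)),
        "deny_all_acl_spi": verdicts(PacketFilter(EXCEPTIONS, stateful=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} {result}")
```

With the stateless list, the reply to the internal host's own request is dropped, which is why stateless ACLs tend to grow broad return-traffic rules. The state table admits exactly that reply and still drops the unsolicited packet.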
Using Intrusion Detection Systems
• An IDS usually works with a firewall or router with access control lists
– A firewall protects a network from potential break-ins or DoS attacks, but an IDS must detect an attempted security breach and notify the network administrator
– May be able to take countermeasures if an attack is in progress
– Invaluable tool to help administrators know how often their network is under attack and devise security policies aimed at thwarting threats before they have a chance to succeed
Using Network Address Translation to Improve Security
• A benefit of NAT is that the real address of an internal network resource is hidden and inaccessible to the outside world
– Because most networks use NAT with private IP addresses, those devices configured with private addresses can’t be accessed directly from outside the network
– An external device can’t initiate a network conversation with an internal device, thus limiting an attacker’s options to cause mischief
Protecting a Network from Worms, Viruses, and Rootkits
• Malware is SW designed to cause harm/disruption to a computer system or perform activities on a computer without the consent of its owner
– A virus spreads by replicating itself into other programs or documents
– A worm is similar to a virus, but it doesn’t attach itself to another program
– A backdoor is a program installed on a computer that permits access to the computer, bypassing the normal authentication process
– To help prevent spread of malware, every computer should have virus-scanning software running
Protecting a Network from Worms, Viruses, and Rootkits
• A Trojan program appears to be something useful, but in reality contains some type of malware
• Rootkits are a form of Trojan programs that can monitor traffic to and from a computer, monitor keystrokes, and capture passwords
• The hoax virus is one of the worst kinds of viruses
– The flood of e-mail from people actually falling for the hoax is the virus!
• Malware protection can be expensive; however, the loss of data and productivity that can occur when a network becomes infected is much more costly
Protecting a Network from Spyware and Spam
• Spyware: monitors/controls part of a computer at the expense of user’s privacy and to the gain of a third party
– Is not usually self-replicating
– Many anti-spyware programs are available, and some are bundled with popular antivirus programs
• Spam is simply unsolicited e-mail
– Theft of e-mail storage space, network bandwidth, and people’s time
– Detection and prevention is an uphill battle
• For every rule or filter anti-spam software places on an e-mail account, spammers find a way around them
Implementing Wireless Security
• Attackers who drive around looking for wireless LANs to intercept are called wardrivers
• Wireless security methods
– Wired Equivalency Protocol (WEP)
– Wi-Fi Protected Access (WPA)
– MAC address filtering
• You should also set policies: limit AP signal access, change encryption key regularly, etc.
Using a Cracker’s Tools to Stop Network Attacks
• If you want to design a good, solid network infrastructure, hire a security consultant who knows the tools of the cracker’s trade
– A cracker (black hat) is someone who attempts to compromise a network or computer system for the purposes of personal gain or to cause harm
– The term hacker has had a number of meanings throughout the years
• White hats often use the term penetration tester for their consulting services
Discovering Network Resources
• Attackers use command-line utilities such as Ping, Traceroute, Finger, and Nslookup to get information about the network configuration and resources
– Other tools used
• Ping scanner: automated method for pinging a range of IP addresses
• Port scanner: determines which TCP and UDP ports are available on a particular computer or device
• Protocol analyzers are also useful for resource discovery because they allow you to capture packets and determine which protocol’s services are running
Gaining Access to Network Resources
• One of the easiest resources to open is one in which no password is set
– Check all devices that support Telnet, FTP, e-mail, and Web services
– Verify that passwords are set on all devices and disable any unnecessary services
• If an attacker needs to learn a user name/password:
– Finger may be used to discover user names
– Linux, NetWare, and Windows servers have default administrator names that are often left unchanged
• Attacker may then use a password-cracking tool
Disabling Network Resources
• A denial-of-service (DoS) attack is an attacker’s attempt to tie up network bandwidth or network services so that it renders those resources useless to legitimate users
– Packet storms typically use the UDP protocol because it’s not connection oriented
– Half-open SYN attacks use TCP’s handshake to tie up a server with invalid TCP sessions, thereby preventing real sessions from being created
– In a ping flood, a program sends a large number of ping packets to a host
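An added detection example (not from the textbook): counting handshakes that a server saw start but never complete, which is the footprint of the half-open SYN attack described above. The packet records, addresses, timeout and alert threshold are assumptions constructed for illustration.

```python
from collections import Counter


def half_open_counts(records, now, timeout=5.0):
    """Count handshakes still incomplete `timeout` seconds after their SYN.

    records: (time, src_ip, src_port, dst_ip, dst_port, flags) tuples, where
    flags is "S" (SYN), "SA" (SYN-ACK), "A" (ACK) or "R" (RST).
    Returns Counter {(server_ip, server_port): half_open_handshakes}.
    """
    pending = {}  # (client, cport, server, sport) -> time of first SYN
    for t, src, sport, dst, dport, flags in sorted(records):
        client_key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(client_key, t)    # handshake started
        elif flags == "A":
            pending.pop(client_key, None)        # client completed it
        elif flags == "R":
            pending.pop(client_key, None)        # reset from either side
            pending.pop((dst, dport, src, sport), None)
    counts = Counter()
    for (_client, _cport, server, port), started in pending.items():
        if now - started >= timeout:
            counts[(server, port)] += 1
    return counts


def syn_flood_alerts(records, now, timeout=5.0, threshold=20):
    """Return sorted (server, port, count) for services over the threshold."""
    counts = half_open_counts(records, now, timeout)
    return sorted((srv, port, n) for (srv, port), n in counts.items()
                  if n >= threshold)


def build_sample():
    """Constructed capture: 3 completed handshakes, 40 never completed."""
    server, port = "192.0.2.10", 80
    records = []
    for i in range(3):  # normal clients finish the three-way handshake
        client, cport, t = f"192.0.2.{50 + i}", 40000 + i, float(i)
        records += [
            (t, client, cport, server, port, "S"),
            (t + 0.01, server, port, client, cport, "SA"),
            (t + 0.02, client, cport, server, port, "A"),
        ]
    for i in range(40):  # SYNs whose final ACK never arrives
        client, cport, t = f"198.51.100.{i + 1}", 50000 + i, 3.0 + i * 0.01
        records.append((t, client, cport, server, port, "S"))
        records.append((t + 0.001, server, port, client, cport, "SA"))
    return records


if __name__ == "__main__":
    sample = build_sample()
    print(syn_flood_alerts(sample, now=10.0))
```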
Summary
• A network security policy describes rules governing access to a company’s information resources
– Should contain these types of policies: privacy policy, acceptable use policy, authentication policy, Internet use policy, auditing policy, and data protection policy
• Must secure physical access to network resources
• Securing access to data includes authentication and authorization, encryption/decryption, VPNs, firewalls, virus/worm/spyware protection, and wireless security
• VPNs are an important aspect of network security
– Secure remote access to private network (via Internet)
Summary
• Firewalls filter packets and permit or deny packets based on a set of defined rules
• Malware can be viruses, worms, Trojans, and rootkits
• Wireless security involves attention to configuring SSID correctly and configuring/using wireless security protocols, such as WEP, WPA, or 802.11i
• Tools that crackers use to compromise a network can be used to determine whether a network is secure
• DoS attacks are used to disrupt network operation