7/27/2019 cis341_week06_ch05

1/8

WEEK 6 CIS288: Securing the Network Services and Protocols

Slide 1 Introduction Welcome to week 6 of C-I-S 288: Security Design in aWindows 2003 Environment.

In the previous lesson we discussed securing the networkmanagement process.

In this week we will discuss securing the network services

and protocols.

Next Slide:

Slide 2 Objectives When you complete this lesson you will be able to:

Design network infrastructure security;

Design an I-P Sec policy;Design I-P filtering;

Specify the required protocols for a firewall configuration;

Secure a D-N-S implementation;

Design security for data transmission;Use segmented networks;

Design security for wireless networks;

Design public and private wireless Lans; AndDesign eight-zero-two-point-eleven-X authentication for

wireless networks.

Next Slide:Slide 3 DesigningNetwork

Infrastructure

Security

Designing a secure T-C-P I-P based network begins withthorough planning. The network infrastructure is

comprised of hardware and software elements and has

both a physical and logical structure. Hardware clearly

includes servers, hosts, and gateways, as well as printers,mobile devices, and even the network cabling

specifications. The software side includes operating

systems applications, and services such as D-H-C-P, andother network protocols, and the N-T-F-S file format, to

name a few.

The elements involved with designing a secure network

infrastructure are:

Plan network security; Create secure boundaries; Deploy

network security technologies; Deploy server, application,and user security technologies; and deploy network

monitoring and auditing.

7/27/2019 cis341_week06_ch05

2/8

Next Slide:

Slide 4 Designing

NetworkInfrastructure

Security

(continued)

After developing your overall security plan, you need to

drill down to design the security for the networkinfrastructure. Network infrastructure includes those

services and protocols used to run network services. As

with any security model, you must find a workablebalance between security and usability.

Finding this balance requires that you take several logicalsteps to implement the best solution for your firm. These

steps include:

Assess the risk to your network and system data anddetermine the appropriate level of security.

Identify valuable information;

Define security policies based on risk;

Determine how security policies can best be implemented

in an enterprise;Ensure security management and technology requirements

are available and in place;And provide users with an easy and secure method of

accessing the appropriate resources.

Next Slide:

Slide 5 Common

Types ofAttacks

We will now list some common types of attacks.

Understanding attacks clearly is the key to implementingneeded security technologies for your network.

Many types of attacks can occur, and it seems someone isfiguring out another way to attack a secure computer

system almost every day. Some of the common methods

are eavesdropping, data modification, I-P addressspoofing, password-based attacks, brute force attacks,

denial-of-service attacks, man-in-the-middle attacks,

compromised key attacks, sniffer attacks, application-layerattacks, and social engineering.

Next Slide:

7/27/2019 cis341_week06_ch05

3/8

Slide 6 IPSec

Overview

I-P Sec is a suite of protocols that provides protection of

data integrity, and authentication. It can also provideoptional privacy and replay protection. The I-P Sec

protocols are defined by the Internet Engineering Task

Force, or IE-T-F.

I-P Sec provides security services at the transport layer of

the T-C-P I-P stack. The I-P Sec driver interfaces with theT-C-U U-D-P transport layer and the Internet layer,

making it transparent to users and applications. It can

receive network communication and, through the use of

filters and rules, it can:Select required security protocols; Determine algorithms

to use for a particular service; And Use cryptographic keys

required by any of the services.

IP-Sec is used to secure the communication channelbetween computers and to secure the data flowing acrossthat channel.

IP-Sec secures data by signing the packet and encryptingdata. You can choose to use one or the other, or both.

Signing the packet involves using a hash value to make

sure the packet has not been tampered with. Encrypting

the data involves an encryption algorithm as well as keysfor encrypting and decrypting the data.

Next Slide:Slide 7 IPSec Policies

Overview

I-P-Sec policy consists of several elements: filter lists,

filter actions, and rules. Its critical to understand howthese work together to enforce security across the

enterprise. Its important for you on the job and will

certainly be one of the key topics on the exam.

I-P-Sec policies are applied based on rules. A rule

provides the ability to create secure communication based

on the source, destination, and type of I-P traffic. Eachrule contains a list of I-P filters and a set of security

actions to take.

Each I-P-Sec rule consists of these elements:

A selected filter list; A selected filter action; Selected

authentication methods; A selected connection type; andSelected tunnel settings.

Next Slide:

7/27/2019 cis341_week06_ch05

4/8

Slide 8 Designing IP

Filtering

When designing I-P filtering, there are a few design

suggestions that will make your task easier. These aredelineated on the table shown on this slide and describe

recommendations for both filter and filter actions.

For configuring secure servers, including firewalls andcomputers in perimeter networks, you can review the

common list of T-C-P and U-D-P ports and ensure youblock or permit traffic as needed for the correct function

of the computer in question. The Internet Assigned

Numbers Authority, or I-A-N-A, provides a full list of T-

C-P and U-D-P ports from zero through sixty-five-thousand-five hundred-thirty-five.

Next Slide:

Slide 9 Configuration

a FirewallConfiguration

Firewalls can be used between segments of a network or

to protect the corporate network from the Internet. Sincethe firewall by definition provides a security boundary,

configuring I-P-Sec for a firewall makes sense.

To configure a firewall between I-P-Sec computers, it

must be configured to:

Forward inbound and outbound I-P-Sec traffic on U-D-P

source and destination port 500. This allows Isak-M-Ptraffic to be forwarded;

And Forward inbound and outbound I-P protocol fifty, E-

S-P;

Forward inbound and outbound I-P protocol fifty one, A-H;

Forward inbound and outbound U-D-P source anddestination port forty-five-hundred.

I-P-Sec can be routed as normal I-P traffic, although the

forwarders do not have the ability to examine the packet ifit is encrypted with E-S-P.

Next Slide:

7/27/2019 cis341_week06_ch05

5/8

Slide 10 Securing a

DNS

D-N-S is the method of resolving I-P addresses to domain

names or domain names to I-P addresses. This vitalnetwork service is a target of interest to hackers because

access to this data provides valuable data for attacking the

network and gaining unauthorized access.

There are a number of common threats to D-N-S that must

be considered and mitigated when planning security forthe enterprise. The table on this slide shows the common

threats and how hackers can exploit these threats.

Next Slide:

Slide 11 Securing aDNS

(continued)

There are a number of ways the D-N-S Server Service canbe configured to reduce the risk of and exposure to attack.

The first step is to examine the configuration of the D-N-S

Service to review settings that affect security. The secondstep is to manage the discretionary access lists on D-N-S

servers that are running on domain controllers. Finally,

implementing the N-T-F-S file system on D-N-S servers

running any operating system that supports N-T-F-Sprotects the files on the server.

Next Slide:

Slide 12 Designing

Security for

Data

Transmission

There are a number of other methods for securing data

being transmitted in a number of different scenarios. I-P

Sec works well in some instances, but other options are

more viable and appropriate in other instances. We willnow review some of these options.

The first is S-S-L T-L-S which stands for Secure SocketsLayer Transport Layer Security. This protocol is typically

used to secure H-T-T-P or H-T-T-P-S traffic on Web sites.

However, it works below the application layer in the T-C-P I-P stack and can be used transparently by applications

that require security for application layer protocols such as

F-T-P, L-D-A-P, or S-M-T-P.

The other option is S-Mime. S-Mime is used to secure e-mail traffic from one end to the other. As mentioned

earlier, S-S-L can be used to secure server-to-servertraffic, but S-Mime is best suited for end-to-end security.

S-Mime is an extension of Mime that supports e-mail by

enabling the e-mail originator to digitally sign an e-mail toprovide proof of both origin and message integrity. It also

enables e-mail to be encrypted to provide confidential

7/27/2019 cis341_week06_ch05

6/8

communication via the Internet.

Next Slide:

Slide 13 UsingSegmented

Networks

One of the most common methods of securing networkdata is to segment the network into smaller sections.

Switches, routers, gateways, or firewalls can beconfigured in between these network segments to manage

traffic between and among various network segments.

Segmenting a network improves the efficiency of the

network because multicast and broadcast traffic is kept onthe local segment, preventing it from being transmitted

across the entire network. By segmenting a network, local

traffic stays local and remote traffic is forwarded to thegateway. The gateway can be configured to block or

permit different types of traffic to protect network

segments from either receiving or sending data tounauthorized networks, segments, or hosts.

Next Slide:

Slide 14 Designing

Security for

WirelessNetworks

Now that we have reviewed how to protect data across the

network; we will now discuss how to protect the wireless

network.

There are four different types of wireless networks, based

on their range or scope. They include:Wireless personal area networks;

Wireless local area networks;Wireless metropolitan area networks; And

Wireless wide area networks.

Wireless personal area networks connect wireless personal

devices such as cellular phones, personal digital assistants,laptops, or wireless printers.

Wireless local area networks are designed to provideconnectivity to a local area, typically defined as a building

or office.

Wireless metropolitan area networks connect buildingswithin a campus or city through infrared or radio

frequency. The infrared implementation has limitations

due to the requirement to have line-of-site forconnectivity.

And wireless wide area networks have existed for a while

7/27/2019 cis341_week06_ch05

7/8

and are most commonly implemented via cell phones.

The current technology is not standardized and there areseveral companies and technologies vying for their place

in the standard.

Next Slide:Slide 15 Threats to

Wireless

Networks

Before going into the technologies any further, you need

to look at some of the threats to wireless networks.

Clearly, some of the threats are the same as on a wired

network, but there are threats that are specific to wirelessnetworks. Youll look at each threat and find out the best

current solution for mitigating that threat.

Shown on this slide is a table listing all the different typesof threats.

Next Slide:

Slide 16 Designing

WirelessLANs

Designing a secure wireless network takes planning and

integration with existing infrastructure. Some industryanalysts believe that wireless networking will become the

de facto standard, so understanding how to design a

wireless network will help you both on the job and on theexam.

The elements of designing a wireless network include:Designing W-Lan network infrastructure;

Designing wireless authentication;

And designing wireless access infrastructure.

Next Slide:

Slide 17 DesigningAuthenticatio

n for Wireless

Networks

The security mechanisms available for securing a wirelessnetwork are the following:

Eight-zero-two-point-eleven identity verification andauthentication;

Eight-zero-two-point-eleven Wired Equivalent Privacy

encryption;

Eight-zero-two-point- one-X authentication;And I-A-S support for Eight-zero-two-point- one-X

authentication.

Since each of these security mechanisms differ among

their security solutions, it is important to analyze each

mechanism in detail.

Next Slide:

7/27/2019 cis341_week06_ch05

8/8

Slide 18 Summary We have reached the end of this lesson. Lets take a look

at what we have covered.

The first half of this lesson was focused on designing

network infrastructure security. Designing a secure T-C-P

I-P based network begins with thorough planning. Theelements involved with designing a secure network

infrastructure are: Plan network security; Create secureboundaries; Deploy network security technologies; Deploy

server, application, and user security technologies; and

deploy network monitoring and auditing.

The second half of this lesson focused on Security for

wireless networks. There are four different types of

wireless networks, based on their range or scope. Theyinclude: Wireless personal area networks; Wireless local

area networks; Wireless metropolitan area networks; AndWireless wide area networks. Each of these wirelessnetworks has its set of threats. Some of the threats are the

same as on a wired network, and others are specific to

wireless networks.