Chapter 10
Specialized security devices
Firewalls and IDS/IPS systems
Network authentication and logon restrictions
Harden your network by requiring secure passwords to authenticate to the network
Next Generation Firewalls (NGFW)
Have built-in Application Control features and are application aware (They can monitor and limit traffic of specific applications), Adapt to the class of a specific user or user group, May also be context aware (They adapt to various applications, users, and devices)
SIEM systems can be configured to evaluate all log data
Looking for significant events that require attention from the IT staff
Signature-based detection
Looks for identifiable patterns (signatures) of code that are known to indicate specific vulnerabilities, exploits, or other undesirable traffic
Directory service
Maintains a database of account information, such as, usernames, passwords, and other authentication credentials
Redundancy allows data the option of traveling through more than one switch
Makes a network less vulnerable to hardware malfunctions
Troubleshooting firewalls
Most common cause of firewall failure is firewall misconfiguration, Configuration must not be so strict that it prevents authorized users from transmitting and receiving necessary data (But not so lenient that you unnecessarily risk security breaches), You may need to create exceptions to the rules
RBAC (role-based access control)
Most popular authorization method, Administrator assigns privileges and permissions necessary for users to perform their roles (duties), Administrators create groups associated with certain roles
Two types of agents
Nonpersistent agent remains on the device long enough to verify compliance and complete authentication and then uninstalls (Also called dissolvable agent), Persistent agent is permanently installed on a device
IDS drawback
Number of false positives
TACACS+ (Terminal Access Controller Access Control System Plus)
Offers the option of separating authentication, authorization, and auditing capabilities
Port mirroring
One port makes copy of traffic and sends to second port for monitoring
RADIUS (Remote Authentication Dial-In User Service)
Open-source and standardized by the IETF, Runs in the Application layer and can use either UDP or TCP in the Transport layer, Can operate as an application on a remote access server or on a dedicated RADIUS server, Highly scalable, May be used to authenticate wireless, mobile, and remote users, RADIUS services are often combined with other network services on a single machine
Host-based firewalls
Only protect the computer on which they are installed
Port blocking
Prevents connection to and transmission completion through ports
Root guard
Prevents switches beyond the configured port from becoming the root bridge
Terms of Kerberos
Principal, KDC (Key Distribution Center), Ticket
Authentication
Process of verifying user's credentials to grant user access to secured resources
MFA (multifactor authentication)
Process that requires two or more pieces of information
HIPS (host-based intrusion prevention)
Protects certain hosts
NIPS (network-based intrusion prevention)
Protects entire networks
Using multiple options for network security results in layered security
Provides more protection than any one type of device
Reverse proxy
Provides services to Internet clients from servers on its own network, Provides identity protection for the server rather than the client, Useful when multiple Web servers are accessed through the same public IP address
Non-security devices with security features
Proxy servers and ACLs
Newer (faster) versions of STP include
RSTP (Rapid Spanning Tree Protocol) and MSTP (Multiple Spanning Tree Protocol)
IPS (intrusion prevention system)
Reacts to suspicious activity when alerted, Detects threat and prevents traffic from flowing to network, Based on originating IP address
Router receives packet, examines packet
Refers to A C L for permit, deny criteria, Drops packet if deny characteristics match, Forwards packet if permit characteristics match, If the packet does not match any criteria given, the packet is dropped
Differences of TACACS+ from RADIUS
Relies on TCP, not UDP, at the Transport layer, Proprietary protocol developed by Cisco Systems, Inc., Typically installed on a router or switch, rather than a server, Encrypts all information transmitted for AAA
If a switch is removed
STP will recalculate the best loop-free data paths between the remaining switches
Unified Threat Management (UTM)
Security strategy that combines multiple layers of security appliances and technologies into a single safety net, Requires a great deal of processing power
Switch path management 3 steps
Select root bridge based on Bridge ID (BID), Examine possible paths between network bridge and root bridge, Disable links not part of shortest path
Devices that do not meet compliance requirements can be placed in a quarantine network
Separate from sensitive network resources
Five categories of authentication factors
Something you know—password or PIN, Something you have—ATM or smart card, Something you are—fingerprint or facial pattern, Somewhere you are—location in a specific building, Something you do—specific way you type or speak
Common packet-filtering firewall criteria
Source and destination IP addresses, Source and destination ports, Flags set in the TCP header, Transmissions using UDP or ICMP protocols, Packet's status as the first packet in a new data stream or a subsequent packet, Packet's status as inbound to or outbound from the private network
IDS (intrusion detection system)
Stand-alone device, an application, or a built-in feature running on a workstation, server, switch, router, or firewall, Monitors network traffic and generates alerts about suspicious activity, Commonly exists as an embedded feature in UTM solutions or NGFWs
LDAP (Lightweight Directory Access Protocol)
Standard protocol for accessing an existing directory, All the above are built to be LDAP-compliant
In Windows
Switch from local authentication to network authentication on the domain using the System Properties dialog box
On a Juniper switch
The mac-limit command restricts the number of MAC addresses allowed in the MAC address table, Allowed MAC addresses are configured with the allowed-mac command
ACLs do affect router performance
The more statements or tests a router must scan the more time it takes a router to act
User access to network resources falls into one of the two categories
The privilege or right to execute, install, and uninstall software, Permission to read, modify, create, or delete files and folders
Authentication protocols
The rules computers follow to accomplish authentication
Additional authentication restrictions that strengthen network security
Time of day, Total time logged on, Source address, Unsuccessful logon attempts, Geographic location (geofencing)
Network technicians should review raw data on a regular basis
To ensure no glaring indicators are being missed by existing rules
Accounting
To keep an account of the client's system or network usage
A firewall is a specialized device or software that selectively filters or blocks traffic between networks
Typically involves hardware and software combination
Unused physical and virtual ports on switches and other network devices should be disabled
Use the shutdown command on Cisco, Huawei, and Arista routers and switches, Use the no shutdown command to enable them again
Recall a disadvantage of W E P
Used a shared key for all clients and the key might never change
ACL (access control list)
Used by routers to decline forwarding certain packets
2FA (two-factor authentication)
User must provide something and know something
Local authentication
Usernames and passwords are stored locally, which has both advantages and disadvantages: Low security, Convenience varies, Reliable backup access
Uses key encryption
Verifies client identity, Securely exchanges information after client logs on
STP information is transmitted between switches
Via BPDUs (Bridge Protocol Data Units)
Network administrators can fine-tune a SIEM's configuration rules for their specific needs
Which event should trigger responses
To make networks more fault tolerant
You install multiple (redundant) switches at critical junctures
MFA requires at least one authentication method from
at least two different categories
Several types of
authentication services and protocols exist
Controlling users' access to a network and its resources consists of three major elements
authentication, authorization, accounting
NAC authenticates and authorizes devices
before the user can be authenticated; monitors the device's status to determine the device's compliance
punching a hole in the firewall
create exceptions to the rules
A network access control (NAC) solution
employs a set of rules called network policies which determine the level and type of access granted to a device when it joins a network
Implicit deny rule
if the packet does not match any criteria given, the packet is dropped
A log file viewer can be
installed to make it easier to monitor log files for interesting or suspicious events
A stateless firewall
manages each incoming packet as a stand-alone entity without regard to active connections
NIDS (network-based IDS)
protects a network and is usually situated at the edge of the network or in the DMZ (demilitarized zone); the network's protective perimeter
HIDS (host-based IDS)
runs on a single computer to alert about attacks to that one host; might also include FIM (file integrity monitoring), which alerts when changes are made to files that shouldn't change
Packet-filtering firewall
simplest firewall, Examines header of every entering packet (inbound traffic), Can block traffic entering or exiting a LAN (outbound traffic)
The access-list command is used to assign
a statement to an already-installed ACL; it must identify the ACL and include a permit or deny argument
Two primary methods for detecting threats
statistical anomaly detection, signature based detection
IDS can only detect and log
suspicious activity
AD is configured to use
the Kerberos protocol
A user can be authenticated to
the local device or to the network
A potential problem with redundant paths is
traffic loops
In Windows, use Event viewer to
view Windows logs
Firewall default configuration
Blocks most common security threats, Preconfigured to accept and deny certain traffic types, Network administrators often customize settings
SSO
Form of authentication in which a client signs on one time to access multiple systems or resources, Primary advantage is convenience, Disadvantage is that once authentication is cleared, the user has access to numerous resources
Examples of directory services
AD (Active Directory) in Windows, OpenLDAP, 389 Directory Server
Kerberos server runs two services
AS (authentication service): Initially validates a client, TGS (ticket-granting service): An application running separately from the AS that also runs on the KDC, Alleviates the need for the client to request a new ticket from the TGS each time it wants to use a different service on the network
SPB (Shortest Path Bridging)
A descendent of STP that operates at Layer 3, Keeps all potential paths active while managing flow of data
Security token
A device or application that stores or generates information
TRILL (Transparent Interconnection of Lots of Links)
A multipath, link-state protocol
Proxy server
Acts as an intermediary between external and internal networks, Screens all incoming and outgoing traffic, Manages security at Application layer, Appears as an internal network server to the outside world, but is a filtering device for internal LAN, One of its most important functions is preventing the outside world from discovering the addresses of the internal network
ACL (access control list)
Acts like a filter to instruct the router to permit or deny traffic according to one or more of the following variables: Network layer protocol (e.g., IP or ICMP), Transport layer protocol (e.g., TCP or UDP), Source IP address, Destination IP address, TCP or UDP port number
Another Cisco command (also used on Arista devices) to secure switch access ports
Security precautions that must be configured on STP-enabled interfaces
BPDU Guard, BPDU filter, Root guard
Firewall location
Between two interconnected private networks, Between private and public networks (network-based firewall), May also see firewall features integrated in routers, switches, and other network devices
BPDU guard
Blocks BPDUs on any port serving network hosts, Ensures these devices aren't considered as possible paths
STP prevents traffic loops
Calculating paths avoiding potential loops, Artificially blocking links completing loop
BPDU filter
Can be used to disable STP on specific ports
Statistical anomaly detection
Compares network traffic samples to a predetermined baseline in order to detect anomalies
Kerberos
Cross-platform authentication protocol
STP (Spanning Tree Protocol)
Defined in IEEE standard 802.1D, Operates in Data Link layer
Effectiveness of the SIEM
Determined by the amount of storage space needed for the amount of data generated
Authorization
Determines what the user can and cannot do with network resources
On most routers, each interface must be assigned a separate ACL
Different ACLs may be associated with inbound and outbound
Role separation
Each user can only be a member of a single group
Optional firewall functions
Encryption, User authentication, Centralized management, Easy rule establishment, Content-filtering based on data contained in packets, Logging, auditing capabilities, Protect internal LAN's address identity, Monitor packets according to existing traffic streams (stateful firewall)
With local authentication
Every computer on the network is responsible for securing its own resources
Router's main functions
Examine packets, Determine destination based on Network layer addressing information
Some switch manufacturers have designed proprietary versions of STP
Example: Cisco and Extreme Networks