MIST5770-QUEST3-chapter10
Firewalls
A firewall controls the flow of traffic by preventing unauthorized network traffic from entering or leaving a particular portion of the network
Firewall-Deployment Techniques
Border firewalls Screened subnet (or DMZ) firewalls Multilayered firewalls
Router Placement
Border routers A border router is subject to direct attack from an outside source. When you configure any router, you should determine whether it is the only point of defense or if it is one part of a multilayered defense. Of course, a multilayered defense is far better and more secure. The lone defense router can protect internal resources but is subject to attack itself. Internal routers An internal router can also provide enhanced features to your internal networks. Internal routers can help keep subnet traffic separate. They can keep traffic out of a subnet and keep traffic in a subnet. For example, an internal router that sits between the network of an organization's research department network and the network for the rest of the organization can keep the two networks separate. These routers can keep confidential traffic inside the research department. They can also keep nonresearch traffic from crossing over into the research network from the organization's other networks.
Network Security Risks (cont.)
Distributed DoS (DDoS) Uses multiple compromised systems to flood the network from many different directions Telephony denial of service (TDoS) Attempts to prevent telephone calls from being successfully initiated or received by some person or organization
IP Addressing (cont.)
Dynamic Host Configuration Protocol (DHCP) Is used within a network to simplify the configuration of each user's computer
Firewall Security Features
Flood guard Rules can limit traffic bandwidth from hosts, reducing the ability for any one host to flood a network Loop protection Firewalls can look at message addresses to determine whether a message is being sent around an unending loop (for example, from another form of flooding) Network separation Filtering rules enforce divisions between networks, keeping traffic from moving from one network to another
LAN Devices: Hubs and Switches
LAN Devices: Hubs and Switches Hubs Contain a number of plugs (or ports) where you can connect Ethernet cables for different network systems When they hub receive packets, they automatically retransmit those packets to all the other ports Switches Perform intelligent filtering "Know" the MAC address of the system connected to each port When they receive a packet on the network, they look at the destination MAC address and send the packet only to the port where the destination system resides
Common Ports
Network port a number that tells a receiving device where to send messages it receives
Network Security Risks
Reconnaissance The act of gathering information about a network for use in a future attack Eavesdropping When an attacker an attacker taps the data cable to see all data passing through it Denial of service (DoS) Flooding a network with traffic and shutting down a single point of failure
Border Firewall
Separates the protected network from the Internet
Local Area Networks (LANs)
Systems on the same LAN do not protect themselves from each other Good security is important
Wireless Network Security Controls
VPN over Wireless Wireless encryption WEP (insecure and flawed) Counter Mode Cipher Block Chaining Message Authentication Code Protocol Wi-Fi Protected Access (WPA) SSID broadcast MAC address filtering
The Main Types of Networks
Wide Area Networks Connect systems over a large geographic area Local Area Networks Provide network connectivity for computers located in the same geographic area
Wireless Networks
Wireless access points (WAPs) The connection between a wired and wireless network Fences don't stop wireless signals Anyone within radio range of wireless network can capture all data sent on that network if not encrypted
Virtual LANs (VLANs)
Any broadcast domain that is isolated from other domains A collection of logically related network devices that are viewed as a partitioned network segment Used to isolate logical groups of devices to reduce network traffic and increase security
Network Access Control
Enable you to add more security requirements before allowing a device to connect to your network Perform authentication and posture checking IEEE 802.1x standard
Basic Network Security Defense Tools
Firewalls Virtual private networks and remote access Network access control (NAC)
IP Addressing
IPv4 addresses Four-byte (32-bit) addresses that uniquely identify every device on the network Still the most common IPv6 addresses Are 128 bits long Provide more unique device addresses Are more secure
Unified Threat Management (UTM)
URL filter Filters web traffic by examining the URL as opposed to the IP address Content inspection The device looks at some or all network packet content to determine if the packet should be allowed to pass Malware inspection A specialized form of content inspection, the device looks at packet content for signs of malware
Internet Control Message Protocol (ICMP)
A management and control protocol for IP Delivers messages between hosts about the health of the network ICMP tools: Ping sends a single packet to a target IP address (ICMP echo request) Traceroute uses ICMP echo request packets to identify the path that packets travel through a network
TCP/IP and How It Works
A suite of protocols that operate at both the Network and Transport layers of the OSI Reference Model Governs all activity across the Internet and through most corporate and home networks Developed by the DoD to provide a highly reliable and fault-tolerant network infrastructure (security was not a focus)
Major VPN Technologies
Point-to-Point Tunneling Protocol (PPTP) Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet Protocol Security (IPSec) • Point-to-Point Tunneling Protocol (PPTP): PPTP was once the predominant VPN protocol. For many years, almost all VPNs used PPTP. It is easy to set up on client computers because most operating systems include PPTP support. • Secure Sockets Layer (SSL): SSL encrypts web communications, and many VPNs use SSL to provide encrypted communication. Users connect to an SSL-protected webpage and log on. Their web browser then downloads software that connects them to the VPN. Due to recent security issues, use TLS whenever possible. • Internet Protocol Security (IPSec): IPSec is a suite of protocols designed to connect sites securely. Although some IPSec VPNs are available for end users, they often require the installation of third-party software on the user's system and are not popular. Many organizations use IPSec to connect one site to another securely over the Internet. The required IPSec VPN functionality is built into many routers and firewalls, allowing for easy configuration.
Ethernet Networks
The Ethernet standard: Defines the way that computers communicate on the network Governs both the Physical and Data Link layers Defines how computers use MAC addresses to communicate with each other on the network Ethernet has become the most common LAN technology in use
Wide Area Networks
The Internet is an open network Can't guarantee privacy Consider the security issues surrounding the use of an open network Develop your own private WAN
Additional Wireless Security Techniques: Hardware
• Antenna types: Wireless device antennas can have a large impact on the device's area of coverage. Generally, external antennas can reach farther than internal antennas. Also, antennas can transmit and receive in different ways. They can be omnidirectional (all directions), semidirectional (limited direction), or highly directional (focused direction). Choose the right antenna for your organization's use. • Antenna placement: Once you select the best antennas for your devices, carefully place the antennas to provide coverage that you want, and not for anyone else. Placing an omnidirectional antenna near an external wall will likely make your wireless network available to people outside your building. • Power-level controls: You can change the power a wireless device uses from the configuration settings. Lowering the power settings from the default will reduce the area the device covers. This setting can be helpful when attempting to limit the visibility of your wireless networks. • Captive portals: A captive portal is a webpage that is displayed for all new connections. Your wireless device can redirect all traffic to the captive portal until the connection is authenticated. The most common use of a captive portal is to provide a logon page for your wireless network. • Site surveys: One of the most important nontechnical aspects to securing wireless networks is the site survey. Examine the physical area you want to serve with a wireless network. Facility floor plans can help determine the best placement for wireless devices. Use diagrams to plan your wireless network before you physically place devices.
OSI (Open system interconnection) Reference Model
• Application Layer: This layer is responsible for interacting with end users. The Application Layer includes all programs on a computer that interact with the network. For example, your email software is included, since it must transmit and receive messages over the network. A simple game like Solitaire doesn't fit here because it does not require the network in order to operate. • Presentation Layer: This layer is responsible for the coding of data. The Presentation Layer includes file formats and character representations. From a security perspective, encryption generally takes place at the Presentation Layer. • Session Layer: This layer is responsible for maintaining communication sessions between computers. The Session Layer creates, maintains, and disconnects communications that take place between processes over the network. • Transport Layer: This layer is responsible for breaking data into packets and properly transmitting it over the network. Flow control and error checking take place at the Transport Layer. • Network Layer: This layer is responsible for the logical implementation of the network. One very important feature of the Network Layer, covered later in this chapter, is logical addressing. In TCP/ IP networking, logical addressing takes the familiar form of IP addresses. • Data Link Layer: This layer is responsible for transmitting information on computers connected to the same local area network (LAN). The Data Link Layer uses Media Access Control (MAC) addresses. Device manufacturers assign each hardware device a unique MAC address. • Physical Layer: This layer is responsible for the physical operation of the network. The Physical Layer must translate the binary ones and zeros of computer language into the language of the transport medium. In the case of copper network cables, it must translate computer data into electrical pulses. In the case of fiber optics, it must translate the data into bursts of light. 记忆点:all people seem to need data processing https://www.youtube.com/watch?v=LANW3m7UgWs&t=262s 这7个层是为了帮助你理解网络是如何operates的. 第一层就是硬件层,通过hardware进行数据的传送. 第二层就是
Firewall Types
• Packet filtering: A packet-filtering firewall is very basic. It compares received traffic with a set of rules that define which traffic it will permit to pass through the firewall. It makes this decision for each packet that reaches the firewall and has no memory of packets it has encountered in the past. • Stateful inspection: A stateful inspection firewall remembers information about the status of a network communication. Once the firewall receives the first packet in a communication, the firewall remembers that communication session until it is closed. This type of firewall does not have to check its rules each time it receives a packet. It only needs to check rules when a new communication session starts. • Application proxy: An application proxy firewall goes further than a stateful inspection firewall. It doesn't actually allow packets to travel directly between systems on opposite sides of the firewall. The firewall opens separate connections with each of the two communicating systems and then acts as a broker (or proxy) between the two. This allows for an added degree of protection, because the firewall can analyze information about the application in use when making the decision to allow or deny traffic.