World Headquarters Jones & Bartlett Learning 5 Wall Street Burlington, MA 01803 978-443-5000 info@jblearning.com www.jblearning.com
Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.
Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to specialsales@jblearning.com.
Copyright © 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company
All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.
The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Network Security, Firewalls, and VPNs, Second Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.
There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.
This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.
Production Credits Chief Executive Officer: Ty Field President: James Homer SVP, Editor-in-Chief: Michael Johnson SVP, Curriculum Solutions: Christopher Will Director of Sales, Curriculum Solutions: Randi Roger Senior Marketing Manager: Andrea DeFronzo Associate Marketing Manager: Kelly Thompson VP, Design and Production: Anne Spencer VP, Manufacturing and Inventory Control: Therese Connell Manufacturing and Inventory Control Supervisor: Amy Bacus Editorial Management: High Stakes Writing, LLC, President: Lawrence J. Goodrich Senior Editor, HSW: Ruth Walker Senior Editorial Assistant: Rainna Erikson Production Manager: Susan Schultz
Composition: Gamut+Hue, LLC Cover Design: Kristin E. Parker Director of Photo Research and Permissions: Amy Wrynn Rights & Photo Research Assistant: Joseph Veiga Cover Image: © HunThomas/ShutterStock, Inc. Chapter Opener Image: © Rodolfo Clix/Dreamstime.com Printing and Binding: Edwards Brothers Malloy Cover Printing: Edwards Brothers Malloy
ISBN: 978-1-284-03167-6
Library of Congress Cataloging-in-Publication Data Not available at time of printing.
Printed in the United States of America 17 16 15 14 13 10 9 8 7 6 5 4 3 2 1
Contents
Preface
PART ONE Foundations of Network Security
CHAPTER 1 Fundamentals of Network Security
What Is Network Security?
What Is Trust?
Who—or What—Is Trustworthy?
What Are Security Objectives?
What Are You Trying to Protect?
Seven Domains of a Typical IT Infrastructure
Goals of Network Security
How Can You Measure the Success of Network Security?
Why Are Written Network Security Policies Important?
Planning for the Worst
Who Is Responsible for Network Security?
Examples of Network Infrastructures and Related Security Concerns
Workgroups
SOHO Networks
Client/Server Networks
LAN Versus WAN
Thin Clients and Terminal Services
Remote Control, Remote Access, and VPN
Boundary Networks
Strengths and Weaknesses of Network Design
Enhancing the Security of Wired Versus Wireless LAN Infrastructures
Internal and External Network Issues
Common Network Security Components Used to Mitigate Threats
Hosts and Nodes
IPv4 Versus IPv6
Firewall
Virtual Private Networks
Proxy Servers
Network Address Translation
Routers, Switches, and Bridges
The Domain Name System
Directory Services
Intrusion Detection Systems and Intrusion Prevention Systems
Network Access Control
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Firewall Fundamentals
What Is a Firewall?
What Firewalls Cannot Do
Why Do You Need a Firewall?
What Are Zones of Risk?
How Firewalls Work and What Firewalls Do
TCP/IP Basics
OSI Reference Model
Sub-Protocols
Headers and Payloads
Addressing
Types of Firewalls
Ingress and Egress Filtering
Types of Filtering
Static Packet Filtering
Stateful Inspection and Dynamic Packet Filtering
Network Address Translation (NAT)
Application Proxy
Circuit Proxy
Content Filtering
Software Versus Hardware Firewalls
IPv4 Versus IPv6 Firewalls
Dual-Homed and Triple-Homed Firewalls
Placement of Firewalls
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 VPN Fundamentals
What Is a Virtual Private Network?
What Are the Benefits of Deploying a VPN?
What Are the Limitations of a VPN?
What Are Effective VPN Policies?
VPN Deployment Models and Architecture
Tunnel Versus Transport Mode
The Relationship Between Encryption and VPNs
Symmetric Cryptography
Asymmetric Cryptography
Hashing
What Is VPN Authentication?
VPN Authorization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Network Security Threats and Issues
Hacker Motivation
Favorite Targets of Hackers
Threats from Internal Personnel and External Entities
The Hacking Process
Fallback Attacks
Common IT Infrastructure Threats
Hardware Failures and Other Physical Threats
Natural Disasters
Accidents and Intentional Concerns
Malicious Code (Malware)
Advanced Persistent Threat
Fast Growth and Overuse
Wireless Versus Wired
Eavesdropping
Replay Attacks
Insertion Attacks
Fragmentation Attacks, Buffer Overflows, and XSS Attacks
Fragmentation Attacks
Buffer Overflows
XSS (Cross-Site Scripting) Attacks
Man-in-the-Middle, Session Hijacking, and Spoofing Attacks
Man-in-the-Middle Attacks
Session Hijacking
Spoofing Attacks
Covert Channels
Network and Resource Availability Threats
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Hacker Tools
Social Engineering
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
PART TWO Technical Overview of Network Security, Firewalls, and VPNs
CHAPTER 5 Network Security Implementation
Seven Domains of a Typical IT Infrastructure
Network Design and Defense in Depth
Protocols
Common Types of Addressing
IPv6
Controlling Communication Pathways
Hardening Systems
Equipment Selection
Authentication, Authorization, and Accounting
Communication Encryption
Hosts: Local-Only or Remote and Mobile
Redundancy
Endpoint Security
Clients
Servers
Routers
Switches
Firewalls and Proxies
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Network Security Management
Network Security Management Best Practices
Fail-Secure, Fail-Open, and Fail-Close Options
Physical Security
Watching for Compromise
Incident Response
Trapping Intruders and Violators
Why Containment Is Important
Imposing Compartmentalization
Using Honeypots, Honeynets, and Padded Cells
Essential Host Security Controls
Backup and Recovery
User Training and Awareness
Network Security Management Tools
Security Checklist
Network Security Troubleshooting
Compliance Auditing
Security Assessment
Configuration Scans
Vulnerability Scanning
Penetration Testing
Post-Mortem Assessment Review
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Firewall Basics
Firewall Rules
Authentication, Authorization, and Accounting
Monitoring and Logging
Understanding and Interpreting Firewall Logs and Alerts
Intrusion Detection
Limitations of Firewalls
Improving Performance
The Downside of Encryption with Firewalls
Firewall Enhancements
Management Interfaces
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Firewall Deployment Considerations
What Should You Allow and What Should You Block?
Common Security Strategies for Firewall Deployments
Security Through Obscurity
Least Privilege
Simplicity
Defense in Depth
Diversity of Defense
Chokepoint
Weakest Link
Fail-Safe
Forced Universal Participation
Essential Elements of a Firewall Policy
Software and Hardware Options for Firewalls
Benefit and Purpose of Reverse Proxy
Use and Benefit of Port-Forwarding
Considerations for Selecting a Bastion Host OS
Constructing and Ordering Firewall Rules
Evaluating Needs and Solutions in Designing Security
What Happens When Security Gets in the Way of Doing Business?
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Firewall Management and Security
Best Practices for Firewall Management
Security Measures in Addition to a Firewall
Selecting the Right Firewall for Your Needs
The Difference Between Buying and Building a Firewall
Mitigating Firewall Threats and Exploits
Concerns Related to Tunneling Through or Across a Firewall
Testing Firewall Security
Important Tools for Managing and Monitoring a Firewall
Troubleshooting Firewalls
Proper Firewall Implementation Procedure
Responding to Incidents
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Using Common Firewalls
Individual and Small Office/Home Office (SOHO) Firewall Options
Uses for a Host Software Firewall
Examples of Software Firewall Products
Using Windows 7’s Host Software Firewall
Using a Linux Host Software Firewall
Managing the Firewall on an ISP Connection Device
Converting a Home Router into a Firewall
Commercial Software Network Firewalls
Open-Source Software Network Firewalls
Appliance Firewalls
Virtual Firewalls
Simple Firewall Techniques
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 VPN Management
VPN Management Best Practices
Developing a VPN Policy
Developing a VPN Deployment Plan
Bypass Deployment
Internally Connected Deployment
DMZ-Based Implementation
VPN Threats and Exploits
Commercial or Open Source VPNs
Differences Between Personal and Enterprise VPNs
Balancing Anonymity and Privacy
Protecting VPN Security to Support Availability
The Importance of User Training
VPN Troubleshooting
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 VPN Technologies
Differences Between Software and Hardware Solutions
Software VPNs
Hardware VPNs
Differences Between Layer 2 and Layer 3 VPNs
Internet Protocol Security (IPSec)
Layer 2 Tunneling Protocol (L2TP)
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
SSL/TLS and VPNs
Secure Shell (SSH) Protocol
Establishing Performance and Stability for VPNs
Performance
Stability
Using VPNs with Network Address Translation (NAT)
Types of Virtualization
Desktop Virtualization
SSL VPN Virtualization
Differences Between Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6)
The TCP/IP Protocol Suite
IPv4 Challenges
IPv6
IPSec and IPv6
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
PART THREE Implementation, Resources, and the Future
CHAPTER 13 Firewall Implementation
Constructing, Configuring, and Managing a Firewall
SmoothWall
Examining Your Network and Its Security Needs
What to Protect and Why
Preserving Privacy
Firewall Design and Implementation Guidelines
Selecting a Firewall
Hardware Requirements for SmoothWall
Planning a Firewall Implementation with SmoothWall
Firewalling a Big Organization: Application-Level Firewall and Packet Filtering, a Hybrid System
Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation
Firewalling in a Subnet Architecture
Installing a Firewall with SmoothWall
Configuring a Firewall with SmoothWall
Elements of Firewall Deployment
Performing Testing with SmoothWall
Firewall Troubleshooting
Additional SmoothWall Features
Firewall Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Real-World VPNs
Operating System–Based VPNs
VPN Appliances
Configuring a Typical VPN Appliance
Client-Side Configuration
Remote Desktop Protocol
Using Remote Control Tools
Using Remote Access
The Technology for Remote Use
Choosing Between IPSec and SSL Remote Access VPNs
Terminal Services
TS RemoteApp
TS Web Access
Microsoft DirectAccess
DMZ, Extranet, and Intranet VPN Solutions
Intranet VPNs
Extranet VPNs
Internet Café VPNs
Online Remote VPN Options
Security
Wake-on-LAN Support
File Sharing
Remote Printing
Mac Support
The Tor Application
Planning a VPN Implementation
Requirements
Installation
Deployment
Testing and Troubleshooting
VPN Implementation Best Practices
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 Perspectives, Resources, and the Future
What the Future Holds for Network Security, Firewalls, and VPNs
Threats
Firewall Capabilities
Encryption
Authentication
Metrics Focus
Securing the Cloud
Securing Mobile Devices
Mobile IP
Bring Your Own Device (BYOD)
Resource Sites for Network Security, Firewalls, and VPNs
Tools for Network Security, Firewalls, and VPNs
Commercial Off-the-Shelf (COTS) Software
Open Source Applications and Tools
The Impact of Ubiquitous Wireless Connectivity
Potential Uses of Security Technologies
What Happens When There Is No Perimeter?
Specialized Firewalls Available Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
Effect of Honeypots, Honeynets, and Padded Cells
Emerging Network Security Technologies
IP Version 6
VPNs, Firewalls, and Virtualization
Steganography
Anti-Forensics
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index
Preface
Purpose of This Book
This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (www.jblearning.com). Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but forward-thinking—putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow, as well.
The first part of this book on network security focuses on the business challenges and threats that you face as soon as you physically connect your organization’s network to the public Internet. It will present you with key concepts and terms, and reveal what hackers do when trying to access your network, thus providing you with the necessary foundation in network security for the discussions that follow. It will define firewalls and virtual private networks (VPNs), providing you with an understanding of how to use them as security countermeasures to solve business challenges.
Part 2 discusses how to implement network security and reviews best practices. It discusses how to select and deploy firewalls and the tools for managing and monitoring them. It also reviews implementing a VPN, the technologies involved, and VPN-management best practices.
Part 3 focuses on the practical, giving concrete, step-by-step examples of how to implement a firewall and a VPN. It also discusses what challenges the future holds for information security professionals involved in network security. It covers the tools and resources available to the professional and scans the horizon of emerging technologies.
Learning Features
The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used both to clarify the material and to vary the presentation. The text is sprinkled with Notes, Tips, FYIs, Warnings, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.
Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.
Audience
The material is suitable for undergraduate or graduate computer science majors or information science majors, students at a two-year technical college or community college who have a basic technical background, or readers who have a basic understanding of IT security and want to expand their knowledge.
About the Author
James Michael Stewart has been working with computers and technology for more than 25 years. His work focuses on security, certification, and various operating systems. Recently, Michael has been teaching job-skill and certification courses such as CISSP, CEH, and Security+. He is the primary author of the CISSP Study Guide, 4th Edition and the Security+ 2008 Review Guide. In addition, Michael has written numerous books on other security and Microsoft certification and administration topics. He has developed certification courseware and training materials as well as presented these materials in the classroom. Michael holds the following certifications: CISSP, ISSAP, SSCP, MCT, CEI, CEH, TICSA, CIW SA, Security+, MCSE+Security: Windows 2000, MCSA Windows Server 2003, MCDST, MCSE NT & W2K, MCP+I, Network+, iNet+. He graduated in 1992 from the University of Texas at Austin with a bachelor’s degree in philosophy.
PART ONE
Foundations of Network Security
CHAPTER 1 Fundamentals of Network Security
CHAPTER 2 Firewall Fundamentals
CHAPTER 3 VPN Fundamentals
CHAPTER 4 Network Security Threats and Issues
CHAPTER 1 Fundamentals of Network Security
COMPUTER NETWORK SECURITY is very complex. New threats from inside and outside networks appear constantly. Just as constantly, the security community is developing new products and procedures to defend against threats of the past and unknowns of the future.
As companies merge, people lose their jobs, new equipment comes online, and business tasks change, people do not always do what you expect. Network security configurations that worked well yesterday might not work quite as well tomorrow. In an ever-changing business climate, whom should you trust? Has your trust been violated? How would you even know? Who is attempting to harm your network this time? And why?
Because of these complex issues, you need to understand the essentials of network security. This chapter will introduce you to the basic elements of network security. Once you have a firm grasp of these fundamentals, you will be well equipped to put effective security measures into practice on your organization’s network.
Chapter 1 Topics
This chapter covers the following topics and concepts:
What network security is
What you are trying to protect within the seven domains of a typical IT infrastructure
What the goals of network security are
How you can assess the success of your network security implementation
Why written network security policies are important
Who is responsible for network security
What some examples of network infrastructures and related security concerns are
Which controls can enhance the security of wired vs. wireless local area network (LAN) infrastructures
What some examples of internal and external network issues are
Which common network security components are used to mitigate threats throughout the IT infrastructure
Chapter 1 Goals
When you complete this chapter, you will be able to:
Describe the key concepts and terms associated with network security
Describe the importance of a written security policy and explain how policies help mitigate risk exposure and threats to a network infrastructure
Define network security roles and responsibilities and who within an IT organization is accountable for these security implementations
Identify examples of network security concerns or threats that require enhanced security countermeasures to properly mitigate risk exposure and threats
Describe the security requirements needed for wired versus wireless LAN infrastructures in order to provide an enhanced level of security
Compare and contrast common network security components and devices and their use throughout the IT infrastructure
What Is Network Security?
Network security is the control of unwanted intrusion into, use of, or damage to communications on your organization’s computer network. This includes monitoring for abuses, looking for protocol errors, blocking non-approved transmissions, and responding to problems promptly. Network security is also about supporting essential communication necessary to the organization’s mission and goals, avoiding the unapproved use of resources, and ensuring the integrity of the information traversing the network.
Network security includes elements that prevent unwanted activities while supporting desirable activities. This is hard to do efficiently, cost effectively, and transparently. Efficient network security provides quick and easy access to resources for users. Cost-effective network security controls user access to resources and services without excessive expense. Transparent network security supports the mission and goals of the organization through enforcement of the organization’s network security policies, without getting in the way of valid users performing valid tasks.
Computer networking technology is changing and improving faster today than ever before. Wireless connectivity is now a realistic option for most companies and individuals. Malicious hackers are becoming more adept at stealing identities and money using every means available.
Today, many companies spend more time, money, and effort protecting their assets than they do on the initial installation of the network. And little wonder. Threats, both internal and external, can cause a catastrophic system failure or compromise. Such security breaches can even result in a company going out of business. Without network security, many businesses and even individuals would not be able to work productively.
Network security must support workers in doing their jobs while protecting against compromise, maintaining high performance, and keeping costs to a minimum. This can be an incredibly challenging job, but it is one that many organizations have successfully tackled.
Network security has to start somewhere. It has to start with trust.
What Is Trust?
Trust is confidence in your expectation that others will act in your best interest. With computers and networks, trust is the confidence that other users will act in accordance with your organization’s security rules. You trust that they will not attempt to violate the stability, privacy, or integrity of the network and its resources. Trust is the belief that others are trustworthy.
Unfortunately, sometimes people violate your trust. Sometimes they do this by accident, oversight, or ignorance that the expectation even existed. In other situations, they violate trust deliberately. Because these people can be either internal personnel or external hackers, it’s difficult to know whom to trust.
So how can you answer the question, “Who is trustworthy?” You begin by realizing that trust is based on past experiences and behaviors. Trust is usually possible between people who already know each other. It’s neither easy nor desirable to trust strangers. However, once you’ve defined a set of rules and everyone agrees to abide by those rules, you have established a conditional trust. Over time, as people demonstrate that they are willing to abide by the rules and meet expectations of conduct, then you can consider them trustworthy.
Trust can also come from using a third-party method. If a trustworthy third party knows you and me, and that third party states that you and I are both trustworthy people, then you and I can assume that we can conditionally trust each other. Over time, someone’s behavior shows whether the initial conditional trust was merited or not.
A common example of a third-party trust system is the use of digital certificates issued by a public certificate authority (CA). As shown in Figure 1-1, a user communicates with a Web e-commerce server. The user does not initially know whether the Web server is what it claims to be or whether someone is “spoofing” its identity. The user’s browser checks that the certificate the Web server presents was issued by a CA the browser already trusts (one whose root certificate is in its trust store), that the name on the certificate matches the site being visited, and that the certificate is still within its validity period. If those checks pass, the user can trust that the identity of the Web site is valid. This works because both the user and the Web site rely on a common, trustworthy third party: the CA. Note that the certificate vouches only for the site’s identity, not for its conduct; a site with a valid certificate can still behave maliciously.
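The check described above, worked through as an added example in Go that is not part of the book: a root CA that the user trusts, a server certificate that CA issued, a certificate for the same host name issued by a CA the user never trusted (the spoofing case), and a certificate from the trusted CA for a different host. All three are run through the standard library’s chain verification. The host names shop.example.test and other.example.test and the CA names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; failures are fatal in this demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // unique serial numbers for the demo certificates
func newSerial() *big.Int { serial++; return big.NewInt(serial) }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// caTemplate describes a root CA, the trusted third party of Figure 1-1.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          newSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// serverTemplate describes a Web server identified by its DNS name.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign issues tmpl under parent using parentKey; pass tmpl as its own parent for a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// verifyServer is the browser's check: the certificate must chain to a root
// the user already trusts and must name the host being visited.
func verifyServer(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the verification error (nil means accepted) for three cases.
type Outcome struct {
	Genuine   error // issued by the trusted CA for the host visited
	Spoofed   error // same host name, but issued by a CA the user never trusted
	WrongHost error // issued by the trusted CA, but for a different host
}

func CertDemo() Outcome {
	const host = "shop.example.test" // assumed name of the e-commerce site
	// The trusted third party: the only root in the user's trust store.
	caKey, caTmpl := newKey(), caTemplate("Trusted Public CA")
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// A CA run by an attacker. It can issue a certificate for any name it
	// likes; what it cannot do is make the user's browser trust it.
	rogueKey, rogueTmpl := newKey(), caTemplate("Rogue CA")
	rogue := sign(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	return Outcome{
		Genuine:   verifyServer(sign(serverTemplate(host), ca, &newKey().PublicKey, caKey), roots, host),
		Spoofed:   verifyServer(sign(serverTemplate(host), rogue, &newKey().PublicKey, rogueKey), roots, host),
		WrongHost: verifyServer(sign(serverTemplate("other.example.test"), ca, &newKey().PublicKey, caKey), roots, host),
	}
}

func main() {
	out := CertDemo()
	fmt.Printf("genuine: %v\nspoofed: %v\nwrong host: %v\n", out.Genuine, out.Spoofed, out.WrongHost)
}
```

Only the genuine certificate is accepted. The rogue CA’s certificate carries the right host name and a perfectly valid signature, yet it is rejected because the user’s trust store does not contain that CA; the trusted CA’s certificate for another host is rejected because identity means the name the user actually asked for, not merely “some name a trusted CA signed.”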
Ultimately, network security is based on trust. Companies assume that their employees are trustworthy and that all of the computers and network devices are trustworthy. But not all trust is necessarily the same. You can (and probably should) operate with different levels or layers of trust. Those with a higher level of trust can be assigned greater permissions and privileges. If someone or something violates your trust, then you remove the violator’s access to the secure environment. For example, companies terminate an untrustworthy employee or replace a defective operating system.
FIGURE 1-1
An example of a third-party trust system.
Who—or What—Is Trustworthy?
Determining who or what is trustworthy is an ongoing activity of every organization, both global corporations and a family’s home network. In both cases, you offer trust to others on a conditional basis. This conditional trust changes over time based on adherence to or violation of desired and prescribed behaviors.
If a program causes problems, it loses your trust and you remove it from the system. If a user violates security, that person loses your trust and might have access privileges revoked. If a worker abides by the rules, your trust grows and privileges increase. If an Internet site does not cause harm, you deem it trustworthy and allow access to that site.
To review, trust is subjective, tentative, and changes over time. You can offer trust based on the reputation of a third party. You withhold trust when others violate the rules. Trust stems from actions in the past and can grow based on future behaviors.
In network security, trust is complex. Extending trust to others without proper background investigation can be devastating. A network is only as secure as its weakest link. You need to vet every aspect of a network, including software, hardware, configuration, communication patterns, content, and users, to maintain network security. Otherwise, you will not be able to accomplish the security objectives of your organization’s network.
What Are Security Objectives?
Security objectives are goals an organization strives to achieve through its security efforts. Typically, organizations recognize three primary security objectives:
Confidentiality/privacy
Integrity/nonrepudiation
Availability/uptime
Confidentiality is the protection against unauthorized access, while providing authorized users access to resources without obstruction. Confidentiality ensures that data is not intentionally or unintentionally disclosed to anyone without a valid need to know. A job description defines the person’s need to know. If a task does not require access to a specific resource, then that person does not have a need to know that resource.
Integrity is the protection against unauthorized changes, while allowing authorized users to make authorized changes. Integrity ensures that data remain consistent, both internally and externally: consistent data do not change unexpectedly over time and remain in sync with the real world. Integrity also protects against accidental changes and against deliberate modification by hackers or by malicious code, which is software written with malicious intent.
Availability is the protection against downtime, loss of data, and blocked access, while providing consistent uptime, protecting data, and supporting authorized access to resources. Availability ensures that users can get their work done in a timely manner with access to the proper resources.
Authentication is the proof or verification of a user’s identity before granting access to a secured area. This can occur both on a network and in the physical, real world. While the most common form of authentication is a password, a password by itself is also the weakest common method of authentication. Multifactor authentication is the method most network administrators prefer for secure logon.
Authorization is controlling what users are allowed and not allowed to do. Authorization is dictated by the organization’s security structure, which may focus on discretionary access control (DAC), mandatory access control (MAC), or role-based access control (RBAC). Authorization restricts access based on need to know and users’ job descriptions. Authorization is also known as access control.
Nonrepudiation is the security service that prevents a user from being able to deny having performed an action. For example, nonrepudiation prevents a sender from denying having sent a message. Digital signatures based on public-key cryptography, supported by audit records, commonly provide nonrepudiation. A check based on a key that sender and receiver share, such as a message authentication code, proves integrity but not nonrepudiation, because either party could have produced it.
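The difference between integrity and nonrepudiation, as an added example in Go that is not part of the book: the same message is protected once with HMAC-SHA256 under a key both parties share and once with an Ed25519 signature under a key only the sender holds. Both detect tampering, but only the signature stops a dishonest receiver from producing “evidence” of a message the sender never sent. The two messages are constructed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// macFor computes HMAC-SHA256 over msg with a key both parties share.
func macFor(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macValid checks a tag in constant time.
func macValid(key, msg, tag []byte) bool { return hmac.Equal(macFor(key, msg), tag) }

// Result records what each mechanism can and cannot establish.
type Result struct {
	MACDetectsTampering bool // a changed message fails the MAC check
	ReceiverCanForgeMAC bool // the receiver can mint a valid MAC for a message never sent
	SigDetectsTampering bool // a changed message fails signature verification
	ReceiverCanForgeSig bool // the receiver can produce a signature the sender's public key accepts
}

func SignatureDemo() Result {
	// Constructed sample messages.
	sent := []byte("transfer 100 to account 42")    // what the sender actually sent
	forged := []byte("transfer 9000 to account 99") // what a dishonest receiver claims was sent

	// Integrity with a shared key: sender and receiver both hold sharedKey.
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		panic(err)
	}
	tag := macFor(sharedKey, sent)

	// Nonrepudiation with public-key cryptography: only the sender holds priv;
	// the receiver, and any auditor settling a dispute, holds pub.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, sent)

	// The receiver's forgery attempts. For the MAC it simply uses the shared
	// key. For the signature all it has is pub, the sender's signature on a
	// different message, and any key pair it generates itself.
	_, receiverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forgedSig := ed25519.Sign(receiverPriv, forged)

	return Result{
		MACDetectsTampering: macValid(sharedKey, sent, tag) && !macValid(sharedKey, forged, tag),
		ReceiverCanForgeMAC: macValid(sharedKey, forged, macFor(sharedKey, forged)),
		SigDetectsTampering: ed25519.Verify(pub, sent, sig) && !ed25519.Verify(pub, forged, sig),
		ReceiverCanForgeSig: ed25519.Verify(pub, forged, sig) || ed25519.Verify(pub, forged, forgedSig),
	}
}

func main() {
	fmt.Printf("%+v\n", SignatureDemo())
}
```

An auditor shown a valid MAC learns only that someone holding the shared key produced it, and the receiver is one of those people; shown a valid signature, the auditor knows the holder of the private key produced it, which is the property nonrepudiation needs.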
Privacy protects the confidentiality, integrity, and availability of personally identifiable or sensitive data. Private data often includes financial records and medical information. Privacy prevents the unauthorized watching and monitoring of users and employees.
Maintaining and protecting these security objectives can be a challenge. As with most difficult tasks, breaking security down into simpler or smaller components will help you to understand and ultimately accomplish this objective. To support security objectives, you need to know clearly what you are trying to protect.
What Are You Trying to Protect?
In terms of security, the things you want to protect are known as assets. An asset is anything used to conduct business. Any object, computer, program, piece of data, or other logical or physical component employees need to accomplish a task is an asset.
Assets do not have to be expensive, complicated, or large. In fact, many assets are relatively inexpensive, commonplace, and variable in size. But no matter the characteristics, an asset needs protection. When assets are unavailable for whatever reason, people can’t get their work done.
For most organizations, including SOHO (small office, home office) environments, the assets of most concern include business and personal data. If this information is lost, damaged, or stolen, serious complications result. Businesses can fail. Individuals can lose money. Identities can be stolen. Even lives can be ruined.
What causes these problems? What violates network security? The answer includes accidents, ignorance, oversight, and hackers. Accidents happen, including hardware failures and natural disasters. Poor training equals ignorance. Workers with the best of intentions damage systems if they don’t know proper procedures or lack necessary skills. Overworked and rushed personnel overlook issues that can result in asset compromise or loss. Malicious hackers can launch attacks and exploits against the network, seeking to gain access or just to cause damage.
Hacking originally meant tinkering or modifying systems to learn and explore. However, the term has come to refer to malicious and possibly criminal intrusion into and manipulation of computers. In either case, a malicious or criminal hacker is a serious threat. Every network administrator should be concerned about hacking.
Some important aspects of security stem from understanding the techniques, methods, and motivations of hackers. Once you learn to think like a hacker, you may be able to anticipate future attacks. This enables you to devise new defenses before a hacker can successfully breach your organization’s network.
So how do hackers think? Hackers think along the lines of manipulation or change. They look into the rules to create new ways of bending, breaking, or changing them. Many successful security breaches have been little more than slight variations or violations of network communication rules.
Hackers look for easy targets or overlooked vulnerabilities. Hackers seek out targets that provide them the most gain, often financial rewards. Hackers turn things over, inside out, and in the wrong direction. Hackers attempt to perform tasks in different orders, with incorrect values, outside the boundaries, and with a purpose to cause a reaction. Hackers learn from and exploit mistakes, especially mistakes of the network security professionals who fail to properly protect an organization’s assets.
FIGURE 1-2
The seven domains of a typical IT infrastructure.
Why is thinking like a hacker critically important? Sun Tzu, a sixth-century BC Chinese military strategist and philosopher, stated in his famous military text The Art of War: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Once you understand how hackers think, the tools they use, their exploits, and the attack techniques they employ, you can create effective defenses to protect against them.
You’ve often heard that “the best defense is a good offense.” While this statement may have merit elsewhere, most network security administrators do not have the luxury—or legal right—to attack hackers. Instead, you need to turn this strategic phrase around: The best offense is a good defense. While network security administrators cannot legally or ethically attack hackers, they are fully empowered to defend networks and assets against hacker onslaughts.
Seven Domains of a Typical IT Infrastructure
Hackers look for any and every opportunity to exploit a target. No aspect of an IT infrastructure is without risk, nor is it immune to the scrutiny of a hacker. When thinking like a hacker, analyze every one of the seven domains of a typical IT infrastructure (Figure 1-2) for potential vulnerabilities and weaknesses. Be thorough. A hacker needs only one crack in the protections to begin chipping away at the defenses. You need to find every possible breach point to secure it and harden the network.
The seven domains of a typical IT infrastructure are:
User Domain—This domain refers to actual users, whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization’s IT infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure.
Workstation Domain—This domain refers to the end user’s desktop devices such as a desktop computer, laptop, VoIP telephone, or other endpoint device. Workstation devices typically require security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management to maintain the integrity of the device.
LAN Domain—This domain refers to the physical and logical local area network (LAN) technologies (e.g., 100 Mbps/1000 Mbps switched Ethernet, the 802.11 family of wireless LAN technologies) used to support workstation connectivity to the organization’s network infrastructure.
LAN-to-WAN Domain—This domain refers to the organization’s internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZ), and intrusion detection systems (IDS) and intrusion prevention systems (IPS) are commonly used as security monitoring devices in this domain.
Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infrastructure, systems, and data. Remote access solutions typically involve SSL/TLS-encrypted browser access (often described at the time as 128-bit SSL) or encrypted VPN tunnels for secure remote communications.
WAN Domain—Organizations with remote locations require a wide area network (WAN) to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations, sometimes under a managed service offering by the service provider.
System/Application Domain—This domain refers to the hardware, operating system software, database software, client/server applications, and data that is typically housed in the organization’s data center and/or computer rooms.
The first step is recognizing that the potential for compromise exists throughout an organization. The next step is to comprehend the goals of network security.
Goals of Network Security
Network security goals vary from organization to organization. Often, however, they include a few common mandates:
Ensure the confidentiality of resources
Protect the integrity of data
Maintain availability of the IT infrastructure
Ensure the privacy of personally identifiable data
Enforce access control
Monitor the IT environment for violations of policy
Support business tasks and the overall mission of the organization
Whatever your organization’s security goals are, to accomplish them, you need to write down those goals and develop a thorough plan to execute them. Without a written plan, security will be haphazard at best and will likely fail to protect your assets. With a written plan, network security is on the path to success. Once you define your security goals, these goals will become your organization’s roadmap for securing the entire IT infrastructure.
How Can You Measure the Success of Network Security?
An organization measures the security of its network by how well its stated security goals are accomplished and its security standards maintained. In essence, this becomes the organization’s baseline definition for information systems security. For example, if private information on the network does not leak to outsiders, then your efforts to maintain confidentiality were successful. Or, if employees are able to complete their work on time and on budget because the systems they depend on stayed up and responsive, then your efforts to maintain availability were successful.
If violations take place that compromise your assets or prevent the accomplishment of a security goal, however, then network security was less than successful. But let’s face it, security is never perfect. In fact, even with well-designed and executed security, accidents, mistakes, and even intentional harmful exploits will dog your best efforts. The perfect security components do not exist. All of them have weaknesses, limitations, backdoors, work-arounds, programming bugs, or some other exploitable element.
Fortunately, though, successful security doesn’t rely on the installation of just a single defensive component. Instead, good network security relies on an interweaving of multiple effective security components. You don’t have just one lock on your house. By combining multiple protections, defenses, and detection systems, you can rebuff many common, easy hacker exploits.
Network security success is not about preventing all possible attacks or compromises. Instead, you work to continually improve the state of security so that in the future, the network is better protected than it was in the past. As hackers create new exploits, security professionals learn about them, adapt their methods and systems, and establish new defenses. Successful network security is all about constant vigilance, not creating an end product. Security is an ongoing effort that constantly changes to meet the challenge of new threats.
Why Are Written Network Security Policies Important?
A clearly written security policy establishes tangible goals. Without solid and defined goals, your security efforts would be chaotic and hard to manage. Written plans and procedures focus security efforts and resources on the most important tasks to support your organization’s overall security objectives.
A written security policy is a road map. With this map, you can determine whether your efforts are on track or going in the wrong direction. The plan provides a common reference against which security tasks are compared. It serves as a measuring tool to judge whether security efforts are helping rather than hurting the accomplishment of your organization’s security objectives.
With a written security policy, all security professionals strive to accomplish the same end: a successful, secure work environment. By following the written plan, you can track progress so that you install and configure all the necessary components. A written plan validates what you do, defines what you still need to do, and guides you on how to repair the infrastructure when necessary.
Without a written security policy, you cannot trust that your network is secure. Without a written security policy, workers won’t have a reliable guide on what to do, and judging security success will be impossible. Without a written policy, you have no security.
Planning for the Worst
Things invariably go wrong. Users make mistakes. Malicious code finds its way into your network. Hackers discover vulnerabilities and exploit them. In anticipating problems that threaten security, you must plan for the worst.
This type of planning has many names, including contingency planning, worst-case scenario planning, business continuity planning, disaster recovery planning, and continuation of operations planning. The name is not important. What’s crucial is that you do the planning itself.
When problems occur, shift into response gear: respond, contain, and repair. Respond to all failures or security breaches to minimize damage, cost, and downtime. Contain threats to prevent them from spreading or affecting other areas of the infrastructure. Repair damage promptly to return systems to normal status quickly and efficiently. Remember, the goals of security are confidentiality, integrity, and availability. Keep these foremost in mind as you plan for the worst.
The key purpose of planning for problems is to be properly prepared to protect your infrastructure. With a little luck, a major catastrophe won’t occur. But better to prepare and not need the response plan than to allow problems to cause your business to fail.
Who Is Responsible for Network Security?
Network security is the responsibility of everyone who uses the network. Within an organization, no one has the luxury of ignoring security rules. This applies to global corporations as well as home networks. Every person is responsible for understanding his or her role in supporting and maintaining network security. The weakest link rule applies here: If only one person fails to fulfill this responsibility, security for all will suffer.
Senior management has the ultimate and final responsibility for security. This is for good reason: senior management is accountable for the protection of the organization’s assets. Without the approval and support of senior management, no security effort can succeed. Senior management must ensure the creation of a written security policy that all personnel understand and follow.
Senior management also assigns the responsibility for designing, writing, and executing the security plan to the IT staff. Ideally, the result of these efforts is a secure network infrastructure. The security staff, in turn, must thoroughly manage all assets, system vulnerabilities, imminent threats, and pertinent defenses. Their task is to design, execute, and maintain security throughout the organization.
In their role as overseers of groups of personnel, managers and supervisors must ensure that employees have all the tools and resources to accomplish their work. Managers must also ensure that workers are properly trained in skills, procedures, policies, boundaries, and restrictions. Employees can mount a legitimate legal case against an organization that requires them to perform work for which they are not properly trained.
Network administrators manage all the organization’s computer resources. Resources include file servers, network access, databases, printer pools, and applications. The network administrator’s job is to ensure that resources are functional and available for users while enforcing confidentiality and network integrity.
An organization’s workers are the network users and operators. They ultimately do the work the business needs to accomplish. Users create products, provide services, perform tasks, input data, respond to queries, and much more. Job descriptions may apply to a single user or a group of users. Each job description defines a user’s tasks. Users must perform these tasks within the limitations of network security.
Auditors watch for problems and violations. Auditors investigate the network, looking for anything not in compliance with the written security policy. Auditors watch the activity of systems and users to look for violations, trends toward bottlenecks, and attempts to perform violations. The information uncovered by auditors can help improve the security policy, adjust security configurations, or guide investigators toward apprehending security violators.
All of these roles exist within every organization. Sometimes different individuals perform these roles. In other situations, a single person performs all of these roles. In either case, these roles are essential to the creation, maintenance, and improvement of security.
Examples of Network Infrastructures and Related Security Concerns
As you design a network, you need to evaluate every aspect in light of its security consequences. With limited budgets, personnel, and time, you must also minimize risk and maximize protection. Consider how each of the following network security aspects affects security for large corporations, small companies, and even home-based businesses.
Workgroups
A workgroup is a form of networking in which each computer is a peer or equal. Peers are equal in how much power or controlling authority any one system has over the other members of the same workgroup. All workgroup members are able to manage their own local resources and assets, but not those of any other workgroup member.
Workgroups are an excellent network design for very small environments, such as home family networks or very small companies. In most cases, a workgroup comprises fewer than 10 computers and rarely contains more than 20 computers. No single rule dictates the size of a workgroup. Instead, the administrative overhead of larger workgroups encourages network managers to move to a client/server configuration.
Figure 1-3 shows a typical workgroup configuration. In this example, a switch interconnects the four desktop workgroup members as well as an Internet connection device and a wireless access point. Additional clients can connect wirelessly via the access point or wired via a cable connecting to the switch.
Workgroups do not have a central authority that controls or restricts network activity or resource access. Instead, each individual workgroup member makes the rules and restrictions over resources and assets. The security defined for one member does not apply to nor affect any other computer in the workgroup.
FIGURE 1-3
An example of a typical workgroup.
Due to system-by-system–based security, a worker or a workgroup member needs to have a user account defined on each of the other workgroup members to access resources on those systems. Each of these accounts is technically a unique user account, even if it is created by using the same characters for the username and password.
This results in either several unique user accounts with different names and different passwords or several unique user accounts with the same name and same password. In either case, security is poor. In the former case, the user must remember several sets of credentials, which often results in the user writing them down. In the latter case, an intruder need compromise only one set of credentials to gain access to every host on which it is reused.
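The credential reuse just described can be measured rather than guessed at. The following Python script is an added example, not code from the book: it reads a constructed, pwdump-style export of the local accounts on several workgroup members (the host names, user names and hash values are all made up for the example) and reports every password hash that appears on more than one host, plus the set of hosts a single captured credential would open. It assumes Windows-style NT password hashes, which are unsalted, so an identical password produces an identical hash on every host and the reuse is visible without recovering any password. The export format is this example's own, not a format the book describes.

```python
"""Audit workgroup hosts for local accounts that share the same password (added example)."""
from collections import defaultdict

# Constructed sample: one export per workgroup member, in a pwdump-style
# "user:RID:LMhash:NThash:::" layout. The NT hash values are made up.
SAMPLE_EXPORT = """\
[host] PC-ALICE
alice:1001:aad3b435b51404eeaad3b435b51404ee:5d1d8e0d4f9a3b6c7e2f1a0b9c8d7e6f:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
[host] PC-BOB
bob:1001:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
alice:1002:aad3b435b51404eeaad3b435b51404ee:5d1d8e0d4f9a3b6c7e2f1a0b9c8d7e6f:::
[host] PC-PRINT
alice:1001:aad3b435b51404eeaad3b435b51404ee:9a8b7c6d5e4f30211f2e3d4c5b6a7988:::
admin:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""


def parse_export(text):
    """Return {host: {user: nt_hash}} from the constructed export format above."""
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[host]"):
            current = line.split(None, 1)[1].strip()
            hosts[current] = {}
            continue
        if current is None:
            raise ValueError("credential line before any [host] header")
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed line: {line}")
        user, nt_hash = fields[0], fields[3].lower()
        hosts[current][user] = nt_hash
    return hosts


def find_shared_passwords(hosts):
    """Map each NT hash found on more than one host to the (host, user) pairs that use it.

    Unsalted hashes make this comparison possible; the password itself is never needed.
    """
    by_hash = defaultdict(set)
    for host, accounts in hosts.items():
        for user, nt_hash in accounts.items():
            by_hash[nt_hash].add((host, user))
    return {h: pairs for h, pairs in by_hash.items()
            if len({host for host, _ in pairs}) > 1}


def blast_radius(hosts, host, user):
    """Sorted list of hosts an intruder can reach once this one account's password is captured."""
    target = hosts[host][user]
    return sorted(h for h, accounts in hosts.items() if target in accounts.values())


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for nt_hash, pairs in sorted(find_shared_passwords(parsed).items()):
        where = ", ".join(f"{h}\\{u}" for h, u in sorted(pairs))
        print(f"password reused across hosts (hash {nt_hash[:8]}...): {where}")
    print("compromise of PC-BOB\\bob also opens:", blast_radius(parsed, "PC-BOB", "bob"))
```

In the constructed data, bob's password is also the local admin password on the print server, so one phished or cracked credential on PC-BOB opens all three machines; alice's distinct password on PC-PRINT shows the other failure mode, more credentials for the user to remember. The same grouping works on a real export because NT hashes carry no per-host salt; the only changes needed are the export parser and a suppression list for hashes of intentionally disabled or blank passwords.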
This lack of central authority is both a strength and weakness of workgroups. This characteristic is a strength in that each user of each computer can make his or her own choices about sharing resources with others. However, this is at the same time a weakness because of the inconsistent levels of access.
Workgroups are easy to create. Often, the default network configuration of operating systems is to be a member of a workgroup. A new workgroup is created by just defining a unique name on a computer. Once one computer names the workgroup, it now exists. Other computers become members of the new workgroup just by using the same name. Since workgroups lack a central authority, anyone can join or leave a workgroup at any time. This includes unauthorized systems owned by rogue employees or external parties.
Most workgroups use only basic resource-share protections, fail to use encrypted protocols, and are lax on monitoring intrusions. While imposing some security on workgroups is possible, usually each workgroup member is configured individually. Fortunately, since workgroups are small, this does not represent a significant amount of effort.
SOHO Networks
SOHO stands for small office, home office. SOHO is a popular term that describes smaller networks commonly found in small businesses, often deployed in someone’s home, garage, portable building, or leased office space. A SOHO environment can be a workgroup or a client/server network. Usually a SOHO network implies purposeful design with business and security in mind.
SOHO networks generally are more secure than a typical workgroup, usually because a manager or owner enforces network security. Security settings defined on each workgroup member are more likely to be consistent when the workgroup has a security administrator. Additionally, SOHO networks are more likely to employ security tools such as antivirus software, firewalls, and auditing.
Client/Server Networks
A client/server network is a form of network where you designate some computers as servers and others as clients. Servers host resources shared with the network. Clients access resources and perform tasks. Users work from a client computer to interact with resources hosted by servers. In a client/server network, access is managed centrally from the servers. Thus, consistent security is easily imposed across all network members.
Figure 1-4 shows a possible basic layout of a client/server network. In this example, three servers host the resources, such as printers, Internet connectivity, and file storage shared with the network. Both wired and wireless clients are possible. Switches interconnect all nodes. Client/server networks are more likely to use hardware or appliance firewalls.
Client/server networks also make single sign-on (SSO) possible, because authentication is handled by a central directory or authentication server rather than by each resource host. SSO allows a single but stronger set of credentials per user. With SSO, each user authenticates once to gain access to the client and the network. Once the user has logged on, access control manages resource use. In other words, client/server authentication with SSO is often more complex than workgroup authentication, but it is more secure. Users only need to log on once, not every time they contact a resource host server.
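To make the contrast with the per-host accounts of a workgroup concrete, here is an added Python example (not from the book, and not modelled on any particular directory product) of the central authentication pattern that makes SSO possible: a single authentication server holds salted password verifiers and a key shared with each resource server; the user logs on once, receives a short-lived, HMAC-sealed ticket for each service, and the resource servers verify tickets without ever seeing the password. All names, keys, the ticket format and the sample access-control lists are constructed for the example.

```python
"""Central authentication with single sign-on: an added example, not from the book."""
import hashlib
import hmac
import json
import os
import time


def password_verifier(password, salt):
    """Salted PBKDF2 verifier; the auth server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """The only system holding password verifiers; shares one key with each resource server."""

    def __init__(self):
        self._users = {}         # username -> (salt, verifier)
        self._service_keys = {}  # service name -> key shared with that resource server

    def enroll_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, password_verifier(password, salt))

    def enroll_service(self, name):
        key = os.urandom(32)
        self._service_keys[name] = key
        return key  # handed to the resource server out of band

    def logon(self, username, password):
        """The single interactive logon; returns a session or None."""
        entry = self._users.get(username)
        if entry is None:
            return None
        salt, verifier = entry
        if not hmac.compare_digest(verifier, password_verifier(password, salt)):
            return None
        return {"user": username}

    def ticket_for(self, session, service, lifetime=300, now=None):
        """Issue a short-lived ticket for one service, sealed with that service's key."""
        now = int(time.time() if now is None else now)
        body = {"user": session["user"], "svc": service, "exp": now + lifetime}
        payload = json.dumps(body, sort_keys=True)
        tag = hmac.new(self._service_keys[service], payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


class ResourceServer:
    """Needs no password database: it trusts tickets sealed with its shared key."""

    def __init__(self, name, key, acl):
        self.name, self._key, self._acl = name, key, acl

    def authorize(self, ticket, action, now=None):
        """Return the user if the ticket is genuine, for this service, unexpired and permits the action."""
        now = time.time() if now is None else now
        expected = hmac.new(self._key, ticket["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["tag"]):
            return None  # tampered, or sealed with another server's key
        body = json.loads(ticket["payload"])
        if body["svc"] != self.name:
            return None  # ticket was issued for a different service
        if body["exp"] <= now:
            return None  # expired: the client must fetch a fresh ticket
        if action not in self._acl.get(body["user"], ()):
            return None  # authenticated, but not authorized for this action
        return body["user"]


def run_scenario(now=1_000_000):
    """One logon, two services; returns the outcome of each access attempt."""
    auth = AuthServer()
    auth.enroll_user("alice", "correct horse battery staple")  # constructed credentials
    files = ResourceServer("files", auth.enroll_service("files"), {"alice": {"read"}})
    printer = ResourceServer("printer", auth.enroll_service("printer"), {"alice": {"print"}})

    results = {"bad_password": auth.logon("alice", "wrong") is None}
    session = auth.logon("alice", "correct horse battery staple")  # the one logon
    t_files = auth.ticket_for(session, "files", now=now)
    t_print = auth.ticket_for(session, "printer", now=now)
    results["files_read"] = files.authorize(t_files, "read", now=now)
    results["files_write"] = files.authorize(t_files, "write", now=now)
    results["print"] = printer.authorize(t_print, "print", now=now)
    results["wrong_service"] = printer.authorize(t_files, "print", now=now)
    results["expired"] = files.authorize(t_files, "read", now=now + 301)
    forged = dict(t_files, payload=t_files["payload"].replace('"alice"', '"admin"'))
    results["forged"] = files.authorize(forged, "read", now=now)
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check:14s} -> {outcome}")
```

The design point is where secrets live: the password verifier exists only on the authentication server, each resource server holds only its own ticket key, and tickets expire. Compromising the print server therefore yields neither the user's password nor a way to forge tickets for the file server, which is the opposite of the workgroup case, where every host stores a copy of the credential.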
Because of their complexity, client/server networks are generally more secure than SOHO and workgroup networks. But complexity alone is not security. Instead, because they are more complex, client/server networks require more thorough design and planning. Security is an important aspect of infrastructure planning and thus becomes integrated into the network’s design.
FIGURE 1-4
An example of a typical client/server network.
Client/server networks are not necessarily secure because you can deploy a client/server network without any thought toward security. But most organizations understand that if they overlook network security, they are ensuring their ultimate technological downfall. Security is rarely excluded from the deployment process. And some networks are by nature more secure than others.
LAN Versus WAN
LAN stands for local area network. A LAN is a network within a limited geographic area. This means that a LAN is located in a single physical location rather than spread across multiple locations. Some LANs are quite large, while others are very small. A more distinguishing characteristic of a LAN is that all of the segments or links of a LAN are owned and controlled by one organization. A LAN does not contain or use any leased or externally owned connections.
WAN stands for wide area network. A WAN is a network not limited by any geographic boundaries. This means that a WAN can span a few city blocks, reach across the globe, and even extend into outer space. A distinguishing characteristic of a WAN is that it uses leased or external connections and links. Most organizations rely on telecommunication service providers (often referred to as telcos) for WAN circuits and links to physical buildings and facilities, including the last-mile connection to the physical demarcation point.
Both LAN and WAN networks can be secure or insecure. They are secure if a written security policy guides their use. With a LAN, the owner of the network has the sole responsibility of ensuring that security is enforced. With a WAN, the leasing entity must select a telco that has a secure WAN infrastructure and incorporate service level agreements (SLAs) that define the level of service and performance that is to be provided on a monthly basis for the customer. In most cases, WAN data is secure only if the data sent across leased lines is encrypted before transmission. This service is the responsibility of the data owner, not the telecommunications service provider, unless this option is offered as a value-added service.
Thin Clients and Terminal Services
Thin client computing, most often delivered today through terminal services, is an old computing idea that has made a comeback in the modern era. In the early days of computers, the main computing core, commonly called a mainframe, was controlled through an interface called a terminal. The terminal was nothing more than a video screen (usually monochrome) and a keyboard. The terminal had no local processing or storage capabilities. All activities took place on the mainframe and the results appeared on the screen of the terminal.
With the advent of personal computers (PCs), a computer at a worker’s desk offered local processing and storage capabilities. These PCs became the clients of client/server networks. Modern networking environments can offer a wide range of options for end users. Fully capable PCs used as workstations or client systems are the most common. PCs can also run thin-client software, which emulates the terminal system of the past: all tasks are performed on the server or mainframe system, and the PC serves only as a display screen with a keyboard and mouse. Modern thin client terminals can even connect to a server or mainframe without using a full PC.
Remote Control, Remote Access, and VPN
Remote control is the ability to use a local computer system to remotely take over control of another computer over a network connection. In a way, this is the application of the thin client concept on a modern fully capable workstation to simulate working against a mainframe or to virtualize your physical presence.