Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 6
Network Security
Security Through Network Devices
Not all applications are designed or written with security in mind
Network must provide protection
Networks with weak security invite attackers
Aspects of building a secure network
Network devices
Network technologies
Design of the network itself
Standard Network Devices
Security features found in network hardware
Provide basic level of security
Open Systems Interconnection (OSI) model
Network devices classified based on function
Standards released in 1978, revised in 1983, still used today
Illustrates:
How network device prepares data for delivery
How data is handled once received
Table 6-1 OSI reference model
Using the seven layers of the OSI model, we can explore more fully how data can be transferred between two networked computers
Standard Network Devices
Hubs
Connect multiple Ethernet devices together:
To function as a single network segment
Ignorant of data source and destination: every frame is repeated out of every port
Rarely used today because of this inherent security vulnerability: any device plugged into a hub can sniff all traffic on the segment
Switches
Learn which MAC address sits behind each port and forward a frame only to the port of its destination device; broadcast frames (and frames to a destination not yet learned) go to all ports
Use MAC address to identify devices
Provide better security than hubs, since a device on one port does not normally see unicast traffic meant for another
Figure 6-1 Port mirroring
© Cengage Learning 2012
Standard Network Devices (cont’d.)
Network administrator should be able to monitor network traffic
Helps identify and troubleshoot network problems
Traffic monitoring methods
Port mirroring
Network tap (test access point)
Sniffer (protocol analyzer) software running on the monitoring host
Switch Defenses
Use a switch that can close (shut down) a port that learns too many source MAC addresses, which defeats flooding of the switch’s address table
Configure the switch so that only one port can be assigned per MAC address, so a spoofed MAC address cannot hijack another device’s traffic
Use an ARP detection appliance (or the switch’s own ARP inspection) to catch ARP replies that change the MAC address bound to an IP address
Secure the switch in a locked room
Keep network connections secure by restricting physical access to ports and cabling
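The first three defenses above are easiest to understand as checks a switch performs on what it sees. The following is an added example (not from the textbook and not any switch vendor's code) that models two of them in Python on constructed sample traffic: a port-security limit that err-disables a port learning too many source MACs, and an ARP inspection check that flags an IP address whose MAC changes between ARP replies. The port names, MAC addresses, IP addresses and the limit of two MACs per port are all assumptions made for the example.

```python
"""Added example (not from the textbook): two switch-side checks modelled on
constructed sample traffic.  port_security() mimics a port that shuts itself
down after learning more than a fixed number of source MACs; arp_inspection()
mimics an ARP inspection check that notices an IP address changing its MAC."""
from collections import defaultdict

MAX_MACS_PER_PORT = 2   # assumed limit; real switches often default to 1

# Constructed sample: (ingress port, source MAC) taken from received frames
SAMPLE_FRAMES = [
    ("Gi0/1", "00:11:22:33:44:01"),
    ("Gi0/2", "00:11:22:33:44:02"),
    ("Gi0/3", "de:ad:be:ef:00:01"),   # Gi0/3 starts sending random source MACs
    ("Gi0/3", "de:ad:be:ef:00:02"),
    ("Gi0/3", "de:ad:be:ef:00:03"),
    ("Gi0/3", "de:ad:be:ef:00:04"),
    ("Gi0/1", "00:11:22:33:44:01"),   # a repeat of an already-known MAC is fine
]

def port_security(frames, max_macs=MAX_MACS_PER_PORT):
    """Return (mac_table, shut_ports).  A port that learns more than max_macs
    distinct source MACs is put into an err-disabled state and learns no more,
    so the address table cannot be flooded from that port."""
    learned = defaultdict(set)
    shut = set()
    for port, mac in frames:
        if port in shut:
            continue                      # frames on a shut port are dropped
        learned[port].add(mac)
        if len(learned[port]) > max_macs:
            shut.add(port)
    return {p: sorted(m) for p, m in learned.items()}, sorted(shut)

# Constructed sample ARP replies: (sender IP, sender MAC)
SAMPLE_ARP = [
    ("192.0.2.1",  "00:11:22:33:44:fe"),   # the real gateway
    ("192.0.2.10", "00:11:22:33:44:01"),
    ("192.0.2.1",  "de:ad:be:ef:00:01"),   # a second host claims the gateway's IP
    ("192.0.2.10", "00:11:22:33:44:01"),
]

def arp_inspection(replies):
    """Return a list of (ip, bound_mac, claimed_mac) conflicts.  The first MAC
    seen for an IP is kept as the binding; a reply that disagrees with it is
    reported rather than accepted.  (A production implementation checks against
    DHCP snooping bindings instead of first-seen values.)"""
    binding = {}
    conflicts = []
    for ip, mac in replies:
        if ip in binding and binding[ip] != mac:
            conflicts.append((ip, binding[ip], mac))
        else:
            binding.setdefault(ip, mac)
    return conflicts

if __name__ == "__main__":
    table, shut = port_security(SAMPLE_FRAMES)
    print("err-disabled ports:", shut)
    print("ARP conflicts:", arp_inspection(SAMPLE_ARP))
```

Running the sample shuts Gi0/3 after its third distinct MAC and reports 192.0.2.1 as claimed by two different MACs; the other ports and hosts pass both checks.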
Standard Network Devices
Load balancers
Help evenly distribute work across a network
Allocate requests among multiple devices
Example: HTTP requests to port 80 spread across several web servers
Laymance Apache Load Balancers
Load Balancing Security
Security advantages of load balancing
Can stop attacks directed at a server or application
Can detect and prevent denial-of-service attacks
Some can deny attackers information about the network
Hide HTTP error pages
Remove server identification headers from HTTP responses
Removing Headers for Server Security
Typically there are three response headers that many administrators want to remove for security reasons:
Server - Identifies the web server software and version.
X-Powered-By - Indicates that the website is "powered by ASP.NET."
X-AspNet-Version - Specifies the version of ASP.NET used.
Source: MSDN blogs
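The two preceding slides describe a load balancer or reverse proxy that hides HTTP error pages and removes server identification headers. The following is an added example (not from the textbook, MSDN, or any load balancer product) of that scrubbing step in Python: it parses a raw backend response, drops the three headers named above, and replaces the body of any error response with a generic page. The backend response, the IIS/ASP.NET version strings in it, and the generic error page are constructed for the example.

```python
"""Added example (not the textbook's or any vendor's code): what a load
balancer or reverse proxy does when it strips identifying headers and hides
the backend's error pages.  The backend response below is constructed; the
header names are the three from the MSDN note."""

IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
GENERIC_ERROR = b"<html><body>An error occurred.</body></html>"

# Constructed backend response: leaks platform/version and a stack trace
SAMPLE_BODY = b"<html>Stack trace: at App.Db.Query(String sql)</html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    + b"Server: Microsoft-IIS/7.5\r\n"
    + b"X-Powered-By: ASP.NET\r\n"
    + b"X-AspNet-Version: 4.0.30319\r\n"
    + b"Content-Type: text/html\r\n"
    + b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n"
    + SAMPLE_BODY
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body

def leaky_headers(raw):
    """Names of identifying headers present in a response (an audit helper)."""
    _, headers, _ = parse_response(raw)
    return [name for name, _ in headers if name.lower() in IDENTIFYING_HEADERS]

def scrub_response(raw):
    """Return the response as the proxy would send it to the client:
    identifying headers removed, and for 4xx/5xx responses the backend's body
    replaced by a generic page (with Content-Length recomputed)."""
    status_line, headers, body = parse_response(raw)
    status = int(status_line.split()[1])
    kept = [(n, v) for n, v in headers if n.lower() not in IDENTIFYING_HEADERS]
    if status >= 400:
        body = GENERIC_ERROR
        kept = [(n, v) for n, v in kept if n.lower() != "content-length"]
        kept.append(("Content-Length", str(len(body))))
    head = status_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept)
    return head.encode("latin-1") + b"\r\n" + body

if __name__ == "__main__":
    print("leaks before:", leaky_headers(SAMPLE_RESPONSE))
    print(scrub_response(SAMPLE_RESPONSE).decode("latin-1"))
```

Successful (2xx/3xx) responses keep their body untouched; only the identifying headers are removed, so the change is invisible to normal clients while an attacker fingerprinting the server learns nothing from either the headers or the error text.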
Firewalls
Hardware-based network firewall inspects packets at the network boundary and passes or blocks them by rule
Application-aware (web application) firewall looks deeply into the packets that carry HTTP and similar application traffic
Traffic from web browsers, FTP clients, and other applications
Can block specific sites or specific known attacks
Can block XSS and SQL injection attacks carried inside HTTP requests
Proxy Servers and Reverse Proxy
Proxy server: computer or application that intercepts and processes user requests on their behalf
Stronger security
Intercept malware before it reaches the client
Hide client system’s IP address from the outside
Reverse proxy
Routes incoming requests to the correct internal server
Reverse proxy’s IP address is visible to outside users
Internal server’s IP address hidden
Figure 6-5 Configuring access to proxy servers
Figure 6-6 Reverse proxy
Network Security Hardware (cont’d.)
Spam filters
Enterprise-wide spam filters block spam before it reaches the host
Email systems use three protocols
Simple Mail Transfer Protocol (SMTP)
Handles outgoing mail
Post Office Protocol (POP)
Handles incoming mail
Internet Message Access Protocol (IMAP)
Handles reading email from many different devices
Network Security Hardware (cont’d.)
Spam filters installed with the SMTP server
Filter configured to listen on port 25, the port outside senders connect to
Passes non-spam e-mail to the SMTP server listening on another port
Method keeps spam from ever reaching the SMTP server, so the server never sends a failed-delivery notice back to the spammer’s (often forged) sender address
Network Security Hardware (cont’d.)
Virtual private network (VPN)
Uses an unsecured public network as if it were a secure private network
All data transmitted between remote device and network is encrypted
Hardware-based generally have better security
Software-based have more flexibility in managing network traffic
Network Security Hardware (cont’d.)
Internet content filters
Monitor Internet traffic
Block access to preselected Web sites and files
Unapproved sites identified by URL or matching keywords
Network Security Hardware (cont’d.)
Web security gateways
Can block malicious content in real time
Block content through application level filtering
Examples of blocked Web traffic
ActiveX objects, Adware, spyware, Peer to peer file sharing, Script exploits
Network Security Hardware (cont’d.)
Network intrusion detection system (NIDS)
Watches for attacks on the network
NIDS sensors installed on firewalls and routers:
Gather information and report back to central device
Passive NIDS will sound an alarm
Active NIDS will sound alarm and take action
Actions may include filtering out intruder’s IP address or terminating TCP session
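The passive/active distinction above is clearest when the same detection logic is run both ways. The following is an added example (not from the textbook or any IDS product) of one NIDS signature in Python, "one source probes many distinct ports within a few seconds", run over constructed connection-log lines: in passive mode it only records an alert; in active mode it also adds the source to a block list and drops that source's later packets, which is the "filter out the intruder's IP address" action the slide describes. The log format, the addresses, and the threshold of five ports in five seconds are assumptions made for the example.

```python
"""Added example (not from the textbook): a single NIDS signature run over
constructed connection-log lines in passive mode (alert only) and active mode
(alert and drop further traffic from the source, as an active NIDS/NIPS would).
Log format, addresses and the threshold/window values are assumed."""
import re
from collections import defaultdict

# Assumed log line: "<epoch seconds> <src> -> <dst>:<port> <tcp flags>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<flags>\S+)$")

# Constructed sample: 198.51.100.7 sweeps ports; 192.0.2.55 is a normal client
SAMPLE_LOG = """\
1000 198.51.100.7 -> 192.0.2.10:22 S
1001 198.51.100.7 -> 192.0.2.10:23 S
1001 198.51.100.7 -> 192.0.2.10:25 S
1002 198.51.100.7 -> 192.0.2.10:80 S
1002 198.51.100.7 -> 192.0.2.10:443 S
1003 198.51.100.7 -> 192.0.2.10:8080 S
1004 192.0.2.55 -> 192.0.2.10:443 S
1005 192.0.2.55 -> 192.0.2.10:443 S
1010 198.51.100.7 -> 192.0.2.10:3389 S
"""

def detect(log_text, threshold=5, window=5, active=False):
    """Return (alerts, blocked_sources).  For each source, keep the distinct
    destination ports seen in the last `window` seconds; once `threshold`
    ports are reached, raise one alert for that source.  In active mode the
    source is also blocked and its later lines are dropped before inspection."""
    recent = defaultdict(list)   # src -> [(ts, dst_port)] inside the window
    alerted = set()
    alerts, blocked = [], set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # ignore lines that do not parse
        ts, src, port = int(m["ts"]), m["src"], int(m["port"])
        if src in blocked:
            continue                        # active mode: filtered at the sensor
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window]
        recent[src].append((ts, port))
        ports = {p for _, p in recent[src]}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, sorted(ports)))   # passive: sound the alarm
            if active:
                blocked.add(src)                        # active: also block the IP
    return alerts, sorted(blocked)

if __name__ == "__main__":
    print("passive:", detect(SAMPLE_LOG))
    print("active: ", detect(SAMPLE_LOG, active=True))
```

Both modes raise the same alert at second 1002, when the fifth distinct port is hit; only the active run returns a non-empty block list, and in that run the scanner's two later probes never reach the detection logic at all.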
Network Security Hardware (cont’d.)
Network intrusion prevention system (NIPS)
Similar to active NIDS
Monitors network traffic to immediately block a malicious attack
Demilitarized Zone (DMZ)
Separate network located outside secure network perimeter
Untrusted outside users can access DMZ but not secure network
Figure 6-11 DMZ with one firewall
Subnetting
An IPv4 address is 32 bits and may be split between network and host portions at any bit boundary
Once subnetted, an address can be divided into three parts
Network
Subnet
Host
Each network can contain several subnets
Each subnet can contain multiple hosts
Improves network security by isolating groups of hosts
Allows administrators to hide internal network layout
www.ccnapractice.org
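The following is an added example (not from the textbook or ccnapractice.org) of the subnetting slide in Python, using the standard library's ipaddress module: it carves a /24 into /26 subnets, reports how many bits go to network, subnet and host, and then applies a deny-by-default segmentation policy between the subnets, which is the "isolating groups of hosts" benefit the slide lists. The 192.0.2.0/24 block (a documentation range), the four subnet roles and the policy table are assumptions made for the example.

```python
"""Added example (not from the textbook): subnetting with ipaddress, plus a
constructed segmentation policy showing how subnet boundaries isolate hosts.
The address block, subnet roles and policy are assumptions for the example."""
import ipaddress

def split_network(network, new_prefix):
    """Return (subnets, (network_bits, subnet_bits, host_bits)) for carving
    `network` into subnets with prefix length `new_prefix`."""
    net = ipaddress.ip_network(network, strict=True)
    subnets = list(net.subnets(new_prefix=new_prefix))
    bits = (net.prefixlen, new_prefix - net.prefixlen, net.max_prefixlen - new_prefix)
    return subnets, bits

def subnet_of(addr, subnets):
    """The subnet containing `addr`, or None if it lies outside all of them."""
    ip = ipaddress.ip_address(addr)
    for s in subnets:
        if ip in s:
            return s
    return None

# Constructed layout: 192.0.2.0/24 split into four /26 subnets with roles
SUBNETS, BITS = split_network("192.0.2.0/24", 26)
USERS, SERVERS, MGMT, GUEST = SUBNETS

# Constructed policy: which subnet may initiate traffic to which other subnet.
# Traffic inside one subnet never crosses the router; traffic between subnets
# is denied unless listed here (the router or firewall enforces this).
POLICY = {(USERS, SERVERS), (MGMT, SERVERS), (MGMT, USERS)}

def permitted(src, dst, subnets=SUBNETS, policy=POLICY):
    """True if `src` may reach `dst` under the segmentation policy."""
    s, d = subnet_of(src, subnets), subnet_of(dst, subnets)
    if s is None or d is None:
        return False          # unknown address space is not routed at all
    if s == d:
        return True           # same subnet: no router in the path to filter
    return (s, d) in policy

if __name__ == "__main__":
    print("network/subnet/host bits:", BITS)
    for role, s in zip(("users", "servers", "mgmt", "guest"), SUBNETS):
        print(f"{role:8} {s}  usable hosts: {s.num_addresses - 2}")
    print("user -> server :", permitted("192.0.2.10", "192.0.2.70"))
    print("guest -> server:", permitted("192.0.2.200", "192.0.2.70"))
```

A guest-subnet host cannot reach the server subnet, while a user-subnet host can, and two guest hosts can always talk to each other. Putting sensitive hosts in their own subnet therefore only isolates them if the router or firewall between subnets actually enforces a policy like this one.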
Virtual LANs (VLAN)
Allow scattered users to be logically grouped together:
Even if attached to different switches
Can isolate sensitive data to VLAN members
Communication on a VLAN
If connected to same switch, switch handles packet transfer
Special tagging protocol (IEEE 802.1Q) used for communicating between switches: the frame carries its VLAN ID across the trunk link
Can be used to group internal users and telecommuters alike
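The following is an added example (not from the textbook) of the tagging protocol in Python: it builds an Ethernet frame with an IEEE 802.1Q tag, parses the tag back out, and applies a trunk port's allowed-VLAN list to decide whether the frame may enter. The MAC addresses, VLAN numbers, payload bytes and the allowed-VLAN list are constructed for the example; the tag layout (TPID 0x8100 followed by a 16-bit TCI holding a 12-bit VLAN ID) is the 802.1Q format itself.

```python
"""Added example (not from the textbook): building and parsing the IEEE 802.1Q
VLAN tag that switches use on trunk links, and applying a trunk's allowed-VLAN
list to incoming frames.  Addresses, VLAN IDs and payload are constructed."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces "an 802.1Q tag follows"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def tag_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the
    original EtherType.  TCI = 3-bit priority (PCP) | 1-bit DEI | 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vlan_id
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ethertype) + payload)

def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), ethertype and payload."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def trunk_accepts(frame, allowed_vlans, native_vlan=1):
    """Mimic a trunk port's ingress filter: an untagged frame belongs to the
    native VLAN; a tagged frame is accepted only if its VLAN is allowed."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        vlan = native_vlan
    return vlan in allowed_vlans

# Constructed sample frames: a stub IPv4 payload on two different VLANs
PAYLOAD = b"\x45\x00" + b"\x00" * 18
FINANCE = tag_frame("00:11:22:33:44:55", "00:11:22:33:44:66", 100, 0x0800, PAYLOAD)
GUEST = tag_frame("00:11:22:33:44:55", "00:11:22:33:44:77", 200, 0x0800, PAYLOAD)
UNTAGGED = (mac_bytes("00:11:22:33:44:55") + mac_bytes("00:11:22:33:44:88")
            + struct.pack("!H", 0x0800) + PAYLOAD)

if __name__ == "__main__":
    for name, f in (("finance", FINANCE), ("guest", GUEST), ("untagged", UNTAGGED)):
        print(name, parse_frame(f)["vlan"], "accepted:", trunk_accepts(f, {1, 10, 100}))
```

Pruning the allowed-VLAN list on each trunk, and keeping user ports off the native VLAN, is what makes the "isolate sensitive data to VLAN members" claim hold: a tag is only four bytes that any host can forge, so the switch, not the tag, has to decide which VLANs a given port may carry.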
Wrap-up video: https://www.youtube.com/watch?v=2hUUaG4o3DA