1

Network SecurityFundamentals

Steven TaylorPresident, Distributed Networking Associates, Inc.

Publisher/Editor, Webtorialstaylor@webtorials.com

Larry HettickVice President, Wireline Solutions

Current Analysislarry@larryhettick.com

Thanks to the sponsor…This presentation is made possible in part due to the generous support of Nortel Networks.

2

Agenda

Overview of the problemVarious Vulnerabilities

WorkstationsLANs and SwitchesRouters and FirewallsWide Area Networks (WANs)

The Big Picture

Security RequirementsSecurity is a process of balancing risks and benefitsSome potential security threats

WorkstationsLANs and SwitchesRouters and FirewallsWide Area Networks (WANs)Physical security

Make a decision based on a realistic evaluation; not emotion

3

Agenda

Overview of the problemVarious Vulnerabilities

WorkstationsLANs and SwitchesRouters and FirewallsWide Area Networks (WANs)

The Big Picture

Wide Area Network

EthernetSwitch

Router

WirelessEthernetAccessPoint

Firewall

Network Architecture

4

Workstation Security

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Virus Insider Abuseof Network

Laptop Theft Systempenetration

UnauthorizedAccess

Denial ofService

Experienced Threats to Information Security

Source: CSI/FBI 2004 Computer Crime and Security Survey Results. http://www.gocsi.com

5

EthernetSwitch

LAN Security

Traditional (old) EthernetAdvantage

Shared, “broadcast" medium provides easy access

DisadvantageShared, “broadcast" medium is a significant security risk

6

Switched Ethernet

SwitchedMultiple paths through the switch Dedicated full-speed media

ScalableMultiple speeds to match application

Speed Conversion

Inherently more secure

10 Mbps

100 Mbps

Packet sniffing…Can packets be sniffed?

Yes, if youHave physical accessTap the lineDecode Ethernet, plus IP, plus IP encodingCan do this realtimeAnd you could use encryption (more later)

Is switched Ethernet a security risk?Is it worth the trouble? No worse than traditional telephonyDepends on physical access

7

EthernetSwitch

WirelessEthernetAccessPoint

Wireless LAN Security

Wireless Ethernet

Acts like traditional Ethernet without the wire

Shared, “broadcast" medium provides easy access but is a security risk

Multiple Security enhancements available

Security needs to be implemented carefully and fully

8

EthernetSwitch

Router

WirelessEthernetAccessPoint

Security and IP

IP Address Spoofing

IP address is set by the user

Can be spoofedNeed for authentication

But this problem is mostly solved

Network Address Translation (NAT)Additional mechanisms for advanced functions (like Session Initiated Protocol – SIP)

9

EthernetSwitch

Router

WirelessEthernetAccessPoint

Firewall

Firewalls

Firewalls

Internet

Corporate Network

Applications to limit and control connectivity within network environmentsProvide both external access limitationsand internal resource protection

10

Wide Area Network

EthernetSwitch

Router

WirelessEthernetAccessPoint

Firewall

WAN Security

Common WAN ServicesPrivate line, frame relay and ATMPrivate IP VPNsInternet Backbone VPNs

IPSecSSL

11

Private Line, Frame Relay and ATM Security

Private lines provide dedicated bandwidth per circuit

TDM technologyFrame relay and ATM PVC / SVC addresses are set by network operations

SVC user controls connection, not address

At some point, you must trust the service provider(s)

Common issue for all netsEncryption is available, but not usually required

Private IP VPNsIP-based networks that are not based on the public Internet

“Closed User Group” for each enterpriseOften based on Multiprotocol Label Switching (MPLS)

LSPs (Virtual Circuits) automatically configured based on IP address

“Self-configuring” frame relay

Sometimes deployed as “Virtual Routers”Security issues similar toATM and frame relay

Router B

Router A Router C

Label-Switched Paths (LSPs)

12

ISP #4

ISP #3

Internet Backbone VPNsUses IP as the “UNI” to the networkAny-to-Any connectivityNo inherent security

ISP #1 ISP #2Internet

ISP #4

ISP #3

Internet Backbone VPNsUses IP as the “UNI” to the networkAny-to-Any connectivityNo inherent securityMultiple ISPs connected at “Peering Points”

ISP #1 ISP #2

Peering Point

13

Network A Network B Network C

IPSec VPNs

Internet transport layer

Network A Network B Network C

IPSec VPNs

Internet transport layer“Tunnels” through the Internet

14

What is IPSec?Encapsulation method that encrypts IP packets between two points inside another IP messageAuthenticates and secures VPNsover publicIP services

Internet

IPSec MessageIP packet

What is SSL?Similar to IPSec

Similar encryption algorithms

Browser basedAuthenticates between browser and server

Internet

15

Choosing a WAN Architecture

All methods “work”All methods can be secureOne size doesn’t fit allCorporate “religion” is a majordecision-making factor

Agenda

Overview of the problemVarious Vulnerabilities

WorkstationsLANs and SwitchesRouters and FirewallsWide Area Networks (WANs)

The Big Picture

16

Wide Area Network

EthernetSwitch

Router

WirelessEthernetAccessPoint

Firewall

This is Your Network

Wide Area Network

EthernetSwitch

Router

WirelessEthernetAccessPoint

Firewall

Who’s guarding the door?

17

Thank you!Summary

Overview of the problemVarious Vulnerabilities

WorkstationsLANs and SwitchesRouters and FirewallsWide Area Networks (WANs)

The Big PictureFor more information

Webtorialshttp://www.webtorials.com

Nortel NetworksSponsor of this presentationhttp://www.nortelnetworks.com