Information Security © 2006 Eric Vanderburg
Information Security
Chapter 5
Securing the Network Infrastructure
Cabling
• Cable Plant – Network infrastructure
• Cable Characteristics
– Bandwidth Rating
– Max Segment Length
– Segments per network
– Devices per segment
– Interference Susceptibility (EMI & RFI)
– Connection Hardware
– Cable Grade (PVC or Plenum Grade Teflon)
– Bend radius
– Cost (Material, Installation, & Maintenance)
Coaxial Cable (Coax)
• Thicknet (10base5)
– ½ inch thick
– RG-11 or RG-8
– Vampire tap
– AUI (Attachment Unit Interface) – 15 pin DB-15
• Thinnet (10base2)
– BNC (British Naval Connector)
– 50 ohms impedance
– RG-58
• Coax for Broadband (RG-59, 75 Ohm)
Twisted Pair
• Twists reduce crosstalk
• UTP (Unshielded Twisted Pair) 10baseT
• STP (Shielded Twisted Pair)
– Foil wrapped around wires
• Phone line (RJ-11)
• TP Network cable (RJ-45)
• 100 Meter max length
Twisted Pair Categories
• Cat1 – voice only, before 1982
• Cat2 – 4 wires, 4Mbps
• Cat3 – 4 wires, 10Mbps, 3 twists/foot
• Cat4 – 8 wires, 16Mbps
• Cat5 – 8 wires, 100Mbps
• Cat5e – 8 wires, 1Gbps, full-duplex, 100MHz*
• Cat6 – 8 wires, 1Gbps, 250MHz*, larger, more sensitive
• Cat7 – 8 wires, shielded, 1Gbps, 600MHz*, individually shielded pairs
* Easier to detect defects with higher frequencies
Fiber Optic
• Signal sent by light
• No eavesdropping
• No interference
• Two cables needed for full duplex
• Surrounded by Kevlar
• Max length: 2-100 km
• 1Gbps & 10Gbps implementations
• Difficult to install
• Expensive (Cable, Install, Maintenance)
Fiber Optic Connectors
• ST (Straight Tip)
• SC (Straight Connection)
• MT-RJ – two cables in one; RJ-45 clone
• SMA (Subminiature Type A)
• MIC (Medium Interface Connector)
• LC (Link Control)
Fiber Optic cable types
• Single mode
– Laser based
– Spans longer distance
– One piece of glass
– Core: 2-9 microns
• Multi-mode
– LED based
– Shorter distance
– Multiple pieces of glass
– Core: 25-200 microns
Quick Comparison
Type      Length            Bandwidth        Installation  Interference  Cost
UTP       100 meters        10Mbps-1Gbps     Easy          High          Cheapest
STP       100 meters        16Mbps-1Gbps     Moderate      Moderate      Moderate
Thinnet   185 meters        10Mbps           Easy          Moderate      Cheap
Thicknet  500 meters        10Mbps           Hard          Low           Expensive
Fiber     2-100 kilometers  100Mbps-10Gbps   Moderate      None          Most Expensive
Sniffers
• Captures all data packets that travel on a network.
• Designed for use in network diagnostics
• Hard to trace because it is passive
• Can be used to find passwords or other sensitive information
• Mitigate with switched networks
• Protect the physical environment
• Watch out for compromised hosts
Removable Media
• Optical Media
– CD
– DVD
• Magnetic Media
– Floppy disk
– Hard drive
– Micro drive
– Tape
• Flash Media
– USB Stick, CF (non microdrive), SD, MMC, SmartMedia, Game cartridge, PCMCIA, Rom Chips
Securing Removable Media
• Encrypt USB Sticks
• Disable or lock USB ports on the computer
• Physical check that devices are not brought in
Terms
• Workstation
• Server
• Terminal
Server Types
• Domain Controller
• Application Server
• File Server
• Print Server
• Communication Server
• Web Server
• Mail Server
• Name Server
Server Vendors
• Microsoft
– Windows NT
– Windows 2000
– Windows 2003
• Linux (Various Distributions)
• Novell Netware
• OS/2
• Sun Microsystems
– Solaris
– Looking Glass
• Apple
– Mac OSX Server
• FreeBSD
• NeXT
[Figure: Operating Systems – Microsoft, Linux, BSD, MacOSX, NetWare 6, UNIX, NeXT, NetWare v1-5, Mac OS 1-9, OS/2]
Equipment
• Repeater
• Hubs
– Active (powered – regenerates signal)
– Passive (unpowered)
• Bridge
– Translation bridge – translates differing frame types for different architectures (ATM, Ethernet)
• Router
– Reduces the broadcast domain
– Looks at packets
– Can filter by packets
Equipment
• Switches
– Cut-through switching – reads only the first part of the frame to forward it.
– Store & forward switching
  • Reads entire frame before forwarding. Also does error checking using the CRC field, discards if errors.
  • Saves bandwidth because bad frames are not forwarded. Requires faster switches
– Fragment free switching – reads enough to know it is not a malformed or damaged frame
– Reduces the collision domain
– Looks at frames
– VLANs (Virtual LAN)
– Core switch – central to the network. Other switches connect into it
– Workgroup switch – connects to network nodes
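The three forwarding modes above, as an added example that is not part of the original slides: a constructed Ethernet frame is run through a cut-through, fragment-free and store-and-forward decision, showing that only store-and-forward catches a corrupted FCS (CRC-32) while fragment-free still catches runts. The frame layout and bit-flip position are assumptions for illustration.

```python
import zlib

DST_MAC_LEN = 6      # cut-through forwards as soon as the destination MAC is read
MIN_FRAME_LEN = 64   # fragment-free waits for the first 64 bytes (minimum valid frame)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed Ethernet frame: header + payload padded to 46 bytes + FCS."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload.ljust(46, b"\x00")
    fcs = zlib.crc32(body).to_bytes(4, "little")   # Ethernet transmits the FCS LSB first
    return body + fcs

def fcs_ok(frame: bytes) -> bool:
    """Recompute CRC-32 over everything except the trailing FCS and compare."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")

def cut_through(frame: bytes) -> str:
    # Only the destination MAC is read before forwarding, so a bad FCS is never seen.
    return "forward" if len(frame) >= DST_MAC_LEN else "drop"

def fragment_free(frame: bytes) -> str:
    # Reads 64 bytes: enough to discard collision fragments (runts), but a
    # corrupted byte later in the payload still gets through.
    return "forward" if len(frame) >= MIN_FRAME_LEN else "drop"

def store_and_forward(frame: bytes) -> str:
    # Buffers the whole frame and verifies the FCS before forwarding it.
    return "forward" if len(frame) >= MIN_FRAME_LEN and fcs_ok(frame) else "drop"

def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset to simulate damage on the wire."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)

def demo() -> dict:
    """Run each mode over a good frame, a corrupted frame and a runt (all constructed)."""
    good = build_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                       0x0800, b"constructed payload")
    bad = corrupt(good, 40)   # damage inside the payload, well past the header
    runt = good[:30]          # collision fragment: shorter than 64 bytes
    modes = (cut_through, fragment_free, store_and_forward)
    return {name: tuple(mode(frame) for mode in modes)
            for name, frame in (("good", good), ("bad", bad), ("runt", runt))}

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: cut-through/fragment-free/store-and-forward = {verdicts}")
```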
Network Management
• SNMP (Simple Network Management Protocol)
– Agents
– MIB (Management Information Base)
– Ports 161 & 162 UDP
– SNMP enabled devices are called managed devices
Securing Network Devices
• Create a custom logon prompt to remove any info about the device
• Disable HTTP or SNMP access if they are not used
– If used, try SSL instead of HTTP
– Use SNMP version 3
• Limit access to certain machines or subnets
• Log activity
• Encrypt management communications
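The hardening points on this slide turned into a check, as an added example that is not from the original slides: a small audit over a constructed Cisco IOS-style configuration flags a revealing banner, clear-text HTTP management, SNMPv1/v2c community strings, missing access restrictions on the vty lines, telnet and unauthenticated logins. The device, its config text and the finding wording are assumptions; the IOS commands quoted are real ones.

```python
import re

# Constructed Cisco IOS-style configuration (not a real device) with several of
# the weaknesses the slide warns about.
SAMPLE_CONFIG = """\
hostname core-sw1
banner motd ^ Welcome to core-sw1, Cisco Catalyst running IOS 12.2 ^
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 no login
"""

def audit_config(config: str) -> list:
    """Return (severity, finding) tuples for each hardening point that is violated."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    # Logon prompt: the banner should not reveal the vendor, platform or OS version.
    for m in re.finditer(r"^banner \w+ \^(.*)\^", config, re.M):
        if re.search(r"cisco|ios|catalyst|\d+\.\d+", m.group(1), re.I):
            findings.append(("medium", "banner discloses device details; use a neutral banner"))
    # HTTP management is clear text: disable it or use HTTPS ('ip http secure-server').
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(("high", "HTTP management enabled; disable it or switch to HTTPS"))
    # SNMPv1/v2c community strings travel in clear text: move to SNMPv3 with auth and priv.
    for l in lines:
        if l.startswith("snmp-server community"):
            findings.append(("high", f"SNMPv1/v2c community configured: '{l}'; use SNMPv3"))
    # Management access should be limited to named subnets with an access-class.
    if "line vty" in config and not any(l.startswith("access-class") for l in lines):
        findings.append(("medium", "vty lines have no access-class limiting source subnets"))
    # Telnet is clear text; SSH keeps management communications encrypted.
    if "transport input telnet" in lines:
        findings.append(("high", "telnet enabled on vty lines; use 'transport input ssh'"))
    # Remote logins must authenticate.
    if "no login" in lines:
        findings.append(("high", "vty lines accept connections without authentication"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```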
Communication Devices
• Modem (Modulator / Demodulator)
• DSL (Digital Subscriber Line) – uses phone lines on a much higher frequency. Dedicated line.
• Cable Modem – faster max speed but a shared medium
• Central Office (CO) or Head end – local connection point where a neighborhood of connections terminate and are connected into the ISP’s network.
• Always-on connections can be tempting for attackers. Firewalls are a must.
Remote Access
• RAS (Remote Access Server) – A computer that allows others to connect into it.
– Modem
– VPN
• Protect using
– Authentication
– Privileges
– Account lockout policies
– Firewalls & ACL
File Browsing
• UNC (Universal Naming Convention)
– Windows shares are named \\computername\sharename
Telcos
• PBX (Private Branch Exchange) – private switching station for voice and data services
• PBX attacks
– Data modification
– Denial of service
– Information disclosure
– Traffic analysis – where calls go to and from, frequency, time
– Theft of service
Network Security Devices
• Firewalls – filters packets based on criteria such as an ACL or a rule base
• Routers can serve this purpose but they are not as efficient as a dedicated device
• Personal firewall (host based)
• Enterprise software firewall – designed to run on a powerful machine that analyzes all network traffic running through it.
• Hardware firewall – engineered to be able to process packets quickly and efficiently.
Firewalls
• Packet filtering
– Stateless – allows or denies packets based on rules
– Stateful – keeps a state table of outgoing connections and allows corresponding incoming connections.
• Advanced firewalls
– Antivirus scanning
– Content filtering – looks at web sites and such. Could use a database from another vendor which is updated regularly. Enable and disable types of content
– Application layer firewall – looks at many packets together to determine whether to let them in.
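Stateless versus stateful packet filtering, as an added example that is not from the original slides: the same four constructed packets are judged by a rule-only filter and by a filter that records outgoing connections in a state table and admits only their replies. The internal prefix, the published web server and the packets are assumptions; this models the idea, not any real firewall.

```python
from collections import namedtuple

# Constructed packets: TCP flags as a short string ("S" = SYN, "SA" = SYN/ACK, "A" = ACK).
Packet = namedtuple("Packet", "src sport dst dport flags")
INSIDE_PREFIX = "10.0.0."       # assumed internal network
WEB_SERVER = ("10.0.0.80", 80)  # the one service the rule base publishes to the outside

def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)

def stateless_filter(pkt: Packet) -> str:
    """Stateless rules judge each packet alone: inside->out allowed, outside->in only to the web server."""
    if is_inside(pkt.src):
        return "allow"
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return "allow"
    return "deny"   # legitimate replies to internal clients are denied as well

class StatefulFilter:
    """Records outgoing connections in a state table and admits only their replies."""
    def __init__(self):
        self.table = set()   # entries: (inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt: Packet) -> str:
        if is_inside(pkt.src):
            if pkt.flags == "S":   # new outgoing connection: remember it
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound packet: allowed only if it answers a connection in the table ...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"
        # ... or opens a connection to the published web server.
        if (pkt.dst, pkt.dport) == WEB_SERVER and pkt.flags == "S":
            return "allow"
        return "deny"

def demo() -> dict:
    """Compare both modes on an outgoing connection, its reply, and two unsolicited packets."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.5", 51000, "203.0.113.9", 443, "S"),    # client opens an HTTPS connection
        Packet("203.0.113.9", 443, "10.0.0.5", 51000, "SA"),   # the server's reply to it
        Packet("203.0.113.9", 443, "10.0.0.5", 51001, "SA"),   # reply to a connection never made
        Packet("198.51.100.7", 40000, "10.0.0.5", 22, "S"),    # unsolicited inbound connection to a client
    ]
    return {"stateless": [stateless_filter(p) for p in packets],
            "stateful": [fw.filter(p) for p in packets]}

if __name__ == "__main__":
    print(demo())
```

Note that the stateless filter blocks the legitimate reply in packet 2; a stateless rule base has to open the whole range of client ports inbound to let it through, which is exactly what the state table avoids.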
Firewalls
• DMZ (Demilitarized Zone) – area that is closer to the untrusted network than the rest of the LAN. Used for services made available to the Internet.
• These servers may reside there:
– Web server
– Email server
– RAS server
– FTP server
– Proxy server
IDS (Intrusion Detection System)
• Monitors the packets on the network for signatures.
– Network based – Looks at the overall flow. Positioned where a lot of traffic flows
– Host based – resides on one machine and monitors the data coming to that machine. It may communicate with a central device. (Agent based)
– Active IDS – can take action when an attack happens.
– Passive IDS – alerts the administrator when there is an attack.
– Anomaly based IDS or IPS (Intrusion Prevention System) – looks at behavior rather than signatures. May result in more false positives.
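Signature-based versus anomaly-based detection, and passive versus active response, as an added example that is not from the original slides: both detectors run over a constructed set of connection records. The signature set, the baseline rule (three times the median connections per source) and the records, including the chatty monitoring host that the anomaly detector flags as a false positive, are all assumptions.

```python
from collections import Counter
from statistics import median

# Constructed connection records: (source_ip, dest_port, payload). Not real traffic.
RECORDS = (
    [("192.0.2.10", 80, b"GET /index.html HTTP/1.1")] * 3
    + [("192.0.2.11", 80, b"GET /about.html HTTP/1.1")] * 2
    + [("192.0.2.12", 80, b"GET /../../etc/passwd HTTP/1.1")]   # matches a known signature
    + [("192.0.2.50", 80, b"GET /status HTTP/1.1")] * 10        # monitoring host: legitimate but chatty
)

# Constructed signature set: a name and the byte pattern that identifies it.
SIGNATURES = {"directory traversal": b"../../etc/passwd"}

def signature_alerts(records) -> list:
    """Signature-based: alert on every record whose payload contains a known pattern."""
    return [(src, name) for src, _, payload in records
            for name, pattern in SIGNATURES.items() if pattern in payload]

def anomaly_alerts(records, factor: float = 3.0) -> list:
    """Anomaly-based: alert on sources far busier than the typical source (no signature needed).
    The threshold is factor x median connections per source, an assumed baseline."""
    counts = Counter(src for src, _, _ in records)
    threshold = factor * median(counts.values())
    return sorted(src for src, n in counts.items() if n > threshold)

def respond(alert_sources, active: bool) -> set:
    """Passive IDS only reports; an active IDS/IPS also returns the sources it would block."""
    return set(alert_sources) if active else set()

if __name__ == "__main__":
    sig = signature_alerts(RECORDS)
    anom = anomaly_alerts(RECORDS)
    print("signature alerts:", sig)
    print("anomaly alerts (192.0.2.50 is a false positive here):", anom)
    print("active response would block:", respond([s for s, _ in sig] + anom, active=True))
```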
Other concepts
• Intranet
• Extranet
• NAT (Network Address Translation)
• Honeypot
Acronyms
• CD-ROM, Compact Disk Read Only Memory
• CD-R, Compact Disk Recordable
• CD-RW, Compact Disk Rewritable
• DMZ, Demilitarized Zone
• DSL, Digital Subscriber Line
• DVD, Digital Versatile Disk
• DVD-R, Digital Versatile Disk Recordable
• DVD-RAM, Digital Versatile Disk Random Access Memory
• DVD-RW, Digital Versatile Disk Rewritable
• IDS, Intrusion Detection System
Acronyms
• MIB, Management Information Base
• NAT, Network Address Translation
• PAT, Port Address Translation
• PBX, Private Branch Exchange
• RAS, Remote Access Server
• STP, Shielded Twisted Pair
• SNMP, Simple Network Management Protocol
• UNC, Universal Naming Convention
• UTP, Unshielded Twisted Pair
• VLAN, Virtual Local Area Network