Telecommunications Case Assignment
Network Security, Firewalls,
and VPNs
Lesson 7
Future Trends and Best Practices
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Port Security
If internal network ports are not secured, they can be exploited by an attacker who has access to your facility.
Attackers can and will:
Plug a computer into a port and listen.
Run port scanners to look for computers that can be compromised.
Install drop boxes on the network.
Network Access Control (NAC) is a method of bolstering the security of a network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.
The client is not permitted to access anything unless it complies with a business-defined policy, including antivirus protection level, system update level, and configuration.
While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues.
Once the policy is met, the computer is able to access network resources and the Internet, within the policies defined in the NAC system.
NAC is mainly used for endpoint health checks, but it is often tied to role-based access: access to the network is granted according to the person's profile and the results of a posture (health) check.
Port Security
Goals of NAC
Mitigation of non-zero-day attacks: The main benefit of NAC solutions is to prevent end stations that lack antivirus, patches, or host intrusion prevention software from accessing the network and placing other computers at risk of cross-contamination by computer worms.
Policy enforcement: NAC solutions allow network operators to define policies, such as the types of computers or roles of users allowed to access areas of the network, and enforce them in switches.
Identity and access management: Forces authentication of endpoint devices before they gain access to the network. It typically uses some form of 802.1X along with RADIUS or Diameter.
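One way to model the NAC flow described above, as an added example that is not code from the original slides or from any NAC product: a posture check against the business policy, a remediation-only state for endpoints that fail it, and role-based reachability once they comply. The thresholds, roles, and network ranges are assumptions for the example.

```python
"""NAC posture check and role-based access decision (illustrative model).

An endpoint that fails the posture check is held in a remediation state that
can reach only the update servers; once it complies, it gets the network
access defined for its role. Thresholds and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Policy thresholds (assumed for the example).
MAX_SIGNATURE_AGE_DAYS = 3
MAX_MISSING_CRITICAL_PATCHES = 0
REQUIRED_CONFIG = {"host_firewall": True, "disk_encryption": True}

# Networks each access state may reach (assumed). Remediation reaches only the
# patch and antivirus update servers, so a non-compliant host can fix itself
# but cannot touch anything else. 0.0.0.0/0 stands for "the Internet".
REACHABLE = {
    "remediation": ["10.10.0.5/32", "10.10.0.6/32"],
    "employee":    ["10.10.0.5/32", "10.10.0.6/32", "10.20.0.0/16", "0.0.0.0/0"],
    "contractor":  ["10.10.0.5/32", "10.10.0.6/32", "10.30.0.0/16"],
}


@dataclass
class Posture:
    """What the pre-installed agent reports about the endpoint."""
    av_signature_age_days: int
    missing_critical_patches: int
    config: Dict[str, bool] = field(default_factory=dict)


def posture_failures(p: Posture) -> List[str]:
    """Return every policy check the endpoint fails (empty list means compliant)."""
    failures = []
    if p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures out of date")
    if p.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        failures.append("missing critical patches")
    for key, required in REQUIRED_CONFIG.items():
        if p.config.get(key) != required:
            failures.append(f"configuration: {key} must be {required}")
    return failures


def nac_decision(role: str, p: Posture) -> str:
    """Access state for an endpoint: 'remediation' until compliant, then its role."""
    if posture_failures(p):
        return "remediation"
    if role not in REACHABLE or role == "remediation":
        raise ValueError(f"unknown role {role!r}")
    return role


def is_reachable(state: str, dst_ip: str) -> bool:
    """Would the NAC-enforced network let this access state reach dst_ip?"""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(net) for net in REACHABLE[state])
```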
Data Center
Components:
Racks of equipment (of course)
Servers
Storage
Networking
Cooling:
Temperature between 64-81°F (18-27°C)
Humidity between 40%-55% (too little humidity can be as bad as too much)
Make sure you have redundant cooling!
Power
Uninterruptible Power Supply (UPS): battery backup
The real advantage is a constant, consistent flow of power
Generator: natural gas or diesel
Sensors: To test heat, noise, humidity, smoke, and water.
Physical Security
Storage
Hard disks
Two basic types of drives:
Serial ATA (SATA): Adv: Cheaper
Serial Attached SCSI (SAS): Adv: faster (arguably) and much more reliable
Just a Bunch of Disks (JBOD): an architecture involving multiple hard drives that makes them accessible either as independent hard drives or as a combined (spanned) single logical volume
Redundant Array of Independent Drives (RAID): combines multiple disk drive components into a logical unit for the purposes of data redundancy or performance improvement.
RAID 0: Striping
RAID 0 is the fastest RAID mode since it writes data across all of the volume's disks. But it has no redundancy and is very susceptible to failure: losing any one disk loses the whole volume.
RAID 1: Mirroring
RAID 1 keeps two copies of the data.
Therefore, it reduces storage capacity by 50%.
Disks should be the same size and speed.
RAID 5: Block Striping with Distributed Parity
Data is written across all disks in a volume, with a parity block for each stripe of data blocks.
If one physical disk fails, the data can be recreated using the parity blocks.
RAID 5 is very fast
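To make the parity mechanism concrete, here is an added worked model of RAID 5 striping (not code from the original slides): parity is the XOR of each stripe's data chunks, so after a single disk fails every missing chunk can be rebuilt from the survivors, while a second failure is unrecoverable. The disk count and chunk size are arbitrary choices for the example.

```python
"""RAID 5 striping with distributed parity, modelled in a few functions.

Each stripe holds (n_disks - 1) data chunks plus one parity chunk, and the
parity chunk's disk rotates from stripe to stripe. Parity is the XOR of the
stripe's data chunks, so any one missing chunk (data or parity) is the XOR of
the chunks that survive. A second failure in the same stripe is unrecoverable.
"""
from typing import List, Optional

Disk = Optional[List[bytes]]   # None models a disk that has failed outright


def xor_chunks(chunks: List[bytes]) -> bytes:
    """XOR equal-length chunks together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe_index: int, n_disks: int) -> int:
    """Disk holding parity for a stripe; rotating it avoids a single parity bottleneck."""
    return (n_disks - 1 - stripe_index) % n_disks


def raid5_write(data: bytes, n_disks: int, chunk_size: int) -> List[Disk]:
    """Stripe data across n_disks, zero-padding the last stripe, and return the disks."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * chunk_size
    data += b"\x00" * (-len(data) % per_stripe)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk_size:(i + 1) * chunk_size] for i in range(n_disks - 1)]
        p = parity_disk(s, n_disks)
        next_chunk = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_chunks(chunks) if d == p else next(next_chunk))
    return disks


def raid5_read(disks: List[Disk]) -> bytes:
    """Reassemble the data, rebuilding chunks from one failed disk via XOR."""
    n_disks = len(disks)
    alive = [d for d in disks if d is not None]
    if len(alive) < n_disks - 1:
        raise RuntimeError("two or more disks failed: RAID 5 cannot rebuild")
    out = bytearray()
    for s in range(len(alive[0])):
        chunks = [None if d is None else d[s] for d in disks]
        if None in chunks:
            # The failed disk's chunk, parity or data, is the XOR of all the others.
            chunks[chunks.index(None)] = xor_chunks([c for c in chunks if c is not None])
        p = parity_disk(s, n_disks)
        out.extend(b"".join(c for d, c in enumerate(chunks) if d != p))
    return bytes(out)
```

Simulate a failed disk by setting its entry in the returned list to `None` before calling `raid5_read`.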
RAID 6: Block Striping with Double Distributed Parity
Write data across all disks in a volume and two parity blocks for each data stripe.
If two physical disks fail, the data can be recreated using the parity blocks.
RAID 1+0 (AKA RAID 10)
Combines the protection of RAID 1 with the performance of RAID 0.
Network Attached Storage (NAS)
A file server combining low processing power and some form of RAID.
A self-contained unit.
Often uses either SMB/CIFS (Windows file sharing) or NFS (UNIX/Linux file sharing).
Storage Area Network (SAN)
SAN: a dedicated network that provides access to consolidated storage.
A SAN differs from a NAS in that it does not provide a file system.
A NAS appears as a server to a client, whereas a SAN appears to the server as a directly attached hard drive.
Note: Both SANs and NAS devices use RAID internally.
One SAN array of disks can be split up into multiple logical disks (often called LUNs, logical unit numbers).
Two types of SANs:
Fibre Channel: fastest, very fault tolerant
iSCSI: fast, not as fault tolerant, very simple to set up
Fibre Channel
Up to 16 Gbps (2, 4, 8, and 16 Gbps versions)
Requires dedicated switches
Each server requires a Host Bus Adapter (HBA).
Uses fiber-optic cabling.
iSCSI
Uses IP-based networks for your SAN
Advantage:
Off-the-shelf networking equipment will work, including switches and server NICs
Existing knowledge of networking is applicable.
Disadvantage:
Data in motion is not encrypted. If someone can listen to your iSCSI network, they can see all of the data.
Virtual Private Networks
Virtual Private Network (VPN): extends a private network across a public network, such as the Internet.
The extended network resources are accessed in the same way as resources available within the private network.
Uses:
VPNs allow employees to securely access their company's intranet while traveling outside the office (Remote VPNs).
VPNs securely connect geographically separated offices of an organization, creating one cohesive network (site-to-site VPNs).
All data is encrypted using various algorithms/protocols.
VoIP
Voice over IP (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.
VoIP communication has reduced the cost of international calls dramatically.
In general, the term Voice over IP is associated with equipment that provides the ability to dial telephone numbers and communicate with parties on the other end of a connection who have either another VoIP system or a traditional analog telephone.
VoIP
VoIP can be implemented in the following ways:
ATA
The simplest and most common way is through the use of a device called an ATA (analog telephone adapter). The ATA allows you to connect a standard phone to your computer or your Internet connection for use with VoIP. The ATA is an analog-to-digital converter: it takes the analog signal from your traditional phone and converts it into digital data for transmission over the Internet.
IP Phones
These are specialized phones that look just like normal phones, with a handset, cradle, and buttons. But instead of the standard RJ-11 phone connectors, IP phones have an Ethernet connector socket. IP phones connect directly to your router and have all the hardware and software necessary on board to handle the IP call. Wi-Fi phones allow subscribing callers to make VoIP calls from any Wi-Fi hot spot. This method is most commonly employed in corporate networks.
Computer-to-computer
This is certainly the easiest way to use VoIP. You don't even have to pay for long-distance calls. Several companies offer free or very low-cost software that you can use for this type of VoIP. All you need is the software, a microphone, speakers, a sound card, and an Internet connection.
VoIP Components
VoIP Server
VoIP Gateway: used to connect the Public Switched Telephone Network (PSTN) to the VoIP system
VoIP Client
VoIP Protocols
Session Initiation Protocol (SIP)
The Session Initiation Protocol (SIP) is a signaling protocol widely used in VoIP systems.
SIP is simple and text-based, like HTTP.
The protocol defines the messages that are sent between peers to govern the establishment, termination, and other essential elements of a call.
SIP requires a SIP server and a SIP client to work properly.
Real Time Transport Protocol (RTP)
The Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks.
RTP is used extensively in communication and entertainment systems that involve streaming media, such as telephony, video teleconference applications, television services and web-based push-to-talk features.
Quality of Service (QoS)
Jitter: refers to non-uniform packet delays. It is often caused by low-bandwidth situations in VoIP and can be exceptionally detrimental to overall QoS. Variations in delay can be more detrimental to QoS than the delays themselves. Jitter can cause packets to arrive and be processed out of sequence.
Latency: refers to the time it takes for a voice transmission to go from its source to its destination. Ideally we would like to keep latency as low as possible, but there are practical lower bounds on the delay of VoIP.
Packet loss: VoIP is exceptionally intolerant of packet loss. Packet loss can result from excess latency, where a group of packets arrives late and must be discarded in favor of newer ones. It can also result from jitter, that is, when a packet arrives after its surrounding packets have been flushed from the buffer, making the received packet useless.
Bandwidth: data transfer rate, the amount of data that can be carried from one point to another in a given time period (usually a second). So it is obvious that the more bandwidth we have, the better the call quality.
Note: One of the great attractions of VoIP, data and voice sharing the same wires, is also a potential headache for implementers, who must allocate the necessary bandwidth for both networks in a system normally designed for one. Congestion of the network causes packets to be queued, which in turn contributes to the latency of the VoIP system. Low bandwidth can also contribute to non-uniform delays (jitter), since packets will be delivered in spurts when a window of opportunity opens up in the traffic.
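The interaction between jitter, latency and packet loss described above can be made concrete with the interarrival jitter estimator from RFC 3550 (the value RTP receivers report in RTCP). The block below is an added example, not part of the original slides: it runs that estimator and a fixed jitter-buffer playout model over a constructed trace of 20 ms G.711 packets; the trace, the 40 ms and 80 ms buffer sizes, and the 8000 Hz clock are assumptions for the example.

```python
"""RFC 3550 interarrival jitter and effective packet loss over a constructed RTP trace.

Packets are 20 ms G.711 frames (160 ticks at 8000 Hz). The trace loses one
packet on the network and delivers another so late that a 40 ms jitter buffer
has already played past it, which is the second loss mechanism described above.
"""
from dataclasses import dataclass
from typing import List, Tuple

CLOCK_RATE = 8000   # G.711 RTP clock, ticks per second


@dataclass
class RtpPacket:
    seq: int         # RTP sequence number
    ts: int          # RTP timestamp (sender clock, ticks)
    arrival_ms: int  # receiver arrival time, milliseconds


# Constructed trace in arrival order: seq 5 never arrives; seq 8 arrives 70 ms late.
TRACE = [
    RtpPacket(1, 0, 0), RtpPacket(2, 160, 21), RtpPacket(3, 320, 40),
    RtpPacket(4, 480, 62), RtpPacket(6, 800, 101), RtpPacket(7, 960, 120),
    RtpPacket(9, 1280, 161), RtpPacket(10, 1440, 180), RtpPacket(8, 1120, 210),
]


def interarrival_jitter_ms(packets: List[RtpPacket]) -> float:
    """Running jitter estimate J from RFC 3550 section 6.4.1, converted to ms.

    D(i-1, i) = (R_i - R_{i-1}) - (S_i - S_{i-1}) in clock ticks, where R is the
    arrival time and S the RTP timestamp; J is a 1/16 exponential average of |D|.
    """
    j = 0.0
    for prev, cur in zip(packets, packets[1:]):
        d = (cur.arrival_ms - prev.arrival_ms) * CLOCK_RATE // 1000 - (cur.ts - prev.ts)
        j += (abs(d) - j) / 16
    return j * 1000 / CLOCK_RATE


def loss_stats(packets: List[RtpPacket], buffer_ms: int) -> Tuple[int, int, int, int]:
    """Return (expected, network_lost, late_discarded, played) for a fixed jitter buffer.

    The playout deadline for packet i is first_arrival + buffer + (ts_i - ts_0)/rate;
    a packet arriving after its deadline is useless to the decoder and counts as lost.
    """
    seqs = [p.seq for p in packets]
    expected = max(seqs) - min(seqs) + 1
    network_lost = expected - len(set(seqs))
    first = packets[0]
    late = 0
    for p in packets:
        deadline = first.arrival_ms + buffer_ms + (p.ts - first.ts) * 1000 // CLOCK_RATE
        if p.arrival_ms > deadline:
            late += 1
    return expected, network_lost, late, expected - network_lost - late
```

Raising the buffer from 40 ms to 80 ms rescues the late packet at the cost of 40 ms more latency on every packet, which is the trade-off the slide describes.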
VoIP Security Issues
Call Interception
One of the most commonly encountered problems with VoIP setups is that data passing through VoIP gateways is not encrypted by default. If a malicious attacker is able to find the source of the stream, he is easily able to hijack the signal and listen in on all our conversations.
The attacker only requires physical access to a LAN segment that the VoIP packets travel across. Most enterprises use Ethernet switches instead of hubs, and this limits the number of locations from which such an exploit is possible. Call interception is more of a risk if companies make use of unsecured wireless networks, which can be used to easily enter a corporate network and listen in on calls.
VoIP Security Issues
Denial of Service attacks
The Gulp tool can be used to create a SIP flood of more than 200 Mbps from thousands of random sources, constantly changing the SIP headers to avoid detection. The tool can also be used to send malformed or spoofed requests to cause damage to SIP devices.
Exfiltration of Data
Attackers can make use of RTP sessions to exfiltrate confidential information from a corporate environment; since firewalls do not block VoIP traffic, it becomes nearly impossible to stop such attacks.
VoIP packets, unlike data packets in other formats, are much more difficult to scan for hidden content or data without introducing delay into the entire data stream. Exfiltration attacks are usually carried out by VoIP Trojans that send data out of the host system as an RTP stream.
VoIP Security Issues
Caller ID spoofing
Caller ID is used to identify the caller's information.
Caller ID will contain the time of the call, the duration of the call, and the caller's information.
There are different websites available that can be used to spoof calls, e.g. spooftell, covertcalling, etc.
By spoofing, the call will appear to us as a legitimate call from the bank asking for confidential information, which can further lead to data breaches.
Viruses and malware
VoIP Security Issues
Registration Hijacking
When a user agent (IP phone) is plugged into a VoIP network, it tries to connect to the SIP server for registration, and the phone is available for use after registration is done.
Attackers impersonate the user agent and try to connect to the SIP server to become a part of the network.
When registration is hijacked, the calls intended for a particular user will be diverted to a rogue person.
Registration can be hijacked because the registration method used in VoIP is UDP rather than TCP, and the authentication mechanism from user agent to server is very weak.
Scanners (SiVuS) are available to check the weaknesses of VoIP security, and registration hijacking is one such exploit that can be carried out.
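Because SIP is plain text like HTTP, watching for registration hijacking takes only a few lines of parsing. The following is an added illustration, not code from the original slides: it parses constructed REGISTER requests and alerts when an address-of-record re-registers from a different host within a short window, or when one host registers several different users. The hosts, user names, domain, and thresholds are assumptions for the example.

```python
"""Spotting SIP registration hijacking from REGISTER traffic (constructed messages).

Two signals of the attack described above: an address-of-record (AOR) that
was registered from one phone suddenly re-registers from another host, and
one host registering many users in quick succession.
"""
import re
from typing import Dict, List, Tuple

Message = Tuple[int, str]   # (capture time in seconds, raw SIP request)


def register(user: str, host: str, cseq: int) -> str:
    """Build a constructed REGISTER request as an IP phone would send it."""
    return (
        f"REGISTER sip:pbx.example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK-{cseq}\r\n"
        f"From: <sip:{user}@pbx.example.com>;tag=t{cseq}\r\n"
        f"To: <sip:{user}@pbx.example.com>\r\n"
        f"Call-ID: {cseq}@{host}\r\n"
        f"CSeq: {cseq} REGISTER\r\n"
        f"Contact: <sip:{user}@{host}:5060>\r\n"
        f"Expires: 3600\r\nContent-Length: 0\r\n\r\n"
    )


def parse_sip(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP request into (method, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers end at the blank line
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def uri_host(contact: str) -> str:
    """Host part of a Contact URI such as <sip:alice@10.0.0.21:5060>."""
    m = re.search(r"sip:(?:[^@>;]*@)?([^:;>]+)", contact)
    return m.group(1) if m else ""


def aor_of(to_header: str) -> str:
    """user@domain from a To header such as <sip:alice@pbx.example.com>."""
    m = re.search(r"sip:([^>;]+)", to_header)
    return m.group(1) if m else to_header


def detect_hijack(messages: List[Message], window_s: int = 300,
                  mass_threshold: int = 3) -> List[str]:
    """Alert on an AOR changing host within window_s, and on one host registering many AORs."""
    last_seen: Dict[str, Tuple[str, int]] = {}   # AOR -> (host, time)
    aors_per_host: Dict[str, set] = {}
    alerts: List[str] = []
    for t, raw in messages:
        method, h = parse_sip(raw)
        if method != "REGISTER":
            continue
        aor, host = aor_of(h.get("to", "")), uri_host(h.get("contact", ""))
        prev = last_seen.get(aor)
        if prev and prev[0] != host and t - prev[1] <= window_s:
            alerts.append(f"t={t}s: {aor} re-registered from {host}, was {prev[0]} {t - prev[1]}s ago")
        last_seen[aor] = (host, t)
        aors_per_host.setdefault(host, set()).add(aor)
        if len(aors_per_host[host]) == mass_threshold:
            alerts.append(f"t={t}s: {host} has registered {mass_threshold} different users")
    return alerts


# Constructed capture: alice's phone registers, then another host claims alice, bob and carol.
CAPTURE: List[Message] = [
    (0, register("alice", "10.0.0.21", 1)),
    (60, register("alice", "10.0.0.99", 7)),
    (61, register("bob", "10.0.0.99", 8)),
    (62, register("carol", "10.0.0.99", 9)),
]
```

Running the detector on a real capture means feeding it the SIP requests a span port or the registrar's own log produces; the alert strings are the part you would forward to a SIEM.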
VoIP Security Issues Countermeasures
Encryption
Firewalls
Traffic analysis: Deep packet inspection tools are essential to protect organizations from VoIP threats. VoIP packets are notoriously difficult to inspect; stripping useful data from the traffic requires high-quality packet inspection tools. Such tools can attempt to look for hidden data within VoIP traffic; security devices such as NGFWs offer deep packet inspection capabilities.
Authentication mechanisms: IP phones should carry certificates to verify their identity on the VoIP network. Ideally the certificates in IP phones are signed by a certificate authority and are verified against the certificate store present on the server.
Physical security and awareness: VoIP gateways should be properly secured in data centers, and controls should be in place to prevent unauthorized physical access to such machines.
The Future of Network Security, Firewalls, and VPNs: Trends
Threats
Firewall capabilities
Encryption
Authentication
Metrics
Industry focus
Cloud security
Mobile device security
IPv6 support
Threats
Ten years ago, the majority of malicious threats were waged against operating systems. Today, the focus is on applications and mainly browsers. We now see a lot of hacking, targeted attacks against companies, viruses that target credit card numbers, bank account information and Social Security numbers, DoS attacks, and rootkits that turn hosts into zombies.
In the future, you will see more resilient networks that mitigate the risk of traffic-based attacks, more secure operating systems and applications to resist malware, and intrusion prevention systems that will respond instantly to attacks, choking them off before they can damage your infrastructure.
Firewall Capabilities
Firewalls have been adding capabilities since they were first introduced. Early firewalls contained some limited filtering and NAT capabilities, and not much else. Today’s firewalls offer a wide range of capabilities and specialties, which we will discuss later in the chapter.
Encryption
Encryption standards are constantly evolving. We have gone from DES, a 56-bit algorithm, to 3DES, an effective 168-bit algorithm, to AES, which supports 256-bit keys.
Encryption's popularity has been growing along with concerns about protecting data at rest, in transit, and while archived. The key to keep in mind as you look into encryption solutions is ensuring they support AES or an equivalent algorithm, and be sure that you encrypt your data everywhere it is vulnerable.
Authentication
Another area where you can expect to see dramatic changes in future capabilities is in authentication, especially with respect to identity and access management.
One trend is moving away from passwords to tokens, smart cards, and biometric authentication as a replacement or supplement to existing user ID and password solutions.
Identity and account management solutions provide automation, full account life cycle management, and associated auditing. However, the solutions are complex to install and maintain.
Metrics
The trend has been moving toward metrics and is expected to continue. There are now a number of standards available for generating metrics. The most popular is ITIL, the Information Technology Infrastructure Library, a set of concepts you can use to formalize your security management practice and the associated reporting.
Industry Focus
What is the industry focused on securing? Initially, information security was about keeping the bad guys out of your network.
The focus then shifted from the network to the host: patch management, hardening operating systems, and installing host-based firewalls.
Attackers shifted to attacking applications on our hosts, so we focused on integrating security into the software development life cycle, penetration testing, and firewall and proxy server deployment.
The next shift in focus for information security is on data. The industry is heading towards a data-centric security model, a significant paradigm shift from previous models. A data-centric model will force companies to focus on classifying and applying values to their data.
Securing the Cloud
You have to trust the vendor providing your cloud. This requires a shift in focus from deploying security technologies to ensuring your vendors are contractually obligated to keep your data secure. You also need to be able to evaluate vendors to determine how trustworthy they are, and if you have the available resources, you should be auditing the vendor(s) to ensure they continue to keep your data secure.
Securing Mobile Devices
There are already virus protection, mobile device management, and encryption applications available for mobile devices. The challenge you’ll typically see in both current and future implementations is that these types of devices are frequently overlooked or discounted when security risks are being documented. Be sure to keep these on your list of risks – there is an alarming amount of storage and processing capacity on these devices, which makes it easy for an employee to put confidential information on them without thinking twice about it.
IPv6 Support
IPv6 includes a native information security framework (IPsec) which provides for both data and control packets. This means that what you currently do with a traditional VPN you will be able to do natively with any IPv6 device. At a high level, that means you can run your IPsec VPN without requiring a client, but the implications are significantly more profound than just that. In a fully IPv6 environment, any connection can be configured to utilize an IPsec connection. This means that any connection from a user to an application, host-to-host, or even peer-to-peer will be authenticated and encrypted as it passes across the network.
6/23/16
Firewall Management Best Practices
Create a written firewall policy
Evaluate potential and known threats
Confirm that the existing firewall policy and setup is sufficient or correct based on known threats
Maintain physical security control over all access to firewalls
Limit and filter Internet connectivity
Create a written firewall policy.
Every host should have a local software firewall.
Every border communication point should have a firewall.
Every transition between subnets of different trust, risk, or purpose should have a firewall.
Confirm, after evaluating potential and known threats, that the existing firewall policy and setup is sufficient or correct.
Maintain physical security control over all personnel access to firewalls.
Limit and filter Internet connectivity.
Filter systems attached to the network
Defense in depth: layer defenses along pathways of communication and transaction
A written firewall policy establishes a documentation trail that everyone in the organization can read, consider, and follow. To have a plan, you must thoroughly understand your organization’s infrastructure, its mission and goals, and the processes necessary to produce its products and services.
Systems connected to the network are vulnerable to both malicious code (Trojans, viruses, worms, etc.) and malicious traffic (spam, phishing attacks, etc.) and should have adequate filters.
Firewall Management Best Practices
Filter systems attached to the network
Defense in depth: layer defenses along pathways of communication and transaction
Use Internet Protocol Security (IPsec) to secure all intranet communications
Harden internal and border firewalls
Default-deny is better than default-permit
Monitor logs for signs of breach attempts
Harden internal and border firewalls.
Set passwords
Examine all default settings
When in doubt, set all settings to private
Close all ports you aren’t actively using
Monitor logs for signs of breach attempts (firewall, database, software, etc.); an error may be a programming flaw or an indication of an injection attack.
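As an added illustration of log monitoring (not code from the original slides), the following parses iptables-style DROP lines from a default-deny firewall and flags the two most common breach-attempt signatures: one source probing many distinct ports in a short window, and one source repeatedly hitting the same blocked port. The log lines, addresses, year, and thresholds are constructed for the example.

```python
"""Finding breach attempts in firewall deny logs (constructed iptables-style lines).

A default-deny firewall logs every rejected connection, so a port scan shows
up as one source hitting many ports in seconds, and a brute-force or persistent
probe as one source hammering the same blocked port.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed lines in the format produced by iptables -j LOG --log-prefix "DROP ".
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jan 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jan 10 12:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Jan 10 12:00:04 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Jan 10 12:00:05 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Jan 10 12:00:06 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443
Jan 10 12:01:00 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22
Jan 10 12:01:10 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Jan 10 12:01:20 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=22
Jan 10 12:01:30 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=22
Jan 10 12:01:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=22
Jan 10 12:02:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=8080
Jan 10 12:02:01 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=60001 DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

Event = Tuple[datetime, str, int]   # (time, source address, destination port)


def parse_line(line: str, year: int = 2016) -> Optional[Event]:
    """Extract (time, src, dpt) from a DROP line; other lines return None.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect(lines: List[str], window_s: int = 60, scan_ports: int = 5,
           repeat_hits: int = 4) -> Dict[str, List[str]]:
    """Map each suspicious source to the patterns seen inside some window_s-long window."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev[1]].append(ev)
    findings: Dict[str, List[str]] = {}
    for src, events in by_src.items():
        events.sort()
        kinds = set()
        for i, (start, _, _) in enumerate(events):
            # Sliding window anchored at each event; thresholds are assumed values.
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            ports = [e[2] for e in window]
            if len(set(ports)) >= scan_ports:
                kinds.add("port-scan")
            if max(ports.count(p) for p in set(ports)) >= repeat_hits:
                kinds.add("repeated-hits")
        if kinds:
            findings[src] = sorted(kinds)
    return findings
```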
Firewall Management Best Practices
Create an intrusion and incident response plan
Create business continuity and disaster recovery plans
Prioritize securing against the largest threats first
Probability, frequency, and consequences
Develop and periodically confirm your firewall checklist
Periodically reassess your security assumptions against current evolving guidelines
Firewall Management Best Practices
Perform internal compliance audits periodically
Use an ethical hacking team to attempt penetration of the network
There are always new lessons to be learned and new challenges to be met: keep educating yourself!
Tools for Monitoring Firewalls
Firewalls are incomplete security on their own
Tools and software will be dictated by budget and threat evaluation: don't over-buy or under-buy
The nature of exploits and attack methodologies can change quickly, which limits the useful lifespan of any recommendation
Tools for Monitoring Your Firewall
Nmap (Zenmap)
Netstat
Tcpview
Fport
Snort
Nmap – a network mapper, port scanner, and OS fingerprinting tool. Can check the state of ports, identify targets, and probe services
Netstat – a simple command-line tool to list the current open, listening, and connected sockets on a system
Tcpview – a GUI tool to list the current open, listening, and connected sockets on a system as well as the service/program related to each socket
Fport – a command-line tool to list the current open, listening, and connected sockets on a system as well as the service/program related to each socket
Snort – an open-source rule-based IDS that can detect firewall breaches
Nessus – an open-source vulnerability assessment engine that can scan for known vulnerabilities
Wireshark – a free packet capture/protocol analyzer/sniffer that can analyze packets/frames as they enter or leave a firewall
Netcat – a hacker tool that creates network communication links using UDP or TCP ports that support the transmission of standard input and output. Commonly creates covert channels to control a target system remotely or bypass a firewall. Can test a firewall's ability to detect and block covert channels. Cryptcat offers similar capabilities using encryption
Backtrack – a Linux distribution that includes hundreds of security and hacking tools, including Nessus and Metasploit. Can perform attacks against or through a firewall for testing purposes
Syslog – a centralized logging service that hosts a duplicate copy of log files. Provides real-time backup of every log on every participating host
Tools for Monitoring Your Firewall
Nessus
OpenVAS
Wireshark
Netcat
Backtrack
Syslog
Testing Firewall Security
Fuzzing tools:
Use a brute-force technique to craft packets and other forms of input directed toward the target
Stress a system to determine whether it will react improperly, fail, or reveal unknown vulnerabilities.
Can discover coding errors, buffer overflows, race conditions, remote exploit flaws, injection weaknesses, and so on
Can take a significant amount of time to discover anything interesting
Simulated firewall tests
Virtual firewall tests
Laboratory tests
Basic Firewall Troubleshooting
Trouble involving network security demands a prompt resolution
Be patient
Know your firewall thoroughly
Focus
Isolate the problem
Simplify
Try the quick-and-easy fixes first
Avoid destructive or non-reversible solutions
Have patience – keeping your cool and taking your time will pay off by allowing you to find a solution quickly without making mistakes, overlooking essential details, or intensifying the problem further.
Know your firewall thoroughly – the more you already know about the firewall, hardware and software, the better you understand how it functions, and you can immediately use that knowledge to seek out a solution.
Focus – seek to find a solution to the current most critical problem. Don’t waste time fixing, repairing, upgrading, resetting, or configuring any other problem or aspect of the firewall system until you’ve resolved the primary problem. You can become distracted by minor details that “only take a second” to address; make a list of these smaller issues and come back to them later.
Isolate the problem – whenever possible, isolate elements or components of the firewall system that are functioning correctly to narrow the range of suspects of potential problem sources.
Simplify – disable or disconnect software and hardware non-essential to the function of the firewall. This will reduce the complexity of the situation and may assist in discovering the cause.
Try the quick and easy fixes first – try the fast and easy stuff before the hard and complicated options. You might be lucky, but if not, undoing easily attempted failed solutions will be simpler than the more complex options.
Avoid destructive or non-reversible solutions until last – attempting an irreversible fix is a poor idea early in the troubleshooting process; only after reversible and/or safe solutions have failed should you attempt more drastic measures.
Basic Firewall Troubleshooting
Try the free options before the costly ones
Let the problem guide and direct you
Make fixes one at a time
Test after each attempt
Reverse or undo solution failures
Try the free options before the costly ones – always try to perform repairs and fixes in-house using tools and resources that you already own or can obtain for free. Hold off on purchasing new resources or hiring technical support until you’ve exhausted other options.
Let the problem guide and direct you – the more you understand how your firewall operates and what the problem is, the more the problem directs you toward the affected area or the source of the issue.
Make fixes one at a time – only try one fix or repair option at a time; attempting multiple fixes at once is more complex and might mask the successful resolution.
Test after each attempt – after each fix is made, test the repair to see if it was successful.
Reverse or undo solution failures – if a fix does not resolve the issue, undo it to return to the previous state. Leaving failed fixes in place may cause other problems or may intensify the main problem.
Basic Firewall Troubleshooting
Review change documentation
Review previous troubleshooting logs
Update the troubleshooting log
Repeat the failure
Perform a post-mortem review
Review change documentation – could a recent change be responsible for the unwanted activity? If so, try to undo the change to see if the problem stops.
Review previous troubleshooting logs – consider whether the current problem is the same as or similar to recent problems already in the log. Try repeating successful solutions.
Update the troubleshooting log – record every action attempted, whether successful or not, and use the log as a journal. Think of something, write it down, then try the solution; write it down, then test for effectiveness; write it down, then repeat the failure fix; write it down, then repeat until resolved; finally, write down the successful solution and make note of any other thoughts, ideas, or observations.
Repeat the failure – sometimes causing the failure to repeat can assist in identifying the cause. However, only do so when the repetition will not cause further harm or loss.
Perform a post-mortem review – the most valuable result of a problem, especially a resolved problem, is your ability to learn something from the event. Always review the entire troubleshooting response process and look for ways to improve the response to future problems.
Documentation
Good documentation and planning make troubleshooting firewalls simpler
Useful troubleshooting information
Complete hardware and software inventory (relative to firewalls)
Written and electronic copies of configuration settings
Firewall policy
Change documentation
Previous troubleshooting logs
Activity, error, and alert logs
Maintenance logs
Any information about the current problem
How an Intrusion Detection System (IDS) Works
IDS detects an attack and alerts operators—manual intervention needed.
How an Intrusion Detection System (IDS) Works
IPS detects an attack, alerts operators, and then modifies firewall and router configuration to address the attack.
How an Intrusion Detection System (IDS) Works
Placement of the IDS so it gets unfiltered traffic for analysis.
How an Intrusion Detection System (IDS) Works
An IDS deployed behind a screening firewall.
Commonly Available Network Monitoring Tools (Open Source)
Nagios – network management and monitoring
SmokePing – monitors network latency
Can visualize the entire network
GroundWork – highly scalable network management and monitoring
Ganglia – geared toward clusters and grids
Cacti
Ntop
Commonly Available Network Monitoring Tools (Commercial)
WhatsUp Gold
Proactive monitoring and management tool
Iris
Network traffic monitoring and analysis tool
Integration of Firewalls and VPNs into Network Security Strategies
Functions
Enhanced threat management
Authentication
Encryption
Value Add
Confidentiality
Integrity
Availability
Confidentiality - keeping information, networks and systems secure from unauthorized access
Integrity - consistency, accuracy and validity of data or information
Availability - resource being accessible to a user, application or computer system when required
Tunneling
Creation of quasi-VPN tunnels is a serious network security risk
An exploit can convert almost any protocol at any layer of the OSI model into an encapsulation or tunneling protocol
Two types of tunnel attacks: inbound and outbound
Inbound attacks require a malicious server installed inside the perimeter of a firewall that permits inbound communication.
Outbound attacks require an external server with an internal client that initiates contact and a firewall that permits outbound communication.
Outbound Attacks
Inbound Attacks
Defenses Against Tunneling
Strictly enforce deny-by-default for both inbound and outbound communications
Clearly define in the acceptable use policy (AUP) what is not authorized and deemed a risk
Use network and host IDS/IPS monitoring
Deploy whitelist controls to prevent the installation of unapproved software
Limit mobile code, such as ActiveX, Java, Flash, Silverlight, and JavaScript
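The first defense above, deny-by-default for both directions, is the one that blocks both tunnel types on the previous slide. The following added example (not from the textbook) evaluates the same small allow list under an allow-by-default and a deny-by-default policy against three constructed flows: normal HTTPS, an outbound client-initiated tunnel to an external server, and an inbound connection to a server placed inside the perimeter. The address ranges, ports and rule format are assumptions made for the illustration.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: everything inside the perimeter
Flow = namedtuple("Flow", "src dst proto dport")  # one observed connection attempt
Rule = namedtuple("Rule", "direction proto dport dst", defaults=["any"])  # "any" = no dst limit

def direction_of(flow: Flow) -> str:
    """Classify a flow relative to the perimeter."""
    src_in = ip_address(flow.src) in INTERNAL
    dst_in = ip_address(flow.dst) in INTERNAL
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal"

def decide(flow: Flow, allow_rules, default: str) -> str:
    """Return 'allow' or 'deny'; `default` is used when no allow rule matches."""
    d = direction_of(flow)
    if d == "internal":
        return "allow"  # perimeter rules do not apply to inside-only traffic
    for r in allow_rules:
        if (r.direction == d and r.proto == flow.proto and r.dport == flow.dport
                and (r.dst == "any" or ip_address(flow.dst) in ip_network(r.dst))):
            return "allow"
    return default

# Explicit allow list: only the business-required flows, nothing else.
ALLOW = [
    Rule("outbound", "tcp", 443),                    # web browsing over HTTPS
    Rule("outbound", "udp", 53, "203.0.113.53/32"),  # only the approved resolver
    Rule("inbound", "tcp", 443, "10.0.5.10/32"),     # only the published web server
]

# Constructed flows: normal HTTPS, an outbound tunnel from an internal client to an
# external server, and an inbound connection to a rogue server placed inside.
WEB = Flow("10.0.9.4", "198.51.100.20", "tcp", 443)
OUT_TUNNEL = Flow("10.0.9.4", "198.51.100.7", "tcp", 4444)
IN_TUNNEL = Flow("198.51.100.7", "10.0.9.4", "tcp", 8080)

def compare(flow: Flow) -> dict:
    """Same allow list, two defaults: allow-by-default vs. deny-by-default."""
    return {"permissive": decide(flow, ALLOW, "allow"),
            "deny_by_default": decide(flow, ALLOW, "deny")}
```

With the permissive default both tunnel flows pass because nothing explicitly forbids them; with deny-by-default only the listed business flows pass, which is why the slide stresses enforcing it for outbound traffic as well as inbound.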
Security Measures in Addition to a Firewall
Authentication
Encryption
Logging and auditing
Network segmentation and traffic control
Network access control
Virtual private networks for remote access
Authentication
Encryption
Logging/Auditing
Segmentation/Traffic Control
Access Control
VPN for Remote Access
Choosing a Firewall
Speed, flexibility, and simplicity
Real-time applications and bandwidth
Strong authentication
Detailed logging
Customized unique/complicated filtering
Major threats: internal vs. external
Buying vs. Building
Off-the-shelf solutions offer ease of setup
Off-the-shelf solutions often work out of the box, requiring only to be plugged in
Custom builds can be less expensive and provide more of the desired features
Custom builds are not a good choice when there are time sensitivities, because they require a lot of IT personnel effort
Emerging Network Security Technologies
Data leakage prevention (DLP)—New government regulations will drive implementation in health care; HIPAA, HITECH, and PCI have specific data protection requirements
Biometrics—Being included in ATMs, laptops, and computer networks
Virtualization security—Antivirus, vulnerability management, data leakage prevention, and IDS/IPS being developed to run virtually
Virtual Labs
Complete all remaining Labs
Final Exam
Final will be posted Sunday or Monday of next week.
The Final exam MUST be completed by 11:59PM on Thursday, June 30th!
Networking Project
Paper may be brief (2-5 pages)
Due on Monday