conklin_principlesofcomputersecurity_5e_Chap010_PPT.pptx

Infrastructure Security

Chapter 10

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Objectives (1 of 2)

Construct networks using different types of network devices.

Enhance security using security devices.

Understand virtualization concepts.

Enhance security using NAC/NAP methodologies.

Identify the different types of media used to carry network signals.

Describe the different types of storage media used to store information.


Objectives (2 of 2)

Use basic terminology associated with network functions related to information security.

Describe the different types and uses of cloud computing.


Key Terms (1 of 3)

Basic packet filtering

Bridge

Cloud computing

Coaxial cable

Collision domain

Concentrator

Data loss prevention (DLP)

Firewall

Hypervisor

Hub

Infrastructure as a Service (IaaS)

Internet content filters

Load balancer

Modem

Network access control


Basic packet filtering – Filtering that looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user-defined rules. Each packet is examined separately.

Bridge – A network device that separates traffic into separate collision domains at the data layer of the OSI model.

Cloud computing – The automatic provisioning of on demand computational resources across a network.

Coaxial cable – A network cable that consists of a solid center core conductor and a physical spacer to the outer conductor which is wrapped around it. Commonly used in video systems.

Collision domain – An area of shared traffic in a network where packets from different conversations can collide.

Concentrator – A device used to manage multiple similar networking operations, such as providing a VPN endpoint for multiple VPNs.

Data loss prevention (DLP) – Technology, processes, and procedures designed to detect when unauthorized removal of data from a system occurs. DLP is typically active, preventing the loss of data, either by blocking the transfer or dropping the connection.

Firewall – A network device used to segregate traffic based on rules.

Hypervisor – A low-level program that allows multiple operating systems to run concurrently on a single host computer.

Hub – A network device used to connect devices at the physical layer of the OSI model.

Infrastructure as a Service (IaaS) – The automatic, on-demand provisioning of infrastructure elements, operating as a service; a common element of cloud computing.

Internet content filters – A content-filtering system used to protect corporations from employees’ viewing of inappropriate or illegal content at the workplace and the subsequent complications that occur when such viewing takes place.

Load balancer – A network device that distributes computing across multiple computers.

Modem – A modulator/demodulator that is designed to connect machines via telephone-based circuits.

Network access control – An approach to endpoint security that involves monitoring and remediating endpoint security issues before allowing an object to connect to a network.


Key Terms (2 of 3)

Network Access Protection (NAP)

Network Admission Control (NAC)

Network-Attached Storage (NAS)

Network interface card (NIC)

Network operations center (NOC)

Next-generation firewall

Platform as a Service (PaaS)

Private branch exchange (PBX)

Proxy server


Network Access Protection (NAP) – A Microsoft approach to network access control.

Network Admission Control (NAC) – The Cisco technology approach for generic network access control.

Network-Attached Storage (NAS) – The connection of storage to a system via a network connection.

Network interface card (NIC) – A piece of hardware designed to connect machines at the physical layer of the OSI model.

Network operations center (NOC) – A control point from where network performance can be monitored and managed.

Next-generation firewall – Firewall technology based on packet contents as opposed to simple address and port information.

Platform as a Service (PaaS) – The concept of having provisionable operational platforms that can be obtained via a service.

Private branch exchange (PBX) – A telephone exchange that serves a specific business or entity.

Proxy server – A server that acts as a proxy for individual requests and is used for performance and security purposes in a scalable fashion.


Key Terms (3 of 3)

Router

Sandboxing

Servers

Shielded twisted-pair (STP)

Software as a Service (SaaS)

Solid-state drive (SSD)

Switch

Unified threat management (UTM)

Unshielded twisted-pair (UTP)

Virtualization

Web security gateway

Wireless access point

Workstation


Router – A network device that operates at the network layer of the OSI model.

Sandboxing – The concept of isolating a system and specific processes from the OS in order to provide specific levels of security.

Servers – The computers in a network that host applications and data for everyone to share.

Shielded twisted-pair (STP) – A physical network connection consisting of two wires twisted and covered with a shield to prevent interference.

Software as a Service (SaaS) – The provisioning of software as a service, commonly known as on-demand software.

Solid-state drive (SSD) – A mass storage device, such as a hard drive, that is composed of electronic memory as opposed to a physical device of spinning platters.

Switch – A network device that operates at the data layer of the OSI model.

Unified threat management (UTM) – The aggregation of multiple network security products into a single appliance for efficiency purposes.

Unshielded twisted-pair (UTP) – A form of network cabling in which pairs of wires are twisted to reduce crosstalk. Commonly used in LANs.

Virtualization – An abstraction of the OS layer, creating the ability to host multiple OSs on a single piece of hardware.

Web security gateway – A device that combines proxy functions with content-filtering functions with the intention of addressing the security threats and pitfalls unique to web-based traffic.

Wireless access point – A network access device that facilitates the connection of wireless devices to a network.

Workstation – The machine that sits on the desktop and is used every day for sending and reading e-mail, creating spreadsheets, writing reports in a word processing program, and playing games.


Devices

Devices are needed to connect clients and servers and to regulate the traffic between them.

Devices expand the network beyond simple client computers and servers.

Devices come in many forms and with many functions.

Each device has a specific network function and plays a role in maintaining network infrastructure security.


A complete network computer solution in today’s business environment consists of more than just client computers and servers.

Devices are needed to expand a network beyond simple client computers and servers to include yet other devices, such as wireless and handheld systems.

Devices come in many forms and with many functions, from hubs and switches, to routers, wireless access points, and special-purpose devices such as virtual private network (VPN) devices.


Workstations

The workstation is the machine that sits on the desktop.

It is used every day for sending and reading e-mail, creating spreadsheets, writing reports in a word processing program, and playing games.

A workstation connected to a network is an important part of the network security solution.

Many threats to information security can start at a workstation, but much can be done in a few simple steps to provide protection from many of these threats.


Most users are familiar with the client computers used in the client/server model called workstation devices.


Servers

Servers are the computers in a network that host applications and data for everyone to share.

Servers come in many sizes.

Server operating systems range from Windows Server, to UNIX, to Multiple Virtual Storage (MVS) and other mainframe operating systems.

They tend to be more robust than workstation OSs.

They are designed to service multiple users over a network at the same time.

Servers can host a variety of applications.


Servers come in many sizes, from small single-CPU boxes that may be less powerful than a workstation, to multiple-CPU monsters, up to and including mainframes.

The operating systems used by servers range from Windows Server, to UNIX, to Multiple Virtual Storage (MVS) and other mainframe operating systems.

The OS on a server tends to be more robust than the OS on a workstation system and is designed to service multiple users over a network at the same time.

Servers can host a variety of applications, including web servers, databases, e-mail servers, file servers, print servers, and application servers for middleware applications.


Mobile Devices

Mobile devices such as laptops, tablets, and mobile phones are the latest devices to join the corporate network.

Mobile devices can create a major security gap, as a user may access two separate e-mail accounts from the same device: a personal account without antivirus protection, and a corporate account.


Device Security, Common Concerns

As more and more interactive devices are being designed, a new threat source has appeared.

Default accounts and passwords are well known in the hacker community.

One of the first steps you must take to secure such devices is to change the default credentials.


In an attempt to build security into devices, typically, a default account and password must be entered to enable the user to access and configure the device remotely. These default accounts and passwords are well known in the hacker community, so one of the first steps you must take to secure such devices is to change the default credentials. Anyone who has purchased a home office router knows the default configuration settings and can check to see if another user has changed theirs. If they have not, this is a huge security hole, allowing outsiders to “reconfigure” their network devices.


Network-Attached Storage

Because of the speed of today’s Ethernet networks, it is possible to manage data storage across the network.

This has led to a type of storage known as Network-Attached Storage (NAS).

The combination of inexpensive hard drives, fast networks, and simple application-based servers has made NAS devices in the terabyte range affordable for even home users.

As a network device, it is susceptible to attacks.


Because of the large size of video files, this has become popular for some users as a method of storing TV and video libraries. Because NAS is a network device, it is susceptible to various attacks, including sniffing of credentials and a variety of brute-force attacks to obtain access to the data.


Removable Storage

Removable devices can move data outside of the corporate-controlled environment.

Removable devices can bring unprotected or corrupted data into the corporate environment.

All removable devices should be scanned by antivirus software upon connection to the corporate environment.

Corporate policies should address the copying of data to removable devices.


Many mobile devices can be connected via USB to a system and used to store data—and in some cases vast quantities of data. This capability can be used to avoid some implementations of data loss prevention mechanisms.


Virtualization (1 of 2)

Virtualization technology is used to allow a computer to have more than one OS present and, in many cases, operating at the same time.

Virtualization is an abstraction of the OS layer.

It creates the ability to host multiple OSs on a single piece of hardware.

A major advantage of virtualization is the separation of the software and the hardware.

It creates a barrier that can improve many system functions, including security.


Virtualization (2 of 2)

The underlying hardware is referred to as the host machine, and on it is a host OS.

A hypervisor is needed to manage virtual machines (VMs).

Virtual machines are typically referred to as the guest OSs.

Newer OSs are designed to natively incorporate virtualization hooks.

Common virtualization solutions include:

Microsoft Hyper-V, VMware, Oracle VM VirtualBox, Parallels, and Citrix Xen


Exam Tip: A hypervisor is the interface between a virtual machine and the host machine hardware. Hypervisors are the layer that enables virtualization.

Either the host OS has built-in hypervisor capability or an application is needed to provide the hypervisor function to manage the virtual machines (VMs).

Newer OSs are designed to natively incorporate virtualization hooks, enabling virtual machines to be employed with greater ease.


Hypervisor (1 of 4)

A hypervisor enables virtualization.

A low-level program that allows multiple operating systems to run concurrently on a single host computer.

The hypervisor acts as the traffic cop that controls I/O and memory management.


Hypervisor (2 of 4)

Major advantages of virtualization:

The separation of the software and the hardware

Creates a barrier that can improve many system functions, including security.

Either the host OS has built-in hypervisor capability or an application is needed to provide the hypervisor function to manage the virtual machines (VMs).


Hypervisor (3 of 4)

Type 1

Type 1 hypervisors run directly on the system hardware.

Referred to as native, bare-metal, or embedded hypervisors in typical vendor literature.

Are designed for speed and efficiency, as they do not have to operate through another OS layer.

These platforms come with management toolsets to facilitate VM management in the enterprise.


Hypervisor (4 of 4)

Type 2

Type 2 hypervisors run on top of a host operating system.

In the beginning, Type 2 hypervisors were the most popular.

Typical Type 2 hypervisors include Oracle’s VirtualBox and VMware’s VMware Workstation Player.

Are designed for limited numbers of VMs, typically in a desktop or small server environment.


Application Cells/Containers

Application cells/containers hold the portions of an OS that an application needs, separate from the kernel.

Multiple containers can share an OS and have separate memory, CPU, and storage threads.

A container consists of an entire runtime environment.

The application platform, including its dependencies, is containerized.


VM Sprawl Avoidance

Sprawl is the uncontrolled spreading of disorganization caused by a lack of an organizational structure when many similar elements require management.

VM sprawl is a symptom of a disorganized structure.

VM sprawl avoidance needs to be implemented via policy.


VM Escape Protection

VM escape occurs when software (typically malware) or an attacker escapes from one VM to the underlying OS and then resurfaces in a different VM.

Large-scale VM environments have specific modules designed to detect escape and provide VM escape protection to other modules.


Snapshots

A snapshot is a point-in-time saving of the state of a virtual machine.

Snapshot uses:

Roll a system back to a previous point in time

Undo operations

Provide a quick means of recovery from a complex, system-altering change that has gone awry

Snapshots act as a form of backup and are typically much faster than normal system backup and recovery operations.


Patch Compatibility

Patches are still needed and should be applied, independent of the virtualization status.


Host Availability/Elasticity

In a virtualization environment, protecting the host OS and hypervisor level is critical for system stability.

Best practice is to avoid the installation of any applications on the host-level machine.

Elasticity refers to the ability of a system to expand/contract as system requirements dictate.


Security Control Testing

It is important to test the controls applied to a system to manage security operations to ensure that they are providing the desired results.

It is essential to specifically test all security controls inside the virtual environment to ensure their behavior is still effective.


Sandboxing

Sandboxing refers to the quarantine or isolation of a system from its surroundings.

Virtualization can be used as a form of sandboxing with respect to an entire system.


Networking

Networks are used to connect devices together.

Networks are composed of components that perform networking functions to move data between devices.

Networks begin with network interface cards, then continue in layers of switches and routers.

Specialized networking devices are used for specific purposes, such as security and traffic management.


Network Interface Cards (1 of 2)

To connect a server or workstation to a network, a device known as a network interface card (NIC) is used.

A NIC is the physical connection between a computer and the network.

Each NIC port is serialized with a unique code, 48 bits long, referred to as a Media Access Control address (MAC address).

Unfortunately, these addresses can be changed, or “spoofed,” rather easily.


A NIC is a card with a connector port for a particular type of network connection, either Ethernet or Token Ring. The most common network type in use for LANs is the Ethernet protocol, and the most common connector is the RJ-45 connector.

The purpose of a NIC is to provide lower-level protocol functionality from the OSI (Open System Interconnection) model. Because the NIC defines the type of physical layer connection, different NICs are used for different physical protocols.

NICs come as single-port and multiport, and most workstations use only a single-port NIC, as only a single network connection is needed. For servers, multiport NICs are used to increase the number of network connections, increasing the data throughput to and from the network.

Each NIC port is serialized with a unique code, 48 bits long, referred to as a Media Access Control address (MAC address). These are created by the manufacturer, with 24 bits representing the manufacturer and 24 bits being a serial number, guaranteeing uniqueness. MAC addresses are used in the addressing and delivery of network packets to the correct machine and in a variety of security situations.

Unfortunately, these addresses can be changed, or “spoofed,” rather easily. In fact, it is common for personal routers to clone a MAC address to allow users to use multiple devices over a network connection that expects a single MAC.
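The 24/24 split described above can be checked in code. The following is an added example, not from the textbook: it decodes a MAC address into its manufacturer prefix and serial, and also reads the two IEEE 802 flag bits in the first octet (individual/group and universal/local), which is how a defender gets a first hint that a source address was set by software rather than burned in by the vendor. The sample addresses are constructed.

```python
"""Decode a 48-bit MAC address into the fields described above.

Added example, not from the textbook. It splits the address into the 24-bit
manufacturer prefix (OUI) and 24-bit serial, and reads the two flag bits that
IEEE 802 places in the first octet: the I/G bit (individual vs group address)
and the U/L bit (universally vs locally administered). An address whose U/L
bit is set was assigned by software, not burned in by the vendor, so the OUI
no longer identifies a manufacturer; that is a hint, not proof, of a changed
("spoofed") address.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> dict:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]
    first = octets[0]
    return {
        "oui": ":".join(f"{b:02x}" for b in octets[:3]),     # manufacturer, 24 bits
        "serial": ":".join(f"{b:02x}" for b in octets[3:]),  # per-device, 24 bits
        "multicast": bool(first & 0x01),             # I/G bit: least significant bit
        "locally_administered": bool(first & 0x02),  # U/L bit: the next bit up
    }


def source_mac_assessment(text: str) -> str:
    """What a defender can conclude about a frame's source MAC from the
    address alone (an OUI database lookup would be the next step)."""
    info = parse_mac(text)
    if info["multicast"]:
        return "group address: not valid as a source, treat the frame as malformed"
    if info["locally_administered"]:
        return "locally administered: OUI is not a vendor, address may have been changed"
    return f"universally administered: OUI {info['oui']} should map to a vendor"


if __name__ == "__main__":
    # Constructed sample addresses: vendor-assigned, locally administered, multicast.
    for mac in ("00:1A:2B:3C:4D:5E", "02-00-5e-10-00-01", "01:00:5e:00:00:fb"):
        print(mac, "->", source_mac_assessment(mac))
```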


Network Interface Cards (2 of 2)

Figure 10.1 Linksys network interface card (NIC)


This figure shows a common form of a NIC.


Hubs

A hub is networking equipment that connects devices that are using the same protocol at the physical layer of the OSI model.

A hub allows multiple machines in an area to be connected together in a star configuration with the hub at the center.

All connections on a hub share a single collision domain, a small cluster in a network where collisions occur.

Increased network traffic can become limited by collisions; this problem has made hubs obsolete in newer networks.

Hubs also create a security weakness due to sniffing and eavesdropping issues.


A hub configuration can save significant amounts of cable and is an efficient method of configuring an Ethernet backbone.

The collision issue has made hubs obsolete in newer, higher performance networks, with inexpensive switches and switched Ethernet keeping costs low and usable bandwidth high. Hubs also create a security weakness in that all connected devices see all traffic, enabling sniffing and eavesdropping to occur. In today’s networks, hubs have all but disappeared, being replaced by low-cost switches.


Bridges

A bridge operates at the data link layer, filtering traffic based on MAC addresses.

Bridges can reduce collisions by separating pieces of a network into two separate collision domains.

This only cuts the collision problem in half.

A better solution is to use switches for network connections.


Bridges are networking equipment that connect devices using the same protocol at the data link layer of the OSI model.


Switches (1 of 4)

A switch forms the basis for connections in most Ethernet-based LANs.

Switches have replaced hubs and bridges.

A switch has separate collision domains for each port.

When full duplex is employed, collisions are virtually eliminated from the two nodes, host and client.

A switch is usually a Layer 2 device, but Layer 3 switches incorporate routing functionality.


A switch has separate collision domains for each port. This means that for each port, two collision domains exist: one from the port to the client on the downstream side, and one from the switch to the network upstream. When full duplex is employed, collisions are virtually eliminated from the two nodes, host and client. This also acts as a security factor: because the switch sends a frame only to the port where its destination resides, a sniffer on one port sees only limited traffic, unlike a hub-based system, where a single sniffer can see all of the traffic to and from connected devices.

Switches operate at the data link layer, while routers act at the network layer. For intranets, switches have become what routers are on the Internet—the device of choice for connecting machines. As switches have become the primary network connectivity device, additional functionality has been added to them. A switch is usually a Layer 2 device, but Layer 3 switches incorporate routing functionality.


Switches (2 of 4)

Advantages of switches

They improve network performance by filtering traffic.

They provide the option to disable a port so that it cannot be used without authorization.

They support port security allowing the administrator to control which systems can send data to each of the ports.

Switches use the MAC address of the systems to incorporate traffic filtering and port security features.

Port security based on MAC addresses is the functionality that allows an 802.1X device to act as an “edge device.”


A switch filters traffic by only sending the data to the port on the switch that the destination system resides on. The switch knows what port each system is connected to and sends the data only to that port.

The switch uses the MAC address of the systems to incorporate traffic filtering and port security features, which is why it is considered a Layer 2 device.

Port address security based on MAC addresses can determine whether a packet is allowed or blocked from a connection. This is the very function that a firewall uses for its determination, and this same functionality is what allows an 802.1X device to act as an “edge device.”


Switches (3 of 4)

Switch security concerns

They are intelligent network devices and are therefore subject to hijacking by hackers.

Switches are commonly administered using the Simple Network Management Protocol (SNMP) and Telnet protocol.

Both protocols have a serious weakness in that they send passwords across the network in cleartext.

Switches are shipped with default passwords.

Switches are subject to electronic attacks, such as ARP poisoning and MAC flooding.


One of the security concerns with switches is that, like routers, they are intelligent network devices and are therefore subject to hijacking by hackers. Should a hacker break into a switch and change its parameters, he might be able to eavesdrop on specific or all communications, virtually undetected. Switches are commonly administered using the Simple Network Management Protocol (SNMP) and Telnet protocol, both of which have a serious weakness in that they send passwords across the network in cleartext. A hacker armed with a sniffer that observes maintenance on a switch can capture the administrative password. This allows the hacker to come back to the switch later and configure it as an administrator. An additional problem is that switches are shipped with default passwords, and if these are not changed when the switch is set up, they offer an unlocked door to a hacker.

Switches are also subject to electronic attacks, such as ARP poisoning and MAC flooding. ARP poisoning is where a device spoofs the MAC address of another device, attempting to change the ARP tables through spoofed traffic and the ARP table-update mechanism. MAC flooding is where a switch is bombarded with packets from different MAC addresses, flooding the switch table and forcing the device to respond by opening all ports and acting as a hub. This enables devices on other segments to sniff traffic.
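The two attacks just described, and the port security feature from the previous slide that counters one of them, can be modelled in a few dozen lines. The following is an added example, not from the textbook: a toy switch whose forwarding table fills up under MAC flooding and then floods frames to every port like a hub, the same switch with a per-port MAC limit that disables the offending port instead, and a check that flags an ARP reply claiming a different MAC for an IP address than the one first seen. The table size, port names, per-port limit and all frames and ARP replies are constructed assumptions.

```python
"""Switch forwarding table under MAC flooding, the port-security limit that
stops it, and a consistency check that catches an ARP-poisoning attempt.

Added example, not from the textbook. The frames and ARP replies below are
constructed; the table size, port names and per-port MAC limit are assumed
values chosen to keep the demonstration small.
"""
from collections import defaultdict

PORTS = ("p1", "p2", "p3")


class Switch:
    def __init__(self, table_size, max_macs_per_port=None):
        self.table_size = table_size        # forwarding (CAM) table capacity
        self.max_macs = max_macs_per_port   # None disables port security
        self.cam = {}                       # mac -> port
        self.port_macs = defaultdict(set)   # port -> source MACs learned on it
        self.err_disabled = set()           # ports shut down by port security

    def learn(self, port, src_mac):
        """Learn a frame's source MAC; returns what the switch did with it."""
        if port in self.err_disabled:
            return "dropped"
        if src_mac in self.cam:
            return "known"
        if self.max_macs is not None and len(self.port_macs[port]) >= self.max_macs:
            self.err_disabled.add(port)     # port security violation: disable port
            return "violation"
        if len(self.cam) >= self.table_size:
            return "table_full"             # cannot learn: the flooding condition
        self.cam[src_mac] = port
        self.port_macs[port].add(src_mac)
        return "learned"

    def forward(self, in_port, dst_mac):
        """Ports a frame is sent out of: one port if known, else flooded."""
        if in_port in self.err_disabled:
            return set()
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}
        return set(PORTS) - {in_port}


def run_flood(port_security_limit):
    """Attacker on p3 sends frames from 100 bogus source MACs before the
    legitimate host on p1 has been learned. Returns the ports a later frame
    to that host is sent to ({'p1'} if the switch still works, every other
    port if its table was flooded) and the switch for inspection."""
    sw = Switch(table_size=16, max_macs_per_port=port_security_limit)
    for i in range(100):
        sw.learn("p3", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff))
    sw.learn("p1", "00:1a:2b:00:00:01")    # legitimate host appears
    return sw.forward("p2", "00:1a:2b:00:00:01"), sw


def detect_arp_conflicts(replies):
    """Return (ip, first_mac, new_mac) for every reply that claims a MAC
    different from the one first seen for that IP (a poisoning indicator)."""
    bindings, conflicts = {}, []
    for ip, mac in replies:
        if ip in bindings and bindings[ip] != mac:
            conflicts.append((ip, bindings[ip], mac))
        else:
            bindings.setdefault(ip, mac)
    return conflicts


# Constructed ARP replies: the gateway 10.0.0.1 is announced twice from its
# real MAC, then a third reply claims it from a different address.
ARP_REPLIES = [
    ("10.0.0.1", "00:1a:2b:00:00:fe"),
    ("10.0.0.7", "00:1a:2b:00:00:07"),
    ("10.0.0.1", "00:1a:2b:00:00:fe"),
    ("10.0.0.1", "02:de:ad:be:ef:01"),
]

if __name__ == "__main__":
    without, _ = run_flood(None)
    with_ps, sw = run_flood(2)
    print("no port security ->", sorted(without))
    print("port security(2) ->", sorted(with_ps), "disabled:", sorted(sw.err_disabled))
    print("ARP conflicts    ->", detect_arp_conflicts(ARP_REPLIES))
```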


Switches (4 of 4)

Loop protection is a concern with switches.

Switches operate at Layer 2 so there is no countdown mechanism to kill packets that get caught in loops or on paths that will never resolve.

The Layer 2 space acts as a mesh, where potentially the addition of a new device can create loops in the existing device interconnections.

Spanning tree technology is employed to prevent loops.

The Spanning Tree Protocol (STP) allows for multiple, redundant paths, while breaking loops to ensure a proper broadcast pattern.


Routers (1 of 2)

A router is a network traffic management device used to connect different network segments.

Operate at the network layer (Layer 3) of the OSI model

Form the backbone of the Internet

Use algorithms and tables to determine where to send the packet

Use access control lists (ACLs) as a method of deciding whether a packet is allowed to enter the network

Must limit router access and control of internal functions


Routers operate at the network layer (Layer 3) of the OSI model, using the network address (typically an IP address) to route traffic and using routing protocols to determine optimal routing paths across a network. Routers form the backbone of the Internet, moving traffic from network to network, inspecting packets from every communication as they move traffic in optimal paths. Routers operate by examining each packet, looking at the destination address, and using algorithms and tables to determine where to send the packet next. This process of examining the header to determine the next hop can be done in quick fashion.

Routers use access control lists (ACLs) as a method of deciding whether a packet is allowed to enter the network. With ACLs, it is also possible to examine the source address and determine whether or not to allow a packet to pass. This allows routers equipped with ACLs to drop packets according to rules built into the ACLs. This can be a cumbersome process to set up and maintain, and as the ACL grows in size, routing efficiency can be decreased. It is also possible to configure some routers to act as quasi–application gateways, performing stateful packet inspection and using contents as well as IP addresses to determine whether or not to permit a packet to pass. This can tremendously increase the time for a router to pass traffic and can significantly decrease router throughput. Configuring ACLs and other aspects of setting up routers for this type of use are beyond the scope of this book.

One serious security concern regarding router operation is limiting who has access to the router and control of its internal functions. Like a switch, a router can be accessed using SNMP and Telnet and programmed remotely. Because of the geographic separation of routers, this can become a necessity, for many routers in the world of the Internet can be hundreds of miles apart, in separate locked structures. Physical control over a router is absolutely necessary, for if any device, be it a server, switch, or router, is physically accessed by a hacker, it should be considered compromised. Thus, such access must be prevented. As with switches, it is important to ensure that the administrator password is never passed in the clear, that only secure mechanisms are used to access the router, and that all of the default passwords are reset to strong passwords.

As with switches, the most assured point of access for router management control is via the serial control interface port. This allows access to the control aspects of the router without having to deal with traffic-related issues. For internal company networks, where the geographic dispersion of routers may be limited, third-party solutions to allow out-of-band remote management exist. This allows complete control over the router in a secure fashion, even from a remote location, although additional hardware is required.


Routers (2 of 2)

Figure 10.2 A small home office router for cable modem/DSL


Routers are available from numerous vendors and come in sizes big and small. A typical small home office router for use with cable modem/DSL service is shown in this figure. Larger routers can handle traffic of up to tens of gigabytes per second per channel, using fiberoptic inputs and moving tens of thousands of concurrent Internet connections across the network. These routers, which can cost hundreds of thousands of dollars, form an essential part of e-commerce infrastructure, enabling large enterprises such as Amazon and eBay to serve many customers concurrently.


Firewalls (1 of 5)

A firewall is a network device—hardware, software, or a combination thereof.

Its purpose is to enforce a security policy across its connections by allowing or denying traffic to pass into or out of the network.

The heart of a firewall is the set of security policies that it enforces.

A key to security policies for firewalls is the principle of least access.


The heart of a firewall is the set of security policies that it enforces. Management determines what is allowed in the form of network traffic between devices, and these policies are used to build rule sets for the firewall devices used to filter network traffic across the network.

Firewall security policies are a series of rules that defines what traffic is permissible and what traffic is to be blocked or denied. These are not universal rules, and there are many different sets of rules for a single company with multiple connections. A web server connected to the Internet may be configured only to allow traffic on port 80 for HTTP, and have all other ports blocked. An e-mail server may have only necessary ports for e-mail open, with others blocked.

A key to security policies for firewalls is the same as has been seen for other security policies—the principle of least access. Only allow the necessary access for a function; block or deny all unneeded functionality. How an organization deploys its firewalls determines what is needed for security policies for each firewall.


Firewalls (2 of 5)

Figure 10.3 How a firewall works


A firewall is a lot like a gate guard at a secure facility. The guard examines all the traffic trying to enter the facility—cars with the correct sticker or delivery trucks with the appropriate paperwork are allowed in; everyone else is turned away.


Firewalls (3 of 5)

Figure 10.4 Linksys RVS4000 SOHO firewall


You may have a small office–home office firewall at your house, such as the RVS4000 shown in this figure. This device from Linksys provides both routing and firewall functions.


Firewalls (4 of 5)

The security topology determines what network devices are employed at what points in a network.

The perfect firewall policy is one that the end user never sees and one that never allows even a single unauthorized packet to enter the network.

To develop a complete and comprehensive security policy, it is first necessary to have a complete and comprehensive understanding of your network resources and their uses.


The security topology determines what network devices are employed at what points in a network.

The perfect firewall policy is one that the end user never sees and one that never allows even a single unauthorized packet to enter the network. As with any other perfect item, it will be rare to find the perfect security policy for a firewall.

To develop a complete and comprehensive security policy, it is first necessary to have a complete and comprehensive understanding of your network resources and their uses. Once you know what your network will be used for, you will have an idea of what to permit. Also, once you understand what you need to protect, you will have an idea of what to block. Firewalls are designed to block attacks before they get to a target machine. Common targets are web servers, e-mail servers, DNS servers, FTP services, and databases. Each of these has separate functionality, and each of these has separate vulnerabilities. Once you have decided who should receive what type of traffic and what types should be blocked, you can administer this through the firewall.


Firewalls (5 of 5)

Figure 10.5 Logical depiction of a firewall protecting an organization from the Internet


At a minimum, the corporate connection to the Internet should pass through a firewall, as shown in this figure. This firewall should block all network traffic except that specifically authorized by the security policy. This is actually easy to do: blocking communications on a port is simply a matter of telling the firewall to close the port. The issue comes in deciding what services are needed and by whom, and thus which ports should be open and which should be closed. This is what makes a security policy useful but, in some cases, difficult to maintain.


How Do Firewalls Work? (1 of 2)

Firewalls enforce the established security policies through a variety of mechanisms, including:

Network Address Translation (NAT)

Basic packet filtering

Stateful packet filtering

Access control lists (ACLs)

Application layer proxies

ACLs are a cornerstone of security in firewalls.

Firewalls can also act as network traffic regulators.


Firewalls enforce the established security policies. They can do this through a variety of mechanisms, including

Network Address Translation (NAT) – NAT translates private (nonroutable) IP addresses into public (routable) IP addresses.

Basic packet filtering – Basic packet filtering looks at each packet entering or leaving the network and then either accepts the packet or rejects the packet based on user-defined rules. Each packet is examined separately.

Stateful packet filtering – Stateful packet filtering also looks at each packet, but it can examine the packet in its relation to other packets. Stateful firewalls keep track of network connections and can apply slightly different rule sets based on whether the packet is part of an established session or not.

Access control lists (ACLs) – ACLs are simple rule sets that are applied to port numbers and IP addresses. They can be configured for inbound and outbound traffic and are most commonly used on routers and switches.

Application layer proxies – An application layer proxy can examine the content of the traffic as well as the ports and IP addresses. For example, an application layer proxy has the ability to look inside a user’s web traffic, detect a malicious web site attempting to download malware to the user’s system, and block the malware.

As they are in routers, switches, servers, and other network devices, ACLs are a cornerstone of security in firewalls. Just as you must protect the device from physical access, ACLs do the same task for electronic access. Firewalls can extend the concept of ACLs by enforcing them at a packet level when packet-level stateful filtering is performed. This can add an extra layer of protection, making it more difficult for an outside hacker to breach a firewall.

Firewalls can also act as network traffic regulators in that they can be configured to mitigate specific types of network-based attacks. In denial-of-service and distributed denial-of-service attacks, an attacker can attempt to flood a network with traffic. Firewalls can be tuned to detect these types of attacks and act as flood guards, mitigating the effect on the network.
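As an added example (not code from the book), the following simulation puts the basic packet filtering and stateful packet filtering mechanisms described above side by side, both enforcing the same default-deny ACL for a web server; the addresses, the Packet and Rule classes, and the permissive egress policy are constructed assumptions for the illustration.

```python
"""Added example: a basic (stateless) packet filter beside a stateful one,
both enforcing the same default-deny ACL (principle of least access)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False   # True on the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst_ip: str = "any"
    dst_port: int = 0      # 0 matches any port
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.dst_ip in ("any", p.dst_ip)
                and self.dst_port in (0, p.dst_port)
                and self.proto in ("any", p.proto))


class BasicPacketFilter:
    """Examines every packet in isolation. First matching rule wins; a packet
    that matches nothing is denied."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulPacketFilter(BasicPacketFilter):
    """Same ACL plus a connection table. Replies belonging to a session the
    firewall has already seen are allowed; unsolicited inbound packets that
    do not open a new TCP connection are dropped even if the ACL would
    otherwise permit that port."""

    def __init__(self, rules: List[Rule], inside_prefix: str) -> None:
        super().__init__(rules)
        self.inside_prefix = inside_prefix      # constructed, e.g. "10.0.0."
        self.sessions: set = set()              # 5-tuples of known flows

    @staticmethod
    def _key(p: Packet) -> Tuple[str, str, int, str, int]:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def decide(self, p: Packet) -> str:
        reply_of = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reply_of in self.sessions:
            return "allow"                      # part of an established session
        if p.src_ip.startswith(self.inside_prefix):
            self.sessions.add(self._key(p))     # inside-originated: record it
            return "allow"                      # (permissive egress, an assumption)
        if p.proto == "tcp" and not p.syn:
            return "deny"                       # no session and not a new connection
        action = super().decide(p)
        if action == "allow":
            self.sessions.add(self._key(p))     # new inbound session via the ACL
        return action


def run(fw: BasicPacketFilter, packets: List[Packet]) -> List[str]:
    """Feed packets through a filter in order and collect its verdicts."""
    return [fw.decide(p) for p in packets]


# Constructed traffic (documentation addresses, not real hosts)
WEB_SERVER = "10.0.0.5"
ACL = [Rule("allow", dst_ip=WEB_SERVER, dst_port=80, proto="tcp")]
TRAFFIC = [
    Packet("203.0.113.7", 40001, WEB_SERVER, 80, syn=True),     # new HTTP request
    Packet("203.0.113.7", 40002, WEB_SERVER, 22, syn=True),     # SSH from outside
    Packet("203.0.113.9", 40003, WEB_SERVER, 80, syn=False),    # stray ACK, no session
    Packet("10.0.0.20", 51000, "198.51.100.9", 443, syn=True),  # inside host opens TLS
    Packet("198.51.100.9", 443, "10.0.0.20", 51000),            # its reply
    Packet("198.51.100.9", 443, "10.0.0.21", 51000),            # unsolicited "reply"
]

if __name__ == "__main__":
    print("basic:   ", run(BasicPacketFilter(ACL), TRAFFIC))
    print("stateful:", run(StatefulPacketFilter(ACL, "10.0.0."), TRAFFIC))
```

The basic filter passes the stray ACK to port 80 and blocks the legitimate reply to the inside host, which is exactly the gap a stateful filter closes.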


How Do Firewalls Work? (2 of 2)

Figure 10.6 Firewall with SMTP application layer proxy


Some high-security firewalls also employ application layer proxies. As the name implies, packets are not allowed to traverse the firewall, but data instead flows up to an application that in turn decides what to do with it. For example, an SMTP proxy may accept inbound mail from the Internet and forward it to the internal corporate mail server, as depicted in this figure.

While proxies provide a high level of security by making it very difficult for an attacker to manipulate the actual packets arriving at the destination, and while they provide the opportunity for an application to interpret the data prior to forwarding it to the destination, they generally are not capable of the same throughput as stateful packet-inspection firewalls. The trade-off between security and performance is a common one and must be evaluated with respect to security needs and performance requirements.


Next-Generation Firewalls

Next-generation firewalls are characterized by these features:

Deep packet inspection

Move beyond port/protocol inspection and blocking

Add application-level inspection

Add intrusion prevention

Bring intelligence from outside the firewall

Traffic can be managed based on content, not merely site or URL.


Firewalls operate by inspecting packets and by using rules associated with IP addresses and ports. Next-generation firewalls have significantly more capability and are characterized by these features:

Deep packet inspection

Move beyond port/protocol inspection and blocking

Add application-level inspection

Add intrusion prevention

Bring intelligence from outside the firewall

Next-generation firewalls are more than just a firewall and IDS coupled together; they offer a deeper look at what the network traffic represents. In a legacy firewall, with port 80 open, all web traffic is allowed to pass. Using a next-generation firewall, traffic over port 80 can be separated by web site, or even activity on a web site (for example, allow Facebook, but not games on Facebook). Because of the deeper packet inspection and the ability to create rules based on content, traffic can be managed based on content, not merely site or URL.
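Added example, not code from the book: the legacy port-based decision beside a content-based one for requests on port 80, with a constructed policy that allows a social site but blocks its games section. The hostnames (social.example and the like), the policy and the sample requests are all made up for the illustration.

```python
"""Added example: port-based (legacy) versus content-based (next-generation)
decisions for traffic arriving on TCP port 80."""
from typing import Dict, List, Optional, Tuple


def parse_http_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Extract method, path and host from a raw HTTP/1.x request. Returns None
    when the bytes are not a well-formed request (binary, a TLS record on
    port 80, or a broken request line)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0].lower()   # drop any :port
    path = target.split("?", 1)[0]                          # ignore the query string
    return {"method": method, "path": path, "host": host}


def legacy_decision(dst_port: int, payload: bytes) -> str:
    """A legacy firewall with port 80 open: everything to port 80 passes."""
    return "allow" if dst_port == 80 else "deny"


# Constructed policy (host, path prefix, action); first match wins and a
# request matching nothing is denied.
POLICY: List[Tuple[str, str, str]] = [
    ("social.example", "/games", "deny"),      # block the games section...
    ("social.example", "/", "allow"),          # ...but allow the rest of the site
    ("intranet.example", "/", "allow"),
]


def host_matches(pattern: str, host: str) -> bool:
    """Exact host or any subdomain of it (www.social.example)."""
    return host == pattern or host.endswith("." + pattern)


def path_matches(prefix: str, path: str) -> bool:
    """Match whole path segments: "/games" covers "/games" and "/games/farm"
    but not "/gamesreview"."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def ngfw_decision(dst_port: int, payload: bytes) -> str:
    """Content-based decision: parse the request, then apply POLICY."""
    if dst_port != 80:
        return "deny"
    req = parse_http_request(payload)
    if req is None:
        return "deny"            # not HTTP on port 80: no basis to allow it
    for host, prefix, action in POLICY:
        if host_matches(host, req["host"]) and path_matches(prefix, req["path"]):
            return action
    return "deny"


# Constructed traffic samples: (destination port, payload)
SAMPLES: List[Tuple[int, bytes]] = [
    (80, b"GET /feed HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    (80, b"GET /games/farm?level=3 HTTP/1.1\r\nHost: www.social.example\r\n\r\n"),
    (80, b"GET /gamesreview HTTP/1.1\r\nHost: social.example\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nHost: unknown.example\r\n\r\n"),
    (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS record on port 80
    (22, b"SSH-2.0-OpenSSH\r\n"),
]


def compare(samples: List[Tuple[int, bytes]]) -> List[Tuple[str, str]]:
    """Return (legacy, next-generation) verdicts for each sample."""
    return [(legacy_decision(port, data), ngfw_decision(port, data))
            for port, data in samples]


if __name__ == "__main__":
    for (port, data), verdicts in zip(SAMPLES, compare(SAMPLES)):
        print(port, data[:40], verdicts)
```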


Web Application Firewalls vs. Network Firewalls

A web application firewall is the term given to any software package, appliance, or filter that applies a rule set to HTTP/HTTPS traffic.

They shape web traffic and filter out SQL injection attacks, malware, cross-site scripting (XSS), and so on.

A network firewall is a hardware or software package that controls the flow of packets into and out of a network.


Increasingly, the term “firewall” is getting attached to any device or software package that is used to control the flow of packets or data into or out of an organization.

Web application firewalls operate on traffic at a much higher level than network firewalls, as web application firewalls must be able to decode the web traffic to determine whether or not it is malicious.

Network firewalls operate on much simpler aspects of network traffic such as source/destination port and source/destination address.


Concentrators

Network devices called concentrators act as traffic management devices, managing flows from multiple points into single streams.

Concentrators typically act as endpoints for a particular protocol, such as SSL/TLS or VPN.

The use of specialized hardware can enable hardware-based encryption and provide a higher level of specific service than a general-purpose server.

This provides both architectural and functional efficiencies.


Wireless Devices (1 of 2)

Wireless devices bring additional security concerns.

Radio waves or infrared carry data, which allows anyone within range access to the data.

The point of entry from a wireless device to a wired network is performed at a device called a wireless access point.

They can support multiple concurrent devices accessing network resources through the network node they create.

Several mechanisms can be used to add wireless functionality to a machine.


Placing a wireless device behind a firewall does not do any good, because the firewall stops only physically connected traffic from reaching the device. Outside traffic can come literally from the parking lot directly to the wireless device and into the network.

Several mechanisms can be used to add wireless functionality to a machine. For PCs, this can be done via an expansion card. For notebooks, a PCMCIA adapter for wireless networks is available from several vendors. For both PCs and notebooks, vendors have introduced USB-based wireless connectors. The following illustration shows one vendor’s card—note the extended length used as an antenna. Not all cards have the same configuration, although they all perform the same function: to enable a wireless network connection. The numerous wireless protocols (802.11a, b, g, i, and n) are covered in Chapter 12. Wireless access points and cards must be matched by protocol for proper operation.


Wireless Devices (2 of 2)

A typical wireless access point

A typical PCMCIA wireless network card


Modems (1 of 3)

Modem is a shortened form of modulator/demodulator, converting analog signals to digital and vice versa.

A DSL modem is a device connected to special digital telephone lines using a direct connection.

A cable modem is a device connected to cable television lines set up in shared arrangements.

DOCSIS includes built-in support for security protocols.

Both DSL and cable are designed for a continuous connection.


Although DSL modems are not actually modems in the true sense of the word, the term has stuck through marketing efforts directed to consumers. DSL and cable modems offer broadband high-speed connections and the opportunity for continuous connections to the Internet. Along with these new desirable characteristics come some undesirable ones, however. Although they both provide the same type of service, cable and DSL modems have some differences. A DSL modem provides a direct connection between a subscriber’s computer and an Internet connection at the local telephone company’s switching station. This private connection offers a degree of security, as it does not involve others sharing the circuit.

Cable modems are set up in shared arrangements that theoretically could allow a neighbor to sniff a user’s cable modem traffic. Cable modems were designed to share a party line in the terminal signal area, and the cable modem standard, Data Over Cable Service Interface Specification (DOCSIS), was designed to accommodate this concept. DOCSIS includes built-in support for security protocols, including authentication and packet filtering. Although this does not guarantee privacy, it prevents ordinary subscribers from seeing others’ traffic without using specialized hardware.

Both cable and DSL services are designed for a continuous connection, which brings up the question of IP address life for a client. Although some services originally used a static IP arrangement, virtually all have now adopted the Dynamic Host Configuration Protocol (DHCP) to manage their address space. A static IP address has an advantage of remaining the same and enabling convenient DNS connections for outside users. As cable and DSL services are primarily designed for client services as opposed to host services, this is not a relevant issue. A security issue of a static IP address is that it is a stationary target for hackers. The move to DHCP has not significantly lessened this threat, however, because the typical IP lease on a cable modem DHCP server is for days. This is still relatively stationary, and some form of firewall protection needs to be employed by the user.


Modems (2 of 3)

Figure 10.7 Modern cable modem


This figure shows a modern cable modem. It has an embedded wireless access point, a VoIP connection, a local router, and a DHCP server. The device is fairly large, but it has a built-in lead-acid battery to provide VoIP service when power is out.


Modems (3 of 3)

Security is needed with a cable/DSL connection.

The modem equipment provided by the subscription service converts the cable or DSL signal into a standard Ethernet signal that can then be connected to a NIC on the client device.

This is still just a direct network connection, with no security device separating the two.

The most common security device used in cable/DSL connections is a router that acts as a hardware firewall.

The firewall/router needs to be installed between the cable/DSL modem and client computers.


Telephony

A private branch exchange (PBX) is an extension of the public telephone network into a business.

The following are security concerns:

They can be compromised from the outside and used by phone hackers (phreakers) to make phone calls at the business’s expense.

A path exists for a connection to outside data networks and the Internet.

A firewall is needed for security on these connections.


VPN Concentrator

A virtual private network (VPN) is a construct used to provide a secure communication channel between users across public networks such as the Internet.

The most common implementation of VPN is via IPsec, a protocol for IP security.

IPsec is mandated in IPv6 and is optional in IPv4.

IPsec can be implemented in hardware, software, or a combination of both and is used to encrypt all IP traffic.

The use of encryption technologies allows either the data in a packet to be encrypted or the entire packet to be encrypted.


Exam Tip: A VPN concentrator is a hardware device designed to act as a VPN endpoint, managing VPN connections to an enterprise.

The use of encryption technologies allows either the data in a packet to be encrypted or the entire packet to be encrypted. If the data is encrypted, the packet header can still be sniffed and observed between source and destination, but the encryption protects the contents of the packet from inspection. If the entire packet is encrypted, it is then placed into another packet and sent via tunnel across the public network. Tunneling can protect even the identity of the communicating parties.


Security Devices

A range of security devices can be employed to instantiate security functionality at the network layer.

Devices can be used for intrusion detection, network access control, and a wide range of other security functions.

Each device has a specific network function and plays a role in maintaining network infrastructure security.


Intrusion Detection Systems

Intrusion detection systems (IDSs) are designed to detect, log, and respond to unauthorized network or host use, both in real time and after the fact.

These systems are implemented using software.

In large networks or systems with significant traffic levels, dedicated hardware is typically required as well.

IDSs can be divided into two categories:

Network-based systems and host-based systems


Network Access Control

Managing endpoints on a case-by-case basis as they connect is a security methodology known as network access control.

Two main competing methodologies are:

Network Access Protection (NAP) – Microsoft

Measures host health when connected to the network

Network Admission Control (NAC) – Cisco

Enforces policies chosen by the network administrator

Both Cisco NAC and Microsoft NAP are nearing end of life.


Network Monitoring/Diagnostic

The network operations center (NOC) allows operators to observe and interact with the network, using the self-reporting and, in some cases, self-healing nature of network devices to ensure efficient network operation.

Software enables controllers at NOCs to measure the actual performance of network devices and make changes to the configuration and operation of devices remotely.

SNMP was developed to perform management, monitoring, and fault resolution across networks.


A computer network itself can be considered a large computer system, with performance and operating issues. Just as a computer needs management, monitoring, and fault resolution, so do networks. SNMP was developed to perform this function across networks. The idea is to enable a central monitoring and control center to maintain, configure, and repair network devices, such as switches and routers, as well as other network services, such as firewalls, IDSs, and remote access servers. SNMP has some security limitations, and many vendors have developed software solutions that sit on top of SNMP to provide better security and better management tool suites.

The concept of a network operations center (NOC) comes from the old phone company network days, when central monitoring centers monitored the health of the telephone network and provided interfaces for maintenance and management. This same concept works well with computer networks, and companies with midsize and larger networks employ the same philosophy. The NOC allows operators to observe and interact with the network, using the self-reporting and, in some cases, self-healing nature of network devices to ensure efficient network operation. Although generally a boring operation under normal conditions, when things start to go wrong, as in the case of a virus or worm attack, the NOC can become a busy and stressful place as operators attempt to return the system to full efficiency while not interrupting existing traffic.

SNMP is the main standard embraced by vendors to permit interoperability. Although SNMP has received a lot of security-related attention of late due to various security holes in its implementation, it is still an important part of a security solution associated with network infrastructure. Many useful tools have security issues; the key is to understand the limitations and to use the tools within correct boundaries to limit the risk associated with the vulnerabilities. Blind use of any technology will result in increased risk, and SNMP is no exception. Proper planning, setup, and deployment can limit exposure to vulnerabilities. Continuous auditing and maintenance of systems with the latest patches is a necessary part of operations and is essential to maintaining a secure posture.


Load Balancers

Load balancers are designed to distribute the processing load over two or more systems.

They are used to help improve resource utilization and throughput but also have the added advantage of increasing the fault tolerance of the overall system since a critical process may be split across several systems.

Should any one system fail, the others can pick up the processing it was handling.


Proxies (1 of 2)

A proxy server (or simply proxy) can be used to filter out undesirable traffic and prevent employees from accessing potentially hostile web sites.

Proxy servers can be completely transparent (gateways or tunneling proxies), or a proxy server can modify the client request before sending it on, or even serve the client’s request without needing to contact the destination server.

Several major categories of proxy servers are in use.


Proxies serve to manage connections between systems, acting as relays for the traffic. Proxies can function at the circuit level, where they support multiple traffic types, or they can be application-level proxies, which are designed to relay specific application traffic. An HTTP proxy can manage an HTTP conversation as it understands the type and function of the content. Application-specific proxies can serve as security devices if they are programmed with specific rules designed to provide protection against undesired content.

Several major categories of proxy servers are in use:

Anonymizing proxy – An anonymizing proxy is designed to hide information about the requesting system and make a user’s web browsing experience “anonymous.” This type of proxy service is often used by individuals who are concerned about the amount of personal information being transferred across the Internet and the use of tracking cookies and other mechanisms to track browsing activity.

Caching proxy – This type of proxy keeps local copies of popular client requests and is often used in large organizations to reduce bandwidth usage and increase performance. When a request is made, the proxy server first checks to see whether it has a current copy of the requested content in the cache; if it does, it services the client request immediately without having to contact the destination server. If the content is old or the caching proxy does not have a copy of the requested content, the request is forwarded to the destination server.

Content-filtering proxy – Content-filtering proxies examine each client request and compare it to an established acceptable use policy (AUP). Requests can usually be filtered in a variety of ways, including by the requested URL, destination system, or domain name or by keywords in the content itself. Content-filtering proxies typically support user-level authentication, so access can be controlled and monitored and activity through the proxy can be logged and analyzed. This type of proxy is very popular in schools, corporate environments, and government networks.

Open proxy – An open proxy is essentially a proxy that is available to any Internet user and often has some anonymizing capabilities as well. This type of proxy has been the subject of some controversy, with advocates for Internet privacy and freedom on one side of the argument, and law enforcement, corporations, and government entities on the other side. As open proxies are often used to circumvent corporate proxies, many corporations attempt to block the use of open proxies by their employees.

Reverse proxy – A reverse proxy is typically installed on the server side of a network connection, often in front of a group of web servers. The reverse proxy intercepts all incoming web requests and can perform a number of functions, including traffic filtering and shaping, SSL decryption, serving of common static content such as graphics, and performing load balancing.

Web proxy – A web proxy is solely designed to handle web traffic and is sometimes called a web cache. Most web proxies are essentially specialized caching proxies.

Deploying a proxy solution within a network environment is usually done either by setting up the proxy and requiring all client systems to configure their browsers to use the proxy or by deploying an intercepting proxy that actively intercepts all requests without requiring client-side configuration.

From a security perspective, proxies are most useful in their ability to control and filter outbound requests. By limiting the types of content and web sites employees can access from corporate systems, many administrators hope to avoid loss of corporate data, hijacked systems, and infections from malicious web sites. Administrators also use proxies to enforce corporate AUPs and track use of corporate resources. Most proxies can be configured to either allow or require individual user authentication—this gives them the ability to log and control activity based on specific users or groups. For example, an organization might want to allow the human resources group to browse Facebook during business hours but not allow the rest of the organization to do so.


Proxies (2 of 2)

Figure 10.8 HTTP proxy handling client requests and web server responses


A proxy server takes requests from a client system and forwards them to the destination server on behalf of the client, as shown in this figure.


Web Security Gateways

Some security vendors combine proxy functions with content-filtering functions to create a product called a web security gateway.

They are intended to address the security threats and pitfalls unique to web-based traffic.

Web security gateway capabilities include:

Real-time malware protection

Content monitoring

Productivity monitoring

Data protection and compliance


Some security vendors combine proxy functions with content-filtering functions to create a product called a web security gateway. Web security gateways are intended to address the security threats and pitfalls unique to web-based traffic. Web security gateways typically provide the following capabilities:

Real-time malware protection (a.k.a. malware inspection) – The ability to scan all outgoing and incoming web traffic to detect and block undesirable traffic such as malware, spyware, adware, malicious scripts, file-based attacks, and so on.

Content monitoring – The ability to monitor the content of web traffic being examined to ensure that it complies with organizational policies.

Productivity monitoring – The ability to measure types and quantities of web traffic that is being generated by specific users, groups of users, or the entire organization.

Data protection and compliance – Scanning web traffic for sensitive or proprietary information being sent outside of the organization as well as the use of social network sites or inappropriate sites.


Internet Content Filters

An Internet content filter protects a corporation from employees’ viewing of inappropriate or illegal content at the workplace and the subsequent complications that occur when such viewing takes place.

They filter undesirable content, such as pornography and malicious activity such as browser hijacking attempts or XSS attacks.

Content-filtering systems face many challenges.


Content-filtering systems face many challenges: the ever-changing Internet makes it difficult to maintain lists of undesirable sites (sometimes called blacklists); terms used on a medical site can also be used on a pornographic site, making keyword filtering challenging; and determined users are always seeking ways to bypass proxy filters. To help administrators, most commercial content-filtering solutions provide an update service, much like IDS or antivirus products, that updates keywords and undesirable sites automatically.


Data Loss Prevention

Data loss prevention (DLP) refers to technology employed to detect and prevent transfers of data across an enterprise.

DLP technology can scan packets for specific data patterns.

DLP can be tuned to detect account numbers, secrets, specific markers, or files.

The primary challenge is the placement of the sensor.

The DLP sensor needs to be able to observe the data, so if the channel is encrypted, DLP technology can be thwarted.
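The pattern scanning and the encrypted-channel limitation described above, as an added example that is not part of the textbook: a minimal DLP content scanner with two rules (a classification marker and Luhn-checked account numbers) run over a constructed HTTP payload, then over the same payload after a constructed keystream transform standing in for TLS. The marker string, the sample traffic, and the XOR stand-in are all assumptions for the demo.

```python
"""Added example: a minimal DLP content scanner (not the textbook's code).

Two rules are applied to each observed payload:
  * a classification marker string (hypothetical: ACME-CONFIDENTIAL)
  * payment-card-style account numbers, validated with the Luhn checksum so
    that ordinary digit runs (order ids, timestamps) do not trigger alerts.
The final function shows why sensor placement matters: once the payload has
been transformed by a cipher, none of the patterns are visible to the sensor.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CONFIDENTIAL_MARKER = "ACME-CONFIDENTIAL"  # hypothetical document marker

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    rule: str
    evidence: str


def scan_payload(payload: bytes) -> list[Finding]:
    """Apply the DLP rules to one observed payload (e.g. an HTTP request body)."""
    text = payload.decode("utf-8", errors="replace")
    findings: list[Finding] = []
    if CONFIDENTIAL_MARKER in text:
        findings.append(Finding("marker", CONFIDENTIAL_MARKER))
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            # Mask the evidence so the alert itself does not leak the number.
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("card-number", masked))
    return findings


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for an encrypted channel (NOT a real cipher).

    Any cipher has the same effect on the sensor: the bytes it sees no longer
    contain the marker or the digit patterns, so the rules cannot fire.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample traffic: a form post carrying a marked document, one
# Luhn-valid card number, and digit runs that must NOT be reported.
PLAINTEXT_POST = (
    b"POST /upload HTTP/1.1\r\nHost: files.example.net\r\n\r\n"
    b"ACME-CONFIDENTIAL Q3 forecast. Card on file: 4539 1488 0343 6467. "
    b"Order 1234 5678 9012 3456, ref 2024-11-07, id 123456789012"
)

if __name__ == "__main__":
    print(scan_payload(PLAINTEXT_POST))
    print(scan_payload(keystream_xor(PLAINTEXT_POST, b"demo-key")))  # []
```

The second call returns no findings even though the same secrets are in transit, which is the case the slide warns about: the sensor has to sit where it can observe the plaintext.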


Unified Threat Management (1 of 3)

A unified threat management (UTM) appliance is one of the “all-in-one security appliances” that many vendors offer: a device that combines multiple security functions in the same hardware appliance.

Most commonly these functions are firewall, IDS/IPS, and antivirus, although all-in-one appliances can include VPN capabilities, antispam, malicious web traffic filtering, antispyware, content filtering, traffic shaping, and so on.

A UTM simplifies the security activity as a single task, under a common software package for operations.


Using a UTM solution simplifies the security activity as a single task, under a common software package for operations. This reduces the learning curve to a single tool rather than a collection of tools. A UTM solution can have better integration and efficiencies in handling network traffic and incidents than a collection of tools connected together.


Unified Threat Management (2 of 3)

Figure 10.9 Unified threat management architecture


This figure illustrates the advantage of UTM processing. Rather than processing elements in a linear fashion, as shown in Figure 10.9a, the packets are processed in a parallelized fashion, as shown in Figure 10.9b. The elements still need to coordinate with one another, and many modern solutions do this with parallelized hardware.


Unified Threat Management (3 of 3)

URL filters block connections to web sites that are in a prohibited list.

Content inspection is used to filter web requests that return content with specific components, such as names of body parts, music or video content, and other content that is inappropriate for the business environment.

UTM appliances can be tuned to detect malware.


Media

Four common methods are used to connect equipment at the physical layer:

Coaxial cable

Twisted-pair cable

Fiber-optics

Wireless


The base of communications between devices is the physical layer of the OSI model. This is the domain of the actual connection between devices, whether by wire, fiber, or radio frequency waves. The physical layer separates the definitions and protocols required to transmit the signal physically between boxes from higher-level protocols that deal with the details of the data itself. Four common methods are used to connect equipment at the physical layer:

Coaxial cable

Twisted-pair cable

Fiber-optics

Wireless


Coaxial Cable (1 of 2)

Coaxial cable has high bandwidth and shielding capabilities.

Compared to standard twisted pair lines, coaxial cable (“coax”) is much less prone to outside interference.

It is much more expensive to run.

It was an original design specification for Ethernet connections.

Today, Ethernet specifications use faster, cheaper twisted-pair alternatives.

A “vampire tap” security risk exists: a hole drilled through the outer part of a coax cable gives access to the center conductor.


Coaxial cable is familiar to many households as a method of connecting televisions to VCRs or to satellite or cable services. It is used because of its high bandwidth and shielding capabilities. Compared to standard twisted pair lines such as telephone lines, coaxial cable (“coax”) is much less prone to outside interference. It is also much more expensive to run, both from a cost-per-foot measure and from a cable-dimension measure. Coax costs much more per foot than standard twisted-pair wires and carries only a single circuit for a large wire diameter.

An original design specification for Ethernet connections, coax was used from machine to machine in early Ethernet implementations. The connectors were easy to use and ensured good connections, and the limited distance of most office LANs did not carry a large cost penalty. Today, almost all of this older Ethernet specification has been replaced by faster, cheaper twisted-pair alternatives, and the only place you’re likely to see coax in a data network is from the cable box to the cable modem.

Because of its physical nature, it is possible to drill a hole through the outer part of a coax cable and connect to the center connector. This is called a “vampire tap” and is an easy method to get access to the signal and data being transmitted.


Coaxial Cable (2 of 2)

A coax connector


UTP/STP (1 of 2)

Shielded twisted-pair (STP) has a foil shield around the pairs to provide extra shielding from electromagnetic interference.

Unshielded twisted-pair (UTP) relies on the twist to eliminate interference.

UTP has a cost advantage over STP.

Categories: Cat 3, Cat 5/Cat 5e, Cat 6/Cat 6a, and Cat 7.

The standard method for connecting twisted-pair cables is via an 8-pin connector, called an RJ-45 connector.


Twisted-pair wires have all but completely replaced coaxial cables in Ethernet networks. Twisted-pair wires use the same technology used by the phone company for the movement of electrical signals. Single pairs of twisted wires reduce electrical crosstalk and electromagnetic interference. Multiple groups of twisted pairs can then be bundled together in common groups and easily wired between devices.

Twisted pairs come in two types, shielded and unshielded. Shielded twisted-pair (STP) has a foil shield around the pairs to provide extra shielding from electromagnetic interference. Unshielded twisted-pair (UTP) relies on the twist to eliminate interference. UTP has a cost advantage over STP and is usually sufficient for connections, except in very noisy electrical areas.

Twisted-pair lines are categorized by the level of data transmission they can support. Three current categories are in use:

Category 3 (Cat 3) – Minimum for voice and 10-Mbps Ethernet.

Category 5 (Cat 5/Cat 5e) – For 100-Mbps Fast Ethernet; Cat 5e is an enhanced version of the Cat 5 specification to address far-end crosstalk and is suitable for 1000 Mbps.

Category 6 (Cat 6/Cat 6a) – For 10-Gigabit Ethernet over short distances; Cat 6a is used for longer, up to 100m, 10-Gbps cables.

Category 7 (Cat 7) – For 10-Gigabit Ethernet and higher. Cat 7 has been used for 100 GB up to 15 meters.

The standard method for connecting twisted-pair cables is via an 8-pin connector, called an RJ-45 connector that looks like a standard phone jack connector but is slightly larger. One nice aspect of twisted-pair cabling is that it’s easy to splice and change connectors. Many a network administrator has made Ethernet cables from stock Cat-5 wire, two connectors, and a crimping tool. This ease of connection is also a security issue; because twisted-pair cables are easy to splice into, rogue connections for sniffing could be made without detection in cable runs. Both coax and fiber are much more difficult to splice because each requires a tap to connect, and taps are easier to detect.


UTP/STP (2 of 2)

A typical 8-wire UTP line

A typical 8-wire STP line

A bundle of UTP wires


Fiber (1 of 2)

Fiber-optic cable uses beams of laser light to connect devices over a thin glass wire.

The biggest advantage to fiber is its bandwidth.

Fiber has one major drawback—cost.

When measured by bandwidth, using fiber is cheaper than using competing wired technologies.

But connections to a fiber are difficult and expensive, and fiber is impossible to splice.

Cable companies use coax and DSL providers use twisted-pair to handle the “last mile” scenario.


The biggest advantage to fiber is its bandwidth, with transmission capabilities into the terabits per second range. Fiber-optic cable is used to make high-speed connections between servers and is the backbone medium of the Internet and large networks.

The length of runs of fiber can be much longer, and the data capacity of fiber is much higher.

Splicing fiber is practically impossible; the solution is to add connectors and connect through a repeater. This adds to the security of fiber in that unauthorized connections are all but impossible to make. The high cost of connections to fiber and the higher cost of fiber per foot also make it less attractive for the final mile in public networks where users are connected to the public switching systems. For this reason, cable companies use coax and DSL providers use twisted-pair to handle the “last mile” scenario.


Fiber (2 of 2)

A type of fiber terminator

A typical fiber-optic fiber, terminator, and connector block


Connections to a fiber are difficult and expensive, and fiber is impossible to splice. Making the precise connection on the end of a fiber-optic line is a highly skilled job and is done by specially trained professionals who maintain a level of proficiency. Once the connector is fitted on the end, several forms of connectors and blocks are used, as shown in the images.


Unguided Media (1 of 3)

Unguided media is a phrase used to cover all transmission media not guided by wire, fiber, or other constraints.

It includes radio frequency, infrared, and microwave methods.

Unguided media have one attribute in common.

They are unguided and as such can travel to many machines simultaneously.

Security must assume that unauthorized users have access to the signal.


Transmission patterns can be modulated by antennas, but the target machine can be one of many in a reception zone. As such, security principles are even more critical, as they must assume that unauthorized users have access to the signal.


Unguided Media (2 of 3)

Infrared (IR)

Infrared (IR) is a band of electromagnetic energy just beyond the red end of the visible color spectrum.

Today, IR seems to be everywhere.

IR can also be used to connect devices in a network configuration, but it is slow compared to other wireless technologies.

IR cannot penetrate walls but instead bounces off them.

Nor can it penetrate other solid objects; if you stack a few items in front of the transceiver, the signal is lost.


IR has been used in remote-control devices for years. IR made its debut in computer networking as a wireless method to connect to printers. Now that wireless keyboards, wireless mice, and mobile devices exchange data via IR, it seems to be everywhere.


Unguided Media (3 of 3)

RF/Microwave

RF waves are a common wireless communication method.

They use a variety of frequency bands, each with special characteristics.

Key features of microwave communications include:

Penetration of building structure

Broadcast capability

The “last mile” problem is the connection of individual consumers to a backbone, an expensive proposition because of the sheer number of connections and unshared line at this point in a network.


Removable Media

Moving storage media represents a security risk from a couple of angles.

The first is the potential loss of control over the data on the moving media.

Second is the risk of introducing unwanted items, such as a virus or a worm, when the media are attached back to a network.

Both of these issues can be remedied through policies and software.

The key is to ensure that the policies are enforced and the software is effective.


Magnetic Media (1 of 5)

Magnetic media store data through the rearrangement of magnetic particles on a nonmagnetic substrate.

Common forms include hard drives, floppy disks, zip disks, and magnetic tape.

All these devices share some common characteristics:

Each has sensitivity to external magnetic fields.

They are also affected by high temperatures, as in fires, and by exposure to water.


Magnetic Media (2 of 5)

Hard drives

Now they are small enough to attach to mobile devices.

A spinning platter rotates the magnetic media beneath heads that read the patterns in the oxide coating.

Capacities are growing.

A security control that helps protect the confidentiality of the data is full drive encryption built into the drive hardware.

Using a key that is controlled, through a Trusted Platform Module (TPM) interface for instance, this technology protects the data if the drive itself is lost or stolen.


Hard drives used to require large machines in mainframes. Now they are small enough to attach to mobile devices. The concepts remain the same among all of them: a spinning platter rotates the magnetic media beneath heads that read the patterns in the oxide coating. As drives have gotten smaller and rotation speeds have increased, the capacities have also grown. Today gigabytes of data can be stored in a device slightly larger than a bottle cap. Portable hard drives in the 1TB to 3TB range are now available and affordable.

One of the security controls available to help protect the confidentiality of the data is full drive encryption built into the drive hardware. Using a key that is controlled, through a Trusted Platform Module (TPM) interface for instance, this technology protects the data if the drive itself is lost or stolen. This may not be important if a thief takes the whole PC, but in larger storage environments, drives are placed in separate boxes and remotely accessed. In the specific case of notebook machines, this layer can be tied to smart card interfaces to provide more security. As this is built into the controller, encryption protocols such as Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) can be performed at full drive speed.


Magnetic Media (3 of 5)

Diskettes

Floppy disks were the computer industry’s first attempt at portable magnetic media.

The movable medium was placed in a protective sleeve, and the drive remained in the machine.

Capacities up to 1.4MB were achieved, but the fragility of the device as the size increased, as well as competing media, has rendered floppies almost obsolete.

Diskettes are part of history now.


Magnetic Media (4 of 5)

Tape

Its primary use has been bulk offline storage and backup.

The advantage of tape is low cost.

The disadvantage of tape is its nature as a serial access medium, making it slow to work with for large quantities of data.

Tapes are still a major concern from a security perspective, as they are used to back up many types of computer systems.

The physical protection afforded the tapes is of concern.


Several types of magnetic tape are in use today, ranging from quarter-inch to digital linear tape (DLT) and digital audio tape (DAT). These cartridges can hold upward of 60GB of compressed data.

Tapes are still a major concern from a security perspective, as they are used to back up many types of computer systems. The physical protection afforded the tapes is of concern, because if a tape is stolen, an unauthorized user could establish a network and recover your data on their own system, because it’s all stored on the tape. Offsite storage is needed for proper disaster recovery protection, but secure offsite storage and transport is what is really needed. This important issue is frequently overlooked in many facilities. The simple solution to maintain control over the data even when you can’t control the tape is encryption. Backup utilities can secure the backups with encryption, but this option is frequently not used, for a variety of reasons. Regardless of the rationale for not encrypting data, once a tape is lost, not using the encryption option becomes a lamented decision.


Magnetic Media (5 of 5)

A magnetic tape cartridge for backups


Optical Media (1 of 4)

Optical media involve the use of a laser to read data stored on a physical device.

A laser picks up deformities embedded in the media that contain the information.

As with magnetic media, optical media can be read-write, although the read-only version is still more common.


Optical Media (2 of 4)

CD-R/DVD

They operate as optical storage, with little marks burned in them to represent 1’s and 0’s on a microscopic scale.

The most common type of CD is the read-only version.

A second-generation device, the recordable compact disc (CD-R), allows users to create their own CDs.

A newer type, CD-RW, has a different dye that allows discs to be erased and reused.

The cost of the media increases from CD, to CD-R, to CD-RW.


The compact disc (CD) took the music industry by storm, and then it took the computer industry by storm as well. A standard CD holds more than 640MB of data, in some cases up to 800MB. The digital video disc (DVD) can hold almost 5GB of data single sided, 8.5GB dual layer. These devices operate as optical storage, with little marks burned in them to represent 1’s and 0’s on a microscopic scale. The most common type of CD is the read-only version, in which the data is written to the disc once and only read afterward. This has become a popular method for distributing computer software, although higher-capacity DVDs have replaced CDs for program distribution. A second-generation device, the recordable compact disc (CD-R), allows users to create their own CDs using a burner device in their PC and special software. Users can now back up data, make their own audio CDs, and use CDs as high-capacity storage. Their relatively low cost has made them economical to use. CDs have a thin layer of aluminum inside the plastic, upon which bumps are burned by the laser when recorded. CD-Rs use a reflective layer, such as gold, upon which a dye is placed that changes upon impact by the recording laser. A newer type, CD-RW, has a different dye that allows discs to be erased and reused. The cost of the media increases from CD, to CD-R, to CD-RW.


Optical Media (3 of 4)

A DVD (left) and CD (right)


Optical Media (4 of 4)

Blu-ray discs

The latest version of optical disc is the Blu-ray disc.

Using a smaller, violet-blue laser, this system can hold significantly more information than a DVD.

Blu-ray discs can hold up to 128 GB in four layers.

The transfer speed of Blu-ray at > 48 Mbps is over four times greater than that of DVD systems.

Designed for high-definition (HD) video, Blu-ray offers significant storage for data as well.

DVDs now occupy the same role that CDs have in the recent past.


DVDs now occupy the same role that CDs have in the recent past, except that they hold more than seven times the data of a CD. This makes full-length movie recording possible on a single disc. The increased capacity comes from finer tolerances and the fact that DVDs can hold data on both sides. A wide range of formats for DVDs include DVD+R, DVD-R, dual layer, and now HD formats, HD-DVD and Blu-ray. This variety is due to competing “standards” and can result in confusion. DVD+R and -R are distinguishable only when recording, and most devices since 2004 should read both. Dual layers add additional space but require appropriate dual layer–enabled drives.


Electronic Media (1 of 4)

The latest form of removable media is electronic memory.

Static memory, which retains data even without power

Variety of vendor-specific types:

Smart cards, SmartMedia, SD cards, flash cards, memory sticks, and CompactFlash devices

Range from small card-like devices to USB sticks

Storage size ranges from 256MB to 64GB, making them capable of carrying significant quantities of information


The latest form of removable media is electronic memory. Electronic circuits of static memory, which can retain data even without power, fill a niche where high density and small size are needed.

Originally used in audio devices and digital cameras, these electronic media come in a variety of vendor-specific types, such as smart cards, SmartMedia, SD cards, flash cards, memory sticks, and CompactFlash devices.

These memory devices range from small card-like devices, of which microSD cards are smaller than dimes and hold 2GB, to USB sticks that hold up to 64GB.

These devices are becoming ubiquitous, with new PCs and netbooks containing built-in slots to read them like any other storage device.

Several recent photo-quality color printers have been released with ports to accept the cards directly, meaning that a computer is not required for printing.

Computer readers are also available to permit storing data from the card onto hard drives and other media in a computer.

The size of storage on these devices ranges from 256MB to 64GB, making them capable of carrying significant quantities of information.


Electronic Media (2 of 4)

SD, microSD, and CompactFlash cards

128GB USB 3.0 memory stick


Electronic Media (3 of 4)

Solid-state hard drives

With the rise of solid-state memory technologies comes a solid-state “hard drive.”

Solid-state drives (SSDs) are moving into mobile devices, desktops, and even servers.

Memory densities are significantly beyond those of physical drives, there are no moving parts to wear out or fail, and SSDs have vastly superior performance specifications.

The only factor that has slowed the spread of this technology has been cost, but recent cost reductions have made this form of memory a first choice in many systems.


Electronic Media (4 of 4)

Figure 10.10 512GB solid-state half-height minicard


This figure shows a 512GB SSD from a laptop, on a half-height minicard mSATA interface.


Security Concerns for Transmission Media

The primary security concern for a system administrator has to be preventing physical access to a server by an unauthorized individual.

One of the administrator’s next major concerns should be preventing unfettered access to a network connection.

Preventing such access is costly, yet the cost of replacing a server because of theft is also costly.


The primary security concern for a system administrator has to be preventing physical access to a server by an unauthorized individual. Such access will almost always spell disaster, for with direct access and the correct tools, any system can be infiltrated. One of the administrator’s next major concerns should be preventing unfettered access to a network connection. Access to switches and routers is almost as bad as direct access to a server, and access to network connections would rank third in terms of worst-case scenarios. Preventing such access is costly, yet the cost of replacing a server because of theft is also costly.


Physical Security Concerns (1 of 2)

A balanced approach is the most sensible approach when addressing physical security, and this applies to transmission media as well.

One of the keys to mounting a successful attack on a network is information.

Usernames, passwords, server locations—all of these can be obtained if someone has the ability to observe network traffic in a process called sniffing.

Many common scenarios exist when unauthorized entry to a network occurs.


Keeping network switch rooms secure and cable runs secure seems obvious, but cases of using janitorial closets for this vital business purpose abound. One of the keys to mounting a successful attack on a network is information. Usernames, passwords, server locations—all of these can be obtained if someone has the ability to observe network traffic in a process called sniffing.

A sniffer can record all the network traffic, and this data can be mined for accounts, passwords, and traffic content, all of which can be useful to an unauthorized user. One starting point for many intrusions is the insertion of an unauthorized sniffer into the network, with the fruits of its labors driving the remaining unauthorized activities. Many common scenarios exist when unauthorized entry to a network occurs, including these:

Inserting a node and functionality that is not authorized on the network, such as a sniffer device or unauthorized wireless access point

Modifying firewall security policies

Modifying ACLs for firewalls, switches, or routers

Modifying network devices to echo traffic to an external node

Network devices and transmission media become targets because they are dispersed throughout an organization, and physical security of many dispersed items can be difficult to manage. Although limiting physical access is difficult, it is essential. The least level of skill is still more than sufficient to accomplish unauthorized entry into a network if physical access to the network signals is allowed. This is one factor driving many organizations to use fiber-optics, for these cables are much more difficult to tap. Although many tricks can be employed with switches and VLANs to increase security, it is still essential that you prevent unauthorized contact with the network equipment.
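The unauthorized-entry scenarios listed above (an inserted node such as a sniffer or rogue access point, and modified firewall ACLs) can be caught by comparing what the network currently shows against an approved baseline. The routine below is an added example, not from the textbook; the device inventory, switch-port names, MAC addresses, and ACL lines are all constructed sample data.

```python
"""Added example: baseline comparison for two of the chapter's scenarios.

audit_hosts()  - flags MAC addresses not in the approved inventory and
                 approved devices that turn up on a different switch port
                 (how an inserted sniffer or rogue access point shows up).
audit_acl()    - flags ACL lines added, removed, or reordered relative to
                 the approved rule set (the modified-ACL scenario).
All data below is constructed for the demo.
"""
from __future__ import annotations

import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    mac: str
    switch_port: str
    description: str


# Constructed baseline: approved devices and the port each is plugged into.
BASELINE_HOSTS = {
    Host("00:11:22:33:44:01", "sw1/1", "file server"),
    Host("00:11:22:33:44:02", "sw1/2", "print server"),
}

# Constructed observation (e.g. from the switch's MAC address table): the
# print server has moved ports and an unlisted device appeared on sw1/7.
OBSERVED_HOSTS = {
    Host("00:11:22:33:44:01", "sw1/1", "file server"),
    Host("00:11:22:33:44:02", "sw1/9", "print server"),
    Host("aa:bb:cc:dd:ee:ff", "sw1/7", "(unlisted)"),
}

# Constructed firewall ACLs, one rule per line, order significant.
BASELINE_ACL = [
    "permit tcp any host 10.0.0.5 eq 443",
    "deny ip any any",
]
RUNNING_ACL = [
    "permit tcp any host 10.0.0.5 eq 443",
    "permit ip any any",          # inserted rule that opens the firewall
    "deny ip any any",
]


def audit_hosts(observed: set[Host], baseline: set[Host]) -> list[str]:
    """Return one finding per unknown device, port move, or missing device."""
    findings: list[str] = []
    approved_by_mac = {h.mac: h for h in baseline}
    observed_macs = {h.mac for h in observed}
    for host in sorted(observed, key=lambda h: h.switch_port):
        approved = approved_by_mac.get(host.mac)
        if approved is None:
            findings.append(f"unknown device {host.mac} on {host.switch_port}")
        elif approved.switch_port != host.switch_port:
            findings.append(
                f"{approved.description} ({host.mac}) moved from "
                f"{approved.switch_port} to {host.switch_port}"
            )
    for host in sorted(baseline, key=lambda h: h.switch_port):
        if host.mac not in observed_macs:
            findings.append(
                f"{host.description} ({host.mac}) missing from {host.switch_port}"
            )
    return findings


def audit_acl(running: list[str], baseline: list[str]) -> list[str]:
    """Return the added (+) and removed (-) ACL lines; an empty list means no drift."""
    diff = difflib.unified_diff(baseline, running, "baseline", "running",
                                lineterm="", n=0)
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    for finding in audit_hosts(OBSERVED_HOSTS, BASELINE_HOSTS):
        print("HOST:", finding)
    for finding in audit_acl(RUNNING_ACL, BASELINE_ACL):
        print("ACL: ", finding)
```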


Physical Security Concerns (2 of 2)

Although limiting physical access is difficult, it is essential.

Despite other measures, it is still essential that you prevent unauthorized contact with the network equipment.

To ensure that unauthorized traffic does not enter your network through a wireless access point, you must either use a firewall with an authentication system or establish a VPN.


Network devices and transmission media become targets because they are dispersed throughout an organization, and physical security of many dispersed items can be difficult to manage. The least level of skill is still more than sufficient to accomplish unauthorized entry into a network if physical access to the network signals is allowed. This is one factor driving many organizations to use fiber-optics, for these cables are much more difficult to tap. Although many tricks can be employed with switches and VLANs to increase security, it is still essential that you prevent unauthorized contact with the network equipment.

Wireless networks make the intruder’s task even easier, as they take the network to the users, authorized or not. A technique called war-driving involves using a laptop and software to find wireless networks from outside the premises. A typical use of war-driving is to locate a wireless network with poor (or no) security and obtain free Internet access, but other uses can be more devastating. A simple solution is to place a firewall between the wireless access point and the rest of the network and authenticate users before allowing entry. Business users use VPN technology to secure their connection to the Internet and other resources, and home users can do the same thing to prevent neighbors from “sharing” their Internet connections. To ensure that unauthorized traffic does not enter your network through a wireless access point, you must either use a firewall with an authentication system or establish a VPN.


Cloud Computing

Cloud computing is a common term used to describe computer services provided over a network.

This includes computing, storage, applications, and services that are offered via the Internet Protocol.

One of the characteristics of cloud computing is transparency to the end user.

Security is a particular challenge when data and computation are handled by a remote party, as in cloud computing.

Clouds can be created by many entities, internal and external to an organization.


One of the characteristics of cloud computing is transparency to the end user. This improves usability of this form of service provisioning. Cloud computing offers much to the user: improvements in performance, scalability, flexibility, security, and reliability, among other items. These improvements are a direct result of the specific attributes associated with how cloud services are implemented.

Security is a particular challenge when data and computation are handled by a remote party, as in cloud computing. The specific challenge is how one allows data outside the enterprise and yet remains in control over how the data is used; the common answer is encryption. By properly encrypting data before it leaves the enterprise, external storage can still be performed securely.

Clouds can be created by many entities, internal and external to an organization. Commercial cloud services are already available and offered by a variety of firms, as large as Google and Amazon, to smaller, local providers. Internal services can replicate the advantages of cloud computing while improving the utility of limited resources. The promise of cloud computing is improved utility and, as such, is marketed under the concepts of Software as a Service, Platform as a Service, and Infrastructure as a Service.


Private

If your organization is highly sensitive to sharing resources, you may wish to consider the use of a private cloud.

Private clouds are essentially reserved resources used only for your organization—your own little cloud within the cloud.

This service will be considerably more expensive, but it should also carry less exposure and should enable your organization to better define the security, processing, and handling of data that occurs within your cloud.

Public

The term public cloud refers to cloud service rendered over a system that is open for public use.

In most cases, there is little operational difference between public and private cloud architectures, but the security ramifications can be substantial.

Although public cloud services will separate users with security restrictions, the depth and level of these restrictions, by definition, will be significantly less in a public cloud.

Hybrid

A hybrid cloud structure is one where elements are combined from private, public, and community cloud structures.

When examining a hybrid structure, you need to remain cognizant that operationally these differing environments may not actually be joined, but rather used together.

Sensitive information can be stored in the private cloud and information related to the shared initiative in the community cloud, with a single application accessing both.

This makes the overall system a hybrid cloud system.

Community

A community cloud system is one where several organizations with a common interest share a cloud environment for the specific purposes of the shared endeavor.

An example is local public entities and key local firms sharing a community cloud dedicated to serving the interests of community initiatives.

This can be an attractive cost-sharing mechanism for specific data-sharing initiatives.

Software as a Service

Software as a Service (SaaS) is the offering of software to end users from within the cloud.

Rather than installing software on client machines, SaaS acts as software on demand where the software runs from the cloud.

This has several advantages, as updates are often seamless to end users and integration between components is enhanced.

Platform as a Service

Platform as a Service (PaaS) is a marketing term used to describe the offering of a computing platform in the cloud.

Multiple sets of software, working together to provide services, such as database services, can be delivered via the cloud as a platform.

Infrastructure as a Service

Infrastructure as a Service (IaaS) is a term used to describe cloud-based systems that are delivered as a virtual platform for computing.

Rather than building data centers, IaaS allows firms to contract for utility computing as needed.

VDI/VDE (1 of 2)

Virtual desktop infrastructure (VDI) and virtual desktop environment (VDE) are terms used to describe the hosting of a desktop environment on a central server.

VDI/VDE (2 of 2)

Advantages to this desktop environment:

From a user perspective, their “machine” and all of its data are persisted in the server environment.

Computing requirements at the edge point are considerably lower and can be performed on older machines.

Users can utilize a wide range of machines to get their work finished.

Security benefits because no data resides on the endpoint: a lost or stolen device exposes little beyond whatever credentials are cached on it, so those credentials still need protecting.

On-Premises vs. Hosted vs. Cloud

On-premises: the system resides within the local enterprise.

Advantage: total control and generally high connectivity.

Disadvantage: it requires local resources and is not as easy to scale.

Hosted services: the services are housed somewhere else, commonly in a shared environment.

Storage works the opposite with scale

Security as a Service

Security as a Service is the outsourcing of security functions to a vendor that has advantages in scale, costs, or speed.

Different security vendors offer different specializations.

Depending on architecture, needs, and scale, these third-party vendors can often offer a compelling economic advantage for part of a security solution.

Cloud Access Security Broker

Cloud access security brokers (CASBs) are integrated suites of tools or services offered as Security as a Service, or third-party managed security service providers (MSSPs), focused on cloud security.

CASB vendors provide a range of security services designed to protect cloud infrastructure and data.

CASBs act as security policy enforcement points between cloud service providers and their customers, enacting enterprise security policies as cloud-based resources are used.
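What "policy enforcement point" means in practice, as an added example and not code from the book or from any CASB vendor: a small broker that sees each user operation against a cloud service, refuses unsanctioned apps outright, applies ordered rules keyed on group, app and action, runs content inspection on uploads before allowing them, and denies anything no rule matches. The app hostnames, group names, rule set and the SSN-like DLP pattern are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Action is the operation a user attempts against a cloud service.
type Action string

const (
	ActUpload   Action = "upload"
	ActDownload Action = "download"
	ActShare    Action = "share"
)

// Request is what the broker sees for one user operation. Field names and
// the app hostnames used below are illustrative, not any vendor's API.
type Request struct {
	User   string
	Groups []string
	App    string // cloud service host the user is talking to
	Action Action
	Body   []byte // request payload, inspected for uploads
}

// Decision is the broker's verdict with a reason suitable for logging.
type Decision struct {
	Allow  bool
	Reason string
}

// Rule matches on group, app and action; "*" or "" mean "any".
// Inspect=true runs content inspection before an upload is allowed.
type Rule struct {
	Name    string
	Group   string
	App     string
	Action  Action
	Allow   bool
	Inspect bool
}

// ssnLike is a constructed DLP pattern standing in for a real classifier.
var ssnLike = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// Broker is the policy enforcement point between users and cloud services.
type Broker struct {
	Sanctioned map[string]bool // apps the enterprise has approved for use
	Rules      []Rule          // evaluated in order; first match wins
}

// Evaluate applies enterprise policy to one request: unsanctioned apps are
// refused, the first matching rule decides, content inspection gates
// uploads, and anything unmatched is denied by default.
func (b *Broker) Evaluate(r Request) Decision {
	if !b.Sanctioned[r.App] {
		return Decision{false, "unsanctioned cloud app " + r.App}
	}
	for _, rule := range b.Rules {
		if !matches(rule, r) {
			continue
		}
		if !rule.Allow {
			return Decision{false, "denied by rule " + rule.Name}
		}
		if rule.Inspect && r.Action == ActUpload && ssnLike.Match(r.Body) {
			return Decision{false, "blocked by rule " + rule.Name + ": sensitive data in upload"}
		}
		return Decision{true, "allowed by rule " + rule.Name}
	}
	return Decision{false, "no matching rule (default deny)"}
}

func matches(rule Rule, r Request) bool {
	if rule.App != "*" && rule.App != r.App {
		return false
	}
	if rule.Action != "" && rule.Action != r.Action {
		return false
	}
	if rule.Group == "*" {
		return true
	}
	for _, g := range r.Groups {
		if g == rule.Group {
			return true
		}
	}
	return false
}

// examplePolicy is a constructed policy set: contractors may not share,
// staff may upload (subject to inspection) and download, nothing else.
func examplePolicy() *Broker {
	return &Broker{
		Sanctioned: map[string]bool{"crm.example-saas.test": true, "files.example-saas.test": true},
		Rules: []Rule{
			{Name: "no-contractor-sharing", Group: "contractors", App: "*", Action: ActShare, Allow: false},
			{Name: "staff-upload-dlp", Group: "staff", App: "*", Action: ActUpload, Allow: true, Inspect: true},
			{Name: "staff-read", Group: "staff", App: "*", Action: ActDownload, Allow: true},
		},
	}
}

func main() {
	b := examplePolicy()
	reqs := []Request{ // constructed sample traffic
		{User: "alice", Groups: []string{"staff"}, App: "files.example-saas.test", Action: ActUpload, Body: []byte("Q3 roadmap draft")},
		{User: "alice", Groups: []string{"staff"}, App: "files.example-saas.test", Action: ActUpload, Body: []byte("payroll: 123-45-6789")},
		{User: "bob", Groups: []string{"contractors"}, App: "crm.example-saas.test", Action: ActShare},
		{User: "carol", Groups: []string{"staff"}, App: "unknown-drive.test", Action: ActDownload},
	}
	for _, r := range reqs {
		d := b.Evaluate(r)
		fmt.Printf("%-6s %-9s %-25s allow=%-5t %s\n", r.User, r.Action, r.App, d.Allow, d.Reason)
	}
}
```

Two design choices matter here: the sanctioned-app check runs before any rule, so shadow IT is refused even for a user whose rules would otherwise allow the action, and the rule list ends in default deny, so adding a new group or app requires an explicit allow rather than silently inheriting access.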

Chapter Summary (1 of 2)

Construct networks using different types of network devices.

Enhance security using security devices.

Understand virtualization concepts.

Enhance security using NAC/NAP methodologies.

Identify the different types of media used to carry network signals.

Chapter Summary (2 of 2)

Describe the different types of storage media used to store information.

Use basic terminology associated with network functions related to information security.

Describe the different types and uses of cloud computing.
