Lecture1-netsec_ppt08_l01.pptx

Network Security, Firewalls, and VPNs

Lesson 1

Network Security Basics, Threats, and Issues

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Explain the fundamental concepts of network security

Review essential Transmission Control Protocol/Internet Protocol (TCP/IP) behavior and applications used in IP networking

Recognize the impact that malicious exploits and attacks have on network security


1/5/18

(c) ITT Educational Services, Inc.


Key Concepts

Confidentiality, integrity, and availability (C-I-A)

Network security and its value to the enterprise

Roles and responsibilities in network security

Network security countermeasures

TCP/IP protocol analysis

IP networking protocol

Network management tools


Key Concepts (continued)

What you need to protect and from whom

Risk assessment for network infrastructure

Wired and wireless network infrastructure risks, threats, and vulnerabilities

Common network hacking tools, applications, exploits, and attacks

Social engineering practices and their impact on network security efforts


Primary Goals of Information Security

Confidentiality

Integrity

Availability

(Diagram: the three primary goals shown around "Security" at the center)


Secondary Goals of Information Security

Authentication

Authorization

Nonrepudiation

Privacy

(Diagram: the secondary goals shown alongside the primary goals Confidentiality, Integrity, and Availability)


Seven Domains of a Typical IT Infrastructure


User Domain—This domain refers to actual users whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization’s IT infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure.

Workstation Domain—This domain refers to the end user’s desktop devices such as a desktop computer, laptop, VoIP telephone, or other end-point device. Workstation devices typically require security countermeasures such as antivirus, antispyware, and vulnerability software patch management to maintain the integrity of the device.

LAN Domain—This domain refers to the physical and logical local area network (LAN) technologies (i.e., 100 Mbps/1000 Mbps switched Ethernet, 802.11-family of wireless LAN technologies) used to support workstation connectivity to the organization’s network infrastructure.

LAN-to-WAN Domain—This domain refers to the organization’s internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZs), and intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are commonly used as security monitoring devices in this domain.

Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infrastructure, systems, and data. Remote access solutions typically involve Secure Sockets Layer (SSL) 128-bit encrypted remote browser access or encrypted virtual private network (VPN) tunnels for secure remote communications.

WAN Domain—Organizations with remote locations require a WAN to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations sometimes under a managed service offering by the service provider.

System/Application Domain—This domain refers to the hardware, operating system software, database software, client/server applications, and data that is typically housed in the organization’s data center and/or computer rooms.


The Need for Information Security

Risk

Threat

Vulnerability


Risk: Likelihood that a threat will exploit a vulnerability and the impact it will have on an organization

Threat: The possibility of a vulnerability being exploited

Vulnerability: Weakness in a process or system that has the potential to adversely impact confidentiality, availability, or integrity

Information Assurance

(Diagram: information assurance across the Seven Domains of a Typical IT Infrastructure, covering Confidentiality, Integrity, Availability, Nonrepudiation, and Authentication)


Network security goals vary from organization to organization. Often they include a few common mandates:

• Ensure the confidentiality of resources

• Protect the integrity of data

• Maintain availability of the IT infrastructure

• Ensure the privacy of personally identifiable data

• Enforce access control

• Monitor the IT environment for violations of policy

• Support business tasks and the overall mission of the organization


Security Policy

Establish goals

Address risk

Provide roadmap for security

Set expectations

Link to business objectives

Map of laws and regulations

Supported by standards, procedures, and guidelines


The creation of policies allows the risks of loss, destruction, or corruption of information to be mitigated.

Examples of Network Infrastructures

Workgroup

SOHO

Client/server

LAN versus WAN

Thin client and terminal services

Remote access and VPNs

Boundary networks


Workgroup

Small

Limited uses

No central authority

Security policy is managed individually

SOHO

Small

Some level of central management

Not scalable

Client/Server

Shared resources

Larger networks

Complexity

Centralized control


A Typical Workgroup


A Typical Client/Server Network


A Typical VPN


Typical Boundary Networks


TCP/IP Protocol Suite


The four TCP/IP layers and the protocols found at each:

Application layer: Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Hypertext Transfer Protocol (HTTP), Telnet, File Transfer Protocol (FTP)

Transport layer: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)

Internet layer: Internet Protocol (IP), IPSec, Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), and Internet Group Management Protocol (IGMP)

Network Interface layer: Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP)

TCP/IP Networking and OSI Reference Models


The TCP/IP model corresponds to layers in the OSI model.

The OSI layers are:

• Application layer (layer 7)—This layer enables communications with the host software, including the operating system. The application layer is the interface between host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data.

• Presentation layer (layer 6)—This layer translates the data received from the host software into a format acceptable to the network. This layer also performs this task in reverse for data going from the network to the host software.

• Session layer (layer 5)—This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple, simultaneous sessions.

• Transport layer (layer 4)—This layer formats and handles data transportation. This transportation is independent of and transparent to the application.

• Network layer (layer 3)—This layer handles logical addressing (IP addresses) and routing traffic.

• Data link layer (layer 2)—This layer manages physical addressing (MAC addresses) and supports the network topology, such as Ethernet.

• Physical layer (layer 1)—This layer converts data into transmitted bits over the physical network medium.


OSI layers mapped to the TCP/IP layers:

Application (TCP/IP): 7. Application, 6. Presentation, 5. Session

Transport (TCP/IP): 4. Transport

Internet (TCP/IP): 3. Network

Network Interface (TCP/IP): 2. Data link, 1. Physical

The Structure of a Packet


A Packet Moves Through the Protocol Stack


As data moves from a software application for transmission over the network, it traverses the layers of the protocol stack from top to bottom. As each layer receives data from the layer above it, that data becomes the payload, and the layer adds its own layer-specific header.

At the Data link layer, where Ethernet resides, the data receives a footer as well. This process is known as encapsulation. The inverse, known as de-encapsulation, occurs when a network communication is received. As this process takes place, the data set being manipulated receives unique names, depending on the layer it traverses.

The encapsulation process of adding headers (and a footer at the Data link layer) enables data exchange between layers on different systems. This is known as peer-to-peer communications. The content of a header includes information to be processed by the corresponding layer on the receiving end of a network link.

The content of the headers is the greatest concern and focus of a firewall. Application proxy firewalls and stateful inspection firewalls can also examine the headers and the payload content of layers 5–7.
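The encapsulation walk described above, as an added example that is not part of the lecture: each layer prepends its header on the way down, and a filter peels them off on the way up, checking every length and the IPv4 header checksum before trusting a field. The MAC and IP addresses, ports and payload are constructed sample values; the sequence number and TCP checksum are left fixed so the focus stays on framing.

```python
import socket
import struct

# Constructed sample addresses (documentation ranges; not from the slides)
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "192.0.2.10"
DST_IP = "198.51.100.20"

# TCP flag bits in the order they sit in the header's flags byte
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header; yields 0 for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def flag_names(flags: int) -> list:
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def encapsulate(payload: bytes, sport: int, dport: int, flags: int) -> bytes:
    """Walk the stack top to bottom: each layer prepends its own header."""
    # Transport layer: 20-byte TCP header (data offset 5 words, no options).
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    segment = tcp + payload
    # Internet layer: 20-byte IPv4 header; the checksum covers the header only.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    # Network interface layer: Ethernet header, EtherType 0x0800 = IPv4.
    # The 4-byte Ethernet footer (FCS) is normally appended by the NIC; omitted here.
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + ip + segment


def decapsulate(frame: bytes) -> dict:
    """Walk the stack bottom to top, peeling one header per layer the way a
    packet filter does; every length is checked before it is trusted."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_byte >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(), "dst_mac": frame[:6].hex(),
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flag_names(flags), "payload": tcp[data_off:],
    }


def verify_frame(frame: bytes) -> str:
    """Return 'ok' when the frame parses cleanly, otherwise the rejection reason."""
    try:
        decapsulate(frame)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    frame = encapsulate(b"USER anonymous\r\n", 49152, 21, TCP_FLAGS["PSH"] | TCP_FLAGS["ACK"])
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```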


IP Addressing

Assigned to computers for identification on a network

Internet routing uses numeric IP addresses

IP addresses in packet headers

A packet makes many hops between source and destination

IPv4 32-bit address

IPv6 128-bit address


Protocol Analysis Functions of a Protocol Analyzer

Why analyze data packets?

Detect network problems, such as bottlenecks

Detect network intrusions

Check for vulnerabilities

Gather network statistics

What does a protocol analyzer do?

Captures and decodes data packets traveling on a network

Allows you to read and analyze them


NetWitness Investigator

Threat analysis software

Protocol Analyzer

Captures raw packets from wired and wireless interfaces

Analyzes real-time data throughout the seven layers


NetWitness Investigator (cont.)

Filters by Media Access Control (MAC) address, IP address, user, and more

Supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6)

Gets daily threat intelligence data from the SANS Internet Storm Center

Freely available


Wireshark

Network protocol analyzer

Captures Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and other packets

Analyzes real-time and saved data

Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and others

Supports IPv4 and IPv6

Allows Voice over IP (VoIP) analysis

Freely available


Packet Capture Using NetWitness Investigator


Select parsers to use with capture

Geolocation IP (GeoIP), Search, FLEXPARSE

Define rules or capture

Verify capture configuration settings

Filters and alerts

Network Adapter, Advanced Capture Settings, and Evidence Handling

Start the capture

Trace Analysis Using NetWitness Investigator

Navigation Search


Select a collection.

Click Navigation.

Select a report.

Select a group of sessions.

Search for specific content.

Open a collection.

Click the Content Search icon.

Search on keyword or regular expression.

TCP/IP Transaction Sessions

Connection-oriented

Sender

Breaks data into packets

Attaches packet numbers

Receiver

Acknowledges receipt; lost packets are resent

Reassembles packets in correct order


TCP Three-Way Handshake

Server

Host

1 - SYN

2 - SYN/ACK

3 - ACK

Synchronize (SYN)

Acknowledge (ACK)


The three-way handshake used by TCP establishes a session between two systems.

The first system sends a packet with the SYN flag set.

The second system responds with a packet that has the SYN and ACK flags set.

The first system responds with a packet with the ACK flag set.

The two systems have now started a session.


TCP Connection Termination

Acknowledge (ACK)

Finish (FIN)

Server

Host

1 - ACK/FIN

2 - ACK

3 - ACK/FIN

4 - ACK


Because a TCP connection is two-way, it needs to be “torn down” in both directions.

The TCP connection termination process uses four packets.

The first system sends a TCP packet with the ACK and FIN flags set requesting termination.

The second system sends an ACK response.

The second system then sends a packet with ACK and FIN flags set.

The first system returns an ACK response.


TCP Connection Reset

Server

Host

1 - SYN

2 - SYN/ACK

3 - RST

Synchronize (SYN)

Acknowledge (ACK)

Reset (RST)


Sometimes a host may need to terminate a connection quickly, due to a port being unreachable or a timeout, for example.

Can send a Reset (RST) packet.

An initial SYN packet should never have the FIN or RST flag set as well. Such a packet indicates an attack or a malicious attempt to get past your firewall.


Network Protocol Examination

Normal Packet

Connecting to an FTP server

Port 53 (DNS) in UDP

Three-way handshake completes

Packet Showing Evidence of Port Scan

Series of TCP packets, part of three-way handshake

Arrange segments in sequential order by source port

Destination ports also in sequential order

Classic TCP port scan
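The following added example, which is not part of the original lecture, applies the checks from the last two slides to a constructed sample capture: it rejects an initial SYN that also carries FIN or RST, follows each connection through the three-way handshake, and flags a source whose initial SYNs, once sorted by source port, walk consecutive destination ports on one target. The packet records, addresses and the alert threshold of five consecutive ports are constructed assumptions.

```python
from collections import defaultdict

SCAN_THRESHOLD = 5  # consecutive destination ports from one source before alerting (assumed)

# Constructed sample capture (not from the slides): a normal FTP connection,
# one malformed initial SYN, and a small sequential port scan.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "sport": 49152, "dst": "198.51.100.20", "dport": 21, "flags": {"SYN"}},
    {"src": "198.51.100.20", "sport": 21, "dst": "192.0.2.10", "dport": 49152, "flags": {"SYN", "ACK"}},
    {"src": "192.0.2.10", "sport": 49152, "dst": "198.51.100.20", "dport": 21, "flags": {"ACK"}},
    {"src": "192.0.2.10", "sport": 49152, "dst": "198.51.100.20", "dport": 21, "flags": {"PSH", "ACK"}},
    # an initial SYN that also carries FIN: never legitimate, per the slide
    {"src": "203.0.113.5", "sport": 40000, "dst": "198.51.100.20", "dport": 80, "flags": {"SYN", "FIN"}},
] + [
    # one source probing ports 20..26 in order, with a rising source port for each probe
    {"src": "203.0.113.7", "sport": 50000 + i, "dst": "198.51.100.20", "dport": 20 + i, "flags": {"SYN"}}
    for i in range(7)
]


def is_initial_syn(pkt: dict) -> bool:
    return "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]


def is_illegal_syn(pkt: dict) -> bool:
    """An initial SYN must not carry FIN or RST."""
    return is_initial_syn(pkt) and bool(pkt["flags"] & {"FIN", "RST"})


def handshake_states(packets: list) -> dict:
    """Follow each client->server connection through SYN, SYN/ACK, ACK."""
    state = {}
    for p in packets:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if is_initial_syn(p):
            state[fwd] = "SYN_SENT"
        elif p["flags"] >= {"SYN", "ACK"} and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_RECEIVED"      # server answered; key stays client->server
        elif "ACK" in p["flags"] and state.get(fwd) == "SYN_RECEIVED":
            state[fwd] = "ESTABLISHED"       # third packet completes the handshake
    return state


def detect_port_scans(packets: list, threshold: int = SCAN_THRESHOLD) -> list:
    """Group initial SYNs per (source, target), order them by source port as the
    slide suggests, and look for a run of consecutive destination ports."""
    probes = defaultdict(list)
    for p in packets:
        if is_initial_syn(p):
            probes[(p["src"], p["dst"])].append((p["sport"], p["dport"]))
    alerts = []
    for (src, dst), pairs in probes.items():
        dports = [d for _, d in sorted(pairs)]
        longest = run = 1
        for prev, cur in zip(dports, dports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= threshold:
            alerts.append({"src": src, "dst": dst, "ports": dports, "consecutive": longest})
    return alerts


def analyze(packets: list) -> dict:
    """Summarise the three checks for a capture."""
    return {
        "illegal_syn": [p for p in packets if is_illegal_syn(p)],
        "established": [k for k, s in handshake_states(packets).items() if s == "ESTABLISHED"],
        "scans": detect_port_scans(packets),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_PACKETS).items():
        print(name, hits)
```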


Clear-Text vs. Encrypted Protocols

Clear-text Protocols

Are human readable

FTP, Telnet, Simple Mail Transfer Protocol (SMTP), HTTP, Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAPv4), Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP)

Encrypted Protocols

Are not human readable

Secure Shell (SSH), SSH File Transfer Protocol (SFTP), HTTP Secure (HTTPS)


Malware ~ Malicious Code

Distribution Methods

Software downloads

E-mail

Malicious web sites

File transfer

Flaws in software

Effects of Malware

Data loss, exposure, or change

Poor system performance

Pop-up ads

System becomes a “bot” or “zombie”


Also known as malicious code

Distributed by:

Software downloads

E-mail

Malicious Web sites

File transfer

Flaws in software

Effects of malware:

Data loss, exposure, or change

Poor system performance

Pop-up ads

System becomes a “bot” or “zombie” in control of the attacker


Common Types of Malware

Viruses and Worms

Trojan Horses

Keystroke Loggers (“keyloggers”)

Spyware and Adware

Rootkits

Logic Bombs

Trapdoors and Backdoors

URL Injectors and Browser Redirectors

Exploits


Malware: Viruses and Worms

Viruses

Infect boot sectors or files, such as executables, drivers, and system files

Need user interaction to spread

Worms

Infect systems

Don’t need user interaction to spread

Can be carriers for other types of malicious code


Viruses

Infect boot sectors or files, such as executables, drivers, and system files

Need user interaction to spread

Spread file to file upon opening

May spread to other systems through e-mail or network shares

Worms

Infect systems

Don’t need user interaction to spread

Scan systems for flaws

Exploit flaws to infect other systems

Can be carriers for other types of malicious code


Malware: Trojan Horses

Delivery method for a malicious payload

Usually appear to be a benign program, such as a game or utility

Installed by users without knowledge of malicious payload

Allows remote access to attackers


Malware: Keystroke Loggers

Also called “keyloggers”

Software-based keyloggers can be installed via worms or Trojan horses

Record keystrokes and transmit them to the attacker

Hardware-based keyloggers


Also called “keyloggers”

Software-based keyloggers can be installed via worms or Trojan horses

Record keystrokes and transmit them to the attacker

E-mail

FTP

Instant message

Hardware-based keyloggers

Inline with keyboard cable

In keyboard


Malware: Spyware and Adware

Spyware

Adware

May be bundled together

May be embedded in other programs

May masquerade as antimalware product


Spyware

Monitors and records user activities, like keylogging software

Transmits information back to originating author

Adware

Similar to spyware

Delivers advertising through pop-ups, e-mail, or browser redirection

May be bundled together

May be embedded in other programs

May masquerade as antimalware products

Examples:

BonziBuddy

Gator/Gain Ad Server adware

Antivirus 2008


Malware: Rootkits

Code that positions itself between the operating system kernel and the hardware

Allows attacker to gain root/administrative access to system

Uses of rootkits


Code that positions itself between the operating system kernel and the hardware.

Allows attacker to gain root/administrative access to system

Can be used to:

Take control of a system

Hide data files

Hide other malware or hacker tools


Malware: Logic Bombs

Malicious code that lies dormant until triggered

Triggering events

Time and date

Program launch

Keyword

Accessing a URL


Malware: Backdoors and Trapdoors

Synonyms for the same type of malware

Bypass normal authentication or security controls

Benefits to the attacker

Examples of backdoors and trapdoors


Synonyms for the same type of malware

Bypass normal authentication or security controls

May allow attacker to:

Gain remote access to the system

Alter files and system settings

Install hidden software

Gain control of the system

Turn the system into a bot

Use the system to send spam

Examples:

Back Orifice – Early Microsoft Windows program designed for remote access and administration but also had malicious properties

Mydoom virus – Installs a back door on the infected computer


Malware: URL Injectors and Browser Redirection

Also called browser hijacking

Replace URLs with alternative addresses

Redirect browser to target Web sites

May also change browser home page

May prevent access to anti-malware Web sites

May inject entries into HOSTS file

Other malware may contain URL injector code


Malware: Exploits

Take advantage of flaws or bugs in software

Often embedded into other forms of malware

May be stand-alone or part of hacker toolkits


Take advantage of flaws or bugs in software

Code bugs

Timing

Communication

Storage

Often embedded into other forms of malware

May be stand-alone or part of hacker toolkits


Advanced Persistent Threat

Highly targeted

Targeting intelligence often gleaned from other types of attacks

Phishing

Social engineering

Occurrence has increased dramatically but represents a small percentage of attacks


Impact of Malware on Organizations

Melissa Virus caused $80 million in damages in North America

SQL Slammer Virus

Code Red


Melissa virus caused $80 million in damages in North America

SQL Slammer virus

$1 billion in damages

Bank of America ATMs unavailable

Continental Airlines flights delayed or canceled

Code Red

300,000+ computers infected

Denial of service

Cisco DSL routers stopped forwarding traffic

Sources:

Sophos http://www.sophos.com/pressoffice/news/articles/1999/12/va_melissa.html

CNET http://news.cnet.com/2009-1001-983540.html

CNET http://news.cnet.com/2100-1001-270314.html&tag=txt


Application Vulnerabilities

Buffer overflow

SQL Injection

Cross-site scripting (XSS)

Cached credentials


Buffer overflow

Injection of more data than a memory buffer can hold

May result in arbitrary code execution

SQL Injection

Inserts code via unsanitized data input on Web sites

Allows access to back-end databases

Cross-site scripting (XSS)

Attackers insert client-side script into Web pages

Allows malicious scripts to be run in the user’s context

Cached credentials

Credentials stored on local machine, for example browser cache

Can be discovered by and reused by an attacker


Mitigating Application Vulnerabilities

In-House Coding

Operating systems or applications

Vulnerability scanning

Open Web Application Security Project (OWASP) for Web application security


The instructor should include real-world examples based on professional experience.

For in-house coding:

Implement secure coding practices.

Include security in the software development life cycle.

Perform testing and quality control.

For operating systems or applications:

Keep abreast of vulnerabilities.

National Vulnerability Database (nvd.nist.gov)

US-CERT Vulnerability Notes Database (www.kb.cert.org/vuls/)

SecurityFocus (www.securityfocus.com/vulnerabilities)

Apply patches and updates in a timely manner.

Vulnerability scanning

Open Web Application Security Project (OWASP) for Web application security

Port Scanning

Mechanics

TCP or UDP packets are sent to ports on a system

Scanning performed on single IP address or IP address range

Open ports can verify:

Indicators of open ports

Noticeable and detectable

Uses

Useful to both hackers and security professionals

Hackers

Security Professionals


When mentioning vulnerability scanning, stress the importance of conducting periodic vulnerability scans. Vulnerability scanning will be discussed in more detail in Unit 4.

Mechanics

TCP or UDP packets are sent to ports on a system

Scanning performed on single IP address or IP address range

Open ports can verify:

Particular services

Presence of a system

Indicators of open ports

TCP: Full TCP three-way handshake established

UDP: Lack of response may indicate open port since closed ports usually generate errors

Noticeable and detectable

Uses

Useful to both hackers and security professionals

Hackers

Determine existence of hosts

Determine existence of services

Security Professionals

Determine the existence of rogue hosts

Determine existence of rogue servers

Part of a vulnerability scan

General Terms

Confidentiality

Integrity

Availability

Trust

Privacy

Authentication

Authorization

Nonrepudiation


Networking Terminology

Network

Firewall

Router

Virtual Private Network

IPSec

Demilitarized Zone (DMZ)

Intrusion Detection System (IDS)

Intrusion Prevention System (IPS)


Risk Terminology

Risk

Threat

Vulnerability


Policy, Awareness, and Training

Policy ~ sets expectations

Awareness ~ promotes security

Training ~ defines roles and responsibilities


Policy

Well-defined

Address business needs and security concerns

Sets expectations

Awareness

Promote security

Keep security at the front of users’ minds

Training

Individuals understand their roles and responsibilities

Individuals understand security policy

Security Countermeasures

Common countermeasures, with their uses, benefits, and limitations:

Firewalls
Uses: Filter traffic; segmentation; hardware or software
Benefits: First defense; keep noise out; perimeter defense
Limitations: Not content oriented; limited to yes or no

Virtual Private Network (VPN)
Uses: Remote access; encrypted tunnel
Benefits: Private tunnel; extends cover
Limitations: Man-in-the-middle; not traffic oriented

Intrusion Detection/Prevention System
Uses: Monitor traffic; may block attacks; host or network
Benefits: Notification; prevention
Limitations: Relies on signatures; false positives


Security Countermeasures (Continued)

(Columns of the original table: Common Countermeasures, Uses, Benefits, Limitations)

Data Loss Prevention. Uses: monitor data loss; block data loss. Benefits: sensitive config; breach notification. Limitations: signature reliant; false positives; circumventable.

Security Incident and Event Management. Uses: aggregate security logs; correlate security logs. Benefits: monitor and review; generate alerts. Limitations: false positives; data heavy; limited to log information.


Security Countermeasures (Continued)

(Columns of the original table: Common Countermeasures, Uses, Benefits, Limitations)

Continuous Control Monitoring. Uses: checks configuration; standards compliance. Benefits: real-time monitoring; automated monitors; self-correction. Limitations: emerging technology; policy dependent.

Vulnerability Assessment. Uses: tests systems. Benefits: proactive remediation; centralized tracking. Limitations: limited to known vulnerabilities; creates noise.


What is Risk?

Risk has several meanings

Danger

Consequences

Likelihood or probability

Definition of risk in formal risk assessment


A measurement based on the relationship between likelihood and impact

Risk Assessment Methodology

Identification

Analysis

Determine risk for each threat-vulnerability pair

Prioritize mitigation efforts


Identification

Identify assets.

Identify threats.

Identify vulnerabilities.

Identify existing security controls.

Analysis

Identify threat-vulnerability pairs by matching threats with vulnerabilities to create exploit scenarios.

Analyze the effectiveness of existing controls.

Determine impact of a successful exploitation.

Determine likelihood of a successful exploitation.

Determine risk for each threat-vulnerability pair using a risk matrix.

Use the results to prioritize mitigation efforts.


Measuring Risk


Risk = Impact x Likelihood

Impact: The consequence of a successful exploitation of a vulnerability

Financial

Reputation

Compliance

Likelihood: How likely is it that an impact will occur?

Risk can be measured

Qualitatively: Low, Moderate, High

Quantitatively: Numerical value

IT risk assessment is usually qualitative because it is difficult to obtain quantitative values

For qualitative vs. quantitative, the instructor may use insurance as an example. Insurance companies use actuarial data to quantitatively determine risk for the purpose of setting rates. For example, if one lives in an area prone to natural disasters, homeowner’s insurance rates will be higher than for one who does not. If one lives in a high-crime area or has a make/model of car that is popular to steal, then auto insurance rates are higher than if one lives in a low-crime area and has a vehicle unattractive to thieves. Insurance companies have access to actuarial data that allows them to put a number to likelihood, and the impact is the financial loss of the property.

IT does not have the same type of actuarial data and it is difficult to put a dollar value on many of the impacts that can be caused by a successful security incident. Impact is often more than just financial loss – it can involve reputation, employee morale, customer satisfaction, or regulatory issues. It may also depend on the industry, the type of data, and where in the world the data is stored, processed, and transmitted. There are other qualitative components, such as what is important to management, that cannot be addressed in a quantitative risk assessment.

Risk Matrix

Rows are Impact, columns are Likelihood:

                 Likelihood
Impact      Low       Medium    High
Low         Low       Low       Medium
Medium      Low       Medium    High
High        Medium    High      Critical
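As an added example (not part of the course slides), the risk assessment methodology carried through in Python against the matrix above: matrix lookup, a simplifying assumption of ours that an effective existing control lowers likelihood by one level, and prioritization of constructed threat-vulnerability pairs drawn from the lesson's domains.

```python
"""Worked qualitative risk assessment using the lesson's risk matrix.

Added example (not from the course materials). It walks the methodology:
identify threat-vulnerability pairs, account for existing controls,
look up Impact x Likelihood in the matrix, and prioritize mitigation.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")

# Rows are Impact, columns are Likelihood, exactly as in the lesson's matrix.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    impact: str                       # consequence of a successful exploitation
    likelihood: str                   # probability before considering existing controls
    control_effective: bool = False   # does an existing control address this pair?


def effective_likelihood(pair: ThreatVulnPair) -> str:
    """Analysis step: an effective existing control is assumed (our simplification,
    not a rule stated in the lesson) to lower likelihood by one level."""
    idx = LEVELS.index(pair.likelihood)
    if pair.control_effective:
        idx = max(idx - 1, 0)
    return LEVELS[idx]


def risk_level(impact: str, likelihood: str) -> str:
    """Look up Risk = Impact x Likelihood in the qualitative matrix."""
    if impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"impact and likelihood must be one of {LEVELS}")
    return RISK_MATRIX[impact][likelihood]


def assess(pairs):
    """Return one assessment record per threat-vulnerability pair."""
    records = []
    for p in pairs:
        lk = effective_likelihood(p)
        records.append({
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "impact": p.impact,
            "likelihood": lk,
            "risk": risk_level(p.impact, lk),
        })
    return records


def prioritize(pairs):
    """Order assessments for mitigation: highest risk first, ties broken by impact."""
    return sorted(
        assess(pairs),
        key=lambda r: (RISK_RANK[r["risk"]], LEVELS.index(r["impact"])),
        reverse=True,
    )


# Constructed sample pairs, drawn from the domains discussed in the lesson.
SAMPLE_PAIRS = [
    ThreatVulnPair("Social engineering (phoned password reset)",
                   "Weak help-desk identity verification procedure", "High", "High"),
    ThreatVulnPair("Malware", "Non-patched workstation operating system",
                   "Medium", "High", control_effective=True),   # managed antimalware in place
    ThreatVulnPair("Eavesdropping on WAN traffic", "Clear-text remote access",
                   "High", "Medium", control_effective=True),   # VPN in place
    ThreatVulnPair("Hardware failure", "Single point of failure (one LAN switch)",
                   "Low", "Low"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_PAIRS):
        print(f"{r['risk']:<9} impact={r['impact']:<7} likelihood={r['likelihood']:<7} "
              f"{r['threat']} / {r['vulnerability']}")
```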


Hacker Motivation


Thrill

Hobby

Challenge

Status

Money

Favorite Hacker Targets

Easy assets – those that pay off quickly

Monetary gain

Control of networks

Unique targets

Challenging


Consider Business Requirements


Availability of the network and its components

Redundancy

High availability

Active/Active

Active/Passive

Hot Standby

Cold Standby

Single point of failure

Denial of service

Sensitivity of the data

Encryption

Access control


Internet Exposure

Remote access

Will a VPN work?

Is direct internet access required?


A system that needs to be accessed remotely adds additional concerns. Accessing a system over a VPN connection ensures that the system keeps much of the security associated with the corporate network. If a system requires a direct connection to the Internet for external users or customers, one may need to consider additional firewalls, the creation of a DMZ, or the addition of SSL encryption.

Wired Networks


Lack of external connectivity provides physical isolation

Can rely on physical controls to protect network

External threats must breach physical barrier

If external connectivity is required

No control is the same as physical isolation, but security must enable the business

Consider segmentation

Rigorous front door screening

Filtering

Multiple firewalls

VPN for remote access

Connection to a wired network is limited to those directly attached to it. Physical isolation of a network requires one to physically access a system connected to the network or otherwise attach to the network. However, the nature of networking is to connect networks to each other. External connectivity requires segmentation and filtering.

Benefits of Wireless Networking

Can be inexpensive to deploy

No need to run wires

Quick connectivity for multiple users

Convenience

Mobility

Ubiquity

All laptops now come equipped with wireless


Wireless Concerns


Introduces new attack surface

Requires additional design considerations to mitigate attacks

MAC filtering

Hidden SSID

Authentication

Data is transmitted over the air and accessible

Use of encryption technology

Consider implementing segmented wireless networks

Require VPN authentication for wireless access

Network can be directly accessed from a distance

Shielding


Mobile Networking

Allows user to be completely mobile

Requires considerations for central management

Potential for device to be lost


Seven Domains of a Typical IT Infrastructure


User Domain

Threats

Vulnerabilities

Risks

Any individual associated with the organization, including users, employees, managers, contractors, or consultants, even if they don’t have logins.


Threats

Social engineering – users are attacked using psychological techniques such as persuasion or impersonation in order to gain access to facilities or computing resources

Phishing – users are tricked into giving away information such as login/passwords via fraudulent e-mail

Trojan horses & Spyware – users are tricked into installing malware on their systems

Vulnerabilities

Weak procedures

Weak physical security

Vulnerabilities in the user domain center around weak procedures and weak physical security.

Examples:

-A social engineer calls up IT pretending to be a user and gets a password reset, thereby gaining access to a user’s account.

-A social engineer impersonates maintenance staff or a repair person and installs keylogging devices on computers.

Risks

Unauthorized access to facilities

Compromised user accounts

Unauthorized access to data

The risk of damage from user-based attacks is high. For example, a successful social engineering attack in which an account is compromised allows the attacker to bypass security controls.

Workstation Domain

Workstations, stand-alone systems, home computers

Threats

Vulnerabilities

Risks


Threats

-Malware (e.g., viruses, worms, Trojans, spyware, etc.) is a significant threat in this domain.

-Port scanning can be used to find unsecured ports on a workstation, which gives the attacker insight into what type of attack may be successful

-Malicious Web sites use attack techniques such as cross-site scripting to gain access to secure Web transactions

Vulnerabilities

Non-patched operating systems/applications

Weak or no passwords

Insecure use of administrative accounts

Insufficient or no malware protection

Often, workstations are not secured as well as servers and home computers are not secured as well as business computers. Common vulnerabilities include:

-Operating systems may not be patched at all, or may be deficient in patches, particularly systems that are not often connected to the network such as laptops.

-Operating systems may be patched, but users and IT staff may forget to patch applications or may choose not to because it is time consuming and perceived as low risk.

-At home or in organizations where password policies are not centrally administered, systems may have weak passwords or even no passwords.

-Unless specifically prohibited by security policy, the average user is likely to be using an account with administrative privileges, which means that any exploit taking place under the user’s account is doing so with elevated privileges.

-Unless enterprise-level, managed antimalware software is used, there is a chance that malware definitions are not up to date, that scans are not conducted frequently, or that certain functionality has been disabled. For systems that are not connected to the network 24x7, definitions may be significantly out of date.

-Workstations may not be protected by firewalls (hardware or software). Home computers may be attached directly to the internet via cable modem.

Risks

Compromised systems can be used to attack others

Data exposure, loss, or change

Loss of availability

The risk depends on the environment. A compromised home computer may not affect the home user at all; however, while that user sleeps his computer may be conducting denial of service attacks on corporate networks. Alternatively, that same home user could have his bank account login credentials compromised and find that all his money has been transferred to a numbered account in the Cayman Islands. A compromised corporate workstation can lead to loss of confidential or proprietary data such as customer financial information, trade secrets, or payroll information. That compromised system may also be used as a stepping stone to other systems within the network.

LAN Domain

Hosts on private LANs

Threats

Vulnerabilities

Risks


Threats

The specific threat depends upon the organization and its assets. Generally speaking, however, threats are electronic, physical (including natural), or human.

-Electronic threats include malware, malicious code, botnets, and software bugs

-Physical threats include hardware failure, natural disasters, and accidental or purposeful damage to equipment

-Human threats include disgruntled employees, poorly trained employees, hackers

Vulnerabilities

Like threats, vulnerabilities are specific to the organization and its resources. For example, different operating systems have different vulnerabilities. Generally, vulnerabilities are caused by weak security procedures, weak security controls, and weak perimeter controls.

Risks

Compromise of one host may result in compromise of the enterprise

Data exposure, loss, or change

Disruption of business

The risk depends on the environment, the organization’s business, the type of assets it has, etc. Basic risks, such as data loss, change, or theft and disruption of business, apply to all organizations. Additionally, it should be stressed that compromise of one host on a network may result in compromise of the enterprise.

LAN-to-WAN Domain

Routers, firewalls, other devices at the LAN/WAN connection point

Threats

Vulnerabilities

Risks


Threats

-Port scanning: Sequential port scans can be conducted from the public Internet side, revealing details of configuration that may allow an attacker to better profile additional services.

-DoS/DDoS: Because it is a gateway, it is a constrained point with limited bandwidth and the act of filtering increases latency per connection. It is easily saturated.

-Directed attack: The WAN connection is exposed to the public Internet and so is directly accessible.

Vulnerabilities

Weak perimeter security

Remote access to routers and gateways

Weak or default firewall passwords

Incorrect configuration

Misconfiguration – firewall rule sets are complex, and if careful planning is not performed in advance, misconfigurations can result.

Risks

If an attacker gains control of the firewall, they can easily disrupt gateway functions and create network instability.

Unfiltered malicious traffic

Loss of availability

Disruption of business

An attacker may gain control of the firewall

Remote Access Domain

Organization resources via remote access through dial-up, wireless, or standard broadband Internet connection

Threats

Vulnerabilities

Risks


Threats

Malware on the remote client

War driving/Netstumbling

Rogue hotspots: If a VPN is not used, remote clients using rogue hotspots risk having their session captured.

Rogue wireless access points and ad hoc wireless within the organization can provide an attack vector into the network.

Vulnerabilities

Unencrypted wireless access points

Local cache of data on remote client

Weak security controls on remote client

Risks

Any service designed to give someone remote access can be exploited remotely

Compromise of a remote system could result in organizational compromise, bypassing network controls

Many remote access systems create encrypted sessions that do not allow direct inspection of packet contents, for example, Remote Desktop Protocol (RDP).

Mobile connectivity happens in the open – broadcast traffic is omnidirectional and can be intercepted anonymously

WAN Domain

WAN infrastructure elements, such as routers, switches, and firewalls

Threats

Vulnerabilities

Risks


Threats

Eavesdropping – Unencrypted traffic can be intercepted.

Availability – The organization does not control the WAN.

Anonymity – Attackers are anonymous when coming in from the WAN because they can spoof their origins or distribute their attacks (e.g., botnets).

Interception/Proxy attacks – Because data moves through a public network, interception along the route of transit allows numerous attacks such as man-in-the-middle.

Vulnerabilities

Dependence on DNS – DNS poisoning or DNS spoofing can compromise traffic intended for hosts and services located in the LAN.

Lack of endpoint validation – It is possible to construct a TCP/IP packet that spoofs its origin, which conceals the true source from efforts to trace the traffic back.

Countries of convenience – Attackers may conduct their activities using systems located in countries with laws conducive to obscuring originating traffic or without law enforcement support.

Risks

A successful attack on the root DNS servers could cripple name resolution Internet-wide.

Clear-text traffic can be intercepted, rerouted or changed

Compromise of WAN infrastructure elements is undetectable by the organization.

WAN routing involves wide geographic areas and may pass traffic through unknown geopolitical areas.

Without knowing where traffic is going, natural disasters, power failures, and other wide-area issues could compromise availability. Laws involving data exposure may differ in other geopolitical areas.

System/Application Domain

Servers, applications, databases, data

Threats

Vulnerabilities

Risks


Targets: Databases are attractive targets because they contain a large amount of information.

Threats

Cross-site scripting (XSS)

Buffer overflows

SQL Injection

DoS/DDoS

Vulnerabilities

Use of default passwords

Weak security controls

Non-patched operating systems/applications

Cached credentials

Insecure coding practices

Risks

Use of unencrypted protocols can allow compromise of data in transit

Lack of code review can introduce instability.

Data exposure, change or loss

DoS attacks against one service can also prevent function of other services on the same host

Summary

Confidentiality, integrity, and availability (C-I-A)

Network security and its value to the enterprise

Roles and responsibilities in network security

Network security countermeasures

TCP/IP protocol analysis

IP networking protocol

Network management tools


Summary (continued)

What you need to protect and from whom

Risk assessment for network infrastructure

Wired and wireless network infrastructure risks, threats, and vulnerabilities

Common network hacking tools, applications, exploits, and attacks

Social engineering practices and their impact on network security efforts


Virtual Labs

Analyzing IP Protocols with Wireshark

Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic

Configuring a pfSense Firewall on the Client


Use the following script to introduce the first lab for this lesson:

“In this lesson, you reviewed the basics of networking protocols, how they work, and how to analyze network traffic using protocol analysis tools. Specifically, you learned about the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which includes many different protocols, from TCP and IP to ARP, DNS, ICMP, SSH, and more.

A protocol analyzer is a tool that captures packets on a network, enabling you to decode and identify the network information they contain. Understanding how to perform protocol analysis, and distinguish proper from improper protocol behavior, are essential skills for security professionals.

In the lab for this lesson, Analyzing IP Protocols with Wireshark, you’ll learn the basics of the Wireshark protocol analyzer. You’ll become familiar with the application interface and various panes, and learn details about how the analyzer works, such as probe placement, clocking/timing issues, the traffic capture process, and the use of filters. Then you’ll capture IP traffic to a file and answer questions about key IP protocols and the basic configuration of the IP hosts from which traffic is captured.”

Use the following script to introduce the second lab for this lesson:

“In the second lab for this lesson, Using Wireshark and NetWitness Investigator to Analyze Wireless Traffic, you will use Wireshark to view and analyze an existing capture file. You will see some of the wireless aspects of networks as well as some of the aspects of network traffic that remain the same regardless of the physical transport, be it wired or wireless. You will also explore NetWitness Investigator, a threat-analysis application, which gives you a different view of captured network data, making deeper analysis much easier.”

Use the following script to introduce the third lab for this lesson:

“In this lesson, you learned to recognize the impact that malicious exploits and attacks have on network security. You explored hacker motivations and methods, tools used by hackers, social engineering practices, and the general risks, threats, and vulnerabilities of wired and wireless network infrastructures.

Firewalls are an instrumental part of protecting network security, and several labs in this course are devoted to firewall configuration and testing.

In the third lab for this lesson, Configuring a pfSense Firewall on the Client, you’ll configure the pfSense Firewall on a client computer. You’ll begin by planning the implementation of the firewall using a spreadsheet to address configuration questions, much like a real-world network administrator would do. Then you will implement your configuration choices.”


OPTIONAL SLIDES


Trust – Computers and Networks

The confidence that other users will act in accordance with your organization’s security rules

The belief that others are trustworthy

Third-party trust systems

Example: Digital certificates that a public certificate authority issues


Common Network Security Components Used to Mitigate Threats

Hosts and nodes

IPv4 versus IPv6

Firewalls

VPNs

Proxy servers

Network address translation


Common Network Security Components Used to Mitigate Threats (Cont.)

Routers, switches, bridges

The Domain Name System (DNS)

Directory services

Intrusion Detection Systems and Intrusion Prevention Systems
