Protecting Your Network Chapter 17
Jan 13, 2016
Objectives
• Discuss the common security threats in network computing
• Describe the methods for securing user accounts
• Explain how firewalls, NAT, port filtering, and packet filtering protect a network from threats
Overview
Introduction to Protecting Your Network
• What are the threats to networks?
  – Hackers, etc.
  – Authorized users with good intentions
  – Natural disasters
  – A network threat is anything that can potentially damage network data, machines, or users
• Explore tools and methods for protection
Three Parts to Chapter 17
• Common Threats
• Securing User Accounts
• Firewalls
Common Threats
• Summary of Common Threats
  – System crashes/other hardware failures
  – Administrative access-control weaknesses
  – Malware, such as viruses and worms
  – Social engineering
  – Denial of Service attacks
  – Physical intrusion
  – Rogue access points
• System crash/hardware failure
  – Types of failures
    • Hard drives crash
    • Servers lock up
    • Power fails
  – Redundancy in areas prone to failure
    • Power backup system
    • Data backups
    • Hardware redundancy for fault tolerance
• Administrative access control
  – Access control list
  – Powerful administrative tools
  – Need to keep tools secure
  – “Super Accounts”
    • Windows Administrator account
    • Linux and Macintosh OS X root account
• Malware
  – Code designed to do something bad
  – Virus
    • Has two jobs
      – Replicate
        » Makes copies of itself to disks
      – Activate
        » Does something bad
• Malware
  – Worm
    • Identical in function to a virus
    • Replicates exclusively through networks
    • Sends out copies of itself
• Malware
  – Macro
    • Any virus exploiting application macros to replicate and activate
    • Exists in any application that has built-in macro language
      – Microsoft Excel
      – Microsoft Word
      – And more…
• Malware
  – Trojan
    • Looks like something harmless
    • Remote administration tool (RAT)
      – Turns infected computer into a server controlled by a remote user
      – Captures keystrokes, passwords, files, credit card information, etc.
      – Does not replicate
• Malware
  – Rootkit
    • A Trojan that hides from all but the most aggressive anti-malware tools
    • Example
      – Sony’s antipiracy scheme on music CDs
      – Installed on computers as a rootkit
      – Creates backdoor for hackers
• Malware
  – Adware
    • Monitors types of Web sites you frequent
    • Uses information to generate targeted advertisements
    • Often uses pop-up windows for ads
    • Not overtly evil
    • Often uses deceptive practices
    • Considered malware by most
• Malware
  – Spyware
    • Sends information about your system or actions over the Internet
    • May send keystrokes
    • May send all contacts in your address book
• Dealing with Malware
  – Anti-malware programs
    • Should run on every computer
    • Should also be on a network appliance
    • Update regularly
  – Training
    • All users trained to look for suspicious code
    • All users trained to not run suspicious code
  – Procedures describe what to do if users encounter malware
• Social Engineering
  – Manipulating people to gain access to a network
  – Many ways to use people to gain unauthorized information
  – Telephone scam
  – Physical entry
  – Phishing
• Denial of Service (DoS)
  – Attack that brings down a network
  – Floods network with requests
  – Smurf attack
    • A DoS attack that sends broadcast PINGs
    • Source IP changed to another system’s address
• Distributed Denial of Service (DDoS)
  – More menacing than a simple DoS
  – Uses multiple computers under the control of a single operator
  – DDoS operators use malware to control computers used in the attack
    • Zombie – one controlled computer
    • Botnet – a group of controlled computers
• Prevention
  – Your computer cannot be controlled until someone installs malware on it
  – Anti-malware, training, and procedures will prevent your computer from becoming a zombie
• Physical Intrusion
  – Protect servers from physical intrusion
    • Lock up servers and switches
      – Server rooms with key-card locks
      – Log of people entering server rooms
      – Server locked in closet at small site
    • Never walk away from a server without logging off
    • Add a password-protected screensaver
Figure 17.1 Applying a password-protected screensaver
• Protecting clients from physical intrusion
  – Use screensaver passwords
  – Use paper shredders
  – Mind work area
    • Do not leave passwords on or near desk
    • If you must write down passwords, keep in locked drawers
• Rogue Access Points
  – Unauthorized WAPs
  – Huge problem today
  – Cheap, easy way to plug into a network
  – Employees install them for convenience
  – Rarely installed by bad guys
  – Bad guys detect unsecured WAPs
  – Sniffer will find WAPs with SSID broadcasting turned off
Securing User Accounts
• Overview of Securing User Accounts
  – Internal threats
    • Unauthorized access
    • Data destruction
    • Other administrative problems
• Passwords
  – Ultimate key to protecting the network
  – Protect your passwords
  – Make users choose good passwords
  – Make users change passwords at regular intervals
  – Do not write passwords on anything!
Figure 17.2 Windows Server option for requiring a user to change a password
• Alternatives to Entering Password
  – Smart devices
    • Credit cards
    • USB keys, other small devices
  – Biometric devices
    • Fingerprint scanner
    • Retina scanner
    • Voice scanner
• Authentication Factor
  – Something used to authenticate
    • Ownership factor: something the user has
    • Knowledge factor: something the user knows
    • Inherent factor: a part of the user
  – Two-factor authentication combines factors
• Controlling User Accounts
  – Contains user name and password
  – Access to accounts restricted
  – Least privilege approach = permission to access only the resources a user needs
  – Tight control is critical
  – Disable unused accounts
• Controlling User Accounts with Groups
  – Minimizes administrator’s burden
  – Add user to one or more groups
  – Assign permissions to groups
  – Effective permissions
  – Be careful of default groups
    • Everyone
    • Guest
    • Users
Figure 17.3 Giving a group permissions for a folder in Windows
Figure 17.4 Adding a user to a newly created group
• Diligence in Managing User Accounts
  – Administrator often part of human resources
  – Create, disable, enable, and delete user accounts based on employee status
  – Keep up with employee changes
• Inheritance
  – One set of permissions for a user explicitly assigned to a folder
  – Second set of explicit permissions to a subfolder
  – Inheritance determines user’s actual permissions to subfolder and contents
Firewalls
• Introduction to Firewalls
  – Firewalls protect a private network from external threats
  – They use a variety of methods
  – Not necessarily a dedicated device
  – Placement of firewalls
    • Network-based at the edge of a network
      – a.k.a. a hardware firewall
    • Host-based in user’s computers
• Firewall Technologies
  – Hiding IPs
    • Network Address Translation (NAT)
    • Built into most routers
  – Port Filtering (a.k.a. port blocking)
    • Restricts packets based on port numbers
  – Packet Filtering (a.k.a. IP filtering)
    • Blocks packets based on IP address
Figure 17.5 The netstat -n command showing HTTP connections
Figure 17.6 Web-based port filtering interface
Figure 17.7 YaST configuration program
Figure 17.8 Blocking IP addresses
• Firewall Technologies
  – Stateless filtering
    • Only checks for IP address and port number
  – Stateful filtering
    • Examines packets as a stream
    • Detects when a stream is disrupted or packets corrupted
    • Layer 7 application proxies
      – Best stateful filters
      – Slower and more expensive than stateless filters
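The stateless versus stateful distinction above, shown as an added Python example that is not part of the original slides: the stateless check judges each packet only by IP address and port number, while the stateful filter also requires an inbound packet to belong to a stream opened from the private network. The packet model, addresses, rule sets and simplified teardown are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model; direction "out" = private network -> Internet.
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port flags")

BLOCKED_IPS = {"203.0.113.66"}   # packet (IP) filtering list, constructed value
REPLY_PORTS = {80, 443}          # port filtering: inbound allowed from these ports

def stateless_allow(pkt):
    """Judge each packet alone, looking only at IP address and port number."""
    if pkt.direction == "out":
        return pkt.dst_ip not in BLOCKED_IPS
    return pkt.src_ip not in BLOCKED_IPS and pkt.src_port in REPLY_PORTS

class StatefulFilter:
    """Same rules, plus a table of streams that were opened from the inside."""
    def __init__(self):
        self.streams = set()

    def allow(self, pkt):
        if not stateless_allow(pkt):
            return False
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == "SYN":
                self.streams.add(key)        # inside host starts a session
        else:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.streams:
            return False                     # belongs to no known stream
        if pkt.flags in ("FIN", "RST"):
            self.streams.discard(key)        # simplified teardown (assumption)
        return True

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

PC, WEB = "192.168.1.10", "198.51.100.7"
SAMPLE = [  # constructed traffic
    Packet("out", PC, 50000, WEB, 80, "SYN"),             # PC opens a web session
    Packet("in", WEB, 80, PC, 50000, "SYN-ACK"),          # server reply
    Packet("in", "198.51.100.99", 80, PC, 50001, "ACK"),  # unsolicited, no session
    Packet("in", "203.0.113.66", 80, PC, 50000, "ACK"),   # blocked IP address
    Packet("out", PC, 50000, WEB, 80, "FIN"),             # PC closes the session
    Packet("in", WEB, 80, PC, 50000, "ACK"),              # arrives after close
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdict)
```

The third and sixth packets pass the stateless rules because their address and port look acceptable, but the stateful filter drops them because no open stream matches.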
• Firewall Technologies
  – MAC filtering
    • Similar to packet filtering
    • Filters based on MAC address of client
    • Can be defeated through MAC spoofing
• Personal Firewalls
  – CompTIA calls these host-based firewalls
  – Not necessary on dial-up connections
  – Necessary on other Internet connections
    • Turn off Windows File and Print Sharing
    • Enable a personal firewall
  – Use in addition to hardware firewall
  – Windows Firewall, ZoneAlarm Pro, etc.
  – Windows ICS is only a NAT router
Figure 17.9 ZoneAlarm Pro
• Windows Firewall
  – Works with or without ICS
  – Included with Windows
  – Default blocks all incoming IP packets that attempt to initiate a session
  – If needed, manually open ports
  – OK for single machine or small network
  – Honey Pot creates a fake attackable network that records attempts to hack
Figure 17.10 Enabling Windows Firewall
Figure 17.11 Opening TCP/IP ports in Windows Firewall
• Network Zones
  – Each zone has a level of access to network
  – Firewall sits between gateway router and private network
  – Demilitarized zone (DMZ)
    • Lightly protected network between private network and Internet
    • Created by two routers
  – Intranet – firewall-protected private network
Figure 17.12 A DMZ configuration
• Securing Remote Access
  – More employees access network from home
  – Cost-effective for workers and employers
  – Network security challenge
  – Balance security with ease of access