Protecting Your Network Chapter 17
Protecting Your Network Chapter 17. Objectives Discuss the common security threats in network computing Describe the methods for securing user accounts.

Jan 13, 2016

Duane Terry
Transcript
Protecting Your Network

Chapter 17

Objectives

• Discuss the common security threats in network computing
• Describe the methods for securing user accounts
• Explain how firewalls, NAT, port filtering, and packet filtering protect a network from threats

Overview

Introduction to Protecting Your Network

• What are the threats to networks?
  – Hackers, etc.
  – Authorized users with good intentions
  – Natural disasters
  – A network threat is anything that can potentially damage network data, machines, or users
• Explore tools and methods for protection

Three Parts to Chapter 17

• Common Threats
• Securing User Accounts
• Firewalls

Common Threats

• Summary of Common Threats
  – System crashes/other hardware failures
  – Administrative access-control weaknesses
  – Malware, such as viruses and worms
  – Social engineering
  – Denial of Service attacks
  – Physical intrusion
  – Rogue access points

• System crash/hardware failure
  – Types of failures
    • Hard drives crash
    • Servers lock up
    • Power fails
  – Redundancy in areas prone to failure
    • Power backup system
    • Data backups
    • Hardware redundancy for fault tolerance

• Administrative access control
  – Access control list
  – Powerful administrative tools
  – Need to keep tools secure
  – “Super Accounts”
    • Windows Administrator account
    • Linux and Macintosh OS X root account

• Malware
  – Code designed to do something bad
  – Virus
    • Has two jobs
      – Replicate
        » Makes copies of itself to disks
      – Activate
        » Does something bad

• Malware
  – Worm
    • Identical in function to a virus
    • Replicates exclusively through networks
    • Sends out copies of itself

• Malware
  – Macro
    • Any virus exploiting application macros to replicate and activate
    • Exists in any application that has built-in macro language
      – Microsoft Excel
      – Microsoft Word
      – And more…

• Malware
  – Trojan
    • Looks like something harmless
    • Remote administration tool (RAT)
      – Turns infected computer into a server controlled by a remote user
      – Captures keystrokes, passwords, files, credit card information, etc.
      – Does not replicate

• Malware
  – Rootkit
    • A Trojan that hides from all but the most aggressive anti-malware tools
    • Example
      – Sony’s antipiracy scheme on music CDs
      – Installed on computers as a rootkit
      – Creates backdoor for hackers

• Malware
  – Adware
    • Monitors types of Web sites you frequent
    • Uses information to generate targeted advertisements
    • Often uses pop-up windows for ads
    • Not overtly evil
    • Often uses deceptive practices
    • Considered malware by most

• Malware
  – Spyware
    • Sends information about your system or actions over the Internet
    • May send keystrokes
    • May send all contacts in your address book

• Dealing with Malware
  – Anti-malware programs
    • Should run on every computer
    • Should also be on a network appliance
    • Update regularly
  – Training
    • All users trained to look for suspicious code
    • All users trained to not run suspicious code
  – Procedures describe what to do if users encounter malware

• Social Engineering
  – Manipulating people to gain access to a network
  – Many ways to use people to gain unauthorized information
  – Telephone scam
  – Physical entry
  – Phishing

• Denial of Service (DoS)
  – Attack that brings down a network
  – Floods network with requests
  – Smurf attack
    • A DoS attack that sends broadcast PINGs
    • Source IP changed to another system’s address
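The Smurf pattern on this slide (broadcast PINGs whose source IP is another system's address) can be spotted in traffic records. The following detection sketch is an added example, not part of the original slides; the subnet, the record layout, the threshold and the function names are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed subnet
ECHO_REQUEST = 8                                    # ICMP type of a ping request
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed capture records: (source IP, destination IP, ICMP type).
SAMPLE = [
    ("192.168.1.20", "192.168.1.1", 8),      # ordinary ping to the gateway
    ("192.168.1.5", "192.168.1.255", 8),     # one-off broadcast ping
    ("192.168.1.77", "192.168.1.255", 8),    # repeated broadcast pings that
    ("192.168.1.77", "192.168.1.255", 8),    # all claim to come from .77
    ("192.168.1.77", "255.255.255.255", 8),
    ("192.168.1.30", "192.168.1.77", 0),     # echo reply (type 0), not a request
]

def is_broadcast(dst, net):
    """True if dst is the subnet's broadcast address or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == net.broadcast_address or addr == LIMITED_BROADCAST

def smurf_suspects(records, net=LOCAL_NET, threshold=3):
    """Return {claimed source: count} for broadcast echo requests.

    Every host that answers a broadcast ping replies to the claimed source,
    so a source named in many such requests is the likely victim.
    """
    hits = Counter(
        src for src, dst, icmp_type in records
        if icmp_type == ECHO_REQUEST and is_broadcast(dst, net)
    )
    return {src: n for src, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(smurf_suspects(SAMPLE))
```
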

• Distributed Denial of Service (DDoS)
  – More menacing than a simple DoS
  – Uses multiple computers under the control of a single operator
  – DDoS operators use malware to control computers used in the attack
    • Zombie – one controlled computer
    • Botnet – a group of controlled computers

• Prevention
  – Your computer cannot be controlled until someone installs malware on it
  – Anti-malware, training, and procedures will prevent your computer from becoming a zombie

• Physical Intrusion
  – Protect servers from physical intrusion
    • Lock up servers and switches
      – Server rooms with key-card locks
      – Log of people entering server rooms
      – Server locked in closet at small site
    • Never walk away from a server without logging off
    • Add a password-protected screensaver

Figure 17.1 Applying a password-protected screensaver

• Protecting clients from physical intrusion
  – Use screensaver passwords
  – Use paper shredders
  – Mind work area
    • Do not leave passwords on or near desk
    • If you must write down passwords, keep in locked drawers

• Rogue Access Points
  – Unauthorized WAPs
  – Huge problem today
  – Cheap, easy way to plug into a network
  – Employees install them for convenience
  – Rarely installed by bad guys
  – Bad guys detect unsecured WAPs
  – Sniffer will find WAPs with SSID broadcasting turned off

Securing User Accounts

• Overview of Securing User Accounts
  – Internal threats
    • Unauthorized access
    • Data destruction
    • Other administrative problems

• Passwords
  – Ultimate key to protecting the network
  – Protect your passwords
  – Make users choose good passwords
  – Make users change passwords at regular intervals
  – Do not write passwords on anything!

Figure 17.2 Windows Server option for requiring a user to change a password

• Alternatives to Entering Password
  – Smart devices
    • Credit cards
    • USB keys, other small devices
  – Biometric devices
    • Fingerprint scanner
    • Retina scanner
    • Voice scanner

• Authentication Factor
  – Something used to authenticate
    • Ownership factor: something the user has
    • Knowledge factor: something the user knows
    • Inherent factor: a part of the user
  – Two-factor authentication combines factors

• Controlling User Accounts
  – Contains user name and password
  – Access to accounts restricted
  – Least privilege approach = permission to access only the resources a user needs
  – Tight control is critical
  – Disable unused accounts

• Controlling User Accounts with Groups
  – Minimizes administrator’s burden
  – Add user to one or more groups
  – Assign permissions to groups
  – Effective permissions
  – Be careful of default groups
    • Everyone
    • Guest
    • Users

Figure 17.3 Giving a group permissions for a folder in Windows

Figure 17.4 Adding a user to a newly created group

• Diligence in Managing User Accounts
  – Administrator often part of human resources
  – Create, disable, enable, and delete user accounts based on employee status
  – Keep up with employee changes

• Inheritance
  – One set of permissions for a user explicitly assigned to a folder
  – Second set of explicit permissions to a subfolder
  – Inheritance determines user’s actual permissions to subfolder and contents

Firewalls

• Introduction to Firewalls
  – Firewalls protect a private network from external threats
  – They use a variety of methods
  – Not necessarily a dedicated device
  – Placement of firewalls
    • Network-based at the edge of a network
      – a.k.a. a hardware firewall
    • Host-based in user’s computers

• Firewall Technologies
  – Hiding IPs
    • Network Address Translation (NAT)
    • Built into most routers
  – Port Filtering (a.k.a. port blocking)
    • Restricts packets based on port numbers
  – Packet Filtering (a.k.a. IP filtering)
    • Blocks packets based on IP address

Figure 17.5 The netstat -n command showing HTTP connections

Figure 17.6 Web-based port filtering interface

Figure 17.7 YaST configuration program

Figure 17.8 Blocking IP addresses

• Firewall Technologies
  – Stateless filtering
    • Only checks for IP address and port number
  – Stateful filtering
    • Examines packets as a stream
    • Detects when a stream is disrupted or packets corrupted
    • Layer 7 application proxies
      – Best stateful filters
      – Slower and more expensive than stateless filters
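The difference between the two filter types shows up when both are given the same traffic. The following is an added example, not part of the original slides: a toy stateless filter and a toy stateful filter share one port-filtering policy, and the addresses, the policy, the class and the function names are all assumptions made for illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."      # constructed private network
ALLOWED_REMOTE_PORTS = {80, 443}  # constructed port-filter policy: web only

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST

def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def stateless_allow(pkt):
    """Judge each packet alone, on IP address and port number only."""
    if is_inside(pkt.src):
        return pkt.dport in ALLOWED_REMOTE_PORTS
    # Inbound: anything that looks like a reply from a web port gets through.
    return is_inside(pkt.dst) and pkt.sport in ALLOWED_REMOTE_PORTS

class StatefulFilter:
    """Same port policy, plus a table of streams opened from the inside."""
    def __init__(self):
        self.streams = set()  # (inside ip, inside port, remote ip, remote port)

    def allow(self, pkt):
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.dport not in ALLOWED_REMOTE_PORTS:
                return False
            if pkt.flags == "S":
                self.streams.add(key)        # new outbound stream
            elif key not in self.streams:
                return False                 # mid-stream packet with no stream
            if "R" in pkt.flags:
                self.streams.discard(key)    # simplified teardown on reset
            return True
        # Inbound packets pass only as part of a stream an inside host opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.streams

# Constructed traffic for the demonstration.
SAMPLE = [
    Packet("192.168.1.10", 50000, "203.0.113.5", 443, "S"),   # client opens HTTPS
    Packet("203.0.113.5", 443, "192.168.1.10", 50000, "SA"),  # server's reply
    Packet("198.51.100.9", 443, "192.168.1.10", 50001, "A"),  # unsolicited, sport 443
    Packet("192.168.1.10", 50002, "203.0.113.5", 23, "S"),    # outbound Telnet
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, verdicts)
```

The third packet is the one that separates the two: its address and port numbers pass the stateless check, but it belongs to no stream an inside host opened, so the stateful filter drops it.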

• Firewall Technologies
  – MAC filtering
    • Similar to packet filtering
    • Filters based on MAC address of client
    • Can be defeated through MAC spoofing

• Personal Firewalls
  – CompTIA calls these host-based firewalls
  – Not necessary on dial-up connections
  – Necessary on other Internet connections
    • Turn off Windows File and Print Sharing
    • Enable a personal firewall
  – Use in addition to hardware firewall
  – Windows Firewall, Zone Alarm Pro, etc.
  – Windows ICS is only a NAT router

Figure 17.9 ZoneAlarm Pro

• Windows Firewall
  – Works with or without ICS
  – Included with Windows
  – Default blocks all incoming IP packets that attempt to initiate a session
  – If needed, manually open ports
  – OK for single machine or small network
  – Honey Pot creates a fake attackable network that records attempts to hack

Figure 17.10 Enabling Windows Firewall

Figure 17.11 Opening TCP/IP ports in Windows Firewall

• Network Zones
  – Each zone has a level of access to network
  – Firewall sits between gateway router and private network
  – Demilitarized zone (DMZ)
    • Lightly protected network between private network and Internet
    • Created by two routers
  – Intranet – firewall-protected private network

Figure 17.12 A DMZ configuration

• Securing Remote Access
  – More employees access network from home
  – Cost-effective for workers and employers
  – Network security challenge
  – Balance security with ease of access