Network Security Fundamentals
Steven Taylor, President, Distributed Networking Associates, Inc.; Publisher/Editor, [email protected]
Larry Hettick, Vice President, Wireline Solutions, Current [email protected]
Thanks to the sponsor: this presentation is made possible in part due to the generous support of Nortel Networks.
Agenda
Overview of the problem
Various vulnerabilities: workstations; LANs and switches; routers and firewalls; wide area networks (WANs)
The big picture

Security Requirements
Security is a process of balancing risks and benefits
Some potential security threats: workstations; LANs and switches; routers and firewalls; wide area networks (WANs); physical security
Make a decision based on a realistic evaluation, not emotion
Network Architecture
[Diagram: wide area network, firewall, router, Ethernet switch and wireless Ethernet access point; the same picture is reused on the slides that follow]
Workstation Security
[Bar chart: Experienced Threats to Information Security, percentage of respondents (0% to 90%) reporting each threat: virus, insider abuse of network, laptop theft, system penetration, unauthorized access, denial of service]
Source: CSI/FBI 2004 Computer Crime and Security Survey Results. http://www.gocsi.com
LAN Security
Traditional (old) Ethernet
Advantage: the shared, "broadcast" medium provides easy access
Disadvantage: the shared, "broadcast" medium is a significant security risk, because every station on the segment receives every frame and can read the traffic of every other station
Switched Ethernet
Switched: multiple paths through the switch; dedicated full-speed media per port
Scalable: multiple speeds to match the application (10 Mbps, 100 Mbps); speed conversion in the switch
Inherently more secure: the switch forwards a unicast frame only to the port of its destination address, so an ordinary station no longer sees other stations' traffic. This protects against passive listening only; the "depends on physical access" caveat below still applies.

Packet sniffing: can packets be sniffed?
Yes, if you have physical access and tap the line. You then decode Ethernet, then IP, then the higher-layer encoding carried in IP, and you can do this in real time. Encryption is the defence (more later).
Is switched Ethernet a security risk? Is it worth the trouble? No worse than traditional telephony; it depends on physical access.
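What "decode Ethernet, plus IP, plus the encoding inside IP" amounts to in practice is shown by the decoder below. It is an added example written for this page, not code from the presentation or from Nortel Networks. Rather than a real capture, the frame it decodes is constructed inline by build_sample_frame(), and the MAC and IP addresses in it are made up; the IPv4 header checksum is computed and verified, the TCP checksum is left zero.

```python
"""Decode a tapped Ethernet frame down to the TCP payload (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, folded, inverted."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Decoded:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    checksum_ok: bool
    src_port: int
    dst_port: int
    payload: bytes


def decode_frame(frame: bytes) -> Decoded:
    """Peel Ethernet II, then IPv4, then TCP; reject anything else."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    if not ip or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        raise ValueError("truncated IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        raise ValueError(f"not TCP (protocol {ip[9]})")
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return Decoded(
        dst_mac=":".join(f"{b:02x}" for b in frame[:6]),
        src_mac=":".join(f"{b:02x}" for b in frame[6:12]),
        src_ip=".".join(str(b) for b in ip[12:16]),
        dst_ip=".".join(str(b) for b in ip[16:20]),
        ttl=ip[8],
        checksum_ok=ipv4_checksum(ip[:ihl]) == 0,   # a valid header sums to zero
        src_port=sport,
        dst_port=dport,
        payload=tcp[data_offset:],
    )


def build_sample_frame(src_ip="192.168.1.10", dst_ip="10.0.0.5", sport=40000, dport=80,
                       payload=b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed stand-in for a captured frame (addresses made up; TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                            PROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                            bytes(map(int, dst_ip.split("."))))
    ip = ip_no_sum[:10] + struct.pack("!H", ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    eth = (bytes.fromhex("0a0a0a0a0a0a") + bytes.fromhex("0b0b0b0b0b0b")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


if __name__ == "__main__":
    frame = build_sample_frame()
    print(decode_frame(frame))              # every field, including the HTTP request, is readable
    damaged = bytearray(frame)
    damaged[14 + 8] = 1                     # TTL rewritten without fixing the checksum
    print(decode_frame(bytes(damaged)).checksum_ok)
```

The point for the slide: once a frame reaches the tap, nothing in Ethernet or IP hides the addresses, ports or the HTTP request; only encryption of the payload (or of the whole packet, as with IPsec later in the deck) changes what the decoder can recover.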
Wireless LAN Security
Wireless Ethernet acts like traditional Ethernet without the wire
The shared, "broadcast" medium provides easy access but is a security risk: anyone within radio range can receive the frames, with no need for physical access to a cable
Multiple security enhancements are available
Security needs to be implemented carefully and fully
Security and IP
IP Address Spoofing
The IP source address is set by the sender, so it can be spoofed: a source address is not proof of who sent a packet, hence the need for authentication
But this problem is mostly solved
Network Address Translation (NAT) hides internal addresses, but protocols that carry addresses inside their payload need additional mechanisms for advanced functions (like Session Initiation Protocol, SIP)
Firewalls
[Diagram: Internet, firewall, corporate network]
Applications to limit and control connectivity within network environments
Provide both external access limitations and internal resource protection
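The two slides above (source addresses can be spoofed; firewalls limit external access and protect internal resources) are illustrated together by the packet filter below. It is an added example written for this page, not code from the presentation or from a Nortel Networks product. The interfaces, prefixes, hosts and rules are invented for the demonstration; the source-address check is interface-based ingress filtering in the style of BCP 38, which the slides do not name, and the filter is stateless, so it does not model connection tracking.

```python
"""Stateless packet filter with source-address validation (added example).

The prefixes, interfaces, hosts and rules below are invented for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
INSIDE = net("10.0.0.0/8")        # corporate network (assumed)
DMZ = net("192.0.2.0/24")         # public servers; documentation prefix used as a stand-in
# Source prefixes that are legitimate on each interface (ingress filtering in the spirit
# of BCP 38). "outside" is open except for addresses that cannot come from the Internet.
EXPECTED = {"inside": [INSIDE], "dmz": [DMZ]}
NEVER_FROM_OUTSIDE = [INSIDE, DMZ, net("127.0.0.0/8"), net("169.254.0.0/16"),
                      net("172.16.0.0/12"), net("192.168.0.0/16"), net("0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    in_iface: str                # arriving interface, or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any port
    note: str = ""


# First match wins; anything not matched is dropped (default deny).
POLICY = [
    Rule("allow", "inside", "10.0.0.0/8", "any", "tcp", 443, "users to the web"),
    Rule("allow", "inside", "10.0.0.0/8", "any", "tcp", 80, "users to the web"),
    Rule("allow", "inside", "10.0.0.0/8", "any", "udp", 53, "DNS"),
    Rule("allow", "outside", "any", "192.0.2.10/32", "tcp", 443, "public web server"),
    Rule("allow", "dmz", "192.0.2.10/32", "10.0.5.20/32", "tcp", 5432, "web server to its DB"),
    Rule("deny", "any", "any", "10.0.0.0/8", "any", None, "nothing else reaches the inside"),
]


def _matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in net(spec)


def source_is_plausible(pkt: Packet) -> bool:
    """Reject packets whose source address could not have arrived on that interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_iface == "outside":
        return not any(src in n for n in NEVER_FROM_OUTSIDE)
    return any(src in n for n in EXPECTED.get(pkt.in_iface, []))


def evaluate(pkt: Packet, policy=POLICY):
    """Return (verdict, reason): anti-spoof check first, then first matching rule, else deny."""
    if not source_is_plausible(pkt):
        return "deny", f"source {pkt.src} is not plausible on {pkt.in_iface} (spoofed?)"
    for r in policy:
        if r.in_iface not in ("any", pkt.in_iface):
            continue
        if r.proto not in ("any", pkt.proto):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst):
            return r.action, r.note
    return "deny", "default deny"


# Constructed sample traffic: (packet, verdict the policy should give)
SAMPLES = [
    (Packet("inside", "10.0.3.4", "203.0.113.7", "tcp", 443), "allow"),    # user browsing out
    (Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 443), "allow"), # visitor to web server
    (Packet("outside", "203.0.113.7", "10.0.5.20", "tcp", 5432), "deny"),  # DB reached directly
    (Packet("outside", "10.0.3.4", "10.0.5.20", "tcp", 5432), "deny"),     # spoofed inside source
    (Packet("dmz", "192.0.2.10", "10.0.5.20", "tcp", 5432), "allow"),      # web tier to DB
    (Packet("dmz", "192.0.2.10", "10.0.5.21", "tcp", 22), "deny"),         # web host pivoting inward
    (Packet("inside", "192.0.2.99", "203.0.113.7", "tcp", 443), "deny"),   # inside host forging DMZ source
]

if __name__ == "__main__":
    for pkt, expected in SAMPLES:
        verdict, reason = evaluate(pkt)
        flag = "ok" if verdict == expected else "UNEXPECTED"
        print(f"{verdict:5} ({flag}): {pkt.in_iface} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {reason}")
```

Two design choices matter here. The source check runs before any rule, so a packet arriving from the Internet with a source inside 10.0.0.0/8 is dropped even though a later "allow" might have matched it, which is the usual answer to the spoofing slide's "need for authentication" at the network edge (it does not authenticate the sender, it only rejects sources that cannot be genuine). And the DMZ web server can reach exactly one internal port; if it is compromised, the final deny keeps it from reaching anything else inside, which is the "internal resource protection" the firewall slide describes.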
WAN Security
Common WAN services: private line, frame relay and ATM; private IP VPNs; Internet backbone VPNs (IPSec, SSL)
Private Line, Frame Relay and ATM Security
Private lines provide dedicated bandwidth per circuit (TDM technology)
Frame relay and ATM PVC/SVC addresses are set by network operations; an SVC user controls the connection, not the address
At some point, you must trust the service provider(s): a common issue for all networks
Encryption is available, but not usually required

Private IP VPNs
IP-based networks that are not based on the public Internet: a "closed user group" for each enterprise
Often based on Multiprotocol Label Switching (MPLS): label-switched paths (LSPs, the equivalent of virtual circuits) are automatically configured based on IP address, in effect "self-configuring" frame relay
Sometimes deployed as "virtual routers"
Security issues similar to ATM and frame relay
[Diagram: Router A, Router B and Router C joined by label-switched paths (LSPs)]
Internet Backbone VPNs
Uses IP as the "UNI" to the network
Any-to-any connectivity
No inherent security
Multiple ISPs connected at "peering points"
[Diagram: ISP #1, ISP #2, ISP #3 and ISP #4 interconnected across the Internet at a peering point]
IPSec VPNs
The Internet is the transport layer; the VPN "tunnels" through it
[Diagram: Network A, Network B and Network C joined by tunnels across the Internet]
What is IPSec?
An encapsulation method that encrypts IP packets between two points and carries them inside another IP message
Authenticates and secures VPNs over public IP services
[Diagram: an IPSec message crossing the Internet with the original IP packet inside it]

What is SSL?
Similar to IPSec, with similar encryption algorithms, but it protects one application session above TCP rather than all IP traffic between two points
Browser based: authenticates between browser and server (the server proves its identity with a certificate; client authentication is optional)
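The encapsulation the IPSec slide describes (the original IP packet encrypted, authenticated and carried inside another IP packet between two gateways) is worked through below. This is an added example written for this page, not code from the presentation, from Nortel Networks or from any IPsec implementation. To stay within the Python standard library it uses stand-ins: the keystream is HMAC-SHA256 in counter mode and the integrity tag is a truncated HMAC-SHA256, so the format is only ESP-like; real ESP negotiates algorithms such as AES-GCM through IKE, which is not modelled, and the outer IPv4 header's checksum is left zero. The gateway and internal addresses are made up.

```python
"""Tunnel-mode encapsulation in the style of IPsec ESP (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50   # IP protocol number of ESP
TAG_LEN = 16     # truncated HMAC-SHA256 as the integrity check value (stand-in)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum field left zero for brevity (assumption)."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, addr(src), addr(dst))


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


@dataclass
class SecurityAssociation:
    spi: int            # security parameter index identifying this SA at the receiver
    enc_key: bytes
    mac_key: bytes
    local: str          # this gateway's public address
    peer: str           # remote gateway's public address
    seq: int = 0        # last sequence number sent
    highest_seen: int = 0   # last sequence number accepted (replay protection)


def encapsulate(sa: SecurityAssociation, inner_packet: bytes) -> bytes:
    """Outer IP header | SPI, seq | encrypted inner packet | integrity tag."""
    sa.seq += 1
    esp_header = struct.pack("!II", sa.spi, sa.seq)
    ks = _keystream(sa.enc_key, sa.spi, sa.seq, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, ks))
    tag = hmac.new(sa.mac_key, esp_header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    esp = esp_header + ciphertext + tag
    return ipv4_header(sa.local, sa.peer, ESP_PROTO, len(esp)) + esp


def decapsulate(sa: SecurityAssociation, outer_packet: bytes) -> bytes:
    """Verify before decrypting; reject wrong SPI, bad tag and replayed sequence numbers."""
    if len(outer_packet) < 20 + 8 + TAG_LEN or outer_packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp = outer_packet[20:]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    body, tag = esp[8:-TAG_LEN], esp[-TAG_LEN:]
    expected = hmac.new(sa.mac_key, esp[:8] + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    if seq <= sa.highest_seen:          # strict ordering; real ESP uses a sliding window
        raise ValueError("replayed packet")
    sa.highest_seen = seq
    ks = _keystream(sa.enc_key, spi, seq, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


if __name__ == "__main__":
    # One SA per direction; both ends hold the same keys and SPI (invented values).
    keys = dict(spi=0x1001, enc_key=b"k" * 32, mac_key=b"m" * 32)
    sa_tx = SecurityAssociation(local="198.51.100.1", peer="203.0.113.1", **keys)
    sa_rx = SecurityAssociation(local="203.0.113.1", peer="198.51.100.1", **keys)
    inner = ipv4_header("10.1.0.5", "10.2.0.9", 6, 5) + b"hello"   # private-to-private packet
    outer = encapsulate(sa_tx, inner)
    print("on the Internet:", outer.hex())   # only gateway addresses and opaque bytes visible
    print("at the far gateway:", decapsulate(sa_rx, outer))
```

What an observer on the Internet backbone sees is the outer header (gateway to gateway, protocol 50) followed by bytes that reveal neither the internal addresses nor the payload, which is the difference between the "no inherent security" of the Internet backbone slide and the IPSec slide. Verification happens before decryption so that a tampered or replayed packet is discarded without the plaintext ever being produced.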
Choosing a WAN Architecture
All methods "work"
All methods can be secure
One size doesn't fit all
Corporate "religion" is a major decision-making factor
The Big Picture
This is your network: wide area network, firewall, router, Ethernet switch, wireless Ethernet access point
Who's guarding the door?
Summary
Overview of the problem
Various vulnerabilities: workstations; LANs and switches; routers and firewalls; wide area networks (WANs)
The big picture

For more information
Webtorials: http://www.webtorials.com
Nortel Networks, sponsor of this presentation: http://www.nortelnetworks.com

Thank you!