CSS 211 - Introduction to Network Security

Lesson 5 - Network Security Fundamentals, Administering a Secure Network

Objectives:

This lesson covers chapters 7 and 8 in the text. It discusses network security devices and procedures. Objectives important to this lesson:

  1. Using standard network devices to enhance security
  2. Network security devices
  3. Using network technologies to enhance security
  4. Secure network design
  5. Common network protocols
  6. Network administration principles
  7. Securing network applications
Concepts:

Chapter 7 really begins on page 272, with a discussion about the OSI network model, which is used to place several network devices in context  based on their roles in the network.

  • Hubs (and cables) belong on the Physical layer (layer 1) because they do not use any address information. This lack of selectivity does not provide any selectivity when passing along frames and packets.
  • Switches belong on the Data-Link layer (layer 2) because they use MAC addresses to determine whether they send a message to one device (as a unicast) or to multiple devices (as a broadcast). Switches will send all messages to all ports initially, but they build address tables based on the source address field in each message they process, associating MAC addresses with the port on which the message was received. The address tables are used to send unicast transmissions whenever possible. This selectivity adds to security by reducing the number of broadcasts, and by sending data/messages only to devices that need them.

    The text tells us that switches can be used to to monitor network traffic for all devices if they support port mirroring, copying all traffic through the port to a selected port that an administrator is monitoring. In a way, this makes the switch act like a hub, but only with respect to the traffic sent to that one port. We are also told that port mirroring is best used in low traffic network. For a high traffic network, the text recommends a network test access point (network tap) which is an appliance that does the same job.
  • Routers belong on the Network layer (layer 3) because they use software addresses (typically IP addresses) to find routes to networks. The text remarks that a router can be configured to filter out packets based on specific criteria, which means that a router may act as a firewall.
  • Load balancers are devices that send traffic to servers or other devices on a rotating basis to evenly distribute some kind of work. A load balancer may be a dedicated network appliance, or it may be software running on a server. The text makes a distinction between layer 4 load balancers and layer 7 load balancers. The difference has to do with which layer the protocol used by the traffic being balanced belongs to.
    • Layers 3 and 4: IP, TCP, UDP
    • Layer 7: HTTP, IMAP POP3, SMTP, DNS
  • Proxies are devices that act for or as another device. The text mentions a proxy server that is used to share an IP address among several devices on its network, so that only the IP address of the proxy server is ever seen by hosts on the Internet. The text lists four benefits of having a proxy server that passes requests to the Internet. Increased speed and reduced cost are not relevant if your users need to access web sites that change regularly: caching on the proxy server is not useful if you need the most current version of a page. Improved management and stronger security are more likely to be real benefits. Blocking access to unacceptable web sites is commonly managed through a proxy server (using a product like SurfControl, now known as Websense). Security is increased by making only the proxy server visible to the Internet, hiding the addresses of your other devices.

The text moves on to discuss specific network security devices (hardware).

  • Network firewalls are compared to host-based firewall software. Their purposes are similar, but a hardware firewall must handle much more traffic. Since they are meant to protect a large number of devices, a network firewall is typically placed at a traffic choke point, like the one in the diagram on page 280. That firewall is between the main switch for a network and the router that provides access to the Internet. It should be monitoring traffic flowing into and out of our network.
    The text reminds us that firewalls may be stateless or stateful. The difference is that stateful firewalls will not allow traffic between devices unless a proper communication session has been established between them. This prevents attacks that begin with an uninvited transmission.
    The text reviews common actions that a firewall may take based on the rules set by an administrator. Simple firewalls may have fewer options:
    • allow - allow the traffic to continue
    • drop - deny the traffic, and send no response to the sender
    • reject - deny the traffic, but send a response that the destination cannot be reached
    • ask - alert an administrator, asking what to do

    Most firewalls will follow rules based on the properties of received packets like the ones in the list on page 281, such are where the traffic is from, where it is going, and what protocol is being used.

    Firewalls may also be application aware, which means they can make decisions about packets based on the application they are trying to access on the receiving device.
  • Spam filters are typically employed as part of an email system, but they may be standalone devices or services purchased from a vendor. The illustrations on page 283 show two possible locations for deploying a spam filter. Unfortunately, the pictures are a little misleading.

    Basic facts first: outgoing email is typically sent across the Internet using Simple Mail Transfer Protocol (SMTP, port 25). This is what your post office uses to send email to another post office. This does require an SMTP server on each of the networks involved. The receiving SMTP server delivers your email to your mailbox, which you can think of as a set of records in a database. Your email client may pull the mail from the mailbox with Post Office Protocol 3 (POP3, port 110), or just read it with Internet Message Access Protocol (IMAP, port 143). There is no specific POP3 or IMAP server involved with those requests to your mailbox, only a service that your client's request activates in the post office.

    So, with that understood, we could install a spam filter to manage all mail before it hits the post office (incoming SMTP traffic), or as a filter for all POP3 or IMAP requests to the post office. The text recommends filtering before the traffic is stored in the post office/mailboxes.
  • Virtual Private Network (VPN) Concentrators take a little explanation. A VPN is a secure communication channel that is often used by people who need to connect to their usual network when they are traveling, working from home, or are otherwise away from their usual work location. A VPN may pass traffic across the Internet, but it can be considered as secure because all traffic passed from one end of the channel to the other is encrypted. Using a VPN provides a level of security that an unsecured data channel cannot provide. Each end of a VPN channel is called an endpoint.
    A VPN Concentrator is typically a hardware device that provides many VPN connections to a network. You might think of it as a server or a switchboard that supports many instances of a particular kind of network connection.
  • Internet Content Filters are often used with proxy servers, as described above. Their purpose is to prevent access to websites and files that are forbidden by company policy. The text mentions that they can work by matching against a list of URLs (URL filtering) or by examining a site or file for restricted or forbidden content (content inspection).
  • Web Security Gateways - similar to a Content Filter, but thesee are reactive in real time to applications like file sharing, script exploits, and malicious code attacks

The next few pages are about intrusion detection and prevention. Let's look at a few definitions:

  • intrusion - someone tries to access or disrupt a system
  • intrusion detection - if a product only does detection, it will notice an attempted or actual intrusion, and will probably tell someone; a detection system does not take action against the intrusion
  • intrusion reaction - if a product reacts to intrusions, it attempts to stop them, contain them, or minimize their effects
  • intrusion prevention - if a product acts to prevent intrusion, it probably does detection as well; I am sometimes notified by my security suite that an attempted intrusion has been detected and stopped, which is what you want such a system to do

When you are researching products in this category, you should be careful to note what the product actually does. If it is marketed as an intrusion detection system (IDS), don't expect it to prevent or stop intrusions. An intrusion detection and prevention system (IDPS) would be preferable to a system that only performed one of those functions.

An IDS, an IPS, or an IDPS may be installed on a computer or a network appliance and allowed to sniff all the packets that pass by. This sort of network-based system may need to be duplicated in various parts of your network, since it has to watch every packet that goes by, and it will not see any packets that are not passed to the network segment it lives on. This type of device or system would use the word network as a qualifier and a prefix (NIDS, NIPS, NIDPS).

The second major option a host-based IDPS. This kind of system can detect changes on the host where it is installed that do not depend on network traffic. On the other hand, it needs to be installed on every host you intend to protect. In a home network, this is not a large burden, but in a commercial setting it can be a lot of work. A convincing argument may be that the antivirus program provided as part of your home contract with a cable provider probably includes this feature. If you are installing Norton 360, for example, you are already installing a system to watch for intrusions as well as to watch for viruses. The variations of this type would use the word host as a qualifier and a prefix (HIDS, HIPS, HIDPS).

The text discusses two network technologies that can provide some security. We have already discussed Network Address Translation as it is used on a proxy server that presents a registered IP address to the Internet, hiding the private addresses that are actually used on your network. The other technology is Network Access Control (NAC) which I have never seen in use. The idea is that when a device is connected to a network, the NAC service should scan the new device for flaws, state of software updates, virus protection currency, and more before it is allowed to join the network. If it fails the test, the device is only allowed to access a quarantined part of the network.

The chapter discusses four more concepts that it calls Network Design Elements.

  • Demilitarized Zone (DMZ) - This is a part of your network that is typically made available to the general public. It may contain a web server, an email server, and some public facing material. It will not be connected to the parts of your network that contain sensitive or secret material. Some people misunderstand, thinking that the DMZ is an unprotected part of the network. This not true: you should use the same protective measures that you use on the rest of your network.
  • Subnetting - Subnets are often created to restrict access to particular resources, to organize a network by job function or by geography, or to create more broadcast domains with fewer users on each one.
  • Virtual LANs (VLANs) - A VLAN is used to place devices or users on the same LAN, even though they may be in separate locations, such as in different buildings, cities, or countries. The network is configured so that particular ports on several switches are assigned addresses that place them on a single logical LAN.
  • Remote Access - This label refers to any technology that lets someone attach to a network they are not physically near. This may mean using a VPN connection, a Remote Access Server connection, or another technology that supports traveling, telecommuting, or distant workers.

Chapter 8 begins with a review of the word protocol, which means either a set of rules for communication over a network, or a program that is run to use that set of rules. The author tells us that TCP/IP is the name of a suite of protocols that is named for the two most important ones in the suite: TCP and IP.

To add to the confusion, the author reminds is that there is also a network model called the TCP/IP model. Before entering a discussion of protocols, the text presents the OSI network model and an older version of the TCP/IP network model. The author is apparently unaware that the TCP/IP model has been revised to have five layers now, not four. It now includes a Physical layer at the bottom, like the OSI model. This is a more recent version, shown with the Department of Defense (DoD) model as well.

DoD, TCP/IP, and OSI Models
Functional Description DoD Layers TCP/IP Layers OSI Layers
Upper Layer Processes Process/Application Application Application
Presentation
Session
Reliable Connections Host-to-host Transport Transport
Internetwork Connections Internet Internet Network
Hardware/Network
Connections
Network Access Network Interface Data-Link
Physical Physical

Having confused us with models, the text continues with a discussion of several protocols.

  • Internet Control Message Protocol (ICMP) - ICMP is a simple protocol that can be used for good and bad purposes. It is meant to communicate information and error messages between devices on a network. The text explains that it has four fields. Various combinations of values in fields 1 and 2 (Type and Code) stand for specific messages about transmission failures, several of which are listed on page 315.
    The text lists four attacks that are associated with ICMP.
    • Network discovery - the attacker sends packets that request information about a network. Not an attack as much as information gathering for an attacker.
    • Smurf attack - the attacker sends ping requests (ICMP echo requests) to as many devices as possible, coding the requests so that the replies will all hit and flood a target machine, typically a server
    • ICMP redirect - the attacker sends a request to a device, asking it to send all traffic to a device of the attacker's choice
    • Ping of death - the attacker sends an ICMP packet that is larger than the largest size allowed for packets on a given network; the target device might crash, or might just be knocked off the network; this kind of attack should not work any longer
  • Simple Network Management Protocol (SNMP) - messages are sent to devices to ask for status information or to configure settings on them; devices need to run service agent software to respond to the SNMP packets; versions 1 and 2 used public and private as the passwords for read and read-write commands, so they are no longer used; version 3 can use encrypted user names and passwords
  • Domain Name System (DNS) - sometimes called Domain Name Service, or Domain Name Space, which make more sense to some of us; a hierarchy of servers are responsible for maintaining a distributed list of all domains registered with IANA; the text mentions a few attacks associated with DNS:
    • DNS poisoning - changing the entries in a hosts table or in a DNS server to point to a desired site or device; less likely to be exploited if we use DNSSEC, a secure version of DNS
    • DNS transfer - the attacker asks a DNS server for a copy of its database, which provides the attacker with information about the addresses, devices, and software used in the server's network
  • File Transfer Protocol (FTP) - FTP is not secure, but the text mentions two updates that are; FTP Secure (FTPS) uses port 20 for data and port 21 for commands (through TLS), may not encrypt data; Secure FTP (SFTP) uses one port, typically port 22, encrypts commands and data
  • Network Basic Input/Output System (NetBIOS) - a Microsoft system of naming devices, which may be run alongside TCP/IP
  • Telnet - a terminal program, made for connection to systems that typically use a character based interface; does not feature security, so SSH is recommended instead
  • Internet Protocol version 6 (IPv6) - the improved version of IP that was devised so that there would be more IP addresses (4.3 billion in IPv4 vs. 340 trillion, trillion, trillion in IPv6); uses 128 addresses, includes security

The section on administration principles begins with the observation that successful management is often based on rules. We are concerned with two types of rules: procedural rules, which may be required by law, by by company policy, or by some other external cause, and technical rules which may be required by procedural rules. The text warns us that technical rules, which have to do with hardware and software, should never be the cause of procedural rules, which have to do with how the company and its staff conduct themselves. This means that we should not let technology dictate how we conduct our business, which is a good idea. Be careful not to let this principle blind you to opportunities to improve our business procedures.

The text presents some rules about configuring routers on page 326:

  1. create a network design - actually plan the placement of your network resources, including the routers that link your LANs
  2. give routers meaningful names - the name of a router serves as part of the prompt when you are on the router's command interface; let the name serve as a reminder of the location and function of the router you are configuring
  3. secure all ports - the physical and virtual ports of a router are entry points for controlling it, so you should protect all of them from attackers
  4. use a strong password for your administrator account - anyone can look up the default password for name brand routers; change the passwords to strong passwords when you set up the devices
  5. make changes from the console - although you can change a device's configuration remotely, you should do it from the console of the device, so you can make a habit of always saving a backup copy of the configuration on your network.

Many devices on a network keep logs of important events. Security logs can record attacks. Access logs can record access requests for files. Audit logs record actions on the system and who they were performed by. Event logs record most events that fail, and some successful events. Administrators should review these logs regularly to develop a baseline for the network, and to look for developing trouble. You should review the device type/log information list on page 328 for more details on what to watch for in these logs.

On page 330, the text begins its discussion of network design principles.

  • network separation - customer facing parts of the network are considered unsecure, and they should be kept separate from the parts of the network that hold secure, sensitive data
  • loop protection - switches learn which MAC addresses to associate with each of their ports, but this can be a problem when the same device can be accessed by different paths through the network; this may cause a switch to send packets for such a device out several ports, as discussed on pages 330 and 331; avoid this problem by installing the Spanning Tree Algorithm, which only uses the best available route to any device
  • VLAN management - as we discussed before, a VLAN places devices in a single LAN, even if they are separated by several LAN segments. The text offers some advice that will avoid problems with VLANs
    • Configure empty switch ports to be on an empty VLAN; this avoids a user plugging a device in an empty port, and joining a LAN they do not belong on
    • change the names for all default VLANs (typically, the default VLAN on any switch is VLAN1)
  • disable switch ports that are not in use, to avoid people joining a LAN or a VLAN without authorization

This seems like enough information for this chapter. Do the assignments below, and refer to the text for any answers not in these notes.