ITS 2110 - Introduction to Network Security

Chapter 7 - Administering a Secure Network

Objectives:

This lesson introduces the student to two major types of attacks. Objectives important to this lesson:

  1. Network security devices
  2. Network architectures
  3. Enhancing security

Concepts:

Chapter 7

Last week, I talked to you a bit about network models. The chart below was part of that.

DoD, TCP/IP, and OSI Models

Functional Description        DoD Layers            TCP/IP Layers       OSI Layers
----------------------------  --------------------  ------------------  ----------------
Upper Layer Processes         Process/Application   Application         7 - Application
                                                                        6 - Presentation
                                                                        5 - Session
Reliable Connections          Host-to-host          Transport           4 - Transport
Internetwork Connections      Internet              Internet            3 - Network
Hardware/Network Connections  Network Access        Network Interface   2 - Data-Link
                                                    Physical            1 - Physical

We can begin this week with a discussion of the word protocol, which means either a set of rules for communication over a network, or a program that is run to use that set of rules. The author tells us that TCP/IP is the name of a suite of protocols that is named for the two most important ones in the suite: TCP and IP. The author discusses several protocols, putting them in the context of the networking models:

  • Internet Control Message Protocol (ICMP) - ICMP is a simple protocol that can be used for good and bad purposes. It is meant to communicate information and error messages between devices on a network. The text explains that it has four fields. Various combinations of values in fields 1 and 2 (Type and Code) stand for specific messages about transmission failures, several of which are listed in the text.

    The text lists four attacks that are associated with ICMP.
    • Network discovery - the attacker sends packets that request information about a network. Not an attack as much as information gathering for an attacker.
    • Smurf attack - the attacker sends ping requests (ICMP echo requests) to as many devices as possible, crafting the requests so that all the replies are sent to a single target machine, typically a server, and flood it
    • ICMP redirect - the attacker sends a request to a device, asking it to send all traffic to a device of the attacker's choice
    • Ping of death - the attacker sends an ICMP packet that is larger than the largest size allowed for packets on a given network; the target device might crash, or might just be knocked off the network; this kind of attack should not work any longer

  • Simple Network Management Protocol (SNMP) - messages are sent to devices to ask for status information or to configure settings on them; devices need to run service agent software to respond to the SNMP packets; versions 1 and 2 used public and private as the passwords for read and read-write commands, so they are no longer used; version 3 can use encrypted user names and passwords

  • Domain Name System (DNS) - sometimes called Domain Name Service, or Domain Name Space, which make more sense to some of us; DNS represents a hierarchy of servers that are responsible for maintaining a distributed list of all domains registered with IANA; the text mentions a few attacks associated with DNS:
    • DNS poisoning - changing the entries in a hosts table or in a DNS server to point to a desired site or device; less likely to be exploited if we use DNSSEC, a secure version of DNS
    • DNS transfer (zone transfer) - the attacker asks a DNS server for a copy of its database, which provides the attacker with information about the addresses, devices, and software used in the server's network

  • File Transfer Protocol (FTP) - FTP is not secure, but the text mentions two secure versions of it: FTP Secure (FTPS) uses port 20 for data and port 21 for commands (protected by TLS), but may not encrypt the data; Secure FTP (SFTP) uses a single port, typically port 22, and encrypts both commands and data

  • Network Basic Input/Output System (NetBIOS) - a Microsoft system of naming devices, which may be run alongside TCP/IP
  • Telnet - a terminal program, made for connection to systems that typically use a character based interface; does not feature security, so SSH (Secure Shell protocol) is recommended instead
  • Internet Protocol version 6 (IPv6) - the improved version of IP that was devised so that there would be more IP addresses (4.3 billion in IPv4 vs. 340 trillion, trillion, trillion in IPv6); uses 128-bit addresses and includes built-in security features
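The ICMP item above says that the Type and Code fields (fields 1 and 2 of the four-field header) identify the message, and that redirects and oversized pings are two of the ways the protocol is misused. The following is an added example, not code from the text or this course: a small Python decoder for the ICMP header that recomputes the checksum (field 3), names the Type/Code combinations mentioned in the notes, pulls the gateway address out of a Redirect, and, from the defender's side, lists why a decoded message deserves a second look. The sample messages are constructed in the code, not captured traffic, and the table of type names is a subset of the real one.

```python
import struct

# Type/Code names for the messages mentioned in the notes (a constructed subset,
# not the full IANA table).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
REDIRECT_CODES = {0: "redirect for the network", 1: "redirect for the host"}
MAX_ICMP_PAYLOAD = 65535 - 20 - 8   # largest IPv4 datagram minus IP and ICMP headers


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (field 3 of the header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Assemble a message with a correct checksum; used here only to construct sample input."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the four header fields: Type, Code, Checksum and 'rest of header'."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes, got %d" % len(packet))
    icmp_type, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    # Recompute the checksum with field 3 zeroed, as a receiver must.
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    message = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    detail = ""
    if icmp_type == 3:
        detail = UNREACHABLE_CODES.get(code, "code %d" % code)
    elif icmp_type == 5:
        # For a Redirect, the fourth field carries the gateway the sender wants used.
        gateway = ".".join(str(b) for b in packet[4:8])
        detail = "%s, gateway %s" % (REDIRECT_CODES.get(code, "code %d" % code), gateway)
    return {"type": icmp_type, "code": code, "message": message, "detail": detail,
            "checksum_ok": checksum_ok, "payload_len": len(packet) - 8}


def review(info: dict) -> list:
    """Defender-side triage: reasons a decoded message deserves a closer look."""
    reasons = []
    if not info["checksum_ok"]:
        reasons.append("checksum mismatch: corrupted or hand-crafted packet")
    if info["type"] == 5:
        reasons.append("redirect: hosts should accept these only from their own gateway")
    if info["payload_len"] > MAX_ICMP_PAYLOAD:
        reasons.append("payload larger than an IPv4 datagram can carry (ping-of-death pattern)")
    return reasons


# Constructed sample messages (not captured traffic).
ECHO_REQUEST = build_icmp(8, 0, rest=0x00010001, payload=b"hello")
REDIRECT = build_icmp(5, 1, rest=int.from_bytes(bytes([10, 0, 0, 254]), "big"))
CORRUPTED = ECHO_REQUEST[:-1] + b"X"          # one payload byte altered in transit
OVERSIZED = build_icmp(8, 0, payload=b"A" * (MAX_ICMP_PAYLOAD + 1))

if __name__ == "__main__":
    for name, pkt in [("echo", ECHO_REQUEST), ("redirect", REDIRECT),
                      ("corrupted", CORRUPTED), ("oversized", OVERSIZED)]:
        info = parse_icmp(pkt)
        print(name, info["message"], info["detail"], review(info))
```

The checksum is verified by zeroing field 3 and summing again, which is exactly what a receiving stack does; a mismatch on a message that otherwise parses cleanly is a common sign of a hand-built packet. The size check applies to the reassembled message, which is where the ping-of-death problem showed up.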

The section on administration principles begins with the observation that successful management is often based on rules. We are concerned with two types of rules: procedural rules, which may be required by law, by company policy, or by some other external cause, and technical rules, which may be required by procedural rules. The text warns us that technical rules, which have to do with hardware and software, should never be the cause of procedural rules, which have to do with how the company and its staff conduct themselves. This means that we should not let technology dictate how we conduct our business, which is a good idea. Be careful not to let this principle blind you to opportunities to improve our business procedures.

The text presents some rules about configuring routers:

  1. Create a network design - actually plan the placement of your network resources, including the routers that link your LANs
  2. Give routers meaningful names - the name of a router serves as part of the prompt when you are on the router's command interface; let the name serve as a reminder of the location and function of the router you are configuring
  3. Secure all ports - the physical and virtual ports of a router are entry points for controlling it, so you should protect all of them from attackers
  4. Use a strong password for your administrator account - anyone can look up the default password for name brand routers; change the passwords to stronger passwords when you set up the devices
  5. Make changes from the console - although you can change a device's configuration remotely, you should do it from the console of the device, so you can make a habit of always making a backup copy of the configuration on your network

Many devices on a network keep logs of important events. Security logs can record attacks. Access logs can record access requests for files. Audit logs record actions on the system and who supposedly performed them. Event logs record most events that fail, and some successful events. Administrators should review these logs regularly to develop a baseline for the network, and to look for developing trouble. You should review the device type/log information list in the text for more details on what to watch for in these logs.
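The paragraph above says the point of regular log review is to build a baseline and then notice when activity departs from it. As an added example (not from the text or the course), the Python below parses syslog-style lines into (host, event, source) records, counts events per host over a quiet window to form the baseline, and then compares a later window against it, reporting only counts that are both above an absolute floor and a multiple of the baseline. The log lines, the line format, the host names and the addresses are all constructed inside the code; a real device's format would need its own regular expression.

```python
import re
from collections import Counter

# Constructed syslog-style line format (an assumption, not any vendor's exact layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
SRC_RE = re.compile(r"\bfrom (\S+)")


def _line(host, minute, msg, proc="sshd[211]"):
    """Build one constructed log line."""
    return "Mar 03 10:%02d:00 %s %s: %s" % (minute, host, proc, msg)


def classify(msg: str) -> str:
    """Map a message to an event category; anything unrecognised is 'other'."""
    if msg.startswith("Failed password"):
        return "auth_fail"
    if msg.startswith("Accepted"):
        return "auth_ok"
    if "configuration" in msg:
        return "config_change"
    return "other"


def parse(lines):
    """Yield (host, event, source) for each line that matches the expected format."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue          # unparseable lines are skipped, not guessed at
        src = SRC_RE.search(m["msg"])
        yield m["host"], classify(m["msg"]), src.group(1) if src else None


def summarize(lines) -> Counter:
    """Count events per (host, event); run over a quiet window this is the baseline."""
    return Counter((host, event) for host, event, _ in parse(lines))


def compare(baseline: Counter, current: Counter, factor=2.0, minimum=5) -> list:
    """Report (host, event, baseline_count, current_count) where the current count is
    at least `minimum` and at least `factor` times what the baseline showed."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        before, now = baseline[key], current[key]
        if now >= minimum and now >= factor * before:
            findings.append((key[0], key[1], before, now))
    return findings


def top_sources(lines, event="auth_fail") -> Counter:
    """Which source addresses produced a given event; the next question once compare() flags a host."""
    return Counter(src for _, ev, src in parse(lines) if ev == event and src)


# Baseline window (constructed): a normal day with a few typos at the login prompt.
BASELINE_LOG = (
    [_line("fw1", i, "Failed password for ops from 10.0.0.7 port 51122 ssh2") for i in range(2)]
    + [_line("fw1", 2 + i, "Failed password for ops from 10.0.0.8 port 51130 ssh2") for i in range(2)]
    + [_line("fw1", 4 + i, "Accepted password for ops from 10.0.0.5 port 40022 ssh2") for i in range(2)]
)
# Current window (constructed): one outside address keeps failing against the firewall's SSH port.
CURRENT_LOG = (
    [_line("fw1", i, "Failed password for admin from 203.0.113.5 port 5%04d ssh2" % i) for i in range(10)]
    + [_line("fw1", 10 + i, "Failed password for ops from 10.0.0.7 port 51140 ssh2") for i in range(2)]
    + [_line("fw1", 12 + i, "Accepted password for ops from 10.0.0.5 port 40030 ssh2") for i in range(2)]
    + [_line("sw1", 20, "user ops changed configuration from console", proc="config")]
)

if __name__ == "__main__":
    print(compare(summarize(BASELINE_LOG), summarize(CURRENT_LOG)))
    print(top_sources(CURRENT_LOG).most_common(1))
```

The absolute floor matters: a count going from 0 to 1 is a 100 percent increase but rarely worth an alert on its own, while the single configuration change on sw1 is still visible in the summary for a reviewer who wants to check it against the change records.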

The text presents a discussion of several network design principles:

  • network separation - customer facing parts of the network are considered unsecure, and they should be kept separate from the parts of the network that hold secure, sensitive data
  • loop protection - switches learn which MAC addresses to associate with each of their ports, but this can be a problem when the same device can be accessed by different paths through the network; this may cause a switch to send packets for such a device out several ports; avoid this problem by installing the Spanning Tree Algorithm, which only uses the best available route to any device
  • VLAN management - as we discussed before, a VLAN places devices in a single LAN, even if they are separated by several LAN segments. The text offers some advice that will avoid problems with VLANs:
    • configure empty switch ports to be on an empty VLAN; this avoids a user plugging a device into an empty (physical) port, and joining a LAN they do not belong on
    • change the names for all default VLANs (typically, the default VLAN on any switch is VLAN1); managing through obscurity is okay, but meaningful names are easier to manage
    • disable switch ports that are not in use, to avoid people joining a LAN or a VLAN without authorization
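The router rules earlier on this page (meaningful names, secure all ports, strong administrator passwords) and the VLAN advice just above (park empty ports on an unused VLAN, stay off the default VLAN, shut down unused ports) are the kind of thing a periodic configuration check can enforce. As an added example, not code from the text or the course, the Python below parses two constructed IOS-style configurations and reports each rule they break. The configurations, device names and the "enable secret" placeholder are made up for the example, and the audit treats a port with no description as unused, which is an assumption about local convention rather than anything the text states.

```python
# Constructed IOS-style configurations (not from any real device). The audit treats a
# port with no "description" as unused; that convention is an assumption.
WEAK_CONFIG = """\
hostname Switch
enable password cisco
!
interface GigabitEthernet0/1
 description uplink to core router
!
interface FastEthernet0/5
 switchport access vlan 1
!
interface FastEthernet0/6
 description printer, 2nd floor
 switchport access vlan 20
!
interface FastEthernet0/7
 switchport access vlan 999
 shutdown
!
line vty 0 4
 transport input telnet
 login
"""

HARDENED_CONFIG = """\
hostname bldg2-fl3-sw1
enable secret REPLACE-WITH-STRONG-SECRET
!
interface GigabitEthernet0/1
 description uplink to core router
!
interface FastEthernet0/5
 description workstation, room 301
 switchport access vlan 20
!
interface FastEthernet0/6
 description printer, 2nd floor
 switchport access vlan 20
!
interface FastEthernet0/7
 switchport access vlan 999
 shutdown
!
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_NAMES = {"router", "switch"}
WEAK_SECRETS = {"cisco", "admin", "password", "public", "private"}


def parse_config(text: str):
    """Split a config into top-level commands and the indented lines under each one."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections


def audit(text: str) -> list:
    """Return one finding per violated rule from the notes; an empty list is a pass."""
    findings = []
    top, sections = parse_config(text)
    hostname = next((t.split(None, 1)[1] for t in top if t.startswith("hostname ")), "")
    if not hostname or hostname.lower() in DEFAULT_NAMES:
        findings.append("hostname: missing or default; the name should state location and role")
    if not any(t.startswith("enable secret") for t in top):
        findings.append("enable secret: not set; privileged mode relies on a missing or reversible password")
    for line in top + [l for body in sections.values() for l in body]:
        tokens = line.split()
        if "password" in tokens:
            value = tokens[tokens.index("password") + 1:]
            if value and value[-1].lower() in WEAK_SECRETS:
                findings.append("weak password on line: %s" % line)
    for header, body in sections.items():
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            in_use = any(l.startswith("description") for l in body)
            shut = "shutdown" in body
            vlan = next((l.split()[-1] for l in body if l.startswith("switchport access vlan")), None)
            if vlan == "1":
                findings.append("%s: access port left on default VLAN 1" % name)
            if not in_use and not shut:
                findings.append("%s: no description and not shut down; disable unused ports" % name)
        elif header.startswith("line vty"):
            if any(l.startswith("transport input") and ("telnet" in l or l.endswith(" all")) for l in body):
                findings.append("%s: Telnet accepted for remote management; use 'transport input ssh'" % header)
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

Run over the weak configuration this reports the default host name, the missing "enable secret", the well-known "enable password cisco", the port left on VLAN 1, the undocumented port that was never shut down, and the vty lines that still accept Telnet; the hardened configuration produces no findings. The shut-down port parked on VLAN 999 in both configurations is the pattern the VLAN advice describes.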