ITS 2110 - Introduction to Network Security
Chapter 7 - Administering a Secure Network
Objectives:
This lesson introduces the student to two major types of attacks.
Objectives important to this lesson:
- Network security devices
- Network architectures
- Enhancing security
Concepts:
Chapter 7
Last week, I talked to you a bit about network models. The chart below was part of that.
DoD, TCP/IP, and OSI Models

Functional Description | DoD Layers | TCP/IP Layers | OSI Layers
Upper Layer Processes | Process/Application | Application | 7 - Application; 6 - Presentation; 5 - Session
Reliable Connections | Host-to-host | Transport | 4 - Transport
Internetwork Connections | Internet | Internet | 3 - Network
Hardware/Network Connections | Network Access | Network Interface | 2 - Data-Link; 1 - Physical
We can begin this week with a discussion of the word protocol, which means either a set of rules for communication over a network, or a program that is run to use that set of rules. The author tells us that TCP/IP is the name of a suite of protocols, named for the two most important ones in the suite: TCP and IP.
The author discusses several protocols, putting them in the context of the networking models:
- Internet Control Message Protocol (ICMP) - ICMP is a simple protocol that can be used for good and bad purposes. It is meant to communicate information and error messages between devices on a network. The text explains that it has four fields. Various combinations of values in fields 1 and 2 (Type and Code) stand for specific messages about transmission failures, several of which are listed in the text.
The text lists four attacks that are associated with ICMP.
  - Network discovery - the attacker sends packets that request information about a network; not an attack as much as information gathering for an attacker
  - Smurf attack - the attacker sends ping requests (ICMP echo requests) to as many devices as possible, coding the requests so that the replies will all hit and flood a target machine, typically a server
  - ICMP redirect - the attacker sends a request to a device, asking it to send all traffic to a device of the attacker's choice
  - Ping of death - the attacker sends an ICMP packet that is larger than the largest size allowed for packets on a given network; the target device might crash, or might just be knocked off the network; this kind of attack should no longer work
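As an added illustration, not code from the text, the Python below decodes the four ICMP header fields the text describes, verifies the checksum, and names the messages discussed above; the packet bytes are constructed inline, and for a redirect it also pulls out the gateway address the sender is asking the host to use, which is the value a defender would compare against the legitimate router.

```python
import socket
import struct

# ICMP types (RFC 792) discussed in the chapter; Type and Code together name the message
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}
UNREACHABLE_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port", 4: "fragmentation needed"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message (type, code, checksum, rest-of-header) with a valid checksum."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the four header fields and report whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    name = ICMP_TYPES.get(icmp_type, "type %d" % icmp_type)
    if icmp_type == 3:
        name += " (%s)" % UNREACHABLE_CODES.get(code, "code %d" % code)
    info = {
        "type": icmp_type, "code": code, "message": name, "payload": packet[8:],
        # the checksum covers the whole message with the checksum field itself zeroed
        "checksum_ok": icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum,
    }
    if icmp_type == 5:
        # a redirect's rest-of-header is the gateway the host is told to use; an unexpected
        # address here is what a monitor would flag for the redirect attack the text describes
        info["gateway"] = socket.inet_ntoa(packet[4:8])
    return info


if __name__ == "__main__":
    sample = build_icmp(8, 0, (0x1234 << 16) | 1, b"abcd")  # constructed echo request
    print(parse_icmp(sample))
```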
- Simple Network Management Protocol (SNMP) - messages are sent to devices to ask for status information or to configure settings on them; devices need to run service agent software to respond to the SNMP packets; versions 1 and 2 used public and private as the passwords for read and read-write commands, so they are no longer used; version 3 can use encrypted user names and passwords
- Domain Name System (DNS) - sometimes called Domain Name Service, or Domain Name Space, which make more sense to some of us; DNS represents a hierarchy of servers that are responsible for maintaining a distributed list of all domains registered with IANA; the text mentions a few attacks associated with DNS:
  - DNS poisoning - changing the entries in a hosts table or in a DNS server to point to a desired site or device; less likely to be exploited if we use DNSSEC, a secure version of DNS
  - DNS transfer - the attacker asks a DNS server for a copy of its database, which provides the attacker with information about the addresses, devices, and software used in the server's network
- File Transfer Protocol (FTP) - FTP is not secure, but the text mentions two updates that are: FTP Secure (FTPS) uses port 20 for data and port 21 for commands (over TLS), but may not encrypt the data; Secure FTP (SFTP) uses one port, typically port 22, and encrypts both commands and data
- Network Basic Input/Output System (NetBIOS) - a Microsoft system of naming devices, which may be run alongside TCP/IP
- Telnet - a terminal program, made for connection to systems that typically use a character-based interface; does not feature security, so SSH (Secure Shell protocol) is recommended instead
- Internet Protocol version 6 (IPv6) - the improved version of IP that was devised so that there would be more IP addresses (4.3 billion in IPv4 vs. 340 trillion, trillion, trillion in IPv6); uses 128-bit addresses and includes security
The section on administration principles begins with the observation that successful management is often based on rules. We are concerned with two types of rules: procedural rules, which may be required by law, by company policy, or by some other external cause, and technical rules, which may be required by procedural rules. The text warns us that technical rules, which have to do with hardware and software, should never be the cause of procedural rules, which have to do with how the company and its staff conduct themselves. This means that we should not let technology dictate how we conduct our business, which is a good idea. Be careful not to let this principle blind you to opportunities to improve our business procedures.
The text presents some rules about configuring routers:
- Create a network design - actually plan the placement of your network resources, including the routers that link your LANs
- Give routers meaningful names - the name of a router serves as part of the prompt when you are on the router's command interface; let the name serve as a reminder of the location and function of the router you are configuring
- Secure all ports - the physical and virtual ports of a router are entry points for controlling it, so you should protect all of them from attackers
- Use a strong password for your administrator account - anyone can look up the default password for name brand routers; change the passwords to stronger passwords when you set up the devices
- Make changes from the console - although you can change a device's configuration remotely, you should do it from the console of the device, so you can make a habit of always making a backup copy of the configuration on your network
Many devices on a network keep logs of important events. Security logs can record attacks. Access logs can record access requests for files. Audit logs record actions on the system and who they were supposedly performed by. Event logs record most events that fail, and some successful events. Administrators should review these logs regularly to develop a baseline for the network, and to look for developing trouble. You should review the device type/log information list in the text for more details on what to watch for in these logs.
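As an added example that is not part of the text, the Python below builds the kind of baseline the text recommends from constructed event-log lines: it counts the failure events per day, takes the quiet days as the baseline, and flags any later day whose count stands well outside it.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample event-log lines (syslog style); four quiet days, then one noisy one
SAMPLE_LOG = """\
2024-03-01T08:02:11 host1 sshd: Failed password for admin from 10.1.1.7
2024-03-01T09:15:40 host1 sshd: Accepted password for alice from 10.1.1.20
2024-03-02T08:05:02 host1 sshd: Failed password for alice from 10.1.1.20
2024-03-02T08:05:30 host1 sshd: Accepted password for alice from 10.1.1.20
2024-03-03T17:44:19 host1 sshd: Failed password for root from 10.1.1.9
2024-03-04T12:00:00 host1 sshd: Accepted password for bob from 10.1.1.21
"""
# the fifth day gets twenty constructed failures from one outside address
SAMPLE_LOG += "".join(
    "2024-03-05T03:10:%02d host1 sshd: Failed password for admin from 203.0.113.5\n" % s
    for s in range(20))


def failures_per_day(log: str) -> dict:
    """Count event-log lines that record a failure, keyed by the date in the timestamp."""
    counts = Counter()
    for line in log.splitlines():
        if "Failed" in line:
            counts[line[:10]] += 1   # YYYY-MM-DD prefix of the ISO timestamp
    return dict(counts)


def flag_days(counts: dict, baseline_days: list, k: float = 2.0) -> list:
    """Flag days whose failure count exceeds mean + k standard deviations of the baseline days."""
    baseline = [counts.get(day, 0) for day in baseline_days]
    threshold = mean(baseline) + k * pstdev(baseline)
    return sorted(day for day, n in counts.items()
                  if day not in baseline_days and n > threshold)


if __name__ == "__main__":
    counts = failures_per_day(SAMPLE_LOG)
    print(counts, flag_days(counts, ["2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04"]))
```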
The text presents a discussion of several network design principles:
- network separation - customer-facing parts of the network are considered insecure, and they should be kept separate from the parts of the network that hold secure, sensitive data
- loop protection - switches learn which MAC addresses to associate with each of their ports, but this can be a problem when the same device can be accessed by different paths through the network; this may cause a switch to send packets for such a device out several ports; avoid this problem by installing the Spanning Tree Algorithm, which only uses the best available route to any device
- VLAN management - as we discussed before, a VLAN places devices in a single LAN, even if they are separated by several LAN segments. The text offers some advice that will avoid problems with VLANs:
  - configure empty switch ports to be on an empty VLAN; this avoids a user plugging a device into an empty (physical) port and joining a LAN they do not belong on
  - change the names for all default VLANs (typically, the default VLAN on any switch is VLAN1); managing through obscurity is okay, but meaningful names are easier to manage
  - disable switch ports that are not in use, to avoid people joining a LAN or a VLAN without authorization