TI0067
Information Technology Security and Risk Management
Securing the Network
Overview
• In this chapter we examine the foundations of network security
  and look at system security issues, such as securing information
  flow by appropriate hardware and software controls. These
  include routers, firewalls, intrusion detection systems, network
  separation, operating systems and antivirus software.
Learning Objectives
• describe the basic features of a network and the risks they face
• explain the operation of firewalls
• outline the use of intrusion detection systems to defend networks
• describe the operation of virtual private networks
• discuss the approaches to inter-network security
• discuss the security issues relating to system software
• explain the use of antivirus software
Introduction to Network Security
Common Deployment of Network Segments
  user
  • contains user workstations
  servers
  • maintains the corporate production servers for a specific locale (email, file and
    application servers)
  vendor
  • provides access for visiting vendors and is restricted to the Internet only
  remote access
  • provides an entrance point for employees to gain access remotely and would
    contain VPN and remote access server (RAS)
  storage
  • network attached storage maintained on isolated networks
Topology of Computer Networks
  token ring
  • every computer connects to a physical network cable ring
    with two connections
  linear bus
  • every computer connects to some point in a backbone, which
    is terminated at each end
  star
  • every computer connects to a central point, e.g. hub or switch
Firewall Types and Techniques
• A firewall is a hardware device or software that filters packets as
  they are sent between networks, and it is a necessity for a
  business network today. This is one particular case where
  hardware can do a better job than software, but there is software
  that can perform the task adequately, depending on the situation.
  In the case of the Linux operating system, the software firewall
  (part of the Linux system) could be complemented by a hardware
  firewall for additional security.
• There are three types of firewall:
   • packet filters
   • circuit level gateways
   • application gateways
Packet Filters
• Packet filters are constructed so as to examine the header of a
  TCP/IP packet and inspect its routing information, such as the
  packet's source and destination addresses.
• Advantages of using packet-filtering routers are that they are
  easier to construct than most other types of firewall configuration.
• The disadvantages of packet filters are that they are vulnerable
  since they have a very simple traffic logging mechanism and have
  several security-related design weaknesses.
Gateways
• Circuit-level gateways relay requests for Internet connections.
  An outbound connection from an internal network intended for
  the Internet travels to a relay gateway, which reads the
  destination address of the request and creates a link to the
  target. The gateway then passes information between the internal
  connection request and the external target link.
• Application gateways use specially written code for each specific
  application. They are able to examine and interpret the data
  within the packet, not just the packet header, as in the case of a
  circuit-level gateway. A physical application gateway uses proxy
  servers, code that represents both clients and servers.
Firewall Configurations
  Packet filtering
  • Based on the packet header information, including the source and destination addresses
    and port numbers, the packet filter can pass some packets while blocking others.
  Stateful inspection packet filtering
  • This method also filters on packet header information. Stateful inspection looks at the
    packet to see whether it is the beginning of a session, a continuation of a session or the
    termination of a session.
  Screened-host
  • A screening router or firewall appliance is used to ensure that a host on an external
    network can communicate only with a bastion host that is attached to an internal network.
  Screened-subnet or demilitarized zone
  • This DMZ is connected to the internal network and to an external network through
    screening routers or a firewall appliance.
  Multi-homed host
  • A multi-homed host does not route packets directly from one network to another,
    although it could be configured to do so.
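The difference between plain packet filtering and stateful inspection, as an added simulation in Python (not code from the slides or from any firewall product): the stateless filter judges each header on its own, while the stateful one keeps a session table so that every packet is classified as the beginning, continuation or termination of a session. The internal network prefix, addresses, ports and the "inbound passes unless it is a bare SYN" rule are constructed assumptions for the demo.

```python
"""Header-only (stateless) packet filtering beside stateful inspection.

Added example: a simplified simulation, not a real firewall implementation.
Addresses, ports and flags are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


INTERNAL_PREFIX = "10.0.0."  # assumption: 10.0.0.x is the protected internal network


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_decide(p: Packet) -> str:
    """Packet filter: rules that see only this packet's header.
    Rule 1: anything from inside may go out.
    Rule 2: inbound TCP passes unless it is a connection request (SYN without
            ACK); this is the classic header-only approximation of 'reply to
            one of our sessions'."""
    if is_internal(p.src):
        return "pass"
    if "SYN" in p.flags and "ACK" not in p.flags:
        return "drop"
    return "pass"


class StatefulFilter:
    """Stateful inspection: a table of sessions keyed by the internal side's
    (src, sport, dst, dport), so each packet is judged as the beginning,
    continuation or termination of a known session."""

    def __init__(self):
        self.table = {}

    def decide(self, p: Packet) -> str:
        if is_internal(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"        # beginning of a session
                return "pass"
        else:
            key = (p.dst, p.dport, p.src, p.sport)  # rewrite to the internal view
        state = self.table.get(key)
        if state is None:
            return "drop"                            # no session: unsolicited packet
        if "RST" in p.flags or "FIN" in p.flags:
            del self.table[key]                      # termination (simplified: first FIN closes)
            return "pass"
        if state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags and not is_internal(p.src):
            self.table[key] = "ESTABLISHED"          # server's SYN/ACK completes the opening
        return "pass"                                # continuation of a known session


def run_scenario():
    """Three traffic cases; returns (stateless, stateful) verdicts for each."""
    inside, web, other = "10.0.0.5", "203.0.113.7", "198.51.100.9"  # constructed
    sf = StatefulFilter()
    out = {}
    # Case 1: a normal outbound session opened from inside.
    handshake = [pkt(inside, 40000, web, 80, "SYN"),
                 pkt(web, 80, inside, 40000, "SYN", "ACK"),
                 pkt(inside, 40000, web, 80, "ACK")]
    out["handshake"] = [(stateless_decide(p), sf.decide(p)) for p in handshake]
    # Case 2: an unsolicited inbound packet that merely sets ACK.
    probe = pkt(other, 12345, inside, 139, "ACK")
    out["ack_only_probe"] = (stateless_decide(probe), sf.decide(probe))
    # Case 3: the session is closed, then a late packet arrives for it.
    fin = pkt(inside, 40000, web, 80, "FIN", "ACK")
    stateless_decide(fin)
    sf.decide(fin)
    late = pkt(web, 80, inside, 40000, "ACK")
    out["after_close"] = (stateless_decide(late), sf.decide(late))
    return out


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(case, verdict)
```

Both filters pass the legitimate handshake, but only the stateful one drops the ACK-only probe and the packet that arrives after the session was torn down: the header alone cannot say whether a session exists, the table can.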
Intrusion Detection Systems
• An intrusion detection system (IDS) reads and interprets log files
  from routers, firewalls, servers and other network devices to
  deter, detect and deflect unauthorized use or attacks on a system.
• Because attacks can span packets, IDS examines packets in two
  different ways. It scans each packet individually looking for
  patterns (signatures) that are typical of an attack, and it monitors
  the packets as a stream of information, thus identifying attacks
  spread across multiple packets.
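The two inspection modes described above, as an added example in Python (not code from the slides or any IDS product): a signature scanner run over each packet individually, beside a stream reassembler that orders segments by offset and scans the joined bytes. The signature strings, flow identifiers and payloads are constructed for the demo, and the offsets stand in for TCP sequence numbers.

```python
"""Per-packet signature matching beside stream reassembly (added example)."""
from collections import defaultdict

# Constructed signature set: byte patterns the IDS treats as attack indicators.
SIGNATURES = {
    "sig-constructed-1": b"EXAMPLE-ATTACK-PATTERN",
    "sig-constructed-2": b"BAD_COMMAND_SEQUENCE",
}


def match_signatures(data: bytes):
    """Names of all signatures found in `data`, sorted for stable output."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def per_packet_scan(packets):
    """Mode 1: each packet is inspected on its own.
    `packets` is a list of (offset, flow, payload) tuples."""
    alerts = []
    for _offset, flow, payload in packets:
        for name in match_signatures(payload):
            alerts.append((flow, name, "packet"))
    return alerts


class StreamReassembler:
    """Mode 2: collect segments per flow, place each at its byte offset
    (so out-of-order and retransmitted segments land correctly) and scan
    the reassembled stream as one piece of information."""

    def __init__(self):
        self.flows = defaultdict(dict)  # flow -> {offset: payload}

    def add(self, offset, flow, payload):
        self.flows[flow][offset] = payload

    def stream(self, flow) -> bytes:
        segments = self.flows[flow]
        end = max(off + len(data) for off, data in segments.items())
        buf = bytearray(end)          # gaps (missing segments) stay as zero bytes
        for off in sorted(segments):
            buf[off:off + len(segments[off])] = segments[off]
        return bytes(buf)

    def scan(self):
        alerts = []
        for flow in self.flows:
            for name in match_signatures(self.stream(flow)):
                alerts.append((flow, name, "stream"))
        return alerts


def demo():
    """Constructed traffic: flow A carries a signature split across two
    segments that arrive out of order; flow B carries one in a single packet."""
    flow_a = ("203.0.113.7:5555", "10.0.0.80:80")
    flow_b = ("203.0.113.8:5556", "10.0.0.80:80")
    packets = [
        (0, flow_b, b"GET / BAD_COMMAND_SEQUENCE"),
        (17, flow_a, b"CK-PATTERN HTTP/1.0"),   # second half arrives first
        (0, flow_a, b"GET /EXAMPLE-ATTA"),      # 17 bytes, so the next offset is 17
    ]
    packet_alerts = per_packet_scan(packets)
    reasm = StreamReassembler()
    for offset, flow, payload in packets:
        reasm.add(offset, flow, payload)
    return {
        "per_packet": packet_alerts,
        "stream": reasm.scan(),
        "reassembled_a": reasm.stream(flow_a),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Per-packet scanning catches only the signature that fits inside one packet; the split signature is invisible to it and is found only once the stream is put back together, which is why an IDS needs both modes.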
Virtual Private Networks
• A virtual private network (VPN) operates on the public
  telecommunication infrastructure, using a tunneling protocol and
  security procedures to maintain its privacy. VPNs were developed
  to allow private networks to be spread over a large geographic
  area without the high expense of leasing private lines. The VPN
  allows multiple private networks to be connected over a public
  infrastructure.
• When a VPN is implemented between two locations it works in a
  very similar manner to the way encrypted data is sent over a wide
  area network. To communicate using a VPN, the packets are
  encrypted using a point-to-point protocol (PPP), then are sent
  over the public network encapsulated with an authorized
  protocol. When the packet is received at the destination, data is
  decrypted allowing the receiver to access the plaintext.
Inter-network Security
• Inter-network security is the process of linking two or more
  networks to give functionality but also maintain the integrity of
  such networks. It is a difficult balance to achieve, as often one is a
  trade-off against the other.
• Inter-network security has the precondition that each network is
  already secure independently. The level of security also largely
  relies on the users of the networks, but inter-network protection
  exists to limit and define the boundaries of its users.
• At any given time, there are three commonly used methods of
  maintaining security in an environment that has one or more
  independent networks:
   • network isolation
   • firewalls and perimeter guards
   • multilevel security networks.
Network Isolation
• Network isolation is one of the most commonly used practices in
  the military and defence. Network isolation is the practice of
  keeping two or more networks entirely separated, and no
  connections are allowed between the two. This keeps each
  network of computers entirely distinct from the other, with no
  knowledge of each other’s existence. This means that it is
  physically impossible for data to transfer between networks.
• The problem with this solution is that network isolation pays a
  high price for the security. Isolated networks have no physical
  method of transferring data, which limits the use of both
  networks. At the price of limiting movement of unauthorized data
  between networks, the system stops all movement, even that of
  required data. Where an isolated network excels in security, it
  lacks in functionality.
Firewalls and Perimeter Guards
• The use of firewalls and monitoring software to separate two or
  more networks is even more flawed as a system of maintaining
  data integrity than isolating networks.
• Firewalls are primarily used to block certain types of traffic, or to
  allow traffic only to move into a network as a response, which
  makes them ideal as a network perimeter defence. Firewalls are
  considered standard as a form of defence on a computing
  network, but their use is not considered appropriate as a barrier
  within an internal network.
Multilevel Secure Networks
• Multilevel secure networks are a modern idea that aims to
  maintain the security that an isolated network achieves while
  allowing a larger degree of flexibility. It is designed for
  environments that have two or more networks, a high-level (or
  more secure) network and a low-level one (less secure).
• Within a multilevel secure network, data may be transmitted from
  the low-level network to the high-level network but may not
  travel from the high-level network to the low-level one, not even
  for acknowledgement of data, which prevents any form of data
  being leaked from a more secure computing environment into a
  less secure one.
Network Separation
• Network separation is a security technique used primarily in
  military and defence networks as a method of ensuring that those
  without authorization do not access classified data. In the use of
  separated networks, there is often one ‘insecure’ network: a
  network that is often connected to the Internet or acts as an
  internal intranet.
BIOS and boot loader
• The system’s BIOS essentially controls the behavior of all system
  hardware before booting the operating system, when control of
  most hardware is delegated to the operating system.
• The system’s BIOS also includes the following options to
  strengthen security:
   • boot sequence
   • virus warning
   • security option
The Operating System
Microsoft Windows 2000
File system security
User accounts
Password security
Account lockout policy
Security audits
User rights assignment policy
Additional security options
Active Directory
1. File System Security
• Windows 2000 provides the option of using the FAT32 or NTFS
  file systems. FAT32 (32-bit file allocation table) is the file system
  used by Windows 98 and ME. It has no features to control user
  access to data and as such is not recommended by Microsoft as a
  file system for use in business. NTFS (New Technology file
  system) is the file system used by Windows NT-based operating
  systems and is the recommended file system in all business
  situations, not only for its support for file and folder access
  permissions but also because it is required by Windows 2000
  Server if Active Directory is to be installed. NTFS is also required
  for EFS (Encrypting File System), which is available in Windows
  2000 and later.
2. User Accounts
• Being a multi-user operating system, Windows 2000 gives
  administrators the ability to give every user in the organization
  their own user account so that users can access computer systems
  with their own credentials and everyone from outside is virtually
  locked out. A user’s ‘account’ contains information about the user,
  particularly three important things:
   • the account ‘username’ which is used by the user to tell the system who
     they are
   • the account ‘password’, which is the access key that the user uses to prove
     their identity to the system
   • a 37-character security ID (SID), which starts with the character ‘S’ and is
     followed by 36 digits, arranged in groups and separated by hyphens. The
     SID is unique to a particular user account.
3. Password Security
• In all of the Windows NT operating systems (including Windows 2000), user
  authentication has required the use of a username and password; the
  password essentially being the key to the user’s account.
• Windows 2000’s security policy controls provide the following options to
  help ensure that a user’s password is secure:
   • ‘Enforce password history.’ This option allows administrators to specify the number of
     passwords that the system remembers so that passwords cannot be reused.
   • ‘Maximum password age.’ The maximum number of days before the system forces the user to
     change the password.
   • ‘Minimum password length.’ The required minimum number of characters in a user’s
     password.
   • ‘Password must meet complexity requirements.’ If this policy is on, the password must meet
     the following requirements: not contain all or part of the user’s account name; be at least six
     characters in length; and contain characters from at least three of the following four
     categories:
        •   English uppercase characters (A to Z)
        •   English lowercase characters (a to z)
        •   base 10 digits (0 through to 9)
        •   non-alphanumeric characters (e.g. *, !, $, #, %)
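The password policy options listed above, applied to candidate passwords in an added Python example (this is not Microsoft's implementation, only the same rules written out so their effect can be seen): minimum length, the three-of-four category rule, the account-name exclusion and password history. Two assumptions are labelled in the code: "part of the account name" is taken to mean any run of three or more consecutive characters of the username, and history entries are stored as salted SHA-256 digests purely for the demo, not in the Windows format.

```python
"""Password policy checks modelled on the Windows 2000 options (added example)."""
import hashlib
import os
import string
from typing import List, Tuple

HistoryEntry = Tuple[bytes, str]  # (salt, hex digest): illustrative storage only


def hash_password(password: str, salt: bytes) -> str:
    # Salted SHA-256 stands in for whatever the real system stores; the point is
    # only that remembered passwords can be compared without keeping plaintext.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def record_password(password: str) -> HistoryEntry:
    """Append-to-history helper: fresh random salt per entry."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def char_categories(password: str) -> set:
    """The four categories from the slide. Anything outside A-Z, a-z and 0-9
    counts as non-alphanumeric, so accented letters land in 'symbol'."""
    cats = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.digits:
            cats.add("digit")
        else:
            cats.add("symbol")
    return cats


def contains_account_name(username: str, password: str, run: int = 3) -> bool:
    """'All or part of the account name'. Assumption made here: 'part' means any
    run of `run` or more consecutive characters, compared case-insensitively."""
    u, p = username.lower(), password.lower()
    if not u:
        return False
    if len(u) < run:
        return u in p
    return any(u[i:i + run] in p for i in range(len(u) - run + 1))


def check_password(username: str, password: str, history: List[HistoryEntry],
                   min_length: int = 6, remember: int = 6) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:                       # 'Minimum password length'
        problems.append("shorter than minimum length")
    if contains_account_name(username, password):        # complexity rule, part 1
        problems.append("contains all or part of the account name")
    if len(char_categories(password)) < 3:               # complexity rule, part 2
        problems.append("fewer than three character categories")
    for salt, digest in history[-remember:]:             # 'Enforce password history': last N
        if hash_password(password, salt) == digest:
            problems.append("reuses a remembered password")
            break
    return problems


if __name__ == "__main__":
    hist = [record_password("Summer2001!")]              # constructed previous password
    for cand in ["jsmith99", "abc123", "Smi7h!x", "Summer2001!", "Tr0ub4dor&3"]:
        print(cand, check_password("jsmith", cand, hist) or "OK")
```

Note that "Smi7h!x" satisfies length and all four categories yet still fails, because "smi" is a run from the account name "jsmith"; that is the check users most often trip over.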
4. Account Lockout Policy
• Just as an automatic teller machine captures a card after three
  incorrect PIN entry attempts, Windows 2000 can deactivate a
  user’s account after a specified number of incorrect password
  entry attempts.
  • ‘Account lockout duration.’ The length of time an account is locked out
    after the number of incorrect password entry attempts reaches the
    threshold. If this is set to 0, then the account remains locked out
    indefinitely until an administrator unlocks it.
  • ‘Account lockout threshold.’ The number of invalid password attempts
    before the account is locked out.
  • ‘Reset account lockout counter after ...’ The length of time before the
    recorded number of invalid password entry attempts is reset to zero.
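The interaction of the three lockout settings above, as an added Python example (not Windows code): a small tracker with an injected clock so that threshold, lockout duration (including the value 0 meaning "until an administrator unlocks") and the counter-reset window can be exercised deterministically. The policy values, usernames and credential table are constructed for the demo.

```python
"""Account lockout policy as a state machine (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5        # 'Account lockout threshold'
    duration_s: int = 1800    # 'Account lockout duration' (0 = until an administrator unlocks)
    reset_after_s: int = 1800 # 'Reset account lockout counter after ...'


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_at: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self.verify = verify          # real credential check, injected
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration_s == 0:
            return True               # indefinite: only admin_unlock() clears it
        if now - st.locked_at >= self.policy.duration_s:
            st.locked_at = None       # duration elapsed: automatic unlock
            st.bad_attempts = 0
            return False
        return True

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad_password' or 'locked'. A locked account rejects
        even the correct password, which is the whole point of the control."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        # 'Reset account lockout counter after': old failures stop counting.
        if st.last_bad_at is not None and now - st.last_bad_at >= self.policy.reset_after_s:
            st.bad_attempts = 0
        if self.verify(user, password):
            st.bad_attempts = 0
            st.last_bad_at = None
            return "ok"
        st.bad_attempts += 1
        st.last_bad_at = now
        if st.bad_attempts >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "bad_password"


def demo_timed():
    """Threshold 3, lockout 60 s, counter reset after 30 s (constructed values)."""
    creds = {"alice": "correct-horse"}   # constructed credential table
    t = LockoutTracker(LockoutPolicy(3, 60, 30), lambda u, p: creds.get(u) == p)
    return [
        t.attempt("alice", "x", 0),               # failure 1
        t.attempt("alice", "x", 10),              # failure 2
        t.attempt("alice", "x", 50),              # 40 s quiet: counter reset, failure 1
        t.attempt("alice", "x", 55),              # failure 2
        t.attempt("alice", "x", 58),              # failure 3: locked
        t.attempt("alice", "correct-horse", 70),  # right password, still locked
        t.attempt("alice", "correct-horse", 120), # 62 s later: unlocked, ok
    ]


def demo_indefinite():
    """Duration 0: stays locked until an administrator intervenes."""
    t = LockoutTracker(LockoutPolicy(1, 0, 30), lambda u, p: p == "pw")
    first = t.attempt("bob", "x", 0)
    later = t.attempt("bob", "pw", 10_000)
    t.admin_unlock("bob")
    after = t.attempt("bob", "pw", 10_001)
    return first, later, after


if __name__ == "__main__":
    print(demo_timed())
    print(demo_indefinite())
```

The reset window matters for tuning: with it, a user who mistypes twice in the morning and once in the afternoon is not locked out, while three failures in quick succession are.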
5. Security Audits
• Security audits are essentially logs of every action that the user performs and
  actions that the computer itself can automatically perform. By default, the
  systems logs can be accessed only by administrators. Windows 2000 allows
  administrators to audit the following activities:
   • account logon events: when a user logs on or off and the computer maintaining the audit
     is the computer that validates the username and password
   • account management: when user accounts are modified
   • directory service access: any object accessed in Windows 2000’s Active Directory
   • logon events: when a user logs on or off, or makes a network connection
   • object access: when a user accesses an ‘object’ on the system (e.g. requiring the use of
     services)
   • policy change: when the audit policy is modified
   • privilege use: when a user makes use of any special privileges
   • process tracking: when a user interacts with a process
   • system events: when the system performs an activity that would normally be placed in the
     event log. Auditing system events can also be used in conjunction with the security option
     ‘Shut down the system immediately if unable to write an event to the security log’ to prevent
     DoS attacks, which would normally fill up the security log rather quickly.
6. User Rights Assignment Policy
• The user rights assignment policy options allow administrators to
  specify which users have the rights to perform more specific
  actions, other than those allowed by the group to which a
  particular user belongs. Changes made to these options control
  whether any particular user can:
  • access the system over the network using their username and password
  • act as part of the operating system, giving the user the ability to perform
    almost any action on the system, as if they were using a Windows 95-
    based system
  • locally log on to the system
  • shut down or restart the system (locally or remotely)
  • perform maintenance on hard drive volumes
  • install, uninstall and update device drivers
  • adjust memory usage
  • change the system clock
  • take ownership of files.
7. Additional Security Options
• The security policy controls also provide a set of security options
  not covered elsewhere. These options include:
   • Renaming the administrator or guest accounts (which can also be done
     from within the ‘Local users and groups’ controls for stand-alone servers
     and workstations or from within ‘Active Directory users and computers’
     for domain controllers and domain members). Renaming the
     administrator account provides the opportunity to create a ‘dummy’
     account called ‘administrator’ (with no access rights), which can then be
     monitored for any suspicious activity.
   • preventing users from accessing the system over the network
   • forcing the user’s log-off or disconnection when their permitted logon
     hours expire
   • preventing the system from being shut down without having to log on
   • preventing the username of the last user on the system being displayed in
     the ‘username’ box when the next user logs on
   • whether the ‘Everyone’ access permission applies to anonymous users
   • preventing the installation of drivers that have not been digitally signed
8. Active Directory
• Active Directory is the name given to the directory service in
  Windows 2000 that is installed when the server is ‘promoted' to a
  domain controller.
• Active Directory contains a feature called ‘operations masters’.
  This feature allows a Windows 2000 server running the directory
  service to delegate roles to others. Using this feature, it is possible
  to create several domain controllers, each responsible for
  performing different tasks.
Linux
Boot loader
Passwords
Limiting use of the ‘root’ account
Services
Firewall
1. Boot Loader
• Password protecting the Linux boot loader prevents unauthorized
  access to single-user mode (whereby the user becomes the ‘root'
  user) and prevents the loading of any other operating system (if
  running a dual-boot system), which might be less secure. Also, if
  GRUB is the boot loader, password protection prevents
  unauthorized access to the GRUB console, where configuration
  options can be changed. Securing each of these boot loaders
  requires root access.
2. Passwords
• For best password security, Linux will automatically select MD5
  and shadow passwords during installation. MD5 is a more secure
  encryption method, which also allows non-alphanumeric
  characters in password. If this option is deselected, Linux uses
  DES encryption, which allows only alpha-numeric characters and
  56-bit encryption. Password shadowing is important for security;
  otherwise password hashes are left in the password file, which is
  readable to everyone and susceptible to a brute force attack off-
  site. If password shadowing is enabled, the password hashes are
  kept in the password shadow file, which can be read only by the
  root user.
3. Limiting Use of The ‘root’ Account
• By default, the user ‘root’ can only access a Linux system locally.
  The file /etc/securetty controls which terminals the root account
  can be used on. If this file is empty, the root user cannot log on at
  all (except through SSH). If this file does not exist, the root user
  can log on from anywhere, which is potentially unsafe. Further
  options exist that are designed to limit the use of the root account,
  such as changing the root shell and preventing SSH logins.
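The three cases the slide distinguishes for /etc/securetty (file absent, file empty, file listing terminals), as an added Python example that models the decision rather than reproducing the real PAM module: each case is built in a temporary directory so it runs offline. The file names, terminal names and the treatment of SSH as bypassing the file (per the slide's "except through SSH") are assumptions of the demo.

```python
"""Model of the /etc/securetty decision for root logins (added example)."""
import os
import tempfile


def root_login_allowed(securetty_path: str, tty: str, via_ssh: bool = False) -> bool:
    """Mirror the slide's three cases.
    - via SSH: the file is not consulted (sshd has its own setting)
    - file missing: root may log in from anywhere
    - file present: root may log in only from the terminals listed;
      an empty file therefore permits nothing."""
    if via_ssh:
        return True
    if not os.path.exists(securetty_path):
        return True
    with open(securetty_path, encoding="utf-8") as f:
        allowed = {line.strip() for line in f
                   if line.strip() and not line.lstrip().startswith("#")}
    return tty in allowed


def demo():
    """Constructed files in a temp dir: one missing, one empty, one with two ttys."""
    with tempfile.TemporaryDirectory() as d:
        missing = os.path.join(d, "securetty.missing")   # never created
        empty = os.path.join(d, "securetty.empty")
        open(empty, "w").close()
        listed = os.path.join(d, "securetty.listed")
        with open(listed, "w", encoding="utf-8") as f:
            f.write("# constructed example\ntty1\ntty2\n")
        return {
            "missing_file_pts0": root_login_allowed(missing, "pts/0"),
            "empty_file_tty1": root_login_allowed(empty, "tty1"),
            "empty_file_ssh": root_login_allowed(empty, "pts/0", via_ssh=True),
            "listed_tty1": root_login_allowed(listed, "tty1"),
            "listed_pts0": root_login_allowed(listed, "pts/0"),
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The check a practitioner wants from this is the asymmetry between "missing" and "empty": deleting the file opens root logins everywhere, while emptying it closes them all, so the safe hardening step is to keep the file and trim its contents.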
4. Services
• For security, most network services in Linux are turned off by default.
  Some exceptions include ‘lpd’ (print server), ‘portmap’ (required),
  ‘xinetd', ‘sendmail’ and ‘sshd’ (secure shell - replacement for telnet).
• Sendmail is an inherently insecure message transfer agent and can be
  susceptible to a number of attacks. However, there are some options
  that can be used to secure it:
   • The sendmail configuration can be modified to specify a limited number of
     concurrent connections, child processes, and header and message size. These are not
     set by default and leave the sendmail service open to a DoS attack.
   • The mail spool directory can be stored on a non-NFS volume to protect the privacy and
     security of email messages from other users.
   • If the sendmail service is running on a machine that does not require users to
     access a shell, then shell access can be denied.
   • The third-party port scanner ‘nmap’ can be used to monitor open ports,
     and any suspicious open ports can then be investigated. An open port running a
     service indicated as ‘unknown’, although not always sinister, still deserves some
     attention.
5. Firewall
• The security level configuration tool and the GNOME Lokkit are
  GUI-based tools that create ‘iptables’ rules. ‘iptables’ is the
  interface for the ‘netfilter’ subsystem of Linux, which provides
  packet filtering options. Command line use of ‘iptables’ provides
  access to such functions as IP masquerading, NAT and IP bans,
  and can also be used to control network access to specified
  services. This can be used to secure the ‘portmap’ service and
  other RPC services with weak security mechanisms.
Antivirus Software
• Viruses are malicious (or just annoying) pieces of software that
  append themselves to legitimate files, programs or emails, waiting
  to be activated by an unsuspecting user.
• Once a malignant virus is activated, its goal is usually to destroy as
  much data as it can in a short space of time. Hardware fails here
  mainly because new viruses are discovered every day. Although
  hardware can be designed to pick up existing viruses, in a few
  days the hardware device will long be out of date. Making
  hardware ‘updatable’ also presents a problem, as a virus could be
  designed to attack the programmable circuits and render the unit
  useless.