1
|
|
2
|
- Identify security risks in LANs and WANs
- Explain how physical security contributes to network security
- Discuss hardware- and design-based security techniques
|
3
|
- Use network operating system techniques to provide basic security
- Implement enhanced security through specialized software
- Describe the elements of an effective security policy
|
4
|
- A hacker is someone who masters the inner workings of operating systems
and utilities in an effort to better understand them
- A cracker is someone who uses his or her knowledge of operating systems
and utilities to intentionally damage or destroy data or systems
- In general, root refers to a highly privileged user ID that has all
rights to create, delete, modify, move, read, write, or execute files on
a system
- A firewall is a specialized device that selectively filters or blocks
traffic between networks
|
5
|
- Assessment of an organization’s security risks
- Regular security audits should be performed at least annually and
preferably quarterly
- You should also conduct a security audit after making any significant
changes to your network
|
6
|
- Social engineering
- Manipulating relationships to circumvent network security measures and
gain access to a system
- Some risks associated with people:
- Intruders or attackers using social engineering or snooping to obtain
passwords
- An administrator incorrectly creating or configuring user IDs, groups,
and their associated rights on a file server
|
7
|
- Some risks associated with people (cont.):
- Network administrators overlooking security flaws in topology or
hardware configuration
- Network administrators overlooking security flaws in operating system
or application configuration
- Lack of proper documentation and communication of security policies
- Dishonest or disgruntled employees abusing their file and access rights
- An unusual computer or terminal being left logged into the network
|
8
|
- Some risks associated with people (cont.):
- Users or administrators choosing easy-to-guess passwords
- Authorized staff leaving computer room doors open or unlocked
- Staff discarding disks or backup tapes in public waste containers
- Administrators neglecting to remove access files and rights for former
employees
- Users leaving passwords out in open spaces
|
9
|
- Inherent risks in network hardware and design:
- Wireless transmission can typically be intercepted
- Networks that use leased lines are vulnerable to eavesdropping
- Network hubs broadcast traffic over the entire segment
- If they are not disabled, unused hubs, routers, or server ports can be
exploited and accessed by crackers
|
10
|
- Inherent risks in network hardware and design (cont.):
- If routers are not properly configured to mask internal subnets, users
on outside networks can read the private addresses
- Modems attached to network devices may be configured to accept incoming
calls
- Dial-in access servers used by telecommuting or remote staff may not be
carefully secured and monitored
- Computers hosting very sensitive data may coexist on the same subnet
with computers open to the general public
|
11
|
- Some risks pertaining to networking protocols and software:
- TCP/IP contains several security flaws
- Trust relationships between one server and another may allow a cracker
to access the entire network because of a single flaw
- Network operating system software typically contains “backdoors” or
security flaws
|
12
|
- Some risks pertaining to networking protocols and software (cont.):
- If the network operating system allows server operators to exit to a
command prompt, intruders could run destructive command-line programs
- Administrators might accept the default security options after
installing an operating system or application
- Transactions that take place between applications may be left open to
interception
|
13
|
- Common Internet-related security breaches:
- IP spoofing
- Outsiders obtain internal IP addresses, then use those addresses to
pretend that they have authority to access your internal network from
the Internet
- When a user Telnets or FTPs to your site over the Internet, his or her
user ID and password will be transmitted in plain text
- Crackers may obtain information about your user ID from newsgroups,
mailing lists, or forms filled out on the Web
|
14
|
- Common Internet-related security breaches (cont.):
- Flashing
- An Internet user sends commands to another Internet user’s machine that
cause the screen to fill with garbage characters
- Denial-of-service attack
- Occurs when a system becomes unable to function because it has been
deluged with messages or otherwise disrupted
|
15
|
- An effective security policy
- Typical goals for security policies:
- Ensuring that authorized users have appropriate access to the
resources they need
- Preventing unauthorized users from gaining access to the network,
systems, programs, or data
- Protecting sensitive data from unauthorized access
|
16
|
- Typical goals for security policies (cont.):
- Preventing accidental damage to hardware or software
- Preventing intentional damage to hardware or software
- Creating an environment where the network and systems can withstand and
quickly recover from any type of threat
- Communicating each employee’s responsibilities with respect to
maintaining data integrity and system security
|
17
|
- After risks are identified and responsibilities for managing them are
assigned, the policy’s outline should be generated with those risks in
mind
- The security policy should explain clearly to users:
- What they can and cannot do
- How these measures protect the network’s security
|
18
|
- Suggestions for team roles
- Dispatcher
- Manager
- Technical support specialist
- Public relations specialist
|
19
|
- Tips for making and keeping passwords secure:
- Do not use the familiar types of passwords
- Do not use any word that might appear in a dictionary
- Make passwords longer than six characters
|
20
|
- Tips for making and keeping passwords secure (cont.):
- Choose a combination of letters and numbers
- Do not write down your password or share it with others
- Change your password at least every 90 days
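As an added example (not part of the textbook slides), a small Python checker that applies the password rules from the two slides above to a candidate password: longer than six characters, a mix of letters and numbers, not a dictionary word, and changed within the last 90 days. The word list is a constructed stand-in; a real checker would load a system dictionary or a breached-password list.

```python
import datetime
import re

# Constructed stand-in for a dictionary word list (assumption: a real
# checker would load a system word list or a breached-password list).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}


def password_problems(pw, last_changed=None, today=None, max_age_days=90):
    """Return the rules from the slides that `pw` breaks (empty list = compliant).

    `last_changed` and `today` are ISO dates ("2024-01-01"); `today` defaults
    to the current date.
    """
    problems = []
    if len(pw) <= 6:
        problems.append("must be longer than six characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("must combine letters and numbers")
    # Strip digits and punctuation first, so "Dragon1!" is still caught as "dragon".
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in DICTIONARY:
        problems.append("is based on a dictionary word")
    if last_changed is not None:
        changed = datetime.date.fromisoformat(last_changed)
        now = datetime.date.fromisoformat(today) if today else datetime.date.today()
        if (now - changed).days > max_age_days:
            problems.append(f"is older than {max_age_days} days and must be changed")
    return problems


if __name__ == "__main__":
    for candidate in ("abc", "Dragon1!", "Tr4ffic-Hub9"):
        print(candidate, "->", password_problems(candidate) or "ok")
```

The dictionary test deliberately normalises the password before the lookup: appending a digit or a punctuation mark to a dictionary word is exactly the habit the slide's "combination of letters and numbers" tip can encourage, and a checker that only looks at the raw string would wave it through.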
|
21
|
|
22
|
- Bio-recognition access
- Device scans an individual’s unique physical characteristics
- Relevant questions in assessing physical security:
- Which rooms contain critical systems or data and need to be secured?
- Through what means might intruders gain access to the facility,
computer room, telecommunications room, wiring closet, or data storage
areas?
|
23
|
- Relevant questions in assessing physical security (cont.):
- How and to what extent are authorized personnel granted entry?
- Are employees instructed to ensure security after entering or leaving
secured areas?
- Are authentication methods difficult to forge or circumvent?
|
24
|
- Relevant questions in assessing physical security (cont.):
- Do supervisors or security personnel make periodic physical security
checks?
- Are all combinations, codes, or other access means to computer
facilities protected at all times?
- Does a plan exist for documenting and responding to physical security
breaches?
|
25
|
- Firewall
- Specialized device that selectively filters or blocks traffic between
networks
|
26
|
- Packet filtering firewall
- Router that operates at the Data Link and Transport layers of the OSI
Model
- Also called screening firewalls
|
27
|
- Criteria that a firewall might use to accept or deny data:
- Source and destination IP addresses
- Source and destination ports
- TCP, UDP, or ICMP protocols
|
28
|
- Criteria that a firewall might use to accept or deny data (cont.):
- Packet’s status as the first packet in a new data stream or a
subsequent packet
- Packet’s status as inbound or outbound to or from your private network
- Packet’s status as originating from or being destined for an
application on your private network
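The criteria on these two slides are the fields a screening firewall actually reads from each packet. As an added example (not from the textbook or any firewall product), here is a small Python rule evaluator that matches on source and destination address, protocol, destination port, direction, and whether the packet is the first of a new stream or a subsequent one. The `Packet` and `Rule` schemas, the 10.0.0.0/8 internal range and the rule set are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal address range for this example (an assumption).
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Packet:
    """Only the header fields a screening firewall inspects (hypothetical schema)."""
    iface: str           # "external" or "internal": where the packet arrived
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "new"   # "new" = first packet of a stream, "established" = subsequent


@dataclass
class Rule:
    action: str                        # "accept" or "deny"
    direction: str = "any"             # "inbound", "outbound" or "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()    # empty = any destination port
    state: str = "any"                 # "new", "established" or "any"


def direction_of(pkt):
    return "inbound" if pkt.iface == "external" else "outbound"


def matches(rule, pkt):
    return (
        rule.direction in ("any", direction_of(pkt))
        and rule.proto in ("any", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (not rule.dports or pkt.dport in rule.dports)
        and rule.state in ("any", pkt.state)
    )


def filter_packet(rules, pkt):
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set, evaluated top to bottom.
RULES = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("deny", direction="inbound", src=str(PRIVATE_NET)),
    # Only the web server may receive inbound TCP, and only on 80/443.
    Rule("accept", direction="inbound", proto="tcp", dst="10.0.0.80/32",
         dports=frozenset({80, 443})),
    # Inside hosts may open outbound TCP connections ...
    Rule("accept", direction="outbound", proto="tcp"),
    # ... and the replies (subsequent packets of those streams) may come back in.
    Rule("accept", direction="inbound", proto="tcp", state="established"),
]


if __name__ == "__main__":
    sample = Packet("external", "tcp", "203.0.113.5", "10.0.0.80", 51000, 443)
    print(filter_packet(RULES, sample))  # accept
```

Two design points carry over to real firewalls: the default at the end of the list is deny, so anything the administrator forgot to allow is blocked rather than let through, and the direction is taken from the interface the packet arrived on, not from its source address, which is what makes the anti-spoofing rule meaningful.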
|
29
|
- Proxy service
- Software application on a network host that acts as an intermediary
between external and internal networks
- Network host that runs the proxy service is known as a proxy server, or
gateway
|
30
|
|
31
|
- Questions to ask when choosing a firewall:
- Does the firewall support encryption?
- Does the firewall support authentication?
- Does the firewall allow you to manage it centrally and through a
standard interface?
|
32
|
- Questions to ask when choosing a firewall (cont.):
- How easily can you establish rules for access to and from the firewall?
- Does the firewall support filtering at the highest layers of the OSI
Model?
- Does the firewall provide logging and auditing capabilities, or alert
you to intrusions?
- Does the firewall protect the identity of your internal LAN’s addresses
from the outside world?
|
33
|
- Remote access
- Capability for traveling employees, telecommuters, or distant vendors
to access an organization’s private LAN or WAN through specialized
remote access servers
|
34
|
- Important security features for a remote control program:
- Login ID and password requirements for gaining access to the host
system
- Ability for the host system to call back
- Support for data encryption on transmissions between the remote user
and the system
|
35
|
- Important security features for a remote control program (cont.):
- Ability to leave the host system’s screen blank while a remote user
works on it
- The ability to disable the host system’s keyboard and mouse
- Ability to restart the host system when a remote user disconnects from
the system
|
36
|
- Recommended features for a secure remote access server package:
- Login ID and password authentication
- Ability to log all dial-up connections, their resources, and their
connection times
- Ability to perform callbacks to users who initiate connections
- Centralized management of dial-up users and their rights on the network
|
37
|
- Terminal Access Controller Access Control System (TACACS)
- Centralized authentication system for remote access servers that is
similar to RADIUS
|
38
|
- Restrictions that network administrators can use to strengthen the
security of their networks:
- Some user IDs may be valid only during specific hours
- Some user IDs may be restricted to a specific number of hours per day
of logged-in time
- You can specify that user IDs can log in only from certain workstations
or certain areas of the network
- Set a limit on how many unsuccessful login attempts from a single user
ID the server will accept before blocking that ID from even attempting to
log on
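As an added example (not from the textbook or any particular network operating system), the following Python models the four restrictions above as a per-account policy and applies them to a sequence of login attempts: permitted hours, a daily time allowance, a list of permitted workstations, and a lockout after too many failed passwords. The `AccountPolicy` and `AccountState` schemas are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class AccountPolicy:
    """Restrictions an administrator attaches to a user ID (hypothetical schema)."""
    login_hours: tuple = (0, 24)           # allowed if start <= hour < end
    max_hours_per_day: float = 24.0        # cap on logged-in time per day
    workstations: frozenset = frozenset()  # empty = any workstation
    max_failed_logins: int = 5             # lock the ID at this many failures


@dataclass
class AccountState:
    failed_logins: int = 0
    locked: bool = False
    hours_used_today: float = 0.0


def evaluate_login(policy, state, workstation, now, password_ok):
    """Decide one login attempt and update the account state.

    Returns (decision, reason). The restrictions are checked before the
    password so that a locked or out-of-hours ID never gets to try one.
    """
    if state.locked:
        return "deny", "ID locked after too many failed attempts"
    start, end = policy.login_hours
    if not start <= now.hour < end:
        return "deny", "outside the permitted login hours"
    if state.hours_used_today >= policy.max_hours_per_day:
        return "deny", "daily logged-in time exhausted"
    if policy.workstations and workstation not in policy.workstations:
        return "deny", "workstation not permitted for this ID"
    if not password_ok:
        state.failed_logins += 1
        if state.failed_logins >= policy.max_failed_logins:
            state.locked = True
            return "deny", "bad password; ID is now locked"
        return "deny", "bad password"
    state.failed_logins = 0      # a successful login resets the counter
    return "accept", "login permitted"


def run_attempts(policy, attempts):
    """Replay (workstation, ISO timestamp, password_ok) tuples against a fresh ID."""
    state = AccountState()
    return [evaluate_login(policy, state, ws, datetime.fromisoformat(ts), ok)[0]
            for ws, ts, ok in attempts]


if __name__ == "__main__":
    policy = AccountPolicy(login_hours=(8, 18),
                           workstations=frozenset({"WS-01", "WS-02"}),
                           max_failed_logins=3)
    attempts = [("WS-01", "2024-03-04T09:00:00", False)] * 3 \
             + [("WS-01", "2024-03-04T09:01:00", True)]
    print(run_attempts(policy, attempts))  # ['deny', 'deny', 'deny', 'deny']
```

Note that the last attempt in the sample carries the correct password and is still denied: once the failure limit is reached the ID stays blocked until an administrator clears it, which is the point of the slide's last restriction.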
|
39
|
- Use of an algorithm to scramble data into a format that can be read only
by reversing the algorithm
- In order to protect data, encryption provides the following assurances:
- Data were not modified after the sender transmitted them and before the
receiver picked them up
- Data can only be viewed by their intended recipient (or at their
intended destination)
- All of the data received at the intended destination were truly issued
by the stated sender and not forged by an intruder
|
40
|
- The most popular kind of encryption weaves a key (random string of
characters) into the original data’s bits to generate a unique data
block
- The scrambled data block is known as cipher text
- The longer the key, the less easily the cipher text can be decrypted by
an unauthorized system
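To make the last bullet concrete, here is an added Python example (not from the textbook) that weaves a repeating key into a message with XOR, then has an attacker recover the key by exhaustive search using a "crib", a word expected to appear in the plaintext. The cipher is a toy, not DES or AES, and the message, keys and crib are constructed; what the example shows is that every extra byte of key multiplies the search by 256.

```python
import itertools

# Constructed sample message and keys (assumptions for this example).
PLAINTEXT = b"Transfer approved: invoice 4471 paid in full"
KEY_8BIT = bytes([0x5A])
KEY_16BIT = bytes([0x3C, 0xA7])
CRIB = b"invoice"   # a word the attacker expects somewhere in the plaintext


def xor_cipher(data, key):
    """Weave a repeating key into the data's bits (a toy cipher, not DES or AES)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keyspace(key_bytes):
    """Number of distinct keys an exhaustive search must be prepared to try."""
    return 256 ** key_bytes


def brute_force(ciphertext, key_bytes, crib=CRIB):
    """Try every key of the given length until the crib shows up in the output.

    Returns (key, keys_tried), or (None, keys_tried) if no key works.
    """
    tried = 0
    for candidate in itertools.product(range(256), repeat=key_bytes):
        tried += 1
        key = bytes(candidate)
        if crib in xor_cipher(ciphertext, key):
            return key, tried
    return None, tried


def seconds_to_search(key_bits, keys_per_second=1e9):
    """Worst-case time for an attacker who can test keys_per_second keys."""
    return 2 ** key_bits / keys_per_second


if __name__ == "__main__":
    for key in (KEY_8BIT, KEY_16BIT):
        ct = xor_cipher(PLAINTEXT, key)
        found, tried = brute_force(ct, len(key))
        print(f"{8 * len(key)}-bit key recovered after {tried} of {keyspace(len(key))} keys")
    print(f"56-bit key at 1e9 keys/s: {seconds_to_search(56) / 86400:.1f} days")
```

The 8-bit key falls in at most 256 tries and the 16-bit key in at most 65,536; `seconds_to_search` extrapolates the same arithmetic to longer keys. Key length is only one factor, though: the toy cipher here would also fall to frequency analysis regardless of key length, which is why the slides that follow point to standardised algorithms rather than home-made ones.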
|
41
|
|
42
|
- Private key encryption
- Data are encrypted using a single key that only the sender and receiver
know
- Also known as symmetric encryption
- The most popular private key encryption is the Data Encryption Standard
(DES)
|
43
|
|
44
|
- Public key encryption
- Data are encrypted using two keys
- Also known as asymmetric encryption
- Public-key server
- Freely provides a list of users’ public keys
- Combination of public key and private key is known as key pair
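As an added example (not from the textbook), the following Python builds two key pairs from small primes and shows the three things the slide describes: a public key anyone may use to encrypt, a private key that alone can decrypt, and a key server that simply hands out the public halves. The primes are far too small for real use (the 61/53 pair is a textbook-sized demonstration), the `KEY_SERVER` dictionary is a constructed stand-in for a real directory, and signing is included because it is the same key pair used the other way round.

```python
import math


def make_key_pair(p, q, e=17):
    """Build an RSA-style key pair from two primes (toy sizes; real keys use 2048+ bits)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)       # private exponent: modular inverse of e
    return (n, e), (n, d)     # (public key, private key)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt an integer message m < n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of the matching private key recovers m."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m):
    """Used the other way round, the private key proves origin."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m, signature):
    n, e = public_key
    return pow(signature, e, n) == m


# Constructed key pairs and a key server that freely hands out public keys.
ALICE_PUBLIC, ALICE_PRIVATE = make_key_pair(61, 53)
BOB_PUBLIC, BOB_PRIVATE = make_key_pair(67, 71)
KEY_SERVER = {"alice": ALICE_PUBLIC, "bob": BOB_PUBLIC}


def send_to(recipient, m):
    """Look up the recipient's public key on the server and encrypt for them."""
    return encrypt(KEY_SERVER[recipient], m)


if __name__ == "__main__":
    c = send_to("alice", 65)
    print(c, decrypt(ALICE_PRIVATE, c))   # 2790 65
```

The server only ever stores public keys, so compromising it reveals nothing that lets an attacker decrypt; what it can do is lie about whose key is whose, which is the problem digital certificates on the next slide address.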
|
45
|
- Digital certificates
- Password-protected and encrypted file holding an individual’s
identification information
|
46
|
|
47
|
- Cross-platform authentication protocol that uses key encryption to verify
the identity of clients and to securely exchange information once a
client logs on to a system
- The server issuing keys to clients during initial client authentication
is known as a key distribution center (KDC)
- In order to authenticate a client, the KDC runs an authentication
service (AS)
- An AS issues a ticket (temporary set of credentials)
- A Kerberos client, or user, is known as a principal
|
48
|
- Session key
- Issued to both the client and the service by the authentication service;
uniquely identifies their session
- Authenticator
- User’s timestamp encrypted with the session key
- Ticket granting service (TGS)
- Application separate from the AS that also runs on the KDC
- The TGS issues the client a ticket-granting ticket (TGT)
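The two Kerberos slides name the pieces (KDC, AS, TGS, ticket, TGT, session key, authenticator) but not how they fit together, and the earlier slide on encryption assurances lists integrity, confidentiality and authenticity without showing how one construction provides all three. As an added example (not from the textbook or any Kerberos implementation), the following Python walks through a simplified exchange: the AS issues a TGT and a session key, the client proves possession of that key with a timestamp authenticator, the TGS issues a service ticket, and the service checks it the same way. The `seal`/`unseal` helper is a toy encrypt-then-MAC built from SHA-256 and HMAC (constructed for the example; real Kerberos uses standard ciphers), and the principal database with its passwords and keys is constructed.

```python
import hashlib
import hmac
import json
import os
import time


# --- toy sealed-message helper: keystream from SHA-256, tag from HMAC ---------
def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: confidentiality plus an integrity/authenticity tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Reject anything not produced with the same key, or modified since."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity/authenticity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def long_term_key(password):
    """A principal's key derived from its password (toy: a plain hash)."""
    return hashlib.sha256(password.encode()).digest()


# --- constructed KDC database: every principal's long-term key ----------------
KDC_KEYS = {
    "alice": long_term_key("correct horse battery"),   # a user principal
    "krbtgt": os.urandom(32),                          # the TGS's own key
    "fileserver": os.urandom(32),                      # a service's key
}


def issue_ticket(client, target, lifetime=300):
    """AS or TGS: a fresh session key plus a ticket only `target` can open."""
    session_key = os.urandom(32)
    body = {"client": client, "target": target,
            "key": session_key.hex(), "expires": time.time() + lifetime}
    return session_key, seal(KDC_KEYS[target], json.dumps(body).encode())


def authenticator(client, session_key):
    """The client's timestamp encrypted with the session key."""
    return seal(session_key, json.dumps({"client": client, "ts": time.time()}).encode())


def accept_ticket(my_key, ticket, auth, skew=300):
    """TGS or service: open the ticket with our own key, then check the authenticator."""
    t = json.loads(unseal(my_key, ticket))
    if time.time() > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = json.loads(unseal(session_key, auth))   # proves the client holds the session key
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > skew:
        raise ValueError("authenticator does not match ticket")
    return t["client"], session_key


def as_exchange(client):
    """AS reply: a TGT for the TGS, and the session key sealed under the client's key."""
    session_key, tgt = issue_ticket(client, "krbtgt")
    return seal(KDC_KEYS[client], session_key), tgt


def tgs_exchange(tgt, auth, service):
    """TGS reply: a service ticket, and its session key sealed under the TGT session key."""
    client, tgt_session_key = accept_ticket(KDC_KEYS["krbtgt"], tgt, auth)
    svc_key, svc_ticket = issue_ticket(client, service)
    return seal(tgt_session_key, svc_key), svc_ticket


def login_and_use(client, password, service):
    """The whole flow from the client's side; returns the name the service accepted."""
    sealed_key, tgt = as_exchange(client)
    tgt_session_key = unseal(long_term_key(password), sealed_key)  # wrong password fails here
    sealed_svc_key, svc_ticket = tgs_exchange(tgt, authenticator(client, tgt_session_key), service)
    svc_key = unseal(tgt_session_key, sealed_svc_key)
    accepted, _ = accept_ticket(KDC_KEYS[service], svc_ticket, authenticator(client, svc_key))
    return accepted
```

The password never crosses the network: the AS reply is useless to anyone who cannot derive the client's long-term key from it, and the timestamp inside each authenticator is what stops a captured ticket being replayed later. The HMAC tag is also what gives the three assurances from the encryption slide: a modified ticket, a ticket sealed under a different key, or a forged authenticator all fail `unseal` before any field is trusted.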
|
49
|
- Pretty Good Privacy (PGP)
- Public key encryption system that verifies authenticity of an e-mail
sender and encrypts e-mail data in transmission
- Secure Sockets Layer (SSL)
- Method of encrypting TCP/IP transmissions en route between client and
server using public key encryption technology
|
50
|
- HTTPS
- URL prefix indicating a Web page requires its data to be exchanged
between client and server using SSL encryption
- SSL session
- Association between the client and server identified by an agreement on
a specific set of encryption techniques
- Handshake protocol
- Perhaps the most significant protocol within SSL
|
51
|
- Client_hello
- Message issued from the client to the server
- Server_hello
- Message issued from the server to the client
- Transport Layer Security (TLS)
- Version of SSL being standardized by the IETF
|
52
|
- Defines encryption, authentication, and key management for TCP/IP
transmissions
- IPSec accomplishes authentication in two phases:
- Key management
- Key encryption
|
53
|
- Key management
- IPSec relies on Internet Key Exchange (IKE) for its key management
- In IPSec, two types of encryption may be used:
- Authentication header (AH)
- Encapsulation security payload (ESP)
|
54
|
- Point-to-Point Tunneling Protocol (PPTP)
- Expands on PPP by encapsulating it so that any type of PPP data can
traverse the Internet masked as pure IP transmissions
- Tunneling
- Process of encapsulating one protocol to make it appear as another
type of protocol
|
55
|
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)
- Enhanced version of L2F
- Will gradually replace PPTP and L2F
|
56
|
- A hacker is someone who masters the inner workings of operating systems
and utilities in an effort to better understand them
- The root is a highly privileged user ID that has all rights on a system
- Authentication is the process of verifying a user’s validity and
authority on a system
- Every organization should conduct a security audit at least annually and
preferably quarterly
- The first step in securing your network should be to devise and
implement an enterprise-wide security policy
|
57
|
- A firewall is a specialized device that selectively filters or blocks
traffic between networks
- A more sophisticated security technique is necessary to perform user
authentication
- Remote control systems enable a user to connect to a host system on a
network from a distance and use that system’s resources
- Encryption is the use of an algorithm to scramble data into a format
that can be read only by reversing the algorithm
- Virtual private networks (VPNs) are private networks that use public
channels to connect clients and servers
|