Scribd Logo
Upload

Welcome to Scribd!

  • 501 CH 4 Securing Your Network

    Uploaded by

    something
    20 views46 pages

    Original Title

    501 Ch 4 Securing Your Network

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    20 views46 pages

    501 CH 4 Securing Your Network

    Uploaded by

    something

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 46

    Chapter 4

    Securing Your Network

    CompTIA Security+
    Get Certified Get Ahead
    By Darril Gibson

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Introduction
    • Exploring advanced security devices

    • Securing wireless networks

    • Understanding wireless attacks

    • Using VPNs for remote access

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Understanding IDSs and IPSs
    • Intrusion Detection System (IDS)
    – Detective control
    – Attempts to detect attacks after they occur
    • Firewall is a preventive control
    – Attempts to prevent the attacks before they occur.
    • Intrusion Prevent System (IPS)
    – A preventive control
    – Will stop an attack in progress.
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Packet Sniffing
    • Also called protocol analyzer

    • Captures and analyzes network traffic

    • Wireshark – free packet sniffer

    • IDSs and IPSs include packet sniffing


    capabilities
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Host- and Network-Based IDS
    HIDS NIDS
    • Additional software on a • Installed on network
    workstation or server devices, such as routers or
    • Can detect attacks on the firewalls
    local system • Monitors network traffic
    • Protects local resources on • Can detect network-based
    the host such as operating attacks such as smurf
    system files attacks
    • Cannot monitor network • Cannot monitor encrypted
    traffic traffic and cannot monitor
    traffic on individual hosts.
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Sensor and Collector Placement

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    IDS Detection Methods
    Signature-based Heuristic-, behavior-based
    • Also called definition-based • Also called anomaly-based
    • Use a database of • Starts with a performance
    predefined traffic patterns baseline of normal behavior
    (such as CVE list) • IDS compares activity
    • Keep signature files up-to- against this baseline
    date • Alerts on traffic anomalies
    • Most basic form of • Update the baseline if the
    detection environment changes
    • Easiest to implement

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    IDS Considerations
    • Data sources and trends
    • Reporting
    • IDS thresholds
    • False positives
    – Increase administrator’s workload
    • False negatives
    – No report during an incident

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    IDS Responses
    Passive Active
    • Notifies • Notifies
    – Pop-up window • Modifies environment
    – Central monitor – Modify ACLs
    – E-mail – Close processes
    – Page – Divert the attack
    – Text message

    • Counterattacks
    • Don’t do it
    • Attackers are dedicated
    • Attackers have unlimited time
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    IDS vs IPS
    • IPS is a preventive control
    – Can actively monitor data streams
    – Can detect malicious content
    – Can stop attacks in progress

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    IDS vs IPS
    • IPS is placed in line with traffic
    – IDS is out-of-band

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    SSL/TLS Tools
    • SSL/TLS accelerators
    – Offloads encryption services to another hardware
    device
    – Place close server needing the service

    • SSL decryptors
    – Placed in DMZ between users and Internet
    – Allows inspection of content
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Other Tools
    • Honeypots and Honeynets
    – Used to divert an attacker
    – Allow IT administrators an opportunity to observe
    methodologies
    – Can be useful to observe zero day exploits
    • 802.1x port security
    – Provides port-based authentication
    – Prevents rogue devices from connecting

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Securing Wireless Networks
    • WAPS and wireless routers

    – All wireless routers are WAPs

    – Not all WAPs are wireless routers

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Routers

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Fat vs Thin APs
    • Fat AP
    – Also known as stand-alone, intelligent, or
    autonomous AP
    – Includes everything needed to run wireless
    network
    • Thin AP
    – Controller-based AP

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Band Selection and Channel Widths

    IEEE Standard Frequency Band Channel Width


    802.11b 2.4 GHz 22 MHz
    802.11g 2.4 GHz 20 MHz
    802.11n 2.4 GHz and 5 GHz 20 MHz and 40 MHz
    802.11ac 5 GHz 20 MHZ, 40 MHz, 80 MHz, and 160 MHz

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Access Point SSID
    • Network name

    • Change default SSID

    • Disabling SSID broadcast


    – Hides from some devices
    – Does not hide from attackers

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    MAC Filtering

    Demo

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Antennas
    • Antenna types and placement
    • Wireless power and signal strength

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Network Architecture and Zones
    • Wireless
    – Provides wireless devices access to wired networks
    • Guest
    – Typically provides Internet access to guests
    – Rarely gives access to network resources
    • Ad hoc
    – Network between two or more wireless networks
    – As needed

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Cryptographic Protocols
    • WPA – Interim replacement for WEP
    – Deprecated
    • WPA2 – Current standard
    – Provides best security when used with CCMP
    • TKIP
    – Older encryption protocol used with WPA
    • CCMP
    – Based on AES
    – Recommended to be used with WPA2
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Securing Wireless Networks
    • WEP – Don’t use
    – Multiple weaknesses

    • WPA – Interim replacement for WEP


    – Stronger with AES instead of TKIP

    • WPA2 – Current standard


    – Provides best security when used with CCMP
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Wireless Settings
    • PSK vs Open

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Enterprise Mode
    • Adds strong authentication
    • Uses an 802.1X server (implemented as a
    RADIUS server) to add authentication
    – RADIUS server
    – RADIUS port
    – Shared secret Demo
    • Similar to a password

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Enterprise Mode

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Authentication Protocols
    • EAP-TLS • EAP
    – Most secure (compared – Uses pairwise master key
    to other EAP methods) • EAP-FAST
    – Provides mutual – Replaced LEAP
    authentication

    • PEAP
    Requires certificate on
    – Requires certificate on
    802.1x server
    server
    – Requires certificate on
    the clients • EAP-TTLS
    – Requires certificate on
    802.1x server
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Wireless
    • RADIUS federation
    – Provides single sign-on for two or more entities
    – Federation includes multiple 802.1x servers
    – Can use any of the EAP versions

    • Captive Portals
    – Free Internet access
    – Paid Internet access
    – Alternative to IEEE 802.1x
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Wireless Attacks
    • Disassociation attack
    – Removes a wireless client from a wireless network
    • WPS
    – Streamlines process of configuring wireless clients
    • WPS attack
    – Brute force method to discover WPS PIN
    – Reaver

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Attacks
    • Rogue access points
    – Unauthorized AP
    • Evil twins
    – Rogue AP with same SSID as legitimate AP
    • Jamming attack
    – Broadcasts noise or other signals on same
    frequency

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Attacks
    • IV attack
    – Attempts to discover PSK from the IV
    • NFC attack
    – Uses an NFC reader to capture data

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Bluetooth Wireless
    • Bluejacking
    – Unauthorized sending of text messages from a
    Bluetooth device
    • Bluesnarfing
    – Unauthorized access to or theft of information
    from a Bluetooth device
    • Bluebugging
    – Allows an attacker to take over a mobile phone

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Wireless Attacks
    • Wireless replay attacks
    – Captures data
    – Attempts to use to impersonate client

    • RFID attacks
    – Sniffing or eavesdropping
    – Replay
    – DoS
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Misconfigured Access Points
    • Use WPA2 with CCMP

    • Disable WPS

    Demo

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Exploring Remote Access
    • VPNs and VPN concentrators

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Tunneling Protocols
    • IPsec as a tunneling protocol
    – Authentication
    • AH provides authentication &integrity (protocol ID 51)
    – Encryption
    • ESP adds confidentiality (protocol ID 50)
    – Uses tunnel mode for VPNs with IKE over port 500

    • TLS as a tunneling Protocol


    – Useful when VPN go through NAT
    – SSTP uses TLS over port 443
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    VPN Tunnel Comparisons
    • Split tunnel
    – Encrypts only some traffic (such as traffic going to
    private network)

    • Full tunnel
    – Encrypts all traffic from client
    – Can route client traffic through UTM in private
    network for monitoring and protection
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Site-to-Site VPNs
    • Gateways as VPN servers

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Always-On VPNs
    • Site-to-site VPNs

    • Regular VPNs for users

    • Mobile devices

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Network Access Control
    • Health agents
    – Inspects clients for predefined conditions
    – Restricts access of unhealthy clients to a
    remediation network
    – Used for VPN clients
    and internal clients

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    NAC Agents
    • Permanent
    – Installed on client and remains on client
    – Persistent NAC agent
    • Dissolvable
    – Does not stay on client
    – Downloaded to client when session starts
    – Removed during or after session
    – Commonly used for mobile devices
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    Identity and Access Services
    • PAP – Sends passwords in cleartext

    • CHAP – uses shared secret

    • MS-CHAP – replaced by MS-CHAPv2

    • MS-CHAPv2 – provides mutual authentication

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Identity and Access Services
    • RADIUS

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Identity and Access Services
    • TACACS+
    – Cisco alternative to RADIUS
    – Uses TCP port 49
    – Encrypts entire authentication process
    – Uses multiple challenges and responses
    • Diameter
    – Extension of RADIUS
    – Supports EAP
    GetCertifiedGetAhead.com © 2017 YCDA, LLC
    AAA Protocols
    • Provide authentication, authorization, and
    accounting

    – Authentication verifies a user’s identification


    – Authorization provides access
    – Accounting tracks user access with logs

    GetCertifiedGetAhead.com © 2017 YCDA, LLC


    Chapter 4 Summary
    • Exploring advanced security devices

    • Securing wireless networks

    • Understanding wireless attacks

    • Using VPNs for remote access

    • Labs http://gcgapremium.com/501labs/

    GetCertifiedGetAhead.com © 2017 YCDA, LLC

    You might also like