Fundamental Principles of Network Security Transcript


Slide 1
Welcome to the Data Center University™ course on the Fundamental Principles of Network Security.

Slide 2: Welcome
For best viewing results, we recommend that you maximize your browser window now. The screen controls
allow you to navigate through the eLearning experience. Using your browser controls may disrupt the
normal play of the course. Click the attachments link to download supplemental information for this course.
Click the Notes tab to read a transcript of the narration.

Slide 3: Objectives
At the completion of this course, you will be able to:
Recognize the major contributors to security problems
Explain basic principles of security protection
Describe the purpose of firewalls
Identify basic network host security
Define various protocols
Utilize best practices for network security

Slide 4: Introduction
Security incidents are rising at an alarming rate every year. As the complexity of threats increases, so do the
security measures required to protect networks. Data center operators, network administrators, and other
data center professionals need to understand the basics of security in order to safely deploy and manage
the networks of today. This course addresses the fundamentals of secure networking systems, including
firewalls, network topology and secure protocols. We will also look at best practices and introduce
some of the more critical aspects of securing a network.

Fundamental Principles of Network Security Page |1

© 2013 Schneider Electric. All rights reserved. All trademarks provided are the property of their respective owners.
Slide 5: Introduction
Here we see the steep rise in security incidents occurring each year, as reported to the CERT® Coordination
Center, which is a center of Internet security expertise.

Securing the modern business network and IT infrastructure demands a global approach and a firm
understanding of vulnerabilities and associated protective measures. While such knowledge cannot thwart
all attempts at system attack, it can empower network engineers to eliminate certain general problems,
greatly reduce potential damages, and quickly detect breaches. With the ever-increasing number and
complexity of attacks, vigilant approaches to security in both large and small enterprises are a must.

How do security issues arise? Let’s talk about the contributors to security problems. The first topic we will
discuss is human error.

Slide 6: Contributors to Security Issues
People are the weakest link in any security plan. Most people are not careful about keeping secrets, such as
passwords and access codes, which form the basis of most secure systems. All security systems rely on a
set of measures employed to control access, verify identity, and protect sensitive information from disclosure.
These measures usually involve one or more secrets. Should this confidential information be revealed or
stolen, the systems protected by it can be compromised.

Most systems are compromised in very basic ways. Leaving a piece of paper with a system password
beside a computer monitor may seem illogical, but many people, in fact, do just this.

Another example is the tendency to leave factory default passwords in place on network devices. One such
device might be the network management interface of a UPS. UPS systems, from small units to those large
enough to power 100 servers, are often overlooked in a security scheme. If such devices are left with default
user names and passwords, it is only a matter of time before someone gains access knowing nothing
more than the device type and its published default credentials.

Now let’s discuss the next topic that can be a contributor to security problems, the cost to the enterprise.

Slide 7: Contributors to Security Issues


A secure enterprise, big or small, should have an approach to security that is comprehensive and end-to-
end if it is to be effective. Some organizations do not have such policies and practices in place. There are
some good reasons for this; security clearly comes at a cost. This cost can be measured not just in dollars,
but also in complexity, time and efficiency. To make the environment as secure as possible, it is necessary
to invest in it, and perform more procedures to ensure it.

The reality is that comprehensive security programs are difficult to achieve. It is usually necessary to choose a
scheme that has a known cost and an understood amount of security coverage. (This is almost always
less than "comprehensive and end to end".) The point here is to make educated decisions for each aspect
of an overall system, and to consciously apply more or less protection in a calculated fashion. If a data center
manager knows which areas are less protected, they can at least monitor those areas to detect problems
or breaches.

Data center operators should:
• Know the network
• Understand the different threats
• Take steps to ensure physical security
• Protect network boundaries with firewalls

Slide 8: Basics of Security Protection


All data center professionals need to have a clear understanding of what they want to protect.

Organizations of any size should have a documented set of resources, assets and systems. Each of these
elements should be assigned a relative value reflecting its importance to the organization.
Examples of things that should be considered are servers, workstations, storage systems, routers, switches,
hubs, network and telco links, and any other network elements such as printers, UPS systems and HVAC
systems. Other important aspects of this task include documenting equipment location and any notes on
dependencies. For instance, most computers rely on power backup systems such as UPSs, which
may themselves be part of the network if they are managed. Environmental equipment such as HVAC units
and air purifiers may also be present.

Slide 9: Basics of Security Protection


The next step is to identify the potential threats to each of these elements as shown here.

Threats can come from both internal and external sources. They may be human-based, automated, or even
unintentional natural phenomena. The latter might more appropriately be categorized as system health
threats rather than security threats, but one issue can lead to the other. A power outage could be
intentional or the result of a natural event such as a lightning strike; in either case security is diminished.

Slide 10: Basics of Security Protection


Most experts would agree that all security starts with physical security. Controlling physical access to
machines and network attachment points is perhaps more critical than any other aspect of security. Any type of
physical access to an internal site creates a major exposure. Secure files, passwords, certificates
and other data can usually be obtained if physical access is possible. Fortunately there are all sorts of
access control devices and secure cabinets that can help with this problem.

Slide 11: Basics of Security Protection


The next most important aspect is controlling digital access into, and out of, the organization's
network. In most cases, this means controlling the points of connectivity to the outside world, typically the
Internet. Almost every medium and large-scale company has a presence on the Internet and an
organizational network connected to it, and the number of smaller companies and homes with full-time
Internet connectivity keeps growing. Partitioning the boundary between the outside Internet and
the internal intranet is a critical piece of security. The internal intranet is referred to as the "trusted" side and
the external Internet as the "untrusted" side. This generalization, however, is not thorough enough to provide a
true security architecture for the staff tasked with managing data centers.

Next, let’s discuss firewalls.

Slide 12: Firewalls


A firewall is a controlled barrier that regulates network traffic into, and out of, an organizational intranet.

Firewalls are essentially application-specific routers. They run on dedicated embedded systems, such as an
Internet appliance, or as software on a general-purpose server platform. In most cases,
these systems have two network interfaces, one for the external network, such as the Internet, and one
for the internal intranet side. The firewall process tightly controls what is allowed to traverse from one
side to the other. Firewalls range from fairly simple to very complex. As with most aspects of
security, deciding what type of firewall to use depends on factors such as traffic levels, the services
needing protection, and the complexity of the rules required. The greater the number of services that must
traverse the firewall, the more complex the requirement becomes. The fundamental difficulty for a firewall is
distinguishing legitimate from illegitimate traffic.

If firewalls are configured correctly, they can be a reasonable form of protection from external threats,
including some denial of service (DoS) attacks. If configured incorrectly, they can themselves become major security
holes in an organization. The most basic protection a firewall provides is the ability to block network traffic to
certain destinations, meaning both IP addresses and particular network service ports. A site that wishes
to provide external access to a web server can restrict all inbound traffic to port 80, the standard HTTP port.
Usually this restriction is applied only to traffic originating from the untrusted side; traffic from the
trusted side is typically left unrestricted. All other traffic, such as mail, FTP and SNMP, would not be allowed across
the firewall and into the intranet.

Slide 13: Firewalls


An even simpler case is the firewall built into the cable or DSL routers used by homes and small businesses.
Typically these firewalls are set up to refuse all external access and only allow connections originating from the
inside. It is important to note that in neither of these cases is the firewall actually blocking all traffic from the
outside; if that were the case, how could the user browse the web and retrieve pages? What the firewall is
doing is refusing connection requests from the outside. All connection requests from the inside are passed
to the outside, as is the subsequent data transfer on those connections. From the exterior, only a connection
request to the web server is allowed to complete and pass data; all others are blocked.

Slide 14: Firewalls


More capable firewalls use what is called stateful inspection. Rather than judging each packet in isolation by its
addresses and ports, a stateful firewall keeps a table of the connections it has admitted and lets a packet through
only if it belongs to one of them, or if it is a legitimate new connection request to a permitted service. This is what
lets reply traffic for connections opened from the inside pass without opening those ports to everyone, and it is
also how the firewall rejects spoofed packets that claim to belong to a connection it never saw start and throttles
some denial of service patterns. The more state the firewall must track and the more complex the rules, the
greater the computing power required.
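As an added example (not part of the course material), the following Python simulation contrasts the port-only filter of slide 12 with the stateful inspection just described. The trusted network, the web server and the outside addresses are constructed for the example (documentation address ranges), and the five packets are a constructed scenario that walks through the cases above: an outsider reaching the web server, an outsider probing SSH, an insider browsing out, the reply to that browser, and a spoofed packet pretending to be mid-connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A simplified packet header: only the fields a filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False   # TCP connection request
    ack: bool = False   # set on every TCP packet after the first


def stateless_port_filter(pkt, trusted_net, allowed_inbound):
    """Slide 12 style rule set: look only at direction and destination port.

    Anything from the trusted side passes; from the untrusted side only
    traffic to explicitly allowed service ports passes.
    """
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(trusted_net):
        return "ACCEPT"
    return "ACCEPT" if (pkt.proto, pkt.dport) in allowed_inbound else "DROP"


class StatefulFirewall:
    """Stateful inspection: remember admitted connections, let their packets
    through in both directions, and drop mid-stream packets that match no
    known connection (spoofed or stale)."""

    def __init__(self, trusted_net, allowed_inbound):
        self.trusted = ipaddress.ip_network(trusted_net)
        self.allowed_inbound = set(allowed_inbound)
        self.table = set()  # (proto, initiator, iport, responder, rport)

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reply_key in self.table:
            return "ACCEPT"  # belongs to a connection already admitted
        is_new = (pkt.syn and not pkt.ack) if pkt.proto == "tcp" else True
        if not is_new:
            return "DROP"  # claims to be mid-connection, but we never saw it start
        from_inside = ipaddress.ip_address(pkt.src) in self.trusted
        if from_inside or (pkt.proto, pkt.dport) in self.allowed_inbound:
            self.table.add(key)
            return "ACCEPT"
        return "DROP"


# Constructed traffic: 10.0.0.0/8 is the trusted intranet and 10.0.0.80 its
# public web server; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
TRUSTED_NET = "10.0.0.0/8"
ALLOWED_INBOUND = {("tcp", 80)}
SCENARIO = [
    Packet("198.51.100.7", 40000, "10.0.0.80", 80, syn=True),           # outsider -> web server
    Packet("198.51.100.7", 40001, "10.0.0.80", 22, syn=True),           # outsider -> SSH
    Packet("10.0.0.5", 51000, "203.0.113.9", 443, syn=True),            # insider browses out
    Packet("203.0.113.9", 443, "10.0.0.5", 51000, syn=True, ack=True),  # reply to that browser
    Packet("203.0.113.9", 443, "10.0.0.6", 51000, ack=True),            # spoofed "established" packet
]


def run_scenario():
    """Return the decisions of the stateful and the stateless filter, in packet order."""
    fw = StatefulFirewall(TRUSTED_NET, ALLOWED_INBOUND)
    stateful = [fw.filter(p) for p in SCENARIO]
    stateless = [stateless_port_filter(p, TRUSTED_NET, ALLOWED_INBOUND) for p in SCENARIO]
    return stateful, stateless


if __name__ == "__main__":
    for pkt, s, n in zip(SCENARIO, *run_scenario()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateful={s}  stateless={n}")
```

The fourth packet is the situation slide 13 asks about: the port-only filter drops the reply to the insider's own web request, and the only stateless way around that is to open every high port to inbound packets carrying the ACK flag, which the fifth, spoofed packet shows is trivially abused. The stateful filter accepts the reply because it recorded the outbound request, and drops the spoof because no such connection was ever started.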

One problem most organizations face is how to enable legitimate access to public services such as web, FTP
and e-mail while maintaining tight security of the intranet. The typical approach is to form what is known as a
DMZ (demilitarized zone). In this architecture there are two firewalls: one between the external network and
the DMZ, and another between the DMZ and the internal network. All public servers are placed in the DMZ.
With this setup, the outer firewall's rules can allow public access to the public servers while the interior
firewall restricts all incoming connections, so a compromised public server still has no direct path into the
intranet. By having the DMZ, the public servers are also given more protection than if they were placed
outside a single firewall. Here we can see how a DMZ is used.

Slide 15: Workstation Firewalls
There is an important network security factor that most people are only now becoming aware of: every node
or workstation on a network is a potential security hole. In the past, attention was paid mainly to
firewalls and servers; however, with the advent of the web and the proliferation of new classes of nodes
such as Internet appliances, there are several more dimensions to protecting networks.

Worms hijack computers and use them both to spread themselves further and, sometimes, to harm
systems. Many of these worms would be stopped or greatly hindered if organizations kept their internal
systems more locked down. Workstation firewall products can block all port access into and out
of individual hosts that is not part of the host's normal needs. Additionally, firewall rules on the internal
side that block suspicious outbound connections can help prevent worms spreading back out of
the organization. Between the two, both internal and external replication can be reduced. As a rule,
every system should block all ports that are not required for use.

Now that we have discussed firewalls, let’s move on to our next topic, basic network host security.

Slide 16: Basic network Host Security


Many network devices and computer hosts start network services by default, and each of these services
is a potential opportunity for attackers, worms and Trojans. Very often not all of these default services are
needed. Locking down ports by turning off unneeded services reduces this exposure. As we discussed while
learning about firewalls, desktops and servers can run basic firewall software to block access to
unnecessary TCP/UDP ports on the host or to restrict access to certain hosts. This practice is important for internal
protection when the outer defenses have been breached. There are many desktop firewall software
packages available that do a good job of protecting hosts; Microsoft, for example, has bundled a basic
firewall with Windows since Windows XP Service Pack 2.

Slide 17: Basic Network Host Security
Poor username and password management is a typical problem in most enterprise networks. While
sophisticated, centralized authentication systems can help reduce problems, there are basic guidelines that,
if followed, help tremendously.

Four basic rules that need to be followed for user names and passwords:
1. Do not use obvious passwords such as a spouse's name, a favorite sports team, etc.
2. Use longer passwords that mix in numbers or symbols
3. Change passwords on a regular basis
4. Never leave default credentials in network equipment

Unless computers or equipment have built-in policies that can enforce these concepts, these rules
must be self-enforced. Default credentials, at least, can be tested for: a network probe that tries each device
type's published default credentials against the management interfaces it finds will flag equipment that still
accepts them.

Slide 18: Basic Network Host Security


Since data networks cannot always be assumed to be protected from intrusion, protocols
have been created to increase the security of attached network devices. In general there are two separate
concerns: authentication, and non-disclosure (confidentiality), which is provided by encryption. A variety of
schemes and protocols address these two requirements in secure systems and communication. We'll
discuss the basics of authentication first and then talk about encryption.

Slide 19: Basic Network Host Security


Authentication is the act of verifying the identity of a user. When an individual is registered as a user of a
system, they are issued a particular access profile.

Authentication is necessary for controlling access to network elements, in particular network infrastructure
devices. Two related concerns are involved: general access authentication and functional authorization.

General access is the means to control whether or not a particular user has any access right to the
element in question. Usually this takes the form of a user account.

Authorization is concerned with individual user rights: what can a user do once authenticated?
Can they configure the device, or only view data?

Let’s take a look at a summary of the major authentication protocols, their features, and their relevant
applications.

Slide 20: Basic Network Host Security


Restricting access to devices is one of the most important aspects of securing a network. Since
infrastructure devices support both the network and the computing equipment on it, compromising an
infrastructure device can potentially bring down an entire network and its resources. Paradoxically, many IT
departments go to great pains to protect servers, institute firewalls and secure access mechanisms,
but leave basic infrastructure devices with rudimentary security.

All devices should require user name and password authentication using, as a minimum, ten mixed
alphanumeric characters and symbols. Users should be restricted in both number and type of authorization.
Passwords should also be changed with some reasonable frequency, perhaps every three months, and
whenever an employee leaves if group passwords are used.
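The rules from slide 17 and the minimums just given (ten mixed characters, a three-month change cycle, no default credentials) are mechanical enough to audit. The following Python script is an added example, not part of the course, that runs such an audit over a device inventory. The device inventory, the table of factory default credentials per device type, the list of "obvious" words and the audit date are all constructed for the example; in practice the defaults table comes from each vendor's documentation and the word list from a breached-password list.

```python
from datetime import date

# Constructed tables for the example (not from the course or any vendor).
FACTORY_DEFAULTS = {
    "ups-nmc": {("admin", "admin")},
    "switch": {("admin", "password"), ("admin", "")},
    "hvac-controller": {("service", "service")},
}
OBVIOUS_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "lakers", "summer"}
MIN_LENGTH = 10      # slide 20: at least ten mixed characters
MAX_AGE_DAYS = 90    # slide 20: change roughly every three months


def password_findings(password, last_changed, today):
    """Check one password against rules 1 to 3 of slide 17 and the slide 20 minimums.
    Returns a list of finding codes, empty if the password passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("TOO_SHORT")
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:  # want at least three of lower, upper, digit, symbol
        findings.append("LOW_COMPLEXITY")
    lowered = password.lower()
    if any(word in lowered for word in OBVIOUS_WORDS):
        findings.append("OBVIOUS_WORD")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("STALE")
    return findings


def audit_inventory(inventory, today):
    """Rule 4 (default credentials) plus the password checks, for every device.
    Returns {device name: [finding codes]}."""
    report = {}
    for dev in inventory:
        findings = []
        if (dev["username"], dev["password"]) in FACTORY_DEFAULTS.get(dev["type"], set()):
            findings.append("DEFAULT_CREDENTIALS")
        findings += password_findings(dev["password"], dev["last_changed"], today)
        report[dev["name"]] = findings
    return report


# Constructed inventory; in practice this comes from the asset list of slide 8.
INVENTORY = [
    {"name": "ups-rack1", "type": "ups-nmc", "username": "admin",
     "password": "admin", "last_changed": date(2013, 5, 30)},
    {"name": "switch-core", "type": "switch", "username": "netops",
     "password": "Vv7#kq2!Lp9m", "last_changed": date(2012, 11, 1)},
    {"name": "hvac-1", "type": "hvac-controller", "username": "svc",
     "password": "Lakers2013!", "last_changed": date(2013, 5, 20)},
]
AUDIT_DATE = date(2013, 6, 1)


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{name:12} {', '.join(findings) or 'OK'}")
```

The UPS card is the slide 6 case: still on its factory credentials, which also fail three of the password rules. The core switch has a strong password that has simply not been rotated, and the HVAC controller's password is long and mixed but built on a sports team, which is exactly what rule 1 warns against. The course's "network probe" would instead try the FACTORY_DEFAULTS pairs against each management interface it discovers; this script audits the recorded inventory, which catches the same devices without touching the network.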

Slide 21: Basic Network Host Security


Centralized authentication methods are effective when either many users need access to devices or many
devices are in the network. Traditionally, centralized authentication was used to solve the problem of a large
number of users, and the most common case was remote network access. In remote access systems such as
dial-up RAS, administering users on the RAS network units was difficult: any user of the network could attempt
to use any of the existing RAS access points, and placing all user information in all RAS units and then keeping
that information up to date turned out to be administratively impossible.

Slide 22: Basic Network Host Security
Here we see a Windows domain controller operating as both an Active Directory server and a RADIUS
server, so that network elements can authenticate users against an Active Directory domain.

Centralized authentication systems such as RADIUS and Kerberos solved this problem by keeping user
account information in a central store that the RAS units, or other types of equipment, query securely. These
centralized schemes allow information to be stored in one place instead of many. Instead of having
to manage users on many devices, a single point of user management is used. If user information
needs to be changed, such as a new password, one simple task accomplishes it. If a user leaves,
deleting the user account removes access to all equipment that uses centralized authentication. A typical
problem with non-centralized authentication in larger networks is remembering to delete accounts in all
places. Centralized authentication systems such as RADIUS can usually be integrated seamlessly with
other user account management schemes such as Microsoft's Active Directory or LDAP directories. The
network devices do not talk to these directories themselves; the directories serve as centralized account
storage. Most RADIUS servers communicate with RAS or other network devices in the normal RADIUS protocol
and then securely look up account information stored in the directories. This is exactly what Microsoft's IAS
(Internet Authentication Service) server does to bridge RADIUS and Active Directory. This approach means
that not only is centralized authentication provided for the users of RAS and devices, but the
account information is also unified with the Microsoft domain accounts.
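To make concrete what "query securely" means for the RADIUS exchange between a device (the NAS, such as a RAS unit or a UPS management card) and the server, here is an added Python example, not part of the course, that builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 specifies, has a server check it against a central account store and answer with an Access-Accept or Access-Reject, and has the device verify the Response Authenticator so it cannot be fooled by a forged reply. The user names, passwords and the shared secret are constructed; the in-memory dictionary stands in for the directory lookup described above.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865


def _attribute(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _parse_attributes(data):
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block of the NUL-padded password
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """What the NAS (RAS unit, UPS card, switch) sends to the RADIUS server."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = _attribute(USER_NAME, username)
    attrs += _attribute(USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def server_respond(request, secret, user_db):
    """The RADIUS server: recover the password, check it against the central
    account store, and answer with a Response Authenticator the NAS can verify."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    request_authenticator = request[4:20]
    attrs = _parse_attributes(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_authenticator)
    expected = user_db.get(attrs[USER_NAME], b"")
    code = ACCESS_ACCEPT if expected and hmac.compare_digest(password, expected) else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + secret).digest()
    return header + response_authenticator


def client_verify(response, request, secret):
    """NAS side: accept the answer only if it matches our request and was
    computed with the shared secret. Returns the code, or None if forged."""
    _, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return response[0]


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed
    users = {b"alice": b"Tr0ub4dor&3x"}             # stands in for the directory
    req = build_access_request(7, b"alice", b"Tr0ub4dor&3x", secret)
    print("accept" if client_verify(server_respond(req, secret, users), req, secret) == ACCESS_ACCEPT else "reject")
```

Two caveats a practitioner should take from this. The password hiding is MD5 keystream under a static secret and the response is only authenticated, not encrypted, so on an untrusted network RADIUS should be carried inside IPsec or RadSec (RADIUS over TLS), and requests should carry the Message-Authenticator attribute of RFC 2869 in addition to what is shown here. And because the server must recover the cleartext password to check it, the account store must support that form of comparison, which is one reason the RADIUS server is integrated with the directory rather than given a copy of password hashes.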

Slide 23: Basic Network Host Security


In some cases, it is important to be concerned about disclosing information that is exchanged between
network elements, computers or systems. Certainly it is not desirable that an attacker could access a bank
account that is not his or capture personal information that may be transmitted over a network.

To avoid data disclosure over a network, encryption methods must be employed that make the transmitted
data unreadable to someone who might somehow capture the data as it traverses a network. There are
many methods to encrypt data.

With respect to network devices such as UPS systems, the concern is not traditionally about the value of
protecting data such as UPS voltages and power strip currents; however, there is a concern with controlling
access to these elements.

Slide 24: Basic Network Host Security


The non-disclosure of authentication credentials such as usernames and passwords is critical in any system
where access is done over non-secure networks, the Internet for example. Even within an organization's
private network, protecting these credentials is a best practice. Although still less common, many
organizations are starting to implement policies that all management traffic, not just authentication
credentials, must be secured (encrypted).

In either case, some form of cryptography must be employed. Encryption combines plaintext data (the
input) with a secret key using a particular encryption algorithm (e.g. AES; the older 3DES is now being retired) to
produce ciphertext (the output). Without the secret key, neither a user nor a computer can convert the
ciphertext back to plaintext. This basic methodology is at the core of all of the secure protocols.

Let’s talk a little more about cryptographic systems.

Slide 25: Basic Network Host Security


Another basic building block of cryptographic systems is the hash. Hash methods take some plaintext input,
and perhaps a key as well, and compute a large number called a hash. This number has a fixed length (in
bits) regardless of the size of the input. Unlike encryption, which is reversible (the key takes you back to the
plaintext), hashes are one way: it is not computationally feasible to go from a hash back to the plaintext.
Hashes are used as identifiers in various protocols because they provide a check on data similar to a CRC
(cyclic redundancy check) on a disk file, detecting alteration. Used this way, hashes provide data
authentication (which is different from user authentication). One caveat matters here: a plain, unkeyed hash
only detects accidental corruption, because anyone who can alter data in transit can just as easily recompute
the hash for the altered data. To detect deliberate alteration the hash must be keyed (an HMAC) or otherwise
protected, for example by being signed or sent over an authenticated channel. Then any person trying to
secretly alter data in transit across a network will be unable to produce a matching value, and the alteration
is detected.
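The following Python example, added here and not part of the course, demonstrates the distinction just made: the fixed-length property of a hash, why a bare SHA-256 fingerprint does not stop an on-path attacker, and why an HMAC under a key the attacker lacks does. The message, the tampered message and the key are constructed.

```python
import hashlib
import hmac


def fingerprint(data):
    """Unkeyed hash: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key, data):
    """Keyed hash (HMAC-SHA256): only holders of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, received):
    # Constant-time compare, so an attacker cannot learn the tag byte by byte.
    return hmac.compare_digest(mac(key, data), received)


def run_demo(key):
    """Send a message two ways while an on-path attacker rewrites it each time.
    Returns which checks pass, so the outcome can be inspected or tested."""
    original = b"transfer 100 to account 42"   # constructed sample message
    tampered = b"transfer 900 to account 42"

    # 1. Message + SHA-256 fingerprint. Catches accidental corruption, but the
    #    attacker simply recomputes the fingerprint for the altered message and
    #    the receiver's check still passes.
    received_message, received_fingerprint = tampered, fingerprint(tampered)
    unkeyed_check_passes = fingerprint(received_message) == received_fingerprint

    # 2. Message + HMAC under a shared key. The attacker can change the bytes but
    #    cannot produce a tag that verifies, whether by keeping the original tag
    #    or by computing one under a guessed key.
    genuine_tag = mac(key, original)
    keep_old_tag_passes = verify_mac(key, tampered, genuine_tag)
    guessed_key_passes = verify_mac(key, tampered, mac(b"guessed key", tampered))
    genuine_passes = verify_mac(key, original, genuine_tag)

    return {
        "fixed_length": len(fingerprint(b"")) == len(fingerprint(b"x" * 100000)) == 64,
        "unkeyed_tamper_undetected": unkeyed_check_passes,
        "keyed_tamper_old_tag_accepted": keep_old_tag_passes,
        "keyed_tamper_guessed_key_accepted": guessed_key_passes,
        "keyed_genuine_accepted": genuine_passes,
    }


if __name__ == "__main__":
    for name, outcome in run_demo(b"k" * 32).items():
        print(f"{name:36} {outcome}")
```

The first outcome is the property the text describes, the second is the weakness the caveat above warns of, and the remaining three show that a keyed hash gives the data authentication the text wants. This is exactly why protocols such as TLS and SSH carry HMACs (or authenticated-encryption tags) rather than bare hashes alongside their data.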

Slide 26: Basic Network Host Security
Here we see a basic comparison of cryptographic algorithms and their uses.

Next, let’s explore the topic of secure access protocols.

Slide 27: Secure Access Protocols


There are a variety of protocols, such as SSH and SSL, that employ various cryptographic mechanisms to
provide security through authentication and encryption. The level of security provided depends on
elements such as the cryptographic methods used, an attacker's access to the transmitted data,
algorithm key lengths, server and client implementations and, most importantly, the human factor. The most
ingenious crypto scheme is thwarted if a user's access credential, such as a password or certificate, is
obtained by a third party.

Let’s explore SSH and SSL protocols further.

Slide 28: The SSH Protocol
The Secure Shell (SSH) client-server protocol was developed in the mid-1990s to provide a secure
mechanism for accessing computer consoles or shells remotely over unprotected or non-secure networks. The
protocol addresses user and server authentication and provides full encryption of all
traffic exchanged between the client and server. The protocol has two versions, V1 and V2, which differ
in the cryptographic mechanisms provided. V2 is superior in its ability to protect against certain types of
attack; V1 has known weaknesses and should be disabled wherever a device still offers it. (An attack, in this
sense, is an attempt by a non-participating third party to intercept, forge or otherwise alter the exchanged data.)

While SSH has been used as a secure access protocol to computer consoles for years, it has traditionally
been less employed in secondary infrastructure equipment such as UPS and HVAC equipment. However,
since networks and the infrastructure that supports them are becoming more and more critical to the
business practices of enterprises, using such a secure access method for all equipment is becoming more
common.

While SSH has been the common secure protocol for command-line style console access and management,
the Secure Sockets Layer (SSL) and later the Transport Layer Security (TLS) protocol have become the
standard method of securing web traffic and other protocols such as SMTP (mail).

Let’s take an in-depth look at both now.

Slide 29: The SSL/TLS Protocol


TLS is the successor to SSL, and the term SSL is still commonly used interchangeably with TLS; the SSL 2.0
and 3.0 protocol versions themselves are obsolete and should be disabled in favor of TLS 1.2 or later.
SSL and SSH differ mostly in the client and server authentication mechanisms built into the
protocols. Both are IETF standards: TLS is defined in IETF RFCs, and SSH version 2 was standardized by the
IETF as well (RFC 4251 through RFC 4254), although the term "draft standard" is still sometimes heard.

SSL is the secure protocol that protects HTTP web traffic (HTTPS). Browsers such as Netscape and Internet
Explorer support both SSL and TLS. When these protocols are used, the server formally authenticates itself to
the client by presenting a server certificate, which the client must validate against a trusted certificate
authority and against the host name it intended to reach; a client that skips that validation is encrypting its
traffic to whoever answers. Because the SSL session is encrypted, the authentication information
and any data on the web pages is protected in transit. SSL is used on web sites that must be secure for banking
and other commercial purposes, since clients usually access these sites over the public Internet.

Since web-based management of network devices (embedded web servers) has become the most common
method of basic configuration and point user access, protecting this management method is very important.
Enterprises that want all network management done securely, but still want to take advantage of graphical
interfaces such as a web UI, should use SSL-based systems. As mentioned before, SSL can also protect other,
non-HTTP communication. Should non-HTTP device clients be used, these systems should also employ
SSL for their access protocols to ensure security. Using SSL in all of these cases has the further advantage of
using standard protocols with common authentication and encryption schemes.
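What "the client must validate the server certificate" means in practice is a client configuration question, and the usual failure is a management script or tool that disables validation to silence the warning raised by a device's self-signed certificate. The following Python example, added here and not part of the course, builds a hardened TLS client context beside the weakened one, audits a context for those weaknesses, and shows how the hardened context would be used against a device's embedded web server. The host name in the usage function is a parameter; nothing here is the course's own tooling.

```python
import socket
import ssl


def hardened_client_context():
    """Verify the server certificate against the system CA store, check the
    host name against it, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_verification_context():
    """The setting that 'makes the certificate warning go away'. The session is
    still encrypted, but to whoever answers, so an interposed host can read the
    management credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the weaknesses of a client context; empty if none were found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("no TLS version floor (TLS 1.0/1.1 accepted if the library allows)")
    return findings


def fetch_status_line(host, port=443, ctx=None, timeout=5.0):
    """Connect to a device's embedded web server with the given context and
    return the HTTP status line of a HEAD request. Needs network access; with
    the hardened context a self-signed or mismatched certificate raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weakened:", audit_context(disabled_verification_context()))
```

The right fix for a device that ships with a self-signed certificate is not the weakened context but either installing a certificate issued by an internal CA on the device, or loading the device's own certificate into the client context with load_verify_locations so that only that certificate is accepted; either way check_hostname stays on and verify_mode stays CERT_REQUIRED.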

Slide 30: Best Practices of Network Security


Well-thought-out security policies can significantly increase the security of a network. While policies can be
complex and cumbersome or basic and straightforward, it is often the simple aspects that prove most
useful. Consider the combination of a centrally managed anti-virus update system and a host scanner to
detect new or out-of-date systems. While such a system would require setup, central administration and software
deployment capabilities, these are all generally available with modern operating systems. In general,
policies, and ideally automatic enforcement tools, help remove the obvious holes in system security so that IT
professionals can concentrate on the more complex issues.

Let’s examine the criteria that would be included in an enterprise network security policy.

Slide 31: Best Practices of Network Security


A typical enterprise network security policy includes:
• Firewalls at all public-private network transit points
• Version-controlled and centrally deployed firewall rule sets
• External resources placed in dual-firewall, DMZ-protected networks
• All network hosts lock down unneeded network ports and turn off unneeded services
• All network hosts run centrally managed anti-virus software
• All network hosts receive central security updates
• Secure central authentication such as RADIUS or Windows/Kerberos/Active Directory
• Centrally managed user accounts with a password policy (e.g. users must change passwords
every three months, and passwords must meet the "secure password" rules)
• Proactive network scanning for new hosts and out-of-date systems
• Network monitoring for suspicious behavior
• Incident response mechanisms (policies, manual and automated procedures, etc.)

This list represents the key items that data center professionals should have in a policy. There are
potentially other wide reaching items which could be included as well. Of course, it’s always important to
balance factors such as company size, risk analysis, cost and business impact when determining the type
and breadth of a policy. A system analysis is typically a good starting point, followed by the business
analysis. Even very small companies should have some form of security policy, since all networks can be
targets regardless of their size.

Slide 32: Summary


To summarize, let’s review some of the information that we have covered throughout the course.
• With the increased number of threats to networks, security can no longer be viewed as optional
• Securing all equipment is critical to maintaining uptime
• The time spent repairing a network after a virus attack can easily exceed the upfront time needed to
secure an enterprise
• Many options exist to increase the security of the network while reducing the overhead
• Basic practices, such as periodic software updates, locking down all devices and using centralized
authentication and secure access methods, reduce risk
• Institution of appropriate security policies and frequent network audits increases the overall
protection of the network

Slide 33: Thank You!
Thank you for participating in this Data Center University™ course.
