LAN Security Router

Information about LAN Security Router
Published on September 13, 2007

Author: AscotEdu

Source: authorstream.com

LAN Security
Prof. Charles

Topics Covered
- LAN Guidelines
- Controlling End User Access
- Policy-Based Network Management
- Segmenting LAN Traffic
- Honey-pot Systems
- Static IP Addresses vs. DHCP
- Conclusion

LAN Guidelines
- Many of the issues on Operating Systems Security
- Password Guidelines

Controlling End User Access
- Controlling End User Access
  - Passwords
  - When users can access resources
  - Group association
  - File access
  - Resource limitations

Controlling End User Access
- Concurrent Logins
  - Should consider restricting concurrent logins for end users
  - May consider System Administrators
- Save network resources
  - Memory, licenses, hard drive & CPU
- Security
  - Unauthorized use of an account (hacker or co-worker)
  - Forgetting to logout
- Automatic logout & lock screen with inactivity

Controlling End User Access
- Available Disk Space
  - Limited disk space to end users
  - Unlimited disk space:
    - Purchase of additional disk drives
    - Uneven usage of end user disk space
    - Information system crashing due to overuse
- Policy
  - Clean up disk space (sys admin, end user or program)
- Operational Cost
  - Time, personnel & equipment

Controlling End User Access
- Restrictions
  - To specific workstations
    - Restricted area
    - Confidential information & sensitive transactions
  - To specific servers
    - Restricted to system administrator only
    - Computer Center/Room
  - Time/Day
    - During business hours
- Most OS/Information Systems have the capability

Access to Directories and Trustee Rights
- Least Privilege
  - A user, resource or process has no more privileges than necessary to be able to fulfill its functions
- Users should only be given access rights to directories they need to function
- Access should be removed
  - Transferred, temp assignment, leave company
- Trustee rights should be audited

Controlling End User Access
- File Attributes
  - File access should be granted on need: Read, Write, Delete & Execute
  - Confidential, Sensitive, Classified, FOUO
- Operating System Executables
  - Strictly enforced for root-kits/Trojans
  - Tripwire, Hash Functions

Other Privileges
- Network commands & executables should be restricted to system admins
- Consider changing Administrators account
- Do not allow remote network access to admin accounts

Remove Inactive Accounts
- Review network accounts (Policy)
- Remove accounts that are not required
  - Guest, group, anonymous FTP, etc.
- Lock/Delete inactive accounts
  - Hackers like inactive accounts
  - No calls to the help desk for password issues

Single Sign-On
- Many times users need to access many systems during the day to complete tasks
- Multi usernames and passwords
  - Forget information
  - Write down information
  - Create vulnerabilities
- SSO Systems
  - Kerberos
    - User authenticates once, and access to all resources is controlled by the Kerberos Server using tickets and tokens

Single Sign-On
- SSO Systems
  - PKI
    - User uses digital certificates for authentication and network access
- Other approaches
  - Meta-directories
  - LDAP – Lightweight Directory Access Protocol
    - Used to synchronize passwords and user attributes
  - Distributed Computing Environments (DCE)
    - Similar to Kerberos, works well in multi-vendor environment

Policy-Based Network Management
- Policy-Based Network Management is the process of bringing together the properties of various network resources under a central administrative control
- Ideal for organizations with medium to large networks
- Implemented in Windows 2000 with its Active Directory Services (ADS).
Policy-Based Network Management
- Policy-Based Network Management Goals:
  - Simplify network management process
  - Ensure security & integrity through centralized management of the distributed network resources
  - Availability of network resources
  - Priority traffic handling (QoS)
    - Ensure critical information does not contend with FTP and Internet traffic.

Segmenting LAN Traffic
- Ethernet is the most commonly used LAN protocol.
- Any device on a network segment can monitor communications between any other devices on the same network.
- Should segment for security and performance
  - Security
    - Eavesdropping -> Sniffers
  - Performance
    - Hub, collision -> switches

Honey-pot Systems
- Deception systems are components put in place to entice and deceive unauthorized users while or after they have gained access to an information system.
- Honey-pot systems are decoy or lure systems
- Create deception of available services, ports and protocols

Honey-pot Systems
- Honey-pots are usually deployed with IDS
- Two deployment approaches
  - Minefield
    - Grouped with other information systems
  - DMZ
    - Separate network away from production information systems
- The Law
  - Enticement vs. Entrapment

Honey-pot Systems
- Honey-pots are usually deployed with IDS
- Honey-pot products
  - CyberCop
    - Simulate an entire network from one workstation
  - Deception ToolKit
    - Dr. Fred Cohen – www.all.net
    - Deception application
  - Recourse Technologies
    - ManTrap
    - ManHunt
  - HoneyNet Project
    - Default systems

Honey-pot Systems
- HoneyNet Project
  - The Honeynet Project is a non-profit research group of thirty security professionals dedicated to information security.
  - Goal to learn the tools, tactics, and motives of the blackhat community and share these lessons learned.
  - It is hoped that our research will benefit both its members and the security community.
Honey-pot Systems
- HoneyNet Project
  - It is our hope and intent to support the security community in the three following ways.
  - Raise awareness. To raise awareness of the threats and vulnerabilities that exist in the Internet today. We raise awareness by demonstrating real systems that were compromised in the wild by the blackhat community. Many people believe it can't happen to them. We hope to change their mind.
  - Teach and inform. For those in the community who are already aware and concerned, we hope to give you the information to better secure and defend your resources. Historically, intelligence about attackers has been limited to the tools they use. The Project intends on providing additional information, such as their motives in attacking, how they communicate, when they attack systems and their actions after compromising a system.
  - Research. To provide the technology and methods of information gathering. Organizations, such as universities, may be interested in developing their own ability to research threats or adversaries.

Honey-pot Systems
- HoneyNet Project Information
  - http://project.honeynet.org/
  - Lance Spitzner
  - Know your enemy

Static IP Addresses vs. DHCP
- DHCP
  - Enables an automated assignment of IP addresses
- Static IP addresses
  - Each system is individually configured with an IP address

Static IP Addresses vs. DHCP
- DHCP
  - Workstation (DHCP Client) dynamically obtains an IP address from a server (DHCP Server).
  - When logging on
  - Obtain new IP after time
- Static IP Address
  - Administrators assign to a workstation
  - Permanent

Static IP Addresses vs. DHCP
- DHCP Advantages
  - Simple configurations
  - Efficient assignment of IP addresses
  - Ease of administration
- DHCP Disadvantages
  - Temporary IP assignments
  - Hard to ID suspicious systems
  - Unauthorized access
  - Hot ports for connectivity

Static IP Addresses vs. DHCP
- Static IP addressing Advantages
  - Location and identity
- Static IP addressing Disadvantages
  - Administratively intensive
  - New PC roll outs
  - New organization/Mergers

The End
- Questions

Routers & SNMP
Prof. Charles

Topics Covered
- Router Issues
- Risks
- Cisco IOS
- Cisco Secure Integrated Software (SIS)
- Simple Network Management Protocol (SNMP)

Router Issues
- Routers are a critical element of the Internet and corporate networks.
- Routers are network devices
  - Connect two or more networks
  - Operate at level 3 of the OSI Model
  - Control the flow of data packets
  - Determine the best path
  - Separate LAN segments
- First Line of Defense
  - ACLs
  - Packet filtering
  - VPNs

Router Issues
- Routers serve 3 primary purposes:
  - Route network traffic
    - Static routes and routing tables
  - Segment frames for intra-LAN/WAN communications
    - Ethernet to Token Ring / Ethernet to Frame Relay
  - Ability to deny and permit traffic
    - ACLs
    - Protocols, ports and IPs

Risks
- Routers are subjected to the same risks as computers
  - Has OS
  - Configuration weakness (passwords, telnet)
  - Technology weakness (bugs, DoS)
  - Policy weakness (not monitored)
- Incorrectly configured/compromised router
  - Bring down a whole site

Cisco IOS
- Started at Stanford Univ. in ’84
- 80 to 90 percent of market for routers, switches and hubs.
- Majority of products on the Internet and Corp.
- IOS (Internetwork Operating System)
  - Runs on all Cisco routers and other Cisco devices

Cisco IOS
- Examples of how Cisco IOS is similar to a server OS for security
  - Banner or MOTD
  - Multiple password levels and encrypted passwords
    - Default settings not encrypted
  - Show startup or show running commands
    - Configuration details (IP, SNMP & routing info)
- TFTP
  - Way to administer Cisco router
  - Information on an unsecured server can cause problems
    - IP, passwords, etc.
    - Modifications
  - TFTP does not require authentication

Cisco IOS
- CDP (Cisco Discovery Protocol)
  - Gather information about other routers on the network
    - Platform and protocols
  - Hackers can use to further compromise
  - Configuration weakness - Enabled by default, should be disabled on most routers, unless needed.

Cisco Secure Integrated Software (SIS)
- Optional software by Cisco
  - Formerly called Cisco IOS firewall feature set
  - Must be purchased, does not come with standard IOS package
- Secure network perimeter
- Provides secure connections over the Internet
- Can provide
  - Firewall
    - Stateful inspection & application-based filtering
  - IDS
    - Signature-based
  - VPN
    - IPSEC & L2TP
    - Comes with client software

Simple Network Management Protocol (SNMP)
- Developed to allow remote monitoring and management of devices and information systems.
- Can obtain statistics
  - Example page 195, figure 10.3
  - HP OpenView & Cisco REM
- SNMP not secure
  - Clear text information
  - Eavesdropping threat

Simple Network Management Protocol (SNMP)
- SNMP & MRTG
  - MRTG – Multi Router Traffic Grapher
  - Developed by Tobias Oetiker and Dave Rand
  - Using Perl & C
  - Obtained at www.mrtg.org
  - Communications with SNMP
  - To review traffic load
  - Generates web pages and GIF for visual representation
- SNMP provides device management through agents
  - Any SNMP managed device must have an SNMP agent

Simple Network Management Protocol (SNMP)
- SNMP Problem
  - Weak and insecure authentication
    - Community strings pass in clear text
    - Password equivalent
    - Request and Response function uses community strings
  - Many tools to aid hackers
    - SNMP Sniff
      - A SNMP packet sniffer for SNMPv1 & SNMPv2
  - Hacker can
    - Modify and delete router configurations
    - Change routing tables
    - Crash the network
    - Open for all access

Simple Network Management Protocol (SNMP)
- SNMP Countermeasures
  - Use ACLs to limit exposure
  - Never use default community strings
  - Tools to detect SNMP Sniffers
    - SNMPSweep
  - Ex. Pg 198, figure 10.4

Simple Network Management Protocol (SNMP)
- SNMPv2 & SNMPv3
  - When SNMPv1 was designed
    - Security not an issue
    - Security not my problem
    - Became popular for hackers
  - SNMPv2
    - Offers a little more security, but didn’t catch on
  - SNMPv3
    - Will offer greater and better security

Simple Network Management Protocol (SNMP)
- SNMP Hints
  - Limit access to SNMP devices to read-only functionality
    - Prevent unauthorized users from gaining control and causing great damage
  - Send traps information to a syslog server and review as part of your policy
    - Reporting of events
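
The Cisco IOS and SNMP slides above name several configuration weaknesses (default community strings, read-write SNMP access, no ACL on SNMP, CDP left enabled, unencrypted passwords, telnet). The following added example, which is not part of the original presentation, audits an IOS-style configuration for those items; both sample configs are constructed and the check IDs are hypothetical labels.

```python
import re

# Constructed sample configs: strings, ACL 10 and the address are made up.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community n0c-r3ad RO 10
snmp-server community netadmin RW
access-list 10 permit 192.0.2.15
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """\
service password-encryption
no cdp run
snmp-server community n0c-r3ad RO 10
access-list 10 permit 192.0.2.15
line vty 0 4
 transport input ssh
"""

def parse_community(line):
    """Split 'snmp-server community <string> [view <v>] [RO|RW] [<acl>]'."""
    name, *rest = line.split()[2:]
    rest = rest[2:] if rest[:1] == ["view"] else rest
    mode = "RO"  # IOS treats a community with no keyword as read-only
    if rest and rest[0].upper() in ("RO", "RW"):
        mode, rest = rest[0].upper(), rest[1:]
    return name, mode, (rest[0] if rest else None)

def audit_ios_config(text):
    """Return (check_id, detail) findings; check IDs are hypothetical labels."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    for l in lines:
        if l.lower().startswith("snmp-server community "):
            name, mode, acl = parse_community(l)
            if name.lower() in ("public", "private"):  # well-known defaults
                findings.append(("SNMP-DEFAULT-STRING", name))
            if mode == "RW":
                findings.append(("SNMP-READ-WRITE", name))
            if acl is None:
                findings.append(("SNMP-NO-ACL", name))
        elif re.match(r"transport input .*\b(telnet|all)\b", l):
            findings.append(("VTY-TELNET", l))
    if "no cdp run" not in lines:  # CDP is enabled by default
        findings.append(("CDP-ENABLED", "'no cdp run' not set"))
    if "service password-encryption" not in lines:
        findings.append(("PASSWORDS-CLEARTEXT", "service password-encryption not set"))
    return findings
```

Calling audit_ios_config(WEAK_CONFIG) returns seven findings, while audit_ios_config(HARDENED_CONFIG) returns an empty list.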
