IT Infrastructure Security

Revision as of 19:22, 18 March 2009 by Neil (Talk | contribs) (Proxy Service Firewalls)

Revision as of 19:22, 18 March 2009 by Neil (Talk | contribs) (Proxy Service Firewalls)

PreviousTable of ContentsNext
The Basics of Email and Web SecurityIT Media Security Basics


IT security is a multi-discipline subject requiring a number of different skills sets and knowledge areas. A key area of knowledge which is vital for any security specialist is a clear understanding of IT infrastructure and how it relates to the creation of a comprehensive security strategy.

In this chapter of Security+ Essentials we will look at the various components that comprise the IT infrastructure of an organization. Some of these components are specifically designed to provide security (such as firewalls), whilst others a simply necessary to meet the needs of an IT operation (such as routers and switches).

Understanding Firewalls

Much like a firewall in real life protects parts of a buildings from a spreading fire, an IT firewall protects computer systems from the dangers posed by an internet connection. A firewall is essentially a component located between a computer or a network of computers and the internet. The specific purpose of a firewall is to prevent unauthorized access to the computer systems it is configured to protect. Firewalls take the form of software, hardware or a combination of both and are not limited to use by large companies. Any one who owns a computer (including home users) that is connected to the internet for even short periods of time should have a firewall configured.

A good security strategy should consist of multiple layers of protection and in such a scenario, the firewall is typically the first line of defense.

Firewalls fall into three main categories - Packet-filtering, Proxy-service and Stateful-inspection firewalls, each of which will be covered in detail here.

Packet-Filtering Firewalls

Packet-filtering firewalls operate at the Network layer (layer 3) of OSI model are the most basic of firewall types. The concept of packet filtering involves defining which data packets are permitted to pass through the firewall based on a number of criteria. Essentially, filtering can be specified based IP addresses, ports and protocols. It is possible, for example to block any packets originating from a particular IP address (or IP address range), or to block all traffic attempting to enter on port 23 (the Telnet port).

Packet-filtering firewalls are typically built into routers and provide either a command-line to graphical interface for specifying the filtering rules. The defenses provided by such firewalls are considered to be weak since they can only block what IP addresses that an administrator knows in advance are likely to be malicious. They are, however, extremely fast and easy to configure, and provide good first line of defense.


Proxy Service Firewalls

<google>ADSDAQBOX_FLOW</google> A proxy service firewall is placed between the internet and an internal network of computers and acts as a go-between for the two environments. With a proxy service in place, internal client computers do not connect directly to outside resources. Instead they connect to the proxy server which in turn connects with the external resource on behalf of the client, thereby masking the internal IP address of the client. Any response from the external resource is handled by the proxy service and passes them along to the client that originally requested the data.

Under such a scenario no internal system are ever in direct contact with a remote server or service and all internal IP addresses are masked by the proxy server. Proxy servers can also provide caching functions, where web pages which are frequently accessed by internal clients are stored by the server such that they can quickly be supplied when requested by the client leading to faster response times. Proxy service firewalls are available in two basic forms, Circuit-level gateway which works at the Session layer of the OSI model to verify that all sessions are legitimate and Application level-gateway which works at the OSI Application layer to control traffic of particular types (such as HTTP, FTP and SNMP).

Stateful Inspection Firewalls

Stateful-inspection firewalls (also known as dynamic packet filtering firewalls) operate at the OSI Network layer and combine some features of both packet-filtering and proxy server firewalls. A stateful-inspection firewalls not only examines the header information of packets, but also monitors sessions to ensure that they are legitimate and maintains state tables for each connections. Using these state tables, every packet received by the firewall can be viewed within the context of preceding traffic, allowing malicious data to be intercepted and blocked.

Routers

Routers are devices used to connect different network segments and operate at the OSI Network layer. Routers operate by examining each received packet and using algorithms together with routing tables to determine the optimal path for the data to reach its ultimate destination. Routers essentially form the backbone of the internet. Routing tables are either updated manually by an administrator, for configured automatically using a variety of different protocols including Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced Interor Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

Routers also include some security in the form of Access Control Lists (ACLs) which drop packets based on pre-defined rules, stateful-inspection and packet filtering.

Perhaps the biggest potential security risk for routers involves remote access to internal functions and configuration options. Due to their distributed nature all routers provide remote administration features. It is essential, therefore, that strict password conventions are used and that encrypted communications are used when logging into a remote router.

Switches

Most switches operate at the Data Link layer (layer 2) of the OSI model (although newer models are now moving up to the Network Layer) and are the basis of most Ethernet based local networks. Each port on a switch is a separate collision domain making switches much more efficient than Hubs (where all ports are on the same collision domain). Routing is based on the MAC addresses of devices connect to the switch.

As with routers, administrative access to switch devices must be carefully controlled using strict passwords and secure communications protocols during remote access.

Wireless

Starting with wide spread deployment in home networks Wireless Access Points and corresponding wireless network adapters have now begum to appear within business enterprises. This progress has accelerated considerably since the introduction of the N variant of the 802.11 Wi-Fi standard.

Wireless networking introduce a unique set of security threats that must be taken into consideration. First and foremost, the data transmitted over a wireless network is not confined to the cables concealed under floor boards, within wall cavities and false ceilings. Instead the data is quite literally traveling through the air waves. This means that anyone within range of the signal transmissions has the potential to intercept the data. In fact, placing a wireless device behind a firewall essentially renders the firewall impotent. The firewall will only block unwanted intrusion coming into the firewall the physical connection to the internet. Compromising the wireless network from outside the building effectively bypasses the firewall.

A number of techniques are available to provide at least some level of security to wireless networks. One standard is Wired Equivalent Privacy (WEP) which was initially intended to provide a level of security for wireless networks which was at least as secure as a wired network. WEP relies on encryption to prevent the easy interception of wireless data by eavesdroppers. Encryption RC4 based using shared 40-bit or 128-bit encryption keys. Unfortunately both levels of encryption have been proven to be breakable. That said, WEP is better than no protection at all, and if it is your only option be sure to choose the highest level of encryption.

An improved wireless encryption and authentication standard is called Wi-Fi Protected Access (WPA and WPA2). WPA data is encrypted using the RC4 stream cipher, (both 128-bit key and 48-bit) together with keys which dynamically change as the system is operational. WPA is considered to be considerably more secure than the WEP standard.

Most wireless access points also provide MAC address filtering, accepting only data from devics with a MAC address which matches a pre-defined list of trusted devices. Once again the ability to fake the IP address of many systems increases the chances that a rogue system can be made to masquerade as a trusted system.

Just like routers and switches, wireless access points provide support for remote administration. String password selection enforcement and secure communications must always be used when accessing the access point administration interfaces.

DSL and Cable Modems

The word modem comes from the term modulator/demodulator which describes the conversion of digital signals to analog and vice versa. Original modems were used to transfer data between computer systems over analog phone lines. The modem converts the data form the digital form understood by the computer to the analog form required by the phone line. At the receiving end the process is reverse, converting the analog signal back to digital form. Most modems today are actually either Digital Subscriber Line (DSL) or Cable modems. The term modem is now something of a misnomer since no conversion to analog form takes place. The name modem appears to have stuck however. Instead these modems convert the signals used by the DSL or Cable provider into standard Ethernet signals suitable for consumption by network devices.

Both Cable and DSL modems provide continuous broadband connectivity to the internet. This comes with considerable advantages in terms of speed and convenience but also includes the risks inherent in having computers connected to a constantly active internet connection.

Most basic cable and DSL modems provided by phone and cable companies do not contain any kind of firewall, and even if they did it is unlikely the cable and phone companies would trust us with configuring them. It is essential, therefore, that any computers connected either directly to a modem, or connected to a network that is, are protected by at least a firewall. This can be achieved either by installing a modem which contains a firewall or, vene better, installing a router containing a firewall between the modem and the internal network.

Remote Access Service (RAS)

Remote Access Service (RAS) is a feature of Microsoft Windows which provides access over a dial-up connection between a client and a server. Once a remote client has gained access to the server through a serious of authentication and authorization protocols the client has the equivalent functionality of a direct network connection to the server. For added security the RAS configuration can also be configured to only allow access after it has called back to an approved telephone number to complete the connection to the client.

RAS servers should be considered to be insecure and ideally placed in a DMZ so that malicious activity via the server can be blocked by the inner DMZ firewall.

Telecom/PBX

Private Branch Exchanges (PBXs) extend the public telephone network into company office buildings and for somne time have been a popular target for hackers. With the increase of more configurable systems and the growth of Voice Over IP (VoIP) these PBX systems have increasing been integrated into the overall enterprise IT infrastructure making them a potential weak link in the security chain. This threat is best addressed by installing firewalls specifically designed to protect both data and phone based systems.

Another common exploit of PBXs involves phone hackers (also known as phreakers) hacking into the system and using it to make expensive international calls at the company's expense. These kinds of attacks may also be blocked using sepcialized firewalls. In fact, such firewalls allows rules to be specified to control such issues as long distance access at certain hours of the day, or to require access codes to be entered by users before making international or long distance calls.

Virtual Private Networks (VPN)

A virtual private network is a mechanism by which secure remote access is provided between a client and server over a public network (typically the internet). A number of methods can be used to deploy VPN connections and these were covered in detail in the chapter entitled Understanding Communications Security. VPNs use the concept of encryption to prevent confidential information falling into the wrong hands. Encryption either involves encrypting the data contained in IP packets and sending them to the destination where the data is decrypted, or encrypting the entire packet, wrapping it in another packets and sending that to the destination ( a concept known as tunneling) thereby concealing the identity of the sending and receiving parties.

Intrusion Detection Systems (IDSs)

Intrusion Detection Systems (IDSs) are designed to analyze network data or host activity in real-time and identify and respond to unauthorized activities when they are detected.

The two types of IDS available are host-based and network based intrusion detection:

  • Network-based Intrusion Detection - This type of IDS monitors the flow of data packets on a network and identifies packets which have slipped through the firewall. Packets are compared against databases of known attack signatures and the communication blocked if a match is found. Network based IDS has a couple of shortcomings. Firstly, an IDS can only monitor one segment of a network, raising the possibility that unauthorized traffic may be missed by the system. To avoid this problem Network based IDSs are typically placed at the point of entry to a network such as just inside or just outside the firewall. A second problem is that an IDS is only has good as the signature database on which it relies. Unfortately, not all threats can be identified by a specific signature leading to the possibility of attacks being missed.
  • Host-based Intrusion Detection - Host based intrusion detection involves running agents on all servers on a network which serve to gather usage and performance data such as disk and file access, CPU utilization and user activities. This data is transfered to the IDS where it is gathered and analyzed to identify activity patterns which are known to be associated with unauthorized activity. Such system can also detect when activity deviates considerably from the normal baseline activity levels. When a problem is detected an administrator is alerted so that it may be investigated. Host based IDSs work well on small networks but generally have difficulty scaling up to larger enterprises.

Network Monitoring and Diagnostics

A wide range of tools are available for the purposes of monitoring networks and diagnosing problems. Such tools include ping, traceroute, nslookup, netstat and ifconfig/ipconfig. These tools all when to diagnose if a problem exists on a network and, if so, where the problem might exist.

Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) operates at the Application layer of the OSI model and designed to collect statistics from devices connected to a TCP/IP network. The SNMP infrastructure contains a suite of three components consisting of the SNMP managed node, SNMP agent and the SNMP network management station.

The SNMP agent runs on network devices and transmits data to the management station. SNMP version 1 was considered insecure but later versions (2 and 3) have introduction greater levels of authentication (version 2, for example uses MD5 for authentication).



PreviousTable of ContentsNext
The Basics of Email and Web SecurityIT Media Security Basics