CompTIA Network +
Chapter 12
Securing a Network
Objectives
 What are the goals of network security, and what sorts of
attacks do you need to defend against?
 What best practices can be implemented to defend
against security threats?
 What are the characteristics of various remote-access
security technologies?
Objectives
 How can firewalls be used to protect an organization’s
internal network, while allowing connectivity to an
untrusted network, such as the Internet?
 How can virtual private networks (VPN) be used to
secure traffic as that traffic flows over an untrusted
network?
 What is the difference between intrusion prevention
and intrusion detection systems, and how do they
protect an organization from common security threats?
Securing a Network
 Today’s networks are increasingly dependent on
connectivity with other networks.
 However, connecting an organization’s trusted
network to untrusted networks, such as the
Internet, introduces security risks.
 To protect your organization’s data from
malicious users, you need to understand the
types of threats against which you might have to
defend.
 For most of today’s corporate networks, the
demands of e-commerce and customer contact
require connectivity between internal corporate
networks and the outside world.
 All networks require network security
Security Fundamentals
 Confidentiality – keeping the data private
 Integrity – ensures that data has not been
modified
 Availability – the data is accessible when
needed
Three Primary Goals of Network Security
Figure: Data – Confidentiality, Integrity, Availability (C I A)
Security Fundamentals
 Confidentiality can be provided by encryption.
 Encryption has two basic forms:
 Symmetric encryption -- implies that the same key
is used by both the sender and receiver to encrypt
and decrypt a packet.
 DES is an old, insecure protocol
 3DES and AES are much better
 Asymmetric encryption -- uses different keys for
the sender and receiver of a packet
 RSA is the most common system, used by HTTPS
Security Fundamentals
 Integrity can be provided by hashing
 Hash value is like a fingerprint of the data
 Any alteration in data changes the hash
 Ethernet uses CRC32 to detect transmission errors
 MD5 is an old, insecure hash function
 SHA-1, SHA-2, and SHA-3 are newer and more
secure
Security Fundamentals
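The hashing slide above, as an added example that is not part of the original deck: a baseline of SHA-256 (SHA-2 family) fingerprints is recorded for known-good data and later compared against the current data to report anything modified, missing, or added. The file names and contents are constructed sample data.

```python
import hashlib
import hmac


def digest(data):
    """Return the SHA-256 fingerprint of the data as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Record one fingerprint per file name from known-good content."""
    return {name: digest(content) for name, content in files.items()}


def check_integrity(baseline, files):
    """Compare current content against the baseline fingerprints."""
    report = {"modified": [], "missing": [], "added": []}
    for name, expected in baseline.items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(expected, digest(files[name])):
            # Any alteration, even a single bit, yields a different hash.
            report["modified"].append(name)
    report["added"] = sorted(set(files) - set(baseline))
    report["modified"].sort()
    report["missing"].sort()
    return report


# Constructed sample data (not from the original slides).
KNOWN_GOOD = {
    "router.cfg": b"hostname edge1\naccess-list 101 deny ip any any\n",
    "motd.txt": b"Authorized users only\n",
    "hosts": b"10.0.0.5 db1\n",
}


def demo():
    baseline = build_baseline(KNOWN_GOOD)
    current = dict(KNOWN_GOOD)
    # One word changed in the configuration.
    current["router.cfg"] = KNOWN_GOOD["router.cfg"].replace(b"deny", b"permit")
    del current["motd.txt"]              # a file that disappeared
    current["new.sh"] = b"#!/bin/sh\n"   # a file that was never baselined
    return check_integrity(baseline, current)


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where an attacker cannot rewrite it, otherwise altered data and altered fingerprints would still match.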
 Availability can be provided by fault tolerance
 Attacks on availability are called Denial of Service
(DoS) attacks
 A DoS attack from many machines is called a
Distributed Denial of Service (DDoS) attack
Security Fundamentals
Security Fundamentals
Figure 12-1 Symmetric Encryption Example
Security Fundamentals
Figure 12-2 Asymmetric Encryption Example
Security Fundamentals
 Categories of Network Attacks
 Confidentiality Attacks
 Makes confidential data visible to an
attacker
 Integrity Attacks
 Alters data in transit or at rest
 Availability Attacks
 Makes system unavailable to
authorized users
Security Fundamentals
Figure 12-3 Confidentiality Attack Example
Attacker compromises the Web server, then pivots to attack the database server
Security Fundamentals
 Attack techniques
 Packet capture
 Ping sweep and port scan
 Dumpster diving
 Electromagnetic emanations
 Wiretapping telephone lines
 Social engineering
 Steganography
 Covert channels
 Bouncing attack
Security Fundamentals
Figure 12-4 Integrity Attack
Security Fundamentals
 Integrity Attack Methods
 Salami attack (many small alterations)
 Data diddling (changes data before it is stored)
 Virus (attached to an EXE file)
 Worm (travels through a network)
 Trojan (masquerades as innocent software)
 Trust relationship exploitation
 Botnet
 Session hijacking
Security Fundamentals
 Password attacks
 Keylogger (steal keypresses)
 Packet capture
 Brute force (guess all possible passwords)
 Dictionary (try passwords from a dictionary)
Security Fundamentals
Figure 12-5 DoS Attack
Security Fundamentals
Figure 12-6 TCP SYN Flood Attack Example
Security Fundamentals
Figure 12-7 Smurf Attack Example
Security Fundamentals
 Availability Attacks
 DoS
 DDoS
 SYN flood
 Buffer overflow
 ICMP flood (Smurf attack)
Security Fundamentals
 Electrical Disturbances
 At a physical level, an attacker could launch an availability attack
by interrupting or interfering with electrical service available to a
system, such as the following:
 Power Spikes
 Electrical surges
 Power faults
 Blackouts
 Power sag
 Brownout
 To combat these threats, you might want to install
uninterruptible power supplies (UPS) and generator backup
for strategic devices in your network.
Security Fundamentals
 Attacks on a System’s Physical Environment
 Attackers could also intentionally damage computing equipment by
influencing the equipment’s physical environment.
 Temperature
 Humidity
 Gas
 Consider the following recommendations to mitigate such
environmental threats:
 Computing facilities should be locked.
 Access should require access credentials
 Access points should be visually monitored.
 Climate control system should be monitored.
 Fire detection and suppression systems should not do damage to computer
equipment if possible.
Defending Against Attacks
 Now that we have an understanding of security
fundamentals, it is time to talk about how to defend
against security threats using network devices.
 User Training
 Many attacks require user intervention in order to be carried out.
 For example, a user needs to execute an application
containing a virus before the virus takes any actions.
 Similarly, social engineering requires a user to give sensitive
information to an attacker in order for the attacker to access the
user’s account.
Defending Against Attacks
 User Training (cont.)
 As a result, several potential attacks can be thwarted through
effective user training.
 As a few examples, users could be trained on policies such
as the following:
 Never give your password to anyone, even if they claim to be from IT.
 Do not open e-mail attachments from unknown sources.
 Select strong passwords, consisting of at least eight characters and
containing a mixture of alphabetical (upper- and lowercase), numeric,
and special characters.
 Change your password monthly (or more often)
Defending Against Attacks
 Patching
 Some attacks are directed at vulnerabilities known to exist in
various OSs and applications.
 As these are discovered, the vendors of the OSs or applications
often respond by releasing a patch.
 A patch is designed to correct a known bug or fix a known vulnerability
in a piece of software.
 A network administrator should have a plan for
implementing patches as they become available.
Defending Against Attacks
 Security Policies
 One of the main reasons security breaches occur within an
organization is the lack of a security policy or, if a security policy
is in place, the failure to effectively communicate and enforce that
security policy for all concerned.
 A security policy is a continually changing document that dictates
a set of guidelines for network use.
 The main purpose of a security policy is to protect the assets of an
organization.
 Assets – intellectual property, processes and procedures, sensitive customer
data, and specific server functions.
Defending Against Attacks
Figure 12-8 Components of a Security Policy
Security Fundamentals
 Incident Response
 Everyone will get hacked
 Respond effectively
 Contain damage
 Reverse harm
 Improve security to prevent repeated attack
Defending Against Attacks
 Vulnerability Scanners
 After you deploy your network-security solution, components of
that solution might not behave as expected.
 Additionally, you might not be aware of some of the vulnerabilities
in your network devices.
 You should periodically test your network for weaknesses.
 These tests can be performed using applications designed to check
for a variety of known weaknesses.
 These applications are known as vulnerability scanners.
 Nessus is a full vulnerability scanner
 Nmap (actually just a port scanner, not a full vulnerability
scanner)
Defending Against Attacks
Figure 12-9 Nessus
Defending Against Attacks
Figure 12-10 Nmap
Defending Against Attacks
 Honey Pots and Honey Nets
 A honey pot acts as a distractor. Specifically, a system
designated as a honey pot appears to be an attractive target.
 Attackers then use their resources attacking the honey pot, the
end result of which is that they leave the real servers alone.
 Honey pot -- a single machine that draws the attacker’s attention.
 Honey net -- multiple machines that draw the attacker’s attention.
 A honey pot/net can also be used to study how attackers conduct
their attacks.
Defending Against Attacks
 Access Control List (ACL)
 ACLs are rules, typically applied to router interfaces,
that specify whether to permit or deny traffic.
 ACL filtering criteria:
 Source IP
 Destination IP
 Source Port
 Destination Port
 Source MAC
 Destination MAC
Defending Against Attacks
Figure 12-11 ACL Example
Defending Against Attacks
 Remote Access Security
 Although ACLs can be used to permit or deny specific connections
flowing through a router, you also need to control connections to
network devices.
 Many of these remote-access security methods have been
introduced in preceding chapters
Remote Access Security Methods
 RAS
 RDP
 PPPoE
 PPP
 SSH
 Kerberos
 AAA
 RADIUS
 TACACS+
• NAC
• 802.1x
• CHAP
• MS-CHAP
• EAP
• Two-factor authentication
• Single sign-on
Defending Against Attacks
 Firewalls
 At this point, we have introduced various security
threats, along with best practices to protect your
network from those threats.
 Now we are going to cover three additional layers of
security that can be applied to a network.
 The additional layers consist of firewalls, virtual
private networks, and intrusion detection and
prevention systems.
Defending Against Attacks
 Firewall Types
 A firewall defines a set of rules to dictate which types of traffic are
permitted or denied as that traffic enters or exits a firewall
interface.
 Software firewall -- can be used to protect a single system or can
be software loaded on a computer with more than one NIC, controlling
traffic between them.
 Hardware firewall – an appliance that acts as the firewall.
 Firewall Inspection Types
 Packet-filtering firewall (stateless) -- inspects traffic based solely on
each packet’s header, one packet at a time.
 Stateful firewall – recognizes that a packet is part of a session
that might have originated inside the LAN or outside the LAN
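The ACL and firewall inspection slides above, as an added example that is not part of the original deck: a first-match ACL with an implicit deny is used as a stateless packet filter, then compared with a stateful firewall that tracks sessions opened from the inside. The rule fields model only source IP, destination IP, destination port and the TCP ACK flag; all names, addresses and the `ack_only` rule option are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False            # TCP ACK flag taken from the header


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    dport: Optional[int] = None  # None matches any destination port
    ack_only: bool = False       # hypothetical option: match only ACK packets

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, p.dport)
                and (p.ack or not self.ack_only))


def acl_decision(rules, p):
    """Stateless filtering: first matching rule wins, otherwise implicit deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Permits inbound packets only when they answer a recorded session."""

    def __init__(self, outbound_rules):
        self.outbound_rules = outbound_rules
        self.sessions = set()

    def outbound(self, p):
        decision = acl_decision(self.outbound_rules, p)
        if decision == "permit":
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
        return decision

    def inbound(self, p):
        # A reply has the session's addresses and ports reversed.
        key = (p.dst, p.dport, p.src, p.sport)
        return "permit" if key in self.sessions else "deny"


# Constructed sample rules and packets (documentation address ranges).
INSIDE = "10.0.0.0/24"
OUTBOUND = [Rule("permit", INSIDE, "0.0.0.0/0", dport=443)]
INBOUND_STATELESS = [Rule("permit", "0.0.0.0/0", INSIDE, ack_only=True)]

REQUEST = Packet("10.0.0.10", 50000, "203.0.113.7", 443)
REPLY = Packet("203.0.113.7", 443, "10.0.0.10", 50000, ack=True)
UNSOLICITED = Packet("198.51.100.9", 443, "10.0.0.20", 50001, ack=True)


def demo():
    stateless = [acl_decision(OUTBOUND, REQUEST),
                 acl_decision(INBOUND_STATELESS, REPLY),
                 acl_decision(INBOUND_STATELESS, UNSOLICITED)]
    fw = StatefulFirewall(OUTBOUND)
    stateful = [fw.outbound(REQUEST), fw.inbound(REPLY), fw.inbound(UNSOLICITED)]
    return {"stateless": stateless, "stateful": stateful}


if __name__ == "__main__":
    print(demo())
```

The header-only filter admits the unsolicited inbound packet because it looks like a reply; the stateful firewall denies it because no inside host opened that session.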
Defending Against Attacks
Figure 12-12 Packet-Filtering Firewall
Defending Against Attacks
Figure 12-13 Stateful Firewall
Defending Against Attacks
 Firewall Zones
 A firewall’s interfaces can be defined as belonging to
different firewall zones.
 After the zones are created, you then set up rules based on
those zones.
 Typical zone names:
 Inside
 Outside
 DMZ
Defending Against Attacks
Figure 12-14 Firewall Zone Example
Defending Against Attacks
 Virtual Private Networks (VPN).
 Much of today’s workforce is located outside of a corporate
headquarters location.
 Some employees work in remote offices, while others
telecommute, and others travel as part of their job.
 These employees need a secure method to connect back to the
headquarters (HQ).
 WAN technologies could be used but would be expensive to
implement.
 A VPN supports secure communication between two sites over an
untrusted network.
Defending Against Attacks
 VPN (cont.)
 There are two primary categories of VPNs
 Site to Site -- interconnects two sites, as an
alternative to a leased line, at a reduced cost.
 Client to Site – interconnects a remote user with a
site, as an alternative to dial-up or ISDN
connectivity, at a reduced cost.
Defending Against Attacks
Figure 12-15 Sample Site-to-Site VPN
Defending Against Attacks
Figure 12-16 Sample Client-to-Site VPN
Defending Against Attacks
 Overview of IPsec
 Broadband technologies, such as cable and DSL, in addition to
other VPN transport mechanisms, often traverse an untrusted
network, such as the Internet.
 IPsec VPNs offer strong security features, such as the following:
 Confidentiality
 Integrity
 Authentication
 IKE Modes and Phases
 IPsec uses a collection of protocols to provide its features. One of
the primary protocols that IPsec uses is the Internet Key
Exchange (IKE).
Defending Against Attacks
Transport mode encrypts only the payload
Tunnel mode encrypts the whole packet
Defending Against Attacks
Figure 12-18 IPsec VPN Steps
Defending Against Attacks
 VPN Protocols
 SSL/TLS
 Strong, used by HTTPS
 L2TP / IPSec
 L2F
 Old tunneling protocol from Cisco, no encryption
 PPTP
 Old Microsoft VPN protocol, weak encryption
Defending Against Attacks
 Intrusion Detection and Prevention
 When an attacker launches an attack against a network,
intrusion detection system (IDS) and intrusion prevention
system (IPS) technologies are often able to recognize the attack
and respond appropriately.
 Attacks might be recognizable by comparing incoming data
streams against a database of well-known attack signatures.
 IDS Versus IPS
 An IDS sits parallel to the network; it is a passive device that monitors
all traffic and sends alerts.
 An IPS sits in-line with the network; it is an active device that monitors
all traffic, sends alerts, and deals with the offending traffic.
Defending Against Attacks
Figure 12-19 IDS and IPS Network Placement
Defending Against Attacks
 IDS and IPS Device Categories
 IDS and IPS devices can be categorized based on how they detect
malicious traffic.
 Detection Methods
 Signature-based detection
 Policy-based detection
 Anomaly-based detection
 Deploying Network-Based and Host-Based Solutions
 NIPS and HIPS solutions can work in tandem. This helps further
protect the system.
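The three detection methods and the IDS/IPS distinction above, as an added example that is not part of the original deck: one inspection loop applies signature-based, policy-based and anomaly-based checks to traffic records, alerting only in IDS mode and also dropping the offending traffic in IPS mode. The signatures, the blocked port, the baseline counts and the events are constructed for the illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Signature-based: patterns of well-known attacks (constructed samples).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "sql-union": re.compile(r"union\s+select", re.I),
}
# Policy-based: the assumed policy forbids Telnet (TCP port 23).
POLICY_BLOCKED_PORTS = {23}
# Anomaly-based: requests per source seen in a normal window (constructed).
BASELINE_COUNTS = [3, 4, 5, 4, 4]


def anomaly_threshold(counts, k=3.0):
    """Flag rates above the baseline mean plus k standard deviations."""
    return mean(counts) + k * pstdev(counts)


def inspect(events, mode):
    """Return (alerts, forwarded). mode is "ids" (passive) or "ips" (in-line)."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    limit = anomaly_threshold(BASELINE_COUNTS)
    per_source = Counter()
    alerts, forwarded = [], []
    for ev in events:
        per_source[ev["src"]] += 1
        reasons = ["signature:" + name for name, rx in SIGNATURES.items()
                   if rx.search(ev["payload"])]
        if ev["dport"] in POLICY_BLOCKED_PORTS:
            reasons.append("policy:port-%d" % ev["dport"])
        if per_source[ev["src"]] > limit:
            reasons.append("anomaly:rate")
        if reasons:
            alerts.append((ev["src"], reasons))
        # An IDS only watches a copy of the traffic, so everything still flows.
        # An IPS is in the path and drops what it flagged.
        if mode == "ids" or not reasons:
            forwarded.append(ev)
    return alerts, forwarded


def sample_events():
    """Constructed traffic records: src address, destination port, payload."""
    events = [
        {"src": "10.0.0.5", "dport": 80, "payload": "GET /index.html"},
        {"src": "10.0.0.6", "dport": 80, "payload": "GET /../../etc/passwd"},
        {"src": "10.0.0.7", "dport": 23, "payload": "login"},
    ]
    # One source sends seven ordinary requests, above the learned rate.
    events += [{"src": "10.0.0.8", "dport": 80, "payload": "GET /"}
               for _ in range(7)]
    return events


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(sample_events(), mode)
        print(mode, len(alerts), "alerts,", len(forwarded), "forwarded")
```

Both modes raise the same alerts; only the in-line mode changes what reaches the protected hosts.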
Defending Against Attacks
Figure 12-20 NIDS, NIPS, and HIPS Deployment Example
Ad

More Related Content

Similar to Chapter 12 - Securing a Network CompTIA Network+ (20)

compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
EMERSON EDUARDO RODRIGUES
 
New internet security
New internet securityNew internet security
New internet security
university of mumbai
 
NewIinternet security
NewIinternet securityNewIinternet security
NewIinternet security
university of mumbai
 
A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...
Erin Moore
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
newbie2019
 
PROJECT REPORT.docx
PROJECT REPORT.docxPROJECT REPORT.docx
PROJECT REPORT.docx
Sakamsivasankarreddy
 
Common Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptxCommon Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptx
KalponikPrem
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
mccormicknadine86
 
COMPUTER AND NETWORK SECURITY.pptx
COMPUTER AND NETWORK SECURITY.pptxCOMPUTER AND NETWORK SECURITY.pptx
COMPUTER AND NETWORK SECURITY.pptx
DebmalyaSingha
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Cyber security
Cyber securityCyber security
Cyber security
Bablu Shofi
 
Network and system administration Chapter 5.pptx
Network and system administration Chapter 5.pptxNetwork and system administration Chapter 5.pptx
Network and system administration Chapter 5.pptx
gadisaadamu101
 
Cyber security & network attack6
Cyber security & network attack6Cyber security & network attack6
Cyber security & network attack6
HCL Technologies
 
Network security
Network securityNetwork security
Network security
Simranpreet Singh
 
Ne Course Part Two
Ne Course Part TwoNe Course Part Two
Ne Course Part Two
backdoor
 
cybersecurity
cybersecuritycybersecurity
cybersecurity
maha797959
 
Lecture2-InforSec-Computer and Internet security.pptx
Lecture2-InforSec-Computer and Internet security.pptxLecture2-InforSec-Computer and Internet security.pptx
Lecture2-InforSec-Computer and Internet security.pptx
markhorid1
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
Manjunath G
 
Network and Security-2.pptx
Network and Security-2.pptxNetwork and Security-2.pptx
Network and Security-2.pptx
Dhanvanthkesavan
 
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUEScompTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
compTIA guide to get the CERTIFICATION EMERSON EDUARDO RODRIGUES
EMERSON EDUARDO RODRIGUES
 
A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...A Brief Note On Companies And The Largest Ever Consumer...
A Brief Note On Companies And The Largest Ever Consumer...
Erin Moore
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
newbie2019
 
Common Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptxCommon Types of Cyber Attacks & How to Prevent Them.pptx
Common Types of Cyber Attacks & How to Prevent Them.pptx
KalponikPrem
 
CMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docxCMST&210 Pillow talk Position 1 Why do you think you may.docx
CMST&210 Pillow talk Position 1 Why do you think you may.docx
mccormicknadine86
 
COMPUTER AND NETWORK SECURITY.pptx
COMPUTER AND NETWORK SECURITY.pptxCOMPUTER AND NETWORK SECURITY.pptx
COMPUTER AND NETWORK SECURITY.pptx
DebmalyaSingha
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Network and system administration Chapter 5.pptx
Network and system administration Chapter 5.pptxNetwork and system administration Chapter 5.pptx
Network and system administration Chapter 5.pptx
gadisaadamu101
 
Cyber security & network attack6
Cyber security & network attack6Cyber security & network attack6
Cyber security & network attack6
HCL Technologies
 
Ne Course Part Two
Ne Course Part TwoNe Course Part Two
Ne Course Part Two
backdoor
 
Lecture2-InforSec-Computer and Internet security.pptx
Lecture2-InforSec-Computer and Internet security.pptxLecture2-InforSec-Computer and Internet security.pptx
Lecture2-InforSec-Computer and Internet security.pptx
markhorid1
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
Network Security and Cryptography
Network Security and CryptographyNetwork Security and Cryptography
Network Security and Cryptography
Manjunath G
 
Network and Security-2.pptx
Network and Security-2.pptxNetwork and Security-2.pptx
Network and Security-2.pptx
Dhanvanthkesavan
 

Recently uploaded (20)

apa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdfapa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdf
Ishika Ghosh
 
Sinhala_Male_Names.pdf Sinhala_Male_Name
Sinhala_Male_Names.pdf Sinhala_Male_NameSinhala_Male_Names.pdf Sinhala_Male_Name
Sinhala_Male_Names.pdf Sinhala_Male_Name
keshanf79
 
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Celine George
 
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptxSCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
Ronisha Das
 
Introduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe EngineeringIntroduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe Engineering
Damian T. Gordon
 
Political History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptxPolitical History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptx
Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India.
 
Operations Management (Dr. Abdulfatah Salem).pdf
Operations Management (Dr. Abdulfatah Salem).pdfOperations Management (Dr. Abdulfatah Salem).pdf
Operations Management (Dr. Abdulfatah Salem).pdf
Arab Academy for Science, Technology and Maritime Transport
 
GDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptxGDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptx
azeenhodekar
 
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACYUNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
DR.PRISCILLA MARY J
 
Presentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem KayaPresentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem Kaya
MIPLM
 
Exploring-Substances-Acidic-Basic-and-Neutral.pdf
Exploring-Substances-Acidic-Basic-and-Neutral.pdfExploring-Substances-Acidic-Basic-and-Neutral.pdf
Exploring-Substances-Acidic-Basic-and-Neutral.pdf
Sandeep Swamy
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
One Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learningOne Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learning
momer9505
 
Biophysics Chapter 3 Methods of Studying Macromolecules.pdf
Biophysics Chapter 3 Methods of Studying Macromolecules.pdfBiophysics Chapter 3 Methods of Studying Macromolecules.pdf
Biophysics Chapter 3 Methods of Studying Macromolecules.pdf
PKLI-Institute of Nursing and Allied Health Sciences Lahore , Pakistan.
 
Odoo Inventory Rules and Routes v17 - Odoo Slides
Odoo Inventory Rules and Routes v17 - Odoo SlidesOdoo Inventory Rules and Routes v17 - Odoo Slides
Odoo Inventory Rules and Routes v17 - Odoo Slides
Celine George
 
To study Digestive system of insect.pptx
To study Digestive system of insect.pptxTo study Digestive system of insect.pptx
To study Digestive system of insect.pptx
Arshad Shaikh
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
YSPH VMOC Special Report - Measles Outbreak Southwest US 4-30-2025.pptx
YSPH VMOC Special Report - Measles Outbreak  Southwest US 4-30-2025.pptxYSPH VMOC Special Report - Measles Outbreak  Southwest US 4-30-2025.pptx
YSPH VMOC Special Report - Measles Outbreak Southwest US 4-30-2025.pptx
Yale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
apa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdfapa-style-referencing-visual-guide-2025.pdf
apa-style-referencing-visual-guide-2025.pdf
Ishika Ghosh
 
Sinhala_Male_Names.pdf Sinhala_Male_Name
Sinhala_Male_Names.pdf Sinhala_Male_NameSinhala_Male_Names.pdf Sinhala_Male_Name
Sinhala_Male_Names.pdf Sinhala_Male_Name
keshanf79
 
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Celine George
 
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptxSCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
SCI BIZ TECH QUIZ (OPEN) PRELIMS XTASY 2025.pptx
Ronisha Das
 
Introduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe EngineeringIntroduction to Vibe Coding and Vibe Engineering
Introduction to Vibe Coding and Vibe Engineering
Damian T. Gordon
 
GDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptxGDGLSPGCOER - Git and GitHub Workshop.pptx
GDGLSPGCOER - Git and GitHub Workshop.pptx
azeenhodekar
 
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACYUNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
UNIT 3 NATIONAL HEALTH PROGRAMMEE. SOCIAL AND PREVENTIVE PHARMACY
DR.PRISCILLA MARY J
 
Presentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem KayaPresentation of the MIPLM subject matter expert Erdem Kaya
Presentation of the MIPLM subject matter expert Erdem Kaya
MIPLM
 
Exploring-Substances-Acidic-Basic-and-Neutral.pdf
Exploring-Substances-Acidic-Basic-and-Neutral.pdfExploring-Substances-Acidic-Basic-and-Neutral.pdf
Exploring-Substances-Acidic-Basic-and-Neutral.pdf
Sandeep Swamy
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
One Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learningOne Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learning
momer9505
 
Odoo Inventory Rules and Routes v17 - Odoo Slides
Odoo Inventory Rules and Routes v17 - Odoo SlidesOdoo Inventory Rules and Routes v17 - Odoo Slides
Odoo Inventory Rules and Routes v17 - Odoo Slides
Celine George
 
To study Digestive system of insect.pptx
To study Digestive system of insect.pptxTo study Digestive system of insect.pptx
To study Digestive system of insect.pptx
Arshad Shaikh
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
Ad

Chapter 12 - Securing a Network CompTIA Network+

  • 1. CompTIA Network + Chapter 12 Securing a Network
  • 2. Objectives  What are the goals of network security, and what sorts of attacks do you need to defend against?  What best practices can be implemented to defend against security threats?  What are the characteristics of various remote-access security technologies?
  • 3. Objectives  How can firewalls be used to protect an organization’s internal network, while allowing connectivity to an untrusted network, such as the Internet?  How can virtual private networks (VPN) be used to secure traffic as that traffic flows over an untrusted network?  What is the difference between intrusion prevention and intrusion detection systems, and how do they protect an organization form common security threats?
  • 4. Securing a Network  Today’s networks are increasingly dependent on connectivity with other networks.  However, connecting an organization’s trusted network to untrusted network’s such as the Internet, introduces security risks.  To protect your organization’s data from malicious users, you need to understand the types of threats against which you might have to defend.
  • 5.  For most of today’s corporate networks, the demands of e-commerce and customer contact require connectivity between internal corporate networks and the outside world.  All networks require network security Security Fundamentals
  • 6.  Confidentiality – keeping the data private  Integrity – ensures that data has not been modified  Availability – the data is accessible when needed Three Primary Goals of Network Security
  • 8.  Confidentiality can be provided by encryption.  Encryption has two basic forms:  Symmetric encryption -- implies that the same key is used by both the sender and receiver to encrypt and decrypt a packet.  DES is an old, insecure protocol  3DES and AES are much better  Asymmetric encryption -- uses different keys for the sender and receiver of a packet  RSA is the most common system, used by HTTPS Security Fundamentals
  • 9.  Integrity can be provided by hashing  Hash value is like a fingerprint of the data  Any alteration in data changes the hash  Ethernet uses CRC32 to detect transmission errors  MD5 is an old, insecure hash function  SHA-1, SHA-2, and SHA-3 are newer and more secure Security Fundamentals
  • 10.  Availability can be provided by fault tolerance  Attacks on availability are called Denial of Service (DoS) attacks  A DoS attack from many machines is called a Distributed Denial of Service (DDoS) attack Security Fundamentals
  • 11. Security Fundamentals Figure 12-1 Symmetric Encryption Example
  • 12. Security Fundamentals Figure 12-2 Asymmetric Encryption Example
  • 13. Security Fundamentals  Categories of Network Attacks  Confidentiality Attacks  Makes confidential data visible to an attacker  Integrity Attacks  Alters data in transit or at rest  Availability Attacks  Makes system unavailable to authorized users
  • 14. Security Fundamentals Figure 12-3 Confidentiality Attack Example Attacker compromises the Web server, then pivots to attack the database server
  • 15. Security Fundamentals  Attack techniques  Packet capture  Ping sweep and port scan  Dumpster diving  Electromagnetic emanations  Wiretapping telephone lines  Social engineering  Steganography  Covert channels  Bouncing attack
  • 17. Security Fundamentals  Integrity Attack Methods  Salami attack (many small alterations)  Data diddling (changes data before it is stored)  Virus (attached to an EXE file)  Worm (travels through a network)  Trojan (masquerades as innocent software)  Trust relationship exploitation  Botnet  Session hijacking
  • 18. Security Fundamentals  Password attacks  Keylogger (steal keypresses)  Packet capture  Brute force (guess all possible passwords)  Dictionary (try passwords from a dictionary)
  • 20. Security Fundamentals Figure 12-6 TCP SYN Flood Attack Example
  • 21. Security Fundamentals Figure 12-7 Smurf Attack Example
  • 22. Security Fundamentals  Availability Attacks  DoS  DDoS  SYN flood  Buffer overflow  ICMP flood (Smurf attack)
  • 23. Security Fundamentals  Electrical Disturbances  At a physical level, an attacker could launch an availability attack by interrupting or interfering with electrical service available to a system, such as the following:  Power Spikes  Electrical surges  Power faults  Blackouts  Power sag  Brownout  To combat these threats, you might want to install uninterruptible power supplies (UPS) and generator backup for strategic devices in your network.
  • 24. Security Fundamentals  Attacks on a System’s Physical Environment  Attackers could also intentionally damage computing equipment by influencing the equipment’s physical environment.  Temperature  Humidity  Gas  Consider the following recommendations to mitigate such environmental threats:  Computing facilities should be locked.  Access should require access credentials.  Access points should be visually monitored.  Climate control systems should be monitored.  Fire detection and suppression systems should not do damage to computer equipment if possible.
  • 25. Defending Against Attacks  Now that we have an understanding of security fundamentals, it is time to talk about how to defend against security threats using network devices.  User Training  Many attacks require user intervention in order to be carried out.  For example, a user needs to execute an application containing a virus before the virus takes any actions.  Similarly, social engineering requires a user to give sensitive information to an attacker in order for the attacker to access the user’s account.
  • 26. Defending Against Attacks  User Training (cont.)  As a result, several potential attacks can be thwarted through effective user training.  As a few examples, users could be trained on policies such as the following:  Never give your password to anyone, even if they claim to be from IT.  Do not open e-mail attachments from unknown sources.  Select strong passwords, consisting of at least eight characters and containing a mixture of alphabetical (upper- and lowercase), numeric, and special characters.  Change your password monthly (or more often)
  • 27. Defending Against Attacks  Patching  Some attacks are directed at vulnerabilities known to exist in various OSs and applications.  As these are discovered, the vendors of the OSs or applications often respond by releasing a patch.  A patch is designed to correct a known bug or fix a known vulnerability in a piece of software.  A network administrator should have a plan for implementing patches as they become available.
  • 28. Defending Against Attacks  Security Policies  One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the failure to effectively communicate and enforce that security policy to all concerned.  A security policy is a continually changing document that dictates a set of guidelines for network use.  The main purpose of a security policy is to protect the assets of an organization.  Assets – intellectual property, processes and procedures, sensitive customer data, and specific server functions.
  • 29. Defending Against Attacks Figure 12-8 Components of a Security Policy
  • 30. Security Fundamentals  Incident Response  Everyone will get hacked  Respond effectively  Contain damage  Reverse harm  Improve security to prevent repeated attack
  • 31. Defending Against Attacks  Vulnerability Scanners  After you deploy your network-security solution, components of that solution might not behave as expected.  Additionally, you might not be aware of some of the vulnerabilities in your network devices.  You should periodically test your network for weaknesses.  These tests can be performed using applications designed to check for a variety of known weaknesses.  These applications are known as vulnerability scanners.  Nessus is a full vulnerability scanner  Nmap (actually just a port scanner, not a full vulnerability scanner)
  • 34. Defending Against Attacks  Honey Pots and Honey Nets  A honey pot acts as a distracter. Specifically, a system designated as a honey pot appears to be an attractive target.  The attackers then use their resources attacking the honey pot, the end result of which is that they leave the real servers alone.  Honey pot -- single machine that draws the attacker’s attention.  Honey net -- multiple machines that draw the attacker’s attention.  A honey pot/net can also be used to study how attackers conduct their attacks.
  • 35. Defending Against Attacks  Access Control List (ACL)  ACLs are rules, typically applied to router interfaces, that specify whether to permit or deny traffic.  ACL filtering criteria:  Source IP  Destination IP  Source Port  Destination Port  Source MAC  Destination MAC
  • 36. Defending Against Attacks Figure 12-11 ACL Example
  • 37. Defending Against Attacks  Remote Access Security  Although ACLs can be used to permit or deny specific connections flowing through a router, you also need to control connections to network devices.  Many of these remote-access security methods have been introduced in preceding chapters.
  • 38. Remote Access Security Methods  RAS  RDP  PPPoE  PPP  SSH  Kerberos  AAA  RADIUS  TACACS+  NAC  802.1x  CHAP  MS-CHAP  EAP  Two-factor authentication  Single sign-on
  • 39. Defending Against Attacks  Firewalls  At this point, we have introduced various security threats, along with best practices to protect your network from those threats.  Now we are going to cover three additional layers of security that can be applied to a network.  The additional layers consist of firewalls, virtual private networks, and intrusion detection and prevention systems.
  • 40. Defending Against Attacks  Firewall Types  A firewall defines a set of rules to dictate which types of traffic are permitted or denied as that traffic enters or exits a firewall interface.  Software firewall -- can be used to protect a single system or can be software loaded in a computer with more than one NIC, controlling traffic between them.  Hardware firewall – is an appliance that acts as the firewall.  Firewall Inspection Types  Packet-filtering firewall (stateless) -- inspects traffic based solely on a packet’s header, one packet at a time.  Stateful firewall – recognizes that a packet is part of a session that might have originated inside the LAN or outside the LAN
  • 41. Defending Against Attacks Figure 12-12 Packet-Filtering Firewall
  • 42. Defending Against Attacks Figure 12-13 Stateful Firewall
  • 43. Defending Against Attacks  Firewall Zones  A firewall’s interfaces can be defined as belonging to different firewall zones.  After the zones are created, you then set up rules based on those zones.  Typical zone names:  Inside  Outside  DMZ
  • 44. Defending Against Attacks Figure 12-14 Firewall Zone Example
  • 45. Defending Against Attacks  Virtual Private Networks (VPN).  Much of today’s workforce is located outside of a corporate headquarters location.  Some employees work in remote offices, while others telecommute, and others travel as part of their job.  These employees need a secure method to connect back to the headquarters (HQ).  WAN technologies could be used but would be expensive to implement.  A VPN supports secure communication between two sites over an untrusted network.
  • 46. Defending Against Attacks  VPN (cont.)  There are two primary categories of VPNs  Site to Site -- interconnects two sites, as an alternative to a leased line, at a reduced cost.  Client to Site – interconnects a remote user with a site, as an alternative to dial-up or ISDN connectivity, at a reduced cost.
  • 47. Defending Against Attacks Figure 12-15 Sample Site-to-Site VPN
  • 48. Defending Against Attacks Figure 12-16 Sample Client-to-Site VPN
  • 49. Defending Against Attacks  Overview of IPsec  Broadband technologies, such as cable and DSL, in addition to other VPN transport mechanisms, often traverse an untrusted network, such as the Internet.  IPsec VPNs offer strong security features, such as the following:  Confidentiality  Integrity  Authentication  IKE Modes and Phases  IPsec uses a collection of protocols to provide its features. One of the primary protocols that IPsec uses is the Internet Key Exchange (IKE)
  • 50. Defending Against Attacks  Transport mode encrypts only the payload  Tunnel mode encrypts the whole packet
  • 51. Defending Against Attacks Figure 12-18 IPsec VPN Steps
  • 52. Defending Against Attacks  VPN Protocols  SSL/TLS  Strong, used by HTTPS  L2TP / IPsec  L2F  Old tunneling protocol from Cisco, no encryption  PPTP  Old Microsoft VPN protocol, weak encryption
  • 53. Defending Against Attacks  Intrusion Detection and Prevention  When an attacker launches an attack against a network, intrusion detection system (IDS) and intrusion prevention system (IPS) technologies are often able to recognize the attack and respond appropriately.  Attacks might be recognizable by comparing incoming data streams against a database of well-known attack signatures.  IDS Versus IPS  An IDS sits parallel to the network and is a passive device that monitors all traffic and sends alerts.  An IPS sits in-line with the network and is an active device that monitors all traffic, sends alerts, and deals with the offending traffic.
  • 54. Defending Against Attacks Figure 12-19 IDS and IPS Network Placement
  • 55. Defending Against Attacks  IDS and IPS Device Categories  IDS and IPS devices can be categorized based on how they detect malicious traffic.  Detection Methods  Signature-based detection  Policy-based detection  Anomaly-based detection  Deploying Network-Based and Host-Based Solutions  NIPS and HIPS solutions can work in tandem. This helps further protect the system.
  • 56. Defending Against Attacks Figure 12-20 NIDS, NIPS, and HIPS Deployment Example
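
Added example (not part of the original slides): the ACL filtering criteria from slide 35 and the stateless versus stateful inspection types from slide 40, run side by side on the same three packets. The addresses, the rule set, and the names `Packet`, `acl_permits` and `StatefulFirewall` are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

INSIDE = ip_network("10.0.0.0/24")  # constructed inside LAN

# Stateless ACL: ordered rules, first match wins, implicit deny at the end.
# Fields: (action, source net, source port, destination net, destination port)
ACL = [
    ("permit", "10.0.0.0/24", None, "0.0.0.0/0", 443),  # outbound HTTPS
    ("permit", "0.0.0.0/0", 443, "10.0.0.0/24", None),  # "replies" from port 443
]

def acl_permits(pkt, acl=ACL):
    """Packet filter: judges each packet on its header alone."""
    for action, src_net, sport, dst_net, dport in acl:
        if (ip_address(pkt.src) in ip_network(src_net)
                and ip_address(pkt.dst) in ip_network(dst_net)
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)):
            return action == "permit"
    return False  # implicit deny

class StatefulFirewall:
    """Remembers sessions opened from inside; inbound must match one."""
    def __init__(self):
        self.sessions = set()

    def permits(self, pkt):
        if ip_address(pkt.src) in INSIDE:
            if not acl_permits(pkt, ACL[:1]):  # only the outbound rule applies
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: allowed only as the mirror image of a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    out = Packet("10.0.0.5", 50000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 50000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.9", 3389)
    fw = StatefulFirewall()
    return {"stateless": [acl_permits(p) for p in (out, reply, unsolicited)],
            "stateful": [fw.permits(p) for p in (out, reply, unsolicited)]}
```

The stateless filter has to admit anything arriving from source port 443 in order to let replies back in, so it also passes the unsolicited packet; the stateful firewall drops it because no inside host opened that session.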