• No results found

Developing Network Security Strategies

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Developing Network Security Strategies"

Copied!
36
0
0

Loading.... (view fulltext now)

Download now ( 36 Page )

Full text

(1)

Developing Network Security

Strategies

NETE-4635

(2)

Network Security Design

The 12 Step Program

1. Identify network assets

2. Analyze security risks

3. Analyze security requirements and tradeoffs

4. Develop a security plan

5. Define a security policy

6. Develop procedures for applying security policies

(3)

Network Security Design

The 12 Step Program (continued)

8. Achieve buy-in from users, managers, and technical staff

9. Train users, managers, and technical staff

10. Implement the technical strategy and security procedures

11. Test the security and update it if any problems are found

(4)
(5)

Security Risks

ƒ

Hacked network devices

Data can be intercepted, analyzed,

altered, or deleted

User passwords can be compromised

Device configurations can be

changed

ƒ

Reconnaissance attacks

(6)

Risk Assessment Includes

Probability, Control, and Severity

(7)
(8)

Security Tradeoffs

ƒ

Tradeoffs must be made between

security goals and other goals:

Affordability

Usability

Performance

Availability

(9)

A Security Plan

ƒ

High-level document that

proposes what an

organization is going to do to

meet security requirements

ƒ

Specifies time, people, and

other resources that will be

required to develop a security

policy and achieve

(10)

A Security Policy

ƒ

Per RFC 2196, “The Site Security

Handbook,” a security policy is a

− “Formal statement of the rules by which people who are given access to an

organization’s technology and information assets must abide.”

ƒ

The policy should address

− Access, accountability, authentication, privacy, and computer technology

(11)
(12)
(13)

Security Mechanisms

ƒ Physical security ƒ Authentication ƒ Authorization ƒ Accounting (Auditing) ƒ Data encryption ƒ Packet filters ƒ Firewalls

ƒ Intrusion Detection Systems (IDS)

(14)

Encryption for Confidentiality and Integrity

(15)

Modularizing Security Design

ƒ

Security defense in depth

Network security should be multilayered

with many different techniques used to

protect the network

ƒ

Belt-and-suspenders approach

(16)

Modularizing Security Design

ƒ

Secure all components of a modular design:

− Internet connections

− Public servers and e-commerce servers

− Remote access networks and VPNs

− Network services and network management

− Server farms

− User services

(17)

Cisco SAFE

ƒ

Cisco

SAFE Security Reference Model

(18)

Securing Internet Connections

ƒ

Physical security

ƒ

Firewalls and packet filters

ƒ

Audit logs, authentication, authorization

ƒ

Well-defined exit and entry points

(19)

Securing Public Servers

ƒ Place servers in a DMZ that is protected via firewalls

ƒ Run a firewall on the server itself

ƒ Enable DoS protection

− Limit the number of connections per timeframe

ƒ Use reliable operating systems with the latest security patches

ƒ Maintain modularity

(20)

Security Topologies

Enterprise Network

DMZ

Web, File, DNS, Mail Servers

(21)

Security Topologies

Internet

Enterprise Network DMZ

(22)

Securing Remote-Access and Virtual

Private Networks

ƒ

Physical security

ƒ

Firewalls

ƒ

Authentication, authorization, and auditing

ƒ

Encryption

ƒ

One-time passwords

ƒ

Security protocols

− CHAP

(23)
(24)
(25)
(26)

Securing Network Services

ƒ

Treat each network device (routers, switches,

and so on) as a high-value host and harden it

against possible intrusions

ƒ

Require login IDs and passwords for

accessing devices

− Require extra authorization for risky configuration commands

ƒ

Use SSH rather than Telnet

(27)

Securing Server Farms

ƒ Deploy network and host IDSs to monitor server subnets and individual servers

ƒ Configure filters that limit connectivity from the server in case the server is compromised

ƒ Fix known security bugs in server operating systems

ƒ Require authentication and authorization for server access and management

ƒ Limit root password to a few people

(28)

Securing User Services

ƒ Specify which applications are allowed to run on networked PCs in the security policy

ƒ Require personal firewalls and antivirus software on networked PCs

− Implement written procedures that specify how the software is installed and kept current

ƒ Encourage users to log out when leaving their desks

(29)

Securing Wireless Networks

ƒ Place wireless LANs (WLANs) in their own subnet or VLAN

− Simplifies addressing and makes it easier to configure packet filters

ƒ Require all wireless (and wired) laptops to run personal firewall and antivirus software

ƒ Disable beacons that broadcast the SSID, and require MAC address authentication

(30)

WLAN Security Options

ƒ Wired Equivalent Privacy (WEP)

ƒ IEEE 802.11i

ƒ Wi-Fi Protected Access (WPA)

ƒ IEEE 802.1X Extensible Authentication Protocol (EAP)

− Lightweight EAP or LEAP (Cisco)

− Protected EAP (PEAP)

ƒ Virtual Private Networks (VPNs)

(31)
(32)
(33)
(34)
(35)
(36)

References

Download now ( PDF - 36 Page - 518.79 KB )

Related documents

Work Incentives? Ex Post Effects of Unemployment Insurance Sanctions - Evidence from West Germany

We identify the ex post eect using a matching approach that takes timing of the treatment explicitly into account: we model the eects of a sanction imposed during either of

Former public conveniences Stockport (various locations)

The Purchaser shall be deemed to acknowledge that he has not submitted his offer in reliance on any of the said statements, that he has satisfied himself as to the content of each

Embedded formative assessment and classroom process quality. How do they interact in promoting students\u27 science understanding

How do they interact in promoting students' science understanding - In: American educational research journal 52 (2015) 6, S.. 1-27 -

Electrosurgery is used to destroy

The correct output power can be determined by starting low and increasing the power until the desired out- come is attained (destruction, coagulation, or cutting). Smaller

Pure1 Manage User Guide

In the Analytics page, set the projection method to None to display historical capacity information for each array over the specified range of time.. Hover over the line graph to

Investigating the impact of site activities and conditions on concrete quality of in-situ and precast construction methods

The attributes of durability, aesthetics or fitness for purpose influence the respective components, but are also in turn influenced by the quality aspects of labour,

Children eating well in cities A roadmap for action to support nutritious diets and healthy environments for all children in urban settings

people around the world move into urban areas in ever larger numbers, cities and local governments are playing an increasingly important role in ensuring that children and

IMS Primer. Rick Long, Mark Harrington, Robert Hain, Geoff Nicholls. International Technical Support Organization.

Application Program BMP Application Program IFP Application Program MPP DLI Seprate Address Space DBRC Region Network IMS Message Queues Control Region Address Space Logs Full