Lecture: Security+ Guide to Network Security Fundamentals, Chapter 5. Objectives: work with the network cable plant, secure removable media, harden network devices, design network topologies.

Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies

Working with the Network Cable Plant
• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
• Three types of transmission media:
– Coaxial cables
– Twisted-pair cables
– Fiber-optic cables

Coaxial Cables
• Coaxial cable was the main type of copper cabling used in computer networks for many years
• Has a single copper wire at its center surrounded by insulation and shielding
• Called “coaxial” because it houses two (co) axes or shafts: the copper wire and the shielding
• Thick coaxial cable has a copper wire in the center surrounded by a thick layer of insulation that is covered with braided metal shielding

Coaxial Cables (continued)
• Thin coaxial cable looks similar to the cable that carries a cable TV signal
• A braided copper mesh channel surrounds the insulation, and everything is covered by an outer shield of insulation for the cable itself
• The copper mesh channel protects the core from interference
• BNC connectors: connectors used on the ends of a thin coaxial cable

Twisted-Pair Cables
• Standard for copper cabling used in computer networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket

Twisted-Pair Cables (continued)
• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
• Unshielded twisted-pair (UTP) cables do not have any shielding
• Twisted-pair cables use RJ-45 connectors

Fiber-Optic Cables
• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper; the core transmits light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket

Fiber-Optic Cables (continued)
• Classified by the diameter of the core and the diameter of the cladding
– Diameters are measured in microns; a micron is about 1/25,000 of an inch, or one-millionth of a meter
• Two types:
– Single-mode fiber cables: used when data must be transmitted over long distances
– Multimode fiber cables: support many simultaneous light transmissions, generated by light-emitting diodes

Securing the Cable Plant
• Securing cabling outside the protected network is not the primary security issue for most organizations
• Focus is on protecting access to the cable plant in the internal network
• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can

Designing Network Topologies
• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing the network’s security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and its users

Security Zones
• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets

Demilitarized Zones (DMZs)
• Separate networks that sit outside the secure network perimeter
• Outside users can access the DMZ, but cannot enter the secure network
• For extra security, some networks use a DMZ with two firewalls
• The types of servers that should be located in the DMZ include:
– Web servers
– E-mail servers
– Remote access servers
– FTP servers

Intranets
• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage: an intranet does not allow remote trusted users access to information

Extranets
• Sometimes called a cross between the Internet and an intranet
• Accessible not to untrusted users, but to trusted external users
• Not accessible to the general public, but allows vendors and business partners to access a company Web site

Network Address Translation (NAT)
• “You cannot attack what you cannot see” is the philosophy behind Network Address Translation (NAT) systems
• Hides the IP addresses of network devices from attackers
• Computers are assigned special IP addresses (known as private addresses)

Network Address Translation (NAT) (continued)
• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a different TCP port number

Honeypots
• Computers located in a DMZ loaded with software and data files that appear to be authentic
• Intended to trap or trick attackers
• Two-fold purpose:
– To direct the attacker’s attention away from real servers on the network
– To examine techniques used by attackers

Virtual LANs (VLANs)
• Segment a network with switches to divide the network into a hierarchy
• Core switches reside at the top of the hierarchy and carry traffic between switches
• Workgroup switches are connected directly to the devices on the network
• Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches

Virtual LANs (VLANs) (continued)
• Segment a network by grouping similar users together
• Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)

Summary
• Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
• Removable media used to store information include:
– Magnetic storage (removable disks, hard drives)
– Optical storage (CD and DVD)
– Electronic storage (USB memory sticks, FlashCards)

Summary (continued)
• Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
• A network’s topology plays a critical role in resisting attackers
• Hiding the IP address of a network device can help disguise it so that an attacker cannot find it
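The two-firewall DMZ described in the Demilitarized Zones slides can be checked as a policy before any hardware is configured. The following Python model is an added example written for this lecture, not code from the textbook: the zone names, the rule sets and the sample flows are all constructed for illustration. It evaluates a flow against every firewall on its path (outer firewall between the Internet and the DMZ, inner firewall between the DMZ and the secure network) and permits it only if both allow it, so outsiders reach the DMZ's public services but never the internal network, and a DMZ host that is compromised still cannot initiate connections inward.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Zones of the two-firewall DMZ design (names are an assumption of this example).
OUTSIDE, DMZ, INTERNAL = "outside", "dmz", "internal"
ZONE_ORDER = [OUTSIDE, DMZ, INTERNAL]   # outer firewall sits between 0-1, inner between 1-2


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port, None matches any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def first_match(rules: Iterable[Rule], flow: Flow) -> str:
    """First-match rule evaluation with an implicit final deny."""
    for r in rules:
        if (r.src == flow.src_zone and r.dst == flow.dst_zone
                and r.proto in ("any", flow.proto)
                and r.port in (None, flow.dport)):
            return r.action
    return "deny"


# Constructed rule sets. Outer firewall: outsiders may reach only the public
# services the slides place in the DMZ (web, e-mail, FTP); internal hosts may go out.
OUTER: List[Rule] = [
    Rule(OUTSIDE, DMZ, "tcp", 80, "allow"),    # web server
    Rule(OUTSIDE, DMZ, "tcp", 443, "allow"),   # web server (TLS)
    Rule(OUTSIDE, DMZ, "tcp", 25, "allow"),    # e-mail server
    Rule(OUTSIDE, DMZ, "tcp", 21, "allow"),    # FTP server
    Rule(INTERNAL, OUTSIDE, "any", None, "allow"),
]

# Inner firewall: the secure network may initiate traffic outward, but nothing
# from the DMZ (or beyond it) may initiate traffic into the secure network.
INNER: List[Rule] = [
    Rule(INTERNAL, DMZ, "any", None, "allow"),
    Rule(INTERNAL, OUTSIDE, "any", None, "allow"),
]


def firewalls_on_path(src_zone: str, dst_zone: str) -> List[List[Rule]]:
    """Return the firewalls a flow crosses, based on zone adjacency."""
    i, j = ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)
    lo, hi = sorted((i, j))
    return [OUTER, INNER][lo:hi]


def permitted(flow: Flow) -> bool:
    """A flow is permitted only if every firewall on its path allows it."""
    if flow.src_zone == flow.dst_zone:
        return True
    return all(first_match(fw, flow) == "allow"
               for fw in firewalls_on_path(flow.src_zone, flow.dst_zone))


if __name__ == "__main__":
    # Constructed sample flows: public web access, an outsider probing SSH on the
    # DMZ, an outsider aiming straight at the internal network, and a DMZ host
    # trying to reach an internal file server.
    for f in (Flow(OUTSIDE, DMZ, "tcp", 443), Flow(OUTSIDE, DMZ, "tcp", 22),
              Flow(OUTSIDE, INTERNAL, "tcp", 443), Flow(DMZ, INTERNAL, "tcp", 445),
              Flow(INTERNAL, OUTSIDE, "tcp", 443)):
        print(f, "->", "allow" if permitted(f) else "deny")
```

The model is stateless and judges only the direction in which a connection is initiated; a production firewall is stateful, so replies to an internally initiated session are passed back without a separate inbound rule. The point the slides make survives the simplification: the inner firewall carries no rule whose source is the DMZ, so even a fully compromised DMZ server gets the implicit deny when it turns toward the secure network.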
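The NAT and PAT slides describe the mechanism in two sentences: internal hosts use private addresses that anyone may reuse, and with PAT every outbound packet leaves with the same public address but a different port. The simulation below is an added example, not the textbook's code; the public address 203.0.113.10, the private hosts and the port range are constructed values. It keeps a translation table keyed by the public port, rewrites outbound packets, and drops inbound packets that match no entry, which is exactly why an outside scanner "cannot see" the hosts behind the translator. The private-range check uses the three RFC 1918 blocks directly rather than `ipaddress.is_private`, which also matches loopback, link-local and documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RFC 1918 private address blocks: not assigned to any organization, usable by
# anyone on an internal network, never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatDevice:
    """Port Address Translation: all outbound traffic shares one public IP;
    the source port chosen per internal socket keys the translation table."""
    public_ip: str
    next_port: int = 40000                        # constructed starting port
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)   # public port -> (private ip, port)
    reverse: Dict[Tuple[str, int], int] = field(default_factory=dict) # (private ip, port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet from an internal host so it appears to come from
        the public IP, allocating a translation entry on first use."""
        if not is_rfc1918(pkt.src_ip):
            raise ValueError("only hosts with private addresses are translated")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            public_port = self.next_port
            self.next_port += 1
            self.table[public_port] = key
            self.reverse[key] = public_port
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet arriving at the public IP back to the internal host.
        Returns None when no entry exists: unsolicited traffic, such as a
        port scan, has no internal destination and is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        private_ip, private_port = entry
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = PatDevice("203.0.113.10")
    # Two internal hosts using the same local port reach the same web server;
    # both leave with the public IP, distinguished only by the translated port.
    for host in ("192.168.1.10", "192.168.1.11"):
        print(nat.outbound(Packet(host, 51000, "198.51.100.5", 443)))
    print(nat.inbound(Packet("198.51.100.5", 443, "203.0.113.10", 40000)))   # reply delivered
    print(nat.inbound(Packet("198.51.100.77", 12345, "203.0.113.10", 22)))   # probe dropped: None
```

Two things worth noticing when running it: the reply to the first host is delivered only because the table entry was created by that host's own outbound packet, and the probe to port 22 is dropped without the translator needing any knowledge of what runs inside. NAT is therefore a hiding mechanism, not a firewall; the slides' caution that topology alone cannot substitute for hardening the devices still applies.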