Contents
Overview
Lesson: Determining Threats and Analyzing Risks to Network Perimeters
Lesson: Designing Security for Network Perimeters
Lab A: Designing Security for Network Perimeters
Module 11: Creating a Security Design for Network Perimeters
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Instructor Notes
Presentation: 45 minutes
Lab: 30 minutes
In this module, students will learn how to determine threats and analyze risks to
network perimeters. Students will also learn how to design security for network
perimeters, including screened subnets, and for computers that connect directly
to the Internet.
After completing this module, students will be able to:
• Determine threats and analyze risks to network perimeters.
• Design security for network perimeters.
Required materials
To teach this module, you need Microsoft® PowerPoint® file 2830A_11.ppt.
Important
It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all of the features of the slides may not be displayed
correctly.
Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Complete the lab and practice discussing the answers.
• Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.
• Visit the Web links that are referenced in the module.
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Determining Threats and Analyzing Risks to Network
Perimeters
What Is the Perimeter of a Network?
Explain that the perimeter of a network is any entry point into an organization’s
network. A screened subnet (which is a type of network perimeter) and a single
computer on a network that is directly connected to the Internet are both
examples of a network perimeter. Emphasize to students that a network
perimeter is more than just a DMZ, demilitarized zone, or screened subnet—it
is anything that reaches outside the network that could allow an attacker inside
the network.
Why Perimeter Security Is Important
This page is intended simply to give examples of vulnerabilities. To elaborate
attacks, draw upon your own experiences. The next page deals with common
vulnerabilities, so try not to skip ahead.
Common Vulnerabilities to Perimeter Security
Explain the vulnerabilities, but do not discuss how to secure against them. The
second lesson in the module covers that topic.
Practice: Analyzing Risks to Network Perimeters
This practice requires that students have classroom access to the Internet. If
students do not have classroom access, simply read the practice answers to
them and then ask students if they have experienced such attacks.
Lesson: Designing Security for Network Perimeters
This section describes the instructional methods for teaching this lesson.
Emphasize the additional reading and Web sites referenced throughout the
module for additional depth on the topics provided.
Common Network Perimeter Designs
This page introduces screened subnets. Use this page to reemphasize what the
perimeter of a network is. The common designs shown are known by many
different names. Emphasize the fact that different parts of a network may be
separated from each other by perimeters; for example, a main office and a
branch office, or a main network and a test network. Be sure to point students to
the ISA Server Installation and Deployment Guide, under Additional Reading
on the Web page on the Student Materials CD.
Guidelines for Protecting Computers on a Perimeter
This page emphasizes the threats that network computers are under, and the
threats to which those computers expose the network when they connect to
outside networks. Many students may feel that this module is or is supposed to
be about screened subnets; emphasize that an organization’s computer that is
connected to an outside network is effectively on the perimeter of the
organization’s network, and may present a serious risk to network security. As
security designers, students must be aware of the risks involved and design
security measures to mitigate against those risks.
Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate
classroom discussion.
Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from
Microsoft Solutions Framework (MSF). Use this page to emphasize that
students must perform threat analysis and risk assessment on their own
networks for the topic covered in this module, and then they must design
security responses to protect the networks.
Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Designing Security for Network Perimeters
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.
Important
The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.
Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.
Overview
*****************************ILLEGAL FOR NON-TRAINER USE******************************
Introduction
In this module, you will learn how to determine threats and analyze risks to
network perimeters. You will also learn how to design security for network
perimeters, including screened subnets, and for computers that connect directly
to the Internet.
Objectives
After completing this module, you will be able to:
• Determine threats and analyze risks to network perimeters.
• Design security for network perimeters.
Lesson: Determining Threats and Analyzing Risks to
Network Perimeters
Introduction
The perimeter, or boundary, of a network is where your organization ends and
the area outside your organization begins. Perimeters are not always easy to
identify. Attackers who penetrate weaknesses in your perimeter can potentially
access information on your network.
Lesson objectives
After completing this lesson, you will be able to:
• Describe the perimeter of a network.
• Explain the importance of perimeter security.
• List common vulnerabilities to perimeter security.
What Is the Perimeter of a Network?
Key points
A perimeter is any point that connects to networks outside of an organization.
In a typical network, perimeter points can include:
• Direct Internet connections. Any connection to the Internet from within an
organization.
• Dedicated WAN links. Wide area network (WAN) links to branch offices,
trusted partners, or other facilities outside of the organization.
• Screened subnets. Protected areas within a network that run services, such
as business-to-business (B2B) services, that the organization exposes to
public networks, such as the Internet.
• VPN clients. A virtual private network (VPN) tunnel to remote users who
are accessing the internal network across a public network.
• Applications. Organizations may run applications that access the Internet or
access services running in a screened subnet.
• Wireless connections. Access to wireless networks can often be gained from
outside of an organization’s physical facilities.
Why Perimeter Security Is Important
Key points
Assets are vulnerable to threats from both external and internal attackers. For
example:
External attacker scenario
An external attacker runs a series of port scans on a network. The attacker uses
the information to create a network diagram of the perimeter, including
computers in the screened subnet, operating systems of network devices and
computers, services running in the screened subnet, and the level of security
that is implemented on the network. The attacker researches known
vulnerabilities of these network devices, computers, and services, and then
attacks the network systematically.
Internal attacker scenario
An employee receives an e-mail from a friend through an external Web-based
e-mail account. When the employee opens a file that is enclosed in the e-mail, a
new worm virus automatically spreads to all computers on the internal network.
The traffic from the spreading virus slows legitimate traffic, resulting in a
denial of service (DoS) for network users.
[...]

... applications. Any e-mail applications that access the Web can spread viruses because they circumvent the mail servers that use the organization’s firewall.
Additional reading
• Use and maintain antivirus software. Third-party antivirus software can prevent attacks from such threats as viruses, Trojan horse applications, and worms.
• Educate users about security. Increasing user awareness through information campaigns ...

... domain. Northwind Traders recently deployed a Web server so that employees can retrieve their e-mail messages. The IT manager has asked you to explain how a Land attack and a SYN flood attack (or SYN-ACK attack) can prevent users from retrieving their e-mail. Use the Internet to locate information about how Land and SYN-ACK attacks affect perimeter security.
Questions
1. What is a Land attack, and how can ...

... the main network. You can use routers and firewalls to screen traffic that goes in and out of a screened subnet. Types of network perimeters include:
• Bastion host. Acts as the main connection for computers on the internal network that are accessing the Internet. As a firewall, the bastion host is designed to defend against attacks that are aimed at the internal network. Smaller networks typically use bastion ...

... remain half open. The attacker repeatedly changes the spoofed source address on each new packet that is sent to generate additional traffic and deny legitimate traffic. An attacker could use a SYN-ACK attack against the router, firewall, or Web server at Northwind Traders to prevent users from retrieving their e-mail messages.
Sources of information include:
• RFC 2267, Defeating Denial of Service Attacks ...

... their email messages?
A Land attack sends SYN packets with the same source and destination IP addresses and the same source and destination ports to a host computer. This makes it appear as if the host computer sent the packet to itself. The host will continue to attempt to contact itself and prevent legitimate traffic from being processed. An attacker could use a Land attack against the router, firewall, ...

... Repudiation, Information disclosure, Denial of service, and Elevation of privilege) and life cycle threat models
Manage risks: Qualitative and quantitative risk analysis
Phase / Task / Details
Building: Create policies and procedures for securing:
• Perimeter devices and network perimeters
• Servers in screened subnets
• Computers connected to the Internet
...

Lab A: Designing Security for Network Perimeters
Objectives
After completing this lab, you will be able to apply security design concepts to network perimeters.
Scenario
You are a consultant hired by Contoso Pharmaceuticals to help the company design security for its network. Each lab uses an interactive application ...

... scenario-based information. To begin a lab, on the desktop, click Internet Explorer; this opens a Web page that contains links to each lab. Click a link to begin a lab.
Estimated time to complete this lab: 30 minutes
Work with a lab partner to perform the lab.
To complete a lab
1. Read Ashley Larson’s e-mail in each lab to determine the goals for the lab.
2. Click Reply, and then type your answer to Ashley’s ...

... Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.
Lab A: Designing Security for Network Perimeters
Lab Questions and Answers
Answers may vary. The following are possible answers.
1. How would you configure the firewall?
Configure the firewall to permit only inbound and outbound File Transfer Protocol ...

... common, an organization’s network often maintained only one connection to a public network. Today, Internet access, remote access, and branch office connectivity have become vital to the operation of an organization. As organizations increase their requirements for connectivity, the difficulty of managing network connections increases, and so does the risk that information and computers may be exposed to attack.

... Unavailable Because of Malicious SYN Attacks.
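The practice answers above describe a Land attack (a SYN whose source address and port equal its destination) and a SYN flood that leaves connections half open. The following is an added example, not part of the courseware, showing how a perimeter sensor could recognize both from raw IPv4/TCP headers; the function names, documentation-range addresses and sample packets are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, flags), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:  # need TCP header up to the flags byte
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, sport, dst, dport, pkt[ihl + 13]

def is_land(pkt):
    """True for a SYN whose source address and port equal its destination."""
    f = parse_ipv4_tcp(pkt)
    return f is not None and bool(f[4] & SYN) and f[0] == f[2] and f[1] == f[3]

def half_open_by_target(packets):
    """Count SYNs per (dst, dport) that never saw the client's final ACK."""
    pending = set()
    for pkt in packets:
        f = parse_ipv4_tcp(pkt)
        if f is None or is_land(pkt):
            continue
        src, sport, dst, dport, flags = f
        if flags & SYN and not flags & ACK:      # client opens a connection
            pending.add((src, sport, dst, dport))
        elif flags & ACK and not flags & SYN:    # client completes the handshake
            pending.discard((src, sport, dst, dport))
    return Counter((dst, dport) for _, _, dst, dport in pending)

def build(src, sport, dst, dport, flags):
    """Constructed header bytes for the sample (checksums zero); never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

# Constructed sample: one Land packet, one completed handshake, five spoofed SYNs.
SAMPLE = [build("192.0.2.10", 80, "192.0.2.10", 80, SYN),
          build("203.0.113.5", 40000, "192.0.2.10", 80, SYN),
          build("203.0.113.5", 40000, "192.0.2.10", 80, ACK)]
SAMPLE += [build(f"198.51.100.{i}", 1024 + i, "192.0.2.10", 80, SYN) for i in range(1, 6)]

if __name__ == "__main__":
    print(sum(is_land(p) for p in SAMPLE), dict(half_open_by_target(SAMPLE)))
```

A sensor would alert on any Land match and on a per-target half-open count that exceeds a threshold chosen for the site's normal traffic.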
Lesson: Designing Security for