1. Network Security
1.1 Explain the security function and purpose of network devices and technologies
Firewalls : Firewalls protect against and filter out unwanted traffic. A firewall can be an individual device or can be added to a router. For example, most SOHO routers have a firewall built in, and Cisco Integrated Services Routers include the Cisco IOS Firewall. Regular routers, and routers with firewall functionality, have the ability to block certain kinds of traffic. For example, if the ICMP protocol has been blocked, then you would not be able to ping the router.
1. A personal firewall is software that resides on the end user's computer. This differs from a regular firewall in that a personal firewall is geared to protect a single user's computer.
2. The following are the basic types of firewall architectures:
Hub : A hub is basically a multi-port repeater. When it receives a packet, it repeats that packet out each port. This means that all computers that are connected to the hub receive the packet whether it is intended for them or not. It's then up to the computer to ignore the packet if it's not addressed to it. This might not seem like a big deal, but imagine transferring a 50 MB file across a hub. Every computer connected to the hub gets sent that entire file (in essence) and has to ignore it.
Bridge : A bridge is a kind of repeater, but it has some intelligence. It learns the layer 2 (MAC) addresses of devices connected to it. This means that the bridge is smart enough to know when to forward packets across to the segments that it connects. Bridges can be used to reduce the size of a collision domain or to connect networks of differing media/topologies, such as connecting an Ethernet network to a Token Ring network.
Switch : A switch is essentially a multi-port bridge. The switch learns the MAC addresses of each computer connected to each of its ports. So, when a switch receives a packet, it only forwards the packet out the port that is connected to the destination MAC address. Remember that a hub sends the packet out every port.
Router : A router works at the logical layer of the IP stack. It is basically required to route packets from one network (or subnet) to another network (or subnet). In the given question, all the computers are within the same subnet and a router is inappropriate.
Gateway : A gateway works at the top layers of the TCP/IP stack. For example, a Gateway may be used to facilitate communication between a Unix mail server and a Windows mail server.
Load Balancer : A load balancer is used to distribute workload across multiple computers or a computer cluster. This can be done with dedicated hardware or with software.
Proxies : Proxies, also called proxy servers, cache website information for the clients, reducing the number of requests that need to be forwarded to the actual web server on the Internet. They save time, use bandwidth efficiently, and also help to secure the client connections.
VPN (Virtual Private Network) : A VPN is a private network formed over the public Internet. It is formed between two hosts using tunneling protocols such as PPTP, L2TP, etc. Using a VPN, you can connect two LANs in geographically distant locations together, as if they were located in the same building. The cost of connecting these LANs together is small, since the public Internet provides the WAN link.
1. The VPN can be implemented in any of the following combinations:
a. Gateway-to-gateway VPN: It is transparent to the end users.
b. Gateway-to-host VPN
c. Host-to-gateway VPN
d. Host-to-host VPN : This configuration provides the highest security for the data.
The host-to-host configuration provides the highest security for the data. However, a gateway-to-gateway VPN is transparent to the end users.
2. VPN concentrators allow for secure encrypted remote access.
3. Intranet : It is used by the employees within the organization.
4. Extranet : The customers and vendors of the company use this for order processing and inventory control on-line.
NIDS (Network Intrusion Detection System) : It is a type of IDS (intrusion detection system) that detects malicious network activity. It constantly monitors the network traffic. A honeypot or honeynet is used to attract and trap potential attackers. Example: Snort.
NIPS (Network Intrusion Prevention System) : It is designed to inspect traffic and, based on its configuration or security policy, it can remove, detain, or redirect malicious traffic. Example: McAfee IntruShield.
Protocol Analyzer and Packet Analyzer (Sniffer) : These are loaded on a computer and are controlled by the user in a GUI environment; they capture packets, enabling the user to analyze them and view their contents. Example: Network Monitor.
Spam filters : Spam filters help to filter out spam (unwanted e-mail). They can be configured in most e-mail programs or can be implemented as part of an anti-malware package.
Network firewalls : These are also called packet filters, and they operate at a low level of the TCP/IP stack. They do not allow packets to pass through unless the packets meet an established set of rules.
Application Firewall : It can control the traffic associated with specific applications. These work on the application layer of the TCP/IP stack. They inspect each packet traveling to and from an application such as a browser or telnet client, and block the packet if it is improper according to the configured rules.
URL Filtering : URL filtering is used to categorize the websites on the Internet. You can allow or block access to specific websites for the web users of the organization. This can be done by referring to a central database or by classifying the websites in real time. URL filtering can also be made applicable only during certain times of the day or days of the week, if required.
Content inspection : Content inspection is the process in which user data is actively monitored for malicious elements and bad behaviour according to configured policies, before the content is allowed or denied passage through the gateway into the network. This also prevents confidential data from going outside the network.
1.2 Apply and implement secure network administration principles
All web applications such as Web servers, News servers, email servers, etc. need to be configured as securely as possible. This can be achieved by:
Removing all unnecessary services: These are the services that are installed but not used. For example, you might have installed TFTP but are not using it. It is better to remove an application or service that is not used, as it may provide an opportunity for a hacker to abuse the resource.
Removing all unnecessary protocols: These are the protocols that are installed but not used. For example, you might have installed the Novell NetWare protocol but do not need it. It is preferable to remove that protocol.
Enabling server and application logs: The logs provide an opportunity to look into the activity on the server over the past few hours or days. Check for any unusual activity, such as failed login attempts.
Secure router configuration : Before a router is put on a network make sure you set a username and password for it. Also, the password should be complex and difficult to crack. Make sure you check all default settings and change them according to requirement.
Access control lists (ACLs) : An ACL resides on a router, firewall or computer and decides who can access the network and who cannot. That is, it permits or denies traffic. It specifies which user or group of users is allowed what level of access on which resource. It makes use of IP addresses and port numbers.
Port Security : It deals more with switches and the restriction of MAC addresses that are allowed to access particular physical ports.
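To make the Switch entry under 1.1 and the Port Security entry concrete, here is an added example (not part of these notes) that models a learning switch: it learns source MAC addresses per ingress port, forwards a known unicast destination out a single port, floods unknown and broadcast destinations the way a hub repeats everything, and applies a per-port limit on the number of MAC addresses allowed, disabling the port on a violation. The port numbers, MAC addresses and the "shutdown on violation" behaviour are assumptions chosen for the illustration.

```python
"""Learning switch with optional port security (added example, constructed data)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


@dataclass
class Switch:
    ports: list                                      # port identifiers, e.g. [1, 2, 3, 4]
    mac_table: dict = field(default_factory=dict)    # MAC -> port it was learned on
    max_macs: dict = field(default_factory=dict)     # port -> max distinct MACs allowed (port security)
    secure_macs: dict = field(default_factory=dict)  # port -> set of MACs already seen on it
    disabled: set = field(default_factory=set)       # ports shut down after a violation

    def receive(self, in_port, frame):
        """Process one frame and return the list of ports it is sent out of."""
        if in_port in self.disabled:
            return []                                # a shut-down port forwards nothing
        # Port security: a new MAC beyond the configured cap is a violation (assumed: shutdown mode).
        if in_port in self.max_macs:
            seen = self.secure_macs.setdefault(in_port, set())
            if frame.src not in seen:
                if len(seen) >= self.max_macs[in_port]:
                    self.disabled.add(in_port)
                    return []
                seen.add(frame.src)
        # Learning: the source MAC is reachable through the ingress port.
        self.mac_table[frame.src] = in_port
        # Forwarding: known unicast goes out exactly one port; unknown/broadcast floods.
        out = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and out is not None:
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port and p not in self.disabled]


def hub_forward(ports, in_port):
    """A hub has no MAC table: every frame is repeated out every other port."""
    return [p for p in ports if p != in_port]


def demo():
    """Walk through the behaviours described in the notes; returns a dict of outcomes."""
    sw = Switch(ports=[1, 2, 3, 4], max_macs={3: 1})   # port 3 allows a single MAC
    a, b, c, d = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
                  "00:00:00:00:00:0c", "00:00:00:00:00:0d")
    results = {}
    results["unknown_dst_floods"] = sw.receive(1, Frame(a, b))    # b unknown -> [2, 3, 4]
    results["known_dst_unicast"] = sw.receive(2, Frame(b, a))     # a learned on 1 -> [1]
    results["hub_always_floods"] = hub_forward([1, 2, 3, 4], 2)  # [1, 3, 4]
    results["secure_first_mac_ok"] = sw.receive(3, Frame(c, a))   # first MAC on port 3 -> [1]
    results["secure_violation"] = sw.receive(3, Frame(d, a))      # second MAC -> [] and port 3 disabled
    results["port3_disabled"] = 3 in sw.disabled
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real switches also age out MAC-table entries and offer violation modes other than shutdown (for example, dropping only the offending frames); the model above keeps the single mode to show the mechanism.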
802.1X : It is an IEEE standard known as port-based Network Access Control (PNAC). It works at the Data Link Layer. It connects hosts to a LAN or WLAN. It also allows you to apply a security control that ties physical ports to end-device MAC addresses, and prevents additional devices from being connected to the network.
Flood Guards : A flood guard can be implemented on some firewalls and other devices. It tracks network traffic to identify scenarios such as SYN, ping and port floods. By reducing the tolerance for such traffic, it is possible to reduce the likelihood of a successful DoS attack. If it looks as though a resource is being overused, the flood guard comes into the picture.
Loop protection : To avoid loops, many network administrators implement Spanning Tree Protocol on their switches. Loop protection should be enabled on the switch to prevent the looping that can occur when a person connects both ends of a network cable to the same switch.
Implicit deny : It requires that all access is denied by default and access permissions are granted to specific resources only when required. An implicit deny clause is implied at the end of each ACL, and it means that if the provision in question has not been explicitly granted, then it is denied.
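The ACL and Implicit deny entries above describe the same evaluation rule: entries are checked top-down, the first match wins, and anything that reaches the end of the list is denied. The following added example (not from these notes) implements that evaluation in Python; the rule fields, the sample ACL for a DMZ web host and the packets are constructed for the illustration.

```python
"""Ordered ACL evaluation with an implicit deny at the end (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # CIDR such as "10.0.0.0/8", or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port; None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(cidr, addr):
    """True when addr falls inside cidr (or cidr is the wildcard "any")."""
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule, pkt):
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl, pkt):
    """Return (action, index of the matching rule); index is None when the implicit deny applied."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i          # first match wins; later rules are never consulted
    return "deny", None                    # implicit deny: nothing matched


# Constructed ACL protecting a DMZ web host at 192.0.2.10. Order matters: the guest VLAN's
# SSH deny sits above the broader internal permit so that the permit cannot override it.
ACL = [
    Rule("permit", "tcp", "any", "192.0.2.10/32", 443),           # HTTPS from anywhere
    Rule("deny", "tcp", "10.0.50.0/24", "192.0.2.10/32", 22),     # guest VLAN may not SSH
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),     # other internal hosts may SSH
    Rule("permit", "icmp", "10.0.0.0/8", "any", None),            # internal ping allowed
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", 443),
                Packet("tcp", "10.0.50.9", "192.0.2.10", 22),
                Packet("tcp", "10.1.2.3", "192.0.2.10", 22),
                Packet("udp", "10.1.2.3", "192.0.2.10", 53)):
        print(pkt, "->", evaluate(ACL, pkt))
```

The UDP/53 packet shows the implicit deny in action: no rule mentions UDP, so the packet is dropped even though the internal source range is permitted elsewhere in the list. Swapping rules 2 and 3 would silently permit guest SSH, which is why ACL reviews check ordering as well as individual entries.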
Log Analysis : Log analysis is used to determine what happened at a specific time on a particular system.
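The "Enable server and application logs" step under 1.2 says to check for unusual activity such as failed login attempts, and the Log Analysis entry says logs tell you what happened at a specific time. The added example below (not part of these notes) does both over a constructed sshd-style auth log: it parses each line into a timestamp, result, user and source address, then flags any source with at least a threshold number of failures inside a sliding time window. The log lines, the year, the threshold and the window are all constructed assumptions.

```python
"""Failed-login analysis over constructed sshd-style log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in syslog format (no year in the timestamp; 2024 is assumed below).
SAMPLE_LOG = """\
Mar  3 10:01:02 srv1 sshd[311]: Failed password for invalid user admin from 203.0.113.5 port 50210 ssh2
Mar  3 10:01:04 srv1 sshd[311]: Failed password for invalid user admin from 203.0.113.5 port 50211 ssh2
Mar  3 10:01:05 srv1 sshd[311]: Failed password for root from 203.0.113.5 port 50212 ssh2
Mar  3 10:01:07 srv1 sshd[311]: Failed password for root from 203.0.113.5 port 50213 ssh2
Mar  3 10:01:09 srv1 sshd[311]: Failed password for root from 203.0.113.5 port 50214 ssh2
Mar  3 10:02:00 srv1 sshd[312]: Accepted publickey for alice from 10.0.0.21 port 40012 ssh2
Mar  3 10:05:30 srv1 sshd[313]: Failed password for bob from 10.0.0.33 port 40100 ssh2
Mar  3 10:05:45 srv1 sshd[313]: Accepted password for bob from 10.0.0.33 port 40100 ssh2
Mar  3 11:00:00 srv1 sshd[314]: Failed password for root from 203.0.113.5 port 50300 ssh2
"""

# Matches the common "Failed/Accepted <method> for [invalid user] <user> from <ip>" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text, year=2024):
    """Return a list of (timestamp, result, user, ip) tuples for recognised auth lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # not an authentication event we track
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for sources with >= threshold failures within any window."""
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside the window.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for ip, count in failed_login_bursts(events).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```

A single mistyped password (bob from 10.0.0.33) is not flagged, while the burst from 203.0.113.5 is; the failure an hour later falls outside the window and does not inflate the count. In practice the same parse step feeds a SIEM, and the threshold and window are tuned to the environment's normal failure rate.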