
Network Defenses

Niken D Cahyani
Gandeva Bayu Satrya

Telkom Institute of Technology

Learning Objectives

After completing this chapter you should be able to do the following:
- Explain how to enhance security through network design
- Define network address translation and network access control
- List the different types of network security devices and explain how they can be used

Network Design - Subnetting

Subnetting

- IP addressing identifies a network device (called a host) by its unique Internet Protocol (IP) address, which is a 32-bit (4-byte) address such as 192.146.118.20.
- IP addresses are grouped into classes (Class A, B, C, and special Classes D and E). IP addresses are actually two addresses: one part is a network address (such as 192.146.118) and one part is a host address (such as 20).
- Improved addressing techniques in 1985 allowed an IP address to be split anywhere within its 32 bits, known as subnetting.

Security - Subnetting

- Subnetting a single network into multiple smaller subnets isolates groups of hosts.
- Network security tools can then be used to regulate more easily who has access in and out of a particular subnetwork.
- Addresses become instantly recognizable, so the source of a potential security issue can be quickly addressed. For example, any IP address beginning with 192.168.50 can indicate mobile users, 192.168.125 may designate executive users, and 192.168.200 can indicate wireless network users.
- Allows network administrators to hide the internal network layout, making it more difficult for attackers.

Subnetting Example

Advantages of Subnetting
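The following is an added example, not part of the original slides, showing the two ideas above in code: an IPv4 address split into its network and host parts at an arbitrary prefix length (the point of subnetting versus fixed classes), and subnet membership used to label a host's group and to tell whether two hosts sit in the same isolated subnet. The group table (mobile, executive, wireless) follows the slide's 192.168.50 / 192.168.125 / 192.168.200 convention, and the /24 prefixes and sample hosts are assumptions made for illustration.

```python
"""Added example (not from the slides): network/host split and subnet
membership checks with Python's standard ipaddress module."""
from __future__ import annotations

import ipaddress

# Constructed group table: one /24 subnet per user population (assumption,
# modelled on the slide's 192.168.50 / 192.168.125 / 192.168.200 examples).
GROUPS = {
    "mobile users": ipaddress.ip_network("192.168.50.0/24"),
    "executive users": ipaddress.ip_network("192.168.125.0/24"),
    "wireless users": ipaddress.ip_network("192.168.200.0/24"),
}


def split_address(addr: str, prefix_len: int) -> tuple[str, str]:
    """Return (network part, host part) of addr for a given prefix length.

    Classful addressing fixed the split at 8, 16 or 24 bits; subnetting lets
    it fall anywhere in the 32 bits, so prefix_len is a parameter here.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    host_bits = 32 - prefix_len
    host_part = int(ip) & ((1 << host_bits) - 1)   # low-order host bits only
    return str(net.network_address), str(host_part)


def classify(addr: str) -> str:
    """Map an address to its user group by subnet membership."""
    ip = ipaddress.ip_address(addr)
    for name, net in GROUPS.items():
        if ip in net:
            return name
    return "unknown"


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True when a and b share the same network part.

    Hosts in different subnets can only reach each other through a router,
    which is where an access list or firewall can regulate traffic between
    the isolated groups.
    """
    net_a = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix_len}", strict=False)
    return net_a == net_b


if __name__ == "__main__":
    # The slide's example address at the classful boundary and at a
    # subnetted 26-bit boundary.
    print(split_address("192.146.118.20", 24))    # ('192.146.118.0', '20')
    print(split_address("192.146.118.200", 26))   # ('192.146.118.192', '8')
    for host in ("192.168.50.7", "192.168.125.9", "10.0.0.1"):
        print(host, "->", classify(host))
    print(same_subnet("192.168.50.7", "192.168.50.200", 24))   # True
    print(same_subnet("192.168.50.7", "192.168.125.9", 24))    # False
```

With a /26 prefix the same third octet now carries two bits of network information, which is why 192.146.118.200 lands in the 192.146.118.192 subnet with host number 8 rather than 200.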

Network Design - VLAN

- A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches.
- A degree of security similar to subnetting: isolation, so that sensitive data is transmitted only to members of the VLAN.
- Attacks on the switch that attempt to exploit vulnerabilities such as weak passwords or default accounts are common.

Network Design - Convergence

- Convergence of voice and data traffic over a single IP network.
- Two important convergence technologies:
  - Voice over IP (VoIP)
  - IP telephony
- Benefits:
  - Cost savings
  - Management
  - Application development
  - Infrastructure requirements
  - Increased user productivity
  - Increased security: only one network to manage

Convergence - Vulnerability

Network Design - Demilitarized Zone (DMZ)

- A separate network that sits outside the secure network perimeter.

Objectives

After completing this chapter you should be able to do the following:
- Define network address translation and network access control
- List the different types of network security devices and explain how they can be used

Network Technologies - Network Address Translation (NAT)

- NAT hides the IP addresses of network devices from attackers.

Network Technologies - Network Access Control (NAC)

- NAC examines the current state of a system or network device before it is allowed to connect to the network.
- The device must meet a specified set of criteria, such as having the most current antivirus signatures; if it does not, it is only allowed to connect to a quarantine network where the security deficiencies are corrected.
- After the problems are solved, the device is connected to the normal network.
- The goal is to prevent computers with sub-optimal security from potentially infecting other computers through the network.

Network Access Control (NAC)
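As an added example (not from the slides or any particular NAC product), the admission decision above written as a small posture check: a device reports its state, each criterion is evaluated, and the device is placed on the normal network only when every criterion passes, otherwise on a quarantine network together with the list of deficiencies to correct. The criteria (signature age, host firewall, missing patches), the network names and the sample device posture are all constructed for illustration.

```python
"""Added example (not from the slides): a minimal NAC admission decision
with quarantine, remediation and re-check."""
from __future__ import annotations

from datetime import date, timedelta

MAX_SIGNATURE_AGE = timedelta(days=3)   # assumption: older signatures count as stale
NORMAL_NETWORK = "corp-vlan"            # constructed network names
QUARANTINE_NETWORK = "quarantine-vlan"


def check_posture(posture: dict, today: date) -> list[str]:
    """Return the list of failed criteria; an empty list means compliant."""
    failures = []
    sig_date = posture.get("av_signature_date")
    if sig_date is None or today - sig_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures out of date")
    if not posture.get("host_firewall_enabled", False):
        failures.append("host firewall disabled")
    if posture.get("missing_patches", 0) > 0:
        failures.append(f"{posture['missing_patches']} critical patch(es) missing")
    return failures


def admit(posture: dict, today: date) -> tuple[str, list[str]]:
    """Decide which network the device is connected to and why."""
    failures = check_posture(posture, today)
    if failures:
        return QUARANTINE_NETWORK, failures
    return NORMAL_NETWORK, []


if __name__ == "__main__":
    today = date(2024, 1, 10)   # constructed reference date
    laptop = {
        "av_signature_date": date(2024, 1, 2),   # 8 days old: stale
        "host_firewall_enabled": True,
        "missing_patches": 0,
    }
    print(admit(laptop, today))   # ('quarantine-vlan', ['antivirus signatures out of date'])
    # On the quarantine network the signatures get updated, then the device is re-checked.
    laptop["av_signature_date"] = today
    print(admit(laptop, today))   # ('corp-vlan', [])
```

Returning the failure list, not just the verdict, is what lets the quarantine network tell the user (or an automated remediation agent) exactly what must be fixed before the device is re-evaluated.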

Objectives

After completing this chapter you should be able to do the following:
- List the different types of network security devices and explain how they can be used

Network Security Devices - Firewall

- A rule base establishes what action the firewall should take when it receives a packet. The options are:
  - Allow
  - Block
  - Prompt
- Stateless packet filtering looks at the incoming packet and permits or denies it based strictly on the rule base.
- Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base.

Firewall - Rules
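To make the stateless/stateful distinction concrete, here is an added example (not from the slides) that applies one and the same rule base in both modes to a short constructed packet sequence. The rule base, the packet fields and the sample addresses are assumptions; "Prompt" is modelled simply as the returned action name so a caller could ask the administrator.

```python
"""Added example (not from the slides): the same rule base evaluated by a
stateless packet filter and by a stateful one."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = internal -> external, "in" = external -> internal
    flags: str = ""  # informational only, e.g. "SYN", "SYN-ACK"


# Constructed rule base: (direction, destination port or None for any, action).
# First matching rule wins.
RULES = [
    ("out", 80, "Allow"),    # internal hosts may open HTTP connections
    ("out", 443, "Allow"),
    ("in", 22, "Prompt"),    # inbound SSH: ask the administrator
    ("in", None, "Block"),   # all other inbound traffic is blocked
    ("out", None, "Block"),
]


def stateless_filter(pkt: Packet) -> str:
    """Decide on each packet from the rule base alone, no memory of earlier packets."""
    for direction, port, action in RULES:
        if direction == pkt.direction and (port is None or port == pkt.dport):
            return action
    return "Block"   # default deny if nothing matched


class StatefulFilter:
    """Remembers connections an internal host opened and lets their replies back in."""

    def __init__(self):
        # (internal ip, internal port, external ip, external port)
        self.table = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # A reply to a known connection is allowed even though the rule
            # base alone would block inbound traffic to that port.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
                return "Allow"
        action = stateless_filter(pkt)
        if pkt.direction == "out" and action == "Allow":
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed packet sequence (RFC 5737 documentation addresses used as "external").
SAMPLE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 80, "out", "SYN"),       # client opens HTTP
    Packet("203.0.113.10", 80, "10.0.0.5", 51000, "in", "SYN-ACK"),    # server reply
    Packet("198.51.100.7", 4444, "10.0.0.5", 51000, "in", "SYN"),      # unsolicited, same port
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, "in", "SYN"),         # inbound SSH
]


def run_both(packets):
    """Return (stateless decision, stateful decision) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(SAMPLE, run_both(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"stateless={stateless} stateful={stateful}")
```

The second packet is the interesting one: the stateless filter blocks the server's reply because no rule allows inbound traffic to port 51000, which would break every outbound connection; the stateful filter allows it because the connection is in its table, while still blocking the third packet, an unsolicited packet to the same port from a different host.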

Network Security Devices - Proxy Server

- A computer system (or an application program) that intercepts internal user requests and then processes those requests on behalf of the user.
- A reverse proxy does not serve clients but instead routes incoming requests to the correct server. Requests for services are sent to the reverse proxy, which then forwards them to the server.
- To the outside user the IP address of the reverse proxy is the final IP address for requesting services, yet only the reverse proxy can access the internal servers.

Proxy Server

Network Security Devices - Honeypot

- A computer, typically located in a DMZ, that is loaded with software and data files that appear to be authentic, yet are actually imitations of real data files configured with security vulnerabilities so that it is open to attacks.
- Purposes of a honeypot:
  - Deflect attention: a honeypot can direct an attacker's attention away from legitimate servers.
  - Early warnings of new attacks
  - Examine attacker techniques
- Types of honeypots: production honeypots and research honeypots.

Network Intrusion Detection System (IDS)

- An intrusion detection system (IDS) attempts to identify inappropriate activity by comparing new behavior against normal or acceptable behavior and issuing an alert.
- Example functions of an IDS:
  - Configure the firewall to filter out the IP address of the intruder.
  - Launch a separate program to handle the event.
  - Save the packets in an evidence file for further analysis.
  - Send an e-mail, page, or cell phone message to the network administrator.
  - Terminate the TCP session by forging a TCP FIN packet to force the connection to terminate.

Host and Network Intrusion Prevention Systems (HIPS/NIPS)

- HIPS: an IPS installed on each system, such as a server or desktop, that needs to be protected.
- Most HIPS monitor the following desktop functions:
  - System calls
  - File system access
  - System Registry settings
  - Host input/output
- Designed to integrate with existing antivirus, anti-spyware, and firewall software installed on the desktop computer.
- Network intrusion prevention systems (NIPS) work to protect the entire network and all devices that are connected to it.

Protocol Analyzers

- Detect a potential intrusion by:
  - Detecting statistical anomalies.
  - Examining network traffic and looking for well-known patterns of attack, much like antivirus scanning.
  - Protocol analyzer technology.
- Protocol analyzers can fully decode application-layer network protocols, such as Hypertext Transport Protocol (HTTP) or File Transfer Protocol (FTP). Once these protocols are decoded, the different parts of the protocol can be analyzed for any suspicious behavior.

Internet Content Filter

Integrated Network Security Hardware

- Multipurpose security appliances that provide multiple security functions, such as:
  - Antispam and antiphishing
  - Antivirus and antispyware
  - Bandwidth optimization
  - Content filtering
  - Encryption
  - Firewall
  - Intrusion protection system
- Combine or integrate multipurpose security appliances with a traditional network device such as a switch or router to create integrated network security hardware.