Monday, 9 September 2019

How to Maintain Network Security Steps

How to Maintain Network Security Steps

This is a brief on "How to Maintain Network Security Steps". After the end of this article you will able to understand the following  Network Security Steps:

  • Security threats and vulnerabilities need to be taken into account when planning the implementation of a network. All network devices must be protected. This includes routers, switches, devices for end users and even security devices. Networks should be protected against malicious software, such as viruses, Trojan horses and worms.
  • Networks must also be protected against network attacks: recognition, access and denial of service. There are several ways to protect the network against network attacks.
  • Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices.
  • To protect network devices, it is important to use strong passwords. In addition, when accessing network devices remotely, it is recommended to enable SSH instead of the Telnet protocol, which is not secure.

1. SECURITY MEASURES FOR NETWORK DEVICES

Whether they are wired or wireless networks, computer networks are increasingly fundamental to everyday activities. Both people and organizations depend on PCs and networks. Intrusions of unauthorized persons can cause costly network interruptions and job losses. Attacks on a network can be devastating and can cause loss of time and money due to damage or theft of important information or assets.

CATEGORIES OF NETWORK SECURITY THREATS

Intruders can access a network through software vulnerabilities, hardware attacks or by deciphering someone's username and password. Typically, intruders who gain access through software modification or exploitation of software vulnerabilities are called hackers.
Once a hacker gains access to the network, four types of threats may arise:

  • Information theft : Unauthorized entry into a computer to obtain confidential information. The information can be used or sold for different purposes.
  • Identity theft: A form of information theft in which personal information is stolen in order to usurp the identity of another person. Identity theft is a growing problem that costs billions of dollars a year.
  • Data loss or manipulation : Unauthorized entry into a computer to destroy or alter data records. Examples of data loss: sending a virus that changes the format of a PC's hard drive. Example of data manipulation: unauthorized entry into a system of records to modify information, such as the price of an item.
  • Service interruption : Prevent legitimate users from accessing services that they should be able to access.

Even in small networks, security threats and vulnerabilities must be taken into account when planning a network implementation.

PHYSICAL SECURITY

When you think about network security, or even computer security, you may think of attackers who exploit software vulnerabilities.
If the network resources are exposed to physical risks, an attacker may deny the use of such resources.
The four kinds of physical threats are as follows:

  1. Hardware threats : physical damage to servers, routers, switches, wiring plant and workstations
  2. Environmental threats : extremes of temperature (too hot or too cold) or extremes of humidity (too wet or too dry)
  3. Electrical threats : voltage spikes, insufficient voltage supply (partial blackouts), power without conditioning (noise) and total power drop
  4. Maintenance threats : poor management of key electrical components (electrostatic discharge), lack of critical spare parts, poor wiring and labeling
Some of these problems must be addressed in the organization's policies. Some of them depend on a good management and administration of the organization.

TYPES OF SECURITY VULNERABILITIES

Three network security factors are vulnerability, threats and attacks .

  • Vulnerability is the degree of weakness inherent in each network and device. This includes routers, switches, desktops, servers and even security devices.
  • Threats include people interested in taking advantage of every security weakness and trained to do so.
Threats are carried out with a variety of tools, scripts and programs to initiate attacks against networks and network devices. Typically, network devices that suffer attacks are terminals, such as servers and desktops.

2. VULNERABILITIES AND NETWORK ATTACKS

Malicious code attacks include various types of PC programs that were created with the intention of causing data loss or damage to them. The three main types of malicious code attacks are viruses, Trojan horses and worms .

VIRUSES, WORMS AND TROJAN HORSES


  • Virus : A virus is a type of malicious software that is associated with another program to execute a specific unwanted function on a workstation.

Note : In general, viruses require a delivery mechanism, a vector, such as a zip file or some other executable file attached to an email, to transport the virus code from one system to another.

  • Trojan horse : it only differs in that the entire application was created in order to appear to be something else, when in reality it is an attack tool.
  • Worms : they are autonomous programs that attack a system and try to exploit a specific vulnerability of the target. Once the vulnerability is exploited, the worm copies its program from the attacking host to the recently attacked system to restart the cycle.

The anatomy of a worm attack is as follows:

  1. Enabling vulnerability : the worm is installed by exploiting known vulnerabilities of the systems, such as naive end users who open executable attachments without checking emails.
  2. Propagation mechanism : After obtaining access to a host, the worm is copied to that host and then selects new targets.
  3. Content : once a host was infected with the worm, the attacker has access to the host, often as a privileged user. Attackers can use a local vulnerability to raise their privilege level to that of administrator.

RECONNAISSANCE ATTACKS

In addition to malicious code attacks, networks may fall prey to various network attacks.
Network attacks can be classified into three main categories:

  • Recognition attacks : unauthorized detection and schematization of systems, services or vulnerabilities.
  • Access attacks : unauthorized manipulation of data, access to the system or user privileges.
  • Denial of service : they consist of deactivating or damaging networks, systems or services. 
  • Reconnaissance attacks

External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space allocated to a particular company or entity. Once the IP address space is determined, an attacker can ping the publicly available IP addresses to identify the addresses that are active. To contribute to the automation of this step, an attacker can use a ping scan tool, such as fping or gping, that systematically ping all network addresses in a given range or subnet. This is similar to reviewing a section of a phone book and calling each number to see who attends.

ATTACKS WITH ACCESS

Access attacks exploit known vulnerabilities of authentication services, FTP services and Web services to gain access to Web accounts, confidential databases and other confidential information. An access attack allows a person to gain unauthorized access to information that they do not have the right to see. Access attacks can be classified into four types: Password attack, Trust exploitation, Port redirection and Man-in-the-middle attack.



One of the most common types of access attacks is password attack . Password attacks can be implemented with packet detection programs to obtain user accounts and passwords that are transmitted as unencrypted text. Password attacks can also refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password or both. These repeated attempts are called " dictionary attacks " or "brute force attacks."

ATTACKS ON DOS (DENIAL OF SERVICE)

DoS attacks are the best known form of attack and are also among the most difficult to eliminate. Even within the community of attackers, DoS attacks are considered trivial and are frowned upon, since they require very little effort to execute. However, due to ease of implementation and potentially considerable damage, security administrators must pay special attention to DoS attacks.

DoS attacks have many forms. Fundamentally, they prevent authorized persons from using a service by consuming system resources.

3. MITIGATION OF NETWORK ATTACKS

Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading on the network. Antivirus software can be implemented at the user level and at the network level.Staying up to date with the latest advances in these types of attacks can also contribute to a more effective defense against them. Mitigating worm attacks requires the diligence of network and systems administration personnel. The following are the recommended steps to mitigate worm attacks:

  • Containment : contain the spread of the worm within the network. Divide the uninfected parts of the network into sections.
  • Inoculation : start patching all systems and, if possible, examine for vulnerable systems.
  • Quarantine : Track all infected machines within the network. Disconnect or remove infected machines from the network or block them.
  • Treatment : clean all infected systems and apply patches. Some worms may require a complete reinstallation of the central system to clean the system.

BACKUPS, UPDATES AND PATCHES

The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and apply patches to all vulnerable systems.

This is difficult with uncontrolled user systems in the local network. The administration of numerous systems involves the creation of an image of standard software (operating system and accredited applications whose use is authorized in client systems) that is implemented in new or updated systems. However, security requirements change, and updated security patches may have to be installed on systems that are already implemented.

AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices. AAA is a way of controlling who is allowed to access a network (authenticate), control what people can do while they are there (authorize) and observe the actions they take while accessing the network (accounting).

  • Authentication : Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and answer questions, token cards and other methods.
  • Accounting : Accounting records what the user does, including the elements he accesses, the amount of time he accesses the resource and all the changes that were made.
  • The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it and how much that user can spend, and keeps track of the items in which the user spent money, as shown in the illustration.

FIREWALLS

In addition to protecting the individual computers and servers connected to the network, it is important to control inbound and outbound network traffic. The firewall is one of the most effective security tools available for the protection of internal network users against external threats. The firewall resides between two or more networks and controls traffic between them, in addition to preventing unauthorized access. Firewall products use different techniques to determine what access to allow and what access to deny on a network.

FIREWALL TECHNIQUES

These techniques are as follows:

  • Packet filtering : prevents or allows access based on IP or MAC addresses.
  • Application filtering : prevents or allows access to specific types of applications according to port numbers.
  • URL filtering : prevents or allows access to websites based on specific keywords or URLs.
  • Stateful packet inspection (SPI) : Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packages are blocked, unless specifically allowed. The SPI may also include the ability to recognize and filter specific types of attacks, such as denial of service (DoS) attacks.

FIREWALLS PRODUCTS

Firewall products can support one or more of these filtering capabilities. In addition, firewalls usually perform network address translation (NAT). The NAT translates an address or group of IP addresses internal and external public IP address sent through the network. This allows you to hide the internal IP addresses of external users.
Firewall products come in different formats.

  • Application- based firewalls: An application- based firewall is a firewall built into a dedicated hardware device, known as a security application.
  • Server- based firewalls: A server- based firewall consists of a firewall application that runs on a network operating system (NOS), such as UNIX or Windows.
  • Integrated firewalls: An integrated firewall is implemented by adding firewall functionalities to an existing device, such as a router.
  • Personal firewalls: Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default on the OS or they may come from an external provider.

TERMINAL SECURITY

A network is just as secure as its weakest link. The main threats that are most analyzed in the media are external threats, such as Internet worms and DoS attacks. But the protection of the internal network is as important as the protection of the perimeter of a network. The internal network consists of network terminals. A terminal, or a host, is a computer system or an individual device that acts as a network client. Common terminals are laptops, desktops, servers, smartphones and tablet PCs. If users do not apply security to terminal devices, no security precaution will guarantee a secure network.
The security of terminal devices is one of the most challenging jobs for a network administrator, since it includes human nature. Employees should be trained on the correct use of the network. In general, these policies include the use of antivirus software and host intrusion prevention. The most comprehensive terminal security solutions depend on network access control.

4. DEVICE PROTECTION

A part of network security is to protect the devices themselves, including end devices and intermediaries, such as network devices. When a new operating system is installed on a device, the security settings are set to default values. In most cases, that level of security is insufficient.


On Cisco routers, the Cisco AutoSecure feature can be used to protect the system, as described in the illustration. There are some simple steps that must be followed and that apply to most operating systems:

  • Usernames and default passwords must be changed immediately.
  • Access to system resources should be restricted only to people who are authorized to use those resources.
  • Whenever possible, all unnecessary services and applications should be deactivated and uninstalled.
  • All devices with security patches should be updated as they become available.

SECURE PASSWORDS

To protect network devices, it is important to use strong passwords. The standard guidelines that should be followed are as follows:

  • Use a password length of at least eight characters and preferably ten characters or more. The longer it is, the better the password.
  • Create complex passwords. Include a combination of upper and lower case letters, numbers, symbols and spaces, if allowed.
  • Avoid passwords based on repetition, common dictionary words, sequences of letters or numbers, usernames, family or pet names, biographical information, identification numbers, ancestor names or other easily identifiable information.
  • Enter a password with spelling errors on purpose. For example, Smith = Smyth = 5mYth, or Security = 5security.
  • Change passwords frequently. If a password is compromised without knowing it, the opportunities for the attacker to use it are limited.
  • Do not write down passwords or leave them in obvious places, for example, on your desktop or monitor.

On Cisco routers, the initial spaces for passwords are ignored, but the spaces that follow the first character are not ignored.
Note : One method to create a strong password is to use the space bar in the password and create a phrase composed of many words. This is called a " passphrase ".
Administrators must ensure that strong passwords are used throughout the network. One way to achieve this is to use the same “brute force” attack tools that attackers use as a method to verify password security.

BASIC SECURITY PRACTICES

When implementing devices, it is important to follow all safety guidelines set by the organization. This includes the designation of devices in such a way that it facilitates the tasks of registration and monitoring, but also maintains some type of security. It is not recommended to provide too much information about the use of the device in the host name. There are many other basic security measures that must be implemented.

ADDITIONAL PASSWORD SECURITY

Secure passwords are useful insofar as they are secret. Various measures can be taken to ensure that passwords remain secret. Through the global configuration command service password-encryption , unauthorized persons are prevented from seeing the passwords as unencrypted text in the configuration file. This command causes the encryption of all unencrypted passwords.

Also, to ensure that all configured passwords have a specific minimum length, use the security passwords min-length command of the global configuration mode.

Another way in which hackers discover passwords is simply by brute force attacks, that is, by testing several passwords until one works. It is possible to avoid such attacks if attempts to log in to the device are blocked when a certain number of errors occur within a specific period.

Router (config) # login block-for 120 attempts 3 within 60
This command blocks login attempts for 120 seconds if there are three failed login attempts in 60 seconds.

Example of secure configuration:

Router (config) #service password-encryption
Router (config) #security password min-length 8
Router (config) #login block-for 120 attempts 3 within 60
Router (config) #line vty 0 4
Router (config-vty) # exec-timeout 10 
Router (config-vty) #end
# Show running-config router
-more-
!
line vty 0 4
 password 7 03095A0F034F38435B49150A1819
 exec-timeout 10
 login

MESSAGES

The warning messages are similar to the entry prohibition notices. They are important in order to sue anyone who accesses the system inappropriately in court. Make sure that the warning messages comply with the organization's security policies.

Router (config) # banner motd # message #
EXEC TIMEOUT
Another recommendation is to configure execution timeouts. When configuring the runtime, it instructs the Cisco device to automatically disconnect users on a line after they have been inactive during the runtime timeout value.
Execution timeouts can be configured on console, vty and auxiliary ports.

Router (config) # line vty 0 4
Router (config-vty) # exec-timeout 10
This command disconnects users after 10 minutes.

ACTIVATE SSH

The old protocol to manage devices remotely is Telnet. Telnet is not safe. The data contained in a Telnet packet is transmitted without encryption. Using a tool like Wireshark, it is possible for someone to detect a Telnet session and obtain password information. For this reason, it is especially recommended to enable SSH on devices to obtain a secure remote access method. It is possible to configure a Cisco device to support SSH through four steps:


  1. Step 1 . Make sure the router has a unique host name and configure the network's IP domain name using the ip domain-name domain-name command in global configuration mode.
  2. Step 2 . Unidirectional secret keys must be generated for a router to encrypt SSH traffic. The key is precisely what is used to encrypt and decrypt data. To create an encryption key, use the crypto key generate rsa general-keys modulus module-size command in global configuration mode. AND
Router (config) # crypto key generate rsa general-keys modulus 1024
  1. Step 3 . Create a username entry in the local database using the username secret secret name command of the global configuration mode.
  2. Step 4. Enable incoming SSH sessions by vty using the line vty login local and transport input ssh commands .


The router's SSH service can now be accessed using SSH client software.

No comments:

Post a Comment