Network Security Overview
U.S. Public Company Accounting Reform and Investor
Protection Act of 2002 (Sarbanes-Oxley or SOX): Focuses on the accuracy and
controls imposed on a company’s financial records. This was passed as a U.S. federal
law because of a number of corporate and accounting scandals.
Payment Card Industry (PCI) Data Security Standard (DSS): PCI
is a data security standard that defines how to protect credit card holder data,
including the storage and transfer of credit card holder information. Many
retailers that accept credit cards have to meet PCI DSS standards or pay stiff
penalties and are subject to regular and rigorous audits for PCI DSS compliance.
Gramm-Leach-Bliley Financial Services Modernization Act of 1999
(GLBA): Provides protection against the sale of bank and account information
that is regularly bought and sold by financial institutions. GLBA also guards
against the practice of obtaining private information through false pretenses.
U.S. Health Insurance Portability and Accountability Act (HIPAA):
Applies to the protection of private health information that is used
electronically. The purpose is to enable better access to health information, reduce
fraud, and lower the cost of health care in the United States .
EU Data Protection Directive 95/46/EC: Calls for the
protection of people’s right to privacy with respect to the processing of
personal data.
Reconnaissance: The goal of reconnaissance is to gather as
much information as possible about the target host/network. Generally, this
type of information gathering is done before an attack is carried out.
Gaining unauthorized access: Refers to the act of attacking
or exploiting the target system or host. Operating systems, services, and
physical access to the target host have known system vulnerabilities that the
attacker can take advantage of and use to increase his or her privileges. Social
engineering is another technique for obtaining confidential information from
employees by manipulation. As a result of the attacker exploiting the host, confidential
information can be read, changed, or deleted from the system.
Denial of service (DoS): DoS attacks aim to overwhelm
resources such as memory, CPU, and bandwidth and thus impact the target system
and deny legitimate user’s access. Distributed DoS (DDoS) attacks involve
multiple sources working together to deliver the attack.
Feature Description
|
Feature
|
Verifies DHCP transitions and prevents rogue DHCP server from
interfering with production traffic
|
DHCP snooping
|
Intercepts Address Resolution Protocol (ARP) packets and
verifies that the packets have valid IP-to-MAC bindings
|
Dynamic ARP Inspection
(DAI)
|
Prevents unknown source addresses from using the network
as a transport mechanism to carry out attacks
|
Unicast Reverse Path Forwarding (uRFP)
|
Controls what traffic is allowed on the network
|
Access control lists (ACL)
|
Controls the rate of bandwidth that incoming traffic, such
as
ARP packets and DHCP requests
|
Rate limiting
|
When attackers change sensitive data without the proper
authorization, this is called an integrity violation.
Confidentiality breaches occur when the attacker attempts to
read sensitive information.
Security Policy and Process
Basic Approach of a Security Policy:
To help create a security policy, here is generally accepted
approach from RFC 2196:
Step 1. Identify what you are trying to protect.
Step 2. Determine what you are trying to protect it from.
Step 3. Determine how likely the threats are.
Step 4. Implement measures that protect your assets in a
cost-effective manner.
Step 5. Review the process continuously, and make
improvements each time a weakness is found
PKI
- It
relies on asymmetric cryptography, which uses two different keys for
encryption.
- Public
keys are used to encrypt and private keys to decrypt.
- PKI requires a certificate to be issued by a certificate authority (CA) and is used by many e-commerce sites on the Internet.
VPN Description
|
VPN Name
|
Use AH and ESP to secure data; requires endpoints have
IPsec software
|
Standard IPsec
|
Secure encrypted point-to-point GRE tunnels; on-demand
spoke-to-spoke connectivity
|
Cisco DMVPN
|
Simplifies hub-and-spoke VPNs; need to reduce VPN
management
|
Cisco Easy VPN
|
Enables routing and multicast traffic across an IPsec VPN;
non-IP protocol and QoS support
|
Cisco GRE-based VPN
|
Encryption integration on IP and MPLS WANs; simplifies
encryption
management using group keying; any-to-any connectivity
|
Cisco GET VPN
|
The IPsec suite is an open standard. IPsec uses the
following protocols to perform various functions:
- Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagram’s and provides protection against replay attacks.
- Encapsulating Security Payloads (ESP) provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.
- Security Associations (SA) provide the bundle of algorithms and data that provide the parameters necessary to operate the AH and/or ESP operations. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.
No comments:
Post a Comment