9. Security
Security has one purpose: "to protect assets".
In terms of computer networks the assets can be:
- Information (files, data streams, …)
- Servers
- Configurations
- User accounts
- Passwords
- Devices
10. Network Security Goals (CIA Model)
1. Confidentiality: ensure that secrecy is enforced and the information is not read by unauthorized users.
2. Integrity: modification of data by unauthorized users is not permitted.
3. Availability: prevention of loss of access to resources and information.
11. Security Policy
• A policy defines how security is implemented through a set of rules, and that is done by answering the following questions:
- What are you trying to protect?
- What data is confidential?
- What resources are precious?
- What are you trying to protect against?
- Who is authorized to log in to the management plane?
12. Vulnerabilities
A vulnerability is a weakness that is inherent in a network, device, technology or policy.
Types of vulnerabilities:
- Technology weaknesses
- Configuration weaknesses
- Security policy weaknesses
13. Threats
Threats are the people who are eager, willing and qualified to take advantage of each security weakness, and who continually search for new methods and techniques to do so.
Types of threats:
- Internal Threat
- External Threat
16. Firewalls
A firewall is a network security system (software/hardware) that monitors and controls the incoming and outgoing network traffic based on predetermined security rules.
• Modern firewalls include:
- Intrusion Prevention System
- Authentication, Authorization and Vulnerability assessment systems.
17. Intrusion Detection System (IDS)
Used to monitor for "suspicious activity" on a network.
• Syslog server:
18. VPN
Virtual Private Network is a type of private network that uses public
telecommunication, such as the Internet, instead of leased lines to communicate.
VPN uses several protocols such as:
• PPTP -- Point-to-Point Tunneling Protocol
• L2TP -- Layer 2 Tunneling Protocol
19. Encryption
• Encryption is a method of "scrambling" data before transmitting it onto the Internet.
- Public key encryption technique: digital signature
20. k
1- Phase One: Network infrastructure design and layout planning
2- Phase Two: Application of protection and implementation of a secure policy
21. Network Design
Network design is the process of arranging the various components of a network to meet the demands of the subscribers.
Our network design must answer some pretty basic questions:
- What equipment do we get for the network?
- What are the size and type of the devices?
- How do we connect it all?
- How do we configure it to work right?
- What is the method of connection?
- Finally, is the network secure?
22. Phase one Objectives
Design a sophisticated network infrastructure for EEE and the other surrounding departments of the Engineering faculty that accomplishes the concept of availability.
Connect the total infrastructure of the departments through a main core switch.
Assign interfaces and different DHCP pools for each department.
Distribute VLAN subnets that cover classes, labs and staff offices.
Configure the wireless access point for each.
23. GNS3
GNS3 is a graphical network emulator that allows us to design complex network topologies. It provides a real implementation of various devices such as routers, switches and firewalls.
29. Switches distribution in each department
Department                     Floors   24-port switches   48-port switch   Wireless access points
Electric and Electronic Eng.     3             1                  2                    1
Marine Eng.                      2             2                  -                    1
Mechanical Eng.                  1             1                  1                    1
Architectural Eng.               3             1                  1                    1
31. Phase Two
Applying the security protocols:
Creating an encrypted password for the management plane.
Configuring an isolation mechanism.
Allowing the heads of departments' networks to connect to each other.
Creating a syslog server.
Configuring a VPN private network.
Creating a zone-based firewall.
Applying authentication for users.
32. Securing the Management Plane:
Enable a password for each network device and an authentication retries limit.
Enable SSH encryption for the VTY auxiliary port.
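As an added example (not the project's own device configuration), the Cisco IOS commands that implement this slide on one device; the hostname, domain name, username and passwords are placeholders, and the 3-retry and 60-second idle values are the ones given in the speaker notes.

```cisco
! Hostname and domain name are required before the RSA key pair can be generated
hostname CORE-SW
ip domain-name eee.example          ! placeholder domain name
!
! Privileged-EXEC password stored as a hash, never in clear text
enable secret <strong-enable-password>
service password-encryption         ! obfuscates any remaining clear-text line passwords
!
! Local administrator account used by "login local" on the VTY lines
username admin privilege 15 secret <strong-admin-password>
!
! RSA key pair for SSH; SSH version 2 only, 3 authentication retries as on the slide
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 60
!
! Lock out logins for 120 s after 3 failed attempts within 60 s, and log every attempt
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Remote management only over SSH (no Telnet); drop idle sessions after 60 s (exec-timeout mm ss)
line vty 0 4
 transport input ssh
 login local
 exec-timeout 1 0
!
! The auxiliary port is not needed for management, so disable logins on it
line aux 0
 no exec
 transport input none
```

Check the result with "show ip ssh" and "show login", which report the SSH version, the retry limit and the current lockout state.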
35. Initialize the Zone based Firewall
Separate the network into three zones:
1- In zone (internal network)
2- Out zone (ISP)
3- Self (firewall)
Configure the interfaces of the firewall:
Inside (trusted) interface: FastEthernet0/0, 20.1.0.2/24
Outside (untrusted) interface: FastEthernet1/0, 192.168.137.5/24
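An added example, not the project's own GNS3 configuration: the Cisco IOS zone-based firewall commands that create the zones from this slide and place the two interfaces in them. The interface addresses are the ones on the slide; the zone, class-map and policy-map names are made up for this example.

```cisco
! Security zones; the "self" zone (the firewall itself) exists implicitly and needs no definition
zone security IN
 description Internal network (trusted)
zone security OUT
 description ISP side (untrusted)
!
! Which inside-to-outside traffic is stateful-inspected: TCP, UDP and ICMP sessions
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Inspect matched sessions (their return traffic is allowed automatically); drop and log the rest
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop log
!
! Apply the policy only in the IN -> OUT direction. No OUT -> IN zone-pair exists,
! so unsolicited connections from the ISP side are dropped by default. Traffic to and
! from the self zone (e.g. SSH to the firewall) stays permitted until a self zone-pair is defined.
zone-pair security IN-TO-OUT source IN destination OUT
 service-policy type inspect IN-OUT-POLICY
!
! Interface addressing taken from the slide; each interface is placed in its zone
interface FastEthernet0/0
 description Inside (trusted)
 ip address 20.1.0.2 255.255.255.0
 zone-member security IN
 no shutdown
interface FastEthernet1/0
 description Outside (untrusted)
 ip address 192.168.137.5 255.255.255.0
 zone-member security OUT
 no shutdown
```

"show zone-pair security" confirms the pairing and "show policy-map type inspect zone-pair sessions" lists the sessions currently being inspected.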
37. Configure VPN tunnel for Wireless Users
Define the interface for the wireless access point in the CCP, then select the Pre-shared Key authentication.
47. Conclusion
Network design and security is an important field that is getting more and more attention as the Internet expands. Providing the resources and the type of connection is a primary task that should be considered before implementing a network, keeping in mind the security measures and policies that need to be applied to the clients and the communication chain to keep it safe.
An effective network design should be developed with:
1- An understanding of network design concepts such as reliability and availability.
2- Learning the factors that make a network vulnerable and weak against potential threats and attackers.
3- The level of security that is required to achieve stability and confidentiality for the subscribers.
4- Finally, implementing and configuring the network components to supply the demands of the clients while aligning with the security plan that has been laid down.
Topology: the arrangement of the network components
Speed: of the data transmission between source and destination
Cost: less money more honey
Security: indicates how protected the network is
Availability: of the network to the subscribers 24/7
Scalability: how easily the network can accommodate more users and data transmission requirements
Reliability: indicates the dependability of the components that make up the network
PAN: a computer network organized around an individual person.
LAN: a group of devices that share a common communications line.
WAN: used in a large geographical area such as cities or countries.
Network components can be divided into 4 groups:
1- End points: such as PCs and servers
2- Interconnections: NIC (LAN card)
3- Network media: which can be physical media such as cables, or wireless media
4- Connector devices: switches, routers
Assets can be defined as something of value.
In network security certain concepts need to be attained, which are:
Confidentiality: who is authorized to log in or read the data
Integrity: is the data that arrived the same data that was sent
Availability: of the network resources and services to subscribers.
Vulnerabilities may exist in computer systems and networks, leaving the system open to a technical attack, or in administrative procedures.
Internal threats can cause more damage to the network information than external ones.
DoS: attacks that originate from a large number of systems, usually controlled from a single master, sending ping packets to a network server and causing it to fail.
MITM (man-in-the-middle): an attack where the attacker secretly relays and alters the communication between two parties who believe they are directly communicating with each other.
A firewall acts like a shield from outside threats, allowing only predetermined protocols to pass through while denying the others.
An IDS is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activities.
A VPN acts like a private tunnel in an untrusted network such as the Internet, establishing encrypted communication between the two parties.
Encryption simply alters the data in such a way as to hide it from unauthorized individuals.
Encryption has several techniques, such as:
As shown in the figure, the EEE Department consists of three floors.
The first floor contains 7 classes and one beta office for students.
The second floor consists of the staff offices and 3 labs.
The last floor consists of two labs and the administration office.
The total network contains 4 departments of the Engineering faculty (names).
The infrastructure consists of 3 layers.
This layer provides connectivity for network hosts and end devices; it contains the 48- and 24-port switches and the wireless access points.
The core layer contains a fast-switching layer 3 device that connects the departments together.
As shown, this layer contains the AAA and syslog servers, which are connected to the firewall and then to the ISP.
Access switches are chosen depending on the number of classes, labs and floors estimated in each department.
1- To designate when and who is authorized to access/configure the network components.
2- Designated for administrators.
3- To separate each VLAN from the others.
4- !!!!!
5- To receive and correlate events.
6- For wireless access point users.
7- Using a captive portal application.
3 authentication retries and a 60-second idle time.
To segregate each VLAN from the others, we used extended access lists in the main core switch, as shown in this figure.
We used the Kiwi syslog program to receive messages from the core switch and the firewall, choosing the debugging level of logging.
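An added example covering both notes above (the inter-VLAN access lists and the syslog export on the core switch). It is not the project's own configuration: the VLAN numbers, subnets, head-of-department address and syslog server address are constructed, since the slides do not give them.

```cisco
! Constructed addressing (not from the slides): VLAN 10 classes 10.10.0.0/24,
! VLAN 30 staff offices 10.30.0.0/24, head-of-department PC 10.30.0.10,
! Kiwi syslog server 10.99.0.50. All internal VLANs live inside 10.0.0.0/8.
!
! Classes VLAN: DHCP to the switch and traffic to the gateway are allowed, the other internal
! VLANs are denied (and logged), everything else (Internet via the firewall) is allowed.
ip access-list extended VLAN10-CLASSES-IN
 permit udp any eq bootpc any eq bootps
 permit ip 10.10.0.0 0.0.0.255 host 10.10.0.1
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.10.0.0 0.0.0.255 any
!
! Staff VLAN: only the head-of-department host may cross into the other departments' VLANs
ip access-list extended VLAN30-STAFF-IN
 permit udp any eq bootpc any eq bootps
 permit ip host 10.30.0.10 10.0.0.0 0.255.255.255
 permit ip 10.30.0.0 0.0.0.255 host 10.30.0.1
 deny   ip 10.30.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.30.0.0 0.0.0.255 any
!
! The lists are applied inbound on the SVIs, i.e. where traffic enters the core switch from each VLAN
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group VLAN10-CLASSES-IN in
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
 ip access-group VLAN30-STAFF-IN in
!
! Syslog export to the Kiwi server, with millisecond timestamps so events from the
! core switch and the firewall can be correlated. Level 7 (debugging) is what the
! project chose; it is very noisy, and informational (level 6) is the usual production setting.
service timestamps log datetime msec
logging host 10.99.0.50
logging trap debugging
```

Each "deny ... log" hit produces an %SEC-6-IPACCESSLOGP message on the syslog server, which is the evidence that a host tried to cross VLANs.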
The figure demonstrates the firewall policies applied from the in zone to the out zone.
In this action we emulate the password spoofing attack to acquire the username and password of the administrator; this attack was a failure due to the SSH protocol that has been used.