Network Countermeasures




A network countermeasure is an action taken, software deployed, or physical component placed in the network to reduce the threat of intrusion or attack from outside it. The best ways to protect a network and reduce the threat from beyond its perimeter are Virtual Private Networks (VPNs) and firewalls. Pay very close attention to the subjects discussed in this section. Chances are, you will be asked several questions on the real exam related to this subject matter.

Virtual Private Networks (VPNs)

As soon as the efficiency and security of LANs (local area networks) became evident to administrators, it became clear that these secure networks needed a farther reach. Until the advent of VPN (virtual private networking), this involved the costly use of fiber-optic or ISDN leased lines. Unfortunately, the expense of maintaining a private WAN (wide area network) grows with the distance from point A to point B. So, once the Internet proved itself as a reliable way to exchange data, businesses naturally turned to it to extend their networks. The Internet, though, is as wide open as the big skies of Montana. A process was needed to harness the global reach of this massive TCP/IP network while ensuring secure, reliable, and quick communications. Enter VPN.

In a nutshell, a VPN is a private network carried over public lines. VPNs use virtual connections established over the Internet instead of dedicated leased lines. They are used to connect multiple LANs (site-to-site) as well as to give users in the field access to the company network. For instance, once a mobile user connects to their ISP (Internet service provider) from any location, they can be authenticated on the company network over a VPN. This type of remote access VPN is also called a VPDN (virtual private dial-up network). It is fast, secure, and scalable, and best of all, its intricacies are transparent to the user.

So, now that you have an idea of what a VPN is and why it is used, let's talk about security. If you have been hired to establish a secure network, you had better be sure that is what your employer ends up with. So how does a VPN achieve security across the vast gulf that is the Internet? Several mechanisms work together to keep your data secure, and each is discussed in the following sections.

Firewalls

The first step in implementing a VPN is having a solid firewall in place, because the VPN endpoint is itself exposed to the Internet. A firewall is an implementation of software, hardware, or a combination of both, specifically designed to keep unauthorized users, programs, and other threats from entering a computer system or network. It can be configured to block traffic based on the type of packet trying to get through, the protocol or port being used for the transmission, or a host of other user-defined rules. A typical firewall analyzes every packet that attempts to enter or exit a network or computer system; if the packet does not meet the rules implemented by the firewall, the packet or connection is denied. Firewalls are implemented as packet filters, proxy servers, or application or circuit gateways. (Firewalls are discussed in more detail later in this section.)

IPSec (Internet Protocol Security)

IPSec is a group of protocols developed by the IETF (Internet Engineering Task Force) that secures packets at the IP layer, so it protects any application traffic carried above IP. IPSec operates in two modes: transport and tunnel. In transport mode, only the data portion (or payload) of a packet is encrypted while the original IP header remains in the clear. In tunnel mode, the entire original packet, header included, is encrypted and a new outer IP header carrying only the addresses of the two IPSec gateways is added, so an eavesdropper learns nothing about which internal hosts are communicating. An IPSec-compliant device (router, firewall, and so on) is required on the receiving end to decrypt the packet. Within IPSec, ESP (Encapsulating Security Payload) provides encryption and integrity, while AH (Authentication Header) provides integrity and authentication only. Sending and receiving devices must first agree on shared session keys; this is accomplished by the Internet Key Exchange (IKE), which is built on the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key-determination protocol. The peers exchange public Diffie-Hellman values and derive the session keys from them; the public values themselves never encrypt any traffic. ISAKMP/Oakley also lets each side authenticate the other, using either a pre-shared key or a digital certificate, which is what prevents an attacker from inserting itself into the key exchange.

Encryption

Encryption is a way of sending data in a form that only the intended recipient can decrypt. Most encryption systems use one of two approaches: symmetric-key or public-key.

Symmetric-key Encryption

This method employs a single key to both encrypt and decrypt messages. Although simpler and faster than the public-key approach, it requires the sending and receiving computers to exchange the key securely first. Think of it as a secret code that both parties must possess in order to read messages. Public-key encryption gets around this key-distribution problem by publishing the public key to anyone who wants it while never transmitting the private key.

Public-key Encryption

Also called asymmetric encryption, this method employs a matched pair of keys: a public key and a private key. Only your computer knows the private key; the public key is handed to any computer that wishes to communicate securely with you. A message encrypted with one key of the pair can only be decrypted with the other. For instance, if Computer A wishes to send a secure message to Computer B, it encrypts the message with Computer B's public key; Computer B then decrypts it with its own private key, and nothing else will do. It is computationally infeasible to derive the private key from the public key alone. The concept of public-key cryptography was introduced in 1976 by Whitfield Diffie and Martin Hellman. The Diffie-Hellman protocol named after them is used to agree on a shared secret key over an insecure channel, rather than to encrypt messages directly, and it is the key-agreement method used by IKE in IPSec. One public-key system, Pretty Good Privacy (PGP), is now widely used for secure transmissions over the Internet.
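The key-agreement problem described above, worked through in code. This is an added example and not part of the book: a Diffie-Hellman exchange in Python using a toy-sized prime chosen for readability (a real deployment uses a standardized group of 2048 bits or more), followed by the man-in-the-middle substitution that succeeds when the public values are not authenticated, and the pre-shared-key authenticator that defeats it. The HMAC tag stands in for the certificate-based signature IKE can use; the party names, the demonstration parameters and the shared authentication key are all assumptions made for the example.

```python
"""Diffie-Hellman key agreement and why the public values must be authenticated.
Added example; toy-sized parameters, standard library only."""
import hashlib
import hmac
import secrets

# Toy parameters chosen for readability, NOT for real use (assumption: a real
# deployment uses a standardized MODP group of 2048 bits or more).
P = 2**127 - 1          # a Mersenne prime; every value fits in 16 bytes
G = 5


def dh_keypair(p=P, g=G):
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(p - 3) + 2          # 2 <= priv <= p - 2
    pub = pow(g, priv, p)                        # g^priv mod p, sent in the clear
    return priv, pub


def dh_shared_key(priv, peer_pub, p=P):
    """Derive a 32-byte symmetric key from our private value and the peer's public value.
    (g^b)^a == (g^a)^b mod p, so both sides compute the same number; hashing it
    stands in for the PRF IKE uses to turn the shared secret into session keys."""
    shared = pow(peer_pub, priv, p)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_exchange():
    """Alice and Bob exchange public values directly; both derive the same key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_key(a_priv, b_pub), dh_shared_key(b_priv, a_pub)


def mitm_exchange():
    """Mallory, sitting in the path, replaces each public value with her own.
    Returns (alice_key, bob_key, mallory_key_with_alice, mallory_key_with_bob).
    Alice and Bob each believe they share a key with the other; each actually
    shares one with Mallory, who can decrypt, read, and re-encrypt everything."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    alice_key = dh_shared_key(a_priv, m_pub)     # Alice received m_pub instead of b_pub
    bob_key = dh_shared_key(b_priv, m_pub)       # Bob received m_pub instead of a_pub
    return alice_key, bob_key, dh_shared_key(m_priv, a_pub), dh_shared_key(m_priv, b_pub)


def authenticate_public(pub, auth_key):
    """Tag a public value under a pre-shared authentication key (assumption: exchanged
    out of band). IKE can use a digital signature with a certificate instead."""
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def verify_public(pub, tag, auth_key):
    """Constant-time check that `tag` was produced over `pub` by a holder of auth_key."""
    return hmac.compare_digest(authenticate_public(pub, auth_key), tag)


def authenticated_mitm_detected():
    """Same substitution as mitm_exchange, but Alice's value carries a tag.
    Mallory cannot tag her own value, so Bob rejects it and aborts.
    Returns True when the substitution is caught."""
    auth_key = secrets.token_bytes(32)
    _, a_pub = dh_keypair()
    a_tag = authenticate_public(a_pub, auth_key)
    _, m_pub = dh_keypair()                      # Mallory's replacement for a_pub
    return not verify_public(m_pub, a_tag, auth_key)
```

Run `honest_exchange()` and `mitm_exchange()` side by side: in the first, the two keys are equal; in the second, Alice's key equals Mallory's key with Alice and Bob's key equals Mallory's key with Bob, which is exactly the position an unauthenticated key exchange leaves you in.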

Tunneling

Another technology that enables VPNs to work is tunneling: encapsulating a packet of one network protocol inside a packet of another prior to transmission. Three types of protocol are involved in tunneling data:

  • Carrier protocol: The native protocol used by the network carrying the data.

  • Tunneling protocol: The protocol (PPTP, IPSec, L2F, L2TP, or GRE) that the original data is encapsulated in.

  • Passenger protocol: The protocol (IPX, NetBEUI, or IP) native to the original data.

Tunneling allows packets of protocols that the Internet does not route to be carried inside IP packets. For instance, a remote user sends a message from their laptop over the VPN. The original message is a NetBEUI frame, which cannot cross the Internet on its own. Once it is encapsulated in a PPP frame and that in turn in an IP packet (as PPTP does), it can make its way across the Internet and arrive at its destination, where it is unwrapped and delivered in its original form. Note that encapsulation by itself provides no confidentiality: a plain GRE or L2TP tunnel carries the passenger packet in cleartext, which is why a VPN pairs tunneling with encryption (L2TP over IPSec, for example).

In a VPDN, the remote user's PPP session is what gets tunneled. PPTP (Point-to-Point Tunneling Protocol), L2F (Layer 2 Forwarding), and L2TP (Layer 2 Tunneling Protocol) were all developed to carry PPP frames across an IP network. In a site-to-site VPN, GRE (Generic Routing Encapsulation) or IPSec in tunnel mode is most often the tunneling method of choice.
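How the encapsulations in this section and the two IPSec modes described earlier differ on the wire, as an added example that is not part of the book. The Python below builds a passenger IPv4 packet between two private hosts and wraps it three ways, in GRE, in an ESP-like transport-mode packet, and in an ESP-like tunnel-mode packet, then reports what an eavesdropper on the carrier network can read in each case. The cipher is an HMAC-SHA256 keystream standing in for ESP's AES, the ICV is a truncated HMAC, the IPv4 checksum is left at zero, and the addresses, key, and SPI are constructed for the example; this is an illustration of the packet layouts, not a real IPSec implementation.

```python
"""GRE vs. ESP transport mode vs. ESP tunnel mode, byte by byte.
Added example with constructed data; the cipher and ICV are stand-ins."""
import hashlib
import hmac
import socket
import struct

PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_IPIP = 17, 47, 50, 4
ICV_LEN = 12                                    # truncated HMAC, ESP-style


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def wire_addrs(pkt):
    """Source and destination that anyone on the carrier network can read."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def keystream_xor(key, spi, seq, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 keystream keyed by (SPI, seq).
    Symmetric, so the same call decrypts. NOT what real ESP uses (AES-CBC/GCM)."""
    stream = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def gre_encapsulate(gw_src, gw_dst, passenger):
    """GRE (RFC 2784): 4-byte header (flags/version 0, protocol type 0x0800 = IPv4)
    in front of the passenger packet, then a carrier IPv4 header. No encryption."""
    gre = struct.pack("!HH", 0, 0x0800) + passenger
    return ipv4_header(gw_src, gw_dst, PROTO_GRE, len(gre)) + gre


def _esp(key, spi, seq, plaintext, next_header):
    """ESP body: SPI, sequence number, ciphertext (plaintext + Next Header trailer), ICV."""
    body = struct.pack("!II", spi, seq) + keystream_xor(key, spi, seq, plaintext + bytes([next_header]))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_transport(key, spi, seq, original):
    """Transport mode: the original IP header stays (addresses visible), payload encrypted."""
    src, dst = wire_addrs(original)
    esp = _esp(key, spi, seq, original[20:], original[9])      # original[9] = protocol field
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def esp_tunnel(key, spi, seq, gw_src, gw_dst, original):
    """Tunnel mode: the WHOLE original packet is encrypted; the new outer header
    shows only the two gateways."""
    esp = _esp(key, spi, seq, original, PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


def esp_decapsulate(key, carrier):
    """Receiver: verify the ICV first, then decrypt. Returns (plaintext, next_header),
    or None if the packet was tampered with."""
    esp = carrier[20:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    plain = keystream_xor(key, spi, seq, body[8:])
    return plain[:-1], plain[-1]


# Constructed sample: a UDP datagram between two private LAN hosts, and a demo key.
INNER = ipv4_header("10.0.0.5", "10.0.1.7", PROTO_UDP, 12) + b"hello, site2"
KEY = hashlib.sha256(b"demo key, not a real one").digest()


def eavesdropper_view(carrier):
    """What a sniffer on the Internet path learns from one carrier packet."""
    return {"outer": wire_addrs(carrier),
            "inner_addrs_visible": socket.inet_aton("10.0.0.5") in carrier,
            "payload_visible": b"hello, site2" in carrier}
```

Compare `eavesdropper_view()` over the three carriers: GRE exposes everything, transport mode hides the payload but still shows which two hosts are talking, and tunnel mode shows only the gateway pair. The ICV check in `esp_decapsulate()` is what makes a modified packet fail before decryption is attempted; real ESP additionally checks the sequence number against a replay window, which this example omits.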

Secure Remote Procedure Call (RPC)

Remote Procedure Call (RPC) is a protocol that lets a client-side program execute a procedure or request a service on a server computer without having to deal with network details or the server's internal procedures. RPC runs above the Transport layer (over TCP or UDP) and is used directly by Application-layer programs, which is why it is described as operating at the Transport and Application layers of the OSI reference model. RPC allows programs to be distributed and executed easily across a network. Secure RPC adds authentication of the calling user to this model, so the server can verify who is making the request; Sun's Secure RPC, for example, encrypts the caller's credentials with DES under a key agreed through Diffie-Hellman. Because exposed RPC services have historically been a frequent target, they should not be reachable from outside the perimeter unless there is a specific need.

Firewalls

As mentioned earlier, a firewall is hardware, software, or a combination of both, placed between two networks to protect an internal network from outside influences. The three main implementations of firewalls are packet filters, circuit gateways, and application proxies; stateful inspection, which builds on packet filtering, is covered after them. Each is described next.

Packet Filtering

A packet filter examines the header of each packet, primarily the source and destination IP addresses, the protocol, and the TCP or UDP port numbers, and allows or drops the packet accordingly. (Packet sniffing programs and network monitors, by contrast, capture and analyze packets coming into or going out of a network; they can identify faulty NICs as well as malicious activity and send alerts to security administrators, but they do not block anything.) Table 4.2 lists some of the best-known TCP and UDP ports and the upper-layer protocols that use them.

Table 4.2: Important TCP and UDP ports

Type              TCP/UDP    Port Number
FTP               TCP        20, 21
Telnet            TCP        23
SMTP              TCP        25
SNMP / SNMP Trap  UDP        161 / 162
DNS               UDP        53 (TCP 53 for zone transfers)
HTTP              TCP        80
NetBIOS           UDP, TCP   137, 138 (UDP); 139 (TCP)

Note 

You should be very familiar with Table 4.2 for the exam. The exam will most likely expect you to know that there are 1024 well-known ports (0 through 1023).

Packet filters separate good from bad packets on header information alone. The main disadvantage of most packet filters available today is their inability to tell whether a packet was sent by a normal, innocent user or by a hostile source, because they never look at the data the packet carries. It is important to note that most network routers in use today implement some sort of packet filtering, which provides protection to a certain extent. Unfortunately, most routers do not have effective logging capability, which can allow certain attacks to go unnoticed. Remember, packet filters are considered the basic line, or first generation, of firewall defense; they allow or deny network access based on address, port, and protocol information. The advantage of a packet filtering router is its ability to analyze and drop or pass packets quickly. The major disadvantage is that nothing beyond those header fields is examined: a packet filter cannot tell an HTTP request on port 80 from any other data sent to port 80, and its rules must be written broadly enough to let reply traffic back in.

Packet filtering firewalls operate at the Network layer of the OSI reference model, although they also read the Transport-layer port numbers.

Circuit Gateways

In effectiveness and functionality, a circuit gateway lies between a packet filter and an application proxy. A circuit gateway operates at the Session layer of the OSI reference model. Once it has approved a connection based on protocol and IP address, it relays that connection's packets from one host to the other without inspecting the application data. A circuit gateway thus forms a sort of tunnel through the firewall that allows two specified hosts to interact; SOCKS is a well-known example. One advantage of a circuit gateway is its ability to log more information about each connection (its endpoints and duration, for instance) than a simple packet filter.

Note 

An attacker who sends a bogus protocol packet through an open port can easily fool circuit gateways and packet filters, because neither inspects what the packet carries. Thus a stronger level of firewall was developed that gives administrators more control over protocol and port behavior. Enter the application proxy.

Another advantage of a circuit gateway firewall is that it naturally supports NAT (Network Address Translation), since it terminates connections on behalf of internal hosts. NAT is discussed shortly.

Application Proxies

Application proxies, or application gateways, operate at the Application and Presentation layers of the OSI reference model. They understand specific applications and the actual data exchanged. The application proxy offers much more control than packet filters and circuit gateways by controlling or limiting user actions within the protocol itself. In other words, with an application proxy, administrators can control what information is sent out of or pulled into a network; for example, untrusted networks can be blocked and FTP can be restricted to particular commands. The major disadvantage of this type of firewall is the administrative overhead required to maintain this degree of control, along with the latency of terminating every connection. It is common practice today for most administrators to implement a combination of circuit and application technologies to manage and protect an internal network properly.

There are three important notes regarding application proxy firewalls:

  • They must be configured for each separate service (HTTP, FTP, SMTP, and so on) that is to be proxied; a service with no proxy configured cannot pass.

  • They are intelligent enough to understand the information contained within the protocol.

  • They monitor the state of every configured connection and can intercept or capture traffic on any channel they have been configured to proxy.

Stateful Inspection Firewall

Stateful inspection firewalls remember detailed information about packets that have previously passed through them, and compare new packets against that record when deciding whether to let them through. In other words, a stateful firewall keeps a table of the connections initiated from inside (or explicitly permitted from outside) and admits an incoming packet only if it belongs to one of them; an incoming packet with no matching connection is blocked.

Stateful firewalls provide better overall analysis than packet filters. Because they can relate packets to one another over time, they admit reply traffic without opening whole port ranges, and they are far harder to fool with crafted packets that merely use a permitted port.
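The difference between the stateless packet filter described earlier and stateful inspection, as an added example in Python that is not part of the book. Both are fed the same constructed packets: a LAN host opening a web connection, the server's reply, an attacker sending a packet from source port 80 to a LAN host's file-sharing port (the classic trick for slipping past a rule that had to admit replies from web servers), an unsolicited SSH attempt, and a legitimate client reaching the published web server. The ACL, the addresses, the published-server list, and the flow table are all assumptions made for the example.

```python
"""Stateless ACL vs. stateful connection tracking on the same packets.
Added example with constructed traffic."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


# Stateless ACL (first match wins, default deny). Constructed policy: the LAN may
# browse the web, and the Internet may reach our web server. Because a stateless
# filter cannot recognise replies, rule 2 has to admit ANY packet from port 80,
# to any port on any LAN host: that is the hole the attacker below uses.
STATELESS_ACL = [
    {"direction": "out", "proto": "tcp", "dport": 80, "action": "allow"},
    {"direction": "in",  "proto": "tcp", "sport": 80, "action": "allow"},
    {"direction": "in",  "proto": "tcp", "dst": "10.0.0.80", "dport": 80, "action": "allow"},
]


def stateless_decide(pkt, acl=STATELESS_ACL):
    """Apply the ACL to one packet in isolation: header fields only, no memory."""
    for rule in acl:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Tracks TCP connections initiated from inside (or to a published server)
    and admits only packets that belong to a tracked connection."""

    def __init__(self, published=frozenset({("10.0.0.80", 80)})):
        self.published = published           # (host, port) pairs reachable from outside
        self.flows = set()                   # (client, cport, server, sport) of open connections

    def decide(self, pkt):
        if pkt.proto != "tcp":
            return "deny"                    # constructed policy: TCP only
        is_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if is_syn:                           # a new connection, allowed in only two cases
            if pkt.direction == "out" or (pkt.dst, pkt.dport) in self.published:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow"
            return "deny"
        # Not a connection attempt: it must match a tracked flow in either direction.
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if forward in self.flows or reverse in self.flows else "deny"


# Constructed traffic. The attacker's probe has sport 80 purely to match rule 2.
SCENARIO = [
    ("LAN host opens web connection",
     Packet("out", "tcp", "10.0.0.5", 40001, "93.184.216.34", 80, frozenset({"SYN"}))),
    ("web server replies",
     Packet("in", "tcp", "93.184.216.34", 80, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))),
    ("attacker probes SMB from source port 80",
     Packet("in", "tcp", "198.51.100.9", 80, "10.0.0.5", 445, frozenset({"ACK"}))),
    ("attacker opens SSH to LAN host",
     Packet("in", "tcp", "198.51.100.9", 4444, "10.0.0.5", 22, frozenset({"SYN"}))),
    ("Internet client opens our web server",
     Packet("in", "tcp", "198.51.100.9", 4445, "10.0.0.80", 80, frozenset({"SYN"}))),
]


def run_scenario():
    """Return (description, stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(name, stateless_decide(p), fw.decide(p)) for name, p in SCENARIO]
```

The third row of `run_scenario()` is the one to look at: the stateless ACL allows the probe because its only evidence is "source port 80", while the stateful firewall denies it because no connection from 10.0.0.5:445 to that host was ever opened. Both correctly admit the genuine reply and the connection to the published server, and both deny the cold SSH attempt.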

Note 

There is a possibility that the exam might display a routing configuration and ask you what the administrator is trying to protect the network from. In other words, what type of an attack is the administrator attempting to circumvent?

Network Address Translation (NAT)

Network Address Translation (NAT) is an Internet standard. It is most often implemented on routers and firewalls, and it hides an internal private network's range of IP addresses from outside networks. What NAT actually does is translate a given set of internal IP addresses into a separate set of addresses that can be seen and reached from outside the local area network. Because outside hosts only ever see the translated addresses, and because an incoming packet with no translation entry cannot be delivered to any internal host, NAT adds a degree of protection. That protection is a side effect of the translation rather than a substitute for a firewall: any internal address that is statically mapped inward is fully reachable from outside.

Another benefit of using NAT is that many internal IP addresses can share one external address. This allows a company to conserve globally routable IPs and use one address to reach the Internet. For example, a company could map the addresses of all the hosts behind several ISDN links onto a single connection to the Internet. Administrators can use NAT to map in the following fashions:

  • Map a local network IP address statically to a single global IP address.

  • Map a local Network IP address to a pool of global IP addresses owned by a company.

  • Map a single global IP address to a pool of local network IP addresses.

  • Map a local network IP address and TCP port to a global IP address, or to a pool of global IP addresses (port address translation).
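The port-based mapping in the last bullet, worked through as an added example in Python that is not part of the book: a many-to-one NAT (port address translation) that rewrites outbound packets from private hosts onto a single global address, reverses the rewrite for replies, drops inbound packets that match no entry, and also supports a static inbound mapping for a published server. The global address, the port range, the internal hosts, and the packet tuple format are all constructed for the example.

```python
"""Many-to-one NAT (port address translation) with a static inbound mapping.
Added example; addresses and ports are constructed."""
import itertools

# A packet is modelled as the tuple (proto, src_ip, src_port, dst_ip, dst_port).


class Napt:
    def __init__(self, global_ip, first_port=50000):
        self.global_ip = global_ip
        self._ports = itertools.count(first_port)     # next unused global port
        self.outbound = {}     # (proto, in_ip, in_port) -> global port
        self.inbound = {}      # (proto, global port) -> (in_ip, in_port)

    def add_static(self, proto, global_port, in_ip, in_port):
        """Static mapping: publish an internal server on a fixed global port.
        Everything sent to that port reaches the server, so NAT hides nothing here."""
        self.inbound[(proto, global_port)] = (in_ip, in_port)
        self.outbound[(proto, in_ip, in_port)] = global_port

    def translate_outbound(self, pkt):
        """LAN -> Internet: replace the private source with the global IP and a port
        that identifies this internal socket. A repeat from the same socket reuses its entry."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            gport = next(self._ports)
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = (src_ip, src_port)
        return (proto, self.global_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, pkt):
        """Internet -> LAN: look the destination port up in the table. Returns the
        rewritten packet, or None when nothing maps, in which case the packet is
        dropped because there is no internal host to deliver it to."""
        proto, src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.global_ip:
            return None
        target = self.inbound.get((proto, dst_port))
        if target is None:
            return None
        return (proto, src_ip, src_port, target[0], target[1])


def demo():
    """Two LAN hosts using the same local port both reach the web; a reply comes back
    to the right host; an unsolicited probe is dropped; a published server is reachable."""
    nat = Napt("203.0.113.1")
    nat.add_static("tcp", 80, "10.0.0.80", 8080)
    out_a = nat.translate_outbound(("tcp", "10.0.0.5", 40000, "93.184.216.34", 80))
    out_b = nat.translate_outbound(("tcp", "10.0.0.6", 40000, "93.184.216.34", 80))
    reply_a = nat.translate_inbound(("tcp", "93.184.216.34", 80, "203.0.113.1", out_a[2]))
    probe = nat.translate_inbound(("tcp", "198.51.100.9", 4444, "203.0.113.1", 50002))
    to_server = nat.translate_inbound(("tcp", "198.51.100.9", 4444, "203.0.113.1", 80))
    return out_a, out_b, reply_a, probe, to_server
```

Note in `demo()` that the two internal hosts both used local port 40000 and were given different global ports, which is what lets the reply find its way back to the right host; the probe to an unmapped port is dropped with no internal host ever involved, while the statically mapped web server is reached exactly as if it were on the public address itself.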

Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a neutral area between an internal network and the Internet that typically contains one host system or a small network of systems. The DMZ sits between the private and the public network and holds the systems, such as Web servers, that serve pages and non-critical company data to users outside the intranet or LAN. In other words, a DMZ is located behind a firewall yet can be reached from the Internet. If the Web pages or non-critical data in the DMZ are destroyed or lost, it is usually not a major catastrophe, because the applications behind the Web pages and the critical data are stored within the local network, which DMZ hosts should not be permitted to reach freely: a compromised DMZ host must not become a stepping stone inward.

A DMZ host can accept Internet requests for SMTP, FTP, HTTP, or name resolution services such as DNS. The real benefit of a DMZ is the ability to provide certain information to outside parties without allowing unauthorized access to critical internal services, information, and programs. DMZ capabilities and products are available from manufacturers such as Cisco Systems.

Note 

Servers that must be reachable from the Internet, such as those providing FTP, SMTP, HTTP, and DNS, should reside in a DMZ. Management services such as SNMP and Telnet should not be exposed to the Internet at all; if a DMZ host runs them, restrict them to the internal management network.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
