Lesson 1: Understanding Network Infrastructure Security

This lesson is an introduction to common network infrastructure security concerns. Just as the human skeletal system is the framework of your body, the network infrastructure is the framework of your network. One successful attack on your network infrastructure can cripple your network or even open it to different types of attacks. To properly defend your network infrastructure, you must understand the common security concerns that apply to the network infrastructure.


After this lesson you will be able to

  • Discuss general security concerns for your network infrastructure

  • Explain how the physical network infrastructure could be at risk

  • Document potential exploitations of network infrastructure device configurations

Estimated lesson time: 10 minutes


Infrastructure Security Overview

Organizations and individuals are concerned about protecting their data, equipment, trade secrets, and the privacy of their associates. Successful attacks against a network infrastructure could result in a compromise or loss of any or all of those items. To protect your network infrastructure from attack, you must first be aware of the types of attacks that could be launched against it, which include any of the following:

  • Physical sabotage; equipment destruction

  • Packet sniffing; eavesdropping

  • Network mapping and port scanning to identify targets for attack

  • Reconfiguration or disabling of connectivity or security devices

  • Use of your network devices to launch an attack on another network

  • Use of your network devices to host unauthorized, illegal, or destructive services

  • Erasing data

To protect your network from such attacks, you must control access to critical resources, protocols, and network access points. This includes protecting the physical security of equipment and the configuration of devices.

Securing Physical Equipment

The equipment that forms your network infrastructure should be as physically secure as possible. If an attacker can gain access to your router, switch, or even server, your network infrastructure could be easily compromised. Attacks need not be sophisticated to be effective. A person with a knife or hammer in the wiring closet or server room could potentially cause more damage than a computer virus.

Scott Culp of the Microsoft Security Response Center compiled a list called "Ten Immutable Laws of Security." The third law states, "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore." This is also true if the attacker is able to gain unrestricted physical access to any of the equipment that is part of your network infrastructure. Any system to which an attacker is able to gain unrestricted physical access should be considered fully compromised.

More Info
To learn more about "The Ten Immutable Laws of Security," visit http://www.microsoft.com/technet and search for that title.

The solution is preventing attackers from ever gaining access to your network infrastructure. Unfortunately, protecting every hub, switch, PC, router, cable, and other component from every type of physical attack is difficult. In addition to protecting your network from attackers, you should be concerned with other forces that could compromise the integrity of your network. For example, fires, floods, tornadoes, and earthquakes could destroy your network infrastructure.

Some ways in which you might physically secure your network infrastructure include the following:

  • Hire security guards.

  • Install sensors, alarms, and closed-circuit TV cameras and monitoring equipment.

  • Use physical access badges and security cards.

  • Install backup electrical power.

  • Bury network cables (or enclose them in walls).

  • Lock wiring closets and server rooms.

  • Encase equipment in protective housings.

  • Use tamper-proof seals on equipment casing.

  • Install fences and parking lot gates.

  • Maintain fire-extinguishing and detection systems appropriate for your equipment and facility.

  • Ensure your facilities meet appropriate construction standards.

Physically securing your network infrastructure first involves prioritization. You must decide what equipment is most critical and in the greatest need of securing. For example, the loss of a central server, router, switch, or hub is probably a bigger problem than the loss of a cable connecting a public terminal to your network.

You should use a cost-benefit analysis to determine how much of your network infrastructure you should secure. When performing such an analysis, weigh the cost of securing the equipment against the costs that could be incurred if the equipment were compromised. Also, consider the likelihood that the equipment would be compromised or lost. Such consideration is called risk assessment and is explored further in Chapter 10, "Organizational Security."

Securing Equipment Configuration

Equipment configuration is another area in which your network infrastructure might be vulnerable to an attack. Attacks on device configuration can be physical, such as rerouting cables in a wiring closet, or logical, such as changing the routing table of a router.

Physical security, as discussed previously, is required to protect equipment from physical configuration attacks. Logical security is required to secure your network infrastructure from attacks on device configuration that can take place remotely. For example, routers and switches maintain logical routing or switching tables, which allow them to correctly transfer network packets to their proper destination. An attacker might try to modify or corrupt those tables to redirect or stop normal network communication.

To protect your routers, switches, and central servers, you can assign complex passwords to management consoles to help prevent someone from gaining unauthorized administrative access. Complex passwords are multiple characters long and combine mixed-case letters, numbers, and special characters, which makes them difficult to guess or crack with a password-cracking program. Secure passwords should be at least six characters in length, which is defined as a minimum by many operating system vendors and organizations. However, some are moving to seven- or even eight-character password minimums.

To protect your device configurations, restrict remote access wherever possible. To protect passwords from compromise through packet sniffing, use the strongest authentication and encryption methods available to each device you must configure remotely. Authentication and encryption are covered briefly later in this chapter. For more in-depth coverage of authentication, see Chapter 7, "User Security." Encryption is covered in more detail in Chapter 3, "Certificate Basics" and Chapter 6, "Application Security."

The focus of this text is on security issues concerning network infrastructure equipment. In many cases, only brief descriptions of infrastructure devices are provided. If you require a more thorough description of devices discussed in this chapter, please read the Network+ Certification Training Kit, Second Edition (Microsoft Press, 2001), and the A+ Certification Training Kit, Third Edition (Microsoft Press, 2001).
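The checks described in this section (complex management passwords, restricted remote access, no cleartext remote management) can be applied to a device configuration as a simple audit. The following is an added example, not part of the original lesson: it assumes Cisco IOS-style syntax, the sample configuration is constructed, and the 8-character default is the upper end of the minimums the lesson mentions.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; not from the lesson).
SAMPLE_CONFIG = """\
enable password cisco
line con 0
 password Adm1n!Console9
line vty 0 4
 password letmein
 transport input telnet
line vty 5 15
 password S3cure#Vty2024
 access-class 10 in
 transport input ssh
"""

def password_weaknesses(pw, min_length=8):
    """Return the complexity criteria from the lesson that pw fails."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("no mixed case")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems

def audit_config(text, min_length=8):
    """Return (section, finding) tuples; password values are never echoed."""
    findings, section, sections = [], "global", {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):  # an unindented line opens a new context
            section = raw.strip() if raw.startswith("line ") else "global"
        sections.setdefault(section, []).append(raw.strip())
    for name, lines in sections.items():
        for ln in lines:
            m = re.match(r"(?:enable )?password (?:0 )?(\S+)$", ln)
            for p in password_weaknesses(m.group(1), min_length) if m else []:
                findings.append((name, f"cleartext password: {p}"))
            if re.match(r"transport input .*\b(telnet|all)\b", ln):
                findings.append((name, "remote management allows cleartext Telnet"))
        if name.startswith("line vty") and not any(l.startswith("access-class ") for l in lines):
            findings.append((name, "remote access not restricted by access-class"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_config(SAMPLE_CONFIG):
        print(f"{section}: {finding}")
```

Pass `min_length=6` to apply the six-character minimum the lesson cites instead of the stricter default.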

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. List three or more items that are considered part of a network infrastructure.

  2. What are some of the actions you might take to secure your physical network infrastructure?

  3. In addition to physical attacks, what other types of attacks might be directed against your network infrastructure?

  4. Name other security threats that are not related to people attacking your network.

Lesson Summary

  • You must control access to critical resources, protocols, and network access points. This includes protecting the physical security of equipment and the configuration of devices.

  • Attacks against your network infrastructure can include physical attacks, such as destruction or theft of equipment, and the physical modification of equipment configurations. Attacks can also involve the logical modification of network infrastructure device configurations, such as changing a routing or switching table.

  • You can protect your physical network infrastructure with security personnel, closed-circuit TV, alarms, access cards, locks, tamper-proof seals, backup electrical power, and similar measures.

  • Restrict remote administration of network infrastructure equipment whenever possible. When you must allow remote administration, be sure to use the most secure authentication and encryption possible.



Security+ Certification Training Kit
Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
EAN: 2147483647
Year: 2002
Pages: 55
