Understanding How Security Affects a Network


Implementing security measures can have a significant impact on the network. How much of an impact it has depends on which security measures are implemented and the habits of the network users. Several security measures are used on networks including port blocking, authentication schemes, encryption, and so on. While in today's world we may have no choice but to implement these measures, as a network administrator, you'll need to be aware how they impact the overall network. The following sections help you prepare for this part of the exam.

Blocking Port Numbers

Port blocking is one of the most widely used security methods on networks. Port blocking is associated with firewalls and proxy servers, although it can be implemented on any system that provides a means to manage network data flow, according to data type.

Essentially, when you block a port, you disable the ability for traffic to pass through that port, thereby filtering the traffic. Port blocking is typically implemented to prevent users on a public network from accessing systems on a private network, although it is equally possible to block internal users from external services, and internal users from other internal users, by using the same procedure.

Depending on the type of firewall system in use on a network, you might find that all the ports are disabled (blocked) and that the ones you need traffic to flow through must be opened. The benefit of this strategy is that it forces the administrator to choose the ports that should be unblocked rather than specify those that need to be blocked. This ensures that you allow only those services that are absolutely necessary into the network.

What ports remain open largely depends on the needs of the organization. For example, the ports associated with the services listed in Table 8.1 are commonly left open.

Table 8.1. Commonly Opened Port Numbers and Their Associated Uses

Port Number   Protocol   Purpose
21            FTP        File transfers
22            SSH        Secure remote sessions
25            SMTP       Email sending
53            DNS        Hostname resolution
80            HTTP       Web browsing
110           POP3       Email retrieval
123           NTP        Time information
161           SNMP       Network management
443           HTTPS      Secure Web transactions
3389          RDP        Windows Terminal Services or Windows Remote Desktop


These are, of course, only a few of the services you might need on a network, and allowing traffic from other services to traverse a firewall is as easy as opening the port. Keep in mind, though, that the more ports that are open, the more vulnerable you become to outside attacks. You should never open a port on a firewall unless you are absolutely sure that you need to.

You can obtain a complete list of port numbers and their associated protocols from the Internet Assigned Numbers Authority (IANA), at www.iana.org/assignments/port-numbers.


Port Blocking and Network Users

Before you implement port blocking, you should have a very good idea of what the port is used for. Although it is true that blocking unused ports does not have any impact on internal network users, if the wrong port is blocked, you can create connectivity issues for users on the network.

For instance, imagine that a network administrator was given the task of reducing the amount of spam emails received by his company. He decided to block port 25, the port used by the Simple Mail Transfer Protocol (SMTP). He may have succeeded in blocking the spam email, but in the process, he also prevented users from sending email.
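The default-deny model described above, together with the SMTP mistake from the example, worked through as a small filter simulation. This is an added example written for this page, not code from the book: the private range 10.0.0.0/8, the host addresses and the sample flows are constructed, and the Flow and Rule types are my own. The point it shows is that a rule needs a direction (and ideally a destination host): inbound port 25 can be limited to the mail server while internal users keep submitting mail, whereas removing every port 25 rule, as the administrator in the example did, drops the users' mail too.

```python
"""Default-deny port filter model (added example, not code from the book).

Every port is closed unless a Rule opens it, and rules carry a direction so
that blocking inbound SMTP from the public network does not also stop
internal users from submitting mail to their own server. The address range,
host addresses and sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed private address range


@dataclass(frozen=True)
class Flow:
    """One connection attempt, identified by endpoints, port and protocol."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

    def direction(self) -> str:
        src_in = ip_address(self.src) in INTERNAL_NET
        dst_in = ip_address(self.dst) in INTERNAL_NET
        if src_in and dst_in:
            return "internal"
        return "outbound" if src_in else "inbound"


@dataclass(frozen=True)
class Rule:
    """An explicit opening; anything no rule matches is dropped."""
    direction: str                # "inbound", "outbound" or "internal"
    dport: int
    proto: str = "tcp"
    dst: Optional[str] = None     # restrict the opening to one destination host

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction()
                and self.dport == flow.dport
                and self.proto == flow.proto
                and (self.dst is None or self.dst == flow.dst))


def decide(rules: Sequence[Rule], flow: Flow) -> str:
    """Default deny: a flow passes only if some rule explicitly opens it."""
    return "allow" if any(r.matches(flow) for r in rules) else "deny"


# Allowlist for a small site, opening only the Table 8.1 ports it needs.
MAIL_SERVER, WEB_SERVER = "10.0.0.5", "10.0.0.10"
RULES = [
    Rule("inbound", 25, dst=MAIL_SERVER),     # SMTP only to the mail server
    Rule("inbound", 443, dst=WEB_SERVER),     # HTTPS only to the web server
    Rule("outbound", 53, proto="udp"),        # DNS lookups
    Rule("outbound", 80),                     # web browsing
    Rule("outbound", 443),
    Rule("internal", 25, dst=MAIL_SERVER),    # workstations submit mail
    Rule("internal", 3389),                   # helpdesk remote desktop
]

# The book's mistake: dropping every rule for port 25 to stop inbound spam.
NAIVE_RULES = [r for r in RULES if r.dport != 25]

# Constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", MAIL_SERVER, 25),           # Internet MTA delivering mail
    Flow("203.0.113.7", "10.0.0.20", 25),           # Internet host probing a workstation
    Flow("203.0.113.7", WEB_SERVER, 22),            # SSH attempt at the web server
    Flow("10.0.0.20", MAIL_SERVER, 25),             # user sending mail
    Flow("10.0.0.20", "198.51.100.9", 53, "udp"),   # DNS query
    Flow("10.0.0.20", "198.51.100.9", 23),          # outbound telnet
]


def audit(rules: Sequence[Rule], flows: Sequence[Flow]) -> List[str]:
    """Return one 'allow'/'deny' verdict per flow, in order."""
    return [decide(rules, f) for f in flows]


if __name__ == "__main__":
    careful = audit(RULES, SAMPLE_FLOWS)
    naive = audit(NAIVE_RULES, SAMPLE_FLOWS)
    for f, c, n in zip(SAMPLE_FLOWS, careful, naive):
        print(f"{f.src:>14} -> {f.dst:<13} {f.proto}/{f.dport:<5} "
              f"{f.direction():<9} careful={c:<5} naive={n}")
```

Running the block prints the verdict of both rule sets for each flow; the fourth line (a workstation sending to the mail server) is the one that flips from allow to deny under the naive rules.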

Authentication

As a security mechanism, authentication is provided by every major network operating system and is implemented in all but the most insecure networks. Its 'impact on network functionality,' as stated in item 3.7 of the Network+ objectives, is that it will require users to identify themselves to the network. This process provides two benefits. It secures the network from unauthorized access and provides a degree of accountability for users once they are logged on.

There are three basic categories of authentication used on modern networks:

  • Passwords. The 'traditional' authentication method, passwords do a good job of providing security, but users who choose passwords that are too easy to guess can negate their effectiveness. Additionally, passwords can be passed from one person to another, diminishing their role as an accountability mechanism. Although network users will likely be very comfortable with using passwords, you should make them aware of the rules governing password use in your organization. You should also ensure that they understand the electronic policies that will dictate conditions such as password length and expiration times.

  • Smartcards. Smartcards, which are normally used in conjunction with a password or personal identification number (PIN), provide a higher level of accountability and access control than passwords. This is because the user has to be in possession of a physical item (the smartcard), as well as information (the password or PIN), in order to gain access.

  • Biometrics. Biometrics, which can mean the scanning or verification of some part of your person, is the ultimate 'proof of person' authentication technique. As it is almost impossible to fake biometric media such as fingerprints or retinal patterns, you can be very sure that someone gaining access to the system biometrically is who they say they are. Even so, biometric systems typically also use passwords or PINs as an additional measure of security.

Passwords and Password Policies

Although biometrics and smartcards are becoming more common, they still have a very long way to go before they attain the level of popularity that username and password combinations enjoy. Apart from the fact that usernames and passwords do not require any additional equipment, which practically every other method of authentication does, the username and password process is familiar to users, easy to implement, and relatively secure. For that reason, they are worthy of more detailed coverage than the other authentication systems already discussed.

Passwords are a relatively simple form of authentication in that only a string of characters can be used to authenticate the user. However, how the string of characters is used and which policies you can put in place to govern them make usernames and passwords an excellent form of authentication.

Password Policies

All popular network operating systems include password policy systems that allow the network administrator to control how passwords are used on the system. The exact capabilities vary between network operating systems. However, generally they allow the following:

  • Minimum length of password. Shorter passwords are easier to guess than longer ones. Setting a minimum password length does not prevent a user from creating a longer password than the minimum, although each network operating system has a limit on how long a password can be.

  • Password expiration. Also known as the maximum password age, password expiration defines how long the user can use the same password before having to change it. A general practice is that a password is changed every month or every 30 days. In high-security environments, you might want to make this value shorter, but you should generally not make it any longer. Having passwords expire periodically is an important feature because it means that if a password is compromised, the unauthorized user will not have access indefinitely.

  • Prevention of password reuse. Although a system might be able to cause a password to expire and prompt the user to change it, many users are tempted to simply use the same password again. A process by which the system remembers the last, say, 10 passwords is most secure because it forces the user to create completely new passwords. This feature is sometimes called enforcing password history.

  • Prevention of easy-to-guess passwords. Some systems have the capability to evaluate the password provided by a user to determine whether it meets a required level of complexity. This prevents users from having passwords such as 'password' or '12345678'.

On the Network+ exam, you will need to identify an effective password policy. For example, a robust password policy would include forcing users to change their passwords on a regular basis.


Password Strength

No matter how good a company's password policy, it is only as effective as the passwords that are created within it. A password that is hard to guess, or strong, is more likely to protect the data on a system than one that is easy to guess, or weak.

To understand the difference between a strong password and a weak one, consider this: A password of six characters that uses only numbers and letters and is not case sensitive has 10,314,424,798,490,535,546,171,949,056 possible combinations. That might seem like a lot, but to a password-cracking program, it's really not much security. A password that uses eight case-sensitive characters, with letters, numbers, and special characters has so many possible combinations that a standard calculator is not capable of displaying the actual number.

There has always been debate over how long a password should be. It should be sufficiently long that it is hard to break but sufficiently short that the user is able to easily remember it (and type it). In a normal working environment, passwords of 8 characters are sufficient. Certainly, they should be no fewer than 6 characters. In environments where security is a concern, passwords should be 10 characters or more.

Users should be encouraged to use a password that is considered strong. A strong password has at least eight characters; has a combination of letters, numbers, and special characters; uses mixed case; and does not form a proper word. Examples might include 3Ecc5T0h and e1oXPn3r. Such passwords might be secure, but users are likely to have problems remembering them. For that reason, a popular strategy is to use a combination of letters and numbers to form phrases or long words. Examples include d1eTc0La and tAb1eT0p. These passwords might not be quite as secure as the preceding examples, but they are still very strong and a whole lot better than the name of the user's household pet.
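The four policy controls listed under "Password Policies" (minimum length, expiration, history and complexity) and the strength rules just given, implemented as one checker. This is an added example written for this page, not code from the book or from any particular network operating system; the PasswordPolicy class, its defaults (8 characters, 30 days, 10 remembered passwords, 3 character classes) and the small banned-word list are my own choices, and the sample passwords are the ones the text uses. Old passwords are kept in the history as salted PBKDF2 hashes, so the reuse check never stores a previous password in the clear.

```python
"""Password policy checker (added example, not code from the book).

Enforces minimum length, maximum age, password history and a character-class
complexity test. History entries are salted PBKDF2-SHA256 digests, so reuse
is detected without retaining old passwords. Defaults, the banned-word list
and the sample passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple

# The four character classes a complexity rule usually counts.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed mini wordlist standing in for a real dictionary check.
BANNED_WORDS = {"password", "letmein", "welcome", "qwerty", "12345678"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def reused(password: str, history: Iterable[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate matches any stored (salt, digest) pair."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


class PasswordPolicy:
    def __init__(self, min_length: int = 8, max_age_days: int = 30,
                 history_size: int = 10, min_classes: int = 3):
        self.min_length = min_length
        self.max_age_days = max_age_days
        self.history_size = history_size
        self.min_classes = min_classes

    @staticmethod
    def character_classes(password: str) -> int:
        """Count how many of the four classes the password draws from."""
        return sum(any(c in cls for c in password) for cls in CLASSES)

    def violations(self, password: str,
                   history: Iterable[Tuple[bytes, bytes]] = ()) -> List[str]:
        """Return every rule the candidate breaks; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.character_classes(password) < self.min_classes:
            problems.append(f"uses fewer than {self.min_classes} character classes")
        if password.lower() in BANNED_WORDS:
            problems.append("is a common or dictionary password")
        # Only the most recent history_size entries count, as 'enforce history' does.
        if reused(password, list(history)[-self.history_size:]):
            problems.append(f"matches one of the last {self.history_size} passwords")
        return problems

    def is_expired(self, set_on: date, today: date) -> bool:
        """Maximum password age: older than max_age_days means a change is due."""
        return today - set_on > timedelta(days=self.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    previous = [hash_password("d1eTc0La")]          # the user's last password
    for candidate in ("3Ecc5T0h", "tAb1eT0p", "password", "tabletop", "d1eTc0La"):
        verdict = policy.violations(candidate, previous) or ["ok"]
        print(f"{candidate:<10} {'; '.join(verdict)}")
    print("expired:", policy.is_expired(date(2003, 1, 1), date(2003, 2, 15)))
```

The mixed-case-plus-digits examples from the text pass the complexity test because they draw from three classes; a plain word such as "tabletop" fails it, and a previously used password is rejected even though it would otherwise be strong.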

Passwords: The Last Word

One last password-related topic is worth mentioning. A password is effective only if just the intended users have it. As soon as a password is given to someone else, its effectiveness as an authentication mechanism is diminished. As a tool for accountability, the password is almost useless. Passwords are a means of accessing a system and the data on it. Passwords that are known by anyone other than the intended user(s) might as well not be set at all.


Encryption

Encryption is the process of encoding data so that, without the appropriate unlocking code, the encrypted data can't be read. Encryption is used as a means of protecting data from being viewed by unauthorized users. If you have ever used a secure website, you have used encryption.

On private networks, encryption is generally not a very big issue. Modern network operating systems often invisibly implement encryption so that passwords are not transmitted openly throughout the network. On the other hand, normal network transmissions are not usually encrypted, although they can be if the need arises. A far more common use for encryption is for data that is sent across a public network such as the Internet or across wireless networks where outside users might be able to gain access to the data. In both of these cases, there is plenty of opportunity for someone to take the data from the network and then read the contents of the packets. This process is often referred to as packet sniffing.

By sniffing packets from the network and reading their contents, unauthorized users can gain access to private information. They can also alter the information in the packet. Therefore, the stronger the encryption method that is used, the better protected the data is.

A number of encryption methods are commonly used, including

  • IP Security (IPSec)

  • Secure Sockets Layer (SSL)

  • Triple Data Encryption Standard (3DES)

  • Pretty Good Privacy (PGP)

For more information on the characteristics of common encryption protocols, refer to Chapter 6, "WAN Technologies, Internet Access, and Security Protocols."

Implementing Encryption

Irrespective of which encryption method or protocol is used, network administrators must be aware that providing encryption for network traffic is not without its considerations. These include

  • Network traffic overhead. Encrypting data on a network increases the volume of traffic. Even if, as with some encryption methods, the data packets that traverse the network do not grow in size, there is often traffic associated with the setup and teardown of encrypted communication sessions.

  • Processor overhead. While modern encryption protocols are designed to be as lightweight as possible, there is still always an overhead associated with encrypting or decrypting data. In a small environment with just a few computers, this overhead might be negligible, and server or workstation performance might not be affected. In larger environments, however, or with servers that handle very large amounts of network traffic, the overhead associated with encryption must be considered more carefully.

  • Supported operating systems. Not all operating systems support all encryption mechanisms. For example, Microsoft Windows Server 2003 relies on IPSec as the primary means of encryption, and Windows XP Professional Edition also supports IPSec, as does Windows 2000 Professional. Earlier versions of Windows, such as Windows 98 and Windows Me, however, do not support IPSec without additional client software.

Another key consideration when using encryption, particularly from a connectivity perspective, is that some operating systems can be configured to deny requests from clients that are not using encryption. This configuration should be implemented only after it has been confirmed that all the client systems can also use encryption. Otherwise, they will not be able to connect to the server.

Public Key Infrastructure (PKI)

No discussion of encryption would be complete without the inclusion of Public Key Infrastructure, or PKI. PKI provides a mutually accessible certification authority from which encryption protocols such as IPSec and SSL can obtain, exchange, and transmit keys, in the form of certificates. These certificates then provide a common mechanism by which data can be encrypted and decrypted.




    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194