Networks and Security
Reading: Pfleeger, Chapter 7

* Network Security
  building "trustable" systems from "untrusted" components
  don't always have lots of control over:
    vendor OS contents
    network device SW
  have to configure network components as much as possible to get desired results
  network layers:
    application
    service
    protocol
    IP
    link/physical

* Network components
  physical layer - cable, wireless, telecommunications links
  hub - coax in a box
  switches - switch at MAC/IP layer
  routers - route at IP layer
  hosts
  firewalls
  networks are components of larger networks

* LAN vs. WAN
  LAN - local area net
    geographically limited - building(s)
    common administrative domain (owner/operators)
    often only one "trust domain" - everything trusted at the same level
    one or more links to other LANs - via Internet or owned links
  WAN - wide area net
    geographically diverse - city, state, region, continental scope or larger
    common administrative domain (owner/operators) for the backbone itself
      BUT all networks connected to it are owned by others
    ALWAYS multiple "trust domains" - everything NOT trusted at the same level
    one or more links to other WANs - via Internet or owned links
    interconnected LANs
    "backbone service provider"

* Network topologies - basics
  common bus (wireless, Ethernet)
  star/hub (point-to-point, switch, router)
  ring (FDDI, token-ring)

* BASIC NETWORK DIAGRAMS

* Network design - security principles
  it's all about different levels of trust and separation
  well-defined security perimeter(s)
  "defense in depth" (castles and keeps)
    concentric rings (domains) of trust
    multiple independent trust domains
  segregate by trust level or function or services

* Network design - process
  identify assets (resources), vulnerabilities, threats (risks), controls
  identify services, servers, clients
  rank assets, services, servers by "trust" and critical nature
  move resources (services, servers) and users (clients) into separate trust domains
  use hierarchical domains and disjoint domains as needed
  plan to replace unsafe services (plaintext passwords, etc.)

* Security perimeters
  are walls around and between security domains
  must be well-defined in terms of:
    resources within
    services provided and used
    mechanism used to protect
  are typically implemented with "firewalls" (routers)

* Trust (again)
  Who trusts who?
  The Rule - only trust things at the same or higher level of trust
    hosts trust hosts, networks and services
    networks trust networks
    users trust hosts and networks

* NETWORK TRUST DIAGRAM (rings and non-hierarchical domains)
  What goes where?

* Least trustworthy - Internet ("outside")
  things you have no control over
  "them"
  your users (while traveling, or at home)
  your biggest threat

* Untrusted ("Outside" or "Inside")
  things you control, but do not want to trust
  public and sacrificial servers
  things you could destroy and still function
  public web servers, secondary (external) DNS, etc.

* Less trusted
  things you control, and trust to some limited extent
  things that are not to be trusted by important core services
  desktops
  some servers - intranet web servers, print servers

* More trusted
  things you control, and depend on
  you trust them because you have to
  file servers
  email servers
  admin servers
  important web servers
  database servers

* Critical security services
  Kerberos KDC
  certificate servers
  logging, audit, IDS
  "core services"
    business critical
    financial data
    production control (manufacturing?)
  primary (private) DNS
  time servers

* Defining security perimeters (trust)
  routers and firewall filters (rules)
  NFS and other server relationships
  tcp_wrappers configurations
  *POLICY*

* Firewalls
  "If you have a firewall, you are doing it wrong" - Bill Cheswick
  a single firewall at the border is not enough
    crunchy outer shell vs. soft chewy center
  use multiple trust domains

* "every host a firewall"
  every host becomes a security domain
  can assist in securing hosts
  think "MAC for hosts"

* Possible network architecture
  external borders
  rings of trust
  disjoint domains (play net, etc.)
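The Rule ("only trust things at the same or higher level of trust"), the who-trusts-whom kinds, and the requirement that relationships between domains pass through a defined perimeter can be checked mechanically before a design is built. The following Python checker is an added example for these notes, not code from the lecture or from Pfleeger. The rings come straight from the outline; the component names, the declared dependencies and the perimeter list are constructed sample data, and letting a "service" trust the same kinds of things a host may is an assumption the outline does not state.

```python
# Added example for these notes (not from the lecture or Pfleeger): a small
# checker for the ring-of-trust rule. All components, dependencies and
# perimeters below are constructed sample data.
from dataclasses import dataclass

# Trust rings from the outline, ordered least to most trusted.
RINGS = ["internet", "untrusted", "less_trusted", "more_trusted", "critical"]
LEVEL = {ring: i for i, ring in enumerate(RINGS)}

# "hosts trust hosts, networks and services; networks trust networks;
#  users trust hosts and networks". Assumption: a service trusts what a host may.
ALLOWED_KINDS = {
    "host": {"host", "network", "service"},
    "network": {"network"},
    "user": {"host", "network"},
    "service": {"host", "network", "service"},
}


@dataclass(frozen=True)
class Component:
    name: str
    kind: str  # host | network | service | user
    ring: str  # one of RINGS


def check_trust(truster, trustee):
    """Reasons why `truster` may NOT depend on `trustee` (empty list = allowed).

    The Rule: only trust things at the same or higher level of trust, and
    only the kinds of things your own kind is allowed to trust.
    """
    reasons = []
    if trustee.kind not in ALLOWED_KINDS[truster.kind]:
        reasons.append(f"{truster.kind}s do not trust {trustee.kind}s")
    if LEVEL[trustee.ring] < LEVEL[truster.ring]:
        reasons.append(f"{trustee.ring} is less trusted than {truster.ring}")
    return reasons


def audit(components, dependencies, perimeters):
    """Audit declared dependencies against the rings.

    dependencies: (truster, trustee) name pairs, "truster depends on trustee".
    perimeters:   set of frozenset({ring_a, ring_b}) pairs that have a
                  firewall/router defined between them.
    Returns a list of (truster, trustee, reason) violations.
    """
    by_name = {c.name: c for c in components}
    violations = []
    for a, b in dependencies:
        t, u = by_name[a], by_name[b]
        for reason in check_trust(t, u):
            violations.append((a, b, reason))
        # A relationship that crosses rings must pass through a defined perimeter.
        if t.ring != u.ring and frozenset({t.ring, u.ring}) not in perimeters:
            violations.append((a, b, f"no perimeter between {t.ring} and {u.ring}"))
    return violations


# Constructed sample network following the outline's "what goes where".
COMPONENTS = [
    Component("internet", "network", "internet"),
    Component("public_web", "host", "untrusted"),
    Component("external_dns", "service", "untrusted"),
    Component("desktop", "host", "less_trusted"),
    Component("alice", "user", "less_trusted"),
    Component("file_server", "host", "more_trusted"),
    Component("mail_server", "host", "more_trusted"),
    Component("core_lan", "network", "critical"),
    Component("kdc", "service", "critical"),
    Component("ntp", "service", "critical"),
]

DEPENDENCIES = [
    ("alice", "desktop"),             # user -> host, same ring: OK
    ("desktop", "file_server"),       # less trusted depends on more trusted: OK
    ("file_server", "desktop"),       # server depending on a user's desktop: violation
    ("desktop", "kdc"),               # host -> critical service through a perimeter: OK
    ("kdc", "ntp"),                   # critical depends on critical: OK
    ("mail_server", "external_dns"),  # more trusted depends on untrusted, no perimeter: violations
    ("core_lan", "kdc"),              # networks trust only networks: violation
    ("alice", "internet"),            # user depends on the Internet, no perimeter: violations
]

# Perimeters (firewalls/routers) defined between adjacent rings, plus one
# between desktops and the core services they authenticate against.
PERIMETERS = {
    frozenset({"internet", "untrusted"}),
    frozenset({"untrusted", "less_trusted"}),
    frozenset({"less_trusted", "more_trusted"}),
    frozenset({"less_trusted", "critical"}),
    frozenset({"more_trusted", "critical"}),
}

if __name__ == "__main__":
    for truster, trustee, reason in audit(COMPONENTS, DEPENDENCIES, PERIMETERS):
        print(f"{truster} -> {trustee}: {reason}")
```

Run as a script it lists six violations for the sample data: the file server depending on a desktop, the mail server depending on an untrusted external DNS (and doing so across rings with no perimeter), the core LAN trusting a service rather than a network, and a user depending on the Internet. Dependencies that run from a lower ring to a higher one through a defined perimeter produce nothing, which is the direction the rule permits.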
* Questions
  Is it possible to build a "trustable" network from untrustable components?
  Why is it easier to "tap" an Ethernet than a point-to-point link?
  Why is it "safe" to run some weak protocols within a LAN, but not on a WAN?
  Why is an Ethernet hub *not* part of a "star/hub" network? (Confusing terminology)
  Are switches and VLANs sufficient to prevent "sniffing"?
  Is it a good idea to combine critical servers and desktops on the same LAN segment? Why or why not?
  Why is plaintext authentication sometimes acceptable in a LAN? How does this compare to a WAN?
  What is the appropriate device to put between 2 trust domains?
  Is it appropriate for a network server to depend on (trust) a user's desktop?
  Why are time servers "critical" services?
  Why is audit a "critical" service?
  Why is one firewall always the wrong answer?