IS3220 Unit 7 Assignment 1: Create a VPN Connectivity Troubleshooting Checklist

VPN connectivity troubleshooting checklist

1. Users can't access file servers

If the user can access the file server by IP address but not by name, the most likely cause is a name resolution problem. Name resolution can fail for NetBIOS names or for DNS host names. If the client operating system depends on NetBIOS, the VPN server should assign the VPN clients a WINS server address. If the client operating system prefers DNS, the VPN server should assign the VPN clients an internal DNS server that can resolve internal network host names. When DNS is used to resolve internal network host names for VPN clients, make sure those clients can correctly resolve unqualified names as well as the fully qualified domain names used on the corporate network. This problem is seen most often when non-domain computers attempt to use DNS to resolve server names on the internal network behind the VPN server.

2. Users can't access anything on the corporate network

Sometimes users can connect to the remote access VPN server but cannot reach any resources on the corporate network: they cannot resolve host names and cannot even ping corporate hosts. The most common cause is that the user's local network uses the same network ID as the corporate network behind the VPN server. For example, the user is connected to a hotel broadband network and is assigned a private IP address on network ID 10.0.0.0/24. If the corporate network is also on network ID 10.0.0.0/24, the user won't be able to connect, because the VPN client machine sees the destination as being on the local network and will not send the connection through the VPN interface to the remote network.

Another common reason for communications failures is that the VPN clients are not allowed access to corporate resources by the firewall rules on the collocated VPN server/firewall device to which they connect. The solution is to configure the firewall to allow the VPN clients access to the appropriate network resources.
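The checklist items above can be exercised offline with a small triage script. The following Python is an added example written for this page, not part of the assignment or of any vendor's VPN software. It models the three failure causes the checklist names: an overlapping network ID between the local (hotel) network and the corporate network, the resulting on-link routing decision that keeps traffic out of the tunnel, a missing internal DNS server or search suffix, and a VPN server/firewall policy that does not permit the VPN client pool. All addresses, routes, metrics and rules are constructed sample data, and the routing model (longest prefix match, then lowest metric) is a simplification assumed for illustration.

```python
"""Offline triage for the VPN checklist: overlapping network IDs, on-link vs.
tunnel routing, DNS assignment, and VPN server/firewall rules.
Added example; every input below is constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    network: IPv4Network   # destination prefix
    interface: str         # "lan" = directly connected, "vpn" = tunnel adapter
    metric: int            # lower wins when prefix lengths tie


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str            # "allow" or "deny"; first matching rule wins


def find_overlaps(local_nets, corporate_nets) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Checklist item 2: any overlap means corporate hosts look on-link to the
    client, so the traffic never enters the tunnel."""
    local = [ip_network(n, strict=False) for n in local_nets]
    corp = [ip_network(n, strict=False) for n in corporate_nets]
    return [(l, c) for l in local for c in corp if l.overlaps(c)]


def select_route(dest: str, routes: List[Route]) -> Optional[str]:
    """Longest-prefix match, ties broken by lowest metric (simplified model of
    a client routing table; an assumption, not any vendor's exact rule)."""
    addr = ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric)).interface


def dns_findings(assigned_dns, internal_resolvers, search_suffixes, corp_suffix) -> List[str]:
    """Checklist item 1: the client needs an internal resolver plus the corporate
    DNS suffix so that an unqualified name such as 'fileserver' resolves."""
    out = []
    if not any(d in internal_resolvers for d in assigned_dns):
        out.append("VPN client was not assigned an internal DNS server")
    if corp_suffix not in search_suffixes:
        out.append(f"search suffix {corp_suffix} missing; unqualified names will not resolve")
    return out


def firewall_allows(rules: List[Rule], src: str, dst: str) -> bool:
    """First-match evaluation of the collocated VPN server/firewall policy;
    implicit deny when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action == "allow"
    return False


# Constructed sample environment (hypothetical addresses).
CORP_NET = "10.0.0.0/24"
FILE_SERVER = "10.0.0.50"
INTERNAL_DNS = ["10.0.0.10"]
VPN_POOL = "172.16.50.0/24"

BROKEN_ROUTES = [                                   # hotel LAN collides with CORP_NET
    Route(ip_network("10.0.0.0/24"), "lan", 25),    # directly connected hotel network
    Route(ip_network("10.0.0.0/24"), "vpn", 50),    # corporate route pushed by the VPN server
    Route(ip_network("0.0.0.0/0"), "lan", 25),
]
WORKING_ROUTES = [                                  # hotel LAN on a non-colliding network
    Route(ip_network("192.168.1.0/24"), "lan", 25),
    Route(ip_network("10.0.0.0/24"), "vpn", 50),
    Route(ip_network("0.0.0.0/0"), "lan", 25),
]
RULES = [Rule(ip_network(VPN_POOL), ip_network(CORP_NET), "allow")]


def triage(local_nets, routes, assigned_dns, search_suffixes, rules,
           client_ip: str = "172.16.50.7") -> List[str]:
    """Run every checklist item; an empty list means nothing was found."""
    findings = [f"local network {l} overlaps corporate network {c}"
                for l, c in find_overlaps(local_nets, [CORP_NET])]
    if select_route(FILE_SERVER, routes) != "vpn":
        findings.append(f"{FILE_SERVER} would be sent to the local LAN, not the tunnel")
    findings += dns_findings(assigned_dns, INTERNAL_DNS, search_suffixes, "corp.example")
    if not firewall_allows(rules, client_ip, FILE_SERVER):
        findings.append(f"firewall blocks VPN client {client_ip} from reaching {FILE_SERVER}")
    return findings


def broken_scenario() -> List[str]:
    """Hotel on 10.0.0.0/24, public DNS only, no suffix, no firewall rule."""
    return triage(["10.0.0.0/24"], BROKEN_ROUTES, ["203.0.113.53"], [], [])


def fixed_scenario() -> List[str]:
    """Same client after every checklist item has been addressed."""
    return triage(["192.168.1.0/24"], WORKING_ROUTES, ["10.0.0.10"], ["corp.example"], RULES)


if __name__ == "__main__":
    for line in broken_scenario() or ["no findings"]:
        print(line)
```

Running the script prints the findings for the broken scenario; the fixed scenario returns no findings. Feeding it a real client's routing table and pushed DNS settings (instead of the constructed constants) turns the checklist into a repeatable first pass before anyone touches the VPN server.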
Presentation on theme: "IS3220 Information Technology Infrastructure Security"— Presentation transcript:
1 IS3220 Information Technology Infrastructure Security
Unit 2Network Security Basics
2 Lesson Presentation and Discussions.
Unit 2 Class Agenda 12/17/15
Learning Objectives
Lesson Presentation and Discussions.
Lab Activities will be performed in class.
Assignments will be given in class.
Break Times: a 10 minute break every hour.
Assignments and labs are posted to the website.
3 Discussion on How to use the Virtual Lab
4 EXPLORE: CONCEPTS
5 Learning Objective
Explain the fundamental concepts of network security
4/27/2017 (c) ITT Educational Services, Inc.
6 Key Concepts
Confidentiality, integrity, and availability mandates for network resource security
Network security and its value to the enterprise
Roles and responsibilities in network security
Impact of network infrastructure design on security
Features, uses, and benefits of network security countermeasures
7 Primary Goals of Information Security
Confidentiality, Integrity, Availability (together they make up Security)
8 Secondary Goals of Information Security
9 Seven Domains of a Typical IT Infrastructure

User Domain: This domain refers to actual users, whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization's IT infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization's IT resources and infrastructure.

Workstation Domain: This domain refers to the end user's desktop devices such as a desktop computer, laptop, VoIP telephone, or other end-point device. Workstation devices typically require security countermeasures such as antivirus, antispyware, and vulnerability software patch management to maintain the integrity of the device.

LAN Domain: This domain refers to the physical and logical local area network (LAN) technologies (i.e., 100 Mbps/1000 Mbps switched Ethernet, the family of wireless LAN technologies) used to support workstation connectivity to the organization's network infrastructure.

LAN-to-WAN Domain: This domain refers to the organization's internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZs), intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are commonly used as security monitoring devices in this domain.

Remote Access Domain: This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization's IT infrastructure, systems, and data. Remote access solutions typically involve Secure Sockets Layer (SSL) 128-bit encrypted remote browser access or encrypted virtual private network (VPN) tunnels for secure remote communications.

WAN Domain: Organizations with remote locations require a WAN to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations, sometimes under a managed service offering by the service provider.

System/Application Domain: This domain refers to the hardware, operating system software, database software, client/server applications, and data that is typically housed in the organization's data center and/or computer rooms.
10 The Need for Information Security
Risk, Threat, Vulnerability
Risk: Likelihood that a threat will exploit a vulnerability, and the impact it will have on an organization
Threat: The possibility of a vulnerability being exploited
Vulnerability: Weakness in a process or system that has the potential to adversely impact confidentiality, availability, or integrity
11 Information Assurance
Authentication
Non-repudiation
Integrity
Confidentiality
Availability
Network security goals vary from organization to organization. Often they include a few common mandates:
• Ensure the confidentiality of resources
• Protect the integrity of data
• Maintain availability of the IT infrastructure
• Ensure the privacy of personally identifiable data
• Enforce access control
• Monitor the IT environment for violations of policy
• Support business tasks and the overall mission of the organization
12 Security Policy
Establish goals
Address risk
Provide a roadmap for security
Set expectations
Link to business objectives
Map to laws and regulations
Supported by standards, procedures, and guidelines
The creation of policies allows the risks of loss, destruction, or corruption of information to be mitigated.
13 Examples of Network Infrastructures
Workgroup
  Small
  Limited uses
  No central authority
  Security policy is managed individually
SOHO
  Some level of central management
  Not scalable
Client/Server
  Shared resources
  Larger networks
  Complexity
  Centralized control
14 General Terms: Confidentiality, Integrity, Availability, Trust, Privacy
15 Networking Terminology
Firewall
Router
Virtual Private Network
IPSec
Demilitarized Zone
Intrusion Detection System (IDS)
Intrusion Prevention System (IPS)
16 EXPLORE: PROCESS
17 Policy, Awareness, and Training
Policy ~ sets expectations
Awareness ~ promotes security
Training ~ defines roles and responsibilities
Policy
  Well-defined
  Addresses business needs and security concerns
  Sets expectations
Awareness
  Promotes security
  Keeps security at the front of users' minds
Training
  Individuals understand their roles and responsibilities
  Individuals understand security policy
18 Security Countermeasures
Common countermeasures, with their uses, benefits, and limitations:
Firewalls
  Uses: filter traffic; segmentation; hardware or software
  Benefits: first line of defense; keep noise out; perimeter defense
  Limitations: not content oriented; limited to a yes-or-no decision
Virtual Private Network (VPN)
  Uses: remote access; encrypted tunnel
  Benefits: private tunnel; extends cover
  Limitations: man-in-the-middle; not traffic oriented
Intrusion Detection/Prevention System
  Uses: monitor traffic; may block attacks; host or network based
  Benefits: notification; prevention
  Limitations: relies on signatures; false positives
19 Security Countermeasures (Continued)
Data Loss Prevention
  Uses: monitor data loss; block data loss
  Benefits: sensitive configuration; breach notification
  Limitations: signature reliant; false positives; circumventable
Security Incident and Event Management
  Uses: aggregate security logs; correlate security logs
  Benefits: monitor and review; generate alerts
  Limitations: data heavy; limited to log information
20 Security Countermeasures (Continued)
Continuous Control Monitoring
  Uses: checks configuration; standards compliance
  Benefits: real-time monitoring; automated monitors; self correction
  Limitations: emerging technology; policy dependent
Vulnerability Assessment
  Uses: tests systems
  Benefits: proactive remediation; centralized tracking
  Limitations: limited to known vulnerabilities; creates noise
21 EXPLORE: CONTEXT
22 Consider Business Requirements
Availability of the network and its components
  Redundancy
  High availability: Active/Active, Active/Passive, Hot Standby, Cold Standby
  Single point of failure
  Denial of service
Sensitivity of the data
  Encryption
  Access control
23 Internet Exposure
Remote access
Will a VPN work?
Is direct internet access required?
A system that needs to be accessed remotely adds additional concerns. Accessing a system over a VPN connection ensures that the system keeps much of the security associated with the corporate network. If a system requires a direct connection to the internet for external users or customers, one may need to consider additional firewalls, the creation of a DMZ, or the addition of SSL encryption.
24 Wired Networks
Lack of external connectivity provides physical isolation
  Can rely on physical controls to protect the network
  External threats must breach a physical barrier
If external connectivity is required
  No control is the same as physical isolation, but security must enable the business
  Consider segmentation
  Rigorous front door screening
  Filtering
  Multiple firewalls
  VPN for remote access
Connection to a wired network is limited to those directly attached to it. Physical isolation of a network requires one to physically access a system connected to the network or otherwise attach to the network. However, the nature of networking is to connect networks to each other. External connectivity requires segmentation and filtering.
25 Benefits of Wireless Networking
Can be inexpensive to deploy
No need to run wires
Quick connectivity for multiple users
Convenience
Mobility
Ubiquity: all laptops now come equipped with wireless
26 Wireless Concerns
Introduces a new attack surface
  Requires additional design considerations to mitigate attack
  MAC filtering
  Hidden SSID
  Authentication
Data is transmitted over the air and is accessible
  Use of encryption technology
  Consider implementing segmented wireless networks
  Require VPN authentication for wireless access
Network can be directly accessed from a distance
  Shielding
27 Mobile Networking
Allows the user to be completely mobile
Requires considerations for central management
Potential for the device to be lost
28 Unit 2 Assignment and Lab
Discussion 2.1 Familiar Domains
Assignment 2.3 Selecting Security Countermeasures
Assignment is due next class
Class Project: Discussion
29 Unit 2 Lab Activities
Lab 1.2 Analyze Essential TCP/IP Networking Protocols
Lab 2.2 Network Documentation
Labs should be completed using VLab on the school website.
Labs should be completed in class; if not completed, they should be submitted in the next class.