Saturday, February 8, 2014

Document: Module 11: Creating a Security Design for Network Perimeters ppt

Module 11: Creating a Security Design for Network Perimeters

Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from
Microsoft Solutions Framework (MSF). Use this page to emphasize that
students must perform threat analysis and risk assessment on their own
networks for the topic covered in this module, and then they must design
security responses to protect the networks.
Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Designing Security for Network Perimeters
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.

Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.

Overview

***************************** ILLEGAL FOR NON-TRAINER USE ******************************
In this module, you will learn how to determine threats and analyze risks to
network perimeters. You will also learn how to design security for network
perimeters, including screened subnets, and for computers that connect directly
to the Internet.
After completing this module, you will be able to:
• Determine threats and analyze risks to network perimeters.
• Design security for network perimeters.


Lesson: Determining Threats and Analyzing Risks to
Network Perimeters

The perimeter, or boundary, of a network is where your organization ends and
the area outside your organization begins. Perimeters are not always easy to
identify. Attackers who penetrate weaknesses in your perimeter can potentially
access information on your network.
After completing this lesson, you will be able to:
• Describe the perimeter of a network.
• Explain the importance of perimeter security.
• List common vulnerabilities to perimeter security.

What Is the Perimeter of a Network?

A perimeter is any point that connects to networks outside of an organization.
In a typical network, perimeter points can include:
• Direct Internet connections. Any connection to the Internet from within an
organization.
• Dedicated WAN links. Wide area network (WAN) links to branch offices,
trusted partners, or other facilities outside of the organization.
• Screened subnets. Protected areas within a network that run services, such
as business-to-business (B2B) services, that the organization exposes to
public networks, such as the Internet.
• VPN clients. A virtual private network (VPN) tunnel to remote users who
are accessing the internal network across a public network.
• Applications. Organizations may run applications that access the Internet or
access services running in a screened subnet.
• Wireless connections. Access to wireless networks can often be gained from
outside of an organization’s physical facilities.


Why Perimeter Security Is Important

Assets are vulnerable to threats from both external and internal attackers. For
example:
External attacker scenario. An external attacker runs a series of port scans on
a network. The attacker uses the information to create a network diagram of the
perimeter, including computers in the screened subnet, operating systems of
network devices and computers, services running in the screened subnet, and the
level of security that is implemented on the network. The attacker researches
known vulnerabilities of these network devices, computers, and services, and
then attacks the network systematically.
Internal attacker scenario. An employee receives an e-mail from a friend through
an external Web-based e-mail account. When the employee opens a file that is
enclosed in the e-mail, a new worm virus automatically spreads to all computers
on the internal network. The traffic from the spreading virus slows legitimate
traffic, resulting in a denial of service (DoS) for network users.

Common Vulnerabilities to Perimeter Security

Of all the areas of your network, the network perimeter has the greatest
exposure to public networks and therefore is one of the areas most threatened
by attack. Before Internet connectivity became common, an organization’s
network often maintained only one connection to a public network.
Today, Internet access, remote access, and branch office connectivity have
become vital to the operation of an organization. As organizations increase their
requirements for connectivity, the difficulty of managing network connections
increases, and so does the risk that information and computers may be exposed
to attack.
For more information about common attacks to network perimeters, see:
• The Web page, Hacking Methods, on the Internet Security Systems Web
site, at: http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/default.htm.
• The white paper, Managing the Threat of Denial-of-Service Attacks, on the
CERT Coordination Center Web site, at: http://www.cert.org/archive/pdf/Managing_DoS.pdf.


Practice: Analyzing Risks to Network Perimeters

Northwind Traders has 10,000 users who work in one facility. All users have
computers running Microsoft® Windows® 2000 that belong to an Active
Directory® directory service domain. Northwind Traders recently deployed a
Web server so that employees can retrieve their e-mail messages.
The IT manager has asked you to explain how a Land attack and a SYN flood
attack (or SYN-ACK attack) can prevent users from retrieving their e-mail. Use
the Internet to locate information about how Land and SYN-ACK attacks affect
perimeter security.
1. What is a Land attack, and how can it prevent users from receiving their
e-mail messages?
A Land attack sends SYN packets with the same source and destination
IP addresses and the same source and destination ports to a host
computer. This makes it appear as if the host computer sent the packet
to itself. The host will continue to attempt to contact itself and prevent
legitimate traffic from being processed. An attacker could use a Land
attack against the router, firewall, or Web server at Northwind Traders
to prevent users from retrieving their e-mail.
Sources of information include:
• The Web page, CERT Advisory CA-1997-28 IP Denial-of-Service
Attacks, on the CERT Coordination Center Web site, at:
http://www.cert.org/advisories/CA-1997-28.html.
• Q165005, Windows NT Slows Down Because of Land Attack.



2. What is a SYN-ACK or SYN flood attack, and how can it prevent users
from receiving their e-mail messages?
At the beginning of a TCP connection, a SYN-ACK attack sends a SYN
packet to the target host from a spoofed source IP address. The target
host responds with a SYN-ACK packet, and then leaves the TCP
sessions in a half-open state while waiting for the spoofed host to
respond. Because the spoofed host will never respond, the session will
remain half open. The attacker repeatedly changes the spoofed source
address on each new packet that is sent to generate additional traffic
and deny legitimate traffic. An attacker could use a SYN-ACK attack
against the router, firewall, or Web server at Northwind Traders to
prevent users from retrieving their e-mail messages.
Sources of information include:
• RFC 2267, Defeating Denial of Service Attacks which employ IP
Source Address Spoofing.
• Q142641, Internet Server Unavailable Because of Malicious SYN
Attacks.
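
The two conditions described in the answers above (a SYN whose source and destination address and port are identical, and SYNs that are never followed by the client's ACK) can be checked in captured traffic. The following is an added example, not part of the original courseware; the packet tuples, addresses, function names and the threshold of 3 are constructed for illustration, and a production monitor would also expire entries by time.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("192.0.2.10", 80, "192.0.2.10", 80, SYN),             # Land: source == destination
    ("198.51.100.7", 40001, "192.0.2.10", 80, SYN),        # legitimate handshake
    ("192.0.2.10", 80, "198.51.100.7", 40001, SYN | ACK),
    ("198.51.100.7", 40001, "192.0.2.10", 80, ACK),        # handshake completed
    ("203.0.113.1", 1111, "192.0.2.10", 80, SYN),          # never followed by an ACK
    ("203.0.113.2", 2222, "192.0.2.10", 80, SYN),
    ("203.0.113.3", 3333, "192.0.2.10", 80, SYN),
]


def is_land(pkt):
    """True for a SYN whose source and destination IP and port are identical."""
    src, sport, dst, dport, flags = pkt
    return bool(flags & SYN) and src == dst and sport == dport


def half_open(packets):
    """Map each (server_ip, server_port) to clients that sent SYN but no final ACK."""
    pending = defaultdict(set)
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:        # client's opening SYN
            pending[(dst, dport)].add((src, sport))
        elif flags & ACK and not flags & SYN:      # client's ACK completes the handshake
            pending[(dst, dport)].discard((src, sport))
    return pending


def analyze(packets, threshold=3):
    """Return (land_packets, {service: half_open_count}) for services at or over threshold."""
    packets = list(packets)
    land = [p for p in packets if is_land(p)]
    pending = half_open([p for p in packets if not is_land(p)])
    flooded = {svc: len(c) for svc, c in pending.items() if len(c) >= threshold}
    return land, flooded


if __name__ == "__main__":
    land, flooded = analyze(PACKETS)
    print("Land packets:", land)
    print("Services with many half-open sessions:", flooded)
```
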





Lesson: Designing Security for Network Perimeters

A perimeter of a network is by nature a place of low trust. You must ensure that
your network perimeter is secure and that it provides the services that you, your
customers, and your partners require. Identify the perimeter, decide what
services you will provide in the perimeter, and determine how you will securely
manage and monitor these services. You can also use firewalls and hardware
devices to secure your network perimeter from attack.
After completing this lesson, you will be able to:
• Describe common network perimeter designs.
• Explain the steps for designing a secure screened subnet.
• Explain how perimeter devices protect a network.
• List guidelines for protecting computers on a perimeter.
