Module 8.0 - ISP Responsibility

8.0 - Chapter Introduction

8.0.1 - Introduction
Single Diagram

Diagram 1, Slide Show
Slide One
As the reliance on network services increases, the ISP must provide, maintain, secure, and recover critical business services.
Slide Two
The ISP develops and maintains security policies and procedures for its customers, along with disaster recovery plans for its network hardware and data.
Slide Three
After completion of this chapter, you should be able to:
* Describe ISP security policies and procedures.
* Describe the tools used in implementing security at the ISP.
* Describe the monitoring and managing of the ISP.
* Describe the responsibilities of the ISP with regard to maintenance and recovery.

8.1 - ISP Security Considerations

8.1.1 - ISP Security Services
Two Diagrams

Diagram 1, Image
A man sitting at his workstation is in the background, typing in his user name and password. In the foreground there is a sinister-looking character holding up a laptop displaying the user name and password.

Diagram 2, Image
Image of the Windows logon page with the security properties window in the background. Several security practices are listed:

Password Security
Choose a complex password. A complex password consists of a mix of upper case characters, lower case characters, numbers, and symbols. A complex password should be at least eight characters in length and never be based on a dictionary word or on personal information that someone may be able to guess. It is also recommended that passwords be changed periodically. Software exists that allows a hacker to crack passwords by trying every possible combination of letters, numbers, and symbols. Changing your password periodically makes brute force password cracking less of an issue, because by the time the hacker cracks the password, it should already have been changed to something different.
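As an added example (not part of the course module), the following Python function checks a candidate password against the rules just listed: length, character classes, dictionary words, personal information and age. The small word list, the substitution table and the 90-day rotation period are assumptions, since the text only says "periodically".

```python
import re
import string

# Constructed mini word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "friend", "summer", "letmein", "qwerty"}
# Common character-for-letter substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MAX_AGE_DAYS = 90   # assumed rotation period; the text only says "periodically"

def policy_failures(password, personal_info=(), age_days=None):
    """Return the reasons a password fails the policy above (an empty list means it passes)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than eight characters")
    classes = {
        "upper case": any(c.isupper() for c in password),
        "lower case": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            failures.append(f"no {name} character")
    # Drop digits/symbols tacked on at either end, then undo substitutions, so
    # "Passw0rd1!" is still recognised as the dictionary word it is built on.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower()).translate(LEET)
    if core in DICTIONARY:
        failures.append("based on a dictionary word")
    # Personal information such as a user name or birthday must not appear in the password.
    for item in personal_info:
        if len(item) >= 3 and item.lower() in password.lower():
            failures.append(f"contains personal information ({item})")
    if age_days is not None and age_days > MAX_AGE_DAYS:
        failures.append("older than the rotation period")
    return failures
```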
Extraneous Services
One of the most common methods used to compromise a computer system is to exploit unconfigured or misconfigured services. The nature of a service is that it listens for requests from external computer systems. If the service has a known exploitable flaw because it is unconfigured or configured incorrectly, a hacker or a worm can compromise that service and gain access to the computer system the service is running on. As a best practice, remove or disable all unnecessary services. For services that are necessary or cannot be uninstalled, make sure you follow the best practices in the configuration guides for that particular service.

Patch Management
New security exploits for operating systems are identified almost every day. A simple online search will turn up sites that list exploitable vulnerabilities for virtually every operating system available today. Operating system developers release updates regularly, daily in some cases. It is important to regularly review and install security updates for your operating systems. Most intrusions by a hacker, and most infections from worms and viruses, can be prevented by patching the operating system regularly.

Application Security
Unpatched and unnecessary applications installed on an operating system increase the risk of compromise. Just as the operating system needs to be patched regularly, so do the installed applications. Internet-based applications, such as Internet browsers and email applications, are the most important applications to keep patched, since they are the most targeted type of application.

User Rights
On a typical modern operating system there are multiple levels of access to the operating system. When a user account has administrative access to the operating system, malware can more easily infect the computer system.
This is due to the unrestricted access to the file system and system services. Normal user accounts cannot install new applications, since they do not have access to the areas of the file system and the system files needed to install most applications. As a result, normal users are not as susceptible to malware that tries to install itself or access certain areas of the file system. As a best practice, users should only have the level of access required to perform their normal daily work. Administrative access should only be used occasionally, to perform functions that are not permitted as a normal user.

Security Scanning
There are many tools that can help you secure your operating system. Most security scanning tools check for many system security weaknesses and report back on how to rectify the problems found. Some of the more advanced scanning packages go beyond typical operating system security scans: they look at the software and services running on a computer and suggest ways to protect the entire system from attack.

Tip
Microsoft has a freely downloadable tool called the Microsoft Baseline Security Analyzer (MBSA) that examines everything from user account security to installed Windows services, and even checks the current patch level of your operating system. Another popular utility created for vulnerability scanning is the Nessus vulnerability scanner. This tool is not specific to Windows, so it scans for vulnerabilities on a variety of platforms. Many other tools are available online. It is usually best to use more than one tool to examine the security of your system, to get the best overall results.

8.1.2 - Security Practices
Two Diagrams

Diagram 1, Image
Screenshot of the My Documents Properties window showing the Security tab.

Diagram 2, Animation
Small network with a RADIUS authentication server connecting via a gateway to an ISP.
A host labeled Attacker is also connected to the ISP and makes a Network Access Attempt. Inside the network there are two hosts, one labeled Legitimate Network Access Attempt and the other labeled Attacker Network Access Attempt. Unauthorized users may attempt to access network resources either from inside or outside the network. All clients attempting to log in are challenged by the AAA authentication service on the RADIUS server. The authentication service verifies the username and password against a database of valid users. An authenticated user is authorized to use specific services in the network. When a user logs out, the accounting service records where the user has been, what they have done, and how long they used a network service.

8.1.3 - Data Encryption
Three Diagrams

Diagram 1, Image
Clear Text
The image shows a user at his workstation logging onto a web server. His logon is User name: john, Password: friend. The image also shows a hacker sitting at his workstation accessing the same web server, typing in User name: john, Password: friend.
Encrypted Data
The image shows a user at his workstation logging onto a web server. His logon is User name: john, Password: ****. The image also shows a hacker sitting at his workstation accessing the same web server, typing in User name: ????, Password: ????

Diagram 2, Image
Web Encryption
A host connected to a server uses the following protocols.
Unsecure: HTTP
Secure: HTTPS
Email Encryption
A host connected to a server uses the following protocols.
Unsecure: SMTP, POP3, IMAP4
Secure: SMTP with SSL or TLS, POP3 with SSL, IMAP4 with SSL or TLS
Telnet Encryption
A host connected to a router uses the following protocols.
Unsecure: Telnet
Secure: SSH
File Transfer Encryption
A host connected to a server uses the following protocols.
Unsecure: FTP
Secure: FTPS
IPSec Encryption
A host connected to a server uses the following protocols.
Unsecure: Any application
Secure: Application with IPSec

Diagram 3, Hands-on Lab

8.2 - Security Tools

8.2.1 - Access Control Lists and Port Filtering
Three Diagrams

Diagram 1, Image
Denial of Service Attack
DoS Attack
An attacker computer uses a DoS attack on a file server to deny legitimate user traffic.
DDoS Attack
An attacker computer uses a control command to order a number of compromised computers to launch a synchronized, remotely controlled attack on a target server to deny legitimate user traffic.
DRDoS Attack
An attacker computer sends spoofed requests to a number of unknowing computers, which then unknowingly respond to the spoofed requests, thus launching a DRDoS attack on a target server to deny legitimate user traffic.

Diagram 2, Image
Port Filtering
The image shows a router with port filtering allowing traffic on web port 80 and denying traffic on Telnet port 23 and SSH port 22. A port filter can be implemented to prevent access to all ports except web port 80. If a user tries to connect to the server using any other port, such as Telnet on TCP port 23, the user is denied access. This protects the server from being compromised.
Access Lists
An access list on a router allows traffic from Network A to go through to Network C, but denies traffic from Network A to Network B. Using an access control list, all computers on Network A are denied access to all computers on Network B. Network A is specified as the source network and Network B as the destination network. Traffic is denied if it meets those conditions. This still allows the computers on Network A to talk to the server on Network C.

Diagram 3, Hands-on Lab

8.2.2 - Firewalls
Three Diagrams

Diagram 1, Animation
Dynamic or Stateful Packet Firewall
Host H1 is connected via Ethernet to a firewall, which is connected to a network cloud via a serial connection. Host H2 is connected via a serial connection to the same cloud, and a server is connected to the Internet cloud.
H1 sends an FTP packet. As it passes through the firewall, the firewall says "I will add this conversation to my database." The packet continues on to its destination, the server. The server replies with an FTP packet. When the packet passes through the firewall, the firewall says "This conversation is in my database. This packet is allowed." The packet continues on to its destination, H1. H2 sends an FTP packet through the Internet cloud. As it passes through the firewall, the firewall says "This conversation is not in my database and is not allowed." The packet is dropped.

Diagram 2, Image
Three servers labeled Accounting, Human Resources, and Sales are collectively labeled (Trusted) Network Servers. These servers connect to an internal firewall. Off this internal firewall, a mail server and a web server are collectively labeled the DMZ. The internal firewall is connected to a Border (Cisco IOS Firewall), which is in turn connected to the Internet, which is untrusted.

Diagram 3, Packet Tracer Exploration

8.2.3 - IDS and IPS
Four Diagrams

Diagram 1, Image
Intrusion Detection System
An intrusion detection system (IDS) is connected to a switch that sits in line between a firewall and the corporate network. The switch is also connected to a management station. The firewall is connected to the Internet on the other side of the network. Any intrusion from outside the network is detected by the IDS and an alert is sent to the management station.
Intrusion Prevention System
The intrusion prevention system (IPS) sits in line between the firewall and the corporate network. The firewall connects to the Internet on the other side of the network. Any intrusion from outside the network is stopped by the IPS.

Diagram 2, Animation
An intrusion detection system (IDS) is connected to a switch that sits in line between two routers. On one side of the first router is the Internet, and on one side of the other router is the target. The switch is also connected to a management station.
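The port filter and access list from 8.2.1 and the stateful conversation database from the 8.2.2 animation, combined in one small Python simulation. This is an added example, not course material; the addresses, the inside/outside roles of H1, H2 and the server, and the default-permit behaviour of the access list are assumptions taken from the diagrams.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination TCP port
    sport: int = 40000  # source TCP port
    proto: str = "tcp"

class Firewall:
    """Models the three mechanisms the chapter describes: an access list on
    source/destination networks, a port filter in front of a server, and the
    stateful 'database' of conversations started from the inside."""

    def __init__(self, port_filter, access_list):
        # port_filter: {server IP: set of destination ports open to outside hosts}
        self.port_filter = {ip_address(ip): ports for ip, ports in port_filter.items()}
        # access_list: list of (action, source network, destination network); first match wins.
        # Assumption: unlisted traffic is permitted, as in the Network A/B/C diagram
        # (a real Cisco ACL ends with an implicit deny instead).
        self.access_list = [(act, ip_network(s), ip_network(d)) for act, s, d in access_list]
        self.conversations = set()  # the firewall's database of known conversations

    def _acl_action(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for action, s_net, d_net in self.access_list:
            if src in s_net and dst in d_net:
                return action
        return "permit"

    def inspect(self, pkt, from_inside):
        """Return (verdict, reason). from_inside says which side the packet
        arrived on: H1 is inside, H2 and the server are outside."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if from_inside:
            if self._acl_action(pkt) == "deny":
                return "drop", "access list denies this source/destination pair"
            self.conversations.add(key)  # "I will add this conversation to my database"
            return "allow", "conversation added to database"
        # Inbound packet: is it the reply to a conversation we recorded?
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply_of in self.conversations:
            return "allow", "conversation is in database"
        # Unsolicited inbound traffic only reaches ports the port filter leaves open.
        if pkt.dport in self.port_filter.get(ip_address(pkt.dst), set()):
            return "allow", f"port {pkt.dport} is open on {pkt.dst}"
        return "drop", "conversation not in database and port is filtered"

def demo():
    """Replays the animation plus the port-filter and access-list diagrams (constructed addresses)."""
    fw = Firewall(
        port_filter={"192.168.1.20": {80}},                       # inside web server: only port 80
        access_list=[("deny", "192.168.1.0/24", "10.2.0.0/16")],  # Network A must not reach Network B
    )
    h1, web, server, h2 = "192.168.1.10", "192.168.1.20", "203.0.113.5", "198.51.100.7"
    steps = [
        (Packet(h1, server, 21, sport=50000), True),   # H1 -> server FTP request: recorded
        (Packet(server, h1, 50000, sport=21), False),  # server -> H1 reply: in database
        (Packet(h2, h1, 21, sport=50001), False),      # H2 -> H1 unsolicited: dropped
        (Packet(h2, web, 80), False),                  # outside -> web port 80: port filter allows
        (Packet(h2, web, 23), False),                  # outside -> Telnet port 23: port filter denies
        (Packet(h1, "10.2.0.9", 445), True),           # Network A -> Network B: access list denies
        (Packet(h1, "10.3.0.9", 445), True),           # Network A -> Network C: still allowed
    ]
    return [fw.inspect(pkt, inside)[0] for pkt, inside in steps]
```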
An intruder starts an attack on the target computer from the Internet. The IDS sensor detects the attack and sends an alert to the management station.

Diagram 3, Image
An IPS sensor sits between two routers. On the other side of the first router is the Internet, and on the far side of the second router is the target. The sensor is also connected to a switch that connects to the management station. When an attacker sends an attack through the Internet to the target computer, the sensor blocks the attack and sends an alert via the switch to the management station.

Diagram 4, Activity
Identify characteristics and features of IPS and IDS.
Which is a feature of an IDS solution?
* All network traffic must pass through an IDS device to enter the network.
* IDS detects malicious traffic through passive traffic monitoring.
* IDS prevents intrusions by blocking all malicious activity before it makes it into the network.
* IDS notifies the attacker that they are generating malicious traffic and will be blocked if it continues.
Which three statements about IPS solutions are true? (Choose three)
* IPS solutions actively block malicious activity by being in-band with the traffic.
* IPS solutions analyze only layer 7 of the OSI model to identify malicious activity.
* IPS solutions protect the network from worms, viruses, malicious applications, and vulnerability exploits.
* IPS solutions proactively protect against malicious activity.

8.2.4 - Wireless Security
Two Diagrams

Diagram 1, Image
MAC Filtering
A laptop wirelessly connects to a wireless router. The router says "Your MAC address is in the list. You are allowed to connect." Another laptop tries to wirelessly connect to the wireless router. The router says "Your MAC address isn't in the list. You are not allowed to connect."
WEP
A laptop wirelessly connects to a wireless router. The router says "Your WEP key does match. You are allowed to connect." Another laptop tries to wirelessly connect to the wireless router.
The router says "Your WEP key does not match. You are not allowed to connect."
WPA/WPA2
A laptop wirelessly connects to a wireless router. The router says "Your WPA key does match. You are allowed to connect." Another laptop tries to wirelessly connect to the wireless router. The router says "Your WPA key does not match. You are not allowed to connect." A third laptop tries to wirelessly connect to the wireless router. The router says "Your WPA key has expired. You are not allowed to connect."

Diagram 2, Packet Tracer Exploration

8.2.5 - Host Security
Four Diagrams

Diagram 1, Image
A secure router is connected to a secure switch, which is connected to a host that has a host-based firewall. The secure switch is also connected to a secure server that also has a host-based firewall.

Diagram 2, Image
The diagram depicts a hacker attempting to connect, via the Internet, to a server that has a host-based firewall.
Known Attacks
A hacker attacks a server with a host-based firewall via the Internet using a known attack. The host-based firewall says "I recognize that. You are blocked." Protect servers from many known attacks by specifically blocking traffic on ports known to be associated with malicious activity.
Exploitable Services
A hacker attacks a server with a host-based firewall via the Internet using an attack on a web service. The host-based firewall says "You aren't permitted on that port. You are blocked." Protect exploitable services running on servers by preventing access to the ports that the service is using.
Worms and Viruses
A hacker attacks a server with a host-based firewall via the Internet using the Blaster worm. The host-based firewall says "I've detected a worm and will remove it!" This prevents the malware from accessing servers over the network and can also help prevent the spread of worms and viruses by controlling outbound traffic that originates from a server.
Back Doors and Trojans
A hacker attacks a server with a host-based firewall via the Internet using a Trojan client that tries to connect to the server. The host-based firewall says "I am detecting a connection to an unauthorized service and will deny it." Prevent the back door or Trojan from sending a message by limiting outbound network access, or prevent the attacker from connecting to the service created by the software.

Diagram 3, Image
Image of a PC with a large "virus alert" in red on the screen.

Diagram 4, Hands-on Lab

8.3 - Monitoring and Managing the ISP

8.3.1 - Service Level Agreements
Two Diagrams

Diagram 1, Image
Service Level Agreement
Service Description
* Defines the range of services that an ISP will provide.
* Includes the service amount or service volume and the times when the service is and is not covered by the SLA.
Availability, Performance and Reliability
* Availability - hours and days per month per year that the service is available.
* Performance - a measure of service capability expectations during peak data volumes.
* Reliability - a measure of how fast an ISP can respond to unexpected events that cause the service to stop.
Tracking and Reporting
* Defines how often reports, such as performance reports, will be provided to the customer.
* Includes a written explanation of what level of network service users are experiencing.
Problem Management
* Defines the process that will be used to handle and resolve unplanned incidents.
* Defines what the different problem levels are and who should be called for each problem level.
Security
* Defines which security measures are the ISP's responsibility versus the customer's responsibility.
* Determines how the network services that the ISP offers fit within the security policies of the customer and the ISP.
Termination
* Defines the termination agreement and costs if services are terminated early. Typically SLAs are renegotiated annually and coincide with the budget cycle of the customer.
Penalties for Service Outages
* Describes the penalties for a network service failure. This is especially important if the ISP is providing services critical for business operation.
Costs
* Describes the charges to the customer by defining services rather than equipment. The ISP is able to cost out the services needed and the customer only pays for the services they use.

Diagram 3, Hands-on Lab

8.3.2 - Monitoring Network Link Performance
Two Diagrams

Diagram 1, Image
The ISP connects to a gateway router, which connects to a switch that then connects to several servers and hosts on a subnet. When the management station is connected as one of the hosts within the subnet, it is In-Band: monitoring and managing network devices while on the network. When the management station is connected directly to the gateway device, it is Out-of-Band: monitoring and managing network devices while consoled into the router.

Diagram 2, Hands-on Lab

8.3.3 - Selecting In-Band and Out-of-Band Tools
Three Diagrams

Diagram 1, Image
A network cloud is connected via a serial link to a gateway router labeled Management agent and router MIB. The gateway router is connected to a switch labeled Management Agent and Switch MIB. The switch is connected to a subnet with several hosts and servers. One of the servers is labeled Central MIB; one of the hosts is labeled Management station, Network Management Protocol.

Diagram 2, Animation
The animation shows a small network connected to the Internet with a web server running an SNMP agent at address 192.168.1.10, a server labeled Central MIB, and an SNMP management station at address 192.168.1.5. A user calls reporting a problem. The man sitting at the SNMP management station says "My customer called and their web server is really slow!" The management station sends a request to the agent for connection statistics and includes the community string (get 192.168.1.10 2#B719).
The man sitting at the SNMP management station says "How many users are on their web server?" The web server with the agent says "Does my community string match 2#B719? Is 192.168.1.5 an IP address I know? Yes." The agent has verified the community string and IP address. The agent sends the statistics for the number of connections. The man sitting at the management station thinks "10,000 users? No wonder this web server is slow."

Diagram 3, Image
A network technician uses a management station to view Syslog messages stored on a Syslog server. The Syslog messages come from routers, Internet-based systems, and switches. These clients send messages to the Syslog server. A pop-up window shows a graphic of a query type and query results.

8.4 - Backups and Disaster Recovery

8.4.1 - Backup Media
Four Diagrams

Diagram 1, Image
Hardware Failure
As hardware ages, the probability of hardware failure and other loss increases. Hardware failure usually means a lot of lost data. Recovering from hardware failure requires replacing the failed hardware and restoring all the data from a current backup.
User Error
User error includes accidentally overwriting a file, deleting an important file, editing a file incorrectly, or deleting important information within a file. This type of data loss often has a higher impact on the user than on the company. The company will typically lose productivity time while the user recreates or retrieves the lost data. With user error, generally a specific file or folder must be retrieved from a backup source.
Theft
Thieves target laptops, memory sticks, CDs and DVDs, tapes, and other data storage devices. When taking company data off site, create backup copies of all data. Keep careful track of portable data sources. It is also a good idea to encrypt all data on portable devices so that it is of no use to the thief.
Malicious Activity
Viruses and hackers can destroy data. Some viruses target specific types of file to corrupt.
Some viruses can affect the hard drive that the data is stored on and cause the drive to become inaccessible. Additionally, hackers can manipulate data, for example by defacing a website to gain exposure.
Operating System Failure
A bad patch or driver update could result in serious operating system failure, preventing access to needed data. With backed-up operating system files, the operating system can often be restored to a functional level. However, a reinstallation may be necessary, and possibly a full restore of all the missing data.

Diagram 2, Image
Images of various types of backup media.

Diagram 3, Image
Image of tape backup and optical disk backup media.

Diagram 4, Image
Image of hard disk backup and solid state backup media.

8.4.2 - Methods of File Backup
Three Diagrams

Diagram 1, Image
Normal Backup
A full backup is completed daily.
Differential Backup
Only files changed since the last full backup are backed up.
Incremental Backup
Only files changed since the last incremental backup are backed up.

Diagram 2, Image
Swap Media: image of a backup room that uses swap media.
Review Backup Logs: screenshot of backup logs.
Perform Trial Restores: screenshot of a restore backup screen.
Perform Drive Maintenance: screenshot of several windows, including a defrag window and the disk cleanup utility.

Diagram 3, Hands-on Lab

8.4.3 - Best Practices for Disaster Recovery
Four Diagrams

Diagram 1, Image
The image shows the network infrastructure of headquarters and how it directly translates to the layers of the network at the backup site.

Diagram 2, Image
Five small images representing a vulnerability assessment, risk assessment, management awareness, planning group, and prioritize.

Diagram 3, Image
Five small images representing a network design recovery strategy, inventory and documentation, verification, approval and implementation, and review.
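The three backup methods from 8.4.2 (normal, differential, incremental), together with the trial restore from its Diagram 2, worked through in Python on a constructed week of file changes so the volume-versus-restore trade-off is visible. This is an added example, not course material; the file names, dates and the Monday full backup are assumptions.

```python
from datetime import date

# Constructed change history for one working week: day -> files modified that day.
CHANGES = {
    date(2024, 6, 3): {"accounts.xls", "plan.doc", "site.html"},  # Monday: every file is new
    date(2024, 6, 4): {"plan.doc"},
    date(2024, 6, 5): {"site.html", "notes.txt"},
    date(2024, 6, 6): {"plan.doc"},
    date(2024, 6, 7): {"accounts.xls"},
}
FULL_DAY = min(CHANGES)  # assumption: the week starts with a full backup on Monday

def all_files(upto):
    """Every file that exists on disk at the end of `upto` (the model ignores deletions)."""
    return {f for day, files in CHANGES.items() if day <= upto for f in files}

def changed_since(since, upto):
    """Files modified after `since`, up to and including `upto`."""
    return {f for day, files in CHANGES.items() if since < day <= upto for f in files}

def backup_sets(method):
    """Files written to backup media each day under one of the 8.4.2 methods:
    'normal' (full every day), 'differential' or 'incremental'."""
    sets, previous = {}, None
    for day in sorted(CHANGES):
        if day == FULL_DAY or method == "normal":
            sets[day] = all_files(day)                 # full backup
        elif method == "differential":
            sets[day] = changed_since(FULL_DAY, day)   # changed since the last full backup
        elif method == "incremental":
            sets[day] = changed_since(previous, day)   # changed since the last backup of any kind
        else:
            raise ValueError(method)
        previous = day
    return sets

def media_needed_to_restore(method, day):
    """Backup sets that must be read, in order, to restore the system as of `day`."""
    if method == "normal" or day == FULL_DAY:
        return [day]
    if method == "differential":
        return [FULL_DAY, day]                          # last full backup plus the latest differential
    return [d for d in sorted(CHANGES) if d <= day]     # full backup plus every increment since

def weekly_volume(method):
    """Total file copies written during the week: the cost side of the trade-off."""
    return sum(len(files) for files in backup_sets(method).values())

def trial_restore(method, day):
    """The 'perform trial restores' practice: does replaying the media rebuild the disk?"""
    sets = backup_sets(method)
    restored = set()
    for d in media_needed_to_restore(method, day):
        restored |= sets[d]
    return restored == all_files(day)
```

Incremental backups write the least data (8 file copies for the week against 18 for daily full backups) but need all five sets to restore Friday, which is why the summary recommends combining the methods.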
Diagram 4, Activity
Match the disaster recovery planning step to the correct disaster recovery procedure:
A: Develop Resiliency Design and Recovery Strategy
B: Study
C: Establish Priorities for network and application
D: Approval
E: Implementation
F: Review
G: Establish a planning group
H: Prepare a current inventory and document of the plan
I: Management awareness
J: Perform risk assessments and audits
K: Develop verification criteria and procedures
1. Write a brief report that will assess how vulnerable the critical business processes and associated applications are to the most likely disasters.
2. An announcement is to be made of the disaster recovery project, which is being led by a senior management person.
3. Key people from each business unit gather together to provide regular monthly reports to senior management.
4. Create reports that analyze the risk and impact to the business of the top ten potential disasters.
5. Priorities should be based on the following levels: Mission Critical, Important, and Minor.
6. Develop a recovery strategy to cover how you would manage your network in each of the ten disaster scenarios.
7. Produce an inventory of all locations, devices, vendors, used services, and contract names.
8. Prove that your disaster recovery strategy works.
9. Obtain senior management approval for the plan.
10. Perform regular practices in which the whole company will have to participate.
11. Analyze how well your periodic drills have been implemented into the plan.

8.5 - Chapter Summary

8.5.1 - Summary
The summary consists of eight slides with the following information:

Slide 1
The image shows a screenshot of the My Documents Properties window, the Windows login, and the system properties window.
* Desktop security services for customers include: creating secure passwords, securing applications with patches and upgrades, removing unnecessary applications, performing security scans, and setting appropriate permissions on resources.
* When assigning permissions to files and folders, a security best practice is to apply permissions based on the principle of least privilege.

Slide 2
The image shows the authentication service verifying the username and password against its database of valid users.
* Authentication, authorization, and accounting (AAA) is a three-step process used to monitor and control access on a network. It requires a database to keep track of user credentials, permissions, and account statistics.
* Digital encryption is the process of encrypting data transmitted between clients and servers. Many protocols offer secure versions.
* As a best practice, use the secure version of a protocol whenever the data being exchanged is meant to be confidential.

Slide 3
The image shows a denial of service attack and port filtering.
* There are many security threats, including DoS, DDoS, and DRDoS attacks.
* Port filters and access lists are used to help protect against security threats.
* Port filtering can restrict or allow traffic based on TCP or UDP port.
* Access lists define traffic that is permitted or denied based on IP addresses as well as

Slide 4
The image shows the difference between an intrusion detection system and an intrusion prevention system.
* A firewall is network hardware or software that defines what traffic can come into and go out of sections of the network.
* IDS is a software- or hardware-based solution that passively listens to network traffic. It does not stop the initial traffic from passing through to the destination.
* IPS is an active physical device or software feature. Traffic actually passes through IPS interfaces, and the IPS can block all suspicious activity in real time.
* A host-based firewall and Anti-X software run directly on a host operating system and protect the host from malicious attacks that might have made it through all other layers of defense.

Slide 5
The image shows in-band monitoring and managing of network devices while on the network.
* A service level agreement (SLA) is an agreement between a service provider and a service user that clearly documents the expectations and obligations.
* ISPs monitor and check connectivity of devices. They accomplish this through in-band or out-of-band management. In-band management is preferred for managing servers accessible on the network.

Slide 6
The image shows an SNMP management station monitoring a web server with SNMP.
* A service level agreement (SLA) is an agreement between a service provider and a service user that clearly documents the expectations and obligations.
* ISPs monitor and check connectivity of devices. They accomplish this through in-band or out-of-band management. In-band management is preferred for managing servers accessible on the network.

Slide 7
Images of different types of backup media.
* There are several backup solutions available, including tape, optical, hard disk, and solid state media.
* There are also three methods of backing up data: full backup, differential backup, and incremental backup. A combination of all three backup methods is generally recommended.

Slide 8
The image shows a diagram of the headquarters network and how it directly relates to a diagram of the backup site.
* A disaster recovery plan is a comprehensive document that describes how to restore operations quickly and keep a business running during or after a disaster occurs.
* When creating a disaster recovery plan, assess the vulnerabilities, assess the risk, ensure management awareness, establish a planning group, and prioritize needs.