Business Data Networks and Security, Chapter 4 (Panko and Panko, 10th Edition, Global Edition)
Welcome to the Cloud
Network and Security Management
Chapter 4
Panko and Panko, Business Data Networks and Security, 10th Edition, Global Edition
Copyright 2015 Pearson Education, Ltd.

Security is a Process, not a Product
- Fazio Engineering Services
  - Contractor with weak security
  - Fell for a spear phishing attack, giving access to the vendor server
  - Fazio used a free antivirus program not meant for corporations
  - Did not warn for individual messages

Failures in the Target Breach
- Was able to move to sensitive servers
  - Should not have been able to
- Ignored explicit warnings
  - Priority warning from the FireEye IDS service
  - November 30, December 1, December 3
  - Exfiltration began on December 2
  - If Target had stopped the attack then, damage would have been minimal or nonexistent

Failures in the Target Breach
- For a weapon to succeed, a number of steps must go correctly
- This is called the kill chain
- Security attacks also have kill chains
- Companies must look for evidence of kill chain patterns and end the chain before the end
- Target did not

Kill Chain Analysis

Kill Chain (Figure 3.1)
4.1 Network Demand and Budgets
- User demand is growing much faster than network budgets.
- Cost efficiency is always critical.

4.2 Quality-of-Service (QoS) Metrics
- 1 ms = 0.001 sec
- Rated Speed
  - The speed a system should achieve
  - According to vendor claims or to the standard that defines the technology
- Throughput
  - The data transmission speed a system actually provides to users

4.3 Rated Speed, Throughput, Aggregate Throughput, and Individual Throughput
- Aggregate versus Rated Throughput on Shared Lines
  - The aggregate throughput is the total throughput available to all users in part of a network
- Individual Throughput
  - The individual throughput is an individual's share of the aggregate throughput

4.3 Rated Speed, Throughput, Aggregate Throughput, and Individual Throughput
- You are in a Wi-Fi hot spot with 20 other people. The access point router is rated as following the 802.11ac standard with options providing 300 Mbps. Throughput is about 50%. At a certain moment, you and four others are sending and receiving. What individual throughput are you likely to receive?

Speed Knowledge Check

CNET News: Steve Jobs' demo fail
https://www.youtube.com/watch?v=znxQOPFg2mo
4.4 Jitter
- Jitter is variability in latency
- Makes voice and video seem jittery
- Engineering networks to reduce jitter can be expensive
- Service Level Agreements (SLAs)
  - Guarantees for performance
  - Penalties if the network does not meet its service metrics guarantees

4.5 Service Level Agreements (SLAs)
- Guarantees specify worst cases (no worse than)
  - Lowest speed (e.g., no worse than 1 Mbps)
  - Maximum latency (e.g., no more than 125 ms)
- SLAs are like insurance policies

4.5 Service Level Agreements (SLAs)
- Often written on a percentage basis
  - No worse than 100 Mbps 99.5% of the time
- Percentages below 100% are used because, as the percentage increases, additional engineering raises network costs
- 100% compliance would be prohibitively expensive

4.5 Service Level Agreements (SLAs)
- Residential services are rarely sold with SLA guarantees
  - It would be expensive to engineer the network for high-percentage guarantees for residential customers
  - This would make prices unacceptable
- Businesses require high-percentage guarantees and so are willing to pay higher prices

4.6 Two-Site Traffic Analysis
- Network design is based on speed requirements
- These may be different in the two directions
- Most transmission lines are symmetric in speed
- In such cases, the higher speed requirement dictates the line speed

4.7 Three-Site Traffic Analysis
- There are three sites connected by two links
4.7 Three-Site Traffic Analysis
- Link QR must carry the traffic flowing between Q and R and the traffic flowing between R and S
4.8 Three-Site Traffic Analysis with Redundancy
- Each pair of sites is connected
- Lines only carry traffic between site pairs

4.8 Three-Site Traffic Analysis with Redundancy
- How can traffic get from Q to R?
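The sizing rule from 4.6 to 4.8 (each direction's traffic is summed over the lines on its path, and because lines are symmetric the busier direction dictates the line speed) as an added worked example. This is not code from the textbook or the slides; the Mbps figures are constructed, the site names Q, R and S and the two designs (lines QR and QS with Q in the middle; a line for every pair) come from the slides, and the rerouting of a failed line's traffic through the third site is an assumption added to answer the "How can traffic get from Q to R?" question.

```python
"""Sizing symmetric lines from a directed traffic matrix (added example)."""

# Constructed peak traffic in Mbps, keyed (source, destination).
# The numbers are illustrative, not the textbook's figures.
DEMAND = {
    ("Q", "R"): 40, ("R", "Q"): 10,
    ("Q", "S"): 25, ("S", "Q"): 60,
    ("R", "S"): 15, ("S", "R"): 30,
}

# Two-link design (4.7): only lines QR and QS exist, so R-S traffic has
# to pass through Q and is carried by both lines.
TWO_LINK_PATHS = {
    ("Q", "R"): ["Q", "R"], ("R", "Q"): ["R", "Q"],
    ("Q", "S"): ["Q", "S"], ("S", "Q"): ["S", "Q"],
    ("R", "S"): ["R", "Q", "S"], ("S", "R"): ["S", "Q", "R"],
}

# Redundant design (4.8): every pair of sites has its own line, and each
# line normally carries only its own pair's traffic.
MESH_PATHS = {(a, b): [a, b] for (a, b) in DEMAND}


def link_name(a, b):
    """Lines are undirected, so 'RQ' and 'QR' are the same line."""
    return "".join(sorted((a, b)))


def link_loads(demand, paths):
    """Traffic each line carries in each direction: {line: {(from, to): Mbps}}."""
    loads = {}
    for pair, mbps in demand.items():
        hops = paths[pair]
        for a, b in zip(hops, hops[1:]):
            per_direction = loads.setdefault(link_name(a, b), {})
            per_direction[(a, b)] = per_direction.get((a, b), 0) + mbps
    return loads


def required_line_speeds(demand, paths):
    """Lines are symmetric, so the busier direction dictates each line's speed (4.6)."""
    return {line: max(directions.values())
            for line, directions in link_loads(demand, paths).items()}


def paths_after_failure(paths, failed_line, sites=("Q", "R", "S")):
    """Assumption, not stated on the slides: when a line of the redundant
    (full-mesh) design fails, its pair's traffic is rerouted through the
    third site. Answers "How can traffic get from Q to R?" when QR is down."""
    rerouted = {}
    for (src, dst), hops in paths.items():
        if any(link_name(a, b) == failed_line for a, b in zip(hops, hops[1:])):
            (via,) = [s for s in sites if s not in (src, dst)]
            rerouted[(src, dst)] = [src, via, dst]
        else:
            rerouted[(src, dst)] = hops
    return rerouted


if __name__ == "__main__":
    print("two links:", required_line_speeds(DEMAND, TWO_LINK_PATHS))
    print("full mesh:", required_line_speeds(DEMAND, MESH_PATHS))
    print("mesh, QR down:",
          required_line_speeds(DEMAND, paths_after_failure(MESH_PATHS, "QR")))
```

With these constructed demands the two-link design needs a 70 Mbps line QR and a 90 Mbps line QS, because R-S traffic rides on both. The full mesh needs only 40, 60 and 30 Mbps per line in normal operation, but if line QR fails the rerouted Q-R traffic pushes both surviving lines to 70 Mbps; a redundant design sized only for normal loads does not survive the failure it was bought for.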
4.9 Addressing Momentary Traffic Peaks
- Normally, network capacity is higher than the traffic.
- Sometimes, however, there will be momentary traffic peaks above the network's capacity, usually for a fraction of a second to a few seconds.

4.9 Addressing Momentary Traffic Peaks
- Congestion causes latency because switches and routers must store frames and packets while waiting to send them out again.
- Buffers are limited, so some packets may be lost.
4.9 Addressing Momentary Traffic Peaks
- Overprovisioning is providing far more capacity than the network normally needs.
- This avoids nearly all momentary traffic peaks.
- Wasteful of transmission line capacity.

4.9 Addressing Momentary Traffic Peaks
- With priority, latency-intolerant traffic, such as voice, is given high priority and will go first.
- Latency-tolerant traffic, such as e-mail, must wait.
- More efficient than overprovisioning; also more labor-intensive.
4.9 Addressing Momentary Traffic Peaks
- QoS guarantees reserved capacity for some traffic, so this traffic always gets through.
- Other traffic, however, must fight for the remaining capacity.
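The three 4.9 mechanisms (buffering during a momentary peak, loss when the buffer fills, priority for latency-intolerant traffic, and overprovisioning) as an added toy model of one switch output port. This is not code from the textbook; the arrival pattern is constructed, one tick stands for one transmission interval, and the model assumes a single shared buffer that drops packets on arrival when full.

```python
"""Congestion, buffering and priority on one output line (added toy model)."""
from collections import deque

# Constructed arrival pattern, one entry per packet: (arrival tick, class).
# Voice (latency-intolerant) arrives steadily, one packet per tick;
# a burst of eight e-mail packets (latency-tolerant) lands at tick 1.
ARRIVALS = [(t, "voice") for t in range(8)] + [(1, "email")] * 8


def simulate(arrivals, policy, line_rate=2, buffer=6):
    """Model a switch output port through one momentary traffic peak.

    Each tick the line transmits up to `line_rate` packets; packets that
    cannot go yet wait in a shared buffer holding at most `buffer` packets
    and are dropped on arrival when it is full.
    policy "fifo": one first-come, first-served queue.
    policy "priority": waiting voice is always sent before waiting e-mail.
    Returns the worst queueing delay seen per class and the drop counts.
    """
    classes = ("voice", "email")
    queues = ({c: deque() for c in classes} if policy == "priority"
              else {"all": deque()})
    max_latency = {c: 0 for c in classes}
    dropped = {c: 0 for c in classes}
    last_tick = max(t for t, _ in arrivals)

    # The buffer drains at least one packet per tick, so this many ticks
    # always empties it after the last arrival.
    for tick in range(last_tick + buffer + 2):
        for t, cls in arrivals:
            if t != tick:
                continue
            if sum(len(q) for q in queues.values()) >= buffer:
                dropped[cls] += 1          # buffer full: the packet is lost
                continue
            queues[cls if policy == "priority" else "all"].append((tick, cls))
        sent = 0
        # Service order: voice queue first under priority, else the single queue.
        for key in (classes if policy == "priority" else ("all",)):
            while sent < line_rate and queues[key]:
                arrived, cls = queues[key].popleft()
                max_latency[cls] = max(max_latency[cls], tick - arrived)
                sent += 1
    return {"max_latency": max_latency, "dropped": dropped}


if __name__ == "__main__":
    print("FIFO:           ", simulate(ARRIVALS, "fifo"))
    print("priority:       ", simulate(ARRIVALS, "priority"))
    print("overprovisioned:", simulate(ARRIVALS, "fifo", line_rate=9, buffer=9))
```

Under FIFO the e-mail burst delays voice by up to two ticks; under priority voice waits zero ticks while e-mail waits up to four, and both policies drop the same three e-mail packets because the buffer, not the scheduler, decides loss. Overprovisioning the line (and buffer) removes both the delay and the loss at the cost of capacity that sits idle outside the peak. Priority also does not protect voice from loss when the shared buffer is already full of lower-priority traffic, which is what the reserved capacity of a QoS guarantee addresses.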
4.10 Threat Environment
- You cannot defend yourself unless you know the threat environment you face.

4.10 Plan-Protect-Respond
- Companies defend themselves with a process called the Plan-Protect-Respond Cycle.

4.10 Planning
- The Plan-Protect-Respond Cycle starts with Planning.
- We will look at important planning principles.

4.10 Protecting
- Companies spend most of their security effort on the protection phase, in which they apply planned protections on a daily basis.
- We covered this phase in Chapter 3.

4.10 Response
- Even with great planning and protection, incidents will happen, and a company must have a well-rehearsed plan for responding to them.

Security Is a Management Issue, Not a Technology Issue
- Without good management, technology cannot be effective
- A company must have good security processes

4.11 Security Planning Principles
- Risk analysis
- Comprehensive security
- Defense in depth
- Weakest link analysis
- Single points of takeover
- Least permissions in access control

4.11 Security Planning Principles
- The goal is not to eliminate all risk
  - You would not pay a million dollars for a countermeasure to protect an asset costing ten dollars
- You should reduce risk to the degree that it is economically reasonable
- You must compare countermeasure benefits with countermeasure costs

4.11 Risk Analysis

4.12: Risk Analysis Calculation

                                           Countermeasure
                                           None          A
Damage per successful attack               $1,000,000    $500,000
Annual probability of a successful attack  20%           20%
Annual probability of damage               $200,000      $100,000
Annual cost of countermeasure              $0            $20,000
Net annual probable outlay                 $200,000      $120,000
Annual value of countermeasure                           $80,000
Adopt the countermeasure?                                Yes

Countermeasure A cuts the damage per successful attack in half, but does not change the annual probability of occurrence.
Countermeasure A will have a net savings of $80,000 per year.
3.10 Risk Analysis Calculation

                                           Countermeasure
                                           None          B
Damage per successful attack               $1,000,000    $1,000,000
Annual probability of a successful attack  20%           15%
Annual probability of damage               $200,000      $150,000
Annual cost of countermeasure              $0            $60,000
Net annual probable outlay                 $200,000      $210,000
Annual value of countermeasure                           -$10,000
Adopt the countermeasure?                                No

Countermeasure B cuts the frequency of occurrence in half, but does not change the damage per occurrence.
This time, the countermea
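The arithmetic behind the two risk analysis tables, as an added worked example rather than code from the textbook. The figures for "None", countermeasure A and countermeasure B are the slides' own; the break-even cost function goes one step beyond the slides (it is an assumption added here) and reports the highest annual cost at which a countermeasure would still pay for itself.

```python
"""Risk analysis arithmetic behind the countermeasure tables (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One column of the risk analysis table."""
    damage_per_attack: float    # dollars lost per successful attack
    annual_probability: float   # probability of a successful attack in a year
    annual_cost: float = 0.0    # yearly cost of the countermeasure ($0 for "None")

    @property
    def annual_probable_damage(self) -> float:
        # The table's "Annual probability of damage" row: damage x probability.
        return self.damage_per_attack * self.annual_probability

    @property
    def net_annual_probable_outlay(self) -> float:
        # Expected loss plus what the countermeasure itself costs each year.
        return self.annual_probable_damage + self.annual_cost


def annual_value(baseline: Scenario, countermeasure: Scenario) -> float:
    """Yearly saving versus doing nothing; negative means it costs more than it saves."""
    return baseline.net_annual_probable_outlay - countermeasure.net_annual_probable_outlay


def adopt(baseline: Scenario, countermeasure: Scenario) -> bool:
    """Adopt only when the countermeasure has positive annual value."""
    return annual_value(baseline, countermeasure) > 0


def break_even_cost(baseline: Scenario, countermeasure: Scenario) -> float:
    """Assumption added here, not on the slides: the highest annual cost at
    which the countermeasure still has non-negative annual value."""
    return baseline.net_annual_probable_outlay - countermeasure.annual_probable_damage


# Figures from the slides: no countermeasure, A (halves damage per attack),
# B (lowers the annual probability of a successful attack).
NONE = Scenario(damage_per_attack=1_000_000, annual_probability=0.20)
A = Scenario(damage_per_attack=500_000, annual_probability=0.20, annual_cost=20_000)
B = Scenario(damage_per_attack=1_000_000, annual_probability=0.15, annual_cost=60_000)


if __name__ == "__main__":
    for name, cm in (("A", A), ("B", B)):
        print(f"Countermeasure {name}: annual value ${annual_value(NONE, cm):,.0f}, "
              f"adopt={adopt(NONE, cm)}, break-even cost ${break_even_cost(NONE, cm):,.0f}")
```

Run as a script it reproduces the tables: A is worth $80,000 a year and is adopted; B is worth -$10,000 and is rejected. The break-even figures show why: A would still pay off at any annual cost up to $100,000, while B stops paying off above $50,000 and costs $60,000.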