Data Centre Security Lecture 16 March
The design of security in the Data Center requires understanding the security
threats, the attacks, and the technology to counter them.
You can use such tools as ACLs, firewalls, IDSs, and security features on switches
and routers to mitigate the effects of attacks against servers and network devices.
Designing the Data Center requires configuring the appropriate ciphers on SSL
and IPSec devices, generating and installing certificates, and enabling HMAC on
routers—all of which require an understanding of the key concepts of
cryptography, AAA, and VPNs.
Creating security policies, secure management, and incident response and attack
mitigation are as important as understanding the technology. The last part of this
chapter described the key considerations for creating a Data Center security
framework.
Data Centers are key components of enterprise networks. The Data Center houses
the enterprise applications and data, hence the need for proper security. Losing
data and applications can impact the organization’s ability to conduct business.
a. Threat—An event that poses some harm to the Data Center or its resources
Threats
Data Centers are vulnerable to threats that affect the rest of the enterprise network
and to threats that are specific to the Data Center.
The following are some of the most common threats to Data Centers:
• DoS
• Identity theft
Vulnerabilities
Most of the vulnerabilities found today originated in at least one of the following
areas:
Common Attacks
Scanning or Probing
Rather than an attack in itself, this activity precedes an attack: its purpose is to
discover information about a system or network that can later be used to gain access.
This reconnaissance activity is usually the prelude to a more severe security incident.
The term probe refers to an individual attempt, whereas a scan consists of a large
number of probes by an automated tool.
DoS
The goal of a DoS attack is to degrade service to the point that legitimate users are
unable to conduct their regular activities. DoS attacks can take many different
forms, but the most common case consists of generating large volumes of data to
deliberately consume limited resources such as bandwidth, CPU cycles, and
memory blocks.
A DoS attack can also consist of generating a single malformed packet that
exploits a flaw in an application or protocol stack. Ping of death (PoD) is a good
example. PoD sends an ICMP echo packet that exceeds the maximum permitted
packet size. Some old TCP/IP stacks did not verify the size of the reassembled
packet and ended up allocating more memory than needed, which eventually
crashed the system.
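The check that the vulnerable stacks lacked, as an added example (not code from the lecture or from any real TCP/IP stack; the Reassembler class and validate_fragment function are illustrative names). Fragment offsets are in 8-byte units, so the reassembler computes where each fragment would end and refuses it before growing the buffer:

```python
# Added example: size validation a fragment reassembler must do before allocating.
# Names (Reassembler, validate_fragment, is_legal_fragment) are illustrative only.
MAX_IP_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field


class MalformedDatagram(ValueError):
    """Raised when a fragment would push the reassembled datagram past 65535 bytes."""


def validate_fragment(offset_units: int, payload_len: int) -> int:
    """Return the byte position just past this fragment's data, or raise.

    The fragment offset is carried in 8-byte units, so the data ends at
    offset_units * 8 + payload_len.  A stack that skips this check sizes its
    buffer from the header and then copies more than fits (the PoD failure).
    """
    end = offset_units * 8 + payload_len
    if end > MAX_IP_DATAGRAM:
        raise MalformedDatagram(f"fragment ends at byte {end} > {MAX_IP_DATAGRAM}")
    return end


def is_legal_fragment(offset_units: int, payload_len: int) -> bool:
    """Boolean wrapper around validate_fragment for callers that just want yes/no."""
    try:
        validate_fragment(offset_units, payload_len)
        return True
    except MalformedDatagram:
        return False


class Reassembler:
    """Minimal reassembler for one datagram; assumes non-overlapping fragments."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.total_len = None    # known once the last fragment (MF=0) arrives
        self.received = 0        # payload bytes accepted so far

    def add(self, offset_units: int, more_fragments: bool, payload: bytes) -> bool:
        """Store one fragment; return True once the datagram is complete."""
        end = validate_fragment(offset_units, len(payload))  # reject BEFORE allocating
        if end > len(self.buf):
            self.buf.extend(bytes(end - len(self.buf)))
        self.buf[offset_units * 8:end] = payload
        self.received += len(payload)
        if not more_fragments:
            self.total_len = end
        return self.total_len is not None and self.received >= self.total_len
```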
In Data Centers, most DoS attacks target server farms primarily by sending the
servers large volumes of traffic. A large volume of traffic over the network could
lead to network congestion, which is an indirect result of the DoS attack.
DDoS
Unauthorized Access
Unauthorized access consists of gaining access to restricted resources by using a
valid account or a backdoor. An account compromise is a type of unauthorized
access where someone other than the account owner uses the privileges associated
with the compromised account.
Trust Exploitation
These attacks exploit the trust relationships that computer systems have to
communicate. Communications in networked environments are always based on
trust. For example, when a web server communicates with a back-end database, a
trust relationship exists between the two systems. If an attacker can forge his or
her identity so that traffic appears to come from the web server, he or she can gain
unauthorized access to the database. Figure 5-3 displays a trust-exploitation
situation.
Session Hijacking
Session hijacking consists of stealing a legitimate session established between a
target and a trusted host. The attacker intercepts the session and makes the target
believe it is communicating with the trusted host.
Layer 2 Attacks
Layer 2 attacks exploit the vulnerabilities of data link layer protocols and their
implementations on Layer 2 switching platforms. One of the characteristics of
Layer 2 attacks is that the attacker must be connected to the same LAN as the
victims.
Address Resolution Protocol (ARP) spoofing and MAC flooding are examples of
attacks that fall into this category:
• ARP spoofing—An attack in which the attacker forges the identity of a trusted
system by spoofing the system’s IP address.
The network security infrastructure includes the security tools used in the Data
Center to enforce security policies. The tools include packet-filtering technologies
such as ACLs and firewalls, and intrusion detection systems (IDSs), both network-
based and host-based. The following sections discuss these security tools.
ACLs
ACLs are filtering mechanisms explicitly defined based on packet header
information to permit or deny traffic on specific interfaces. An ACL is typically
set up as a list whose entries are applied sequentially to each packet until a match
is found. Once the match is found, the associated permit or deny operation is
applied, and no later entry is consulted.
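First-match evaluation, the implicit deny at the end of the list, and the ordering mistake it makes possible (an entry that an earlier, broader entry makes unreachable), as an added example that is not code from the lecture. The ACL is constructed for a hypothetical web farm in the 192.0.2.0/24 documentation range; the entry fields mirror an extended ACL but the evaluator is a simplification, not any vendor's implementation:

```python
# Added example: first-match ACL evaluation with implicit deny and shadow detection.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                      # source prefix, CIDR notation
    dst: str                      # destination prefix, CIDR notation
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def entry_matches(e: AclEntry, p: Packet) -> bool:
    """True when every field of the entry covers the packet's header."""
    return ((e.proto == "ip" or e.proto == p.proto)
            and ip_address(p.src) in ip_network(e.src)
            and ip_address(p.dst) in ip_network(e.dst)
            and (e.dport is None or e.dport == p.dport))


def evaluate_acl(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list in order; the first match decides. No match = implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


def covers(a: AclEntry, b: AclEntry) -> bool:
    """True when every packet b could match is already matched by a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indices of entries an earlier entry makes unreachable (a common audit finding)."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


WEB_FARM_ACL = [   # constructed: only HTTP/HTTPS from the campus to the web farm
    AclEntry("permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", 80),
    AclEntry("permit", "tcp", "10.0.0.0/8", "192.0.2.0/24", 443),
    AclEntry("deny", "ip", "0.0.0.0/0", "192.0.2.0/24"),
    AclEntry("permit", "tcp", "10.1.1.0/24", "192.0.2.0/24", 22),  # never reached
]
```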
Firewalls
A firewall is a sophisticated filtering device that separates LAN segments, giving
each segment a different security level and establishing a security perimeter that
controls the traffic flow between segments. Firewalls are typically deployed in
strategic locations and commonly work as the only pass-through point to sensitive
resources. For example, firewalls are most commonly deployed at the Internet
Edge, where they act as the boundary to the internal networks.
Firewalls fall into four types:
• Packet-filtering firewalls
• Proxy firewalls
• Stateful firewalls
• Hybrid firewalls
Packet-Filtering Firewalls
Packet-filtering firewalls, often referred to as screening routers, are network
devices that filter packets based on header information. A router configured
with ACLs is an example of this type of firewall. The capability to identify
different protocols and applications depends on the granularity of the filters.
For example, you can use extended ACLs to specify which TCP/UDP ports
are permitted or blocked.
Proxy Firewalls
Proxy firewalls, also known as application-level proxies, are application-specific
firewalls that are frequently implemented in software. These firewalls are specially
designed to protect applications associated with well-known ports and are
typically limited to SMTP, HTTP, Telnet, and FTP.
Stateful Firewalls
Stateful firewalls keep track of connection state and only permit packets that
match legitimate connections. IOS Firewall, PIX Firewall, and the Catalyst 6500
Firewall Services Module are examples of stateful firewalls.
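What "match legitimate connections" buys over header-only filtering, as an added example that is not code from the lecture and not any of the products named above. The stateful filter records TCP connections the inside opens and admits inbound segments only for those; beside it is the weaker check a packet filter can do, accepting any inbound segment with the ACK flag set. The TcpPacket fields and the single-FIN teardown are simplifications:

```python
# Added example: stateful connection tracking versus an ACK-flag-only check.
from dataclasses import dataclass
from typing import Set, Tuple

Conn = Tuple[str, int, str, int]   # (inside_ip, inside_port, outside_ip, outside_port)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # letters from "SAFR": SYN, ACK, FIN, RST
    inbound: bool    # True when it arrives on the outside (untrusted) interface


def established_keyword_check(p: TcpPacket) -> str:
    """Packet-filter approximation: any inbound segment with ACK set is let through."""
    if not p.inbound:
        return "permit"
    return "permit" if "A" in p.flags else "deny"


class StatefulFilter:
    """Tracks inside-initiated connections; inbound segments must match one."""

    def __init__(self) -> None:
        self.table: Set[Conn] = set()

    def handle(self, p: TcpPacket) -> str:
        if p.inbound:
            key: Conn = (p.dst, p.dport, p.src, p.sport)   # normalise to inside-first
            if key not in self.table:
                return "deny"                  # nothing inside asked for this
        else:
            key = (p.src, p.sport, p.dst, p.dport)
            if key not in self.table:
                if p.flags == "S":             # a new connection opened from inside
                    self.table.add(key)
                    return "permit"
                return "deny"                  # stray segment with no connection
        if "R" in p.flags or "F" in p.flags:   # teardown (simplified: one FIN/RST closes)
            self.table.discard(key)
        return "permit"
```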
Hybrid Firewalls
Hybrid firewalls combine the behavior of the previous types of firewalls, including
key features that make the firewalls more flexible and intelligent in dealing with
application traffic. The comprehensive feature set is the basis for the most
common types of firewalls.
IDS
IDSs are real-time systems that can detect intruders and suspicious activities and
report them to a monitoring system. They are configured to block or mitigate
intrusions in progress and eventually immunize the systems from future attacks.
IDSs have two fundamental components: