Topic 5 - Network Security

Network security is important as networks transfer business data and are targets for attackers. The OSI model is a framework for networking and security. Networks can be segmented using virtual local area networks (VLANs) for security zones. Network admission control (NAC) determines if devices can access networks based on security standards. Intrusion detection (IDS) monitors for malicious traffic and anomalies while firewalls filter network traffic based on rules.

Uploaded by s.l.mills86

ITI581 CYBER SECURITY FUNDAMENTALS

Topic 5
Network Security
Topic Reading

• Chapter 12: Network Security.

• Interact content.

Importance of Networks

• Networks are the core of our digital environments.
• They provide the transfer of data that drives business functions.
• As such they are a key target for would-be attackers, criminals or competitors.

Key Concepts

The OSI Model

• The OSI model is a vital concept within data networking and security that you must come to terms with.
• It is a framework upon which all data communications are built.
• It allows any vendor product, software or hardware, to communicate with any other vendor product.
• Understanding it greatly assists with troubleshooting.

OSI Model

Reference model
• Framework.
• Software & hardware.
• Reading on Interact (p.471 of text).

Segmentation

• Division of a network into logical or physical groupings.

• Can be based on:
  – Trust boundaries.
  – Functional requirements.
  – Other criteria, depending on importance to the business.

• Typically driven using Virtual Local Area Networks (VLANs):
  – A Layer 2 construct implemented by switches.
  – Divides the network into broadcast domains from a traffic perspective.

Segmentation

• Can also be derived from function:
  – Demilitarized Zone (DMZ) – segments of a network that are accessible to lower trust entities such as external, Internet-located devices/users.
  – Intranets – segments of a network that are accessible only to higher trust entities such as internal devices/users.
  – Extranets – segments of a network providing access to external, but more trusted, devices/users such as partners or customers.

• These are still facilitated by VLANs in many cases.

Network Access (Admission) Control (NAC)

• Network segmentation divides networks into security zones but does not provision or manage access to those zones.

• NAC technologies decide if an incoming system/device/user should be permitted.

• NAC interrogates incoming devices to ascertain if they meet expected standards of security.
  – Can be done via an installed agent, or agentless via a browser.
  – If the device meets the expected standard it is admitted.
  – If standards are not met the requesting client is either denied outright or allocated to a remediation zone where the “standard” can be applied.

Network Access (Admission) Control (NAC)

• Installed agents typically have a greater ability to interrogate a device.

• Items validated may include:
  – Patch levels, security settings, AV versions, other settings.
  – Some systems also track user behaviour.

• NAC is therefore a useful tool for policy enforcement but is most useful at the initial stage of connection.

• Once a device is connected, other tools must be used to keep things secure.

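The admission flow described on these two NAC slides (interrogate the device, then admit, remediate or deny), as an added Python example that is not part of the course material; the policy thresholds, device records, posture field formats and the remediation VLAN id are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
REMEDIATION_VLAN = 999   # constructed quarantine VLAN id (not from the slides)

@dataclass
class Posture:
    """What the NAC agent (or an agentless browser check) reports about a device."""
    patch_level: int              # assumed monotonic OS build number
    av_version: str               # assumed "YYYY.MM.DD" AV signature date
    firewall_enabled: bool
    disk_encrypted: Optional[bool]   # None = not observable (agentless check)

@dataclass
class Policy:
    min_patch_level: int
    min_av_version: str
    require_firewall: bool = True
    require_disk_encryption: bool = True

REMEDIABLE = {"patch_level", "av_version"}   # failures fixable inside the remediation zone

def check_posture(p: Posture, pol: Policy) -> list:
    """Return the names of the failed checks; an empty list means compliant."""
    failures = []
    if p.patch_level < pol.min_patch_level:
        failures.append("patch_level")
    if p.av_version < pol.min_av_version:    # string order is date order for zero-padded dates
        failures.append("av_version")
    if pol.require_firewall and not p.firewall_enabled:
        failures.append("firewall")
    # The agentless path cannot see encryption state, so "unknown" fails closed.
    if pol.require_disk_encryption and p.disk_encrypted is not True:
        failures.append("disk_encryption")
    return failures

def admission_decision(p: Posture, pol: Policy) -> tuple:
    """ADMIT a compliant device; REMEDIATE (quarantine VLAN) when every failure can
    be fixed there; otherwise DENY outright."""
    failures = check_posture(p, pol)
    if not failures:
        return ("ADMIT", None)
    if set(failures) <= REMEDIABLE:
        return ("REMEDIATE", REMEDIATION_VLAN)
    return ("DENY", None)

if __name__ == "__main__":
    policy = Policy(min_patch_level=202403, min_av_version="2024.03.01")
    laptop = Posture(202403, "2024.03.15", True, True)      # compliant managed laptop
    stale = Posture(202311, "2024.02.01", True, True)       # behind on patches and AV
    guest = Posture(202403, "2024.03.15", True, None)       # agentless, encryption unknown
    for device in (laptop, stale, guest):
        print(admission_decision(device, policy))
```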
Port Protection

• Protecting your network from nefarious traffic is a tough task and can begin with securing the flow of traffic into physical/logical ports.

• Port Security is a technology that gives you the ability to limit the number of hosts that can connect to a port by limiting the incoming MAC addresses.

• Technology varies depending on vendor platform, but most port-security capabilities allow:
  – Dynamic locking by specifying a limit to the number of MAC addresses allowed.
  – Static locking by specifying the value of the MAC addresses allowed.
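Dynamic and static locking as just described, modelled in an added Python example (not from the slides or any vendor's implementation); the port names and MAC addresses are constructed, and the assumed violation action is simply to drop the frame and record the offending address.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """A switch port with port security. Static locking (a configured MAC set) takes
    precedence; otherwise dynamic locking learns up to max_macs source addresses."""
    name: str
    max_macs: int = 1                                    # dynamic locking limit
    static_macs: frozenset = frozenset()                 # static locking; empty = not used
    learned: set = field(default_factory=set)            # addresses learned so far
    violations: list = field(default_factory=list)       # offending source MACs, for logging

    def admit(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is allowed in on this port."""
        mac = src_mac.lower()
        if self.static_macs:
            ok = mac in self.static_macs    # static: only the configured addresses
        elif mac in self.learned:
            ok = True
        elif len(self.learned) < self.max_macs:
            self.learned.add(mac)           # learn a new address while under the limit
            ok = True
        else:
            ok = False                      # limit reached: a new MAC is a violation
        if not ok:
            self.violations.append(mac)
        return ok

def run_frames(port: SecurePort, src_macs: list) -> list:
    """Feed a sequence of frame source MACs through the port; return each decision."""
    return [port.admit(m) for m in src_macs]

if __name__ == "__main__":
    # Constructed MAC addresses for the demonstration.
    pc, phone, rogue = "00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"
    desk = SecurePort("port5", max_macs=2)               # PC daisy-chained through an IP phone
    print(run_frames(desk, [pc, phone, pc, rogue]))      # [True, True, True, False]
    printer = SecurePort("port7", static_macs=frozenset({"00:aa:bb:cc:dd:ee"}))
    print(run_frames(printer, ["00:AA:BB:CC:DD:EE", rogue]))   # [True, False]
    print(desk.violations, printer.violations)
```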
Port-Span, Port-Mirror

• These terms are interchangeable.

• They do not, in and of themselves, protect anything.

• The purpose is to copy or mirror traffic from a specified port/s or network segment to a security monitoring device such as an IDS or IPS.

• They can also be used for troubleshooting in conjunction with protocol analyzers.

Virtual Private Network (VPN)

• Creates a virtual network link across a public network (i.e. the Internet).
  – Connected hosts appear as if they are on the local network.
  – Security is achieved using encryption.

• IPSec VPNs operate at Layer 3 and require a client.
  – Tunnel mode: protects the whole packet.
  – Transport mode: only encrypts the payload.
  – Typically used for site-to-site VPNs or where traffic is not just web/application based.

• SSL (TLS) VPNs operate using a web browser portal, or in a tunnel mode similar to IPSec.

Virtual Private Network (VPN)

• Site-to-site (typically between sites and always active).

• Remote access (for mobile users and only active when required).

• VPNs can be implemented as split-tunnel or full-tunnel.
  – Full-tunnel – protects all traffic; more bandwidth required but more secure.
  – Split-tunnel – only protects specific traffic sent to the remote network; less bandwidth required but less secure.

Appliances and Security Tools

• There are many different ways in which appliances can be implemented.
  – Hardware, virtual, cloud, hybrid.
  – Chosen based on performance, manageability, expense, purpose.

• Many types of appliances serve a number of different functions:
  – Jump servers.
  – Load balancers.
  – Proxy servers.
  – Network Address Translation (NAT) gateways.
  – Content/URL filters.
  – Data Protection or Data Loss Protection (DLP).

Firewalls

• Used to set up traffic treatment profiles by filtering packets on some set criteria.

• Designed to prevent malicious packets from entering the network.

• Firewalls can be software-based or hardware-based.

Firewall Principles

• The foundation of a firewall is the rule base.
  – Establishes the traffic treatment profile.

• Traffic is evaluated using variations of the 5-tuple concept:
  – A 5-tuple is a set of five different values that comprise a connection.
    1. Source IP address.
    2. Source port number.
    3. Destination IP address.
    4. Destination port number.
    5. The protocol in use (TCP or UDP primarily).

Firewall Principles

Application Layer
• Able to decode and understand layer 7 protocols.
• Cannot decrypt traffic, so they fail for SSL and other encrypted applications (SSH, HTTPS).

Unified Threat Management (UTM)
• All-in-one wonder box.
  – Firewall, IDS/IDP, AV, web content filtering.
  – True layer 7…probably more even!

Firewall Necessities

Application awareness
• Layers 3 to 7.

Application fingerprinting
• Must be able to correctly identify applications flowing through them by traffic contents.

Granular application control
• Must identify & characterize application features in order to control those applications strictly.

QoS
• Based on the traffic priorities of the host network.

Core Functions

NAT
• Static, dynamic, PAT.
• Often debated as a valid security measure.

Audit & logging
• Preferably to a separate and secure management system.
• Can consume vast quantities of disk space.

What else can Firewalls do?

Malware blocking
• Detection, stopping, logging.

AV
• Used as an additional layer of defense in conjunction with other technologies.

IDS/IDP
• Again…as an addition to specific IDS/IDP devices.

URL filtering/caching
• Being at the perimeter, FWs are perfectly placed.
• Many FWs are brilliant at this…which saves you!

What else can Firewalls do?

SPAM filtering
• Similar to web filtering.

Wire speed transmission
• Cannot afford to introduce latency to transmission.

Secure Firewall Design

• Irrespective of the type of firewall used, location is the most important factor in design.
  – Poorly placed firewalls = false sense of security.

• All communications in/out of protected networks should flow through a firewall.

• Only authorized traffic is permitted to pass.
  – Be explicit with permissions; everything else = blocked!

• Most likely best to fail closed.

• Must be able to recognize, resist & log attacks on itself.

Rule Base Practices

• Build rules from most to least specific.
  – Rules are generally processed top to bottom and stop once a match is found.

• Place the most active rules at the top.
  – Saves CPU and memory.

• Drop unrouteable packets without question.
  – RFC1918, internal addresses or broadcasts.
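A first-match rule base that applies the 5-tuple matching from the Firewall Principles slide together with the three practices above (specific before general, implicit deny of everything not permitted, unconditional drop of unrouteable sources arriving on the outside interface), as an added Python example that is not from the slides; the interface names, addresses and rules are constructed, and 203.0.113.0/24 is assumed to be the firewall's own public prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    iface: str      # interface the packet arrived on: "outside" or "inside"

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # any source
    dst: str = "0.0.0.0/0"            # any destination
    dst_port: Optional[int] = None    # None = any port
    proto: Optional[str] = None       # None = any protocol
    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.proto is None or p.proto == self.proto))

# Sources that can never legitimately arrive on the outside interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")   # constructed: our own DMZ prefix
BROADCAST = ipaddress.ip_address("255.255.255.255")
def unrouteable_from_outside(p: Packet) -> bool:
    src = ipaddress.ip_address(p.src_ip)
    return p.iface == "outside" and (any(src in n for n in RFC1918)
                                     or src in OUR_PUBLIC or src == BROADCAST)

def evaluate(rules: list, p: Packet) -> tuple:
    """First match wins. Index -1 = anti-spoof drop, len(rules) = implicit deny."""
    if unrouteable_from_outside(p):
        return ("deny", -1)
    for i, r in enumerate(rules):
        if r.matches(p):
            return (r.action, i)
    return ("deny", len(rules))   # nothing explicitly permitted gets through

RULES = [   # most specific and most active first; constructed addresses
    Rule("permit", dst="203.0.113.10/32", dst_port=443, proto="tcp"),   # public web server
    Rule("permit", dst="203.0.113.10/32", dst_port=80, proto="tcp"),
    Rule("permit", src="198.51.100.0/24", dst="203.0.113.20/32", dst_port=22, proto="tcp"),  # partner admin
    Rule("deny", dst="203.0.113.20/32"),   # anyone else to the admin host: explicit, logged deny
]
```

Swapping the first and fourth rules shows why ordering matters: the broad deny would then shadow the partner permit.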
Intrusion Detection (IDS)

Monitors and identifies specific malicious traffic.

• Anything anomalous to the baseline:
  – Traffic.
  – Access or attempted access.
  – Unauthorized changes.
  – Unusual log messages or events.
  – File manipulation.
  – Elevation of rights.
  – System changes.
  – Many more…

Threats that IDS protects against

Attacks

• Unauthorized activity with malicious intent.

• Network protocol attacks.
  – Flag exploits.
  – Fragmentation & reassembly.
• Application attacks.
• Content obfuscation (confusing communication).

Threats that IDS cannot detect

• Attacks that use encryption.

• “Misuse” attacks.
  – Copying documents.
  – Posting documents to portals.
  – Social engineering.

Types of IDS & Detection Models

Anomaly detection
• Looks at patterns of behavior and changes or abnormalities.

Signature
• Uses specific knowledge profiles to match against traffic patterns.

Active
• Triggers some configurable action.

Passive
• Logs only.
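The four models on this slide run over constructed sample events, as an added Python example that is not from the slides: a signature detector whose profiles cover the flag-exploit and application-attack categories from the earlier slide, a rate-baseline anomaly detector, and a passive (log) versus active (block) response. The event format, signatures and addresses are all assumptions of this example.

```python
import re
import statistics
from collections import Counter

# Event format (constructed for this example): "<src_ip> <tcp_flags> <request line>".
TRAINING = [f"198.51.100.{h} PA GET /index.html" for h in (1, 2, 3, 4, 5) for _ in range(2)]
LIVE = TRAINING + [f"192.0.2.50 PA GET /page?id={n}" for n in range(6)] + [
    "192.0.2.50 SF GET /",                        # SYN and FIN set together: a flag exploit
    "192.0.2.50 PA GET /dl?f=../../etc/passwd",   # application attack: directory traversal
]

# Signature profiles: known-bad patterns matched against each event.
SIGNATURES = {
    "syn_fin": re.compile(r"^\S+\s+(?=\S*S)(?=\S*F)\S+\s"),   # flags token has both S and F
    "path_traversal": re.compile(r"\.\./\.\./"),
}

def signature_detect(events: list) -> list:
    """Return (event index, signature name) for each event matching a profile."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rx in SIGNATURES.items() if rx.search(ev)]

def baseline(training: list) -> tuple:
    """Mean and population stdev of requests per source over a known-good window."""
    vals = list(Counter(ev.split()[0] for ev in training).values())
    return statistics.mean(vals), (statistics.pstdev(vals) or 1.0)  # avoid a zero threshold

def anomaly_detect(events: list, mean: float, sd: float, k: float = 3.0) -> list:
    """Flag sources whose request count exceeds mean + k*sd (abnormal against the baseline)."""
    counts = Counter(ev.split()[0] for ev in events)
    return sorted(src for src, c in counts.items() if c > mean + k * sd)

def respond(alerts: list, mode: str) -> list:
    """Passive IDS only logs; active IDS (or an IPS) also triggers a block action."""
    verb = "BLOCK" if mode == "active" else "LOG"
    return [f"{verb} {a}" for a in alerts]

if __name__ == "__main__":
    print(signature_detect(LIVE))                 # [(16, 'syn_fin'), (17, 'path_traversal')]
    mean, sd = baseline(TRAINING)
    print(respond(anomaly_detect(LIVE, mean, sd), "passive"))   # ['LOG 192.0.2.50']
```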
HIDS

Installed on a host device
• Server, workstation, router, printer, gateway etc.
• Installs as a service.
• Intercepts and scans traffic before any other process.
• Excels at examining application layer interactions.

Real-time
• Always looks for attacks and events.
• Takes up a lot of system resources.

Snapshot
• Takes snapshots to show the differences between a known good state and a corrupt state.

NIDS

Protects networks

• Most popular form of IDS.
• Captures & analyzes live traffic.
• Designed to protect more than one host (cf. HIDS).
• Configuration required to ensure detection and analysis is turned on.
• Requires some form of VLAN or port-based traffic mirroring or network tap to work correctly.

IPS

• Along with detection & reporting, IPS can stop attacks in real time.
• Can sometimes overreact!
  – False positives can sometimes lead to traffic starvation.

Which should I use?

It depends……

• What do you want to protect?
  – Host, subnet, entire network?
  – Do you provide network services to customers or are you an enterprise?
  – What is your network topology?
  – Anomaly detection or signature?

There is rarely one solution to a problem but there is often a best solution.

UTM

Unified Threat Management

• All-in-one security appliance.
  – Firewall.
  – Gateway AV.
  – IDS/IDP.
  – SMTP filtering.
  – Web filtering.
  – VPN.
• Great for blended attacks.
• Reduces complexity of deployment of security services.

Big Picture

• Understand the key security concepts in enterprise security, the supporting tools and secure design principles.

• Many, varied appliances, tools and implementations to consider.

• Always try to use the most secure version, implementation or design for anything you do.

• Even with great defences you must still have knowledge of possible attack vectors.

Thanks for watching!
