Network Security - alishahbaz/Certified-in-Cybersecurity_CC GitHub Wiki

Learning Objectives

  • Explain the concepts of network security.
  • Recognize common networking terms and models.
  • Identify common protocols and ports and their secure counterparts.
  • Identify types of network (cyber) threats and attacks.
  • Discuss common tools used to identify and prevent threats.
  • Identify common data center terminology.
  • Recognize common cloud service terminology.
  • Identify secure network design terminology.
  • Practice the terminology of and review network security concepts.

Key Topics Include

  • Secure Infrastructure Strategies
  • Cloud Computing Infrastructure
  • Network Architecture
  • Ports and Services Management

Networking

What is Networking

A network is simply two or more computers linked together to share data, information or resources.

There are two basic types of networks:

  • A local area network (LAN) is a network typically spanning a single floor or building. This is commonly a limited geographical area.
  • Wide area network (WAN) is the term usually assigned to the long-distance connections between geographically remote networks.

Network Devices

Hubs Hubs are used to connect multiple devices in a network. They’re less likely to be seen in business or corporate networks than in home networks. Hubs are wired devices and are not as smart as switches or routers.

Switch Rather than using a hub, you might consider using a switch, or what is also known as an intelligent hub. Switches are wired devices that know the addresses of the devices connected to them and route traffic to that port/device rather than retransmitting to all devices. Offering greater efficiency for traffic delivery and improving the overall throughput of data, switches are smarter than hubs, but not as smart as routers. Switches can also create separate broadcast domains when used to create VLANs.

Router Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between them. Routers can be wired or wireless and can connect multiple switches. Smarter than hubs and switches, routers determine the most efficient “route” for the traffic to flow across the network.

Firewall Firewalls are essential tools in managing and controlling network traffic and protecting the network. A firewall is a network device used to filter traffic. It is typically deployed between a private network and the internet, but it can also be deployed between departments (segmented networks) within an organization (overall network). Firewalls filter traffic based on a defined set of rules, also called filters or access control lists.

Server A server is a computer that provides information to other computers on a network. Some common servers are web servers, email servers, print servers, database servers, and file servers. All of these are, by design, networked and accessed in some way by a client computer. Servers are usually secured differently than workstations to protect the information they contain.

Endpoint Endpoints are the ends of a network communication link. One end is often at a server where a resource resides, and the other end is often a client making a request to use a network resource. An endpoint can be another server, desktop workstation, laptop, tablet, mobile phone, or any other end user device.

Other Networking Terms Ethernet (IEEE 802.3) is a standard that defines wired connections of networked devices.

This standard defines the way data is formatted over the wire to ensure disparate devices can communicate over the same cable.

Device Address MAC Every network device is assigned a Media Access Control (MAC) address. An example is 00-13-02-1F-58-F5. The first 3 bytes (24 bits) of the address denote the vendor or manufacturer of the physical network interface. No two devices can have the same MAC address in the same local network; otherwise an address conflict occurs.

IP While MAC addresses are generally assigned in the firmware of the interface, IP hosts associate that address with a unique logical address. This logical IP address represents the network interface within the network and can be useful to maintain communications when a physical device is swapped with new hardware. Examples are 192.168.1.1 (IPv4) and 2001:db8:: f:0: (IPv6).

Microsegmentation

The toolsets of current adversaries are polymorphic in nature and allow threats to bypass static security controls. Modern cyber attacks take advantage of traditional security models to move easily between systems within a data center. Microsegmentation aids in protecting against these threats.

A fundamental design requirement of microsegmentation is to understand the protection requirements for traffic within a data center and for traffic flows to and from the internet. When organizations avoid infrastructure-centric design paradigms, they are more likely to become more efficient at service delivery in the data center and become adept at detecting and preventing advanced persistent threats.

Microsegmentation Characteristics

  • Microsegmentation allows for granular restrictions within the IT environment, to the point where rules can be applied to individual machines and/or users, and these rules can be as detailed and complex as desired. For instance, it can limit which IP addresses can communicate to a given machine, at which time of day, with which credentials, and which services those connections can use.

  • Microsegmentation uses logical rules, not physical rules, and does not require additional hardware or manual interaction with the device (that is, the administrator can apply the rules to various machines without having to physically touch each device or the cables connecting it to the networked environment).

  • Microsegmentation is the ultimate end state of the defense-in-depth philosophy; no single point of access within the IT environment can lead to broader compromise.

  • Microsegmentation is crucial in shared environments, such as the cloud, where more than one customer’s data and functionality might reside on the same device(s), and where third-party personnel (administrators/technicians who work for the cloud provider, not the customer) might have physical access to the devices.

  • Microsegmentation allows the organization to limit which business functions, units, offices, or departments can communicate with others, to enforce the concept of least privilege. For instance, the Human Resources office probably has employee data that no other business unit should have access to, such as employee home address, salary, and medical records. Microsegmentation, like VLANs, can make HR its own distinct IT enclave, so that sensitive data is not available to other business units, thus reducing the risk of exposure.

  • In modern environments, microsegmentation is available because of virtualization and software-defined networking (SDN) technologies. In the cloud, the tools for applying this strategy are often called “virtual private networks (VPN)” or “security groups.”

  • Even in your home, microsegmentation can be used to separate computers from smart TVs, air conditioning, and smart appliances, which can be connected and have vulnerabilities.

Microsegmentation Deep Dive

Some key points about microsegmentation. Microsegmentation allows for extremely granular restrictions within the IT environment, to the point where rules can be applied to individual machines and/or users, and these rules can be as detailed and complex as desired. For instance, we can limit which IP addresses can communicate to a given machine, at which time of day, with which credentials, and which services those connections can utilize. These are logical rules, not physical rules, and do not require additional hardware or manual interaction with the device; that is, the administrator can apply the rules to various machines without having to physically touch each device or the cables connecting it to the networked environment. This is the ultimate end state of the defense-in-depth philosophy: no single point of access within the IT environment can lead to broader compromise. This is crucial in shared environments such as the cloud, where more than one customer's data and functionality might reside on the same devices, and where third-party personnel (administrators and technicians who work for the cloud provider, not the customer) might have physical access to the devices. Microsegmentation allows the organization to limit which business functions, units, offices, or departments can communicate with others, in order to enforce the concept of least privilege. For instance, the human resources office probably has employee data that no other business unit should have access to, such as employee home address, salary, medical records, et cetera. Microsegmentation, like VLANs, can make HR its own distinct IT enclave so that sensitive data is not available to other business entities, thus reducing the risk of exposure. In modern environments, microsegmentation is available because of virtualization and software-defined networking (SDN) technologies. In the cloud, the tools for applying this strategy are often called virtual private networks (VPN) or security groups.
Even in your home, microsegmentation can be used to separate computers from smart TVs, air conditioning, and smart appliances, which can be connected and can have vulnerabilities.

Tools to Identify and Prevent Threats

| Tool | Description | Identifies Threats | Prevents Threats |
|---|---|---|---|
| IDS | Detects abnormal activity, intrusions, and system failures | ✔️ | |
| HIDS | Monitors activity on a single host | ✔️ | |
| NIDS | Monitors/evaluates network activity | ✔️ | |
| SIEM | Gathers and analyzes logs across systems | ✔️ | |
| Antivirus/Anti-malware | Identifies malicious software or processes | ✔️ | ✔️ |
| Scans | Evaluates effectiveness of security controls | ✔️ | |
| Firewall | Filters/manages network traffic | ✔️ | ✔️ |
| IPS (HIPS/NIPS) | Actively detects and blocks threats | ✔️ | ✔️ |

Intrusion Detection System (IDS)

An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.

Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

An intrusion detection system (IDS) automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.

IDSs can recognize attacks that come from external connections, such as an attack from the internet, and attacks that spread internally, such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions.

Intrusion detection and prevention refer to capabilities that are part of isolating and protecting a more secure or more trusted domain or zone from one that is less trusted or less secure. These are natural functions to expect of a firewall, for example.

IDS types are commonly classified as host-based and network-based. A host-based IDS (HIDS) monitors a single computer or host. A network-based IDS (NIDS) monitors a network by observing network traffic patterns.

Host-based Intrusion Detection System (HIDS)

HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security, and host-based firewall logs. It can often examine events in more detail than a NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect. For example, a HIDS can detect infections where an intruder has infiltrated a system and is controlling it remotely. HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration. A HIDS cannot detect network attacks on other systems.

Network Intrusion Detection System (NIDS)

NIDS monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console. These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps. A NIDS has very little negative effect on the overall network performance, and when it is deployed on a single-purpose system, it doesn’t adversely affect performance on any other computer. A NIDS is usually able to detect the initiation of an attack or ongoing attacks, but it can’t always provide information about the success of an attack. It won’t know if an attack affected specific systems, user accounts, files, or applications.

Security Information and Event Management (SIEM)

Security management involves the use of tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts.

These tools are generally known as security information and event management (or SI-E-M, pronounced “SIM”) solutions. The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly. SIEM systems can be used along with other components (defense-in-depth) as part of an overall information security program.

Preventing Threats

While there is no single step you can take to protect against all threats, there are some basic steps you can take that help reduce the risk of many types of threat:

  • Keep systems and applications up to date. Vendors regularly release patches to correct bugs and security flaws, but these only help when they are applied. Patch management ensures that systems and applications are kept up to date with relevant patches.

  • Remove or disable unneeded services and protocols. If a system doesn’t need a service or protocol, it should not be running. Attackers cannot exploit a vulnerability in a service or protocol that isn’t running on a system. As an extreme contrast, imagine a web server is running every available service and protocol. It is vulnerable to potential attacks on any of these services and protocols.

  • Use intrusion detection and prevention systems. Intrusion detection and prevention systems observe activity, attempt to detect threats, and provide alerts. They can often block or stop attacks.

  • Use firewalls. Firewalls can prevent many different types of threats. Network-based firewalls protect entire networks, and host-based firewalls protect individual systems.

  • Use up-to-date anti-malware software. A primary countermeasure is anti-malware software.

Antivirus

The use of antivirus products is strongly encouraged as a security best practice and is a requirement for compliance with the Payment Card Industry Data Security Standard (PCI DSS).

There are several antivirus products available, and many can be deployed as part of an enterprise solution that integrates with several other security products. Antivirus systems try to identify malware based on the signature of known malware or by detecting abnormal activity on a system. This identification is done with various types of scanners, pattern recognition, and advanced machine learning algorithms.

Anti-malware now goes beyond just virus protection as modern solutions try to provide a more holistic approach detecting rootkits, ransomware, and spyware. Many endpoint solutions also include software firewalls and IDS or IPS systems.

Scans

Regular vulnerability and port scans are a good way to evaluate the effectiveness of security controls used within an organization. They may reveal areas where patches or security settings are insufficient, where new vulnerabilities have developed or become exposed, and where security policies are either ineffective or not being followed. Attackers can exploit any of these vulnerabilities.

Firewalls

In building construction or vehicle design, a firewall is a specially built physical barrier that prevents the spread of fire from one area of the structure to another or from one compartment of a vehicle to another.

Early computer security engineers borrowed that name for the devices and services that isolate network segments from each other, as a security measure. As a result, firewalling refers to the process of designing, using, or operating different processes in ways that isolate high-risk activities from lower-risk ones.

Firewalls enforce policies by filtering network traffic based on a set of rules. While a firewall should always be placed at internet gateways, other internal network considerations and conditions determine where a firewall would be employed, such as network zoning or segregation of different levels of sensitivity. Firewalls have rapidly evolved over time to provide enhanced security capabilities. This growth in capabilities can be seen in the graphic below, which contrasts an oversimplified view of traditional and next-generation firewalls. A next-generation firewall integrates a variety of threat management capabilities into a single framework, including proxy services, intrusion prevention services (IPS), and tight integration with the identity and access management (IAM) environment to ensure only authorized users are permitted to pass traffic across the infrastructure. While firewalls can manage traffic at Layers 2 (MAC addresses), 3 (IP ranges), and 7 (application programming interface (API) and application firewalls), the traditional implementation has been to control traffic at Layer 4.

Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) is a special type of active IDS that automatically attempts to detect and block attacks before they reach target systems.

A distinguishing difference between an IDS and an IPS is that the IPS is placed in line with the traffic. In other words, all traffic must pass through the IPS, and the IPS can choose what traffic to forward and what traffic to block after analyzing it. This allows the IPS to prevent an attack from reaching a target. Since IPS systems are most effective at preventing network-based attacks, it is common to see the IPS function integrated into firewalls. Just like IDS, there are Network-based IPS (NIPS) and Host-based IPS (HIPS).
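To make the IDS versus IPS distinction concrete, here is an added example (written for these notes, not code from the ISC2 course or this wiki) of a toy network sensor: run passively it only raises alerts, run inline it also returns a forward/drop verdict for every packet. The sample traffic, the port-scan threshold and the single signature are constructed for illustration.

```python
"""Toy NIDS/NIPS: one detector, two deployment modes.
Passive (IDS) mode only records alerts; inline (IPS) mode also decides
per packet whether to forward or drop, so it can stop an attack before it
reaches the target. All traffic below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # a NIDS can only inspect payload that is not encrypted


# Hypothetical signature list: (alert name, byte pattern seen in cleartext payload)
SIGNATURES = [("path-traversal", b"../../")]
# Flag a source once it has touched this many distinct destination ports
SCAN_THRESHOLD = 10

# Constructed traffic: one normal HTTPS connection, a 12-port sweep from
# 203.0.113.9 against 10.0.0.5, then a request matching the signature.
SAMPLE_TRAFFIC = (
    [Packet("198.51.100.4", "10.0.0.5", 443)]
    + [Packet("203.0.113.9", "10.0.0.5", p) for p in range(20, 32)]
    + [Packet("198.51.100.7", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.1")]
)


class Sensor:
    def __init__(self, inline):
        self.inline = inline                  # True = IPS, False = IDS
        self.ports_seen = defaultdict(set)    # src -> set of destination ports
        self.alerts = []                      # (alert name, source) pairs
        self.blocked = set()                  # sources an inline sensor keeps dropping

    def inspect(self, pkt):
        """Return 'forward' or 'drop'. A passive sensor never drops."""
        if self.inline and pkt.src in self.blocked:
            return "drop"
        verdict = "forward"
        for name, pattern in SIGNATURES:
            if pattern in pkt.payload:
                self.alerts.append((name, pkt.src))
                verdict = "drop"
        self.ports_seen[pkt.src].add(pkt.dport)
        if len(self.ports_seen[pkt.src]) == SCAN_THRESHOLD:
            self.alerts.append(("port-scan", pkt.src))
            self.blocked.add(pkt.src)
            verdict = "drop"
        return verdict if self.inline else "forward"


def run(inline, traffic=SAMPLE_TRAFFIC):
    """Feed the traffic through one sensor; return (alerts, per-packet verdicts)."""
    sensor = Sensor(inline)
    verdicts = [sensor.inspect(p) for p in traffic]
    return sensor.alerts, verdicts


if __name__ == "__main__":
    for mode in (False, True):
        alerts, verdicts = run(mode)
        print("IPS" if mode else "IDS", alerts, verdicts.count("drop"), "dropped")
```

Both modes produce the same two alerts; only the inline sensor stops the sweep after the tenth port and drops the signature hit, which is exactly the "detect and block before it reaches the target" behaviour described above.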

Network Segmentation: Demilitarized Zone (DMZ)

Network segmentation is an effective way to achieve defense in depth for distributed or multitiered applications. The use of a demilitarized zone (DMZ), for example, is a common practice in security architecture.

With a DMZ, host systems that are accessible through the firewall are physically separated from the internal network by means of secured switches or by using an additional firewall to control traffic between the web server and the internal network. Application DMZs (or semi-trusted networks) are frequently used today to limit access to application servers to those networks or systems that have a legitimate need to connect.
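Pulling together the microsegmentation rules, firewall access control lists and DMZ zoning described above, here is an added example (written for these notes, not code from the ISC2 course or this wiki) of a default-deny policy engine: each rule names a source network, a destination workload tag, a service port and, optionally, a time window and allowed identities, the way a microsegmentation rule or cloud security group does. The subnets, workload tags and user names are constructed.

```python
"""Toy microsegmentation / zone policy engine.
Rules are logical: they bind to a workload tag rather than to a cable or
port, so the same rule follows a VM wherever it runs. Anything that no
rule explicitly allows is denied (least privilege)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_tag: str            # workload tag, e.g. "dmz-web", "internal-db", "hr-files"
    dport: int
    hour: int               # local hour of day, 0-23
    user: Optional[str] = None  # authenticated identity, if the service has one


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR the source address must fall inside
    dst_tag: str
    dport: int
    hours: tuple = (0, 24)  # allowed [start, end) hour window
    users: tuple = ()       # empty tuple = any identity

    def matches(self, f):
        return (ip_address(f.src_ip) in ip_network(self.src)
                and f.dst_tag == self.dst_tag
                and f.dport == self.dport
                and self.hours[0] <= f.hour < self.hours[1]
                and (not self.users or f.user in self.users))


# Constructed policy: the internet may reach the DMZ web tier on 443 only;
# the DMZ web subnet may reach the internal database on 5432 only; named HR
# staff may reach the HR file share from the HR subnet during office hours.
# The internet never gets a rule towards internal tags, so it hits default-deny.
POLICY = [
    Rule("internet-to-dmz-https", "0.0.0.0/0", "dmz-web", 443),
    Rule("dmz-web-to-db", "10.10.0.0/24", "internal-db", 5432),
    Rule("hr-office-hours", "10.20.0.0/24", "hr-files", 445, (8, 18), ("alice", "bob")),
]


def decide(flow, policy=POLICY):
    """Return (verdict, rule name). First matching allow wins; otherwise deny."""
    for rule in policy:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    for f in (Flow("198.51.100.4", "dmz-web", 443, 10),
              Flow("198.51.100.4", "internal-db", 5432, 10),
              Flow("10.20.0.5", "hr-files", 445, 22, "alice")):
        print(f, "->", decide(f))
```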

Virtual Private Network (VPN)

A virtual private network (VPN) is not necessarily an encrypted tunnel. It is simply a point-to-point connection between two hosts that allows them to communicate. Secure communications can, of course, be provided by the VPN, but only if the security protocols have been selected and correctly configured to provide a trusted path over an untrusted network, such as the internet. Remote users employ VPNs to access their organization’s network, and depending on the VPN’s implementation, they may have most of the same resources available to them as if they were physically at the office. As an alternative to expensive dedicated point-to-point connections, organizations use gateway-to-gateway VPNs to securely transmit information over the internet between sites or even with business partners.