Network Security


Description and Tags

5.1-5.6: Introduction, Physical and Admin Controls, Firewalls, Network Segmentation, Network Monitoring, Defense in Depth. Go look at the study guides on Canvas for the questions at the end of each section.


119 Terms

1

Security Controls

Measures implemented to protect the confidentiality, integrity, and availability of data.

2

Technical Controls

Implemented using computer hardware and software (e.g., firewalls, antivirus software)

3

Administrative Controls

Implemented using policies, procedures, and user education (e.g., access management policies)

4

Physical Controls

Manage physical access to computing systems and networks (e.g., security cameras, locked server rooms)

5

Preventative Controls

Stop attacks before they happen (e.g., firewalls, encryption)

6

Detective Controls

Identify when attacks occur (e.g., intrusion detection systems)

7

Corrective Controls

Mitigate the impact of an attack after it occurs (e.g., data backups, incident response plans)

8

Perimeter Security

Prevents attacks from entering the internal network

9

Perimeter Security Examples

Firewalls, VPNs, and intrusion prevention systems

10

Network Security

Secures network infrastructure to prevent lateral movement within a network

11

Network Security Examples

Network segmentation, access control lists (ACLs)

12

Host or Endpoint Security

Protects individual devices connected to the network

13

Host or Endpoint Security Examples

Antivirus software, endpoint detection and response (EDR)

14

Application Security

Ensures the security of software and applications used on the network

15

Application Security Examples

Secure coding practices, application firewalls

16

Data Security

Protects sensitive data from unauthorized access, corruption, or theft

17

Data Security Examples

Data encryption, access controls, and data masking

18

Physical Controls

Security measures designed to prevent unauthorized physical access to network infrastructure. Help ensure the safety and integrity of network devices, servers, and data.

19

Perimeter Security

  • Fencing

  • Cameras

  • Security Guards

20

Fencing

Establishes a clear boundary around a facility, deterring unauthorized access

21

Cameras

Monitor activity, providing visual evidence and real-time surveillance

22

Security Guards

Act as a visible deterrent and provide an immediate response to incidents

23

Access Control

  • Locks on Doors and Cabinets

  • Card Readers

24

Locks on Doors and Cabinets

Prevent unauthorized individuals from accessing network devices and servers

25

Card Readers

Ensure that only authorized personnel can enter restricted areas where sensitive equipment and data are stored

26

Device Security

Physical locks and tamper-proof cases can prevent theft or tampering of network devices like servers, routers, and switches

27

Administrative Controls

Involve policies, procedures, and training programs designed to manage human behavior and ensure compliance with security standards.

28

Security Awareness Training

Educates employees on identifying and responding to security threats like phishing emails, social engineering, and suspicious activity. Promotes a security-conscious culture within the organization.

29

Security Policies and Procedures

  • Acceptable Use Policy

  • Password Policy

  • Data Security Policy

30

Acceptable Use Policy (AUP)

Defines how employees can use company resources responsibly

31

Password Policy

Establishes requirements for creating strong passwords and regularly updating them

32

Data Security Policy

Outlines how sensitive data should be accessed, stored, and shared

33

Enforcement and Monitoring

Administrative controls often include auditing and monitoring to ensure compliance with policies. Violations may result in disciplinary actions, further reinforcing adherence to security measures.

34

Firewall

A security system used to admit or deny traffic into a network or host. Acts as a barrier between a trusted network and an untrusted network. Filters network traffic based on predetermined security rules.

35

Firewall Implementation

  • Can be a standalone physical device

  • Can be software installed on a device

36

Firewall Filtering Criteria

  • Source/destination IP addresses

  • Logical ports

  • Protocols

  • Application types

37

Host-Based Firewall

  • Permits/denies traffic into or out of a single device

  • Installed on individual computers

  • Examples: Windows Defender Firewall, UFW (Linux)

38

Network-Based Firewall

  • Permits/denies traffic into or out of an entire network

  • Typically deployed at network boundaries

  • Examples: Cisco ASA, Palo Alto Networks firewalls

39

Stateless Firewall

  • Filters based on packet headers (IP addresses, ports, protocols)

  • Examines each packet in isolation

  • Simple but less secure

  • Limited to header inspection

40

Stateful Firewall

  • Filters based on the state of active connections

  • Tracks connection state and context

  • Better security through context awareness

  • Can track entire communication sessions

41

Next-Generation Firewall (NGFW)

  • Combines capabilities of stateless/stateful firewalls with advanced features

  • Includes intrusion prevention, deep packet inspection, application filtering

  • Most comprehensive protection

  • Can inspect encrypted traffic and identify applications

42

Access Control Lists (ACLs)

Rules set by network administrators that firewalls use to permit or deny network traffic

43

ACL Implementation

Specified in order of priority (typically top to bottom)

44

ACL Processing

The first rule that matches the criteria will be executed for the specified data

45

Components of a Typical ACL Rule

  1. Direction of traffic on an interface

    • Inbound (entering the network)

    • Outbound (leaving the network)

  2. Filtering criteria

    • IP addresses (source/destination)

    • Logical ports

    • Services

    • Applications

  3. Action to take

    • Permit (allow the traffic)

    • Deny (block the traffic)

46

Rule Processing Example

RULE 1: DENY traffic FROM 192.168.1.100 TO ANY on PORT 25 (SMTP)
RULE 2: ALLOW traffic FROM 192.168.1.0/24 TO 10.0.0.5 on PORT 80 (HTTP)
RULE 3: ALLOW traffic FROM ANY TO 10.0.0.6 on PORT 443 (HTTPS)
RULE 4: DENY ALL OTHER TRAFFIC

47

Allow Lists (Whitelists)

Lists of entities that are granted permission to access a particular resource

48

Allow List Default Action

Any entity not on the allow list is implicitly denied access

49

Allow List Security Approach

Proactive security model

50

Allow List Advantages

  • Provides tighter security control

  • Reduces attack surface

  • Better protection against unknown threats

51

Allow List Disadvantages

  • May block legitimate entities if they’re unintentionally omitted

  • Can impact resource availability

  • Requires more maintenance to keep updated

52

Deny Lists (Blacklists)

Lists of entities that are explicitly denied access to a particular resource

53

Deny List Default Action

Any entity not on the deny list is implicitly allowed access

54

Deny List Security Approach

Reactive security model

55

Deny List Advantages

  • Easier to implement initially

  • Less likely to block legitimate access

  • Requires less day-to-day maintenance

56

Deny List Disadvantages

  • More permissive approach

  • Can lead to illegitimate entities gaining access

  • May impact the confidentiality of data

  • Reactive rather than proactive

57

Firewall Implementation at Network Perimeter

Protecting the boundary between internal and external networks

58

Firewall Implementation with Network Segmentation

Dividing networks into security zones

59

Firewall Implementation for Data Center Protection

Securing server environments

60

Firewall Implementation for Cloud Security

Protecting cloud-based resources

61

Firewall Implementation for Remote Access

Securing VPN connections

62

Firewall Best Practices

  • Implement the principle of least privilege

  • Use a defense-in-depth approach (multiple layers of security)

  • Regularly audit and update firewall rules

  • Document all firewall configurations and changes

  • Test firewall configurations before deployment

  • Monitor firewall logs for suspicious activity

  • Establish a process for rule review and removal of outdated rules

63

Network Segmentation

The process of dividing a computer network into smaller, isolated segments or subnets. Creates logical or physical boundaries between different parts of a network. Establishes control points for monitoring and restricting network traffic between segments. Implements the principle of least privilege at the network level.

64

Network Segmentation Basic Concept

Transforms a flat network into a compartmentalized structure where traffic between segments is controlled and monitored.

65

Network Segmentation Benefits

  • Breach Containment - Prevents attacks from moving laterally throughout the network

  • Attack Surface Reduction - Limits the network resources visible to potential attackers

  • Security Zone Creation - Enables different security policies for different network areas

  • Access Control - Restricts user and device access to only necessary network resources

  • Simplified Compliance - Helps meet regulatory requirements by isolating sensitive data

66

Network Segmentation Performance Improvements

  • Reduced Network Congestion - Isolates network traffic to relevant segments

  • Improved Speed - Less broadcast traffic means faster communication within segments

  • Better Bandwidth Utilization - Localizes traffic to where it’s needed

  • Efficient Troubleshooting - Easier to identify and resolve network issues within smaller segments

67

Network Segmentation Operational Benefits

  • Simplified Management - Easier to manage smaller network segments

  • Enhanced Monitoring - More effective visibility into traffic patterns

  • Improved Incident Response - Faster isolation of compromised systems

  • Better Resource Allocation - Optimized network resource distribution

68

Firewall Zones and Screened Subnets (DMZ)

  • A network segment positioned between public external networks (Internet) and internal private networks

  • Typically designated as a lower security zone than internal networks

  • Houses publicly accessible resources (web servers, email servers, etc.)

  • Keeps public-facing services separated from the internal network

  • Uses firewalls to control traffic flow between zones

69

Virtual Local Area Networks (VLANs)

  • Uses switches to create logical separations of physically connected devices

  • Devices on different VLANs cannot directly communicate with each other

  • Traffic between VLANs must pass through a Layer 3 device

  • Enables segmentation without changing physical network topology

  • Can group devices by function, department, or security requirements

70

Subnetting via IP Addressing

  • Divides network into different subnets based on IP addressing schemes

  • Uses subnet masks to define network boundaries

  • Traffic between subnets must pass through a Layer 3 or routing-capable device

  • Provides physical or logical separation of network resources

  • Can be implemented alongside other segmentation techniques

71

Combined Approaches to Network Segmentation

  • DMZ with firewalls for internet-facing services

  • VLANs for internal logical separation

  • Subnetting for IP-based organization

  • Each approach addresses different security and operational needs

72

Network Segmentation Planning & Design

  • Network Mapping - Document all network assets and data flows

  • Risk Assessment - Identify critical assets and potential threats

  • Security Requirements - Define security objectives for each segment

  • Segmentation Policy - Create clear policies for inter-segment communication

73

Segmentation Strategies

  • Group by Function - Separate networks based on server function (database, application, web)

  • Group by Sensitivity - Create segments based on data classification levels

  • Group by Department - Segment based on organizational structure

  • Zero Trust Approach - Verify all connections regardless of source location

74

Access Control Implementation

  • Default Deny Policies - Block all traffic between segments by default, allowing only necessary communication

  • Access Control Lists (ACLs) - Implement detailed rules for traffic filtering

  • Defense in Depth - Apply multiple security controls at segment boundaries

  • Least Privilege - Grant only necessary access rights between segments

75

Monitoring and Maintenance

  • Traffic Analysis - Continuously monitor inter-segment network traffic

  • Security Logging - Maintain logs of all traffic crossing segment boundaries

  • Regular Audits - Periodically review segmentation effectiveness

  • Update Policies - Adjust segmentation as network needs evolve

76

Internet-Facing DMZ

  • Purpose: Public Services

  • Security Level: Lower

  • Example Devices/Services: Web servers, DNS, Email gateways

77

Internal Services Segment

  • Purpose: Organization-wide services

  • Security Level: Medium

  • Example Devices/Services: Directory services, Internal applications

78

User Network Segmentation

  • Purpose: Employee workstations

  • Security Level: Medium

  • Example Devices/Services: Desktops, Laptops, Printers

79

Management Segment

  • Purpose: Network administration

  • Security Level: High

  • Example Devices/Services: Management interfaces, Admin consoles

80

Protected Data Segment

  • Purpose: Sensitive Information

  • Security Level: Highest

  • Example Devices/Services: Financial databases, PII storage

81

IoT Segment

  • Purpose: Connected devices

  • Security Level: Isolated

  • Example Devices/Services: Smart devices, Building systems

82

Network Segmentation in Healthcare

Separate medical devices from patient records systems

83

Network Segmentation in Finance

Isolate payment processing from general operations

84

Network Segmentation in Manufacturing

Segment operational technology from IT networks

85

Network Segmentation in Education

Separate administrative, faculty, and student networks

86

Network Segmentation in Retail

Isolate point-of-sale systems from corporate networks

87

Common Challenges with Network Segmentation

  • Complexity - More complex to manage than flat networks

  • Performance Overhead - Potential latency when crossing segment boundaries

  • Resource Requirements - Additional hardware/software needs

  • Legacy Systems - Difficulty integrating older systems into segmented design

88

Network Monitoring

A critical component of cybersecurity that involves continuously observing network traffic, system behavior, and events to detect security threats, performance issues, and operational anomalies.

89

Intrusion Detection Systems (IDS)

A security technology that monitors network traffic and system activities for malicious actions or policy violations. Identifies potential security incidents, logs information about them, and reports to administrators

90

IDS Key Characteristics

  • Monitors and analyzes network traffic to identify suspicious behavior or patterns

  • Generates alerts for system administrators when security incidents are detected

  • Acts as a passive observer that does not modify or block traffic

  • Provides visibility into potential security breaches

  • Can be out-of-band (not directly in traffic path)

  • Minimal to no latency impact

  • Can generate unnecessary alerts

91

Intrusion Prevention Systems (IPS)

An advanced security technology that not only detects but also takes automated actions to prevent or mitigate security incidents. Identifies and actively responds to potential security threats in real-time.

92

IPS Key Characteristics

  • Monitors and analyzes network traffic like an IDS

  • Generates alerts for system administrators when security incidents are detected

  • Takes active measures to mitigate and respond to security incidents

  • Can automatically block suspicious traffic, terminate suspicious connections, or take other defensive actions

  • Must be in-line (directly in the traffic path)

  • May introduce slight latency

  • May block legitimate traffic

93

Network Event Logging

The process of recording network activities, system events, and security incidents. Creates detailed records for analysis, troubleshooting, and forensic investigation.

94

Key Benefits of Network Event Logging

  • Provides useful information when investigating the causes and impacts of security incidents

  • Helps in early identification of security incidents through regular monitoring

  • Creates an audit trail for compliance and forensic purposes

  • Enables detection of patterns that might indicate ongoing attacks

95

Network Events Logged

Authentication Events:

  • Successful and failed login attempts

  • Password changes

  • Account lockouts

System Events:

  • System startups and shutdowns

  • Service or application starts and stops

  • System configuration changes

Network Events:

  • Firewall accepts/denies

  • Unusual traffic patterns

  • Connection attempts to restricted services

Security Events:

  • Malware detections

  • Policy violations

  • Privilege escalations

96

Network Monitoring Architecture Components

  1. Sensors/Agents: Collect data from various points in the network

  2. Collection Systems: Aggregate logs and events from multiple sources

  3. Analysis Engines: Process collected data to identify patterns and anomalies

  4. Alert Systems: Notify administrators of potential issues

  5. Response Systems: Implement automated countermeasures (in IPS)

97

Network Monitoring Deployment Strategies

Network-Based Monitoring:

  • Monitors traffic at strategic points in the network

  • Less resource-intensive on endpoints

  • May miss encrypted traffic

Host-Based Monitoring:

  • Agents installed on individual systems

  • Can monitor system-level activities

  • More resource-intensive

Hybrid Approach:

  • Combines network and host-based monitoring

  • Provides comprehensive visibility

  • Balances resource usage with coverage

98

Network Monitoring Best Practices

Establish Baselines:

  • Document normal network behavior

  • Use baselines to identify deviations

Implement Log Management:

  • Centralize log collection

  • Establish log retention policies

  • Ensure timestamp synchronization

Regular Review:

  • Schedule routine log reviews

  • Automate common analysis tasks

  • Look for patterns across multiple data sources

Tuning and Optimization:

  • Reduce false positives

  • Focus on high-value alerts

  • Adjust sensitivity based on threat landscape

Integration with Incident Response:

  • Define clear escalation procedures

  • Automate initial response where appropriate

  • Document lessons learned from incidents

99

Alert Fatigue

Condition where security personnel become desensitized to alerts due to high volume or frequent false positives

100

Anomaly Detection

Identifying patterns that do not conform to expected behavior