Network Security Devices, Design, and Technology

Security Through Network Devices

  • Security can be achieved through:
    • Security features in standard networking devices.
    • Hardware designed primarily for security.

Standard Network Devices

  • Classified by the OSI layer at which they function.
  • OSI model breaks networking into seven layers, each with different tasks, cooperating with adjacent layers.
  • Security functions of network devices provide a degree of network security.
  • Improperly configured devices introduce vulnerabilities.
  • Examples:
    • Bridges
    • Switches
    • Routers
    • Load balancers
    • Proxies

Bridges

  • Hardware device or software to join two separate computer networks, enabling communication.
  • Connects two LANs or network segments (subnets).
  • Operate at the Data Link layer (Layer 2); connected networks/segments must use the same Layer 2 protocol (e.g., Ethernet).
  • Most OSs allow for software bridges, but creating one could introduce security vulnerabilities.

Switches

  • Connect network hosts intelligently.
  • Learn which device is connected to each port.
  • Examine the MAC address of each received frame and associate that address with the port it arrived on.
    • Addresses are stored in a MAC address table.
  • Forward frames only to the port of the intended device (unicast) instead of broadcasting them.
  • Proper configuration is important for security, including:
    • Loop prevention
    • Flood guard

Flood Guard

  • Defense against MAC flooding attacks. A threat agent overflows the switch with spoofed Ethernet frames, each with a different source MAC address.
  • Switches with port security can limit the number of MAC addresses learned on ports.
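The effect of a MAC flooding attack on a switch's address table, and how a per-port address limit stops it, shown as an added Python simulation (not part of the original notes; the Switch class, port numbers and MAC addresses are constructed for the example):

```python
from typing import Dict, List, Optional, Set

class Switch:
    """Toy learning switch constructed for this example (not a real product). The MAC
    table holds at most table_size entries; once it is full, new addresses cannot be
    learned and frames to unknown destinations are flooded out of every port, which is
    what MAC flooding relies on. Port security (max_per_port) caps what a port may learn."""

    def __init__(self, ports: int, table_size: int, max_per_port: Optional[int] = None):
        self.ports = list(range(1, ports + 1))
        self.table_size, self.max_per_port = table_size, max_per_port
        self.mac_table: Dict[str, int] = {}                      # MAC -> port
        self.learned: Dict[int, Set[str]] = {p: set() for p in self.ports}
        self.violations = 0                                      # port-security drops

    def _learn(self, src: str, port: int) -> str:
        if src in self.mac_table:
            return "known"
        if self.max_per_port is not None and len(self.learned[port]) >= self.max_per_port:
            self.violations += 1
            return "violation"
        if len(self.mac_table) >= self.table_size:
            return "table_full"                                  # nothing more can be learned
        self.mac_table[src] = port
        self.learned[port].add(src)
        return "learned"

    def forward(self, src: str, dst: str, in_port: int) -> List[int]:
        """Return the egress ports for one frame; [] means the frame was dropped."""
        if self._learn(src, in_port) == "violation":
            return []
        if dst in self.mac_table:
            return [self.mac_table[dst]]                         # unicast to the known port
        return [p for p in self.ports if p != in_port]           # unknown destination: flood

def mac_flood(sw: Switch, attacker_port: int, count: int) -> None:
    """Threat agent sends count frames, each with a different spoofed source MAC."""
    for i in range(count):
        spoofed = "02:00:00:00:%02x:%02x" % (i >> 8 & 0xFF, i & 0xFF)
        sw.forward(spoofed, "ff:ff:ff:ff:ff:ff", attacker_port)

def scenario(max_per_port: Optional[int]) -> List[int]:
    """Host A on port 1, host C on port 4, attacker on port 3. After the flood, C sends
    a frame to A; return the ports that receive A's reply to C."""
    sw = Switch(ports=4, table_size=256, max_per_port=max_per_port)
    sw.forward("aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff", 1)      # switch learns A on port 1
    mac_flood(sw, attacker_port=3, count=1000)                   # more than the table holds
    sw.forward("cc:cc:cc:cc:cc:04", "aa:aa:aa:aa:aa:01", 4)      # C -> A: C cannot be learned
    return sw.forward("aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:04", 1)   # A -> C
```

Without port security the reply to C is flooded to every port, including the attacker's; with a limit of two addresses per port the flood is dropped and the reply reaches only port 4.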

Routers

  • Forward packets across different computer networks.
  • Operate at the Network Layer (Layer 3).
  • Can filter specific types of network traffic using an Access Control List (ACL).
  • Can limit traffic entering from unapproved networks.

Load Balancers

  • Help evenly distribute work across a network.
  • Allocate requests among multiple devices.

Advantages

  • Reduces the probability of overloading a single server.
  • Optimizes bandwidth of network computers.
  • Load balancing can be achieved via software or hardware.

Categories:

  • Layer 4 load balancers: act upon data in Network and Transport layer protocols.
  • Layer 7 load balancers: distribute requests based on data in Application layer protocols.

Scheduling Protocols

  • Round-robin
  • Affinity
  • Other

Proxies

  • Intercepts user requests from the internal network and processes the requests on behalf of the users.
  • Types:
    • Forward proxy: intercepts user requests from the internal network.
    • Application/multipurpose proxy: "knows" the application protocols.
    • Reverse proxy: routes requests from an external network to the correct internal server.
    • Transparent proxy: requires no configuration on the user’s computer.

Advantages:

  • Increased speed
  • Reduced costs
  • Improved management
  • Stronger security

Network Security Hardware

  • Specifically designed security hardware devices provide greater protection.

Firewalls

  • Can be software or hardware-based.
  • Both inspect packets and either accept or deny entry.
  • Hardware firewalls are typically more expensive and difficult to configure/manage.
  • Software firewalls (host-based firewalls) running on a device protect only that device.
    • All modern OSs include a software firewall.

Network-Based Firewalls

Methods of packet filtering:

  • Stateless packet filtering:
    • Inspects incoming packets and permits or denies based on administrator-defined conditions.
  • Stateful packet filtering:
    • Keeps a record of the state of a connection.
    • Makes decisions based on the connection and conditions.

Firewall actions on a packet:

  • Allow:
    • Let the packet pass through.
  • Drop:
    • Prevent the packet from passing into the network and send no response to the sender.
  • Reject:
    • Prevent the packet from passing into the network but send a message to the sender.

Rule-based Firewalls

  • Use a set of individual instructions to control actions.
  • Each rule is a separate instruction processed in sequence.
  • Rules are stored in text files read when the firewall starts.
  • Static in nature, limited to configured actions.
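A small packet filter showing the difference between stateless and stateful filtering, the three actions (allow, drop, reject) and in-sequence rule processing, written as an added Python example rather than code from these notes; the rule set, addresses and packets are constructed for illustration:

```python
from collections import namedtuple
from typing import List, Optional, Set, Tuple
Packet = namedtuple("Packet", "src dst proto sport dport direction")   # direction: "in"/"out"
# One instruction in the rule file; None fields are wildcards. action: allow / drop / reject
Rule = namedtuple("Rule", "action direction proto dst dport", defaults=(None,) * 4)

def matches(rule: Rule, p: Packet) -> bool:
    return all(want is None or want == getattr(p, field)
               for field, want in rule._asdict().items() if field != "action")
def conn_key(p: Packet) -> Tuple:
    """Normalise a packet to (internal ip, port, external ip, port, proto)."""
    return ((p.src, p.sport, p.dst, p.dport, p.proto) if p.direction == "out"
            else (p.dst, p.dport, p.src, p.sport, p.proto))

class Firewall:
    def __init__(self, rules: List[Rule], stateful: bool):
        self.rules, self.stateful = rules, stateful
        self.connections: Set[Tuple] = set()       # state table, only used when stateful

    def filter(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, message sent back to the sender or None)."""
        if self.stateful and conn_key(p) in self.connections:
            return "allow", None                   # reply inside a recorded connection
        for rule in self.rules:                    # processed in sequence; first match wins
            if not matches(rule, p):
                continue
            if rule.action == "allow":
                if self.stateful and p.direction == "out":
                    self.connections.add(conn_key(p))   # remember the outbound connection
                return "allow", None
            if rule.action == "reject":            # refuse, but tell the sender
                return "reject", "TCP RST" if p.proto == "tcp" else "ICMP port unreachable"
            return "drop", None                    # refuse silently
        return "drop", None                        # no rule matched: implicit silent drop

RULES = [   # constructed rule set: 10.0.0.0/8 is internal, 10.0.0.80 is a published web server
    Rule("reject", direction="in", proto="tcp", dport=23),
    Rule("allow", direction="in", proto="tcp", dst="10.0.0.80", dport=443),
    Rule("allow", direction="out"),
]

def demo(stateful: bool) -> List[str]:
    """Verdicts for: outbound HTTPS, its reply, an unsolicited inbound packet, inbound telnet."""
    fw = Firewall(RULES, stateful)
    packets = [Packet("10.0.0.5", "198.51.100.7", "tcp", 52000, 443, "out"),
               Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 52000, "in"),
               Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 3389, "in"),
               Packet("198.51.100.7", "10.0.0.80", "tcp", 40000, 23, "in")]
    return [fw.filter(p)[0] for p in packets]
```

The stateless filter drops the legitimate reply because no rule describes it, while the stateful filter allows it from the connection record and still drops the unsolicited packet from the same external host.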

Application-Based Firewalls

  • Operate at a higher level, identifying applications and making decisions about actions.

Identification Methods:

  • Predefined application signatures
  • Header inspection
  • Payload analysis

Web Application Firewall

  • A special type of application-aware firewall that inspects HTTP traffic.
  • Can block specific sites or types of HTTP traffic.

Virtual Private Network (VPN) Concentrator

  • VPN enables authorized users to use an unsecured public network as if it were a secure private network.
    • All data transmitted is encrypted.

Types of VPNs

  • Remote-access VPN: user-to-LAN connection.
  • Site-to-site: multiple sites connect over the Internet.
  • Always-on VPN: keeps the user connected to the VPN at all times.

Endpoints

  • The end of the tunnel between VPN devices.
  • May be software on a local computer or a VPN concentrator.

VPN Concentrator

  • A dedicated hardware device that aggregates VPN connections.
  • Options when using a VPN:
    • Full tunnel: all traffic is sent to the VPN concentrator and protected.
    • Split tunneling: some traffic is routed over the secure VPN, while other traffic directly accesses the Internet.

Mail Gateway

  • Monitors emails for unwanted content.
  • Prevents unwanted messages from being delivered.
  • Email systems:
    • SMTP and POP/POP3.
    • IMAP (more recent): email remains on the email server and is not downloaded to a user’s computer.

Functions:

  • For inbound emails:
    • Searches for malware, spam, and phishing attacks.
  • For outbound email:
    • Detects and blocks the transmission of sensitive data.

Network Intrusion Detection and Prevention

Intrusion detection system (IDS):

  • Can detect an attack as it occurs.

Types:

  • Inline IDS:
    • Connected directly to the network and monitors the flow of data.
  • Passive IDS:
    • Connected to a port on a switch, which receives a copy of network traffic.

Management:

  • In-band: through the network using network protocols and tools.
  • Out-of-band: using an independent and dedicated channel.

Inline vs. passive IDS:

Function          Inline IDS                   Passive IDS
Connection        Directly to network          Connected to port on switch
Traffic flow      Routed through the device    Receives copy of traffic
Blocking          Can block attacks            Cannot block attacks
Detection error   May disrupt service          May cause false alarm

Monitoring Methodologies

  • Anomaly-based monitoring:
    • Compares current behavior with a baseline.
  • Signature-based monitoring:
    • Looks for well-known attack signature patterns.
  • Behavior-based monitoring:
    • Detects abnormal actions by processes or programs.
    • Alerts user who decides whether to allow or block activity.
  • Heuristic monitoring:
    • Uses experience-based techniques.
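Signature-based and anomaly-based monitoring side by side over constructed access-log lines, as an added Python example that is not part of these notes; the log format, the two signatures and the IP addresses are assumed for illustration:

```python
import re
import statistics
from collections import Counter
from typing import Dict, List, Optional, Tuple

def log_line(ip: str, path: str, status: int = 200) -> str:
    """Build a constructed web-server access log line (not from any real system)."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def parse(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (client ip, request path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

# Signature-based: patterns of well-known attacks, matched against each request path.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./|/etc/passwd"),
    "sql injection": re.compile(r"(?i)union\s+select"),
}

def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    alerts = []
    for rec in filter(None, map(parse, lines)):
        alerts += [(rec[0], name) for name, sig in SIGNATURES.items() if sig.search(rec[1])]
    return alerts

# Anomaly-based: learn a baseline of requests per client from normal traffic, then flag
# any client whose volume exceeds the baseline mean by more than three standard deviations.
def baseline(lines: List[str]) -> Tuple[float, float]:
    counts = Counter(rec[0] for rec in filter(None, map(parse, lines)))
    vals = list(counts.values())
    return statistics.mean(vals), statistics.pstdev(vals)

def anomaly_alerts(lines: List[str], mean: float, stdev: float) -> Dict[str, int]:
    counts = Counter(rec[0] for rec in filter(None, map(parse, lines)))
    return {ip: n for ip, n in counts.items() if n > mean + 3 * stdev}

# Constructed traffic: a quiet training window, then a window containing one client that
# sends a single traversal attempt and another that sends an unusually large burst.
NORMAL = [log_line(f"192.0.2.{i}", "/index.html") for i in (1, 1, 2, 2, 2, 3, 3, 4, 4, 4, 4, 5, 5)]
SUSPECT = (NORMAL[:6]
           + [log_line("198.51.100.9", "/download?file=../../etc/passwd", 403)]
           + [log_line("203.0.113.77", f"/search?q={i}", 404) for i in range(30)])
```

The single traversal request is caught only by the signature (its volume is normal), while the burst from 203.0.113.77 matches no signature and is caught only by the baseline comparison, which is why the two methods are usually combined.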

Types of IDS

  • Host intrusion detection system (HIDS):
    • A software-based application that can detect an attack as it occurs.
    • Installed on each system needing protection.
    • Monitors system calls, file system access, and unauthorized Registry modifications.
    • Detects anomalous activity.
    • Disadvantages of HIDS:
      • Cannot monitor network traffic that does not reach the local system.
      • All log data is stored locally.
      • Resource-intensive and can slow the system.
  • Network intrusion detection system (NIDS):
    • Watches for attacks on the network.
    • NIDS sensors are installed on firewalls and routers to gather information and report back to a central device.
    • NIDS can sound an alarm and log events.
  • Application-aware IDS:
    • A specialized IDS that uses “contextual knowledge” in real time.
    • Knows the OS version, applications running, and vulnerabilities present.

Intrusion Prevention Systems (IPSs)

  • Monitors network traffic to immediately block a malicious attack.
  • Similar to NIDS but located “in line” on the firewall for quicker action.
  • Application-aware IPS knows which applications are running as well as the underlying OS.

Security Information and Event Management (SIEM)

  • Consolidates real-time monitoring and management of security information.
  • Analyzes and reports on security events.
  • Can be a separate device, software, or a third-party service.

Features:

  • Aggregation
  • Correlation
  • Automated alerting and triggers
  • Time synchronization
  • Event deduplication
  • SIEM logs

Other Network Security Hardware Devices

  • Hardware security module
    • Description: A dedicated cryptographic processor that provides protection for cryptographic keys.
    • Comments: A tamper-resistant device that can securely manage, process, and store cryptographic keys.
  • SSL decryptor
    • Description: A separate device that decrypts SSL traffic.
    • Comments: Helps reduce performance degradation and eliminates the need to have multiple decryption licenses spread across multiple devices.
  • SSL/TLS accelerator
    • Description: A separate hardware card that inserts into a web server and contains one or more co-processors to handle SSL/TLS processing.
    • Comments: Used to accelerate the computationally intensive initial SSL connection handshake, during which keys are generated for symmetric encryption using 3DES or AES.
  • Media gateway
    • Description: A device that converts media data from one format to another.
    • Comments: Sometimes called a softswitch; converts data in audio or video format.
  • Unified Threat Management (UTM)
    • Description: Integrated device that combines several security functions.
    • Comments: Multipurpose security appliance that provides an array of security functions, such as antispam, antiphishing, antispyware, encryption, intrusion protection, and web filtering.
  • Internet content filter
    • Description: Monitors Internet traffic and blocks access to preselected websites and files.
    • Comments: Restricts unapproved websites based on URL or by searching for and matching keywords such as "sex" or "hate", as well as looking for malware.
  • Web security gateway
    • Description: Blocks malicious content in real time as it appears, without first knowing the URL of a dangerous site.
    • Comments: Enables a higher level of defense by examining the content through application-level filtering.

Security Through Network Architecture

  • The design of a network can provide a secure foundation for resisting attackers.

Elements

  • Creating security zones
  • Using network segregation

Security Zones

  • Partition the network so that certain users may enter one zone while access is prohibited to others.

Common Zones

  • Demilitarized zones
  • Using network address translation to create zones

Demilitarized Zone (DMZ)

  • A separate network located outside the secure network perimeter.
  • Untrusted outside users can access the DMZ but not the secure network.

Network Address Translation (NAT)

  • Allows devices with private IP addresses to communicate over the public Internet.
  • Replaces the private IP address with a public address.

Advantage

  • Masks IP addresses of internal devices.
  • An attacker cannot determine the actual IP address of the sender.

Other Zones

  • Intranet
    • Description: A private network that belongs to an organization and can only be accessed by approved internal users.
    • Security benefits: Closed to the outside public, so data is less vulnerable to external threat actors.
  • Extranet
    • Description: A private network that can be accessed by authorized external customers, vendors, and partners.
    • Security benefits: Can provide enhanced security for outside users compared to a publicly accessible website.
  • Guest network
    • Description: A separate open network that anyone can access without prior authorization.
    • Security benefits: Permits access to general network resources like web surfing without using the secure network.

Network Segregation

Physical network segregation

  • Isolates the network so that it is not accessible by outsiders.
  • Air gap: the absence of any type of connection between the secure network and another network.
  • Networks can be segmented using switches into a hierarchy:
    • Core switches reside at the top and carry traffic between switches.
    • Workgroup switches are connected directly to devices.

Virtual LAN (VLAN)

  • Allows scattered users to be logically grouped together, even if attached to different switches.
  • Can isolate sensitive data to VLAN members.

Communication on a VLAN

  • If connected to the same switch, the switch handles packet transfer.
  • A special “tagging” protocol is used for communicating between switches.

Security Through Network Technologies

Technologies

  • Network access control
  • Data loss prevention

Network Access Control (NAC)

  • Examines the current state of a system or network device before it can connect to the network.
  • Devices not meeting specified criteria connect to a “quarantine” network for correction.

Goal

  • To prevent computers with suboptimal security from infecting others.
  • NAC uses software “agents” for information gathering (host agent health checks).

Agent Types

  • Permanent NAC agent: remains installed on the device.
  • Dissolvable NAC agent: disappears after reporting information.
  • Agentless NAC: uses Active Directory (AD) to scan the device.

Data Loss Prevention (DLP)

  • A system of security tools that recognizes and identifies critical data.
  • Ensures data is protected.

Common uses

  • Monitoring emails through a mail gateway
  • Blocking copying of files to USB drives (USB blocking).

Content inspection

  • A security analysis of the transaction within its approved context.
  • Looks at the security level of data, who is requesting it, where it is stored, when it was requested, and where it is going.

DLP Sensors

  • DLP network sensors
  • DLP storage sensors
  • DLP agent sensors

Actions upon Policy Violation Detection

  • When a policy violation is detected by the DLP agent, it is reported back to the DLP server.
  • Actions:
    • Block the data
    • Redirect it to an individual who can examine the request
    • Quarantine the data until later
    • Alert a supervisor of the request