Network Security Essentials

Small Office/Home Office (SOHO) Authentication

  • Authentication: Verifying the identity of a user.
  • Authorization: Determining what a user is allowed to access.
  • For SOHO networks, a shared password (preshared key or PSK) often suffices for both authentication and authorization.

Enterprise Network Security

  • Corporate settings require more robust authentication methods than simple passwords.
  • AAA Servers: Authentication, Authorization, and Accounting.
    • Security guards for the network.
    • Centralized authentication and account management.
  • Single Sign-On (SSO): Allows users to log in once and access multiple servers without re-authentication.

RADIUS Server

  • A specific type of AAA server.
  • Acts as the "bouncer" for the network.

Process

  1. Supplicant (Client): A user trying to access the network.
  2. Authenticator (Network Access Server - NAS):
    • Typically a Wi-Fi router or modem.
    • Controls access to the network.
  3. The supplicant attempts to connect through the NAS.
  4. The NAS forwards the authentication request to the RADIUS server.
  5. RADIUS Server:
    • Checks the user's credentials against a directory (e.g., Active Directory).
    • Active Directory: A phone book containing users and their authorized access levels.
  6. If the user is authorized,
    • The RADIUS server allows access to the network.
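The exchange in steps 3 to 6, as an added example that is not part of these notes: a toy NAS builds an RFC 2865 Access-Request (hiding the User-Password with the shared secret and the Request Authenticator), a toy RADIUS server checks it against a constructed in-memory directory and signs its reply, and the NAS validates the Response Authenticator before granting access. The shared secret, the user directory and the packet identifier are constructed for the demo.

```python
import hashlib, hmac, secrets

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
SHARED_SECRET = b"nas-and-server-secret"                 # constructed NAS/server shared secret
DIRECTORY = {b"alice": b"correct horse battery"}         # constructed stand-in for the user directory

def _xor_chain(data, secret, req_auth, encrypt):
    # RFC 2865 password hiding: XOR each 16-byte block with MD5(secret + previous block), starting from the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block, mask = data[i:i + 16], hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, mask))
        out, prev = out + res, (res if encrypt else block)
    return out

def hide_password(pw, secret, req_auth):        # NAS side: NUL-pad to 16 bytes, then chain
    return _xor_chain(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):  # server side: inverse of hide_password
    return _xor_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def attr(t, v): return bytes([t, len(v) + 2]) + v   # attribute = Type | Length | Value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def nas_build_request(ident, username, password, secret=SHARED_SECRET):
    # Steps 3-4: the NAS wraps the credentials in an Access-Request (Code | ID | Length | Authenticator | Attributes).
    req_auth = secrets.token_bytes(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth + body, req_auth

def radius_server(request, secret=SHARED_SECRET):
    # Step 5: recover the password, check the directory, reply; Response Authenticator = MD5(header + RequestAuth + attrs + secret).
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request[20:])
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if DIRECTORY.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    header = bytes([code, ident]) + (20).to_bytes(2, "big")   # this reply carries no attributes
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_verify(response, req_auth, secret=SHARED_SECRET):
    # Step 6: grant access only on an Access-Accept whose Response Authenticator checks out.
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and response[0] == ACCESS_ACCEPT
```

A reply that was not built with the shared secret fails nas_verify even if its code says Access-Accept, which is what protects the NAS from a spoofed server on the path.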

LDAP (Lightweight Directory Access Protocol)

  • Protocol used by the AAA server (RADIUS) to communicate with Active Directory.

TACACS+ (Terminal Access Controller Access-Control System Plus)

  • Similar to RADIUS, but used to authenticate network technicians logging in to network equipment (switches, routers).
  • TACACS+ is for accessing the equipment itself; RADIUS is for accessing the network.

Kerberos

  • A security protocol that guards information in transit between servers within a network.
  • Enables single sign-on (SSO) functionality.

Remote Terminal Access Overview

Terminal

  • The term comes from early Teletype (TTY) devices used to configure computers.
  • A terminal emulator is software that replicates TTY inputs and outputs.

Secure Shell (SSH)

  • Port 22
  • Primary tool for remote access, especially for Linux systems.
  • Provides a secure, encrypted command-line interface.
  • Allows configuration of a computer using only text input.
  • Creates a secure tunnel for transmitting data.

Telnet

  • Port 23
  • Similar to SSH but unsecured.
  • Generally not recommended for use outside a secure local network.

Remote Desktop Protocol (RDP)

  • Designed for remote access to one's own computer.
  • The user on the remote end cannot see the screen.
  • Not intended for troubleshooting or helping others.

Network Time Protocol (NTP)

  • Port 123
  • Synchronizes the clocks of network devices to ensure consistent timestamps.
  • Crucial for accurate log analysis and data consistency.
  • CMOS Battery: Keeps the hardware clock running and accurate while the device is powered off.
  • If the CMOS battery fails, the clock drifts, which can cause time synchronization issues and prevent network access.

Stratum Levels

  • Indicate the accuracy and source of the time.
  • Stratum 0: Atomic clocks.
  • Stratum 1: Directly synchronized to Stratum 0.
  • Subsequent levels are less accurate.

Network Monitoring Servers

Simple Network Management Protocol (SNMP)

  • Used for managing and monitoring network devices.

Components

  • Network Management System (NMS): Central monitoring tool.
  • Managed Devices: Network devices being monitored (switches, routers, servers).
  • Agents: Software on managed devices that report status to the NMS.
  • Management Information Base (MIB): Database containing information extracted from network devices (CPU load, interface status, error reporting).

Functionality

  • Queries: The NMS requests information from devices.
  • Traps: Devices send alerts to the NMS when specific events occur (e.g., high error rate, congestion).

Syslog

  • A log collection system for network devices, similar to the event viewer on a computer.
  • Provides information on the status and events occurring on network equipment.

Proxy Server

  • Intermediary between clients and the internet.
  • Enhances security by preventing unauthorized access.
  • Caches frequently accessed content to speed up network performance.

Types

  • Transparent: No special client configuration needed.
  • Non-transparent: Requires specific client settings.

Security Appliances and Methods

Firewall

  • Blocks traffic based on an Access Control List (ACL).
  • ACL rules match on:
    • Ports and protocols
    • IP addresses
    • Content (heuristic, content-based blocking)
  • Concern: only blocks what the ACL explicitly specifies.
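An added example (not from these notes) of evaluating an ACL on the criteria listed above; the rules, addresses and content pattern are constructed, and the "default" argument shows the concern: whatever the ACL does not name falls through to the implicit rule.

```python
import ipaddress, re

# Constructed ACL. Each rule is (action, protocol, destination network, destination port,
# content pattern); None means "any". The first matching rule wins, as on most firewalls.
RULES = [
    ("deny", "tcp", "0.0.0.0/0", 23, None),              # block Telnet everywhere
    ("deny", None, "10.0.0.0/8", None, None),            # block all traffic to one range
    ("deny", "tcp", "0.0.0.0/0", 80, rb"(?i)cmd\.exe"),  # content-based (heuristic) rule
    ("allow", "tcp", "0.0.0.0/0", 22, None),             # SSH explicitly permitted
]

def rule_matches(rule, proto, dst_ip, dst_port, payload):
    _, r_proto, r_net, r_port, r_pat = rule
    return ((r_proto is None or r_proto == proto)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r_net)
            and (r_port is None or r_port == dst_port)
            and (r_pat is None or re.search(r_pat, payload) is not None))

def evaluate(proto, dst_ip, dst_port, payload=b"", default="allow", rules=RULES):
    # 'default' is the implicit rule applied when nothing in the ACL matches.
    for rule in rules:
        if rule_matches(rule, proto, dst_ip, dst_port, payload):
            return rule[0]
    return default
```

With default="allow", a service nobody thought to list (port 3389 in the test) passes untouched; with default="deny" only the explicitly allowed SSH rule lets traffic through.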

Intrusion Detection System (IDS) vs. Intrusion Prevention System (IPS)

  • IDS: Detects malicious activity and alerts administrators.
  • IPS: Actively blocks or prevents malicious activity.

Antivirus and Anti-malware

  • Requires regular definition updates and scanning.

Spam Gateway

  • Blocks spam emails.
  • Uses DNS-published email authentication records to block spoofed messages:
    • SPF (Sender Policy Framework)
    • DKIM (DomainKeys Identified Mail)
    • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Content Filter

  • Blocks access to certain URLs, domains, or content based on keywords and categories.
  • Uses heuristics to detect and block potentially inappropriate or malicious content based on patterns.

Data Loss Prevention (DLP)

  • Prevents sensitive data from leaving the network.
  • Scans outbound traffic to identify and block the transmission of sensitive information (e.g., Social Security numbers).

Load Balancer

  • Distributes network traffic across multiple servers.
  • Ensures that no single server becomes overwhelmed.
  • Improves performance and availability.
  • Helps mitigate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
    • By spreading traffic across servers, load balancers reduce the impact of large-scale attacks on any one server.

Legacy Systems

  • Systems that are no longer supported or patched.
  • End-of-Life (EOL) systems pose a significant security risk.
    • No longer receive security updates.
  • Hackers may exploit known vulnerabilities in EOL systems.

Embedded Systems

  • Integrated hardware and software built into various devices.

Industrial Control Systems (ICS)

  • Systems that control industrial processes and infrastructure.
  • Examples: power grids, water plants, healthcare systems, and telecommunications networks.
  • Critical for factory automation.

Supervisory Control and Data Acquisition (SCADA)

  • Large-scale version of ICS.
  • Used for controlling nuclear reactors, traffic lights, and other critical infrastructure.
  • Hackers can exploit SCADA systems to cause significant damage.

Internet of Things (IoT)

  • Smart devices that connect to the Internet.
  • Smart appliances, mirrors, and other devices.
  • Often have minimal security features, making them vulnerable to attacks.