Ch 3

3.1 Network Segmentation & VLAN

Network Segmentation (network zoning)

  • Network segmentation: Segmenting a network to create security zones

  • Security zone: network segment with specific security requirements

  • Common deployed security zones

    • Trusted (private) zone: contains protected network resources only accessible to authorized users

      • Highest trust level

      • Private IP address

      • Unreachable from outside the zone

      • Ex: LAN (local area network)

    • Untrusted (public) zone: outside an org's control

      • Lowest trust level

    • Demilitarized zone (DMZ) (screened subnet): between a trusted and untrusted zone

      • Protects org's private network in a trusted zone from untrusted traffic

      • Ex: web, email, or DNS server

  • Jump server (jump box/host): minimally configured server in a security zone used for managing the hosts in the security zone

    • Bridge b/w two different but controlled security zones


VLAN (virtual local area network)

  • Virtual local area networks: broadcast domain that's segmented at the data link layer (2nd layer)

    • implement logical segmentation

    • Allows multiple logical networks to coexist on a single physical network infrastructure

  • VLANs enable hosts to be assigned to specific network segments based on various criteria:

    • Port-based VLAN (interface-based or static VLAN): host is connected to a specific switch port that is assigned to a VLAN

    • Protocol-based VLAN: protocol types are used to assign a host to a VLAN

    • MAC-based VLAN: host's MAC address is used to assign the host to a VLAN

  • VLAN improves network performance and efficiency by restricting broadcast domains and reducing network latency
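The three assignment criteria above (port-based, MAC-based, protocol-based) can be modelled in a few lines to show what "logical segmentation on one physical switch" means in practice. This is an added example, not code from the notes or from any switch vendor: the lookup precedence (MAC, then protocol, then port), the port-to-VLAN map, the MAC addresses, and the host names are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    port: int
    mac: str
    ethertype: int  # protocol the host sends: 0x0800 = IPv4, 0x86DD = IPv6


class VlanSwitch:
    """Assigns hosts to VLANs by port, MAC address or protocol and reports the broadcast domain."""

    def __init__(self, default_vlan=1):
        self.default_vlan = default_vlan
        self.port_vlan = {}   # port-based (static) VLAN: port number -> VLAN id
        self.mac_vlan = {}    # MAC-based VLAN: MAC address -> VLAN id
        self.proto_vlan = {}  # protocol-based VLAN: ethertype -> VLAN id

    def vlan_of(self, host):
        # Precedence (MAC, then protocol, then port) is an assumption of this model;
        # real switches make it configurable.
        if host.mac in self.mac_vlan:
            return self.mac_vlan[host.mac]
        if host.ethertype in self.proto_vlan:
            return self.proto_vlan[host.ethertype]
        return self.port_vlan.get(host.port, self.default_vlan)

    def broadcast_domain(self, sender, hosts):
        """Hosts that receive a broadcast frame from `sender`: only those in the same VLAN."""
        vlan = self.vlan_of(sender)
        return {h.name for h in hosts if h is not sender and self.vlan_of(h) == vlan}

    def same_segment(self, a, b):
        return self.vlan_of(a) == self.vlan_of(b)


# Constructed configuration: ports 1-4 are VLAN 10, ports 5-8 are VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20, 7: 20, 8: 20}


def build_scenario():
    sw = VlanSwitch()
    sw.port_vlan.update(PORT_VLAN)
    sw.mac_vlan["00:11:22:33:44:c1"] = 20  # printer stays in VLAN 20 whichever port it uses
    sw.proto_vlan[0x86DD] = 30             # IPv6 traffic is placed in a separate lab VLAN
    hosts = [
        Host("pc1", 1, "00:11:22:33:44:a1", 0x0800),
        Host("pc2", 2, "00:11:22:33:44:a2", 0x0800),
        Host("printer", 3, "00:11:22:33:44:c1", 0x0800),  # plugged into a VLAN 10 port
        Host("lab6", 4, "00:11:22:33:44:d1", 0x86DD),     # IPv6-only host on a VLAN 10 port
        Host("server", 5, "00:11:22:33:44:b1", 0x0800),
    ]
    return sw, hosts


if __name__ == "__main__":
    sw, hosts = build_scenario()
    for h in hosts:
        print(h.name, "-> VLAN", sw.vlan_of(h), "broadcast reaches", sw.broadcast_domain(h, hosts))
```

Running it shows that pc1's broadcast reaches only pc2: the printer on port 3 and the IPv6 host on port 4 share the physical switch but not the broadcast domain, which is exactly the performance and containment benefit the notes describe.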


3.2 Zero Trust

Zero trust framework

  • Zero trust: security framework enforcing continuous authentication, authorization, and security configuration validation for all users

    • *doesn't trust anyone

    • Assumes the following:

      • Network is compromised

      • External and internal threats exist on the network

      • Device location isn't sufficient for deciding trust

      • Every device, user, and network flow is authenticated and authorized

      • Policies must be dynamic and derived from several data sources


Zero trust network components

  • Control plane: manages authentication, authorization, and policy enforcement for network access

  • Includes:

    • Policy engine: determines the application of policy for each request

    • Trust engine: scores device and user trust

    • Data stores: store authentication data for the requesting device and user

    • Policy administrator: administers policy decisions, establishing or blocking connection to protected resources

  • Data plane: enforces security policies and controls data access within the network

    • Includes:

      • Device and user: requesting access to protected resources

      • Policy enforcement point (PEP): enforces policy decisions

      • Protected resources: assets secured by policy enforcement

  • Data Flow of zero trust:

    • User/device requests access

    • PEP sends the request to the policy engine in the control plane

    • Policy engine compares the PEP's request with info from the trust engine and data stores

    • Policy engine receives the info and determines the policy applied

    • Policy administrator sends the decision from the control plane to the data plane

    • PEP authorizes access and establishes a connection

    • User has access to the protected resource

  • Control plane always asks for reauthorization

  • Uses fine-grained policies based on multiple factors which support the implementation of the principle of least privilege
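The data flow and components above, worked as an added example (not code from the notes or from any zero-trust product). The user and device records, the trust-score weights, the policy table and the class names are all constructed assumptions; what the example shows is the control plane (policy engine, trust engine, data stores, policy administrator) deciding, the PEP in the data plane enforcing, location being ignored for trust, and reauthorization revoking a live session when a device attribute changes.

```python
from dataclasses import dataclass

# Constructed data stores: authentication data for users and devices (hypothetical values).
USER_STORE = {
    "alice": {"mfa": True, "role": "finance"},
    "bob": {"mfa": False, "role": "engineering"},
}
DEVICE_STORE = {
    "laptop-01": {"managed": True, "patched": True},
    "byod-07": {"managed": False, "patched": False},
}
# Hypothetical policy: each protected resource needs a minimum trust score and a permitted role.
POLICY = {
    "payroll-db": {"min_score": 4, "roles": {"finance"}},
    "wiki": {"min_score": 1, "roles": {"finance", "engineering"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    resource: str
    location: str  # "internal" or "external"; deliberately ignored, location is not trust


class TrustEngine:
    """Scores user and device trust from data-store attributes (hypothetical weights)."""

    def score(self, user, device):
        u = USER_STORE.get(user, {})
        d = DEVICE_STORE.get(device, {})
        return (2 if u.get("mfa") else 0) + (1 if d.get("managed") else 0) + (1 if d.get("patched") else 0)


class PolicyEngine:
    """Control plane: compares a request with trust-engine scores and data-store records."""

    def __init__(self, trust_engine):
        self.trust = trust_engine

    def decide(self, req):
        rule = POLICY.get(req.resource)
        if rule is None:
            return False, "unknown resource"
        if req.user not in USER_STORE or req.device not in DEVICE_STORE:
            return False, "user or device not authenticated"
        role = USER_STORE[req.user]["role"]
        if role not in rule["roles"]:
            return False, f"role {role} not permitted"
        score = self.trust.score(req.user, req.device)
        if score < rule["min_score"]:
            return False, f"trust score {score} below required {rule['min_score']}"
        return True, f"trust score {score}"


class PolicyAdministrator:
    """Control plane: relays the policy engine's decision to the PEP in the data plane."""

    def __init__(self, engine):
        self.engine = engine

    def evaluate(self, req):
        return self.engine.decide(req)


class PolicyEnforcementPoint:
    """Data plane: establishes or refuses connections based on control-plane decisions."""

    def __init__(self, admin):
        self.admin = admin
        self.sessions = {}  # live connections: request -> reason it was allowed

    def request_access(self, req):
        allowed, reason = self.admin.evaluate(req)
        if allowed:
            self.sessions[req] = reason
        return allowed, reason

    def reauthorize(self):
        """Continuous verification: re-evaluate every live session, dropping any no longer allowed."""
        revoked = []
        for req in list(self.sessions):
            allowed, reason = self.admin.evaluate(req)
            if not allowed:
                del self.sessions[req]
                revoked.append((req, reason))
        return revoked


def build_pep():
    return PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine(TrustEngine())))


if __name__ == "__main__":
    pep = build_pep()
    print(pep.request_access(AccessRequest("alice", "laptop-01", "payroll-db", "external")))
    print(pep.request_access(AccessRequest("alice", "byod-07", "payroll-db", "internal")))
    DEVICE_STORE["laptop-01"]["patched"] = False  # device drifts out of compliance
    print("revoked:", pep.reauthorize())
```

Note that alice is allowed to reach the payroll database from an external location on a managed, patched device with MFA, but is refused from an internal location on an unmanaged device: the decision rests on identity and device posture, never on where the request comes from.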


3.3 Firewalls: Types and Security appliances

Firewall

  • Firewall: network device/software program controlling inbound and outbound traffic based on a set of rules

  • Hardware (appliance) firewall: firewall implemented in a physical device

    • Has a dedicated processor, memory and operating system

    • Fast response times and can handle high traffic loads

  • Software firewall: firewall implemented in software that runs on the computer where it is installed

    • Slower but cheaper

  • Firewall failure modes:

    • Fail-open: allows traffic to flow freely when the firewall fails, ensuring access to critical network services while potentially exposing the network to security threats during the downtime

    • Fail-closed: blocks all traffic when the firewall fails, risking disruption of legitimate network activity

  • Open-source firewall: software firewall with freely available source code that can be modified and redistributed

  • Proprietary firewall: owned by an entity


Firewall types

  • Stateless firewall (packet filter): allows or blocks a packet based on the information in the packet header

    • Inspects packets independently from other packets

    • Info in a packet header: source and destination IP addresses, port numbers, and protocol type

    • Uses an access control list (ACL) to determine which packets are allowed or disallowed

      • Access control list: list of rules

  • Stateful firewall (dynamic packet filter): firewall that monitors and tracks active network connection sessions and blocks a packet that doesn't belong to an active session

    • Continuously analyzes context of traffic on a network

    • Keeps track of network connection sessions including DNS request/responses
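The difference between the two firewall types is easiest to see on a concrete packet sequence. The following is an added example, not code from the notes or from any firewall product: the `Rule`/`Packet` classes, the ACL contents, the addresses and ports, and the simplification that only a TCP SYN may open a new session are all constructed assumptions. It shows why a stateless ACL that must admit reply traffic also admits unsolicited packets that merely look like replies, whereas the stateful filter accepts a packet only if it belongs to a session it has already seen.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Rule:
    """One ACL entry; "any" matches everything for that field."""
    action: str           # "allow" or "deny"
    proto: str = "any"
    src: str = "any"      # CIDR, e.g. "10.0.0.0/24"
    sport: object = "any"
    dst: str = "any"
    dport: object = "any"

    @staticmethod
    def _ip_match(pattern, ip):
        return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

    def matches(self, p):
        return ((self.proto == "any" or self.proto == p.proto)
                and self._ip_match(self.src, p.src_ip)
                and (self.sport == "any" or self.sport == p.src_port)
                and self._ip_match(self.dst, p.dst_ip)
                and (self.dport == "any" or self.dport == p.dst_port))


class StatelessFirewall:
    """Packet filter: each packet is judged on its own header against the ACL (implicit deny)."""

    def __init__(self, acl):
        self.acl = acl

    def filter(self, p):
        for rule in self.acl:
            if rule.matches(p):
                return rule.action == "allow"
        return False


class StatefulFirewall(StatelessFirewall):
    """Dynamic packet filter: tracks sessions; packets outside an active session are dropped."""

    def __init__(self, acl):
        super().__init__(acl)
        self.sessions = set()  # 5-tuples of flows that were allowed to start

    def filter(self, p):
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.sessions or reverse in self.sessions:
            return True  # part of an active session, in either direction
        # Simplification: a new TCP session may only be opened by a bare SYN.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return False
        if super().filter(p):          # first packet of a new flow is checked against the ACL
            self.sessions.add(key)
            return True
        return False


# Constructed ACLs. The stateless one needs a second rule to let replies back in,
# and that rule cannot tell a genuine reply from an unsolicited packet with source port 443.
STATELESS_ACL = [
    Rule("allow", "tcp", src="10.0.0.0/24", dport=443),
    Rule("allow", "tcp", sport=443, dst="10.0.0.0/24"),
]
STATEFUL_ACL = [
    Rule("allow", "tcp", src="10.0.0.0/24", dport=443),
]


def run_scenario():
    syn = Packet("tcp", "10.0.0.7", 51000, "203.0.113.5", 443, frozenset({"SYN"}))
    reply = Packet("tcp", "203.0.113.5", 443, "10.0.0.7", 51000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 51000, frozenset({"ACK"}))
    stateless, stateful = StatelessFirewall(STATELESS_ACL), StatefulFirewall(STATEFUL_ACL)
    return {
        "stateless": [stateless.filter(p) for p in (syn, reply, unsolicited)],
        "stateful": [stateful.filter(p) for p in (syn, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(run_scenario())  # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```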


Network security appliance

  • Network security appliances combine the functionality of several devices to improve network security and simplify the management of devices

  • Unified threat management (UTM): security appliance that provides multiple security functions at a single point on a network

    • Provides multiple services including network firewalling, intrusion detection and prevention, malware detection and removal, DDoS protection, and web, content, and e-mail filtering

  • Next-generation firewall (NGFW): a packet filtering firewall combined with other tech to detect and block network attacks


3.4 Firewalls: Host-based, virtual, and application

Virtual and host-based firewalls

  • Virtual firewall: provides packet filtering within a virtualized environment

  • Modes for a virtual firewall

    • Bridge mode: firewall runs on a virtual machine and monitors and controls inbound/outbound traffic on the virtual machine

    • Hypervisor mode: firewall resides in a host's hypervisor kernel and monitors and controls inbound/outbound traffic on the virtual machines running on the host

  • Host-based firewall: runs on a host and controls the host's inbound and outbound network traffic

    • Allows and blocks traffic on the same port


Applications and devices for traffic control

  • Network address translation (NAT) gateway: device that enables multiple hosts with private IP addresses to connect to the Internet using a single public IP address

    • Intermediary between a group of hosts on an internal network and external network

      • Provides a security layer for an internal network by masking a private network's IP addresses

      • NAT gateway does not allow an external device to initiate an inbound connection

  • Application firewall: protects an application by controlling its input and output

    • Controls communications at the application layer

  • Web application firewall (WAF): type of application firewall that filters HTTP and HTTPS traffic between a web application and the internet
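The NAT gateway behaviour described above (many private hosts sharing one public address, private addresses hidden, no externally initiated inbound connections) as an added example. It is not code from the notes or from any router; the port-translation scheme, the address ranges, the port numbers and the `NatGateway` class are constructed assumptions, and the model is simplified (one translation table, no timeouts, replies accepted only from the endpoint the private host contacted).

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Simplified port-translating NAT: private hosts share one public IP address."""

    def __init__(self, public_ip, private_net, first_port=40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self._ports = itertools.count(first_port)  # next free public port
        self.outbound_map = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> public_port
        self.inbound_map = {}   # public_port -> (priv_ip, priv_port, remote_ip, remote_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network, creating a mapping if needed."""
        if ipaddress.ip_address(pkt.src_ip) not in self.private_net:
            return None  # not from the inside: not ours to translate
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            port = next(self._ports)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        # The private source address never leaves the network; only the public IP is visible.
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet from outside; returns None (dropped) unless it answers a mapping."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_map.get(pkt.dst_port)
        if entry is None:
            return None  # no private host opened this: an externally initiated connection
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # mapping exists, but this is not the peer the private host contacted
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def scenario():
    # Constructed addresses: 10.0.0.0/24 inside, 203.0.113.1 as the gateway's public address.
    nat = NatGateway("203.0.113.1", "10.0.0.0/24")
    a = nat.outbound(Packet("10.0.0.5", 50000, "198.51.100.10", 80))
    b = nat.outbound(Packet("10.0.0.6", 50000, "198.51.100.10", 80))  # same private port, distinct mapping
    return {
        "a_out": a,
        "b_out": b,
        "reply_to_b": nat.inbound(Packet("198.51.100.10", 80, "203.0.113.1", b.src_port)),
        "spoofed_reply": nat.inbound(Packet("192.0.2.44", 80, "203.0.113.1", a.src_port)),
        "unsolicited": nat.inbound(Packet("192.0.2.44", 4444, "203.0.113.1", 22)),
    }


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:14} {pkt}")
```

Both private hosts used source port 50000, so the gateway gives each its own public port; the reply addressed to the second mapping is delivered to 10.0.0.6, while packets that do not answer a mapping the inside opened are dropped.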


Web filtering

  • Web filtering methods for firewalls:

    • DNS filtering: blocks access to specific webpages by preventing the resolution of DNS queries for blocked domains

    • URL filtering: blocks access to a specific webpage based on the webpage's URL

    • Content filtering: controls access to web content based on the requested content and predefined criteria


3.5 Network intrusion detection and prevention systems (NIDS/NIPS)

  • Intrusion detection system (IDS): device/software that uses sensors to detect a malicious activity or a security policy violation in a system

    • Network intrusion detection system (NIDS): IDS that detects a threat to a network

    • Host-based intrusion detection system (HIDS): IDS that detects a threat to a host

      • Monitors and analyzes a host's running processes, network traffic to and from a host, and host's log files to detect a threat

  • Network intrusion prevention system (NIPS): blocks a threat to a network

    • Takes automatic action to secure a network and can perform corrective and protective functions


NIDS/NIPS deployment modes:

  • Inline mode (in-band mode): NIDS/NIPS deployment mode where network traffic is passed through a NIPS/NIDS

  • Passive mode (out-of-band mode): NIDS/NIPS deployment mode where the NIDS/NIPS receives a copy of network traffic

    • Connected to a data monitoring port (switched port analyzer (SPAN) port or test access point (TAP))

    • Cannot block a network attack


Intrusion Detection Methods (IDS)

Methods for detecting a network attack

  • Signature-based detection (knowledge-based detection): uses the attack's pattern (fingerprint or signature)

    • Attack signatures include network packet headers, data sequences of known malware, source or destination IP addresses, malicious domains, and email subject lines

    • Cannot detect an unknown attack

    • Keeps a database of attack patterns

  • Anomaly-based detection: detects an attack by identifying a network state that is different from the network's normal state

    • The IDS builds a profile of normal network activity and flags any network activity that is different from the profile

    • Profile includes: user, host and application behavior

    • Can detect an unknown attack

  • Behavior-based detection: detects by searching for a specific pattern that matches a threat behavior

    • Flags actions that shouldn't be performed by the process as abnormal

  • Heuristic-based detection: detects an attack by adaptive techniques

    • Uses an attack signature base but dynamically changes the signatures based on learned behavior or real-time network traffic

    • Can detect a previously unknown network attack

*the only
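Signature-based and anomaly-based detection, run side by side over constructed log lines, as an added example (not code from the notes or from any IDS product). The log format, the two signatures in the signature database, the per-source request-rate profile and the `mean + 3 * stdev` threshold are all assumptions of this example. It shows the trade-off the notes describe: the signature engine catches the one request that matches a known pattern but has no signature for the probing host, while the anomaly engine flags the probing host by its departure from the baseline profile but says nothing about the single injection attempt.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed access-log lines in the form: src_ip METHOD "path" status (not from any real system).
BASELINE_LOG = [  # a quiet period used to learn what "normal" looks like
    '10.0.0.5 GET "/index.html" 200',
    '10.0.0.5 GET "/about.html" 200',
    '10.0.0.5 GET "/contact.html" 200',
    '10.0.0.8 GET "/index.html" 200',
    '10.0.0.8 GET "/docs" 200',
    '10.0.0.9 GET "/index.html" 200',
    '10.0.0.9 GET "/search?q=printers" 200',
    '10.0.0.11 GET "/index.html" 200',
    '10.0.0.11 GET "/login" 200',
    '10.0.0.11 POST "/login" 302',
]
OBSERVED_LOG = [  # the period being analysed
    '10.0.0.5 GET "/index.html" 200',
    '10.0.0.5 GET "/news.html" 200',
    '10.0.0.5 GET "/about.html" 200',
    "10.0.0.9 GET \"/search?q=' OR '1'='1\" 500",  # one request matching a known injection pattern
] + [f'203.0.113.7 GET "/page{i}" 404' for i in range(12)]  # unknown tool requesting many pages

# Constructed signature database: name -> pattern searched in the request path.
SIGNATURE_DB = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}
LINE_RE = re.compile(r'^(\S+) (\S+) "(.*)" (\d{3})$')


def parse(line):
    """Return (src_ip, method, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    return src, method, path, int(status)


def signature_detect(lines):
    """Knowledge-based detection: report every (signature, source) pair whose pattern matches."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, _, path, _ = rec
        for name, pattern in SIGNATURE_DB.items():
            if pattern.search(path):
                hits.append((name, src))
    return hits


def requests_per_source(lines):
    return Counter(rec[0] for rec in map(parse, lines) if rec is not None)


def build_profile(lines):
    """Profile of normal activity: mean and standard deviation of requests per source."""
    counts = list(requests_per_source(lines).values())
    return mean(counts), pstdev(counts)


def anomaly_detect(lines, profile, k=3.0):
    """Flag sources whose request count exceeds mean + k * stdev of the learned profile."""
    mu, sigma = profile
    threshold = mu + k * sigma
    return {src: n for src, n in requests_per_source(lines).items() if n > threshold}


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOG)
    print("signature hits:", signature_detect(OBSERVED_LOG))
    print("profile (mean, stdev):", profile)
    print("anomalous sources:", anomaly_detect(OBSERVED_LOG, profile))
```

The baseline yields a profile of 2.5 requests per source with a standard deviation of 0.5, so the threshold is 4 requests; the probing host's 12 requests stand out while the normal browsing host stays under it. A production anomaly engine would build the profile from far more attributes (the notes list user, host and application behavior) and over a longer window, but the mechanism is the same.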